tests/screentest: add test for vuln with custom_ranges

Change-Id: Idf26fba7712eeb98b84c5d87aa31da86e2ea0a7a
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/597615
kokoro-CI: kokoro <noreply+kokoro@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

devtools/snapshot_vulndb_v1.sh

@@ -23,9 +23,11 @@ copyFiles=(
   "ID/GO-2021-0240.json"
   "ID/GO-2021-0264.json"
   "ID/GO-2022-0273.json"
+  "ID/GO-2024-2527.json"
   "ID/GO-2024-2730.json"
   "ID/GO-2024-2659.json"
   "ID/GO-2024-2864.json"
+  "ID/GO-2024-2979.json"
 )
 
 go install golang.org/x/vulndb/cmd/indexdb@latest

tests/screentest/testcases.ci.txt

@@ -33,6 +33,16 @@ pathname /vuln/GO-2024-2659
 capture fullscreen
 capture fullscreen 540x1080
 
+test vuln entry custom ranges module
+pathname /vuln/GO-2024-2979
+capture fullscreen
+capture fullscreen 540x1080
+
+test vuln entry custom ranges package
+pathname /vuln/GO-2024-2527
+capture fullscreen
+capture fullscreen 540x1080
+
 test vuln entry unreviewed
 pathname /vuln/GO-2024-2864
 capture fullscreen

tests/screentest/testdata/vulndb-v1/ID/GO-2022-0463.json

@@ -1 +1 @@
-{"schema_version":"1.3.1","id":"GO-2022-0463","modified":"2024-05-20T16:03:47Z","published":"2022-07-01T20:06:59Z","aliases":["CVE-2022-31259","GHSA-qx32-f6g6-fcfr"],"summary":"Access control bypass due to broad route matching in github.com/beego/beego and beego/v2","details":"Routes in the beego HTTP router can match unintended patterns. This overly-broad matching may permit an attacker to bypass access controls.\n\nFor example, the pattern \"/a/b/:name\" can match the URL \"/a.xml/b/\". This may bypass access control applied to the prefix \"/a/\".","affected":[{"package":{"name":"github.com/astaxie/beego","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/astaxie/beego","symbols":["App.Run","ControllerRegister.FindPolicy","ControllerRegister.FindRouter","ControllerRegister.ServeHTTP","FilterRouter.ValidRouter","InitBeegoBeforeTest","Run","RunWithMiddleWares","TestBeegoInit","Tree.Match","adminApp.Run"]}]}},{"package":{"name":"github.com/beego/beego","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.12.9"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/beego/beego","symbols":["App.Run","ControllerRegister.FindPolicy","ControllerRegister.FindRouter","ControllerRegister.ServeHTTP","FilterRouter.ValidRouter","InitBeegoBeforeTest","Run","RunWithMiddleWares","TestBeegoInit","Tree.Match","Tree.match","adminApp.Run"]}]}},{"package":{"name":"github.com/beego/beego/v2","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.0.3"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/beego/beego/v2/server/web","symbols":["AddNamespace","AddViewPath","Any","AutoPrefix","AutoRouter","BuildTemplate","Compare","CompareNot","Controller.Abort","Controller.Bind","Controller.BindForm","Controller.BindJSON","Controller.BindProtobuf","Controller.BindXML","Controller.BindYAML","Controller.CheckXSRFCookie","Controller.CustomAbort","Controller.Delete","Controller.DestroySession","Controller.Get","Controller.GetBool","Controller.GetFile","Controller.GetFloat","Controller.GetInt","Controller.GetInt16","Controller.GetInt32","Controller.GetInt64","Controller.GetInt8","Controller.GetSecureCookie","Controller.GetString","Controller.GetStrings","Controller.GetUint16","Controller.GetUint32","Controller.GetUint64","Controller.GetUint8","Controller.Head","Controller.Input","Controller.IsAjax","Controller.JSONResp","Controller.Options","Controller.ParseForm","Controller.Patch","Controller.Post","Controller.Put","Controller.Redirect","Controller.Render","Controller.RenderBytes","Controller.RenderString","Controller.Resp","Controller.SaveToFile","Controller.SaveToFileWithBuffer","Controller.ServeFormatted","Controller.ServeJSON","Controller.ServeJSONP","Controller.ServeXML","Controller.ServeYAML","Controller.SessionRegenerateID","Controller.SetData","Controller.SetSecureCookie","Controller.Trace","Controller.URLFor","Controller.XMLResp","Controller.XSRFFormHTML","Controller.XSRFToken","Controller.YamlResp","ControllerRegister.Add","ControllerRegister.AddAuto","ControllerRegister.AddAutoPrefix","ControllerRegister.AddMethod","ControllerRegister.AddRouterMethod","ControllerRegister.Any","ControllerRegister.CtrlAny","ControllerRegister.CtrlDelete","ControllerRegister.CtrlGet","ControllerRegister.CtrlHead","ControllerRegister.CtrlOptions","ControllerRegister.CtrlPatch","ControllerRegister.CtrlPost","ControllerRegister.CtrlPut","ControllerRegister.Delete","ControllerRegister.FindPolicy","ControllerRegister.FindRouter","ControllerRegister.Get","ControllerRegister.GetContext","ControllerRegister.Handler","ControllerRegister.Head","ControllerRegister.Include","ControllerRegister.Init","ControllerRegister.InsertFilter","ControllerRegister.Options","ControllerRegister.Patch","ControllerRegister.Post","ControllerRegister.Put","ControllerRegister.ServeHTTP","ControllerRegister.URLFor","CtrlAny","CtrlDelete","CtrlGet","CtrlHead","CtrlOptions","CtrlPatch","CtrlPost","CtrlPut","Date","DateFormat","DateParse","Delete","Exception","ExecuteTemplate","ExecuteViewPathTemplate","FileSystem.Open","FilterRouter.ValidRouter","FlashData.Error","FlashData.Notice","FlashData.Set","FlashData.Store","FlashData.Success","FlashData.Warning","Get","GetConfig","HTML2str","Handler","Head","Htmlquote","Htmlunquote","HttpServer.Any","HttpServer.AutoPrefix","HttpServer.AutoRouter","HttpServer.CtrlAny","HttpServer.CtrlDelete","HttpServer.CtrlGet","HttpServer.CtrlHead","HttpServer.CtrlOptions","HttpServer.CtrlPatch","HttpServer.CtrlPost","HttpServer.CtrlPut","HttpServer.Delete","HttpServer.Get","HttpServer.Handler","HttpServer.Head","HttpServer.Include","HttpServer.InsertFilter","HttpServer.LogAccess","HttpServer.Options","HttpServer.Patch","HttpServer.Post","HttpServer.PrintTree","HttpServer.Put","HttpServer.RESTRouter","HttpServer.Router","HttpServer.RouterWithOpts","HttpServer.Run","Include","InitBeegoBeforeTest","InsertFilter","LoadAppConfig","LogAccess","MapGet","Namespace.Any","Namespace.AutoPrefix","Namespace.AutoRouter","Namespace.Cond","Namespace.CtrlAny","Namespace.CtrlDelete","Namespace.CtrlGet","Namespace.CtrlHead","Namespace.CtrlOptions","Namespace.CtrlPatch","Namespace.CtrlPost","Namespace.CtrlPut","Namespace.Delete","Namespace.Filter","Namespace.Get","Namespace.Handler","Namespace.Head","Namespace.Include","Namespace.Namespace","Namespace.Options","Namespace.Patch","Namespace.Post","Namespace.Put","Namespace.Router","NewControllerRegister","NewControllerRegisterWithCfg","NewHttpServerWithCfg","NewHttpSever","NewNamespace","NotNil","Options","ParseForm","Patch","Policy","Post","PrintTree","Put","RESTRouter","ReadFromRequest","RenderForm","Router","RouterWithOpts","Run","RunWithMiddleWares","TestBeegoInit","Tree.AddRouter","Tree.AddTree","Tree.Match","Tree.match","URLFor","URLMap.GetMap","URLMap.GetMapData","Walk","adminApp.Run","adminController.AdminIndex","adminController.Healthcheck","adminController.ListConf","adminController.ProfIndex","adminController.PrometheusMetrics","adminController.QpsIndex","adminController.TaskStatus","beegoAppConfig.Bool","beegoAppConfig.DefaultBool","beegoAppConfig.SaveConfigFile","beegoAppConfig.Unmarshaler"]}]}}],"references":[{"type":"FIX","url":"https://github.com/beego/beego/pull/4958"},{"type":"FIX","url":"https://github.com/beego/beego/commit/64cf44d725c8cc35d782327d333df9cbeb1bf2dd"},{"type":"WEB","url":"https://beego.vip"},{"type":"WEB","url":"https://github.com/beego/beego/issues/4946"},{"type":"WEB","url":"https://github.com/beego/beego/pull/4954"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0463","review_status":"REVIEWED"}}
+{"schema_version":"1.3.1","id":"GO-2022-0463","modified":"2024-06-03T20:51:31Z","published":"2022-07-01T20:06:59Z","aliases":["CVE-2022-31259","GHSA-qx32-f6g6-fcfr"],"summary":"Access control bypass due to broad route matching in github.com/beego/beego and beego/v2","details":"Routes in the beego HTTP router can match unintended patterns. This overly-broad matching may permit an attacker to bypass access controls.\n\nFor example, the pattern \"/a/b/:name\" can match the URL \"/a.xml/b/\". This may bypass access control applied to the prefix \"/a/\".","affected":[{"package":{"name":"github.com/astaxie/beego","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/astaxie/beego","symbols":["App.Run","ControllerRegister.FindPolicy","ControllerRegister.FindRouter","ControllerRegister.ServeHTTP","FilterRouter.ValidRouter","InitBeegoBeforeTest","Run","RunWithMiddleWares","TestBeegoInit","Tree.Match","adminApp.Run"]}]}},{"package":{"name":"github.com/beego/beego","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.12.9"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/beego/beego","symbols":["App.Run","ControllerRegister.FindPolicy","ControllerRegister.FindRouter","ControllerRegister.ServeHTTP","FilterRouter.ValidRouter","InitBeegoBeforeTest","Run","RunWithMiddleWares","TestBeegoInit","Tree.Match","Tree.match","adminApp.Run"]}]}},{"package":{"name":"github.com/beego/beego/v2","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.0.3"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/beego/beego/v2/server/web","symbols":["AddNamespace","AddViewPath","Any","AutoPrefix","AutoRouter","BuildTemplate","Compare","CompareNot","Controller.Abort","Controller.Bind","Controller.BindForm","Controller.BindJSON","Controller.BindProtobuf","Controller.BindXML","Controller.BindYAML","Controller.CheckXSRFCookie","Controller.CustomAbort","Controller.Delete","Controller.DestroySession","Controller.Get","Controller.GetBool","Controller.GetFile","Controller.GetFloat","Controller.GetInt","Controller.GetInt16","Controller.GetInt32","Controller.GetInt64","Controller.GetInt8","Controller.GetSecureCookie","Controller.GetString","Controller.GetStrings","Controller.GetUint16","Controller.GetUint32","Controller.GetUint64","Controller.GetUint8","Controller.Head","Controller.Input","Controller.IsAjax","Controller.JSONResp","Controller.Options","Controller.ParseForm","Controller.Patch","Controller.Post","Controller.Put","Controller.Redirect","Controller.Render","Controller.RenderBytes","Controller.RenderString","Controller.Resp","Controller.SaveToFile","Controller.SaveToFileWithBuffer","Controller.ServeFormatted","Controller.ServeJSON","Controller.ServeJSONP","Controller.ServeXML","Controller.ServeYAML","Controller.SessionRegenerateID","Controller.SetData","Controller.SetSecureCookie","Controller.Trace","Controller.URLFor","Controller.XMLResp","Controller.XSRFFormHTML","Controller.XSRFToken","Controller.YamlResp","ControllerRegister.Add","ControllerRegister.AddAuto","ControllerRegister.AddAutoPrefix","ControllerRegister.AddMethod","ControllerRegister.AddRouterMethod","ControllerRegister.Any","ControllerRegister.CtrlAny","ControllerRegister.CtrlDelete","ControllerRegister.CtrlGet","ControllerRegister.CtrlHead","ControllerRegister.CtrlOptions","ControllerRegister.CtrlPatch","ControllerRegister.CtrlPost","ControllerRegister.CtrlPut","ControllerRegister.Delete","ControllerRegister.FindPolicy","ControllerRegister.FindRouter","ControllerRegister.Get","ControllerRegister.GetContext","ControllerRegister.Handler","ControllerRegister.Head","ControllerRegister.Include","ControllerRegister.Init","ControllerRegister.InsertFilter","ControllerRegister.Options","ControllerRegister.Patch","ControllerRegister.Post","ControllerRegister.Put","ControllerRegister.ServeHTTP","ControllerRegister.URLFor","CtrlAny","CtrlDelete","CtrlGet","CtrlHead","CtrlOptions","CtrlPatch","CtrlPost","CtrlPut","Date","DateFormat","DateParse","Delete","Exception","ExecuteTemplate","ExecuteViewPathTemplate","FileSystem.Open","FilterRouter.ValidRouter","FlashData.Error","FlashData.Notice","FlashData.Set","FlashData.Store","FlashData.Success","FlashData.Warning","Get","GetConfig","HTML2str","Handler","Head","Htmlquote","Htmlunquote","HttpServer.Any","HttpServer.AutoPrefix","HttpServer.AutoRouter","HttpServer.CtrlAny","HttpServer.CtrlDelete","HttpServer.CtrlGet","HttpServer.CtrlHead","HttpServer.CtrlOptions","HttpServer.CtrlPatch","HttpServer.CtrlPost","HttpServer.CtrlPut","HttpServer.Delete","HttpServer.Get","HttpServer.Handler","HttpServer.Head","HttpServer.Include","HttpServer.InsertFilter","HttpServer.LogAccess","HttpServer.Options","HttpServer.Patch","HttpServer.Post","HttpServer.PrintTree","HttpServer.Put","HttpServer.RESTRouter","HttpServer.Router","HttpServer.RouterWithOpts","HttpServer.Run","Include","InitBeegoBeforeTest","InsertFilter","LoadAppConfig","LogAccess","MapGet","Namespace.Any","Namespace.AutoPrefix","Namespace.AutoRouter","Namespace.Cond","Namespace.CtrlAny","Namespace.CtrlDelete","Namespace.CtrlGet","Namespace.CtrlHead","Namespace.CtrlOptions","Namespace.CtrlPatch","Namespace.CtrlPost","Namespace.CtrlPut","Namespace.Delete","Namespace.Filter","Namespace.Get","Namespace.Handler","Namespace.Head","Namespace.Include","Namespace.Namespace","Namespace.Options","Namespace.Patch","Namespace.Post","Namespace.Put","Namespace.Router","NewControllerRegister","NewControllerRegisterWithCfg","NewHttpServerWithCfg","NewHttpSever","NewNamespace","NotNil","Options","ParseForm","Patch","Policy","Post","PrintTree","Put","RESTRouter","ReadFromRequest","RenderForm","Router","RouterWithOpts","Run","RunWithMiddleWares","TestBeegoInit","Tree.AddRouter","Tree.AddTree","Tree.Match","Tree.match","URLFor","URLMap.GetMap","URLMap.GetMapData","Walk","adminApp.Run","adminController.AdminIndex","adminController.Healthcheck","adminController.ListConf","adminController.ProfIndex","adminController.PrometheusMetrics","adminController.QpsIndex","adminController.TaskStatus","beegoAppConfig.Bool","beegoAppConfig.DefaultBool","beegoAppConfig.SaveConfigFile","beegoAppConfig.Unmarshaler"]}]}}],"references":[{"type":"FIX","url":"https://github.com/beego/beego/pull/4958"},{"type":"FIX","url":"https://github.com/beego/beego/commit/64cf44d725c8cc35d782327d333df9cbeb1bf2dd"},{"type":"WEB","url":"https://github.com/beego/beego/issues/4946"},{"type":"WEB","url":"https://github.com/beego/beego/pull/4954"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0463","review_status":"REVIEWED"}}

tests/screentest/testdata/vulndb-v1/ID/GO-2024-2527.json

@@ -0,0 +1 @@
+{"schema_version":"1.3.1","id":"GO-2024-2527","modified":"2024-07-09T21:52:25Z","published":"2024-06-28T15:28:53Z","aliases":["GHSA-5x4g-q5rc-36jp"],"summary":"Insecure ciphers are allowed by default in go.etcd.io/etcd","details":"The TLS ciphers list supported by etcd contains insecure cipher suites. Users may specify that an insecure cipher is used via “--cipher-suites” flag. A list of secure suites is used by default.","affected":[{"package":{"name":"go.etcd.io/etcd","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.5.0-alpha.5.0.20221102000833-1f054980bc27"}]}],"ecosystem_specific":{"imports":[{"path":"go.etcd.io/etcd/pkg/tlsutil"}],"custom_ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.2.22"},{"fixed":"3.4.22"}]}]}}],"references":[{"type":"ADVISORY","url":"https://github.com/etcd-io/etcd/security/advisories/GHSA-5x4g-q5rc-36jp"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2024-2527","review_status":"REVIEWED"}}

tests/screentest/testdata/vulndb-v1/ID/GO-2024-2979.json

@@ -0,0 +1 @@
+{"schema_version":"1.3.1","id":"GO-2024-2979","modified":"2024-07-10T17:05:50Z","published":"2024-07-10T17:05:50Z","aliases":["CVE-2024-39897","GHSA-55r9-5mx9-qq7r"],"summary":"Cache driver GetBlob() allows read access to any blob without access control check in zotregistry.dev/zot","details":"Cache driver GetBlob() allows read access to any blob without access control check in zotregistry.dev/zot.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: zotregistry.dev/zot before v2.1.0.; zotregistry.io/zot before v2.1.0.","affected":[{"package":{"name":"zotregistry.dev/zot","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"ecosystem_specific":{"custom_ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.1.0"}]}]}},{"package":{"name":"zotregistry.io/zot","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"ecosystem_specific":{"custom_ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.1.0"}]}]}}],"references":[{"type":"ADVISORY","url":"https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39897"},{"type":"WEB","url":"https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2024-2979","review_status":"UNREVIEWED"}}

tests/screentest/testdata/vulndb-v1/index/db.json

@@ -1 +1 @@
-{"modified":"2024-05-20T16:07:13Z"}
+{"modified":"2024-07-10T17:05:50Z"}