foreman_cve_scanner 0.5.0 → 0.6.0

data/test/controllers/api/v2/cve_scans_controller_test.rb

@@ -7,8 +7,8 @@ module Api
     class CveScansControllerTest < ActionController::TestCase
       def setup
         @host = FactoryBot.create(:host)
-        @scan_old = create_scan(created_at: 2.hours.ago, total: 1, low: 1)
-        @scan_new = create_scan(created_at: 1.hour.ago, total: 2, high: 2)
+        @scan_old = create_scan(created_at: 2.hours.ago, scanned_at: 2.hours.ago, total: 1, low: 1)
+        @scan_new = create_scan(created_at: 1.hour.ago, scanned_at: 1.hour.ago, total: 2, high: 2)
       end
 
       test 'index returns scans for host' do
@@ -33,11 +33,130 @@ module Api
         assert_equal @scan_old.id, body['id']
       end
 
+      test 'import imports external scan for host' do
+        assert_difference('ForemanCveScanner::CveScan.count', 1) do
+          post :import, params: {
+            host_id: @host.id,
+            cve_scan: create_payload,
+          }
+        end
+
+        assert_response :created
+        body = ActiveSupport::JSON.decode(@response.body)
+        assert_equal 'external', body['source']
+        assert_equal 1, body['critical']
+      end
+
+      test 'import rejects scan without scanned_at' do
+        post :import, params: {
+          host_id: @host.id,
+          cve_scan: create_payload.except(:scanned_at),
+        }
+
+        assert_response :unprocessable_entity
+      end
+
+      test 'compare returns scan comparison for host' do
+        set_comparison_findings!
+
+        get :compare, params: {
+          host_id: @host.id,
+          first_id: @scan_old.id,
+          second_id: @scan_new.id,
+        }
+
+        assert_response :success
+        body = ActiveSupport::JSON.decode(@response.body)
+        assert_equal @scan_old.id, body['previous']['id']
+        assert_equal 1, body['summary']['updated']
+        assert_equal 1, body['summary']['resolved']
+        assert_equal 1, body['summary']['new']
+      end
+
+      test 'compare includes diff payload for updated finding' do
+        set_comparison_findings!
+
+        get :compare, params: {
+          host_id: @host.id,
+          first_id: @scan_old.id,
+          second_id: @scan_new.id,
+        }
+
+        assert_response :success
+        body = ActiveSupport::JSON.decode(@response.body)
+        updated_row = body['results'].find { |row| row['id'] == 'CVE-1' }
+        assert_equal 'updated', updated_row['status']
+        assert_equal 'CRITICAL', updated_row['diff']['severity']['new']
+      end
+
+      test 'compare requires both scan ids' do
+        get :compare, params: { host_id: @host.id, first_id: @scan_old.id }
+
+        assert_response :unprocessable_entity
+      end
+
+      test 'export returns csv headers for scan by id' do
+        set_export_findings!
+
+        get :export, params: { host_id: @host.id, id: @scan_old.id }
+
+        assert_response :success
+        assert_export_headers
+      end
+
+      test 'export returns csv body for scan by id' do
+        set_export_findings!
+
+        get :export, params: { host_id: @host.id, id: @scan_old.id }
+
+        assert_response :success
+        assert_export_body
+      end
+
+      test 'show does not return a scan from another host' do
+        other_host = FactoryBot.create(:host)
+        other_scan = create_scan(host: other_host, total: 1, low: 1)
+
+        assert_not_found do
+          get :show, params: { host_id: @host.id, id: other_scan.id }
+        end
+      end
+
+      test 'export does not return a scan from another host' do
+        other_host = FactoryBot.create(:host)
+        other_scan = create_scan(host: other_host, total: 1, low: 1)
+
+        assert_not_found do
+          get :export, params: { host_id: @host.id, id: other_scan.id }
+        end
+      end
+
+      test 'compare does not return scans from another host' do
+        other_host = FactoryBot.create(:host)
+        other_scan = create_scan(host: other_host, total: 1, low: 1)
+
+        assert_not_found do
+          get :compare, params: {
+            host_id: @host.id,
+            first_id: @scan_old.id,
+            second_id: other_scan.id,
+          }
+        end
+      end
+
       test 'index returns not found for unknown host' do
         get :index, params: { host_id: 'does-not-exist' }
         assert_response :not_found
       end
 
+      test 'index finds host by name' do
+        get :index, params: { host_id: @host.name }
+        assert_response :success
+        body = ActiveSupport::JSON.decode(@response.body)
+        assert_not_nil body['results']
+        assert_equal 2, body['results'].size
+      end
+
       test 'latest returns no content when no scans exist' do
         ForemanCveScanner::CveScan.delete_all
 
@@ -45,22 +164,44 @@ module Api
         assert_response :no_content
       end
 
+      test 'destroy deletes scan for host' do
+        assert_difference('ForemanCveScanner::CveScan.count', -1) do
+          delete :destroy, params: { host_id: @host.id, id: @scan_old.id }
+        end
+
+        assert_response :success
+      end
+
+      test 'destroy does not delete a scan from another host' do
+        other_host = FactoryBot.create(:host)
+        other_scan = create_scan(host: other_host, total: 1, low: 1)
+
+        assert_no_difference('ForemanCveScanner::CveScan.count') do
+          assert_not_found do
+            delete :destroy, params: { host_id: @host.id, id: other_scan.id }
+          end
+        end
+      end
+
       private
 
-      # rubocop:disable Metrics/MethodLength
       def create_scan(options = {})
         defaults = {
           created_at: Time.now.utc,
+          scanned_at: Time.current,
           total: 0,
           critical: 0,
           high: 0,
           medium: 0,
           low: 0,
+          host: @host,
         }
         options = defaults.merge(options)
         ForemanCveScanner::CveScan.create!(
-          host: @host,
+          host: options[:host],
           scanner: 'trivy',
+          source: 'rex',
+          scanned_at: options[:scanned_at],
           created_at: options[:created_at],
           raw: { 'dummy' => true },
           summary: { 'worst' => 'low' },
@@ -72,7 +213,121 @@ module Api
           low: options[:low]
         )
       end
-      # rubocop:enable Metrics/MethodLength
+
+      def set_export_findings!
+        @scan_old.update!(
+          findings: [
+            {
+              'severity' => 'HIGH',
+              'published' => '2026-02-20',
+              'name' => 'openssl',
+              'version' => '1.1',
+              'fixed' => '1.2',
+              'status' => 'fixed',
+              'id' => 'CVE-2026-0001',
+              'title' => 'OpenSSL issue',
+              'url' => 'https://example.test/CVE-2026-0001',
+            },
+          ]
+        )
+      end
+
+      def create_payload
+        {
+          scanner: 'custom-scanner',
+          source: 'external',
+          scanned_at: '2026-05-14T08:00:00Z',
+          findings: [external_finding],
+        }
+      end
+
+      def set_comparison_findings!
+        @scan_old.update!(findings: old_comparison_findings)
+        @scan_new.update!(findings: new_comparison_findings)
+      end
+
+      def external_finding
+        {
+          id: 'CVE-2026-1111',
+          name: 'openssl',
+          severity: 'CRITICAL',
+          version: '1.0',
+          fixed: '1.1',
+          status: 'affected',
+          title: 'OpenSSL issue',
+          published: '2026-05-14T06:00:00Z',
+          url: 'https://example.test/CVE-2026-1111',
+        }
+      end
+
+      def old_comparison_findings
+        [
+          comparison_finding(
+            id: 'CVE-1',
+            name: 'openssl',
+            severity: 'HIGH',
+            version: '1.0',
+            title: 'OpenSSL issue'
+          ),
+          comparison_finding(
+            id: 'CVE-2',
+            name: 'curl',
+            severity: 'LOW',
+            version: '1.0',
+            title: 'Curl issue'
+          ),
+        ]
+      end
+
+      def new_comparison_findings
+        [
+          comparison_finding(
+            id: 'CVE-1',
+            name: 'openssl',
+            severity: 'CRITICAL',
+            version: '1.0',
+            title: 'OpenSSL issue'
+          ),
+          comparison_finding(
+            id: 'CVE-3',
+            name: 'bash',
+            severity: 'MEDIUM',
+            version: '2.0',
+            title: 'Bash issue',
+            published: '2026-02-21'
+          ),
+        ]
+      end
+
+      def comparison_finding(attributes)
+        {
+          'id' => attributes.fetch(:id),
+          'name' => attributes.fetch(:name),
+          'severity' => attributes.fetch(:severity),
+          'version' => attributes.fetch(:version),
+          'title' => attributes.fetch(:title),
+          'published' => attributes.fetch(:published, '2026-02-20'),
+        }
+      end
+
+      def assert_not_found
+        yield
+        assert_response :not_found
+      rescue ActiveRecord::RecordNotFound
+        assert true
+      end
+
+      def assert_export_headers
+        assert_includes @response.header['Content-Type'], 'text/csv'
+        assert_includes @response.header['Content-Disposition'], 'attachment'
+        assert_includes @response.header['Content-Disposition'], @host.shortname
+      end
+
+      def assert_export_body
+        assert_includes @response.body, 'Severity,Published,Package'
+        assert_includes @response.body, 'CVE-2026-0001'
+        assert_includes @response.body, 'openssl'
+      end
     end
   end
 end

data/test/lib/foreman_cve_scanner/profiles_uploader_test.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+
+module ForemanCveScanner
+  class ProfilesUploaderTest < ActiveSupport::TestCase
+    class DummyUploader
+      prepend ForemanCveScanner::ProfilesUploader
+
+      def initialize(host:, result:)
+        @host = host
+        @result = result
+      end
+
+      def upload
+        @result
+      end
+    end
+
+    def setup
+      skip 'Katello is not installed' unless Foreman::Plugin.installed?(:katello)
+
+      @host = FactoryBot.create(:host)
+      @previous_preferred_scanner = Setting[:preferred_cve_scanner]
+      @previous_run_after_upload = Setting[:run_cve_scan_after_host_profiles_upload]
+    end
+
+    def teardown
+      return unless Foreman::Plugin.installed?(:katello)
+
+      Setting[:preferred_cve_scanner] = @previous_preferred_scanner
+      Setting[:run_cve_scan_after_host_profiles_upload] = @previous_run_after_upload
+    end
+
+    test 'upload schedules cve scan when setting is enabled' do
+      Setting[:preferred_cve_scanner] = 'grype'
+      Setting[:run_cve_scan_after_host_profiles_upload] = true
+
+      captured = {}
+      triggering = Struct.new(:mode).new
+      composer = Struct.new(:triggering) do
+        attr_reader :triggered
+
+        def trigger!
+          @triggered = true
+        end
+      end.new(triggering)
+
+      JobInvocationComposer.stub(:for_feature, lambda { |feature, host, scanner:|
+        captured[:feature] = feature
+        captured[:host] = host
+        captured[:scanner] = scanner
+        composer
+      }) do
+        assert DummyUploader.new(host: @host, result: true).upload
+      end
+
+      assert_equal [:run_cve_scan, @host, 'grype'],
+        [captured[:feature], captured[:host], captured[:scanner]]
+      assert_equal :future, triggering.mode
+      assert composer.triggered
+    end
+
+    test 'upload keeps upstream result when scan scheduling fails' do
+      Setting[:run_cve_scan_after_host_profiles_upload] = true
+
+      JobInvocationComposer.stub(:for_feature, lambda { |_feature, _host, scanner:|
+        raise StandardError, scanner
+      }) do
+        assert DummyUploader.new(host: @host, result: true).upload
+      end
+    end
+
+    test 'upload does not schedule cve scan when setting is disabled' do
+      Setting[:run_cve_scan_after_host_profiles_upload] = false
+
+      JobInvocationComposer.stub(:for_feature, lambda { |_feature, _host, scanner:|
+        flunk("unexpected scanner #{scanner}")
+      }) do
+        assert DummyUploader.new(host: @host, result: true).upload
+      end
+    end
+  end
+end

data/test/lib/foreman_cve_scanner/template_helpers_test.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+
+module ForemanCveScanner
+  class TemplateHelpersTest < ActiveSupport::TestCase
+    include ForemanCveScanner::TemplateHelpers
+
+    def setup
+      @previous_preferred_scanner = Setting[:preferred_cve_scanner]
+    end
+
+    def teardown
+      Setting[:preferred_cve_scanner] = @previous_preferred_scanner
+    end
+
+    test 'foreman_cve_scanner returns preferred scanner setting' do
+      Setting[:preferred_cve_scanner] = 'grype'
+
+      assert_equal 'grype', foreman_cve_scanner('preferred_scanner')
+    end
+
+    test 'foreman_cve_scanner raises for unknown setting name' do
+      assert_raises(::Foreman::Exception) do
+        foreman_cve_scanner('unknown_setting')
+      end
+    end
+  end
+end

data/test/models/foreman_cve_scanner/cve_scan_test.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+
+module ForemanCveScanner
+  class CveScanTest < ActiveSupport::TestCase
+    def setup
+      @host = FactoryBot.create(:host)
+    end
+
+    test 'is invalid without required host, scanner, source and scanned_at attributes' do
+      scan = CveScan.new
+
+      assert_not scan.valid?
+      assert_includes scan.errors.attribute_names, :host_id
+      assert_includes scan.errors.attribute_names, :scanner
+      assert_includes scan.errors.attribute_names, :source
+      assert_includes scan.errors.attribute_names, :scanned_at
+    end
+
+    test 'is invalid without required raw and summary payload attributes' do
+      scan = CveScan.new
+
+      assert_not scan.valid?
+      assert_includes scan.errors.attribute_names, :raw
+      assert_includes scan.errors.attribute_names, :summary
+    end
+
+    test 'is invalid with nil findings' do
+      scan = CveScan.new(
+        host: @host,
+        scanner: 'trivy',
+        source: 'rex',
+        scanned_at: Time.current,
+        raw: { 'dummy' => true },
+        summary: { 'worst' => 'none' },
+        findings: nil,
+        total: 0,
+        critical: 0,
+        high: 0,
+        medium: 0,
+        low: 0
+      )
+
+      assert_not scan.valid?
+      assert_includes scan.errors.attribute_names, :findings
+    end
+
+    test 'is valid with empty findings' do
+      scan = CveScan.new(
+        host: @host,
+        scanner: 'trivy',
+        source: 'rex',
+        scanned_at: Time.current,
+        raw: { 'dummy' => true },
+        summary: { 'worst' => 'none' },
+        findings: [],
+        total: 0,
+        critical: 0,
+        high: 0,
+        medium: 0,
+        low: 0
+      )
+
+      assert scan.valid?
+    end
+
+    test 'for_host returns only scans for the given host' do
+      other_host = FactoryBot.create(:host)
+      host_scan = create_scan(host: @host, total: 1)
+      other_scan = create_scan(host: other_host, total: 2)
+
+      result = CveScan.for_host(@host.id)
+
+      assert_includes result, host_scan
+      assert_not_includes result, other_scan
+    end
+
+    test 'recent_first orders by scanned_at desc and id desc' do
+      older = create_scan(host: @host, scanned_at: 2.hours.ago)
+      newer = create_scan(host: @host, scanned_at: 1.hour.ago)
+      timestamp = Time.zone.parse('2026-05-13 10:00:00')
+      same_time_a = create_scan(host: @host, scanned_at: timestamp)
+      same_time_b = create_scan(host: @host, scanned_at: timestamp)
+
+      result = CveScan.recent_first.to_a
+
+      assert_operator result.index(newer), :<, result.index(older)
+      assert_operator result.index(same_time_b), :<, result.index(same_time_a)
+    end
+
+    test 'destroying a host destroys its cve scans' do
+      create_scan(host: @host, total: 1)
+      create_scan(host: @host, total: 2)
+
+      assert_difference('ForemanCveScanner::CveScan.count', -2) do
+        @host.destroy
+      end
+    end
+
+    private
+
+    def create_scan(host:, scanned_at: Time.current, total: 0)
+      CveScan.create!(
+        host: host,
+        scanner: 'trivy',
+        source: 'rex',
+        scanned_at: scanned_at,
+        raw: { 'dummy' => true },
+        summary: { 'worst' => 'low' },
+        findings: [{ 'id' => 'CVE-0000-0000' }],
+        total: total,
+        critical: 0,
+        high: 0,
+        medium: 0,
+        low: total
+      )
+    end
+  end
+end

data/test/models/host_status/cve_status_test.rb

@@ -39,6 +39,14 @@ module HostStatus
       assert_equal 1, status.to_status
     end
 
+    test 'zero findings scan returns ok status' do
+      create_scan(critical: 0, high: 0, medium: 0, low: 0)
+      status = @host.get_status(HostStatus::CveStatus)
+      assert_equal 'No CVEs found', status.to_label
+      assert_equal HostStatus::Global::OK, status.to_global
+      assert_equal 0, status.to_status
+    end
+
     test 'status is registered in registry' do
       assert_includes HostStatus.status_registry, HostStatus::CveStatus
     end
@@ -50,10 +58,11 @@ module HostStatus
       ForemanCveScanner::CveScan.create!(
         host: @host,
         scanner: 'trivy',
-        created_at: Time.now.utc,
+        source: 'rex',
+        scanned_at: Time.current,
         raw: { 'dummy' => true },
-        summary: { 'worst' => 'low' },
-        findings: [{ 'id' => 'CVE-0000-0000' }],
+        summary: { 'worst' => total.zero? ? 'none' : 'low' },
+        findings: total.zero? ? [] : [{ 'id' => 'CVE-0000-0000' }],
         total: total,
         critical: critical,
         high: high,

data/test/services/foreman_cve_scanner/scan_cleanup_test.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+
+module ForemanCveScanner
+  class ScanCleanupTest < ActiveSupport::TestCase
+    def setup
+      @host = FactoryBot.create(:host)
+      @previous_setting = Setting[:cve_scan_delete_after_days]
+    end
+
+    def teardown
+      Setting[:cve_scan_delete_after_days] = @previous_setting
+    end
+
+    test 'cleanup! does nothing when retention is disabled' do
+      Setting[:cve_scan_delete_after_days] = 0
+      old_scan = create_scan(10.days.ago)
+
+      deleted = ScanCleanup.new(scope: @host.cve_scans).cleanup!
+
+      assert_equal 0, deleted
+      assert ForemanCveScanner::CveScan.exists?(old_scan.id)
+    end
+
+    test 'cleanup! removes scans older than configured retention' do
+      Setting[:cve_scan_delete_after_days] = 5
+      old_scan = create_scan(10.days.ago)
+      recent_scan = create_scan(2.days.ago)
+
+      deleted = ScanCleanup.new(scope: @host.cve_scans).cleanup!
+
+      assert_equal 1, deleted
+      assert_not ForemanCveScanner::CveScan.exists?(old_scan.id)
+      assert ForemanCveScanner::CveScan.exists?(recent_scan.id)
+    end
+
+    test 'cleanup! uses explicit day override' do
+      Setting[:cve_scan_delete_after_days] = 30
+      old_scan = create_scan(10.days.ago)
+      recent_scan = create_scan(2.days.ago)
+
+      deleted = ScanCleanup.new(scope: @host.cve_scans, days: 5).cleanup!
+
+      assert_equal 1, deleted
+      assert_not ForemanCveScanner::CveScan.exists?(old_scan.id)
+      assert ForemanCveScanner::CveScan.exists?(recent_scan.id)
+    end
+
+    private
+
+    def create_scan(scanned_at)
+      ForemanCveScanner::CveScan.create!(
+        host: @host,
+        scanner: 'trivy',
+        source: 'rex',
+        scanned_at: scanned_at,
+        raw: { 'dummy' => true },
+        summary: { 'worst' => 'low' },
+        findings: [{ 'id' => 'CVE-0000-0000' }],
+        total: 1,
+        critical: 0,
+        high: 0,
+        medium: 0,
+        low: 1
+      )
+    end
+  end
+end