From fb4cf0f62d57e89bd63fe3c4a828997b89e5a218 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Thu, 3 Aug 2023 10:27:08 -0300 Subject: [PATCH 1/6] feat(#4045): add custom feed --- ..._feed_updated_packace_still_vulnerable.xml | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 tests/integration/test_vulnerability_detector/data/feeds/canonical/custom_feed_updated_packace_still_vulnerable.xml diff --git a/tests/integration/test_vulnerability_detector/data/feeds/canonical/custom_feed_updated_packace_still_vulnerable.xml b/tests/integration/test_vulnerability_detector/data/feeds/canonical/custom_feed_updated_packace_still_vulnerable.xml new file mode 100644 index 0000000000..68f4b15ad6 --- /dev/null +++ b/tests/integration/test_vulnerability_detector/data/feeds/canonical/custom_feed_updated_packace_still_vulnerable.xml @@ -0,0 +1,51 @@ + + + + Canonical CVE OVAL Generator + 1.1 + 5.11.1 + 2021-11-16T15:30:28 + + + + + CVE-2023 custom-package-0 + + Ubuntu 22.04 LTS + Ubuntu 20.04 LTS + Ubuntu 18.04 LTS + Ubuntu 16.04 LTS + Ubuntu 14.04 LTS + + + + + + + + + + + + + + + + + + + custom-package-0 + + + + + 10.0.0 + + + \ No newline at end of file From 482de02668045909dcc67c81564ce78a5dc830e5 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Thu, 3 Aug 2023 10:27:24 -0300 Subject: [PATCH 2/6] feat(#4045): add test cases and configuration --- ...scan_updated_package_still_vulnerable.yaml | 59 +++++++++++++++++++ ...scan_updated_package_still_vulnerable.yaml | 14 +++++ 2 files changed, 73 insertions(+) create mode 100644 tests/integration/test_vulnerability_detector/test_scan_results/data/configuration_template/configuration_scan_updated_package_still_vulnerable.yaml create mode 100644 tests/integration/test_vulnerability_detector/test_scan_results/data/test_cases/cases_scan_updated_package_still_vulnerable.yaml 
diff --git a/tests/integration/test_vulnerability_detector/test_scan_results/data/configuration_template/configuration_scan_updated_package_still_vulnerable.yaml b/tests/integration/test_vulnerability_detector/test_scan_results/data/configuration_template/configuration_scan_updated_package_still_vulnerable.yaml
new file mode 100644
index 0000000000..80fa40a54b
--- /dev/null
+++ b/tests/integration/test_vulnerability_detector/test_scan_results/data/configuration_template/configuration_scan_updated_package_still_vulnerable.yaml
@@ -0,0 +1,59 @@
+# Canonical Configuration
+- sections:
+ - section: vulnerability-detector
+ elements:
+ - enabled:
+ value: 'yes'
+ - interval:
+ value: 5s
+ - min_full_scan_interval:
+ value: 5s
+ - run_on_start:
+ value: 'yes'
+ - provider:
+ attributes:
+ - name: canonical
+ elements:
+ - enabled:
+ value: 'yes'
+ - os:
+ attributes:
+ - path: CUSTOM_OVAL_FEED
+ value: focal
+ - provider:
+ attributes:
+ - name: nvd
+ elements:
+ - enabled:
+ value: 'yes'
+ - path:
+ value: CUSTOM_NVD_JSON_FEED
+ - update_interval:
+ value: 10s
+
+ - section: sca
+ elements:
+ - enabled:
+ value: 'no'
+
+ - section: rootcheck
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: syscheck
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: wodle
+ attributes:
+ - name: syscollector
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: auth
+ elements:
+ - disabled:
+ value: 'no'
diff --git a/tests/integration/test_vulnerability_detector/test_scan_results/data/test_cases/cases_scan_updated_package_still_vulnerable.yaml b/tests/integration/test_vulnerability_detector/test_scan_results/data/test_cases/cases_scan_updated_package_still_vulnerable.yaml
new file mode 100644
index 0000000000..9d418fdb0f
--- /dev/null
+++ b/tests/integration/test_vulnerability_detector/test_scan_results/data/test_cases/cases_scan_updated_package_still_vulnerable.yaml
@@ -0,0 +1,14 @@
+- name: no_alert_updated_package_still_vulnerable
+ description: When a package is updated to still vulnerable version, no alert appears showing package vuln as solved
+ configuration_parameters: null
+ metadata:
+ provider_name: canonical
+ system: FOCAL
+ oval_feed: custom_feed_updated_packace_still_vulnerable.xml
+ nvd_feed: real_nvd_feed.json
+ oval_feed_tag: CUSTOM_OVAL_FEED
+ nvd_feed_tag: CUSTOM_NVD_JSON_FEED
+ test_package_version: 1.0.0
+ test_package_version_still_vulnerable: 9.0.0
+ test_package_name: custom-package-0
+ cve: CVE-2023
From 93d5702edf03c60bc5c3158c4fd901aabd0fe043 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Thu, 3 Aug 2023 10:27:33 -0300 Subject: [PATCH 3/6] feat(#4045): add test module --- ...t_scan_updated_package_still_vulnerable.py | 186 ++++++++++++++++++ 1 file changed, 186 insertions(+) create mode 100644 tests/integration/test_vulnerability_detector/test_scan_results/test_scan_updated_package_still_vulnerable.py
diff --git a/tests/integration/test_vulnerability_detector/test_scan_results/test_scan_updated_package_still_vulnerable.py b/tests/integration/test_vulnerability_detector/test_scan_results/test_scan_updated_package_still_vulnerable.py
new file mode 100644
index 0000000000..a1d90a3ef5
--- /dev/null
+++ b/tests/integration/test_vulnerability_detector/test_scan_results/test_scan_updated_package_still_vulnerable.py
@@ -0,0 +1,186 @@
+'''
+copyright: Copyright (C) 2015-2023, Wazuh Inc.
+
+ Created by Wazuh, Inc. .
+
+ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: Wazuh is able to detect vulnerabilities in the applications installed in agents using the Vulnerability Detector
+ module. This software audit is performed through the integration of vulnerability feeds indexed by Redhat,
+ Canonical, Debian, SUSE, Amazon Linux and NVD Database.
+
+components:
+ - vulnerability_detector
+
+suite: scan_results
+
+targets:
+ - manager
+
+daemons:
+ - wazuh-modulesd
+ - wazuh-db
+ - wazuh-analysisd
+
+os_platform:
+ - linux
+
+os_version:
+ - Arch Linux
+ - Amazon Linux 2022
+ - Amazon Linux 2
+ - Amazon Linux 1
+ - CentOS 8
+ - CentOS 7
+ - Debian Buster
+ - Red Hat 8
+ - Ubuntu Focal
+ - Ubuntu Bionic
+ - Suse Enterprise Linux Server 15
+ - Suse Enterprise Linux Server 12
+ - Suse Enterprise Linux Server 11
+ - Suse Enterprise Linux Desktop 15
+ - Suse Enterprise Linux Desktop 12
+ - Suse Enterprise Linux Desktop 11
+
+references:
+ - https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/index.html
+ - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/vuln-detector.html#provider
+
+tags:
+ - settings
+ - vulnerability
+ - vulnerability_detector
+ - providers
+'''
+import os
+import pytest
+import time
+
+from wazuh_testing.tools import configuration
+from wazuh_testing.tools.file import read_yaml
+from wazuh_testing.db_interface import agent_db, cve_db
+from wazuh_testing.tools.time import get_current_timestamp
+from wazuh_testing.modules import vulnerability_detector as vd
+from wazuh_testing.modules.vulnerability_detector import event_monitor as evm
+
+
+# Reference paths
+TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
+CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template')
+TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases')
+TEST_FEEDS_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'data', 'feeds')
+
+# Configuration and cases data
+configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_scan_updated_package_still_vulnerable.yaml')
+cases_path = os.path.join(TEST_CASES_PATH, 'cases_scan_updated_package_still_vulnerable.yaml')
+
+
+# Test configurations
+configurations = read_yaml(configurations_path)
+metadata = [item['metadata'] for item in read_yaml(cases_path)]
+configuration_parameters, configuration_metadata, test_case_ids = configuration.get_test_cases_data(cases_path)
+configurations = vd.update_feed_path_configurations(configurations, metadata, TEST_FEEDS_PATH)
+systems = [metadata['system'] for metadata in configuration_metadata]
+
+
+@pytest.mark.tier(level=1)
+@pytest.mark.parametrize('configuration, metadata, agent_system', zip(configurations, configuration_metadata, systems),
+ ids=test_case_ids)
+def test_vulnerability_updated_package_still_vulnerable(configuration, metadata, agent_system,
+ set_wazuh_configuration_vdt, truncate_monitored_files,
+ clean_cve_tables_func, setup_log_monitor,
+ prepare_full_scan_with_vuln_packages_and_custom_system,
+ restart_modulesd_function):
+ '''
+ description: Check that the Vulnerability Detector module does not generates an alert when a vulnerability is
+ updated to a version that is still vulnerable for a given CVE.
+
+ test_phases:
+ - Set a custom Wazuh configuration.
+ - Mock an agent with a custom system and vulnerable packages.
+ - Force a full scan.
+ - Restart wazuh-modulesd.
+ - Wait for full scan event log.
+ - Update one vulnerable package to a non-vulnerable version.
+ - Force again a full scan and wait for the full scan event log.
+ - Check that package update has been detected and an alert with new version is generated.
+ - Check no alert is generated for the removal of the older version.
+
+ wazuh_min_version: 4.6.0
+
+ tier: 1
+
+ parameters:
+ - configuration:
+ type: dict
+ brief: Wazuh configuration data. Needed for set_wazuh_configuration fixture.
+ - metadata:
+ type: dict
+ brief: Wazuh configuration metadata
+ - agent_system:
+ type: str
+ brief: System to set to the mocked agent.
+ - set_wazuh_configuration_vdt:
+ type: fixture
+ brief: Set the wazuh configuration according to the configuration data.
+ - truncate_monitored_files:
+ type: fixture
+ brief: Truncate all the log files and json alerts files before and after the test execution.
+ - clean_cve_tables_func:
+ type: fixture
+ brief: Clean all the vulnerabilities tables before and after running the test.
+ - prepare_full_scan_with_vuln_packages_and_custom_system:
+ type: fixture
+ brief: Insert vulnerable packages to an agent with a custom system and finally clean the database.
+ - setup_log_monitor:
+ type: fixture
+ brief: Create the log monitor.
+ - restart_modulesd_function:
+ type: fixture
+ brief: Restart the wazuh-modulesd daemon.
+
+ assertions:
+ - The full scan will start for the agent.
+ - The full scan finish for the agent.
+ - The package with new version is vulnerable.
+ - The package's older version is not shown as solved
+
+ input_description:
+ - The `cases_scan_updated_package_still_vulnerable.yaml` file provides the module configuration for this test.
+
+ expected_output:
+ - 'A full scan will be run on agent '
+ - 'Finished vulnerability assessment for agent '
+ - ' affecting was eliminated'
+ - Package '' not vulnerable to ''
+ '''
+ agent_id = prepare_full_scan_with_vuln_packages_and_custom_system
+ log_monitor = setup_log_monitor
+
+ # Wait for full scan event log
+ evm.check_full_scan_start_finish(log_monitor=log_monitor, agent_id=agent_id)
+
+ # Check the package has been marked as vulnerable and generated an alert
+ evm.check_vulnerability_affects_alert(package=metadata['test_package_name'], cve=metadata['cve'],
+ agent_id=agent_id)
+
+ # Update test package 1 to a vulnerable version 2.0.
+ agent_db.update_package(agent_id=agent_id, package=metadata['test_package_name'],
+ version=metadata['test_package_version_still_vulnerable'])
+
+ # Force a full scan again after simulating the update the NVD feed and passing the min_full_scan_interval
+ cve_db.update_nvd_metadata_vuldet(int(get_current_timestamp()))
+
+ # Check again the full scan event
+ evm.check_full_scan_start_finish(log_monitor=log_monitor, agent_id=agent_id)
+
+ # Check the new version of the package generates and alert
+ evm.check_vulnerability_affects_alert(package=metadata['test_package_name'], cve=metadata['cve'],
+ agent_id=agent_id)
+
+ # Check the old version of the package being removed is not shown as solved
+ with pytest.raises(TimeoutError):
+ evm.check_vulnerability_scan_remove_alert(metadata['test_package_name'], metadata['cve'], agent_id=agent_id)
From 18fa7b86f2c5959cfc8fd859de82e4f5ad17bd2a Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Thu, 3 Aug 2023 17:52:31 -0300 Subject: [PATCH 4/6] docs(#4045): case name and description --- .../cases_scan_updated_package_still_vulnerable.yaml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
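Review bot: The docstring's test_phases entry `- Update one vulnerable package to a non-vulnerable version.` and the inline comment `# Update test package 1 to a vulnerable version 2.0.` both contradict the body, which passes `metadata['test_package_version_still_vulnerable']` (9.0.0 in the cases file) to `agent_db.update_package`; replace them with `- Update the vulnerable package to another version that is still vulnerable to the same CVE.` and `# Update the test package to a version that is still vulnerable to the same CVE.`, and fix `does not generates` to `does not generate` in the description. `import time` is unused (only `get_current_timestamp` is called) and should be dropped, and `input_description` credits the cases YAML with providing the module configuration when that comes from `configuration_scan_updated_package_still_vulnerable.yaml`. The closing `pytest.raises(TimeoutError)` accepts any timeout, so if `check_vulnerability_scan_remove_alert` can time out for an unrelated reason (a monitor that is not positioned after the second scan, a mismatched agent id) the negative assertion passes vacuously; consider passing an explicit short timeout and, if the helper accepts it, the old version, so the wait is tied to the exact remove event for this package. The second `check_vulnerability_affects_alert` call uses the same package and CVE as the first one and no version, so unless the helper only reads lines written after the first match, it may be satisfied by the first scan's alert rather than the post-update one — worth confirming against the helper or adding the version to the match.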
diff --git a/tests/integration/test_vulnerability_detector/test_scan_results/data/test_cases/cases_scan_updated_package_still_vulnerable.yaml b/tests/integration/test_vulnerability_detector/test_scan_results/data/test_cases/cases_scan_updated_package_still_vulnerable.yaml index 9d418fdb0f..8ff547db5c 100644 --- a/tests/integration/test_vulnerability_detector/test_scan_results/data/test_cases/cases_scan_updated_package_still_vulnerable.yaml +++ b/tests/integration/test_vulnerability_detector/test_scan_results/data/test_cases/cases_scan_updated_package_still_vulnerable.yaml @@ -1,10 +1,12 @@ -- name: no_alert_updated_package_still_vulnerable - description: When a package is updated to still vulnerable version, no alert appears showing package vuln as solved +- name: VULN_REMAINS_IN_PACKAGE_AFTER_UPDATE + description: Verify that when updating a vulnerable package to another version that is still vulnerable to the same + CVE, the system triggers an alert for the new package installed but does not generate an alert notifying + that the vulnerability was solved. configuration_parameters: null metadata: provider_name: canonical system: FOCAL - oval_feed: custom_feed_updated_packace_still_vulnerable.xml + oval_feed: custom_feed_updated_package_still_vulnerable.xml nvd_feed: real_nvd_feed.json oval_feed_tag: CUSTOM_OVAL_FEED nvd_feed_tag: CUSTOM_NVD_JSON_FEED From 308bc8c4b492b99c117039f889eef100fbdd668d Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Thu, 3 Aug 2023 17:52:52 -0300 Subject: [PATCH 5/6] style(#4045): rename feed file name --- ...ble.xml => custom_feed_updated_package_still_vulnerable.xml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename tests/integration/test_vulnerability_detector/data/feeds/canonical/{custom_feed_updated_packace_still_vulnerable.xml => custom_feed_updated_package_still_vulnerable.xml} (99%) 
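Review bot: The `oval_feed` value is changed here to `custom_feed_updated_package_still_vulnerable.xml`, but the feed file is only renamed from `custom_feed_updated_packace_still_vulnerable.xml` in the next commit of the series, so at this commit the test case points at a feed that does not exist and the module cannot resolve it through `update_feed_path_configurations`. Folding the rename into this commit (or reordering the two) keeps every commit in the series runnable, which matters for bisecting. The commit title says `docs(...)`, but changing a feed path is a functional change and the title could say so.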
diff --git a/tests/integration/test_vulnerability_detector/data/feeds/canonical/custom_feed_updated_packace_still_vulnerable.xml b/tests/integration/test_vulnerability_detector/data/feeds/canonical/custom_feed_updated_package_still_vulnerable.xml similarity index 99% rename from tests/integration/test_vulnerability_detector/data/feeds/canonical/custom_feed_updated_packace_still_vulnerable.xml rename to tests/integration/test_vulnerability_detector/data/feeds/canonical/custom_feed_updated_package_still_vulnerable.xml index 68f4b15ad6..1ead72476d 100644 --- a/tests/integration/test_vulnerability_detector/data/feeds/canonical/custom_feed_updated_packace_still_vulnerable.xml +++ b/tests/integration/test_vulnerability_detector/data/feeds/canonical/custom_feed_updated_package_still_vulnerable.xml @@ -48,4 +48,4 @@ 10.0.0 - \ No newline at end of file + From 25ad72d561b6f97e97a494e3dffd67adf0343728 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Carmelo=20Micalizzi=20Casali?= Date: Thu, 3 Aug 2023 18:35:15 -0300 Subject: [PATCH 6/6] style(#4045): fix description indentation --- .../cases_scan_updated_package_still_vulnerable.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/integration/test_vulnerability_detector/test_scan_results/data/test_cases/cases_scan_updated_package_still_vulnerable.yaml b/tests/integration/test_vulnerability_detector/test_scan_results/data/test_cases/cases_scan_updated_package_still_vulnerable.yaml index 8ff547db5c..ca51ba2d57 100644 --- a/tests/integration/test_vulnerability_detector/test_scan_results/data/test_cases/cases_scan_updated_package_still_vulnerable.yaml +++ b/tests/integration/test_vulnerability_detector/test_scan_results/data/test_cases/cases_scan_updated_package_still_vulnerable.yaml 
@@ -1,7 +1,7 @@ - name: VULN_REMAINS_IN_PACKAGE_AFTER_UPDATE description: Verify that when updating a vulnerable package to another version that is still vulnerable to the same - CVE, the system triggers an alert for the new package installed but does not generate an alert notifying - that the vulnerability was solved. + CVE, the system triggers an alert for the new package installed but does not generate an alert notifying + that the vulnerability was solved. configuration_parameters: null metadata: provider_name: canonical