wazuh · snaow · Nov 2, 2021 · Jun 9, 2021 · Jun 9, 2021 · Jun 9, 2021
diff --git a/deps/wazuh_testing/wazuh_testing/vulnerability_detector.py b/deps/wazuh_testing/wazuh_testing/vulnerability_detector.py
@@ -43,29 +43,78 @@
 CUSTOM_NVD_VULNERABILITIES_2 = 'nvd_vulnerabilities_2.json'
 CUSTOM_MSU_JSON_FEED = 'custom_msu.json'
 CUSTOM_ARCHLINUX_JSON_FEED = 'custom_archlinux_feed.json'
+CUSTOM_ALAS_JSON_FEED = 'custom_alas_feed.json'
+CUSTOM_ALAS2_JSON_FEED = 'custom_alas2_feed.json'
 INVALID_RHEL_FEEDS_CONF = 'wazuh_invalid_redhat_feed.yaml'
 INVALID_CANONICAL_FEEDS_CONF = 'wazuh_invalid_canonical_feed.yaml'
 INVALID_ARCHLINUX_FEEDS_CONF = 'wazuh_invalid_archlinux_feed.yaml'
 INVALID_DEBIAN_FEEDS_CONF = 'wazuh_invalid_debian_feed.yaml'
 INVALID_MSU_FEEDS_CONF = 'wazuh_invalid_msu_feed.yaml'
+INVALID_ALAS_FEEDS_CONF = 'wazuh_invalid_alas_feed.yaml'
+INVALID_ALAS2_FEEDS_CONF = 'wazuh_invalid_alas2_feed.yaml'
 
 REDHAT_NUM_CUSTOM_VULNERABILITIES = 1
 CANONICAL_NUM_CUSTOM_VULNERABILITIES = 1
 DEBIAN_NUM_CUSTOM_VULNERABILITIES = 3
 NVD_NUM_CUSTOM_VULNERABILITIES = 5
 ARCH_NUM_CUSTOM_VULNERABILITIES = 50
+ALAS_NUM_CUSTOM_VULNERABILITIES = 36
+ALAS2_NUM_CUSTOM_VULNERABILITIES = 18
 
 SYSTEM_DATA = {
- 'RHEL8': {'target': 'RHEL8', 'os_name': 'CentOS Linux', 'os_major': '8', 'os_minor': '1', 'name': 'centos8'},
- 'BIONIC': {'target': 'BIONIC', 'os_name': 'Ubuntu', 'os_major': '18', 'os_minor': '04', 'name': 'Ubuntu-bionic'},
- 'BUSTER': {'target': 'BUSTER', 'os_name': 'Debian GNU/Linux', 'os_major': '10', 'os_minor': '0', 'name': 'debian10'},
- 'ARCH': {'target': 'ARCH', 'os_name': 'Arch Linux', 'os_major': '', 'os_minor': '', 'name': 'archlinux'}
+ 'WINDOWS10': {'target': 'WINDOWS10', 'os_name': 'Microsoft Windows Server 2016 Datacenter Evaluation',
+ 'os_major': '10', 'os_minor': '0', 'os_platform': 'windows', 'name': 'windows', 'format': 'win'},
+ 'MAC': {'target': 'MAC', 'os_name': 'Mac OS X', 'os_major': '10', 'os_minor': '15', 'os_platform': 'darwin',
+ 'name': 'macos-catalina', 'format': 'pkg'},
+ 'MACS': {'target': 'MAC', 'os_name': 'Mac OS X Server', 'os_major': '5', 'os_minor': '10', 'os_platform': 'darwin',
+ "name": "macos-server", 'format': 'pkg'},
+ 'ARCH': {'target': 'ARCH', 'os_name': 'Arch Linux', 'os_major': '', 'os_minor': '', 'os_platform': '',
+ 'name': 'archlinux', 'format': 'rpm'},
+ 'ALAS': {'target': 'Amazon-Linux', 'os_name': 'Amazon Linux AMI', 'os_major': '2018', 'os_minor': '03',
+ 'os_platform': 'amzn', 'name': 'amazonlinux', 'format': 'rpm'},
+ 'ALAS2': {'target': 'Amazon-Linux-2', 'os_name': 'Amazon Linux', 'os_major': '2', 'os_minor': '',
+ 'os_platform': 'amzn', 'name': 'amazonlinux2', 'format': 'rpm'},
+ 'RHEL8': {'target': 'RHEL8', 'os_name': 'CentOS Linux', 'os_major': '8', 'os_minor': '1', 'os_platform': 'centos',
+ 'name': 'centos8', 'format': 'rpm'},
+ 'RHEL7': {'target': 'RHEL7', 'os_name': 'CentOS Linux', 'os_major': '7', 'os_minor': '1', 'os_platform': 'centos',
+ 'name': 'centos7', 'format': 'rpm'},
+ 'RHEL6': {'target': 'RHEL6', 'os_name': 'CentOS Linux', 'os_major': '6', 'os_minor': '1', 'os_platform': 'centos',
+ 'name': 'centos6', 'format': 'rpm'},
+ 'RHEL5': {'target': 'RHEL5', 'os_name': 'CentOS Linux', 'os_major': '5', 'os_minor': '1', 'os_platform': 'centos',
+ 'name': 'centos5', 'format': 'rpm'},
+ 'BIONIC': {'target': 'BIONIC', 'os_name': 'Ubuntu', 'os_major': '18', 'os_minor': '04', 'os_platform': 'ubuntu',
+ 'name': 'Ubuntu-bionic', 'format': 'deb'},
+ 'XENIAL': {'target': 'XENIAL', 'os_name': 'Ubuntu', 'os_major': '16', 'os_minor': '04', 'os_platform': 'ubuntu',
+ 'name': 'Ubuntu-xenial', 'format': 'deb'},
+ 'TRUSTY': {'target': 'TRUSTY', 'os_name': 'Ubuntu', 'os_major': '14', 'os_minor': '04', 'os_platform': 'ubuntu',
+ 'name': 'Ubuntu-trusty', 'format': 'deb'},
+ 'BUSTER': {'target': 'BUSTER', 'os_name': 'Debian GNU/Linux', 'os_major': '10', 'os_minor': '0',
+ 'os_platform': 'debian', 'name': 'debian10', 'format': 'deb'},
+ 'STRETCH': {'target': 'STRETCH', 'os_name': 'Debian GNU/Linux', 'os_major': '9', 'os_minor': '0',
+ 'os_platform': 'debian', 'name': 'debian9', 'format': 'deb'}
+}
+
+VENDOR = {
+ 'RHEL8': 'Red Hat, Inc.',
+ 'RHEL7': 'Red Hat, Inc.',
+ 'RHEL6': 'Red Hat, Inc.',
+ 'RHEL5': 'Red Hat, Inc.',
+ 'BIONIC': 'canonical',
+ 'XENIAL': 'canonical',
+ 'TRUSTY': 'canonical',
+ 'BUSTER': 'debian',
+ 'STRETCH': 'debian',
+ 'Amazon-Linux': 'Amazon.com',
+ 'Amazon-Linux-2': 'Amazon.com',
+ 'ARCH': 'Arch Linux',
 }
 
 NVD_LOG = 'National Vulnerability Database'
 REDHAT_LOG = 'Red Hat Enterprise Linux'
 BIONIC_LOG = 'Ubuntu Bionic'
 ARCH_LOG = 'Arch Linux'
+ALAS_LOG = 'Amazon Linux 1'
+ALAS2_LOG = 'Amazon Linux 2'
 BUSTER_LOG = 'Debian Buster'
 MSU_LOG = 'Microsoft Security Update'
 CUSTOM_MSU = 'custom_msu.json'
@@ -119,6 +168,7 @@ def mock_cve_db(func):
  @vd.mock_cve_db
  def mock_vulnerability_scan(request, mock_agent):
  """
+
  @functools.wraps(func)
  def magic(*args, **kwargs):
  control_service('stop', daemon='wazuh-modulesd')
@@ -358,7 +408,7 @@ def insert_osinfo(agent="000", scan_id=int(time()), scan_time=datetime.datetime.
 
 def insert_package(agent="000", scan_id=int(time()), format="rpm", name=DEFAULT_PACKAGE_NAME,
  priority="", section="Unspecified", size=99, vendor="wazuhintegrationtests", version="1.0.0-1.el7",
- architecture="x86_64", multiarch="", description="Wazuh Integration tests mock package",
+ architecture="noarch", multiarch="", description="Wazuh Integration tests mock package",
- architecture="noarch", multiarch="", description="Wazuh Integration tests mock package",
+ architecture='noarch', multiarch='', description='Wazuh Integration tests mock package',
- architecture="noarch", multiarch="", description="Wazuh Integration tests mock package",
+ architecture='noarch', multiarch='', description='Wazuh Integration tests mock package',
  source="Wazuh Integration tests mock package", location="", triaged=0,
  install_time=datetime.datetime.now().strftime("%Y/%m/%d %H:%M:%S"),
  scan_time=datetime.datetime.now().strftime("%Y/%m/%d %H:%M:%S"), checksum="dummychecksum"):
@@ -671,7 +721,7 @@ def check_feed_imported_successfully(wazuh_log_monitor, log_system_name, expecte
 
 
 def check_failure_when_importing_feed(wazuh_log_monitor, expected_vulnerabilities_number=0, update_position=False,
- timeout=VULN_DETECTOR_GLOBAL_TIMEOUT, parser_error=False):
+ timeout=VULN_DETECTOR_EXTENDED_GLOBAL_TIMEOUT, parser_error=False):
  """Check an error message when importing redhat OVAL feeds and checks that the vulnerabilities table is empty
 
  Args:
@@ -727,14 +777,15 @@ def set_system(system):
  pass
 
 
-def insert_data_json_feed(data, field_name, field_value, append_data):
+def insert_data_json_feed(data, field_name, field_value, append_data, brackets=True):
  """Allow insert key:value pair as string, since otherwise, you could not insert lists or dictionaries as a key
 
  Args:
  data (dict): data dictionary
  field_name (str): field name to insert
  field_value (str): field value to insert
  append_data (dict): additional data to insert
+ brackets (bool): insert data between brackets
 
  Returns:
  str: JSON string
@@ -747,9 +798,15 @@ def insert_data_json_feed(data, field_name, field_value, append_data):
  raw_data = json.dumps(data, indent=4, ensure_ascii=False).replace('"replace_me"', f"{field_name}")
 
  if append_data:
- return f"[\n{raw_data},\n{json.dumps(append_data, indent=4, ensure_ascii=False)}\n]"
+ if brackets:
+ return f"[\n{raw_data},\n{json.dumps(append_data, indent=4, ensure_ascii=False)}\n]"
+ else:
+ return f"\n{raw_data},\n{json.dumps(append_data, indent=4, ensure_ascii=False)}\n"
- if brackets:
- return f"[\n{raw_data},\n{json.dumps(append_data, indent=4, ensure_ascii=False)}\n]"
- else:
- return f"\n{raw_data},\n{json.dumps(append_data, indent=4, ensure_ascii=False)}\n"
+ response = f"\n{raw_data},\n{json.dumps(append_data, indent=4, ensure_ascii=False)}\n"
+ return f"[{response}]" if brackets else response
- if brackets:
- return f"[\n{raw_data},\n{json.dumps(append_data, indent=4, ensure_ascii=False)}\n]"
- else:
- return f"\n{raw_data},\n{json.dumps(append_data, indent=4, ensure_ascii=False)}\n"
+ response = f"\n{raw_data},\n{json.dumps(append_data, indent=4, ensure_ascii=False)}\n"
+ return f"[{response}]" if brackets else response
  else:
- return f"[\n{raw_data}]"
+ if brackets:
+ return f"[\n{raw_data}]"
+ else:
+ return f"\n{raw_data}"
- if brackets:
- return f"[\n{raw_data}]"
- else:
- return f"\n{raw_data}"
+ return f"[\n{raw_data}]" if brackets else f"\n{raw_data}"
- if brackets:
- return f"[\n{raw_data}]"
- else:
- return f"\n{raw_data}"
+ return f"[\n{raw_data}]" if brackets else f"\n{raw_data}"
 
 
 def check_if_modulesd_is_running():

diff --git a/docs/tests/integration/index.md b/docs/tests/integration/index.md
@@ -3,25 +3,25 @@
 
 Our newest integration tests are located in `wazuh-qa/tests/integration/`. They are organized by capabilities:
 
-- **[_test_active_response_](test_active_response#test_active_response)**
-- **[_test_agentd_](test_agentd#test_active_response)**
+- **[_test_active_response_](test_active_response/#test-active-response)**
+- **[_test_agentd_](test_agentd/#test-active-response)**
 - _test_analysisd_
 - _test_api_
 - _test_cluster_
 - _test_fim_
 - _test_gcloud_
 - _test_mitre_
 - _test_sca_
-- **[_test_remoted_](test_remoted#test_remoted)**
-- **[_test_vulnerability_detector_](test_vulnerability_detector#tests-vulnerability-detector)**
-- **[_test_wazuh_db_](test_wazuh_db#test_wazuh_db)**
-- **[_test_logcollector_](test_logcollector#test_logcollector)**
+- **[_test_remoted_](test_remoted/#test-remoted)**
+- **[_test_vulnerability_detector_](test_vulnerability_detector/#test-vulnerability-detector)**
+- **[_test_wazuh_db_](test_wazuh_db/#test-wazuh-db)**
+- **[_test_logcollector_](test_logcollector/#test-logcollector)**
 
 ## How to setup the test environment
 
 To run the tests you need to have `python3 >= 3.6` installed along with a set of additional dependencies.
 
-You can see all the information about it **[here](set_up_environment.md#setting-up-a-test-environment)**
+You can see all the information about it **[here](setting_up_test_environment.md#setting-up-a-test-environment)**
 
 ## About test structure
 

diff --git a/docs/tests/integration/test_vulnerability_detector/index.md b/docs/tests/integration/test_vulnerability_detector/index.md
@@ -2,21 +2,21 @@
 
 Wazuh is able to detect vulnerabilities in the applications installed in agents using the `Vulnerability Detector`
 module. This software audit is performed through the integration of vulnerability feeds indexed by `Canonical`,
-`Debian`, `RedHat`, and the `National Vulnerability Database`.
+`Debian`, `RedHat`, `Amazon Linux` and the `National Vulnerability Database`.
 
 This directory includes all the integration tests developed to test the correct functioning of this module.
 
 These tests can be classified in these categories:
 
-- **[test_feeds](test_feeds#test-feeds)**: Tests that check the behavior of Vulnerability Detector when a feed with an
-unexpected content/type is imported, feeds downloads...
+- **[test_feeds](test_feeds/#test-feeds)**: Tests that check the behavior of Vulnerability Detector when a feed with an
+unexpected content/type is imported, check feeds downloads, etc.
 
-- **[test_general_settings](test_general_settings#test-general-settings)**: Tests that check basic configuration of the
+- **[test_general_settings](test_general_settings/#test-general-settings)**: Tests that check basic configuration of the
 Vulnerability Detector in the `ossec.conf`.
 
-- **[test_providers](test_providers#test-providers)**: Tests that check the providers configuration in the `ossec.conf`.
+- **[test_providers](test_providers/#test-providers)**: Tests that check the providers configuration in the `ossec.conf`.
 
-- **[test_scan_results](test_scan_results#test-scan-results)** Tests that check if Vulnerability Detector generates
+- **[test_scan_results](test_scan_results/#test-scan-results)** Tests that check if Vulnerability Detector generates
 alerts in the right cases.
 
 We can specify the set of tests that we want to launch, either individually, module, package or custom. Normally,
@@ -71,15 +71,22 @@ Detector generates the alerts from NVD feed.
 Tests mock RedHat, Ubuntu and Debian systems, and insert custom vulnerabilities and vulnerable packages to see if
 Vulnerability Detector generates the alerts from NVD and providers feed.
 
+- **[test_alas_inventory_alas_feed](test_scan_results/test_alas_inventory_alas_feed.md#test-amazon-linux-inventory-alas-feed)**:
+Tests that mock Amazon Linux systems and insert custom vulnerabilities and vulnerable packages to check if Vulnerability
+Detector generates alerts from ALAS provider feed.
 ---
 
 ### Tier 1
 
 #### Test feeds
 
-- **[test_download_feeds](test_feeds/test_download_feed.md)**: The tests download
-the different feeds (Redhat, Canonical, Debian, and NVD), import them, and check if the confirmation message appears
+- **[test_download_feeds](test_feeds/test_download_feeds.md)**: The tests download
+the different feeds (Redhat, Canonical, Debian, Amazon Linux and NVD), import them, and check if the confirmation message appears
 in the logs.
+- **[test_invalid_type_custom_feeds](test_feeds/test_invalid_type_custom_feeds.md#test-invalid-type-custom-feeds)**:
+Tests that import files of several different types (`.mp3`, `.jpg`, `.pdf` ...) as custom feed, and check the response
+of Vulnerability Detector.
+- **[test_invalid_type_url_feeds](test_feeds/test_invalid_type_url_feeds.md)**: The tests check that when importing feed files from a bad url, vulnerability report a log parse error otherwise they are imported correctly.
 
 #### Test providers
 
@@ -103,10 +110,6 @@ result in `ossec.log`.
 
 #### Test feeds - GENERIC
 
-- **[test_invalid_type_custom_feeds](test_feeds/test_invalid_type_custom_feeds.md#test-invalid-type-custom-feeds)**:
-Tests that import files of several different types (`.mp3`, `.jpg`, `.pdf` ...) as custom feed, and check the response
-of Vulnerability Detector.
-
 - **[test_validate_feed_content](test_feeds/test_validate_feed_content.md#test-validate-feed-content)**:
 Tests that download the feeds of all providers, verify the format of each feed is as expected and their content is also
 `XML` or `JSON` parseable.
@@ -152,3 +155,17 @@ Set of tests that check the behavior of vulnerability detector when the value of
 
 - **[test_missing_tags_debian_feed](test_feeds/debian/test_missing_tags_debian_feed.md#test-missing-tags-debian-feed)**:
 Set of tests that check the behavior of Vulnerability Detector when any tag is missing from the feed.
+
+#### Test feeds - AMAZON LINUX
+
+- **[test_extra_tags_alas_feed](test_feeds/alas/test_extra_tags_alas_feed.md#test-extra-tags-alas-feed)**:
+Set of tests that check the behavior of Vulnerability Detector when there is any extra tag in the feed.
+
+- **[test_invalid_syntax_alas_feed](test_feeds/alas/test_invalid_syntax_alas_feed.md#test-invalid-syntax-alas-feed)**:
+Set of tests check the behavior of Vulnerability Detector when the feed has some kind of syntactic error.
+
+- **[test_invalid_values_alas_feed](test_feeds/alas/test_invalid_values_alas_feed.md#test-invalid-values-alas-feed)**:
+Set of tests that check the behavior of vulnerability detector when the value of a tag is not correct.
+
+- **[test_missing_tags_alas_feed](test_feeds/alas/test_missing_tags_alas_feed.md#test-missing-tags-alas-feed)**:
+Set of tests that check the behavior of Vulnerability Detector when any tag is missing from the feed.
diff --git a/...ration/test_vulnerability_detector/test_feeds/alas/test_extra_tags_alas_feed.md b/...ration/test_vulnerability_detector/test_feeds/alas/test_extra_tags_alas_feed.md
@@ -0,0 +1,63 @@
+# Test extra tags Amazon Linux feed
+
+Set of tests that are based on checking the behavior of Vulnerability Detector when there is an extra tag in the feed.
+
+## General info
+
+|Tier | Number of tests | Time spent| Test file |
+|:--:|:--:|:--:|:--:|
+| 2 | 244 | 0:46:20 | test_extra_tags_alas_feed.py |
+
+## Test logic
+
+For each of the following values a new label `<x>y</x>` will be created.
+
+```
+[[1, 2, 3], {"a": 1, "b": 2}, "extra_tag", 12345, "ñ", "テスト", "ИСПЫТАНИЕ", "测试", "اختبار", " ", ""]
+```
+
+For instance:
+
+```
+<[1, 2, 3]>[1, 2, 3]</[1, 2, 3]>, <[1, 2, 3]>{"a": 1, "b": 2}</[1, 2, 3]>, ...
+```
+
+## Tests
+
+- `test_no_feed_changes`: Check the original feed is successfully imported.
+- `test_extra_tags_alas_feed`: Check if the feeds are successfully imported when they contain new extra labels.
+
+## Checks
+
+- [x] Feed is imported successfully with the original feed.
+- [x] Vulnerabilities are inserted into the `vulnerabilities` database.
+- [x] Action status message displayed in `ossec.log`.
+- [x] `wazuh-modulesd` is still running once the test has finished (it didn't crash).
+
+## Observed behavior
+
+The feed will be successfully imported if:
+
+- The original feed is successfully imported.
+- The modified feed contains valid tags. Those tags are not empty and the type of inserted tag is `string`.
+
+For other cases, the feed will not be imported.
+
+## Execution result
+
+```
+=============================================================== test session starts ================================================================
+platform linux -- Python 3.7.3, pytest-6.2.3, py-1.10.0, pluggy-0.13.1
+OS: CentOS 8, CPU: 2, memory: 2048
+collected 244 items
+
+tests/integration/test_vulnerability_detector/test_feeds/alas/test_extra_tags_alas_feed.py ................................................. [ 20%]
+............................................................................................................................................ [ 77%]
+....................................................... [100%]
+
+========================================================= 244 passed in 2780.03s (0:46:20) =========================================================
+```
+
+## Code documentation
+
+::: tests.integration.test_vulnerability_detector.test_feeds.alas.test_extra_tags_alas_feed