From f039c485ccb95e9428c908464b196505dce0b7dc Mon Sep 17 00:00:00 2001 From: Yi Li Date: Thu, 9 Apr 2026 09:14:50 -0500 Subject: [PATCH 1/3] Fix some e2e failures (#3054) Co-authored-by: David Caravello <119438707+dcaravel@users.noreply.github.com> --- e2etests/grpc_full_test.go | 4 ++++ e2etests/sanity_test.go | 10 ++++++++++ e2etests/testcase_test.go | 2 +- 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/e2etests/grpc_full_test.go b/e2etests/grpc_full_test.go index 67d43d3fa..d065c637e 100644 --- a/e2etests/grpc_full_test.go +++ b/e2etests/grpc_full_test.go @@ -153,6 +153,10 @@ func checkGRPCMatch(t *testing.T, expectedVuln, matchingVuln *v1.Vulnerability) } expectedVuln.MetadataV2 = nil matchingVuln.MetadataV2 = nil + + expectedVuln.Description = normalizeString(expectedVuln.Description) + matchingVuln.Description = normalizeString(matchingVuln.Description) + assert.Equal(t, expectedVuln, matchingVuln) } diff --git a/e2etests/sanity_test.go b/e2etests/sanity_test.go index bca846a75..dbf503f7c 100644 --- a/e2etests/sanity_test.go +++ b/e2etests/sanity_test.go @@ -7,6 +7,7 @@ import ( "encoding/json" "fmt" "sort" + "strings" "testing" v1 "github.com/stackrox/scanner/api/v1" @@ -58,6 +59,10 @@ func checkMatch(t *testing.T, source string, expectedVuln, matchingVuln v1.Vulne } expectedVuln.Metadata = nil matchingVuln.Metadata = nil + + expectedVuln.Description = normalizeString(expectedVuln.Description) + matchingVuln.Description = normalizeString(matchingVuln.Description) + assert.Equal(t, expectedVuln, matchingVuln) } @@ -183,3 +188,8 @@ func deepGet(m map[string]interface{}, keys ...string) interface{} { } return currVal } + +// normalizeString removes newlines and collapses multiple spaces into one. +func normalizeString(s string) string { + return strings.Join(strings.Fields(s), " ") +} diff --git a/e2etests/testcase_test.go b/e2etests/testcase_test.go index dbefbceb3..b9fe3b644 100644 --- a/e2etests/testcase_test.go +++ b/e2etests/testcase_test.go @@ -991,7 +991,7 @@ var testCases = []testCase{ { Name: "CVE-2018-1125", NamespaceName: "centos:7", - Description: "DOCUMENTATION: If a process inspected by pgrep has an argument longer than INT_MAX bytes, \"int bytes\" could wrap around back to a large positive int (rather than approaching zero), leading to a stack buffer overflow via strncat(). MITIGATION: The procps suite on Red Hat Enterprise Linux is built with FORTIFY, which limits the impact of this stack overflow (and others like it) to a crash.", + Description: "DOCUMENTATION: If a process inspected by pgrep has an argument longer than INT_MAX bytes, \"int bytes\" could wrap around back to a large positive int (rather than approaching zero), leading to a stack buffer overflow via strncat(). MITIGATION: The procps suite on Red Hat Enterprise Linux is built with FORTIFY, which limits the impact of this stack overflow (and others like it) to a crash.", Link: "https://access.redhat.com/security/cve/CVE-2018-1125", Severity: "Low", Metadata: map[string]interface{}{ From eb84de5d4bff1b36d6cd910c91089619dc96a357 Mon Sep 17 00:00:00 2001 From: David House <105243888+davdhacs@users.noreply.github.com> Date: Tue, 10 Mar 2026 10:25:42 -0600 Subject: [PATCH 2/3] fix(e2e): Update CVE descriptions to match current NVD feed (#2888) --- e2etests/testcase_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/e2etests/testcase_test.go b/e2etests/testcase_test.go index b9fe3b644..1ab075a09 100644 --- a/e2etests/testcase_test.go +++ b/e2etests/testcase_test.go @@ -1351,7 +1351,7 @@ var testCases = []testCase{ }, { Name: "CVE-2020-1045", - Description: "

A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.

\n

The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.

\n

The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names.

\n", + Description: "

A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.

\n

The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.

\n

The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names.

", Link: "https://nvd.nist.gov/vuln/detail/CVE-2020-1045", Metadata: map[string]interface{}{ "NVD": map[string]interface{}{ @@ -1402,7 +1402,7 @@ var testCases = []testCase{ }, { Name: "CVE-2020-1597", - Description: "A denial of service vulnerability exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication.\nA remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the ASP.NET Core application.\nThe update addresses the vulnerability by correcting how the ASP.NET Core web application handles web requests.\n", + Description: "A denial of service vulnerability exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication.\nA remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the ASP.NET Core application.\nThe update addresses the vulnerability by correcting how the ASP.NET Core web application handles web requests.", Link: "https://nvd.nist.gov/vuln/detail/CVE-2020-1597", Metadata: map[string]interface{}{ "NVD": map[string]interface{}{ From 30af3263abce9e95cff1ed07ec97b6fa6752fc21 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 7 Apr 2026 14:29:14 -0500 Subject: [PATCH 3/3] build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#3030) --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index df1cf76ff..091498e85 100644 --- a/go.mod +++ b/go.mod @@ -95,7 +95,7 @@ require ( github.com/felixge/httpsnoop v1.0.4 // indirect github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 // indirect github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect - github.com/go-jose/go-jose/v4 v4.1.3 // indirect + github.com/go-jose/go-jose/v4 v4.1.4 // indirect github.com/go-logr/logr v1.4.3 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-openapi/jsonpointer v0.21.0 // indirect diff --git a/go.sum b/go.sum index 60f470398..9e0777ef0 100644 --- a/go.sum +++ b/go.sum @@ -244,8 +244,8 @@ github.com/go-git/go-git/v5 v5.16.4/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lo github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs= -github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08= +github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA= +github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=