stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity

Initial commit (history squashed)
Some checks failed
Build Test Deploy / authority-container (push) Has been cancelled
Details
Build Test Deploy / docs (push) Has been cancelled
Details
Build Test Deploy / deploy (push) Has been cancelled
Details
Build Test Deploy / build-test (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details

Browse Source
This commit is contained in:
master
2025-10-07 10:14:21 +03:00
commit b97fc7685a
1132 changed files with 117842 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

495
src/StellaOps.Feedser.Source.Vndr.Oracle.Tests/Oracle/Fixtures/oracle-advisories.snapshot.json Normal file
View File

@@ -0,0 +1,495 @@
[
{
"advisoryKey": "oracle/cpuapr2024-01-html",
"affectedPackages": [
{
"identifier": "Oracle GraalVM for JDK::Libraries",
"platform": "Libraries",
"provenance": [
{
"fieldMask": [],
"kind": "affected",
"recordedAt": "2024-04-18T00:01:00+00:00",
"source": "vndr-oracle",
"value": "Oracle GraalVM for JDK::Libraries"
}
],
"statuses": [],
"type": "vendor",
"versionRanges": [
{
"fixedVersion": null,
"introducedVersion": null,
"lastAffectedVersion": null,
"primitives": {
"evr": null,
"hasVendorExtensions": true,
"nevra": null,
"semVer": null,
"vendorExtensions": {
"oracle.product": "Oracle GraalVM for JDK",
"oracle.productRaw": "Oracle Java SE, Oracle GraalVM for JDK",
"oracle.component": "Libraries",
"oracle.componentRaw": "Libraries",
"oracle.segmentVersions": "21.3.8, 22.0.0",
"oracle.supportedVersions": "Oracle Java SE: 8u401, 11.0.22; Oracle GraalVM for JDK: 21.3.8, 22.0.0",
"oracle.rangeExpression": "21.3.8, 22.0.0 (notes: See Note A for mitigation)",
"oracle.baseExpression": "21.3.8, 22.0.0",
"oracle.notes": "See Note A for mitigation",
"oracle.versionTokens": "21.3.8|22.0.0",
"oracle.versionTokens.normalized": "21.3.8|22.0.0"
}
},
"provenance": {
"fieldMask": [],
"kind": "range",
"recordedAt": "2024-04-18T00:01:00+00:00",
"source": "vndr-oracle",
"value": "Oracle GraalVM for JDK::Libraries"
},
"rangeExpression": "21.3.8, 22.0.0 (notes: See Note A for mitigation)",
"rangeKind": "vendor"
}
]
},
{
"identifier": "Oracle Java SE::Hotspot",
"platform": "Hotspot",
"provenance": [
{
"fieldMask": [],
"kind": "affected",
"recordedAt": "2024-04-18T00:01:00+00:00",
"source": "vndr-oracle",
"value": "Oracle Java SE::Hotspot"
}
],
"statuses": [],
"type": "vendor",
"versionRanges": [
{
"fixedVersion": "8u401",
"introducedVersion": null,
"lastAffectedVersion": null,
"primitives": {
"evr": null,
"hasVendorExtensions": true,
"nevra": null,
"semVer": null,
"vendorExtensions": {
"oracle.product": "Oracle Java SE",
"oracle.productRaw": "Oracle Java SE",
"oracle.component": "Hotspot",
"oracle.componentRaw": "Hotspot",
"oracle.segmentVersions": "Oracle Java SE: 8u401, 11.0.22",
"oracle.supportedVersions": "Oracle Java SE: 8u401, 11.0.22",
"oracle.rangeExpression": "Oracle Java SE: 8u401, 11.0.22 (notes: Fixed in 8u401 Patch 123456)",
"oracle.baseExpression": "Oracle Java SE: 8u401, 11.0.22",
"oracle.notes": "Fixed in 8u401 Patch 123456",
"oracle.fixedVersion": "8u401",
"oracle.patchNumber": "123456",
"oracle.versionTokens": "Oracle Java SE: 8u401|11.0.22",
"oracle.versionTokens.normalized": "11.0.22"
}
},
"provenance": {
"fieldMask": [],
"kind": "range",
"recordedAt": "2024-04-18T00:01:00+00:00",
"source": "vndr-oracle",
"value": "Oracle Java SE::Hotspot"
},
"rangeExpression": "Oracle Java SE: 8u401, 11.0.22 (notes: Fixed in 8u401 Patch 123456)",
"rangeKind": "vendor"
}
]
},
{
"identifier": "Oracle Java SE::Libraries",
"platform": "Libraries",
"provenance": [
{
"fieldMask": [],
"kind": "affected",
"recordedAt": "2024-04-18T00:01:00+00:00",
"source": "vndr-oracle",
"value": "Oracle Java SE::Libraries"
}
],
"statuses": [],
"type": "vendor",
"versionRanges": [
{
"fixedVersion": null,
"introducedVersion": null,
"lastAffectedVersion": null,
"primitives": {
"evr": null,
"hasVendorExtensions": true,
"nevra": null,
"semVer": null,
"vendorExtensions": {
"oracle.product": "Oracle Java SE",
"oracle.productRaw": "Oracle Java SE, Oracle GraalVM for JDK",
"oracle.component": "Libraries",
"oracle.componentRaw": "Libraries",
"oracle.segmentVersions": "8u401, 11.0.22",
"oracle.supportedVersions": "Oracle Java SE: 8u401, 11.0.22; Oracle GraalVM for JDK: 21.3.8, 22.0.0",
"oracle.rangeExpression": "8u401, 11.0.22 (notes: See Note A for mitigation)",
"oracle.baseExpression": "8u401, 11.0.22",
"oracle.notes": "See Note A for mitigation",
"oracle.versionTokens": "8u401|11.0.22",
"oracle.versionTokens.normalized": "11.0.22"
}
},
"provenance": {
"fieldMask": [],
"kind": "range",
"recordedAt": "2024-04-18T00:01:00+00:00",
"source": "vndr-oracle",
"value": "Oracle Java SE::Libraries"
},
"rangeExpression": "8u401, 11.0.22 (notes: See Note A for mitigation)",
"rangeKind": "vendor"
}
]
}
],
"aliases": [
"CVE-2024-9000",
"CVE-2024-9001",
"ORACLE:CPUAPR2024-01-HTML"
],
"cvssMetrics": [],
"exploitKnown": false,
"language": "en",
"modified": null,
"provenance": [
{
"fieldMask": [],
"kind": "document",
"recordedAt": "2024-04-18T00:00:00+00:00",
"source": "vndr-oracle",
"value": "https://www.oracle.com/security-alerts/cpuapr2024-01.html"
},
{
"fieldMask": [],
"kind": "mapping",
"recordedAt": "2024-04-18T00:01:00+00:00",
"source": "vndr-oracle",
"value": "cpuapr2024-01-html"
}
],
"published": "2024-04-18T12:30:00+00:00",
"references": [
{
"kind": "reference",
"provenance": {
"fieldMask": [],
"kind": "reference",
"recordedAt": "2024-04-18T00:01:00+00:00",
"source": "vndr-oracle",
"value": "https://support.oracle.com/kb/123456"
},
"sourceTag": null,
"summary": null,
"url": "https://support.oracle.com/kb/123456"
},
{
"kind": "patch",
"provenance": {
"fieldMask": [],
"kind": "reference",
"recordedAt": "2024-04-18T00:01:00+00:00",
"source": "vndr-oracle",
"value": "https://support.oracle.com/rs?type=doc&id=3010001.1"
},
"sourceTag": "oracle",
"summary": "Oracle Java SE",
"url": "https://support.oracle.com/rs?type=doc&id=3010001.1"
},
{
"kind": "patch",
"provenance": {
"fieldMask": [],
"kind": "reference",
"recordedAt": "2024-04-18T00:01:00+00:00",
"source": "vndr-oracle",
"value": "https://support.oracle.com/rs?type=doc&id=3010002.1"
},
"sourceTag": "oracle",
"summary": "Oracle GraalVM",
"url": "https://support.oracle.com/rs?type=doc&id=3010002.1"
},
{
"kind": "reference",
"provenance": {
"fieldMask": [],
"kind": "reference",
"recordedAt": "2024-04-18T00:01:00+00:00",
"source": "vndr-oracle",
"value": "https://updates.oracle.com/patches/fullpatch"
},
"sourceTag": null,
"summary": null,
"url": "https://updates.oracle.com/patches/fullpatch"
},
{
"kind": "advisory",
"provenance": {
"fieldMask": [],
"kind": "reference",
"recordedAt": "2024-04-18T00:01:00+00:00",
"source": "vndr-oracle",
"value": "https://www.cve.org/CVERecord?id=CVE-2024-9000"
},
"sourceTag": "CVE-2024-9000",
"summary": null,
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9000"
},
{
"kind": "advisory",
"provenance": {
"fieldMask": [],
"kind": "reference",
"recordedAt": "2024-04-18T00:01:00+00:00",
"source": "vndr-oracle",
"value": "https://www.cve.org/CVERecord?id=CVE-2024-9001"
},
"sourceTag": "CVE-2024-9001",
"summary": null,
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9001"
},
{
"kind": "advisory",
"provenance": {
"fieldMask": [],
"kind": "reference",
"recordedAt": "2024-04-18T00:01:00+00:00",
"source": "vndr-oracle",
"value": "https://www.oracle.com/security-alerts/cpuapr2024-01.html"
},
"sourceTag": "oracle",
"summary": "cpuapr2024 01 html",
"url": "https://www.oracle.com/security-alerts/cpuapr2024-01.html"
}
],
"severity": null,
"summary": "Oracle CPU April 2024 Advisory 1 Oracle Critical Patch Update Advisory - April 2024 (CPU01) This advisory addresses vulnerabilities in Oracle Java SE and Oracle GraalVM for JDK. It references CVE-2024-9000 and CVE-2024-9001 with additional remediation steps. Affected Products and Versions Patch Availability Document Oracle Java SE, versions 8u401, 11.0.22 Oracle Java SE Oracle GraalVM for JDK, versions 21.3.8, 22.0.0 Oracle GraalVM CVE ID Product Component Protocol Remote Exploit without Auth.? Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confidentiality Integrity Availability Supported Versions Affected Notes CVE-2024-9000 Oracle Java SE Hotspot Multiple Yes 9.8 Network Low None Required Changed High High High Oracle Java SE: 8u401, 11.0.22 Fixed in 8u401 Patch 123456 CVE-2024-9001 Oracle Java SE, Oracle GraalVM for JDK Libraries Multiple Yes 7.5 Network High None Required Changed Medium Medium Medium Oracle Java SE: 8u401, 11.0.22; Oracle GraalVM for JDK: 21.3.8, 22.0.0 See Note A for mitigation Note A: Apply interim update 22.0.0.1 for GraalVM. Patch download Support article",
"title": "cpuapr2024 01 html"
},
{
"advisoryKey": "oracle/cpuapr2024-02-html",
"affectedPackages": [
{
"identifier": "Oracle Database Server::SQL*Plus",
"platform": "SQL*Plus",
"provenance": [
{
"fieldMask": [],
"kind": "affected",
"recordedAt": "2024-04-18T00:01:00+00:00",
"source": "vndr-oracle",
"value": "Oracle Database Server::SQL*Plus"
}
],
"statuses": [],
"type": "vendor",
"versionRanges": [
{
"fixedVersion": null,
"introducedVersion": null,
"lastAffectedVersion": null,
"primitives": {
"evr": null,
"hasVendorExtensions": true,
"nevra": null,
"semVer": null,
"vendorExtensions": {
"oracle.product": "Oracle Database Server",
"oracle.productRaw": "Oracle Database Server",
"oracle.component": "SQL*Plus",
"oracle.componentRaw": "SQL*Plus",
"oracle.segmentVersions": "Oracle Database Server: 19c, 21c",
"oracle.supportedVersions": "Oracle Database Server: 19c, 21c",
"oracle.rangeExpression": "Oracle Database Server: 19c, 21c (notes: See Note B)",
"oracle.baseExpression": "Oracle Database Server: 19c, 21c",
"oracle.notes": "See Note B",
"oracle.versionTokens": "Oracle Database Server: 19c|21c"
}
},
"provenance": {
"fieldMask": [],
"kind": "range",
"recordedAt": "2024-04-18T00:01:00+00:00",
"source": "vndr-oracle",
"value": "Oracle Database Server::SQL*Plus"
},
"rangeExpression": "Oracle Database Server: 19c, 21c (notes: See Note B)",
"rangeKind": "vendor"
}
]
},
{
"identifier": "Oracle WebLogic Server::Console",
"platform": "Console",
"provenance": [
{
"fieldMask": [],
"kind": "affected",
"recordedAt": "2024-04-18T00:01:00+00:00",
"source": "vndr-oracle",
"value": "Oracle WebLogic Server::Console"
}
],
"statuses": [],
"type": "vendor",
"versionRanges": [
{
"fixedVersion": "99999999",
"introducedVersion": null,
"lastAffectedVersion": null,
"primitives": {
"evr": null,
"hasVendorExtensions": true,
"nevra": null,
"semVer": null,
"vendorExtensions": {
"oracle.product": "Oracle WebLogic Server",
"oracle.productRaw": "Oracle WebLogic Server",
"oracle.component": "Console",
"oracle.componentRaw": "Console",
"oracle.segmentVersions": "Oracle WebLogic Server: 14.1.1.0.0",
"oracle.supportedVersions": "Oracle WebLogic Server: 14.1.1.0.0",
"oracle.rangeExpression": "Oracle WebLogic Server: 14.1.1.0.0 (notes: Patch 99999999 available)",
"oracle.baseExpression": "Oracle WebLogic Server: 14.1.1.0.0",
"oracle.notes": "Patch 99999999 available",
"oracle.fixedVersion": "99999999",
"oracle.patchNumber": "99999999",
"oracle.versionTokens": "Oracle WebLogic Server: 14.1.1.0.0"
}
},
"provenance": {
"fieldMask": [],
"kind": "range",
"recordedAt": "2024-04-18T00:01:00+00:00",
"source": "vndr-oracle",
"value": "Oracle WebLogic Server::Console"
},
"rangeExpression": "Oracle WebLogic Server: 14.1.1.0.0 (notes: Patch 99999999 available)",
"rangeKind": "vendor"
}
]
}
],
"aliases": [
"CVE-2024-9100",
"CVE-2024-9101",
"ORACLE:CPUAPR2024-02-HTML"
],
"cvssMetrics": [],
"exploitKnown": false,
"language": "en",
"modified": null,
"provenance": [
{
"fieldMask": [],
"kind": "document",
"recordedAt": "2024-04-18T00:00:00+00:00",
"source": "vndr-oracle",
"value": "https://www.oracle.com/security-alerts/cpuapr2024-02.html"
},
{
"fieldMask": [],
"kind": "mapping",
"recordedAt": "2024-04-18T00:01:00+00:00",
"source": "vndr-oracle",
"value": "cpuapr2024-02-html"
}
],
"published": "2024-04-19T08:15:00+00:00",
"references": [
{
"kind": "reference",
"provenance": {
"fieldMask": [],
"kind": "reference",
"recordedAt": "2024-04-18T00:01:00+00:00",
"source": "vndr-oracle",
"value": "https://support.oracle.com/kb/789012"
},
"sourceTag": null,
"summary": null,
"url": "https://support.oracle.com/kb/789012"
},
{
"kind": "patch",
"provenance": {
"fieldMask": [],
"kind": "reference",
"recordedAt": "2024-04-18T00:01:00+00:00",
"source": "vndr-oracle",
"value": "https://support.oracle.com/rs?type=doc&id=3010100.1"
},
"sourceTag": "oracle",
"summary": "Fusion Middleware",
"url": "https://support.oracle.com/rs?type=doc&id=3010100.1"
},
{
"kind": "patch",
"provenance": {
"fieldMask": [],
"kind": "reference",
"recordedAt": "2024-04-18T00:01:00+00:00",
"source": "vndr-oracle",
"value": "https://support.oracle.com/rs?type=doc&id=3010101.1"
},
"sourceTag": "oracle",
"summary": "Database",
"url": "https://support.oracle.com/rs?type=doc&id=3010101.1"
},
{
"kind": "advisory",
"provenance": {
"fieldMask": [],
"kind": "reference",
"recordedAt": "2024-04-18T00:01:00+00:00",
"source": "vndr-oracle",
"value": "https://www.cve.org/CVERecord?id=CVE-2024-9100"
},
"sourceTag": "CVE-2024-9100",
"summary": null,
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9100"
},
{
"kind": "advisory",
"provenance": {
"fieldMask": [],
"kind": "reference",
"recordedAt": "2024-04-18T00:01:00+00:00",
"source": "vndr-oracle",
"value": "https://www.cve.org/CVERecord?id=CVE-2024-9101"
},
"sourceTag": "CVE-2024-9101",
"summary": null,
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9101"
},
{
"kind": "advisory",
"provenance": {
"fieldMask": [],
"kind": "reference",
"recordedAt": "2024-04-18T00:01:00+00:00",
"source": "vndr-oracle",
"value": "https://www.oracle.com/security-alerts/cpuapr2024-02.html"
},
"sourceTag": "oracle",
"summary": "cpuapr2024 02 html",
"url": "https://www.oracle.com/security-alerts/cpuapr2024-02.html"
}
],
"severity": null,
"summary": "Oracle CPU April 2024 Advisory 2 Oracle Security Alert Advisory - April 2024 (CPU02) Mitigations for Oracle WebLogic Server and Oracle Database Server. Includes references to CVE-2024-9100 with additional product components. Affected Products and Versions Patch Availability Document Oracle WebLogic Server, versions 14.1.1.0.0 Fusion Middleware Oracle Database Server, versions 19c, 21c Database CVE ID Product Component Protocol Remote Exploit without Auth.? Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confidentiality Integrity Availability Supported Versions Affected Notes CVE-2024-9100 Oracle WebLogic Server Console HTTP Yes 8.1 Network Low Low Required Changed High High High Oracle WebLogic Server: 14.1.1.0.0 Patch 99999999 available CVE-2024-9101 Oracle Database Server SQL*Plus Multiple No 5.4 Local Low Low None Unchanged Medium Low Low Oracle Database Server: 19c, 21c See Note B Note B: Customers should review Support Doc 3010101.1 for mitigation guidance. More details at Support KB .",
"title": "cpuapr2024 02 html"
}
]

7
src/StellaOps.Feedser.Source.Vndr.Oracle.Tests/Oracle/Fixtures/oracle-calendar-cpuapr2024-single.html Normal file
View File

@@ -0,0 +1,7 @@
<html>
<body>
<ul>
<li><a href="cpuapr2024-01.html">CPU April 2024 Advisory 1</a></li>
</ul>
</body>
</html>

8
src/StellaOps.Feedser.Source.Vndr.Oracle.Tests/Oracle/Fixtures/oracle-calendar-cpuapr2024.html Normal file
View File

@@ -0,0 +1,8 @@
<html>
<body>
<ul>
<li><a href="cpuapr2024-01.html">CPU April 2024 Advisory 1</a></li>
<li><a href="cpuapr2024-02.html">CPU April 2024 Advisory 2</a></li>
</ul>
</body>
</html>

108
src/StellaOps.Feedser.Source.Vndr.Oracle.Tests/Oracle/Fixtures/oracle-detail-cpuapr2024-01.html Normal file
View File

@@ -0,0 +1,108 @@
<html>
<head>
<title>Oracle CPU April 2024 Advisory 1</title>
<meta name="Updated Date" content="2024-04-18T12:30:00Z" />
</head>
<body>
<h1>Oracle Critical Patch Update Advisory - April 2024 (CPU01)</h1>
<p>
This advisory addresses vulnerabilities in Oracle Java SE and Oracle GraalVM for JDK.
It references CVE-2024-9000 and CVE-2024-9001 with additional remediation steps.
</p>
<div class="otable otable-sticky otable-tech">
<div class="otable-w1">
<table class="otable-tech-basic otable-w2">
<thead>
<tr>
<th>Affected Products and Versions</th>
<th>Patch Availability Document</th>
</tr>
</thead>
<tbody>
<tr>
<td><a href="#AppendixJAVA">Oracle Java SE, versions 8u401, 11.0.22</a></td>
<td><a href="https://support.oracle.com/rs?type=doc&amp;id=3010001.1" target="_blank">Oracle Java SE</a></td>
</tr>
<tr>
<td><a href="#AppendixGRAAL">Oracle GraalVM for JDK, versions 21.3.8, 22.0.0</a></td>
<td><a href="https://support.oracle.com/rs?type=doc&amp;id=3010002.1" target="_blank">Oracle GraalVM</a></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="otable otable-sticky otable-tech">
<div class="otable-w1">
<table class="otable-tech-basic otable-w2">
<thead>
<tr>
<th class="otable-col-sticky">CVE ID</th>
<th>Product</th>
<th>Component</th>
<th>Protocol</th>
<th>Remote Exploit without Auth.?</th>
<th>Base Score</th>
<th>Attack Vector</th>
<th>Attack Complex</th>
<th>Privs Req'd</th>
<th>User Interact</th>
<th>Scope</th>
<th>Confidentiality</th>
<th>Integrity</th>
<th>Availability</th>
<th>Supported Versions Affected</th>
<th>Notes</th>
</tr>
</thead>
<tbody>
<tr>
<th class="otable-col-sticky">CVE-2024-9000</th>
<td>Oracle Java SE</td>
<td>Hotspot</td>
<td>Multiple</td>
<td>Yes</td>
<td>9.8</td>
<td>Network</td>
<td>Low</td>
<td>None</td>
<td>Required</td>
<td>Changed</td>
<td>High</td>
<td>High</td>
<td>High</td>
<td>Oracle Java SE: 8u401, 11.0.22</td>
<td>Fixed in 8u401 Patch 123456</td>
</tr>
<tr>
<th class="otable-col-sticky">CVE-2024-9001</th>
<td>Oracle Java SE, Oracle GraalVM for JDK</td>
<td>Libraries</td>
<td>Multiple</td>
<td>Yes</td>
<td>7.5</td>
<td>Network</td>
<td>High</td>
<td>None</td>
<td>Required</td>
<td>Changed</td>
<td>Medium</td>
<td>Medium</td>
<td>Medium</td>
<td>Oracle Java SE: 8u401, 11.0.22; Oracle GraalVM for JDK: 21.3.8, 22.0.0</td>
<td>See Note&nbsp;A for mitigation</td>
</tr>
</tbody>
</table>
</div>
</div>
<p id="note-a"><strong>Note A:</strong> Apply interim update 22.0.0.1 for GraalVM.</p>
<ul>
<li><a href="https://updates.oracle.com/patches/fullpatch">Patch download</a></li>
<li><a href="https://support.oracle.com/kb/123456">Support article</a></li>
</ul>
</body>
</html>

105
src/StellaOps.Feedser.Source.Vndr.Oracle.Tests/Oracle/Fixtures/oracle-detail-cpuapr2024-02.html Normal file
View File

@@ -0,0 +1,105 @@
<html>
<head>
<title>Oracle CPU April 2024 Advisory 2</title>
<meta name="Updated Date" content="2024-04-19T08:15:00Z" />
</head>
<body>
<h1>Oracle Security Alert Advisory - April 2024 (CPU02)</h1>
<p>
Mitigations for Oracle WebLogic Server and Oracle Database Server.
Includes references to CVE-2024-9100 with additional product components.
</p>
<div class="otable otable-sticky otable-tech">
<div class="otable-w1">
<table class="otable-tech-basic otable-w2">
<thead>
<tr>
<th>Affected Products and Versions</th>
<th>Patch Availability Document</th>
</tr>
</thead>
<tbody>
<tr>
<td><a href="#AppendixFMW">Oracle WebLogic Server, versions 14.1.1.0.0</a></td>
<td><a href="https://support.oracle.com/rs?type=doc&amp;id=3010100.1" target="_blank">Fusion Middleware</a></td>
</tr>
<tr>
<td><a href="#AppendixDB">Oracle Database Server, versions 19c, 21c</a></td>
<td><a href="https://support.oracle.com/rs?type=doc&amp;id=3010101.1" target="_blank">Database</a></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="otable otable-sticky otable-tech">
<div class="otable-w1">
<table class="otable-tech-basic otable-w2">
<thead>
<tr>
<th class="otable-col-sticky">CVE ID</th>
<th>Product</th>
<th>Component</th>
<th>Protocol</th>
<th>Remote Exploit without Auth.?</th>
<th>Base Score</th>
<th>Attack Vector</th>
<th>Attack Complex</th>
<th>Privs Req'd</th>
<th>User Interact</th>
<th>Scope</th>
<th>Confidentiality</th>
<th>Integrity</th>
<th>Availability</th>
<th>Supported Versions Affected</th>
<th>Notes</th>
</tr>
</thead>
<tbody>
<tr>
<th class="otable-col-sticky">CVE-2024-9100</th>
<td>Oracle WebLogic Server</td>
<td>Console</td>
<td>HTTP</td>
<td>Yes</td>
<td>8.1</td>
<td>Network</td>
<td>Low</td>
<td>Low</td>
<td>Required</td>
<td>Changed</td>
<td>High</td>
<td>High</td>
<td>High</td>
<td>Oracle WebLogic Server: 14.1.1.0.0</td>
<td>Patch 99999999 available</td>
</tr>
<tr>
<th class="otable-col-sticky">CVE-2024-9101</th>
<td>Oracle Database Server</td>
<td>SQL*Plus</td>
<td>Multiple</td>
<td>No</td>
<td>5.4</td>
<td>Local</td>
<td>Low</td>
<td>Low</td>
<td>None</td>
<td>Unchanged</td>
<td>Medium</td>
<td>Low</td>
<td>Low</td>
<td>Oracle Database Server: 19c, 21c</td>
<td>See Note&nbsp;B</td>
</tr>
</tbody>
</table>
</div>
</div>
<p id="note-b"><strong>Note B:</strong> Customers should review Support Doc 3010101.1 for mitigation guidance.</p>
<p>More details at <a href="https://support.oracle.com/kb/789012">Support KB</a>.</p>
</body>
</html>

4
src/StellaOps.Feedser.Source.Vndr.Oracle.Tests/Oracle/Fixtures/oracle-detail-invalid.html Normal file
View File

@@ -0,0 +1,4 @@
<html>
<head></head>
<body></body>
</html>

353
src/StellaOps.Feedser.Source.Vndr.Oracle.Tests/Oracle/OracleConnectorTests.cs Normal file
View File

@@ -0,0 +1,353 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Http;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using Microsoft.Extensions.Time.Testing;
using MongoDB.Bson;
using MongoDB.Bson.Serialization;
using MongoDB.Bson.Serialization.Serializers;
using MongoDB.Driver;
using StellaOps.Feedser.Models;
using StellaOps.Feedser.Source.Common;
using StellaOps.Feedser.Source.Common.Http;
using StellaOps.Feedser.Source.Common.Testing;
using StellaOps.Feedser.Source.Vndr.Oracle;
using StellaOps.Feedser.Source.Vndr.Oracle.Configuration;
using StellaOps.Feedser.Source.Vndr.Oracle.Internal;
using StellaOps.Feedser.Storage.Mongo;
using StellaOps.Feedser.Storage.Mongo.Advisories;
using StellaOps.Feedser.Storage.Mongo.Documents;
using StellaOps.Feedser.Storage.Mongo.Dtos;
using StellaOps.Feedser.Testing;
using Xunit.Abstractions;
namespace StellaOps.Feedser.Source.Vndr.Oracle.Tests;
[Collection("mongo-fixture")]
public sealed class OracleConnectorTests : IAsyncLifetime
{
private readonly MongoIntegrationFixture _fixture;
private readonly FakeTimeProvider _timeProvider;
private readonly CannedHttpMessageHandler _handler;
private readonly ITestOutputHelper _output;
private static readonly Uri AdvisoryOne = new("https://www.oracle.com/security-alerts/cpuapr2024-01.html");
private static readonly Uri AdvisoryTwo = new("https://www.oracle.com/security-alerts/cpuapr2024-02.html");
private static readonly Uri CalendarUri = new("https://www.oracle.com/security-alerts/cpuapr2024.html");
public OracleConnectorTests(MongoIntegrationFixture fixture, ITestOutputHelper output)
{
_fixture = fixture;
_timeProvider = new FakeTimeProvider(new DateTimeOffset(2024, 4, 18, 0, 0, 0, TimeSpan.Zero));
_handler = new CannedHttpMessageHandler();
_output = output;
}
[Fact]
public async Task FetchParseMap_EmitsOraclePsirtSnapshot()
{
await using var provider = await BuildServiceProviderAsync();
SeedDetails();
var calendarFetcher = provider.GetRequiredService<OracleCalendarFetcher>();
var discovered = await calendarFetcher.GetAdvisoryUrisAsync(CancellationToken.None);
_output.WriteLine("Calendar URIs: " + string.Join(", ", discovered.Select(static uri => uri.AbsoluteUri)));
Assert.Equal(2, discovered.Count);
// Re-seed fixtures because calendar fetch consumes canned responses.
SeedDetails();
var connector = provider.GetRequiredService<OracleConnector>();
await connector.FetchAsync(provider, CancellationToken.None);
_timeProvider.Advance(TimeSpan.FromMinutes(1));
await connector.ParseAsync(provider, CancellationToken.None);
await connector.MapAsync(provider, CancellationToken.None);
var advisoryStore = provider.GetRequiredService<IAdvisoryStore>();
var advisories = await advisoryStore.GetRecentAsync(10, CancellationToken.None);
_output.WriteLine("Advisories fetched: " + string.Join(", ", advisories.Select(static a => a.AdvisoryKey)));
_output.WriteLine($"Advisory count: {advisories.Count}");
Assert.Equal(2, advisories.Count);
var first = advisories.Single(advisory => advisory.AdvisoryKey == "oracle/cpuapr2024-01-html");
var second = advisories.Single(advisory => advisory.AdvisoryKey == "oracle/cpuapr2024-02-html");
Assert.Equal(new DateTimeOffset(2024, 4, 18, 12, 30, 0, TimeSpan.Zero), first.Published);
Assert.Equal(new DateTimeOffset(2024, 4, 19, 8, 15, 0, TimeSpan.Zero), second.Published);
Assert.All(advisories, advisory =>
{
Assert.True(advisory.Aliases.Any(alias => alias.StartsWith("CVE-", StringComparison.Ordinal)), $"Expected CVE alias for {advisory.AdvisoryKey}");
Assert.NotEmpty(advisory.AffectedPackages);
});
var snapshot = SnapshotSerializer.ToSnapshot(advisories.OrderBy(static a => a.AdvisoryKey, StringComparer.Ordinal).ToArray());
var expected = ReadFixture("oracle-advisories.snapshot.json");
var normalizedSnapshot = Normalize(snapshot);
var normalizedExpected = Normalize(expected);
if (!string.Equals(normalizedExpected, normalizedSnapshot, StringComparison.Ordinal))
{
var actualPath = Path.Combine(AppContext.BaseDirectory, "Source", "Vndr", "Oracle", "Fixtures", "oracle-advisories.actual.json");
var actualDirectory = Path.GetDirectoryName(actualPath);
if (!string.IsNullOrEmpty(actualDirectory))
{
Directory.CreateDirectory(actualDirectory);
}
File.WriteAllText(actualPath, snapshot);
}
Assert.Equal(normalizedExpected, normalizedSnapshot);
var psirtCollection = _fixture.Database.GetCollection<BsonDocument>(MongoStorageDefaults.Collections.PsirtFlags);
var flags = await psirtCollection.Find(Builders<BsonDocument>.Filter.Empty).ToListAsync();
_output.WriteLine("Psirt flags: " + string.Join(", ", flags.Select(doc => doc.GetValue("_id", BsonValue.Create("<missing>")).ToString())));
Assert.Equal(2, flags.Count);
Assert.All(flags, doc => Assert.Equal("Oracle", doc["vendor"].AsString));
}
[Fact]
public async Task FetchAsync_IdempotentForUnchangedAdvisories()
{
await using var provider = await BuildServiceProviderAsync();
SeedDetails();
var connector = provider.GetRequiredService<OracleConnector>();
await connector.FetchAsync(provider, CancellationToken.None);
_timeProvider.Advance(TimeSpan.FromMinutes(1));
await connector.ParseAsync(provider, CancellationToken.None);
_timeProvider.Advance(TimeSpan.FromMinutes(1));
await connector.MapAsync(provider, CancellationToken.None);
// Second run with unchanged documents should rely on fetch cache.
SeedDetails();
await connector.FetchAsync(provider, CancellationToken.None);
await connector.ParseAsync(provider, CancellationToken.None);
await connector.MapAsync(provider, CancellationToken.None);
var stateRepository = provider.GetRequiredService<ISourceStateRepository>();
var state = await stateRepository.TryGetAsync(VndrOracleConnectorPlugin.SourceName, CancellationToken.None);
Assert.NotNull(state);
var cursor = OracleCursor.FromBson(state!.Cursor);
Assert.Empty(cursor.PendingDocuments);
Assert.Empty(cursor.PendingMappings);
Assert.Equal(2, cursor.FetchCache.Count);
Assert.All(cursor.FetchCache.Values, entry => Assert.False(string.IsNullOrWhiteSpace(entry.Sha256)));
var documentStore = provider.GetRequiredService<IDocumentStore>();
var first = await documentStore.FindBySourceAndUriAsync(VndrOracleConnectorPlugin.SourceName, AdvisoryOne.ToString(), CancellationToken.None);
Assert.NotNull(first);
Assert.Equal(DocumentStatuses.Mapped, first!.Status);
var second = await documentStore.FindBySourceAndUriAsync(VndrOracleConnectorPlugin.SourceName, AdvisoryTwo.ToString(), CancellationToken.None);
Assert.NotNull(second);
Assert.Equal(DocumentStatuses.Mapped, second!.Status);
var dtoCollection = _fixture.Database.GetCollection<BsonDocument>(MongoStorageDefaults.Collections.Dto);
var dtoCount = await dtoCollection.CountDocumentsAsync(Builders<BsonDocument>.Filter.Empty);
Assert.Equal(2, dtoCount);
}
[Fact]
public async Task FetchAsync_ResumeProcessesNewCalendarEntries()
{
await using var provider = await BuildServiceProviderAsync();
AddCalendarResponse(CalendarUri, "oracle-calendar-cpuapr2024-single.html");
AddDetailResponse(AdvisoryOne, "oracle-detail-cpuapr2024-01.html", "\"oracle-001\"");
var connector = provider.GetRequiredService<OracleConnector>();
await connector.FetchAsync(provider, CancellationToken.None);
_timeProvider.Advance(TimeSpan.FromMinutes(1));
await connector.ParseAsync(provider, CancellationToken.None);
_timeProvider.Advance(TimeSpan.FromMinutes(1));
await connector.MapAsync(provider, CancellationToken.None);
var advisoryStore = provider.GetRequiredService<IAdvisoryStore>();
var advisories = await advisoryStore.GetRecentAsync(10, CancellationToken.None);
Assert.Single(advisories);
Assert.Equal("oracle/cpuapr2024-01-html", advisories[0].AdvisoryKey);
_handler.Clear();
AddCalendarResponse(CalendarUri, "oracle-calendar-cpuapr2024.html");
AddDetailResponse(AdvisoryOne, "oracle-detail-cpuapr2024-01.html", "\"oracle-001\"");
AddDetailResponse(AdvisoryTwo, "oracle-detail-cpuapr2024-02.html", "\"oracle-002\"");
await connector.FetchAsync(provider, CancellationToken.None);
_timeProvider.Advance(TimeSpan.FromMinutes(1));
await connector.ParseAsync(provider, CancellationToken.None);
_timeProvider.Advance(TimeSpan.FromMinutes(1));
await connector.MapAsync(provider, CancellationToken.None);
advisories = await advisoryStore.GetRecentAsync(10, CancellationToken.None);
Assert.Equal(2, advisories.Count);
Assert.Contains(advisories, advisory => advisory.AdvisoryKey == "oracle/cpuapr2024-02-html");
}
[Fact]
public async Task ParseAsync_InvalidDocumentIsQuarantined()
{
await using var provider = await BuildServiceProviderAsync();
AddCalendarResponse(CalendarUri, "oracle-calendar-cpuapr2024.html");
AddDetailResponse(AdvisoryOne, "oracle-detail-invalid.html", "\"oracle-001\"");
AddDetailResponse(AdvisoryTwo, "oracle-detail-cpuapr2024-02.html", "\"oracle-002\"");
var connector = provider.GetRequiredService<OracleConnector>();
await connector.FetchAsync(provider, CancellationToken.None);
_timeProvider.Advance(TimeSpan.FromMinutes(1));
await connector.ParseAsync(provider, CancellationToken.None);
var documentStore = provider.GetRequiredService<IDocumentStore>();
var invalidDocument = await documentStore.FindBySourceAndUriAsync(VndrOracleConnectorPlugin.SourceName, AdvisoryOne.ToString(), CancellationToken.None);
Assert.NotNull(invalidDocument);
_output.WriteLine($"Invalid document status: {invalidDocument!.Status}");
var rawDoc = await _fixture.Database.GetCollection<BsonDocument>(MongoStorageDefaults.Collections.Document)
.Find(Builders<BsonDocument>.Filter.Eq("uri", AdvisoryOne.ToString()))
.FirstOrDefaultAsync();
if (rawDoc is not null)
{
_output.WriteLine("Raw document: " + rawDoc.ToJson());
}
var dtoStore = provider.GetRequiredService<IDtoStore>();
var invalidDto = await dtoStore.FindByDocumentIdAsync(invalidDocument.Id, CancellationToken.None);
if (invalidDto is not null)
{
_output.WriteLine("Validation unexpectedly succeeded. DTO: " + invalidDto.Payload.ToJson());
}
Assert.Equal(DocumentStatuses.Failed, invalidDocument.Status);
Assert.Null(invalidDto);
var validDocument = await documentStore.FindBySourceAndUriAsync(VndrOracleConnectorPlugin.SourceName, AdvisoryTwo.ToString(), CancellationToken.None);
Assert.NotNull(validDocument);
Assert.Equal(DocumentStatuses.PendingMap, validDocument!.Status);
_timeProvider.Advance(TimeSpan.FromMinutes(1));
await connector.MapAsync(provider, CancellationToken.None);
var advisories = await provider.GetRequiredService<IAdvisoryStore>().GetRecentAsync(10, CancellationToken.None);
Assert.Single(advisories);
Assert.Equal("oracle/cpuapr2024-02-html", advisories[0].AdvisoryKey);
var psirtCollection = _fixture.Database.GetCollection<BsonDocument>(MongoStorageDefaults.Collections.PsirtFlags);
var flagCount = await psirtCollection.CountDocumentsAsync(Builders<BsonDocument>.Filter.Empty);
Assert.Equal(1, flagCount);
var stateRepository = provider.GetRequiredService<ISourceStateRepository>();
var state = await stateRepository.TryGetAsync(VndrOracleConnectorPlugin.SourceName, CancellationToken.None);
Assert.NotNull(state);
var cursor = OracleCursor.FromBson(state!.Cursor);
Assert.Empty(cursor.PendingDocuments);
Assert.Empty(cursor.PendingMappings);
}
private async Task<ServiceProvider> BuildServiceProviderAsync()
{
await _fixture.Client.DropDatabaseAsync(_fixture.Database.DatabaseNamespace.DatabaseName);
_handler.Clear();
var services = new ServiceCollection();
services.AddLogging(builder => builder.AddProvider(NullLoggerProvider.Instance));
services.AddSingleton<TimeProvider>(_timeProvider);
services.AddSingleton(_handler);
services.AddMongoStorage(options =>
{
options.ConnectionString = _fixture.Runner.ConnectionString;
options.DatabaseName = _fixture.Database.DatabaseNamespace.DatabaseName;
options.CommandTimeout = TimeSpan.FromSeconds(5);
});
services.AddSourceCommon();
services.AddOracleConnector(opts =>
{
opts.CalendarUris = new List<Uri> { CalendarUri };
opts.RequestDelay = TimeSpan.Zero;
});
services.Configure<HttpClientFactoryOptions>(OracleOptions.HttpClientName, builderOptions =>
{
builderOptions.HttpMessageHandlerBuilderActions.Add(builder =>
{
builder.PrimaryHandler = _handler;
});
});
var provider = services.BuildServiceProvider();
var bootstrapper = provider.GetRequiredService<MongoBootstrapper>();
await bootstrapper.InitializeAsync(CancellationToken.None);
return provider;
}
private void SeedDetails()
{
AddCalendarResponse(CalendarUri, "oracle-calendar-cpuapr2024.html");
AddDetailResponse(AdvisoryOne, "oracle-detail-cpuapr2024-01.html", "\"oracle-001\"");
AddDetailResponse(AdvisoryTwo, "oracle-detail-cpuapr2024-02.html", "\"oracle-002\"");
}
private void AddCalendarResponse(Uri uri, string fixture)
{
_handler.AddResponse(uri, () =>
{
var response = new HttpResponseMessage(HttpStatusCode.OK)
{
Content = new StringContent(ReadFixture(fixture), Encoding.UTF8, "text/html"),
};
return response;
});
}
private void AddDetailResponse(Uri uri, string fixture, string? etag)
{
_handler.AddResponse(uri, () =>
{
var response = new HttpResponseMessage(HttpStatusCode.OK)
{
Content = new StringContent(ReadFixture(fixture), Encoding.UTF8, "text/html"),
};
if (!string.IsNullOrEmpty(etag))
{
response.Headers.ETag = new EntityTagHeaderValue(etag);
}
return response;
});
}
private static string ReadFixture(string filename)
{
var primary = Path.Combine(AppContext.BaseDirectory, "Source", "Vndr", "Oracle", "Fixtures", filename);
if (File.Exists(primary))
{
return File.ReadAllText(primary);
}
var fallback = Path.Combine(AppContext.BaseDirectory, "Oracle", "Fixtures", filename);
if (File.Exists(fallback))
{
return File.ReadAllText(fallback);
}
throw new FileNotFoundException($"Fixture '{filename}' not found in test output.", filename);
}
private static string Normalize(string value)
=> value.Replace("\r\n", "\n", StringComparison.Ordinal);
public Task InitializeAsync() => Task.CompletedTask;
public Task DisposeAsync() => Task.CompletedTask;
}

17
src/StellaOps.Feedser.Source.Vndr.Oracle.Tests/StellaOps.Feedser.Source.Vndr.Oracle.Tests.csproj Normal file
View File

@@ -0,0 +1,17 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
</PropertyGroup>
<ItemGroup>
<ProjectReference Include="../StellaOps.Feedser.Models/StellaOps.Feedser.Models.csproj" />
<ProjectReference Include="../StellaOps.Feedser.Source.Common/StellaOps.Feedser.Source.Common.csproj" />
<ProjectReference Include="../StellaOps.Feedser.Source.Vndr.Oracle/StellaOps.Feedser.Source.Vndr.Oracle.csproj" />
<ProjectReference Include="../StellaOps.Feedser.Storage.Mongo/StellaOps.Feedser.Storage.Mongo.csproj" />
</ItemGroup>
<ItemGroup>
<None Include="Oracle/Fixtures/**/*.json" CopyToOutputDirectory="Always" />
<None Include="Oracle/Fixtures/**/*.html" CopyToOutputDirectory="Always" />
</ItemGroup>
</Project>