CVEs alerts inventory for Vulnerability Detector: partial scan type

deps/wazuh_testing/wazuh_testing/tools/__init__.py

@@ -89,6 +89,7 @@ def get_service():
 _data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
 WAZUH_LOGS_PATH = os.path.join(WAZUH_PATH, 'logs')
 ALERT_FILE_PATH = os.path.join(WAZUH_LOGS_PATH, 'alerts', 'alerts.json')
+ALERT_LOGS_PATH = os.path.join(WAZUH_LOGS_PATH, 'alerts', 'alerts.log')
 CLUSTER_LOGS_PATH = os.path.join(WAZUH_LOGS_PATH, 'cluster.log')
 
 QUEUE_SOCKETS_PATH = os.path.join(WAZUH_PATH, 'queue', 'sockets')
@@ -97,8 +98,8 @@ def get_service():
 CLUSTER_SOCKET_PATH = os.path.join(WAZUH_PATH, 'queue', 'cluster')
 
 
-ANALYSISD_ANALISIS_SOCKET_PATH= os.path.join(QUEUE_SOCKETS_PATH, 'analysis')
-ANALYSISD_QUEUE_SOCKET_PATH= os.path.join(QUEUE_SOCKETS_PATH, 'queue')
+ANALYSISD_ANALISIS_SOCKET_PATH = os.path.join(QUEUE_SOCKETS_PATH, 'analysis')
+ANALYSISD_QUEUE_SOCKET_PATH = os.path.join(QUEUE_SOCKETS_PATH, 'queue')
 AUTHD_SOCKET_PATH = os.path.join(QUEUE_SOCKETS_PATH, 'auth')
 EXECD_SOCKET_PATH = os.path.join(QUEUE_SOCKETS_PATH, 'com')
 LOGCOLLECTOR_SOCKET_PATH = os.path.join(QUEUE_SOCKETS_PATH, 'logcollector')
@@ -111,7 +112,7 @@ def get_service():
 MODULESD_CONTROL_SOCKET_PATH = os.path.join(QUEUE_SOCKETS_PATH, 'control')
 MODULESD_KREQUEST_SOCKET_PATH = os.path.join(QUEUE_SOCKETS_PATH, 'krequest')
 MODULESD_C_INTERNAL_SOCKET_PATH = os.path.join(CLUSTER_SOCKET_PATH, 'c-internal.sock')
-ACTIVE_RESPONSE_SOCKET_PATH = os.path.join(QUEUE_ALERTS_PATH,'ar')
+ACTIVE_RESPONSE_SOCKET_PATH = os.path.join(QUEUE_ALERTS_PATH, 'ar')
 
 WAZUH_SOCKETS = {
     'wazuh-agentd': [],

deps/wazuh_testing/wazuh_testing/vulnerability_detector.py

@@ -15,6 +15,7 @@
 from wazuh_testing.tools import file
 from wazuh_testing.tools import agent_simulator as ag
 from wazuh_testing.tools.services import control_service, check_if_process_is_running
+from wazuh_testing.tools.utils import retry
 from wazuh_testing.wazuh_db import query_wdb
 
 VULN_DETECTOR_GLOBAL_TIMEOUT = 20
@@ -813,6 +814,22 @@ def modify_metadata_vuldet_feed(feed, timestamp):
     control_service('start', daemon='wazuh-db')
 
 
+def modify_nvd_metadata_vuldet(timestamp):
+    """Function to modify the timestamp value of the nvd_metadata table.
+
+    Args:
+        timestamp (int): The new timestamp value to set.
+    """
+    query_string = f"UPDATE NVD_METADATA SET LAST_UPDATE={timestamp};"
+    for _ in range(VULN_DETECTOR_GLOBAL_TIMEOUT):
+        try:
+            make_query(CVE_DB_PATH, [query_string])
+            return
+        except sqlite3.OperationalError:
+            sleep(1)
+    raise sqlite3.OperationalError
+
+
 def check_vulnerability_scan_event(wazuh_log_monitor, package, cve):
     """Check if inserted vulnerable packages are reported by vulnerability detector.
 
@@ -928,17 +945,18 @@ def create_mocked_agent(name="centos8-agent", ip="127.0.0.1", register_ip="127.0
     return agent_id_str
 
 
-def create_simulated_agent(manager_address="localhost", os="debian10"):
+@retry(AttributeError, attempts=2, delay=2, delay_multiplier=1)
+def create_simulated_agent(manager_address="localhost", operating_system="debian10"):
     """Create a new agent using the Agent class of agent_simulator module with a minimal functionality.
 
     Args:
         manager_address (str, optional): Manager address. Defaults to "localhost".
-        os (str, optional): Operating system of the simulated agent. Defaults to "Debian 10".
+        operating_system (str, optional): Operating system of the simulated agent. Defaults to "Debian 10".
 
     Returns:
         (str, Sender, Injector): A tuple with the id, the Sender and the Injector of the simulated agent.
     """
-    agent = ag.Agent(manager_address=manager_address, os=os)
+    agent = ag.Agent(manager_address=manager_address, os=operating_system)
     agent.set_module_status('syscollector', 'enabled')
     agent.set_module_status('fim', 'disabled')
     sender, injector = ag.connect(agent)

docs/tests/integration/test_vulnerability_detector/index.md

@@ -19,6 +19,9 @@ Vulnerability Detector in the configuration file.
 - **[test_scan_results](test_scan_results#test-scan-results)** Tests that check if Vulnerability Detector generates
 alerts in the right cases.
 
+- **[test_scan_types](test_scan_types#test-scan-types)** Tests that check if the scan types of the 
+Vulnerability Detector are working as expected.
+
 We can specify the set of tests that we want to launch, either individually, module, package or custom. Normally,
 the tests are selected in a personalized way called **tier**.
 
@@ -72,6 +75,13 @@ Detector generates the alerts from NVD feed.
 Tests mock RedHat, Ubuntu and Debian systems, and insert custom vulnerabilities and vulnerable packages to see if
 Vulnerability Detector generates the alerts from NVD and providers feed.
 
+#### Test scan types
+
+- **[test_partial_scan_type](test_scan_types/test_partial_scan_type.md#test-partial-scan-type)**:
+Test that adds a simulated agent to the system with a test package containing a vulnerability then starts 
+a `BASELINE` scan and, after finishing it, adds a new test package with another vulnerability. 
+It then launches a `PARTIAL_SCAN` and checks that the alert has only been generated for the last package installed.
+
 ---
 
 ### Tier 1

docs/tests/integration/test_vulnerability_detector/test_scan_types/index.md

@@ -0,0 +1,29 @@
+# Overview
+
+## Objective
+
+The purpose of testing general settings is to check the scan types of the Vulnerability Detector module are working as
+expected. These are the general scan types:
+
+- `PARTIAL_SCAN`
+
+## General info
+
+|Tier | Number of tests | Time spent |
+|:--:|:--:|:--:|
+| 0 | 1 | 0:02:40  |
+
+## Expected behavior
+
+- `PARTIAL_SCAN`: Alerts should be generated only for vulnerabilities detected in new packages installed during 
+  this kind of scanning.
+
+## Testing
+
+### Generic tests
+
+- **[test_partial_scan_type](test_partial_scan_type.md#test-partial-scan-type)**:
+  Test that adds a simulated agent to the system with a test package containing a vulnerability then starts 
+  a `BASELINE` scan and, after finishing it, adds a new test package with another vulnerability. 
+  It then launches a `PARTIAL_SCAN` and checks that the alert has only been generated for the last package installed.
+

docs/tests/integration/test_vulnerability_detector/test_scan_types/test_partial_scan_type.md

@@ -0,0 +1,33 @@
+# Test partial scan type
+
+The test will check if the Vulnerability Detector module performs the `PARTIAL_SCAN` type correctly.
+
+## General info
+
+|Tier | Number of tests | Time spent| Test file | 
+|:--:|:--:|:--:|:--:| 
+| 0 | 1 | 2m40s | test_partial_scan_type.py |
+
+## Test logic
+
+The manager is configured to use custom feeds that include vulnerabilities associated with the test packages. 
+The first package is added to the database of the simulated agent and, after enrollment of the agent, 
+the vulnerability detector must launch the first scan on it, which is of `BASELINE` type.
+
+When the `BASELINE` scan is done, we will insert a new test package and wait for the `PARTIAL_SCAN` to start.
+Once the `PARTIAL_SCAN` is completed, it will check that a new vulnerability has been detected and an alert
+has been generated for that vulnerability by analyzing its respective logs. It will also be checked that
+no alerts have been generated for the first package that had already been previously analyzed by
+the `BASELINE` scan.
+
+
+## Checks
+
+- [x] The `BASELINE` and `PARTIAL_SCAN` scan startup, checking messages in the logs file.
+- [x] The NVD vulnerabilities for the test packages are detected during the scans, checking messages in the logs file.
+- [x] Completion of the scans, checking messages in the logs file.
+- [x] Alert is generated only for the vulnerability detected during `PARTIAL_SCAN` scanning, checking messages in the alerts file.
+
+## Code documentation
+
+::: tests.integration.test_vulnerability_detector.test_scan_types.test_partial_scan_type

mkdocs.yml

@@ -83,6 +83,9 @@ nav:
             - Test scan different cves:  tests/integration/test_vulnerability_detector/test_scan_results/test_scan_different_cves.md
             - Test scan nvd feed: tests/integration/test_vulnerability_detector/test_scan_results/test_scan_nvd_feed.md
             - Test scan providers and nvd feed: tests/integration/test_vulnerability_detector/test_scan_results/test_scan_providers_and_nvd_feed.md
+          - Tests SCAN types:
+            - tests/integration/test_vulnerability_detector/test_scan_types/index.md
+            - Test partial scan type: tests/integration/test_vulnerability_detector/test_scan_types/test_partial_scan_type.md
           - Tests Windows:
             - tests/integration/test_vulnerability_detector/test_windows/index.md
             - Test CPE indexing: tests/integration/test_vulnerability_detector/test_windows/test_cpe_indexing.md