Tests fail during feed downloads and others finished with setup errors in the VD suite

[roronoasins]

Description

During the 4.5.0 Alpha 1 Integration testing, some Vulnerability tests failed:

• test_vulnerability_detector/test_feeds/test_download_feeds.py
  • SUSE Linux Enterprise Server 12
  • SUSE Linux Enterprise Server 15
  • SUSE Linux Enterprise Desktop 15

The error reported is a TimeoutError when monitoring the log (.*) feed finished log, whereas the expected values are:

• SUSE Linux Enterprise Server 12
• SUSE Linux Enterprise Server 15
• SUSE Linux Enterprise Desktop 15

This issue needs to be investigated and addressed to ensure the proper functioning of the Vulnerability tests for the mentioned distributions. It's possible that the timeout duration does not align with the download time required for the mentioned feeds.

[mauromalara]

Evidence of the test

HTML-report.zip
TXT-report.txt

Analysis of errors in the test's setup

There are also some tests with errors:

ERROR test_vulnerability_detector/test_feeds/test_validate_feed_content.py::test_validate_xml_feed_content[Red Hat Enterprise Linux0]
ERROR test_vulnerability_detector/test_feeds/test_validate_feed_content.py::test_validate_xml_feed_content[Canonical Focal]
ERROR test_vulnerability_detector/test_feeds/test_validate_feed_content.py::test_validate_xml_feed_content[Canonical Bionic]
ERROR test_vulnerability_detector/test_feeds/test_validate_feed_content.py::test_validate_xml_feed_content[Canonical Xenial]
ERROR test_vulnerability_detector/test_feeds/test_validate_feed_content.py::test_validate_xml_feed_content[Canonical Trusty]

The test has a fixture to download the feed before the test starts and then it decompress the data from the feed. But, when the provider has changed the URL or the file is not available, the test will fail as it tries to decompress HTML data, for instance:

data = b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>N...server.</p>\n<hr>\n<address>Apache/2.4.29 (Ubuntu) Server at people.canonical.com Port 443</address>\n</body></html>\n'

    def decompress(data):
        """Decompress a block of data.
    
        For incremental decompression, use a BZ2Decompressor object instead.
        """
        results = []
        while data:
            decomp = BZ2Decompressor()
            try:
>               res = decomp.decompress(data)
E               OSError: Invalid data stream

Conclusion

That test is flaky because it does not handle this kind of error at startup preventing the test from being executed. The test should control this kind of scenario and let the test continue its normal execution.

⚠️ Anyway, I don't think we should download the feed here. I think that this is not something related to our product and we are trying to verify Wazuh's capabilities.

[mauromalara]

Evidence of the test

HTML-report.zip
TXT-report.txt

Analysis of failures in the test

FAILED test_vulnerability_detector/test_feeds/test_download_feeds.py::test_download_feeds[SUSE Linux Enterprise Server 12]
FAILED test_vulnerability_detector/test_feeds/test_download_feeds.py::test_download_feeds[SUSE Linux Enterprise Server 15]
FAILED test_vulnerability_detector/test_feeds/test_download_feeds.py::test_download_feeds[SUSE Linux Enterprise Desktop 15]

• Test timeout: 6 minutes
• Wazuh manager timeout: 5 minutes

So, when I tried to get the feed through wget:

$ wget https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.server.12.xml
--2023-07-28 16:54:35--  https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.server.12.xml
Resolving ftp.suse.com (ftp.suse.com)... 195.135.221.132
Connecting to ftp.suse.com (ftp.suse.com)|195.135.221.132|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 185753599 (177M) [text/xml]
Saving to: ‘suse.linux.enterprise.server.12.xml’

      suse.linux.enterprise.s   0%[                                                 ] 447.49K  70.4KB/s    eta 42m 49s

The ETA is above the test and manager timeouts. So, the test is failing as expected. Also, the manager is detecting this timeout and reporting it in the logs:

DEBUG: CURL ERROR: Operation timed out after 300000 milliseconds with 72121841 out of 185753599 bytes received

Conclusion

The failures are not related to the test itself or the product but to SUSE's servers.

⚠️ Anyway, I don't think this test is well designed as we cannot infinitely wait for the vendor to return their vulnerability information. I think that this test should verify that Wazuh is able to download a feed, but not a production one, and also the test should verify that Wazuh can handle timeouts or format errors.

We cannot say that a test fails because a provider has a problem. Because we want to test our product.

[davidjiglesias]

Based on the conclusions above from @mauromalara I will move this issue to @wazuh/core for them to fix or refactor accordingly.

[Deblintrake09]

This issue errorss where present in 4.5.1 - Alpha 1 wazuh/wazuh#18286

[MarcelKemp]

This issue is related to the following development:

• SUSE OVAL feeds download are too slow wazuh#18593

So they should be fixed after completion.

[MarcelKemp]

• Done in PR: Update SUSE OVAL URL to download compressed feeds wazuh#18783 (4.5.3)