Backport e2e test fix (#3054) (#3070)

daynewlee · dcaravel · davdhacs · web-flow · commit b2dcdbb07d27 · 2026-04-10T07:31:14.000-05:00
Co-authored-by: David Caravello &lt;119438707+dcaravel@users.noreply.github.com&gt;
Co-authored-by: David House &lt;105243888+davdhacs@users.noreply.github.com&gt;
diff --git a/.openshift-ci/pre_tests.py b/.openshift-ci/pre_tests.py
@@ -12,7 +12,7 @@ class Deployer:
     Deployer - Deploys Scanner and ScannerDB resources and port-forwards the necessary endpoints.
     """
 
-    DEPLOY_TIMEOUT = 31 * 60
+    DEPLOY_TIMEOUT = 41 * 60
 
     def __init__(self, slim=False):
         self.slim = slim
diff --git a/cmd/clair/testdata/config.yaml b/cmd/clair/testdata/config.yaml
@@ -8,7 +8,7 @@ scanner:
     options:
       # PostgreSQL Connection string
       # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
-      source: host=scanner-db.stackrox.svc port=5432 user=postgres sslmode=verify-full statement_timeout=60000
+      source: host=scanner-db.stackrox.svc port=5432 user=postgres sslmode=verify-full statement_timeout=180000
 
       # Number of elements kept in the cache
       # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
diff --git a/e2etests/grpc_full_test.go b/e2etests/grpc_full_test.go
@@ -153,6 +153,10 @@ func checkGRPCMatch(t *testing.T, expectedVuln, matchingVuln *v1.Vulnerability)
 	}
 	expectedVuln.MetadataV2 = nil
 	matchingVuln.MetadataV2 = nil
+
+	expectedVuln.Description = normalizeString(expectedVuln.Description)
+	matchingVuln.Description = normalizeString(matchingVuln.Description)
+
 	assert.Equal(t, expectedVuln, matchingVuln)
 }
 
diff --git a/e2etests/sanity_test.go b/e2etests/sanity_test.go
@@ -7,6 +7,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"sort"
+	"strings"
 	"testing"
 
 	v1 "github.com/stackrox/scanner/api/v1"
@@ -58,6 +59,10 @@ func checkMatch(t *testing.T, source string, expectedVuln, matchingVuln v1.Vulne
 	}
 	expectedVuln.Metadata = nil
 	matchingVuln.Metadata = nil
+
+	expectedVuln.Description = normalizeString(expectedVuln.Description)
+	matchingVuln.Description = normalizeString(matchingVuln.Description)
+
 	assert.Equal(t, expectedVuln, matchingVuln)
 }
 
@@ -183,3 +188,8 @@ func deepGet(m map[string]interface{}, keys ...string) interface{} {
 	}
 	return currVal
 }
+
+// normalizeString removes newlines and collapses multiple spaces into one.
+func normalizeString(s string) string {
+	return strings.Join(strings.Fields(s), " ")
+}
diff --git a/e2etests/testcase_test.go b/e2etests/testcase_test.go
@@ -991,7 +991,7 @@ var testCases = []testCase{
 					{
 						Name:          "CVE-2018-1125",
 						NamespaceName: "centos:7",
-						Description:   "DOCUMENTATION: If a process inspected by pgrep has an argument longer than INT_MAX bytes, \"int bytes\" could wrap around back to a large positive int (rather than approaching zero), leading to a stack buffer overflow via strncat().                          MITIGATION: The procps suite on Red Hat Enterprise Linux is built with FORTIFY, which limits the impact of this stack overflow (and others like it) to a crash.",
+						Description:   "DOCUMENTATION: If a process inspected by pgrep has an argument longer than INT_MAX bytes, \"int bytes\" could wrap around back to a large positive int (rather than approaching zero), leading to a stack buffer overflow via strncat().                           MITIGATION: The procps suite on Red Hat Enterprise Linux is built with FORTIFY, which limits the impact of this stack overflow (and others like it) to a crash.",
 						Link:          "https://access.redhat.com/security/cve/CVE-2018-1125",
 						Severity:      "Low",
 						Metadata: map[string]interface{}{
@@ -1351,7 +1351,7 @@ var testCases = []testCase{
 					},
 					{
 						Name:        "CVE-2020-1045",
-						Description: "<p>A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.</p>\n<p>The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.</p>\n<p>The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names.</p>\n",
+						Description: "<p>A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.</p>\n<p>The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.</p>\n<p>The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names.</p>",
 						Link:        "https://nvd.nist.gov/vuln/detail/CVE-2020-1045",
 						Metadata: map[string]interface{}{
 							"NVD": map[string]interface{}{
@@ -1402,7 +1402,7 @@ var testCases = []testCase{
 					},
 					{
 						Name:        "CVE-2020-1597",
-						Description: "A denial of service vulnerability exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication.\nA remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the ASP.NET Core application.\nThe update addresses the vulnerability by correcting how the ASP.NET Core web application handles web requests.\n",
+						Description: "A denial of service vulnerability exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication.\nA remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the ASP.NET Core application.\nThe update addresses the vulnerability by correcting how the ASP.NET Core web application handles web requests.",
 						Link:        "https://nvd.nist.gov/vuln/detail/CVE-2020-1597",
 						Metadata: map[string]interface{}{
 							"NVD": map[string]interface{}{
@@ -3032,10 +3032,33 @@ var testCases = []testCase{
 						},
 						FixedBy: "2.12.3",
 					},
+					{
+						Name:        "CVE-2025-68161",
+						Description: "The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the  verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName  configuration attribute or the  log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName  system property is set to true.\n\nThis issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:\n\n  *  The attacker is able to intercept or redirect network traffic between the client and the log receiver.\n  *  The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured).\n\n\nUsers are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue.\n\nAs an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.",
+						Link:        "https://nvd.nist.gov/vuln/detail/CVE-2025-68161",
+						Severity:    "Moderate",
+						Metadata: map[string]interface{}{
+							"NVD": map[string]interface{}{
+								"CVSSv3": map[string]interface{}{
+									"ExploitabilityScore": 2.2,
+									"ImpactScore":         2.5,
+									"Score":               4.8,
+									"Vectors":             "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+								},
+								"CVSSv2": map[string]interface{}{
+									"ExploitabilityScore": 0.0,
+									"ImpactScore":         0.0,
+									"Score":               0.0,
+									"Vectors":             "",
+								},
+							},
+						},
+						FixedBy: "2.25.3",
+					},
 				},
 				AddedBy:  "sha256:477d0b4ccc14566aec80c3360aba6c84208c9d337727434c3914bd87b023dab3",
 				Location: "usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-tcp-6.0.10-java/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.0.10/logstash-input-tcp-6.0.10.jar:log4j-core",
-				FixedBy:  "2.12.4",
+				FixedBy:  "2.25.3",
 			},
 			{
 				Name:          "log4j",
@@ -3134,10 +3157,33 @@ var testCases = []testCase{
 						},
 						FixedBy: "2.17.0",
 					},
+					{
+						Name:        "CVE-2025-68161",
+						Description: "The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the  verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName  configuration attribute or the  log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName  system property is set to true.\n\nThis issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:\n\n  *  The attacker is able to intercept or redirect network traffic between the client and the log receiver.\n  *  The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured).\n\n\nUsers are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue.\n\nAs an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.",
+						Link:        "https://nvd.nist.gov/vuln/detail/CVE-2025-68161",
+						Severity:    "Moderate",
+						Metadata: map[string]interface{}{
+							"NVD": map[string]interface{}{
+								"CVSSv3": map[string]interface{}{
+									"ExploitabilityScore": 2.2,
+									"ImpactScore":         2.5,
+									"Score":               4.8,
+									"Vectors":             "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+								},
+								"CVSSv2": map[string]interface{}{
+									"ExploitabilityScore": 0.0,
+									"ImpactScore":         0.0,
+									"Score":               0.0,
+									"Vectors":             "",
+								},
+							},
+						},
+						FixedBy: "2.25.3",
+					},
 				},
 				AddedBy:  "sha256:477d0b4ccc14566aec80c3360aba6c84208c9d337727434c3914bd87b023dab3",
 				Location: "usr/share/logstash/logstash-core/lib/jars/log4j-core-2.14.0.jar",
-				FixedBy:  "2.17.1",
+				FixedBy:  "2.25.3",
 			},
 		},
 	},
@@ -3223,10 +3269,33 @@ var testCases = []testCase{
 						},
 						FixedBy: "2.12.3",
 					},
+					{
+						Name:        "CVE-2025-68161",
+						Description: "The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the  verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName  configuration attribute or the  log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName  system property is set to true.\n\nThis issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:\n\n  *  The attacker is able to intercept or redirect network traffic between the client and the log receiver.\n  *  The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured).\n\n\nUsers are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue.\n\nAs an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.",
+						Link:        "https://nvd.nist.gov/vuln/detail/CVE-2025-68161",
+						Severity:    "Moderate",
+						Metadata: map[string]interface{}{
+							"NVD": map[string]interface{}{
+								"CVSSv3": map[string]interface{}{
+									"ExploitabilityScore": 2.2,
+									"ImpactScore":         2.5,
+									"Score":               4.8,
+									"Vectors":             "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+								},
+								"CVSSv2": map[string]interface{}{
+									"ExploitabilityScore": 0.0,
+									"ImpactScore":         0.0,
+									"Score":               0.0,
+									"Vectors":             "",
+								},
+							},
+						},
+						FixedBy: "2.25.3",
+					},
 				},
 				AddedBy:  "sha256:d84ba7ea7803fa43fca06730523d264b31c562968cfd7020f0584f5ec1b26225",
 				Location: "log4j-core-2.12.2.jar",
-				FixedBy:  "2.12.4",
+				FixedBy:  "2.25.3",
 			},
 		},
 	},
diff --git a/scripts/ci/deploy.sh b/scripts/ci/deploy.sh
@@ -32,7 +32,7 @@ _wait_for_scanner() {
     kubectl -n stackrox get pod
     POD="$(kubectl -n stackrox get pod -o jsonpath='{.items[?(@.metadata.labels.app=="scanner")].metadata.name}')"
     [[ -n "${POD}" ]]
-    kubectl -n stackrox wait "--for=condition=Ready" "pod/${POD}" --timeout=30m
+    kubectl -n stackrox wait "--for=condition=Ready" "pod/${POD}" --timeout=40m
     kubectl -n stackrox get pod
 }
 

Original file line number	Diff line number	Diff line change
`@@ -153,6 +153,10 @@ func checkGRPCMatch(t testing.T, expectedVuln, matchingVuln v1.Vulnerability)`
`153`	`153`	`}`
`154`	`154`	`expectedVuln.MetadataV2 = nil`
`155`	`155`	`matchingVuln.MetadataV2 = nil`
	`156`	`+`
	`157`	`+ expectedVuln.Description = normalizeString(expectedVuln.Description)`
	`158`	`+ matchingVuln.Description = normalizeString(matchingVuln.Description)`
	`159`	`+`
`156`	`160`	`assert.Equal(t, expectedVuln, matchingVuln)`
`157`	`161`	`}`
`158`	`162`
Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ import (`
`7`	`7`	`"encoding/json"`
`8`	`8`	`"fmt"`
`9`	`9`	`"sort"`
	`10`	`+ "strings"`
`10`	`11`	`"testing"`
`11`	`12`
`12`	`13`	`v1 "github.com/stackrox/scanner/api/v1"`
`@@ -58,6 +59,10 @@ func checkMatch(t *testing.T, source string, expectedVuln, matchingVuln v1.Vulne`
`58`	`59`	`}`
`59`	`60`	`expectedVuln.Metadata = nil`
`60`	`61`	`matchingVuln.Metadata = nil`
	`62`	`+`
	`63`	`+ expectedVuln.Description = normalizeString(expectedVuln.Description)`
	`64`	`+ matchingVuln.Description = normalizeString(matchingVuln.Description)`
	`65`	`+`
`61`	`66`	`assert.Equal(t, expectedVuln, matchingVuln)`
`62`	`67`	`}`
`63`	`68`
`@@ -183,3 +188,8 @@ func deepGet(m map[string]interface{}, keys ...string) interface{} {`
`183`	`188`	`}`
`184`	`189`	`return currVal`
`185`	`190`	`}`
	`191`	`+`
	`192`	`+// normalizeString removes newlines and collapses multiple spaces into one.`
	`193`	`+func normalizeString(s string) string {`
	`194`	`+ return strings.Join(strings.Fields(s), " ")`
	`195`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ _wait_for_scanner() {`
`32`	`32`	`kubectl -n stackrox get pod`
`33`	`33`	`POD="$(kubectl -n stackrox get pod -o jsonpath='{.items[?(@.metadata.labels.app=="scanner")].metadata.name}')"`
`34`	`34`	`[[ -n "${POD}" ]]`
`35`		`- kubectl -n stackrox wait "--for=condition=Ready" "pod/${POD}" --timeout=30m`
	`35`	`+ kubectl -n stackrox wait "--for=condition=Ready" "pod/${POD}" --timeout=40m`
`36`	`36`	`kubectl -n stackrox get pod`
`37`	`37`	`}`
`38`	`38`