blob: 0ebdab9c1551c27291e11fc3d66ffa761fdb7a77 [file] [log] [blame]
// Copyright 2022 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package worker
import (
"context"
"errors"
"fmt"
"net/http"
"os"
"os/exec"
"path/filepath"
"strings"
"syscall"
"time"
"cloud.google.com/go/storage"
"golang.org/x/exp/event"
"golang.org/x/pkgsite-metrics/internal/bigquery"
"golang.org/x/pkgsite-metrics/internal/config"
"golang.org/x/pkgsite-metrics/internal/derrors"
"golang.org/x/pkgsite-metrics/internal/govulncheck"
"golang.org/x/pkgsite-metrics/internal/log"
"golang.org/x/pkgsite-metrics/internal/proxy"
"golang.org/x/pkgsite-metrics/internal/sandbox"
"golang.org/x/pkgsite-metrics/internal/version"
vulnclient "golang.org/x/vuln/client"
govulncheckapi "golang.org/x/vuln/exp/govulncheck"
)
const (
// modeImports is used to report results of
// vulnerability detection at imports level
// precision. It cannot be directly triggered
// by scan endpoints. Instead, ModeGovulncheck
// mode reports its results to show difference
// in precision of vulnerability detection.
modeImports string = "IMPORTS"
// ModeBinary runs the govulncheck binary in
// binary mode.
ModeBinary string = "BINARY"
// ModeGovulncheck runs the govulncheck binary in
// default (source) mode.
ModeGovulncheck = "GOVULNCHECK"
)
// modes is a set of supported vulncheck modes
var modes = map[string]bool{
ModeBinary: true,
ModeGovulncheck: true,
}
func IsValidGovulncheckMode(mode string) bool {
return modes[mode]
}
// TODO(b/241402488): shouldSkip is the list of modules that we are not
// currently scanning due to previous issues that need investigation.
var shouldSkip = map[string]bool{}
var scanCounter = event.NewCounter("scans", &event.MetricOptions{Namespace: metricNamespace})
// path: /govulncheck/scan/MODULE_VERSION_SUFFIX?params
// See internal/govulncheck.ParseRequest for allowed path forms and query params.
func (h *GovulncheckServer) handleScan(w http.ResponseWriter, r *http.Request) (err error) {
defer derrors.Wrap(&err, "handleScan")
defer func() {
scanCounter.Record(r.Context(), 1, event.Bool("success", err == nil))
}()
ctx := r.Context()
sreq, err := govulncheck.ParseRequest(r, "/govulncheck/scan")
if err != nil {
return fmt.Errorf("%w: %v", derrors.InvalidArgument, err)
}
if sreq.Mode == "" {
sreq.Mode = ModeGovulncheck
}
if shouldSkip[sreq.Module] {
log.Infof(ctx, "skipping (module in shouldSkip list): %s", sreq.Path())
return nil
}
if err := h.readGovulncheckWorkVersions(ctx); err != nil {
return err
}
scanner, err := newScanner(ctx, h)
if err != nil {
return err
}
// An explicit "insecure" query param overrides the default.
if sreq.Insecure {
scanner.insecure = sreq.Insecure
}
wv := h.storedWorkVersions[[2]string{sreq.Module, sreq.Version}]
if scanner.workVersion.Equal(wv) {
log.Infof(ctx, "skipping (work version unchanged): %s@%s", sreq.Module, sreq.Version)
return nil
}
return scanner.ScanModule(ctx, w, sreq)
}
func (h *GovulncheckServer) readGovulncheckWorkVersions(ctx context.Context) error {
h.mu.Lock()
defer h.mu.Unlock()
if h.storedWorkVersions != nil {
return nil
}
if h.bqClient == nil {
return nil
}
var err error
h.storedWorkVersions, err = govulncheck.ReadWorkVersions(ctx, h.bqClient)
return err
}
// A scanner holds state for scanning modules.
type scanner struct {
proxyClient *proxy.Client
dbClient vulnclient.Client
bqClient *bigquery.Client
workVersion *govulncheck.WorkVersion
gcsBucket *storage.BucketHandle
insecure bool
sbox *sandbox.Sandbox
}
func newScanner(ctx context.Context, h *GovulncheckServer) (*scanner, error) {
workVersion, err := h.getWorkVersion(ctx)
if err != nil {
return nil, err
}
var bucket *storage.BucketHandle
if h.cfg.BinaryBucket != "" {
c, err := storage.NewClient(ctx)
if err != nil {
return nil, err
}
bucket = c.Bucket(h.cfg.BinaryBucket)
}
sbox := sandbox.New("/bundle")
sbox.Runsc = "/usr/local/bin/runsc"
return &scanner{
proxyClient: h.proxyClient,
bqClient: h.bqClient,
dbClient: h.vulndbClient,
workVersion: workVersion,
gcsBucket: bucket,
insecure: h.cfg.Insecure,
sbox: sbox,
}, nil
}
type scanError struct {
err error
}
func (s scanError) Error() string {
return s.err.Error()
}
func (s scanError) Unwrap() error {
return s.err
}
func (s *scanner) ScanModule(ctx context.Context, w http.ResponseWriter, sreq *govulncheck.Request) error {
if sreq.Module == "std" {
return nil // ignore the standard library
}
row := &govulncheck.Result{
ModulePath: sreq.Module,
Suffix: sreq.Suffix,
WorkVersion: *s.workVersion,
}
// Scan the version.
log.Debugf(ctx, "fetching proxy info: %s@%s", sreq.Path(), sreq.Version)
info, err := s.proxyClient.Info(ctx, sreq.Module, sreq.Version)
if err != nil {
log.Errorf(ctx, err, "proxy error")
row.AddError(fmt.Errorf("%v: %w", err, derrors.ProxyError))
return nil
}
row.Version = info.Version
row.SortVersion = version.ForSorting(row.Version)
row.CommitTime = info.Time
row.ImportedBy = sreq.ImportedBy
row.VulnDBLastModified = s.workVersion.VulnDBLastModified
row.ScanMode = sreq.Mode
log.Infof(ctx, "running scanner.runScanModule: %s@%s", sreq.Path(), sreq.Version)
stats := &scanStats{}
vulns, err := s.runScanModule(ctx, sreq.Module, info.Version, sreq.Suffix, sreq.Mode, stats)
row.ScanSeconds = stats.scanSeconds
row.ScanMemory = int64(stats.scanMemory)
row.Workers = config.GetEnvInt("CLOUD_RUN_CONCURRENCY", "0", -1)
if err != nil {
switch {
case errors.Is(err, derrors.LoadPackagesNoGoModError) ||
errors.Is(err, derrors.LoadPackagesNoGoSumError):
// errors already classified by package loading.
case isMissingGoMod(err):
// specific for govulncheck
err = fmt.Errorf("%v: %w", err, derrors.LoadPackagesNoGoModError)
case isNoRequiredModule(err):
err = fmt.Errorf("%v: %w", err, derrors.LoadPackagesNoRequiredModuleError)
case isMissingGoSumEntry(err):
err = fmt.Errorf("%v: %w", err, derrors.LoadPackagesMissingGoSumEntryError)
case errors.Is(err, derrors.LoadPackagesError):
// general load packages error
case isVulnDBConnection(err):
err = fmt.Errorf("%v: %w", err, derrors.ScanModuleGovulncheckDBConnectionError)
default:
err = fmt.Errorf("%v: %w", err, derrors.ScanModuleGovulncheckError)
}
row.AddError(err)
} else {
row.Vulns = vulnsForMode(vulns, sreq.Mode)
}
log.Infof(ctx, "scanner.runScanModule returned %d vulns for %s: row.Vulns=%d err=%v", len(vulns), sreq.Path(), len(row.Vulns), err)
if err := writeResult(ctx, sreq.Serve, w, s.bqClient, govulncheck.TableName, row); err != nil {
return err
}
if sreq.Mode != ModeGovulncheck {
return nil
}
// For ModeGovulncheck, add the copy of row and report
// each vulnerability as imported. We set the performance
// numbers to 0 since we don't actually perform a scan
// at the level of import chains. Also makes a copy if
// the original row has an error and no vulns.
impRow := *row
impRow.ScanMode = modeImports
impRow.ScanSeconds = 0
impRow.ScanMemory = 0
impRow.Vulns = vulnsForMode(vulns, modeImports)
log.Infof(ctx, "scanner.runScanModule also storing imports vulns for %s: row.Vulns=%d", sreq.Path(), len(impRow.Vulns))
return writeResult(ctx, sreq.Serve, w, s.bqClient, govulncheck.TableName, &impRow)
}
// vulnsForMode returns vulns that make sense to report for
// a particular mode.
//
// For ModeGovulncheck, these are all vulns that are actually
// called (CallSink!=0). For modeImports, these are all vulns
// modified to have CallSink=0. For ModeBinary, these are
// exactly the input vulns since binary analysis does not
// distinguish between called and imported vulnerabilities.
func vulnsForMode(vulns []*govulncheck.Vuln, mode string) []*govulncheck.Vuln {
if mode == ModeBinary {
return vulns
}
var vs []*govulncheck.Vuln
for _, v := range vulns {
if mode == ModeGovulncheck {
// Return only the called vulns for ModeGovulncheck.
if v.CallSink.Valid && v.CallSink.Int64 != 0 {
vs = append(vs, v)
}
} else if mode == modeImports {
// For imports mode, return the vulnerability as it
// is imported, but not called.
nv := *v
nv.CallSink = bigquery.NullInt(0)
vs = append(vs, &nv)
} else {
panic(fmt.Sprintf("vulnsForMode unsupported mode %s", mode))
}
}
return vs
}
type scanStats struct {
scanSeconds float64
scanMemory uint64
}
// Inside the sandbox, the user is root and their $HOME directory is /root.
const (
// The Go cache resides in its default location, $HOME/.cache/go-build.
sandboxGoCache = "root/.cache/go-build"
// Where the govulncheck binary lives.
govulncheckPath = binaryDir + "/govulncheck"
)
// runScanModule fetches the module version from the proxy, and analyzes it for
// vulnerabilities.
func (s *scanner) runScanModule(ctx context.Context, modulePath, version, binaryDir, mode string, stats *scanStats) (bvulns []*govulncheck.Vuln, err error) {
err = doScan(ctx, modulePath, version, s.insecure, func() error {
var vulns []*govulncheckapi.Vuln
if s.insecure {
vulns, err = s.runGovulncheckScanInsecure(ctx, modulePath, version, binaryDir, mode, stats)
} else {
vulns, err = s.runGovulncheckScanSandbox(ctx, modulePath, version, binaryDir, mode, stats)
}
if err != nil {
return err
}
for _, v := range vulns {
bvulns = append(bvulns, govulncheck.ConvertGovulncheckOutput(v)...)
}
return nil
})
return bvulns, err
}
func (s *scanner) runGovulncheckScanSandbox(ctx context.Context, modulePath, version, binDir, mode string, stats *scanStats) (_ []*govulncheckapi.Vuln, err error) {
if mode == ModeBinary {
return s.runBinaryScanSandbox(ctx, modulePath, version, binDir, stats)
}
mdir := moduleDir(modulePath, version)
defer cleanup(&err, func() error { return os.RemoveAll(mdir) })
const insecure = false
if err := prepareModule(ctx, modulePath, version, mdir, s.proxyClient, insecure); err != nil {
return nil, err
}
log.Infof(ctx, "running govulncheck in sandbox: %s@%s", modulePath, version)
smdir := strings.TrimPrefix(mdir, sandboxRoot)
err = s.sbox.Validate()
log.Debugf(ctx, "sandbox Validate returned %v", err)
if err != nil {
return nil, err
}
stdout, err := s.sbox.Command(binaryDir+"/govulncheck_sandbox", govulncheckPath, ModeGovulncheck, smdir).Output()
log.Infof(ctx, "done with govulncheck in sandbox: %s@%s err=%v", modulePath, version, err)
if err != nil {
return nil, errors.New(derrors.IncludeStderr(err))
}
response, err := govulncheck.UnmarshalSandboxResponse(stdout)
if err != nil {
return nil, err
}
stats.scanMemory = response.Stats.ScanMemory
stats.scanSeconds = response.Stats.ScanSeconds
log.Debugf(ctx, "govulncheck stats: %dkb | Seconds: %vs", stats.scanMemory, stats.scanSeconds)
return response.Res.Vulns, nil
}
func (s *scanner) runBinaryScanSandbox(ctx context.Context, modulePath, version, binDir string, stats *scanStats) ([]*govulncheckapi.Vuln, error) {
if s.gcsBucket == nil {
return nil, errors.New("binary bucket not configured; set GO_ECOSYSTEM_BINARY_BUCKET")
}
// Copy the binary from GCS to the local disk, because vulncheck.Binary
// ultimately requires a ReaderAt and GCS doesn't provide that.
gcsPathname := fmt.Sprintf("%s/%s@%s/%s", gcsBinaryDir, modulePath, version, binDir)
const destDir = binaryDir
log.Debug(ctx, "copying",
"from", gcsPathname,
"to", destDir,
"module", modulePath, "version", version,
"dir", binDir)
destf, err := os.CreateTemp(destDir, "govulncheck-binary-")
if err != nil {
return nil, err
}
defer os.Remove(destf.Name())
rc, err := s.gcsBucket.Object(gcsPathname).NewReader(ctx)
if err != nil {
return nil, err
}
defer rc.Close()
if err := copyAndClose(destf, rc); err != nil {
return nil, err
}
log.Infof(ctx, "running govulncheck in sandbox on %s: %s@%s/%s", modulePath, version, binDir, destf.Name())
stdout, err := s.sbox.Command(binaryDir+"/govulncheck_sandbox", govulncheckPath, ModeBinary, destf.Name()).Output()
log.Infof(ctx, "done with govulncheck in sandbox on %s: %s@%s/%s err=%v", modulePath, version, binDir, destf.Name(), err)
if err != nil {
return nil, errors.New(derrors.IncludeStderr(err))
}
response, err := govulncheck.UnmarshalSandboxResponse(stdout)
if err != nil {
return nil, err
}
stats.scanMemory = response.Stats.ScanMemory
stats.scanSeconds = response.Stats.ScanSeconds
log.Debugf(ctx, "govulncheck stats: %dkb | Seconds: %vs", stats.scanMemory, stats.scanSeconds)
return response.Res.Vulns, nil
}
func (s *scanner) runGovulncheckScanInsecure(ctx context.Context, modulePath, version, binaryDir, mode string, stats *scanStats) (_ []*govulncheckapi.Vuln, err error) {
if mode == ModeBinary {
return s.runBinaryScanInsecure(ctx, modulePath, version, binaryDir, os.TempDir(), stats)
}
mdir := moduleDir(modulePath, version)
defer cleanup(&err, func() error { return os.RemoveAll(mdir) })
if err := prepareModule(ctx, modulePath, version, mdir, s.proxyClient, true); err != nil {
return nil, err
}
vulns, err := runGovulncheckCmd("./...", mdir, stats)
if err != nil {
return nil, err
}
return vulns, nil
}
func (s *scanner) runBinaryScanInsecure(ctx context.Context, modulePath, version, binDir, tempDir string, stats *scanStats) ([]*govulncheckapi.Vuln, error) {
if s.gcsBucket == nil {
return nil, errors.New("binary bucket not configured; set GO_ECOSYSTEM_BINARY_BUCKET")
}
// Copy the binary from GCS to the local disk, because govulncheck
// ultimately requires a ReaderAt and GCS doesn't provide that.
gcsPathname := fmt.Sprintf("%s/%s@%s/%s", gcsBinaryDir, modulePath, version, binDir)
log.Debug(ctx, "copying to temp dir",
"from", gcsPathname, "module", modulePath, "version", version, "dir", binDir)
localPathname := filepath.Join(tempDir, "binary")
if err := copyToLocalFile(localPathname, false, gcsPathname, gcsOpenFileFunc(ctx, s.gcsBucket)); err != nil {
return nil, err
}
vulns, err := runGovulncheckCmd(localPathname, "", stats)
if err != nil {
return nil, err
}
return vulns, nil
}
func runGovulncheckCmd(pattern, tempDir string, stats *scanStats) ([]*govulncheckapi.Vuln, error) {
govulncheckName := govulncheckPath
if !fileExists(govulncheckName) {
govulncheckName = "govulncheck"
}
start := time.Now()
govulncheckCmd := exec.Command(govulncheckName, "-json", pattern)
govulncheckCmd.Dir = tempDir
output, err := govulncheckCmd.Output()
if e := (&exec.ExitError{}); !errors.As(err, &e) && e.ProcessState.ExitCode() != 3 {
return nil, err
}
stats.scanSeconds = time.Since(start).Seconds()
stats.scanMemory = uint64(govulncheckCmd.ProcessState.SysUsage().(*syscall.Rusage).Maxrss)
res, err := govulncheck.UnmarshalGovulncheckResult(output)
if err != nil {
return nil, err
}
return res.Vulns, nil
}
func isNoRequiredModule(err error) bool {
return strings.Contains(err.Error(), "no required module")
}
func isMissingGoSumEntry(err error) bool {
return strings.Contains(err.Error(), "missing go.sum entry")
}
func isMissingGoMod(err error) bool {
return strings.Contains(err.Error(), "no go.mod file")
}
func isVulnDBConnection(err error) bool {
s := err.Error()
return strings.Contains(s, "https://vuln.go.dev") &&
strings.Contains(s, "connection")
}
// fileExists checks if file path exists. Returns true
// if the file exists or it cannot prove that it does
// not exist. Otherwise, returns false.
func fileExists(file string) bool {
if _, err := os.Stat(file); err == nil {
return true
} else if errors.Is(err, os.ErrNotExist) {
return false
}
// Conservatively return true if os.Stat fails
// for some other reason.
return true
}