internal/ghsa: allow listing advisories with CVEs

The List method previously listed only security advisories that did
not correspond to CVEs. Add an argument that allows the caller to
choose this behavior or the opposite, to list the advisories that do
have CVEs.

Change-Id: I286d4671d7bebe729eeef224acf8ce3fda9c21df
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/388674
Trust: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/cmd/worker/main.go b/cmd/worker/main.go
index cb78b12..d31d9cb 100644
--- a/cmd/worker/main.go
+++ b/cmd/worker/main.go
@@ -211,7 +211,8 @@
 		return nil
 	}
 	listSAs := func(ctx context.Context, since time.Time) ([]*ghsa.SecurityAdvisory, error) {
-		return ghsa.List(ctx, cfg.GitHubAccessToken, since)
+		const withoutCVES = false
+		return ghsa.List(ctx, cfg.GitHubAccessToken, since, withoutCVES)
 	}
 	_, err = worker.UpdateGHSAs(ctx, listSAs, cfg.Store)
 	return err
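Review bot: The constant `withoutCVES = false` reads as a double negative when passed as the new `withCVE` parameter: the name labels the argument position, but its value says the opposite, so a reader has to consult List's signature to work out which set is selected. Naming the local after the parameter, `const withCVE = false` and `ghsa.List(ctx, cfg.GitHubAccessToken, since, withCVE)`, says the same thing without the inversion. The same pattern appears in the internal/worker/server.go hunk and in the internal/ghsa/ghsa_test.go hunk, where the spelling also differs (`withoutCVES` vs `withoutCVEs`). The enclosing function starts and ends outside the hunk.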
diff --git a/internal/ghsa/ghsa.go b/internal/ghsa/ghsa.go
index 55775fe..f4838da 100644
--- a/internal/ghsa/ghsa.go
+++ b/internal/ghsa/ghsa.go
@@ -58,9 +58,12 @@
 	UpdatedAt time.Time
 }
 
-// List returns all SecurityAdvisories that are not CVEs and that affect Go,
+// List returns all SecurityAdvisories that affect Go,
 // published or updated since the given time.
-func List(ctx context.Context, accessToken string, since time.Time) ([]*SecurityAdvisory, error) {
+// The withCVE argument controls whether to select advisories that are
+// connected to CVEs.
+
+func List(ctx context.Context, accessToken string, since time.Time, withCVE bool) ([]*SecurityAdvisory, error) {
 	ts := oauth2.StaticTokenSource(&oauth2.Token{AccessToken: accessToken})
 	tc := oauth2.NewClient(context.Background(), ts)
 	client := githubv4.NewClient(tc)
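Review bot: The blank line inserted between the doc comment and the `func List` declaration detaches the comment from the function, so godoc and `go vet`-style doc tools will no longer treat it as List's documentation; the blank line should be removed. While touching the comment, the sentence about the new parameter could state the selection directly rather than "controls whether to select", e.g. `// If withCVE is true, only advisories that have a CVE identifier are returned; otherwise only advisories without one are returned.` List's body continues outside the hunk.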
@@ -115,7 +118,7 @@
 			if sa.PublishedAt.After(sa.UpdatedAt) {
 				return nil, fmt.Errorf("%s: published at %s, after updated at %s", sa.ID, sa.PublishedAt, sa.UpdatedAt)
 			}
-			if isCVE(sa.Identifiers) {
+			if withCVE != isCVE(sa.Identifiers) {
 				continue
 			}
 			if len(sa.Vulnerabilities.Nodes) == 0 {
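Review bot: The condition `withCVE != isCVE(sa.Identifiers)` is correct but uses boolean inequality as an exclusive-or, which is easy to misread as a plain comparison; a one-line comment above it would spare the next reader the truth table, e.g. `// Skip advisories whose CVE status does not match the withCVE selection.` The enclosing loop and function both start and end outside the hunk.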
diff --git a/internal/ghsa/ghsa_test.go b/internal/ghsa/ghsa_test.go
index 664b33e..d147844 100644
--- a/internal/ghsa/ghsa_test.go
+++ b/internal/ghsa/ghsa_test.go
@@ -25,8 +25,10 @@
 		t.Fatal(err)
 	}
 	accessToken := strings.TrimSpace(string(bytes))
-	// There were three relevant SAs From Jan 1 to Feb 7 2022.
-	got, err := List(context.Background(), accessToken, time.Date(2022, 1, 1, 0, 0, 0, 0, time.UTC))
+	// There were at least three relevant SAs since this date.
+	since := time.Date(2022, 1, 1, 0, 0, 0, 0, time.UTC)
+	const withoutCVEs = false
+	got, err := List(context.Background(), accessToken, since, withoutCVEs)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -34,4 +36,9 @@
 	if len(got) < want {
 		t.Errorf("got %d, want at least %d", len(got), want)
 	}
+	for _, g := range got {
+		if isCVE(g.Identifiers) {
+			t.Errorf("isCVE true, want false for %+v", g)
+		}
+	}
 }
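Review bot: The added loop only verifies the `withoutCVEs` path: it asserts that nothing returned with `withCVE == false` has a CVE identifier, but the new `withCVE == true` branch of List is never exercised, so a regression that inverted the comparison would not be caught by this test on that side. A second call with `true` and a mirrored check, `if !isCVE(g.Identifiers) { t.Errorf("isCVE false, want true for %+v", g) }`, would cover both directions. Since the test reaches the live GitHub API with a token, that second call adds another network round-trip, which is presumably acceptable given the existing one. The enclosing test function starts outside the hunk.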
diff --git a/internal/worker/server.go b/internal/worker/server.go
index 618786c..de5d8c8 100644
--- a/internal/worker/server.go
+++ b/internal/worker/server.go
@@ -313,7 +313,8 @@
 		return err
 	}
 	listSAs := func(ctx context.Context, since time.Time) ([]*ghsa.SecurityAdvisory, error) {
-		return ghsa.List(ctx, s.cfg.GitHubAccessToken, since)
+		const withoutCVES = false
+		return ghsa.List(ctx, s.cfg.GitHubAccessToken, since, withoutCVES)
 	}
 	_, err = UpdateGHSAs(r.Context(), listSAs, s.cfg.Store)
 	return err