internal/worker: use function Aliases instead of x/vuln client

To remove the dependency on the now unsupported x/vuln client, clone
the vulndb repo and call Aliases to find all aliases. This is actually
an improvement, as the worker will now take into account excluded aliases
when determining if something is a duplicate.

With this change, we have now completely removed the dependency of this
repo on x/vuln.

Fixes golang/go#60116

Change-Id: I12a837745d4eb2cc62cdb44522a52e2d016b4b6c
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/497039
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
diff --git a/go.mod b/go.mod
index a3aea9f..5e358a1 100644
--- a/go.mod
+++ b/go.mod
@@ -2,10 +2,7 @@
 
 go 1.18
 
-require (
-	golang.org/x/vuln v0.0.0-20230217204342-b91abcc5ae3c
-	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
-)
+require golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 
 require (
 	cloud.google.com/go/errorreporting v0.1.0
diff --git a/go.sum b/go.sum
index 6b9abc6..63d760a 100644
--- a/go.sum
+++ b/go.sum
@@ -585,8 +585,6 @@
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo=
 golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc=
-golang.org/x/vuln v0.0.0-20230217204342-b91abcc5ae3c h1:7/jJkMpaKZMxdyOQ7IP7aPbJQaDk4cOUxtXtWHQ1cSk=
-golang.org/x/vuln v0.0.0-20230217204342-b91abcc5ae3c/go.mod h1:LTLnfk/dpXDNKsX6aCg/cI4LyCVnTyrQhgV/yLJuly0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/internal/worker/worker.go b/internal/worker/worker.go
index ec52c30..45dbbe7 100644
--- a/internal/worker/worker.go
+++ b/internal/worker/worker.go
@@ -12,7 +12,6 @@
 	"fmt"
 	"strconv"
 	"strings"
-	"sync"
 	"text/template"
 	"time"
 
@@ -21,9 +20,7 @@
 	"golang.org/x/exp/event"
 	"golang.org/x/exp/maps"
 	"golang.org/x/exp/slices"
-	"golang.org/x/sync/errgroup"
 	"golang.org/x/time/rate"
-	vulnc "golang.org/x/vuln/client"
 	"golang.org/x/vulndb/internal/cvelistrepo"
 	"golang.org/x/vulndb/internal/cveschema"
 	"golang.org/x/vulndb/internal/derrors"
@@ -68,7 +65,11 @@
 			return err
 		}
 	}
-	knownVulnIDs, err := getAllCVEsAndGHSAsInVulnDB(ctx)
+	vulndb, err := gitrepo.Clone(ctx, "https://github.com/golang/vulndb")
+	if err != nil {
+		return err
+	}
+	knownVulnIDs, err := report.Aliases(vulndb)
 	if err != nil {
 		return err
 	}
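Review bot: The repository URL is a string literal at the `gitrepo.Clone` call, whereas the file keeps its other vulndb location as a named constant (`vulnDBURL` in the const block further down). Because this clone is now the source of truth for duplicate detection, a constant beside it, for example `vulnDBRepoURL = "https://github.com/golang/vulndb"`, would keep that trust anchor in one auditable place. Both new error paths return `err` bare, so a failed clone and a failed alias scan look the same to the caller unless the enclosing function already wraps errors; its start and end are outside the hunk, so this cannot be confirmed here. If it does not, `return fmt.Errorf("cloning vulndb: %w", err)` would tell the two apart. It is also worth checking whether `vulnDBURL` still has a user now that `getAllCVEsAndGHSAsInVulnDB` is gone.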
@@ -127,47 +128,6 @@
 	vulnDBURL    = "https://storage.googleapis.com/" + vulnDBBucket
 )
 
-// getAllCVEsAndGHSAsInVulnDB returns a list of all CVE IDs and
-// GHSA IDs in the Go vuln DB.
-func getAllCVEsAndGHSAsInVulnDB(ctx context.Context) ([]string, error) {
-	const concurrency = 4
-
-	client, err := vulnc.NewClient([]string{vulnDBURL}, vulnc.Options{})
-	if err != nil {
-		return nil, err
-	}
-
-	goIDs, err := client.ListIDs(ctx)
-	if err != nil {
-		return nil, err
-	}
-	var (
-		mu      sync.Mutex
-		vulnIDs []string
-	)
-	sem := make(chan struct{}, concurrency)
-	g, ctx := errgroup.WithContext(ctx)
-	for _, id := range goIDs {
-		id := id
-		sem <- struct{}{}
-		g.Go(func() error {
-			defer func() { <-sem }()
-			e, err := client.GetByID(ctx, id)
-			if err != nil {
-				return err
-			}
-			mu.Lock()
-			vulnIDs = append(vulnIDs, e.Aliases...)
-			mu.Unlock()
-			return nil
-		})
-	}
-	if err := g.Wait(); err != nil {
-		return nil, err
-	}
-	return vulnIDs, nil
-}
-
 // GHSAListFunc is the type of a function that lists GitHub security advisories.
 type GHSAListFunc func(_ context.Context, since time.Time) ([]*ghsa.SecurityAdvisory, error)