blob: 29d0eb3efeebdb3751c1516abb66e3ee0a8ba3a5 [file] [log] [blame]
// Copyright 2024 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package main
import (
"context"
"fmt"
"net/http"
"os"
"strings"
"golang.org/x/exp/slices"
"golang.org/x/vulndb/cmd/vulnreport/log"
"golang.org/x/vulndb/internal/idstr"
"golang.org/x/vulndb/internal/issues"
"golang.org/x/vulndb/internal/osv"
"golang.org/x/vulndb/internal/report"
"golang.org/x/vulndb/internal/symbols"
"golang.org/x/vulndb/internal/triage/priority"
)
type creator struct {
assignee string
created []*yamlReport
// If non-zero, use this review status
// instead of the default for new reports.
reviewStatus report.ReviewStatus
*fixer
*xrefer
*suggester
}
func (c *creator) setup(ctx context.Context, env environment) (err error) {
user := *user
if user == "" {
user = os.Getenv("GITHUB_USER")
}
c.assignee = user
rs, ok := report.ToReviewStatus(*reviewStatus)
if !ok {
return fmt.Errorf("invalid -status=%s", rs)
}
c.reviewStatus = rs
c.fixer = new(fixer)
c.xrefer = new(xrefer)
if *useAI {
c.suggester = new(suggester)
}
return setupAll(ctx, env, c.fixer, c.xrefer, c.suggester)
}
func (c *creator) skip(input any) string {
iss := input.(*issues.Issue)
if c.assignee != "" && iss.Assignee != c.assignee {
return fmt.Sprintf("assignee = %q, not %q", iss.Assignee, c.assignee)
}
return skip(iss, c.xrefer)
}
func skip(iss *issues.Issue, x *xrefer) string {
if iss.HasLabel(labelOutOfScope) {
return "out of scope"
}
if iss.HasLabel(labelDuplicate) {
return "duplicate issue"
}
if iss.HasLabel(labelSuggestedEdit) {
return "suggested edit"
}
// indicates that there is already a report for this
// vuln but the report needs to be updated
if iss.HasLabel(labelNeedsAlias) {
return "existing report needs alias"
}
if iss.HasLabel(labelPossiblyNotGo) {
return "possibly not Go"
}
if x.rc.HasReport(iss.Number) {
return "already has report"
}
return ""
}
func (c *creator) newReportFromIssue(ctx context.Context, iss *issues.Issue) error {
id := iss.NewGoID()
r, err := c.reportFromMeta(ctx, &reportMeta{
id: id,
excluded: excludedReason(iss),
modulePath: modulePath(iss),
aliases: aliases(iss),
reviewStatus: reviewStatusOf(iss, c.reviewStatus),
originalCVE: originalCVE(iss),
})
if err != nil {
return err
}
if r.Withdrawn != nil {
return fmt.Errorf("new regular report should not be created for withdrawn vulnerability; %s", withdrawnGuidance(id, iss.Number))
}
return c.write(ctx, r)
}
func originalCVE(iss *issues.Issue) string {
aliases := aliases(iss)
if iss.HasLabel(labelFirstParty) && len(aliases) == 1 && idstr.IsCVE(aliases[0]) {
return aliases[0]
}
return ""
}
func reviewStatusOf(iss *issues.Issue, reviewStatus report.ReviewStatus) report.ReviewStatus {
d := defaultReviewStatus(iss)
// If a valid review status is provided, it overrides the priority label.
if reviewStatus != 0 {
if d != reviewStatus {
log.Warnf("issue #%d: should be %s based on label(s) but this was overridden with the -status=%s flag", iss.Number, d, reviewStatus)
}
return reviewStatus
}
return d
}
func defaultReviewStatus(iss *issues.Issue) report.ReviewStatus {
if iss.HasLabel(labelHighPriority) ||
iss.HasLabel(labelDirect) ||
iss.HasLabel(labelFirstParty) {
return report.Reviewed
}
return report.Unreviewed
}
func (c *creator) metaToSource(ctx context.Context, meta *reportMeta) report.Source {
if cveID := meta.originalCVE; cveID != "" {
log.Infof("%s: creating original report for Go-CNA-assigned %s", meta.id, cveID)
return report.OriginalCVE(cveID)
}
if src := c.sourceFromBestAlias(ctx, meta.aliases, *preferCVE); src != nil {
log.Infof("%s: picked %s as best source alias (from [%s])", meta.id, src.SourceID(),
strings.Join(meta.aliases, ", "))
return src
}
log.Infof("%s: no suitable alias found, creating basic report", meta.id)
return report.Original()
}
func (c *creator) rawReport(ctx context.Context, meta *reportMeta) *report.Report {
return report.New(c.metaToSource(ctx, meta), c.pxc,
report.WithGoID(meta.id),
report.WithModulePath(meta.modulePath),
report.WithAliases(meta.aliases),
report.WithReviewStatus(meta.reviewStatus),
report.WithUnexcluded(meta.unexcluded),
)
}
func (c *creator) reportFromMeta(ctx context.Context, meta *reportMeta) (*yamlReport, error) {
// Find the underlying module if the "module" provided is actually a package path.
if module, err := c.pxc.FindModule(meta.modulePath); err == nil { // no error
meta.modulePath = module
}
meta.aliases = c.allAliases(ctx, meta.aliases)
raw := c.rawReport(ctx, meta)
if meta.excluded != "" {
raw = &report.Report{
ID: meta.id,
Modules: []*report.Module{
{
Module: meta.modulePath,
},
},
Excluded: meta.excluded,
CVEs: raw.CVEs,
GHSAs: raw.GHSAs,
}
}
// The initial quick triage algorithm doesn't know about all
// affected modules, so double check the priority after the
// report is created.
if raw.IsUnreviewed() {
pr, _ := c.reportPriority(raw)
if pr.Priority == priority.High {
log.Warnf("%s: re-generating; vuln is high priority and should be REVIEWED; reason: %s", raw.ID, pr.Reason)
meta.reviewStatus = report.Reviewed
raw = c.rawReport(ctx, meta)
}
}
fname, err := raw.YAMLFilename()
if err != nil {
return nil, err
}
r := &yamlReport{Report: raw, Filename: fname}
// Find any additional aliases referenced by the source aliases.
r.addMissingAliases(ctx, c.aliasFinder)
if c.suggester != nil {
suggestions, err := c.suggest(ctx, r, 1)
if err != nil {
r.AddNote(report.NoteTypeCreate, "failed to get AI-generated suggestions")
log.Warnf("%s: failed to get AI-generated suggestions: %v", r.ID, err)
} else {
log.Infof("%s: applying AI-generated suggestion", r.ID)
r.applySuggestion(suggestions[0])
}
}
if *populateSymbols {
log.Infof("%s: attempting to auto-populate symbols (this may take a while...)", r.ID)
if err := symbols.Populate(r.Report, false); err != nil {
r.AddNote(report.NoteTypeCreate, "failed to auto-populate symbols")
log.Warnf("%s: could not auto-populate symbols: %s", r.ID, err)
} else {
if err := r.checkSymbols(); err != nil {
log.Warnf("%s: auto-populated symbols have error(s): %s", r.ID, err)
}
}
}
switch {
case raw.IsExcluded():
// nothing
case raw.IsUnreviewed():
r.removeUnreachableRefs()
default:
// Regular, full-length reports.
addTODOs(r)
if xrefs := c.xref(r); len(xrefs) != 0 {
log.Infof("%s: found cross-references: %s", r.ID, xrefs)
}
}
return r, nil
}
func (r *yamlReport) removeUnreachableRefs() {
r.Report.References = slices.DeleteFunc(r.Report.References, func(r *report.Reference) bool {
resp, err := http.Head(r.URL)
if err != nil {
return true
}
defer resp.Body.Close()
return resp.StatusCode == http.StatusNotFound
})
}
func (c *creator) write(ctx context.Context, r *yamlReport) error {
if r.IsReviewed() || r.IsExcluded() {
if err := c.fileWriter.write(r); err != nil {
return err
}
} else { // unreviewed
addNotes := true
if err := c.fixAndWriteAll(ctx, r, addNotes); err != nil {
return err
}
}
c.created = append(c.created, r)
return nil
}
const (
labelDuplicate = "duplicate"
labelDirect = "Direct External Report"
labelSuggestedEdit = "Suggested Edit"
labelNeedsAlias = "NeedsAlias"
labelTriaged = "triaged"
labelHighPriority = "high priority"
labelFirstParty = "first party"
labelPossiblyNotGo = "possibly not Go"
labelOutOfScope = "excluded: OUT_OF_SCOPE"
)
func excludedReason(iss *issues.Issue) report.ExcludedType {
for _, label := range iss.Labels {
if reason, ok := report.FromLabel(label); ok {
return reason
}
}
return ""
}
func modulePath(iss *issues.Issue) string {
for _, p := range strings.Fields(iss.Title) {
if p == "x/vulndb:" {
continue
}
if strings.HasSuffix(p, ":") || strings.Contains(p, "/") {
// Remove backslashes.
return strings.ReplaceAll(strings.TrimSuffix(p, ":"), "\"", "")
}
}
return ""
}
func aliases(iss *issues.Issue) (aliases []string) {
for _, p := range strings.Fields(iss.Title) {
if idstr.IsAliasType(p) {
aliases = append(aliases, strings.TrimSuffix(p, ","))
}
}
return aliases
}
// Data that can be combined with a source vulnerability
// to create a new report.
type reportMeta struct {
id string
modulePath string
aliases []string
excluded, unexcluded report.ExcludedType
reviewStatus report.ReviewStatus
originalCVE string
}
const todo = "TODO: "
// addTODOs adds "TODO" comments to unfilled fields of r.
func addTODOs(r *yamlReport) {
if r.Excluded != "" {
return
}
if len(r.Modules) == 0 {
r.Modules = append(r.Modules, &report.Module{
Packages: []*report.Package{{}},
})
}
for _, m := range r.Modules {
if m.Module == "" {
m.Module = todo + "affected module path"
}
if len(m.Versions) == 0 {
m.Versions = report.Versions{
report.Introduced(todo + "introduced version (blank if unknown)"),
report.Fixed(todo + "fixed version"),
}
}
if m.VulnerableAt == nil {
m.VulnerableAt = report.VulnerableAt(todo + "a version at which the package is vulnerable")
}
if len(m.Packages) == 0 {
m.Packages = []*report.Package{
{
Package: todo + "affected package path(s) - blank if all",
},
}
}
for _, p := range m.Packages {
if p.Package == "" {
p.Package = todo + "affected package path"
}
if len(p.Symbols) == 0 {
p.Symbols = []string{todo + "affected symbol(s) - blank if all"}
}
}
}
if r.Summary == "" {
r.Summary = todo + "short (one phrase) summary of the form '<Problem> in <module>(s)'"
}
if r.Description == "" {
r.Description = todo + "description of the vulnerability"
}
if len(r.Credits) == 0 {
r.Credits = []string{todo + "who discovered/reported this vulnerability (optional)"}
}
if r.CVEMetadata == nil && len(r.CVEs) == 0 {
r.CVEs = []string{todo + "CVE id(s) for this vulnerability"}
}
if r.CVEMetadata != nil && r.CVEMetadata.CWE == "" {
r.CVEMetadata.CWE = todo + "CWE ID"
}
addReferenceTODOs(r)
}
// addReferenceTODOs adds a TODO for each important reference type not
// already present in the report.
func addReferenceTODOs(r *yamlReport) {
todos := []*report.Reference{
{Type: osv.ReferenceTypeAdvisory, URL: "TODO: canonical security advisory"},
{Type: osv.ReferenceTypeReport, URL: "TODO: issue tracker link"},
{Type: osv.ReferenceTypeFix, URL: "TODO: PR or commit (commit preferred)"}}
types := make(map[osv.ReferenceType]bool)
for _, r := range r.References {
types[r.Type] = true
}
for _, todo := range todos {
if !types[todo.Type] {
r.References = append(r.References, todo)
}
}
}