internal: delete

This code is moved to x/vuln.

Change-Id: Ide030bfcbf1bcaaed4a989e0f4b8c42c94fb0368
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/362495
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
diff --git a/go.mod b/go.mod
index dcdc748..e04f78b 100644
--- a/go.mod
+++ b/go.mod
@@ -3,25 +3,13 @@
 go 1.17
 
 require (
-	github.com/Microsoft/go-winio v0.4.16 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 // indirect
-	github.com/acomagu/bufpipe v1.0.3 // indirect
-	github.com/emirpasic/gods v1.12.0 // indirect
-	github.com/go-git/gcfg v1.5.0 // indirect
-	github.com/go-git/go-billy/v5 v5.3.1 // indirect
-	github.com/go-git/go-git/v5 v5.4.2
-	github.com/imdario/mergo v0.3.12 // indirect
-	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
-	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/sergi/go-diff v1.1.0 // indirect
-	github.com/xanzy/ssh-agent v0.3.0 // indirect
-	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 // indirect
-	golang.org/x/mod v0.4.1
-	golang.org/x/net v0.0.0-20210326060303-6b1517762897 // indirect
-	golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
 	golang.org/x/vuln v0.0.0-20211109030331-63d5d8171d01
 	golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 // indirect
-	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 )
+
+require (
+	github.com/kr/text v0.2.0 // indirect
+	golang.org/x/mod v0.4.1 // indirect
+	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
+)
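Review bot: The two `// indirect` entries left in the first `require` block (`golang.org/x/xerrors` and `gopkg.in/yaml.v2`) sit apart from the indirect-only block added at the end of this hunk, so the direct dependency set is harder to read off than it needs to be. With `go 1.17` declared, the usual layout is one block of direct requirements and one of indirect ones; moving those two lines into the second block would leave `golang.org/x/vuln` as the only entry in the first. That split makes it quick to audit what the module pulls in directly now that go-git and its transitive SSH and crypto dependencies are gone. Whether `gopkg.in/yaml.v2` is really indirect cannot be confirmed from this hunk; if a remaining package imports it, the `// indirect` marker should be dropped rather than the line moved.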
diff --git a/go.sum b/go.sum
index 4311706..02eb744 100644
--- a/go.sum
+++ b/go.sum
@@ -1,41 +1,25 @@
 github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
-github.com/Microsoft/go-winio v0.4.16 h1:FtSW/jqD+l4ba5iPBj9CODVtgfYAD8w2wS923g/cFDk=
 github.com/Microsoft/go-winio v0.4.16/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0=
-github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 h1:YoJbenK9C67SkzkDfmQuVln04ygHj3vjZfd9FL+GmQQ=
 github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo=
-github.com/acomagu/bufpipe v1.0.3 h1:fxAGrHZTgQ9w5QqVItgzwj235/uYZYgbXitB+dLupOk=
 github.com/acomagu/bufpipe v1.0.3/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4=
-github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
-github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg=
 github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
-github.com/gliderlabs/ssh v0.2.2 h1:6zsha5zo/TWhRhwqCD3+EarCAgZ2yN28ipRnGPnwkI0=
 github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
-github.com/go-git/gcfg v1.5.0 h1:Q5ViNfGF8zFgyJWPqYwA7qGFoMTEiBmdlkcfRmpIMa4=
 github.com/go-git/gcfg v1.5.0/go.mod h1:5m20vg6GwYabIxaOonVkTdrILxQMpEShl1xiMF4ua+E=
 github.com/go-git/go-billy/v5 v5.2.0/go.mod h1:pmpqyWchKfYfrkb/UVH4otLvyi/5gJlGI4Hb3ZqZ3W0=
-github.com/go-git/go-billy/v5 v5.3.1 h1:CPiOUAzKtMRvolEKw+bG1PLRpT7D3LIs3/3ey4Aiu34=
 github.com/go-git/go-billy/v5 v5.3.1/go.mod h1:pmpqyWchKfYfrkb/UVH4otLvyi/5gJlGI4Hb3ZqZ3W0=
-github.com/go-git/go-git-fixtures/v4 v4.2.1 h1:n9gGL1Ct/yIw+nfsfr8s4+sbhT+Ncu2SubfXjIWgci8=
 github.com/go-git/go-git-fixtures/v4 v4.2.1/go.mod h1:K8zd3kDUAykwTdDCr+I0per6Y6vMiRR/nnVTBtavnB0=
-github.com/go-git/go-git/v5 v5.4.2 h1:BXyZu9t0VkbiHtqrsvdq39UDhGJTl1h55VW6CSC4aY4=
 github.com/go-git/go-git/v5 v5.4.2/go.mod h1:gQ1kArt6d+n+BGd+/B/I74HwRTLhth2+zti4ihgckDc=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
 github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
-github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4=
-github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 h1:DowS9hvgyYSX4TO5NpyC606/Z4SxnNYbT+WX27or6Ck=
 github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@@ -45,40 +29,31 @@
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A=
 github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
-github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
 github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/xanzy/ssh-agent v0.3.0 h1:wUMzuKtKilRgBAD1sUb8gOwwRr2FGoBVumcjoOACClI=
 github.com/xanzy/ssh-agent v0.3.0/go.mod h1:3s9xbODqPuuhK9JV1R321M/FlMZSBvE5aY6eAcqrDh0=
 golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
-golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 h1:HWj/xjIHfjYU5nVXpTM0s39J9CbLn7Cc5a7IC5rwsMQ=
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/mod v0.4.1 h1:Kvvh58BN8Y9/lBi7hTekvtMpm07eUZ0ck5pRHpsMWrY=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210326060303-6b1517762897 h1:KrsHThm5nFk34YtATK1LsThyGhGbGe1olrte/HInHvs=
 golang.org/x/net v0.0.0-20210326060303-6b1517762897/go.mod h1:uSPa2vr4CLtc/ILN5odXGNXS6mhrKVzTaCXzk9m6W3k=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -91,12 +66,9 @@
 golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210502180810-71e4cd670f79/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 h1:SrN+KX8Art/Sf4HNj6Zcz06G7VEz+7w9tdXTPOZ7+l4=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
@@ -111,12 +83,10 @@
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/internal/cvelist/cvelist.go b/internal/cvelist/cvelist.go
deleted file mode 100644
index f11a444..0000000
--- a/internal/cvelist/cvelist.go
+++ /dev/null
@@ -1,315 +0,0 @@
-// Copyright 2021 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package cvelist is used to fetch and parse information from
-// https://github.com/CVEProject/cvelist
-package cvelist
-
-import (
-	"encoding/json"
-	"fmt"
-	"log"
-	"net/http"
-	"net/url"
-	"path"
-	"strings"
-
-	"github.com/go-git/go-git/v5"
-	"github.com/go-git/go-git/v5/plumbing"
-	"github.com/go-git/go-git/v5/plumbing/filemode"
-	"github.com/go-git/go-git/v5/plumbing/object"
-	"github.com/go-git/go-git/v5/storage/memory"
-	"golang.org/x/vulndb/internal/cveschema"
-	"golang.org/x/vulndb/internal/derrors"
-	"golang.org/x/vulndb/internal/report"
-)
-
-// Run clones the CVEProject/cvelist repository and compares the files to the
-// existing triaged-cve-list.
-func Run(triaged map[string]bool) (err error) {
-	defer derrors.Wrap(&err, "Run(triaged)")
-	log.Printf("Cloning %q...", cvelistRepoURL)
-	repo, root, err := cloneRepo(cvelistRepoURL)
-	if err != nil {
-		return err
-	}
-	if err := createIssuesToTriage(repo, root, triaged); err != nil {
-		return err
-	}
-	return nil
-}
-
-const cvelistRepoURL = "https://github.com/CVEProject/cvelist"
-
-// cloneRepo returns a repo and tree object for the repo at HEAD by
-// cloning the repo at repoURL.
-func cloneRepo(repoURL string) (repo *git.Repository, root *object.Tree, err error) {
-	defer derrors.Wrap(&err, "cloneRepo(%q)", repoURL)
-	repo, err = git.Clone(memory.NewStorage(), nil, &git.CloneOptions{
-		URL:           repoURL,
-		ReferenceName: plumbing.HEAD,
-		SingleBranch:  true,
-		Depth:         1,
-		Tags:          git.NoTags,
-	})
-	if err != nil {
-		return nil, nil, err
-	}
-	refName := plumbing.HEAD
-	ref, err := repo.Reference(refName, true)
-	if err != nil {
-		return nil, nil, err
-	}
-	commit, err := repo.CommitObject(ref.Hash())
-	if err != nil {
-		return nil, nil, err
-	}
-	root, err = repo.TreeObject(commit.TreeHash)
-	if err != nil {
-		return nil, nil, err
-	}
-	return repo, root, nil
-}
-
-// createIssuesToTriage creates GitHub issues to be triaged by the Go security
-// team.
-// TODO: Create GitHub issues. At the moment, this just prints the number of
-// issues to be created.
-func createIssuesToTriage(r *git.Repository, t *object.Tree, triaged map[string]bool) (err error) {
-	defer derrors.Wrap(&err, "createIssuesToTriage(r, t, triaged)")
-	log.Printf("Finding new Go vulnerabilities from CVE list...")
-	cves, issues, err := walkRepo(r, t, "", triaged)
-	if err != nil {
-		return err
-	}
-	// TODO: log CVE states in a CVE record.
-	// TODO: create GitHub issues.
-
-	var numRefs int
-	for _, issue := range issues {
-		if issue.AdditionalInfo.Reason == reasonReferenceData {
-			numRefs += 1
-		}
-	}
-	log.Printf("Found %d new issues from %d CVEs (%d based on reference data)",
-		len(issues), len(cves), numRefs)
-	return nil
-}
-
-// walkRepo looks at the files in t, recursively, and check if it is a CVE that
-// needs to be manually triaged.
-func walkRepo(r *git.Repository, t *object.Tree, dirpath string, triaged map[string]bool) (newCVEs map[string]bool, newIssues []*GoVulnIssue, err error) {
-	defer derrors.Wrap(&err, "walkRepo(r, t, %q, triaged)", dirpath)
-	newCVEs = map[string]bool{}
-	for _, e := range t.Entries {
-		fp := path.Join(dirpath, e.Name)
-		if !strings.HasPrefix(fp, "202") {
-			continue
-		}
-		switch e.Mode {
-		case filemode.Dir:
-			t2, err := r.TreeObject(e.Hash)
-			if err != nil {
-				return nil, nil, err
-			}
-			cves, issues, err := walkRepo(r, t2, fp, triaged)
-			if err != nil {
-				return nil, nil, err
-			}
-			for c := range cves {
-				newCVEs[c] = true
-			}
-			newIssues = append(newIssues, issues...)
-		default:
-			if !strings.HasPrefix(e.Name, "CVE-") {
-				continue
-			}
-			cveID := strings.TrimSuffix(e.Name, ".json")
-			if triaged[cveID] {
-				continue
-			}
-			newCVEs[cveID] = true
-			c, err := parseCVE(r, e)
-			if err != nil {
-				return nil, nil, err
-			}
-			issue, err := cveToIssue(c)
-			if err != nil {
-				return nil, nil, err
-			}
-			if issue != nil {
-				log.Printf("New CVE to triage: %q (%q)\n", cveID, issue.Report.Module)
-				newIssues = append(newIssues, issue)
-			}
-		}
-	}
-	return newCVEs, newIssues, nil
-}
-
-// parseCVEJSON parses a CVE file following the CVE JSON format:
-// https://github.com/CVEProject/automation-working-group/blob/master/cve_json_schema/DRAFT-JSON-file-format-v4.md
-func parseCVE(r *git.Repository, e object.TreeEntry) (_ *cveschema.CVE, err error) {
-	defer derrors.Wrap(&err, "parseCVE(r, e)")
-	blob, err := r.BlobObject(e.Hash)
-	if err != nil {
-		return nil, fmt.Errorf("r.BlobObject: %v", err)
-	}
-	src, err := blob.Reader()
-	if err != nil {
-		return nil, fmt.Errorf("blob.Reader: %v", err)
-	}
-	defer func() {
-		cerr := src.Close()
-		if err == nil {
-			err = cerr
-		}
-	}()
-	var c cveschema.CVE
-	d := json.NewDecoder(src)
-	if err := d.Decode(&c); err != nil {
-		return nil, fmt.Errorf("d.Decode: %v", err)
-	}
-	if err != nil {
-		return nil, err
-	}
-	return &c, nil
-}
-
-const goGitHubRepo = "github.com/golang/go"
-
-// cveToIssue creates a GoVulnIssue from a c *cveschema.CVE.
-func cveToIssue(c *cveschema.CVE) (_ *GoVulnIssue, err error) {
-	defer derrors.Wrap(&err, "cveToIssue(c)")
-	if isPendingCVE(c) {
-		return nil, nil
-	}
-	mp, err := modulePathFromCVE(c)
-	if err != nil {
-		return nil, fmt.Errorf("modulePathFromCVE: %v", err)
-	}
-
-	if mp == "" {
-		return nil, nil
-	}
-	// TODO: implement additional checks on description and vendor information.
-
-	var links report.Links
-	for _, r := range c.References.ReferenceData {
-		if links.Commit == "" && strings.Contains(r.URL, "/commit/") {
-			links.Commit = r.URL
-		} else if links.PR == "" && strings.Contains(r.URL, "/pull/") {
-			links.PR = r.URL
-		} else {
-			links.Context = append(links.Context, r.URL)
-		}
-	}
-
-	var cwe string
-	for _, pt := range c.Problemtype.ProblemtypeData {
-		for _, d := range pt.Description {
-			if strings.Contains(d.Value, "CWE") {
-				cwe = d.Value
-			}
-		}
-	}
-	r := report.Report{
-		Module:      mp,
-		Links:       links,
-		CVE:         c.CVEDataMeta.ID,
-		Description: description(c),
-	}
-	if mp == goGitHubRepo {
-		r.Stdlib = true
-	}
-	info := AdditionalInfo{
-		Products: products(c),
-		CWE:      cwe,
-		Reason:   reasonReferenceData,
-	}
-	return &GoVulnIssue{Report: r, AdditionalInfo: info}, nil
-}
-
-// isPendingCVE reports if the CVE is still waiting on information and not
-// ready to be triaged.
-func isPendingCVE(c *cveschema.CVE) bool {
-	return c.CVEDataMeta.STATE == cveschema.StateReserved
-}
-
-var vcsHostsWithThreeElementRepoName = map[string]bool{
-	"bitbucket.org": true,
-	"gitea.com":     true,
-	"gitee.com":     true,
-	"github.com":    true,
-	"gitlab.com":    true,
-	"golang.org":    true,
-}
-
-// modulePathFromCVE returns a Go module path for a CVE, if we can determine
-// what it is.
-func modulePathFromCVE(c *cveschema.CVE) (_ string, err error) {
-	defer derrors.Wrap(&err, "modulePathFromCVE(c)")
-	for _, r := range c.References.ReferenceData {
-		if r.URL == "" {
-			continue
-		}
-		for host := range vcsHostsWithThreeElementRepoName {
-			if !strings.Contains(r.URL, host) {
-				continue
-			}
-			refURL, err := url.Parse(r.URL)
-			if err != nil {
-				return "", fmt.Errorf("url.Parse(%q): %v", r.URL, err)
-			}
-			u := refURL.Host + refURL.Path
-			parts := strings.Split(u, "/")
-			if len(parts) < 3 {
-				continue
-			}
-			mod := strings.Join(parts[0:3], "/")
-			r, err := http.DefaultClient.Get(fmt.Sprintf("https://pkg.go.dev/%s", mod))
-			if err != nil {
-				return "", err
-			}
-			if r.StatusCode == http.StatusOK {
-				return mod, nil
-			}
-		}
-	}
-	return "", nil
-}
-
-const reasonReferenceData = "This CVE was identified as a go vuln because a Go module path was found in reference data."
-
-// GoVulnIssue represents a GitHub issue to be created about a Go
-// vulnerability.
-type GoVulnIssue struct {
-	AdditionalInfo AdditionalInfo
-	Report         report.Report
-}
-
-// AdditionalInfo contains additional information about the CVE not captured by
-// report.Report.
-type AdditionalInfo struct {
-	CWE      string
-	Products []*cveschema.ProductDataItem
-	Reason   string
-}
-
-func description(c *cveschema.CVE) string {
-	var ds []string
-	for _, d := range c.Description.DescriptionData {
-		ds = append(ds, d.Value)
-	}
-	return strings.Join(ds, "| \n ")
-}
-
-func products(c *cveschema.CVE) []*cveschema.ProductDataItem {
-	var pds []*cveschema.ProductDataItem
-	for _, v := range c.Affects.Vendor.VendorData {
-		for _, pd := range v.Product.ProductData {
-			pds = append(pds, &pd)
-		}
-	}
-	return pds
-}
diff --git a/internal/cveschema/cveschema.go b/internal/cveschema/cveschema.go
deleted file mode 100644
index 85fb4ed..0000000
--- a/internal/cveschema/cveschema.go
+++ /dev/null
@@ -1,217 +0,0 @@
-// Copyright 2021 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package cveschema contains the schema for a CVE, as derived from
-// https://github.com/CVEProject/automation-working-group/tree/master/cve_json_schema.
-package cveschema
-
-const (
-	// StateReserved is the initial state for a CVE Record; when the associated
-	// CVE ID is Reserved by a CNA.
-	StateReserved = "RESERVED"
-
-	// StatePublished is when a CNA populates the data associated with a CVE ID
-	// as a CVE Record, the state of the CVE Record is Published. The
-	// associated data must contain an identification number (CVE ID), a prose
-	// description, and at least one public reference.
-	StatePublished = "PUBLISHED"
-
-	// StateRejected is when the CVE ID and associated CVE Record should no
-	// longer be used, the CVE Record is placed in the Rejected state. A Rejected
-	// CVE Record remains on the CVE List so that users can know when it is
-	// invalid.
-	StateRejected = "REJECTED"
-)
-
-// CVE represents a "Common Vulnerabilities and Exposures" record, which is
-// associated with a CVE ID and provided by a CNA.
-//
-// A CVE corresponds to a flaw in a software, firmware, hardware, or service
-// component resulting from a weakness that can be exploited, causing a negative
-// impact to the confidentiality, integrity, or availability of an impacted
-// component or components.
-type CVE struct {
-	// DataType identifies what kind of data is held in this JSON file. This is
-	// mandatory and designed to prevent problems with attempting to detect
-	// what kind of file this is. Valid values for this string are CVE, CNA,
-	// CVEMENTOR.
-	DataType string `json:"data_type"`
-
-	// DataFormat identifies what data format is used in this JSON file. This
-	// is mandatory and designed to prevent problems with attempting to detect
-	// what format of data is used. Valid values for this string are MITRE, it can
-	// also be user defined (e.g. for internal use).
-	DataFormat string `json:"data_format"`
-
-	// DataVersion identifies which version of the data format is in use. This
-	// is mandatory and designed to prevent problems with attempting to detect
-	// what format of data is used.
-	DataVersion string `json:"data_version"`
-
-	// CVEDataMeta is meta data about the CVE ID such as the CVE ID, who
-	// requested it, who assigned it, when it was requested, when it was assigned,
-	// the current state (PUBLIC, REJECT, etc.) and so on.
-	CVEDataMeta CVEDataMeta `json:"CVE_data_meta"`
-
-	// Affects is the root level container for affected vendors and in turn
-	// their affected technologies, products, hardware, etc. It only goes in
-	// the root level.
-	Affects Affects `json:"affects"`
-
-	// Description is a description of the issue. It can exist in the root
-	// level or within virtually any other container, the intent being that for
-	// example different products, and configurations may result in different
-	// impacts and thus descriptions of the issue.
-	Description Description `json:"description"`
-
-	// ProblemType is problem type information (e.g. CWE identifier).
-	Problemtype Problemtype `json:"problemtype"`
-
-	// References is reference data in the form of URLs or file objects
-	// (uuencoded and embedded within the JSON file, exact format to be
-	// decided, e.g. we may require a compressed format so the objects require
-	// unpacking before they are "dangerous").
-	References References `json:"references"`
-}
-
-// CVEDataMeta is meta data about the CVE ID such as the CVE ID, who requested
-// it, who assigned it, when it was requested, when it was assigned, the
-// current state (PUBLIC, REJECT, etc.) and so on.
-type CVEDataMeta struct {
-	ASSIGNER string `json:"ASSIGNER"`
-	ID       string `json:"ID"`
-	STATE    string `json:"STATE"`
-}
-
-// Affects is the root level container for affected vendors and in turn their
-// affected technologies, products, hardware, etc. It only goes in the root
-// level.
-type Affects struct {
-	Vendor Vendor `json:"vendor"`
-}
-
-// Description is a description of the issue. It can exist in the root level or
-// within virtually any other container, the intent being that for example
-// different products, and configurations may result in different impacts and
-// thus descriptions of the issue.
-//
-// The description could include:
-//
-// An explanation of an attack type using the vulnerability;
-// The impact of the vulnerability;
-// The software components within a software product that are affected by the
-// vulnerability; and
-// Any attack vectors that can make use of the vulnerability.
-//
-// Descriptions often follow this template:
-//
-//      [PROBLEM TYPE] in [PRODUCT/VERSION] causes [IMPACT] when [ATTACK]
-//
-// where impact and attack are arbitrary terms that should be relevant to the
-// nature of the vulnerability.
-type Description struct {
-	DescriptionData []LangString `json:"description_data"`
-}
-
-// ProblemType is problem type information (e.g. CWE identifier).
-//
-// It can include an arbitrary summary of the problem, though Common Weakness
-// Enumerations (CWEs) are a standard to use in this field.
-type Problemtype struct {
-	ProblemtypeData []ProblemtypeDataItems `json:"problemtype_data"`
-}
-
-// ProblemtypeDataItems are the entries in a ProblemType.
-type ProblemtypeDataItems struct {
-	Description []LangString `json:"description"`
-}
-
-// LangString is a JSON data type containing the language that a description is
-// written in and the text string.
-type LangString struct {
-	Lang  string `json:"lang"`
-	Value string `json:"value"`
-}
-
-// References is reference data in the form of URLs or file objects (uuencoded
-// and embedded within the JSON file, exact format to be decided, e.g. we may
-// require a compressed format so the objects require unpacking before they are
-// "dangerous").
-type References struct {
-	ReferenceData []Reference `json:"reference_data"`
-}
-
-// A reference is a URL pointing to a world-wide-web-based resource. For
-// CSV and flat-file formats, they should be separated by a space. References
-// should point to content that is relevant to the vulnerability and include at
-// least all the details included in the CVE entry. Ideally, references should
-// point to content that includes the CVE ID itself whenever possible. References
-// must also be publicly available, as described in Section 2.1.1 of the CVE
-// Numbering Authorities (CNA) Rules.
-type Reference struct {
-	URL string `json:"url"`
-}
-
-// Vendor is the container for affected vendors, it only goes in the affects
-// container.
-type Vendor struct {
-	// VendorData is an array of version values (vulnerable and not); we use an
-	// array so that different entities can make statements about the same
-	// vendor and they are separate (if we used a JSON object we'd essentially
-	// be keying on the vendor name and they would have to overlap). Also this
-	// allows things like data_version or description to be applied directly to
-	// the vendor entry.
-	VendorData []VendorDataItems `json:"vendor_data"`
-}
-
-// VendorDataItems represents a single vendor name and product.
-type VendorDataItems struct {
-	Product    Product `json:"product"`
-	VendorName string  `json:"vendor_name"`
-}
-
-// Product is the container for affected technologies, products, hardware, etc.
-//
-// As a general guideline, the product should include the vendor, developer, or
-// project name as well as the name of the actual software or hardware in which
-// the vulnerability exists.
-type Product struct {
-	// ProductData is an array of version values (vulnerable and not); we use
-	// an array so that we can make multiple statements about the same product and
-	// they are separate (if we used a JSON object we'd essentially be keying on
-	// the product name and they would have to overlap). Also this allows things
-	// like data_version or description to be applied directly to the product
-	// entry.
-	ProductData []ProductDataItem `json:"product_data"`
-}
-
-// ProductDataItem represents a single product name and version that belongs to
-// a product container.
-type ProductDataItem struct {
-	ProductName string      `json:"product_name"`
-	Version     VersionData `json:"version"`
-}
-
-// VersionData is an array of version values (vulnerable and not); we use an
-// array so that we can make multiple statements about the same version and they
-// are separate (if we used a JSON object we'd essentially be keying on the
-// version name/number and they would have to overlap). Also this allows things
-// like data_version or description to be applied directly to the product entry.
-// This also allows more complex statements such as "Product X between versions
-// 10.2 and 10.8" to be put in a machine-readable format. As well since multiple
-// statements can be used multiple branches of the same product can be defined
-// here.
-type VersionData struct {
-	VersionData []VersionDataItems `json:"version_data"`
-}
-
-// VersionDataItems represents a version, the date of release, or whatever
-// indicator that is used by vendors, developers, or projects to differentiate
-// between releases. The version can be described with specific version
-// numbers, ranges of versions, or “all versions before/after” a version number or
-// date.
-type VersionDataItems struct {
-	VersionValue    string `json:"version_value"`
-	VersionAffected string `json:"version_affected"`
-}
diff --git a/internal/derrors/derrors.go b/internal/derrors/derrors.go
deleted file mode 100644
index 209a59c..0000000
--- a/internal/derrors/derrors.go
+++ /dev/null
@@ -1,21 +0,0 @@
-// Copyright 2021 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package derrors defines internal error values to categorize the different
-// types error semantics supported by the vulndb.
-package derrors
-
-import "fmt"
-
-// Wrap adds context to the error and allows
-// unwrapping the result to recover the original error.
-//
-// Example:
-//
-//	defer derrors.Wrap(&err, "copy(%s, %s)", dst, src)
-func Wrap(errp *error, format string, args ...interface{}) {
-	if *errp != nil {
-		*errp = fmt.Errorf("%s: %w", fmt.Sprintf(format, args...), *errp)
-	}
-}
diff --git a/internal/internal.go b/internal/internal.go
deleted file mode 100644
index 2b0aa00..0000000
--- a/internal/internal.go
+++ /dev/null
@@ -1,43 +0,0 @@
-// Copyright 2021 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package internal contains functionality for x/vulndb.
-package internal
-
-import (
-	"bufio"
-	"os"
-	"strings"
-
-	"golang.org/x/vulndb/internal/derrors"
-)
-
-// IDDirectory is the name of the directory that contains entries
-// listed by their IDs.
-const IDDirectory = "ID"
-
-// Readfilelines reads and returns the lines from a file.
-// Whitespace on each line is trimmed.
-// Blank lines and lines beginning with '#' are ignored.
-func ReadFileLines(filename string) (lines []string, err error) {
-	defer derrors.Wrap(&err, "ReadFileLines(%q)", filename)
-	f, err := os.Open(filename)
-	if err != nil {
-		return nil, err
-	}
-	defer f.Close()
-
-	s := bufio.NewScanner(f)
-	for s.Scan() {
-		line := strings.TrimSpace(s.Text())
-		if line == "" || strings.HasPrefix(line, "#") {
-			continue
-		}
-		lines = append(lines, line)
-	}
-	if s.Err() != nil {
-		return nil, s.Err()
-	}
-	return lines, nil
-}
diff --git a/internal/report/lint.go b/internal/report/lint.go
deleted file mode 100644
index 0b9baab..0000000
--- a/internal/report/lint.go
+++ /dev/null
@@ -1,235 +0,0 @@
-// Copyright 2021 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package report
-
-import (
-	"errors"
-	"fmt"
-	"io/ioutil"
-	"net/http"
-	"os"
-	"regexp"
-	"strings"
-
-	"golang.org/x/mod/modfile"
-	"golang.org/x/mod/module"
-	"golang.org/x/mod/semver"
-	"golang.org/x/vulndb/internal/derrors"
-)
-
-// TODO: getting things from the proxy should all be cached so we
-// aren't re-requesting the same stuff over and over.
-
-var proxyURL = "https://proxy.golang.org"
-
-func init() {
-	if proxy, ok := os.LookupEnv("GOPROXY"); ok {
-		proxyURL = proxy
-	}
-}
-
-func getModVersions(module string) (_ map[string]bool, err error) {
-	defer derrors.Wrap(&err, "getModVersions(%q)", module)
-	resp, err := http.Get(fmt.Sprintf("%s/%s/@v/list", proxyURL, module))
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-	b, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		return nil, err
-	}
-	versions := map[string]bool{}
-	for _, v := range strings.Split(string(b), "\n") {
-		versions[v] = true
-	}
-	return versions, nil
-}
-
-func getCanonicalModName(module string, version string) (_ string, err error) {
-	defer derrors.Wrap(&err, "getCanonicalModName(%q, %q)", module, version)
-	resp, err := http.Get(fmt.Sprintf("%s/%s/@v/%s.mod", proxyURL, module, version))
-	if err != nil {
-		return "", err
-	}
-	defer resp.Body.Close()
-	b, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		return "", err
-	}
-	m, err := modfile.ParseLax("go.mod", b, nil)
-	if err != nil {
-		return "", err
-	}
-	if m.Module == nil {
-		return "", fmt.Errorf("unable to retrieve module information for %s", module)
-	}
-	return m.Module.Mod.Path, nil
-}
-
-var pseudoVersionRE = regexp.MustCompile(`^v[0-9]+\.(0\.0-|\d+\.\d+-([^+]*\.)?0\.)\d{14}-[A-Za-z0-9]+(\+[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$`)
-
-// isPseudoVersion reports whether v is a pseudo-version.
-// NOTE: this is taken from cmd/go/internal/modfetch/pseudo.go but
-// uses regexp instead of the internal lazyregex package.
-func isPseudoVersion(v string) bool {
-	return strings.Count(v, "-") >= 2 && semver.IsValid(v) && pseudoVersionRE.MatchString(v)
-}
-
-func versionExists(version string, versions map[string]bool) (err error) {
-	defer derrors.Wrap(&err, "versionExists(%q, %v)", version, versions)
-	// TODO: for now, just skip pseudo-versions. at some point we should verify that
-	// it is a likely pseudo-version, i.e. one that could feasibly exist given the
-	// actual versions that we know about.
-	//
-	// pseudo-version check should take into account the canonical import path
-	// probably? (I think cmd/go/internal/modfetch/coderepo.go has something like
-	// this, check the error containing "has post-%v module path")
-	if isPseudoVersion(version) {
-		return nil
-	}
-	if !versions[version] {
-		return fmt.Errorf("proxy unaware of version")
-	}
-	return nil
-}
-
-func checkModVersions(path string, vr []VersionRange) (err error) {
-	defer derrors.Wrap(&err, "checkModVersions(%q, vr)", path)
-	realVersions, err := getModVersions(path)
-	if err != nil {
-		return fmt.Errorf("unable to retrieve module versions from proxy: %s", err)
-	}
-	checkVersion := func(version string) error {
-		if !semver.IsValid(version) {
-			return errors.New("invalid module semver")
-		}
-		if err := module.Check(path, version); err != nil {
-			return err
-		}
-		if err := versionExists(version, realVersions); err != nil {
-			return err
-		}
-		canonicalPath, err := getCanonicalModName(path, version)
-		if err != nil {
-			return err
-		}
-		if canonicalPath != path {
-			return fmt.Errorf("invalid module path at version (canonical path is %s)", canonicalPath)
-		}
-		return nil
-	}
-	for _, version := range vr {
-		if version.Introduced != "" {
-			if err := checkVersion(version.Introduced); err != nil {
-				return fmt.Errorf("bad version.introduced %q: %s", version.Introduced, err)
-			}
-		}
-		if version.Fixed != "" {
-			if err := checkVersion(version.Fixed); err != nil {
-				return fmt.Errorf("bad version.fixed %q: %s", version.Fixed, err)
-			}
-		}
-	}
-	return nil
-}
-
-var cveRegex = regexp.MustCompile(`^CVE-\d{4}-\d{4,}$`)
-
-// Lint checks the content of a Report.
-// TODO: instead of returning a single error we may want to return a slice, so that
-// we aren't fixing one thing at a time. Similarly it might make sense to include
-// warnings or informational things alongside errors, especially during for use
-// during the triage process.
-func (vuln *Report) Lint() []string {
-	var issues []string
-
-	var importPath string
-	if !vuln.Stdlib {
-		if vuln.Module == "" {
-			issues = append(issues, "missing module")
-		}
-		if vuln.Module != "" && vuln.Package == vuln.Module {
-			issues = append(issues, "package is redundant and can be removed")
-		}
-		if vuln.Package != "" && !strings.HasPrefix(vuln.Package, vuln.Module) {
-			issues = append(issues, "module must be a prefix of package")
-		}
-		if vuln.Package == "" {
-			importPath = vuln.Module
-		} else {
-			importPath = vuln.Package
-		}
-		if vuln.Module != "" && importPath != "" {
-			if err := checkModVersions(vuln.Module, vuln.Versions); err != nil {
-				issues = append(issues, err.Error())
-			}
-
-			if err := module.CheckImportPath(importPath); err != nil {
-				issues = append(issues, err.Error())
-			}
-		}
-	} else if vuln.Package == "" {
-		issues = append(issues, "missing package")
-	}
-
-	for _, additionalPackage := range vuln.AdditionalPackages {
-		var additionalImportPath string
-		if additionalPackage.Module == "" {
-			issues = append(issues, "missing additional_package.module")
-		}
-		if additionalPackage.Package == additionalPackage.Module {
-			issues = append(issues, "package is redundant and can be removed")
-		}
-		if additionalPackage.Package != "" && !strings.HasPrefix(additionalPackage.Package, additionalPackage.Module) {
-			issues = append(issues, "additional_package.module must be a prefix of additional_package.package")
-		}
-		if additionalPackage.Package == "" {
-			additionalImportPath = additionalPackage.Module
-		} else {
-			additionalImportPath = additionalPackage.Package
-		}
-		if err := module.CheckImportPath(additionalImportPath); err != nil {
-			issues = append(issues, err.Error())
-		}
-		if !vuln.Stdlib {
-			if err := checkModVersions(additionalPackage.Module, additionalPackage.Versions); err != nil {
-				issues = append(issues, err.Error())
-			}
-		}
-	}
-
-	if vuln.Description == "" {
-		issues = append(issues, "missing description")
-	}
-
-	if vuln.Published.IsZero() {
-		issues = append(issues, "missing published")
-	}
-
-	if vuln.LastModified != nil && vuln.LastModified.Before(vuln.Published) {
-		issues = append(issues, "last_modified is before published")
-	}
-
-	if vuln.CVE != "" && vuln.CVEMetadata != nil && vuln.CVEMetadata.ID != "" {
-		// TODO: may just want to use one of these? :shrug:
-		issues = append(issues, "only one of cve and cve_metadata.id should be present")
-	}
-
-	if vuln.CVE != "" && !cveRegex.MatchString(vuln.CVE) {
-		issues = append(issues, "malformed cve identifier")
-	}
-
-	if vuln.CVEMetadata != nil {
-		if vuln.CVEMetadata.ID == "" {
-			issues = append(issues, "cve_metadata.id is required")
-		}
-		if !cveRegex.MatchString(vuln.CVEMetadata.ID) {
-			issues = append(issues, "malformed cve_metadata.id identifier")
-		}
-	}
-
-	return issues
-}
diff --git a/internal/report/report.go b/internal/report/report.go
deleted file mode 100644
index f0a54d2..0000000
--- a/internal/report/report.go
+++ /dev/null
@@ -1,73 +0,0 @@
-// Copyright 2021 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package report contains functionality for parsing and linting YAML reports
-// in reports/.
-package report
-
-import "time"
-
-type VersionRange struct {
-	Introduced string `yaml:",omitempty"`
-	Fixed      string `yaml:",omitempty"`
-}
-
-type Additional struct {
-	Module   string         `yaml:",omitempty"`
-	Package  string         `yaml:",omitempty"`
-	Symbols  []string       `yaml:",omitempty"`
-	Versions []VersionRange `yaml:",omitempty"`
-}
-
-type Links struct {
-	PR      string   `yaml:",omitempty"`
-	Commit  string   `yaml:",omitempty"`
-	Context []string `yaml:",omitempty"`
-}
-
-type CVEMeta struct {
-	ID          string `yaml:",omitempty"`
-	CWE         string `yaml:",omitempty"`
-	Description string `yaml:",omitempty"`
-}
-
-type Report struct {
-	Module  string `yaml:",omitempty"`
-	Package string `yaml:",omitempty"`
-	// TODO: could also be GoToolchain, but we might want
-	// this for other things?
-	//
-	// could we also automate this by just looking for
-	// things prefixed with cmd/go?
-	DoNotExport bool `yaml:"do_not_export,omitempty"`
-	// TODO: how does this interact with Versions etc?
-	Stdlib bool `yaml:",omitempty"`
-	// TODO: the most common usage of additional package should
-	// really be replaced with 'aliases', we'll still need
-	// additional packages for some cases, but it's too heavy
-	// for most
-	AdditionalPackages []Additional   `yaml:"additional_packages,omitempty"`
-	Versions           []VersionRange `yaml:",omitempty"`
-
-	// Description is the CVE description from an existing CVE. If we are
-	// assigning a CVE ID ourselves, use CVEMetadata.Description instead.
-	Description  string     `yaml:",omitempty"`
-	Published    time.Time  `yaml:",omitempty"`
-	LastModified *time.Time `yaml:"last_modified,omitempty"`
-	Withdrawn    *time.Time `yaml:",omitempty"`
-
-	// CVE is the CVE ID for an existing CVE. If we are assigning a CVE ID
-	// ourselves, use CVEMetdata.ID instead.
-	CVE     string   `yaml:",omitempty"`
-	Credit  string   `yaml:",omitempty"`
-	Symbols []string `yaml:",omitempty"`
-	OS      []string `yaml:",omitempty"`
-	Arch    []string `yaml:",omitempty"`
-	Links   Links    `yaml:",omitempty"`
-
-	// CVEMetdata is used to capture CVE information when we want to assign a
-	// CVE ourselves. If a CVE already exists for an issue, use the CVE field
-	// to fill in the ID string.
-	CVEMetadata *CVEMeta `yaml:"cve_metadata,omitempty"`
-}