blob: 42b735368e676572bb9ade3e14c963079bb6eed9 [file] [log] [blame]
// Copyright 2023 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Package osvutils provides utilities for working with Go OSV entries.
// It is separated from package osv because that package
// promises to only import from the standard library.
package osvutils
import (
"errors"
"fmt"
"regexp"
"strings"
"golang.org/x/vulndb/internal/cveschema5"
"golang.org/x/vulndb/internal/derrors"
"golang.org/x/vulndb/internal/ghsa"
"golang.org/x/vulndb/internal/osv"
"golang.org/x/vulndb/internal/version"
)
// Validate errors if there are any problems with the OSV Entry.
// It is used to validate OSV entries before publishing them to the
// Go vulnerability database, and has stricter requirements than
// the general OSV format.
func Validate(e *osv.Entry) (err error) {
derrors.Wrap(&err, "Validate(%s)", e.ID)
return validate(e, true)
}
// ValidateExceptTimestamps errors if there are any problems with the
// OSV Entry, with the exception of the timestamps (published, modified and
// withdrawn) which are not checked.
// This is used to validate entries at CL submit time, before their timestamps
// are corrected.
func ValidateExceptTimestamps(e *osv.Entry) (err error) {
derrors.Wrap(&err, "ValidateExceptTimestamps(%s)", e.ID)
return validate(e, false)
}
var (
// Errors for incorrect timestamps.
errNoModified = errors.New("modified time must be non-zero")
errNoPublished = errors.New("published time must be non-zero")
errPublishedAfterModified = errors.New("published time cannot be after modified time")
// Errors for missing fields.
errNoID = errors.New("id field is empty")
errNoSchemaVersion = errors.New("schema_version field is empty")
errNoSummary = errors.New("summary field is empty")
errNoDetails = errors.New("details field is empty")
errNoAffected = errors.New("affected field is empty")
errNoReferences = errors.New("references field is empty")
errNoDatabaseSpecific = errors.New("database_specific field is empty")
errNoModule = errors.New("affected field missing module path")
errNotGoEcosystem = errors.New("affected ecosystem is not Go")
errNoRanges = errors.New("affected field contains no ranges")
errNoEcosystemSpecific = errors.New("affected field contains no ecosystem_specific field")
errNoPackagePath = errors.New("affected.ecosystem_specific.imports field has no package path")
// Errors for invalid fields.
errInvalidAlias = errors.New("alias must be CVE or GHSA ID")
errInvalidPkgsiteURL = errors.New("database_specific.URL must be a link to https://pkg.go.dev/vuln/<Go id>")
errInvalidPackagePath = errors.New("package path must be prefixed by module path")
errTooManyRanges = errors.New("each module should have exactly one version range")
errRangeTypeNotSemver = errors.New("range type must be SEMVER")
errNoRangeEvents = errors.New("range must contain one or more events")
errOutOfOrderRange = errors.New("introduced and fixed versions must alternate")
errUnsortedRange = errors.New("range events must be in strictly ascending order")
errNoIntroducedOrFixed = errors.New("introduced or fixed must be set")
errBothIntroducedAndFixed = errors.New("introduced and fixed cannot both be set in same event")
errInvalidSemver = errors.New("invalid or non-canonical semver version")
pkgsiteLinkRegex = regexp.MustCompile(`^https://pkg.go.dev/vuln/GO-\d{4}-\d{4,}$`)
)
func validate(e *osv.Entry, checkTimestamps bool) (err error) {
if checkTimestamps {
switch {
case e.Modified.IsZero():
return errNoModified
case e.Published.IsZero():
return errNoPublished
case e.Published.After(e.Modified.Time):
return fmt.Errorf("%w (published=%s, modified=%s)", errPublishedAfterModified, e.Published, e.Modified)
}
}
// Check for missing required fields.
switch {
case e.ID == "":
return errNoID
case e.SchemaVersion == "":
return errNoSchemaVersion
case e.Summary == "":
return errNoSummary
case e.Details == "" && !hasAdvisory(e):
return errNoDetails
case len(e.Affected) == 0:
return errNoAffected
case len(e.References) == 0:
return errNoReferences
case e.DatabaseSpecific == nil:
return errNoDatabaseSpecific
}
for _, a := range e.Affected {
if err := validateAffected(&a); err != nil {
return err
}
}
for _, alias := range e.Aliases {
if !ghsa.IsGHSA(alias) && !cveschema5.IsCVE(alias) {
return fmt.Errorf("%w (found alias %s)", errInvalidAlias, alias)
}
}
return validateDatabaseSpecific(e.DatabaseSpecific)
}
func hasAdvisory(entry *osv.Entry) bool {
for _, ref := range entry.References {
if ref.Type == osv.ReferenceTypeAdvisory {
return true
}
}
return false
}
func validateAffected(a *osv.Affected) error {
switch {
case a.Module.Path == "":
return errNoModule
case a.Module.Ecosystem != osv.GoEcosystem:
return errNotGoEcosystem
}
if err := ValidateRanges(a.Ranges); err != nil {
return err
}
return validateEcosystemSpecific(a.EcosystemSpecific, a.Module.Path)
}
func ValidateRanges(ranges []osv.Range) error {
switch {
case len(ranges) == 0:
return errNoRanges
case len(ranges) > 1:
return fmt.Errorf("%w (found %d ranges)", errTooManyRanges, len(ranges))
}
return validateRange(&ranges[0])
}
func validateRange(r *osv.Range) error {
switch {
case r.Type != osv.RangeTypeSemver:
return fmt.Errorf("%w (found range type %q)",
errRangeTypeNotSemver, r.Type)
case len(r.Events) == 0:
return errNoRangeEvents
}
// Check that all the events are valid and sorted in ascending order.
prev, err := parseRangeEvent(&r.Events[0])
if err != nil {
return err
}
for _, event := range r.Events[1:] {
current, err := parseRangeEvent(&event)
if err != nil {
return fmt.Errorf("invalid range event: %w", err)
}
// Introduced and fixed versions must alternate.
if current.introduced == prev.introduced {
return errOutOfOrderRange
}
if !less(prev.v, current.v) {
return fmt.Errorf("%w (found %s>=%s)", errUnsortedRange, prev.v, current.v)
}
prev = current
}
return nil
}
func less(v, w string) bool {
// Ensure that version 0 is always lowest.
if v == "0" {
return true
}
if w == "0" {
return false
}
return version.Before(v, w)
}
type event struct {
v string
introduced bool
}
func parseRangeEvent(e *osv.RangeEvent) (*event, error) {
introduced, fixed := e.Introduced, e.Fixed
var v string
var isIntroduced bool
switch {
case introduced == "" && fixed == "":
return nil, errNoIntroducedOrFixed
case introduced != "" && fixed != "":
return nil, errBothIntroducedAndFixed
case introduced == "0":
return &event{v: "0", introduced: true}, nil
case introduced != "":
v = introduced
isIntroduced = true
case fixed != "":
v = fixed
isIntroduced = false
}
if !version.IsValid(v) || v != version.Canonical(v) {
return nil, fmt.Errorf("%w (found %s)", errInvalidSemver, v)
}
return &event{v: v, introduced: isIntroduced}, nil
}
func validateEcosystemSpecific(es *osv.EcosystemSpecific, module string) error {
if es == nil {
return errNoEcosystemSpecific
}
for _, pkg := range es.Packages {
if pkg.Path == "" {
return errNoPackagePath
}
// Package path must be prefixed by module path unless it is
// in the Go standard library or toolchain.
if (module != osv.GoStdModulePath && module != osv.GoCmdModulePath) &&
!strings.HasPrefix(pkg.Path, module) {
return fmt.Errorf("%w (found module=%q, package=%q)", errInvalidPackagePath, module, pkg.Path)
}
}
return nil
}
func validateDatabaseSpecific(d *osv.DatabaseSpecific) error {
if !pkgsiteLinkRegex.MatchString(d.URL) {
return fmt.Errorf("%w (found URL %q)", errInvalidPkgsiteURL, d.URL)
}
return nil
}