internal/cveutils/pkgsite.go - vulndb - Git at Google

 // Copyright 2023 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

 package cveutils

 import (
 	"context"
 	"net/http"
 	"net/http/httptest"
 	"strconv"
 	"strings"
 	"testing"
 	"time"

 	"golang.org/x/time/rate"
 	"golang.org/x/vulndb/internal/worker/log"
 )

 // Limit pkgsite requests to this many per second.
 const pkgsiteQPS = 5

 var (
 	// The limiter used to throttle pkgsite requests.
 	// The second argument to rate.NewLimiter is the burst, which
 	// basically lets you exceed the rate briefly.
 	pkgsiteRateLimiter = rate.NewLimiter(rate.Every(time.Duration(1000/float64(pkgsiteQPS))*time.Millisecond), 3)

 	// Cache of module paths already seen.
 	seenModulePath = map[string]bool{}
 	// Does seenModulePath contain all known modules?
 	cacheComplete = false
 )

 // SetKnownModules provides a list of all known modules,
 // so that no requests need to be made to pkg.go.dev.
 func SetKnownModules(mods []string) {
 	for _, m := range mods {
 		seenModulePath[m] = true
 	}
 	cacheComplete = true
 }

 var pkgsiteURL = "https://pkg.go.dev"

 // knownToPkgsite reports whether pkgsite knows that modulePath actually refers
 // to a module.
 func knownToPkgsite(ctx context.Context, baseURL, modulePath string) (bool, error) {
 	// If we've seen it before, no need to call.
 	if b, ok := seenModulePath[modulePath]; ok {
 		return b, nil
 	}
 	if cacheComplete {
 		return false, nil
 	}
 	// Pause to maintain a max QPS.
 	if err := pkgsiteRateLimiter.Wait(ctx); err != nil {
 		return false, err
 	}
 	start := time.Now()

 	url := baseURL + "/mod/" + modulePath
 	res, err := http.Head(url)
 	var status string
 	if err == nil {
 		status = strconv.Quote(res.Status)
 	}
 	log.With(
 		"latency", time.Since(start),
 		"status", status,
 		"error", err,
 	).Debugf(ctx, "checked if %s is known to pkgsite at HEAD", url)
 	if err != nil {
 		return false, err
 	}
 	known := res.StatusCode == http.StatusOK
 	seenModulePath[modulePath] = known
 	return known, nil
 }

 // GetPkgsiteURL returns a URL to either a fake server or the real pkg.go.dev,
 // depending on the useRealPkgsite value.
 //
 // For testing.
 func GetPkgsiteURL(t *testing.T, useRealPkgsite bool) string {
 	if useRealPkgsite {
 		return pkgsiteURL
 	}
 	// Start a test server that recognizes anything from golang.org and bitbucket.org/foo/bar/baz.
 	s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		modulePath := strings.TrimPrefix(r.URL.Path, "/mod/")
 		if !strings.HasPrefix(modulePath, "golang.org/") &&
 			!strings.HasPrefix(modulePath, "bitbucket.org/foo/bar/baz") {
 			http.Error(w, "unknown", http.StatusNotFound)
 		}
 	}))
 	t.Cleanup(s.Close)
 	return s.URL
 }
	// Copyright 2023 The Go Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style
	// license that can be found in the LICENSE file.

	package cveutils

	import (
	"context"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"testing"
	"time"

	"golang.org/x/time/rate"
	"golang.org/x/vulndb/internal/worker/log"
	)

	// Limit pkgsite requests to this many per second.
	const pkgsiteQPS = 5

	var (
	// The limiter used to throttle pkgsite requests.
	// The second argument to rate.NewLimiter is the burst, which
	// basically lets you exceed the rate briefly.
	pkgsiteRateLimiter = rate.NewLimiter(rate.Every(time.Duration(1000/float64(pkgsiteQPS))*time.Millisecond), 3)

	// Cache of module paths already seen.
	seenModulePath = map[string]bool{}
	// Does seenModulePath contain all known modules?
	cacheComplete = false
	)

	// SetKnownModules provides a list of all known modules,
	// so that no requests need to be made to pkg.go.dev.
	func SetKnownModules(mods []string) {
	for _, m := range mods {
	seenModulePath[m] = true
	}
	cacheComplete = true
	}

	var pkgsiteURL = "https://pkg.go.dev"

	// knownToPkgsite reports whether pkgsite knows that modulePath actually refers
	// to a module.
	func knownToPkgsite(ctx context.Context, baseURL, modulePath string) (bool, error) {
	// If we've seen it before, no need to call.
	if b, ok := seenModulePath[modulePath]; ok {
	return b, nil
	}
	if cacheComplete {
	return false, nil
	}
	// Pause to maintain a max QPS.
	if err := pkgsiteRateLimiter.Wait(ctx); err != nil {
	return false, err
	}
	start := time.Now()

	url := baseURL + "/mod/" + modulePath
	res, err := http.Head(url)
	var status string
	if err == nil {
	status = strconv.Quote(res.Status)
	}
	log.With(
	"latency", time.Since(start),
	"status", status,
	"error", err,
	).Debugf(ctx, "checked if %s is known to pkgsite at HEAD", url)
	if err != nil {
	return false, err
	}
	known := res.StatusCode == http.StatusOK
	seenModulePath[modulePath] = known
	return known, nil
	}

	// GetPkgsiteURL returns a URL to either a fake server or the real pkg.go.dev,
	// depending on the useRealPkgsite value.
	//
	// For testing.
	func GetPkgsiteURL(t *testing.T, useRealPkgsite bool) string {
	if useRealPkgsite {
	return pkgsiteURL
	}
	// Start a test server that recognizes anything from golang.org and bitbucket.org/foo/bar/baz.
	s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	modulePath := strings.TrimPrefix(r.URL.Path, "/mod/")
	if !strings.HasPrefix(modulePath, "golang.org/") &&
	!strings.HasPrefix(modulePath, "bitbucket.org/foo/bar/baz") {
	http.Error(w, "unknown", http.StatusNotFound)
	}
	}))
	t.Cleanup(s.Close)
	return s.URL
	}