Google Git
Sign in
go / vulndb / 81b4a2e11774a59ea994663024af51ad7574f67e
commit81b4a2e11774a59ea994663024af51ad7574f67e[log] [tgz]
authorJonathan Amsterdam <jba@google.com>Tue Dec 21 16:39:56 2021 -0500
committerJonathan Amsterdam <jba@google.com>Wed Dec 22 14:06:59 2021 +0000
tree756e057609c344b72bc8acfc4be479c1f72b8264
parenta16c2408ae12df6190509a33beecc866e608ac7e [diff]
internal/worker: combine structured and printf logging

Previously, the worker used structured logging almost completely:
anything that would have been a format string parameter was made a
label instead.

This led to a poor experience with the GCP logging UI.  You could see
the message of each log entry at a glance, but it took two clicks to
look at the labels. For example, when the worker created a GitHub
issue for a CVE, you'd see "created issue", but you wouldn't know the
CVE or number of the issue unless you opened the log entry.

This CL rethinks the log "frontend" -- the API that programmers
actually use to write log messages -- to allow a mix of labels
and printf-style formatting. The previous approach made it easy
to do one or the other, but not to mix both in a single log entry.
You could either write

   log.Info(message, labels...)

or

    log.Infof(format, args...)

but not both, since you can't have two "..." parameters in a function.
In this CL's design, one can write

    log.With(namesAndValues...).Infof(format, args...)

To further improve the ergonomics, the With function takes key-value
pairs rather than labels. Thus

    event.Int64("limit", int64(limit))

becomes

    log.With("limit", limit)

The performance is significantly worse, but for this server it
doesn't matter.

The CL also revisits each log message and makes a choice about whether
to display a value in the message, or to make a label out of it, or
both. As I said, putting the value in the message lets you see it at a
glance. The advantage of a label is you can easily query on it.

Most values only make sense as one or the other. For example, we'd
like to see the number of CVEs added during an update, but it doesn't
seem interesting to query the logs on that field. So that was put into
the message.

Change-Id: Iba2c70a14ea951c4d74335da6ac4e8265d652ded
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/373894
Trust: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Julie Qiu <julie@golang.org>
6 files changed
tree: 756e057609c344b72bc8acfc4be479c1f72b8264
  1. cmd/
  2. deploy/
  3. devtools/
  4. doc/
  5. internal/
  6. reports/
  7. terraform/
  8. .gitignore
  9. all_test.go
  10. AUTHORS
  11. checks.bash
  12. CONTRIBUTING.md
  13. CONTRIBUTORS
  14. go.mod
  15. go.sum
  16. LICENSE
  17. PATENTS
  18. README.md
  19. tools_test.go
README.md

The Go Vulnerability Database

This repository contains the reports for the Go Vulnerability Database.

If you are interested accessing data from the Go Vulnerability Database, see x/vuln for information. This repository is only used for adding new vulnerabilities.

Reporting a vulnerability

We are not accepting new vulnerability reports at this time. We will update this README.md once we are ready to receive reports.

License

Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Database entries are distributed under the terms of the CC-BY 4.0 license. See x/vuln for information on how to access these entries.