blob: 53198853f205d73ee8dbf4f95a025d0a80c25ce3 [file] [log] [blame]
// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Command vulnreport provides a tool for creating a YAML vulnerability report for
// x/vulndb.
package main
import (
"context"
"errors"
"flag"
"fmt"
"io"
"log"
"os"
"path/filepath"
"regexp"
"runtime"
"runtime/pprof"
"strconv"
"strings"
"sync"
"time"
"github.com/go-git/go-git/v5"
"github.com/google/go-cmp/cmp"
"golang.org/x/exp/constraints"
"golang.org/x/exp/maps"
"golang.org/x/exp/slices"
"golang.org/x/vulndb/internal/cvelistrepo"
"golang.org/x/vulndb/internal/cveschema5"
"golang.org/x/vulndb/internal/database"
"golang.org/x/vulndb/internal/derrors"
"golang.org/x/vulndb/internal/genericosv"
"golang.org/x/vulndb/internal/ghsa"
"golang.org/x/vulndb/internal/gitrepo"
"golang.org/x/vulndb/internal/issues"
"golang.org/x/vulndb/internal/osv"
"golang.org/x/vulndb/internal/osvutils"
"golang.org/x/vulndb/internal/proxy"
"golang.org/x/vulndb/internal/report"
"golang.org/x/vulndb/internal/symbols"
)
var (
localRepoPath = flag.String("local-cve-repo", "", "path to local repo, instead of cloning remote")
issueRepo = flag.String("issue-repo", "github.com/golang/vulndb", "repo to create issues in")
githubToken = flag.String("ghtoken", "", "GitHub access token (default: value of VULN_GITHUB_ACCESS_TOKEN)")
skipSymbols = flag.Bool("skip-symbols", false, "for lint and fix, don't load package for symbols checks")
skipAlias = flag.Bool("skip-alias", false, "for fix, skip adding new GHSAs and CVEs")
graphQL = flag.Bool("graphql", false, "for create, fetch GHSAs from the Github GraphQL API instead of the OSV database")
preferCVE = flag.Bool("cve", false, "for create, prefer CVEs over GHSAs as canonical source")
updateIssue = flag.Bool("up", false, "for commit, create a CL that updates (doesn't fix) the tracking bug")
closedOk = flag.Bool("closed-ok", false, "for create & create-excluded, allow closed issues to be created")
cpuprofile = flag.String("cpuprofile", "", "write cpuprofile to file")
quiet = flag.Bool("q", false, "quiet mode (suppress info logs)")
force = flag.Bool("f", false, "for fix, force Fix to run even if there are no lint errors")
)
var (
infolog *log.Logger
outlog *log.Logger
warnlog *log.Logger
errlog *log.Logger
)
func init() {
infolog = log.New(os.Stdout, "info: ", 0)
outlog = log.New(os.Stdout, "", 0)
warnlog = log.New(os.Stderr, "WARNING: ", 0)
errlog = log.New(os.Stderr, "ERROR: ", 0)
}
func main() {
ctx := context.Background()
flag.Usage = func() {
fmt.Fprintf(flag.CommandLine.Output(), "usage: vulnreport [cmd] [filename.yaml]\n")
fmt.Fprintf(flag.CommandLine.Output(), " create [githubIssueNumber]: creates a new vulnerability YAML report\n")
fmt.Fprintf(flag.CommandLine.Output(), " create-excluded: creates and commits all open github issues marked as excluded\n")
fmt.Fprintf(flag.CommandLine.Output(), " lint filename.yaml ...: lints vulnerability YAML reports\n")
fmt.Fprintf(flag.CommandLine.Output(), " cve filename.yaml ...: creates and saves CVE 5.0 record from the provided YAML reports\n")
fmt.Fprintf(flag.CommandLine.Output(), " fix filename.yaml ...: fixes and reformats YAML reports\n")
fmt.Fprintf(flag.CommandLine.Output(), " osv filename.yaml ...: converts YAML reports to OSV JSON and writes to data/osv\n")
fmt.Fprintf(flag.CommandLine.Output(), " set-dates filename.yaml ...: sets PublishDate of YAML reports\n")
fmt.Fprintf(flag.CommandLine.Output(), " suggest filename.yaml ...: (EXPERIMENTAL) use AI to suggest summary and description for YAML reports\n")
fmt.Fprintf(flag.CommandLine.Output(), " commit filename.yaml ...: creates new commits for YAML reports\n")
fmt.Fprintf(flag.CommandLine.Output(), " xref filename.yaml ...: prints cross references for YAML reports\n")
flag.PrintDefaults()
}
flag.Parse()
if flag.NArg() < 1 {
flag.Usage()
log.Fatal("subcommand required")
}
if *githubToken == "" {
*githubToken = os.Getenv("VULN_GITHUB_ACCESS_TOKEN")
}
if *quiet {
infolog = log.New(io.Discard, "", 0)
}
var (
args []string
cmd = flag.Arg(0)
)
if cmd != "create-excluded" {
if flag.NArg() < 2 {
flag.Usage()
log.Fatal("not enough arguments")
}
args = flag.Args()[1:]
}
// Start CPU profiler.
if *cpuprofile != "" {
f, err := os.Create(*cpuprofile)
if err != nil {
log.Fatal(err)
}
_ = pprof.StartCPUProfile(f)
defer pprof.StopCPUProfile()
}
// setupCreate clones the CVEList repo and can be very slow,
// so commands that require this functionality are separated from other
// commands.
if cmd == "create-excluded" || cmd == "create" {
githubIDs, cfg, err := setupCreate(ctx, args)
if err != nil {
log.Fatal(err)
}
switch cmd {
case "create-excluded":
if err = createExcluded(ctx, cfg); err != nil {
log.Fatal(err)
}
case "create":
// Unlike commands below, create operates on github issue IDs
// instead of filenames.
for _, githubID := range githubIDs {
if err := create(ctx, githubID, cfg); err != nil {
errlog.Println(err)
}
}
}
return
}
ghsaClient := ghsa.NewClient(ctx, *githubToken)
pc := proxy.NewDefaultClient()
var cmdFunc func(context.Context, string) error
switch cmd {
case "lint":
cmdFunc = func(ctx context.Context, name string) error { return lint(ctx, name, pc) }
case "suggest":
cmdFunc = func(ctx context.Context, name string) error { return suggest(ctx, name) }
case "commit":
cmdFunc = func(ctx context.Context, name string) error { return commit(ctx, name, ghsaClient, pc, *force) }
case "cve":
cmdFunc = func(ctx context.Context, name string) error { return cveCmd(ctx, name) }
case "fix":
cmdFunc = func(ctx context.Context, name string) error { return fix(ctx, name, ghsaClient, pc, *force) }
case "osv":
cmdFunc = func(ctx context.Context, name string) error { return osvCmd(ctx, name, pc) }
case "set-dates":
repo, err := gitrepo.Open(ctx, ".")
if err != nil {
log.Fatal(err)
}
commitDates, err := gitrepo.AllCommitDates(repo, gitrepo.MainReference, report.YAMLDir)
if err != nil {
log.Fatal(err)
}
cmdFunc = func(ctx context.Context, name string) error { return setDates(ctx, name, commitDates) }
case "xref":
repo, err := gitrepo.Open(ctx, ".")
if err != nil {
log.Fatal(err)
}
_, existingByFile, err := report.All(repo)
if err != nil {
log.Fatal(err)
}
cmdFunc = func(ctx context.Context, name string) error {
r, err := report.Read(name)
if err != nil {
return err
}
outlog.Println(name)
outlog.Println(xref(name, r, existingByFile))
return nil
}
default:
flag.Usage()
log.Fatalf("unsupported command: %q", cmd)
}
// Run the command on each argument.
for _, arg := range args {
arg, err := argToFilename(arg)
if err != nil {
errlog.Println(err)
continue
}
if err := cmdFunc(ctx, arg); err != nil {
errlog.Println(err)
}
}
}
func argToFilename(arg string) (string, error) {
if _, err := os.Stat(arg); err != nil {
// If arg isn't a file, see if it might be an issue ID
// with an existing report.
for _, padding := range []string{"", "0", "00", "000"} {
m, _ := filepath.Glob("data/*/GO-*-" + padding + arg + ".yaml")
if len(m) == 1 {
return m[0], nil
}
}
return "", fmt.Errorf("%s is not a valid filename or issue ID with existing report: %w", arg, err)
}
return arg, nil
}
func parseArgsToGithubIDs(args []string, existingByIssue map[int]*report.Report) ([]int, error) {
var githubIDs []int
parseGithubID := func(s string) (int, error) {
id, err := strconv.Atoi(s)
if err != nil {
return 0, fmt.Errorf("invalid GitHub issue ID: %q", s)
}
return id, nil
}
for _, arg := range args {
if !strings.Contains(arg, "-") {
id, err := parseGithubID(arg)
if err != nil {
return nil, err
}
githubIDs = append(githubIDs, id)
continue
}
from, to, _ := strings.Cut(arg, "-")
fromID, err := parseGithubID(from)
if err != nil {
return nil, err
}
toID, err := parseGithubID(to)
if err != nil {
return nil, err
}
if fromID > toID {
return nil, fmt.Errorf("%v > %v", fromID, toID)
}
for id := fromID; id <= toID; id++ {
if existingByIssue[id] != nil {
continue
}
githubIDs = append(githubIDs, id)
}
}
return githubIDs, nil
}
type createCfg struct {
ghsaClient *ghsa.Client
issuesClient *issues.Client
proxyClient *proxy.Client
existingByFile map[string]*report.Report
existingByIssue map[int]*report.Report
allowClosed bool
}
var (
once sync.Once
cveRepo *git.Repository
)
func loadCVERepo(ctx context.Context) *git.Repository {
// Loading the CVE git repo takes a while, so do it on demand only.
once.Do(func() {
infolog.Println("cloning CVE repo (this takes a while)")
repoPath := cvelistrepo.URL
if *localRepoPath != "" {
repoPath = *localRepoPath
}
var err error
cveRepo, err = gitrepo.CloneOrOpen(ctx, repoPath)
if err != nil {
log.Fatal(err)
}
})
return cveRepo
}
func setupCreate(ctx context.Context, args []string) ([]int, *createCfg, error) {
if *githubToken == "" {
return nil, nil, fmt.Errorf("githubToken must be provided")
}
localRepo, err := gitrepo.Open(ctx, ".")
if err != nil {
return nil, nil, err
}
existingByIssue, existingByFile, err := report.All(localRepo)
if err != nil {
return nil, nil, err
}
githubIDs, err := parseArgsToGithubIDs(args, existingByIssue)
if err != nil {
return nil, nil, err
}
owner, repoName, err := gitrepo.ParseGitHubRepo(*issueRepo)
if err != nil {
return nil, nil, err
}
return githubIDs, &createCfg{
issuesClient: issues.NewClient(ctx, &issues.Config{Owner: owner, Repo: repoName, Token: *githubToken}),
ghsaClient: ghsa.NewClient(ctx, *githubToken),
proxyClient: proxy.NewDefaultClient(),
existingByFile: existingByFile,
existingByIssue: existingByIssue,
allowClosed: *closedOk,
}, nil
}
func createReport(ctx context.Context, cfg *createCfg, iss *issues.Issue) (r *report.Report, err error) {
defer derrors.Wrap(&err, "createReport(%d)", iss.Number)
parsed, err := parseGithubIssue(iss, cfg.proxyClient, cfg.allowClosed)
if err != nil {
return nil, err
}
aliases := allAliases(ctx, parsed.aliases, cfg.ghsaClient)
if alias, ok := pickBestAlias(aliases, *preferCVE); ok {
infolog.Printf("creating report %s based on %s (picked from [%s])", parsed.id, alias, strings.Join(aliases, ", "))
r, err = reportFromAlias(ctx, parsed.id, parsed.modulePath, alias, cfg)
if err != nil {
return nil, err
}
} else {
infolog.Printf("no alias found, creating empty report %s", parsed.id)
r = &report.Report{ID: parsed.id}
}
if parsed.excluded != "" {
r = &report.Report{
ID: parsed.id,
Modules: []*report.Module{
{
Module: parsed.modulePath,
},
},
Excluded: parsed.excluded,
CVEs: r.CVEs,
GHSAs: r.GHSAs,
}
}
// Ensure all source aliases are added to the report.
r.AddAliases(aliases)
// Find any additional aliases referenced by the source aliases.
addMissingAliases(ctx, r, cfg.ghsaClient)
addTODOs(r)
return r, nil
}
func create(ctx context.Context, issueNumber int, cfg *createCfg) (err error) {
defer derrors.Wrap(&err, "create(%d)", issueNumber)
// Get GitHub issue.
iss, err := cfg.issuesClient.Issue(ctx, issueNumber)
if err != nil {
return err
}
r, err := createReport(ctx, cfg, iss)
if err != nil {
return err
}
filename, err := writeReport(r)
if err != nil {
return err
}
outlog.Println(filename)
infolog.Print(xref(filename, r, cfg.existingByFile))
return nil
}
func writeReport(r *report.Report) (string, error) {
filename, err := r.YAMLFilename()
if err != nil {
return "", err
}
if err := r.Write(filename); err != nil {
return "", err
}
return filename, nil
}
func createExcluded(ctx context.Context, cfg *createCfg) (err error) {
defer derrors.Wrap(&err, "createExcluded()")
isses := []*issues.Issue{}
stateOption := "open"
if cfg.allowClosed {
stateOption = "all"
}
for _, er := range report.ExcludedReasons {
label := er.ToLabel()
tempIssues, err :=
cfg.issuesClient.Issues(ctx, issues.IssuesOptions{Labels: []string{label}, State: stateOption})
if err != nil {
return err
}
infolog.Printf("found %d issues with label %s\n", len(tempIssues), label)
isses = append(isses, tempIssues...)
}
var created []string
for _, iss := range isses {
// Don't create a report for an issue that already has a report.
if _, ok := cfg.existingByIssue[iss.Number]; ok {
infolog.Printf("skipped issue %d which already has a report\n", iss.Number)
continue
}
r, err := createReport(ctx, cfg, iss)
if err != nil {
errlog.Printf("skipped issue %d: %v\n", iss.Number, err)
continue
}
filename, err := writeReport(r)
if err != nil {
return err
}
created = append(created, filename)
}
skipped := len(isses) - len(created)
if skipped > 0 {
infolog.Printf("skipped %d issue(s)\n", skipped)
}
if len(created) == 0 {
infolog.Printf("no files to commit, exiting")
return nil
}
msg, err := excludedCommitMsg(created)
if err != nil {
return err
}
if err := gitAdd(created...); err != nil {
return err
}
return gitCommit(msg, created...)
}
func excludedCommitMsg(fs []string) (string, error) {
var issNums []string
for _, f := range fs {
_, _, iss, err := report.ParseFilepath(f)
if err != nil {
return "", err
}
issNums = append(issNums, fmt.Sprintf("Fixes golang/vulndb#%d", iss))
}
return fmt.Sprintf(
`%s: batch add %d excluded reports
Adds excluded reports:
- %s
%s`,
report.ExcludedDir,
len(fs),
strings.Join(fs, "\n\t- "),
strings.Join(issNums, "\n")), nil
}
// pickBestAlias returns the "best" alias in the list.
// By default, it prefers the first GHSA in the list, followed by the first CVE in the list
// (if no GHSA is present).
// If "preferCVE" is true, it prefers CVEs instead.
// If no GHSAs or CVEs are present, it returns ("", false).
func pickBestAlias(aliases []string, preferCVE bool) (_ string, ok bool) {
firstChoice := ghsa.IsGHSA
secondChoice := cveschema5.IsCVE
if preferCVE {
firstChoice, secondChoice = secondChoice, firstChoice
}
for _, alias := range aliases {
if firstChoice(alias) {
return alias, true
}
}
for _, alias := range aliases {
if secondChoice(alias) {
return alias, true
}
}
return "", false
}
// reportFromBestAlias returns a new report created from the "best" alias in the list.
// For now, it prefers the first GHSA in the list, followed by the first CVE in the list
// (if no GHSA is present). If no GHSAs or CVEs are present, it returns a new empty Report.
func reportFromAlias(ctx context.Context, id, modulePath, alias string, cfg *createCfg) (*report.Report, error) {
var r *report.Report
switch {
case ghsa.IsGHSA(alias) && *graphQL:
ghsa, err := cfg.ghsaClient.FetchGHSA(ctx, alias)
if err != nil {
return nil, err
}
r = report.GHSAToReport(ghsa, modulePath, cfg.proxyClient)
case ghsa.IsGHSA(alias):
ghsa, err := genericosv.Fetch(alias)
if err != nil {
return nil, err
}
r = ghsa.ToReport(id, cfg.proxyClient)
case cveschema5.IsCVE(alias):
cve, err := cvelistrepo.FetchCVE(ctx, loadCVERepo(ctx), alias)
if err != nil {
return nil, err
}
r = report.CVEToReport(cve, modulePath, cfg.proxyClient)
default:
r = &report.Report{}
}
r.ID = id
return r, nil
}
type parsedIssue struct {
id string
modulePath string
aliases []string
excluded report.ExcludedReason
}
func parseGithubIssue(iss *issues.Issue, pc *proxy.Client, allowClosed bool) (*parsedIssue, error) {
parsed := &parsedIssue{
id: iss.NewGoID(),
}
if !allowClosed && iss.State == "closed" {
return nil, errors.New("issue is closed")
}
// Parse labels for excluded and duplicate issues.
for _, label := range iss.Labels {
if reason, ok := report.FromLabel(label); ok {
if parsed.excluded == "" {
parsed.excluded = reason
} else {
return nil, fmt.Errorf("issue has multiple excluded reasons")
}
}
if label == "duplicate" {
return nil, fmt.Errorf("duplicate issue")
}
}
// Parse elements from GitHub issue title.
parts := strings.Fields(iss.Title)
for _, p := range parts {
switch {
case p == "x/vulndb:":
continue
case strings.HasSuffix(p, ":"):
// Remove backslashes.
parsed.modulePath = strings.ReplaceAll(strings.TrimSuffix(p, ":"), "\"", "")
// Find the underlying module if this is a package path.
if module, err := pc.FindModule(parsed.modulePath); err == nil { // no error
parsed.modulePath = module
}
case cveschema5.IsCVE(p) || ghsa.IsGHSA(p):
parsed.aliases = append(parsed.aliases, strings.TrimSuffix(p, ","))
}
}
if len(parsed.aliases) == 0 {
return nil, fmt.Errorf("%q has no CVE or GHSA IDs", iss.Title)
}
return parsed, nil
}
// xref returns cross-references for a report: Information about other reports
// for the same CVE, GHSA, or module.
func xref(rname string, r *report.Report, existingByFile map[string]*report.Report) string {
out := &strings.Builder{}
matches := report.XRef(r, existingByFile)
delete(matches, rname)
// This sorts as CVEs, GHSAs, and then modules.
for _, fname := range sorted(maps.Keys(matches)) {
for _, id := range sorted(matches[fname]) {
fmt.Fprintf(out, "%v appears in %v", id, fname)
e := existingByFile[fname].Excluded
if e != "" {
fmt.Fprintf(out, " %v", e)
}
fmt.Fprintf(out, "\n")
}
}
return out.String()
}
func sorted[E constraints.Ordered](s []E) []E {
s = slices.Clone(s)
slices.Sort(s)
return s
}
const todo = "TODO: "
// addTODOs adds "TODO" comments to unfilled fields of r.
func addTODOs(r *report.Report) {
if r.Excluded != "" {
return
}
if len(r.Modules) == 0 {
r.Modules = append(r.Modules, &report.Module{
Packages: []*report.Package{{}},
})
}
for _, m := range r.Modules {
if m.Module == "" {
m.Module = todo + "affected module path"
}
if len(m.Versions) == 0 {
m.Versions = []report.VersionRange{{
Introduced: todo + "introduced version (blank if unknown)",
Fixed: todo + "fixed version",
}}
}
if m.VulnerableAt == "" {
m.VulnerableAt = todo + "a version at which the package is vulnerable"
}
if len(m.Packages) == 0 {
m.Packages = []*report.Package{
{
Package: todo + "affected package path(s) - blank if all",
},
}
}
for _, p := range m.Packages {
if p.Package == "" {
p.Package = todo + "affected package path"
}
if len(p.Symbols) == 0 {
p.Symbols = []string{todo + "affected symbol(s) - blank if all"}
}
}
}
if r.Summary == "" {
r.Summary = todo + "short (one phrase) summary of the form '<Problem> in <module>(s)'"
}
if r.Description == "" {
r.Description = todo + "description of the vulnerability"
}
if len(r.Credits) == 0 {
r.Credits = []string{todo + "who discovered/reported this vulnerability (optional)"}
}
if len(r.CVEs) == 0 {
r.CVEs = []string{todo + "CVE id(s) for this vulnerability"}
}
addReferenceTODOs(r)
}
// hasUnaddressedTodos returns true if report has any unaddressed todos in the
// report, i.e. starts with "TODO:".
func hasUnaddressedTodos(r *report.Report) bool {
is := func(s string) bool { return strings.HasPrefix(s, "TODO:") }
any := func(ss []string) bool { return slices.IndexFunc(ss, is) >= 0 }
if is(string(r.Excluded)) {
return true
}
for _, m := range r.Modules {
if is(m.Module) {
return true
}
for _, v := range m.Versions {
if is(string(v.Introduced)) {
return true
}
if is(string(v.Fixed)) {
return true
}
}
if is(string(m.VulnerableAt)) {
return true
}
for _, p := range m.Packages {
if is(p.Package) || is(p.SkipFix) || any(p.Symbols) || any(p.DerivedSymbols) {
return true
}
}
}
for _, ref := range r.References {
if is(ref.URL) {
return true
}
}
if any(r.CVEs) || any(r.GHSAs) {
return true
}
return is(r.Summary.String()) || is(r.Description.String()) || any(r.Credits)
}
// addReferenceTODOs adds a TODO for each important reference type not
// already present in the report.
func addReferenceTODOs(r *report.Report) {
todos := []*report.Reference{
{Type: osv.ReferenceTypeAdvisory, URL: "TODO: canonical security advisory"},
{Type: osv.ReferenceTypeReport, URL: "TODO: issue tracker link"},
{Type: osv.ReferenceTypeFix, URL: "TODO: PR or commit (commit preferred)"}}
types := make(map[osv.ReferenceType]bool)
for _, r := range r.References {
types[r.Type] = true
}
for _, todo := range todos {
if !types[todo.Type] {
r.References = append(r.References, todo)
}
}
}
func lint(_ context.Context, filename string, pc *proxy.Client) (err error) {
defer derrors.Wrap(&err, "lint(%q)", filename)
infolog.Printf("lint %s\n", filename)
_, err = report.ReadAndLint(filename, pc)
return err
}
func fix(ctx context.Context, filename string, ghsaClient *ghsa.Client, pc *proxy.Client, force bool) (err error) {
defer derrors.Wrap(&err, "fix(%q)", filename)
infolog.Printf("fix %s\n", filename)
r, err := report.Read(filename)
if err != nil {
return err
}
if err := r.CheckFilename(filename); err != nil {
return err
}
// We may make partial progress on fixing a report, so write the
// report even if a fatal error occurs somewhere.
defer func() {
if err := r.Write(filename); err != nil {
errlog.Println(err)
}
}()
if lints := r.Lint(pc); force || len(lints) > 0 {
r.Fix(pc)
}
if lints := r.Lint(pc); len(lints) > 0 {
warnlog.Printf("%s still has lint errors after fix:\n\t- %s", filename, strings.Join(lints, "\n\t- "))
}
if !*skipSymbols {
infolog.Printf("%s: checking packages and symbols (use -skip-symbols to skip this)", r.ID)
if err := checkReportSymbols(r); err != nil {
return err
}
}
if !*skipAlias {
infolog.Printf("%s: checking for missing GHSAs and CVEs (use -skip-alias to skip this)", r.ID)
if added := addMissingAliases(ctx, r, ghsaClient); added > 0 {
infolog.Printf("%s: added %d missing aliases", r.ID, added)
}
}
if !r.IsExcluded() {
if err := writeOSV(r); err != nil {
return err
}
}
if r.CVEMetadata != nil {
if err := writeCVE(r); err != nil {
return err
}
}
return nil
}
func checkReportSymbols(r *report.Report) error {
if r.IsExcluded() {
infolog.Printf("%s is excluded, skipping symbol checks\n", r.ID)
return nil
}
for _, m := range r.Modules {
if m.IsFirstParty() {
gover := runtime.Version()
ver := semverForGoVersion(gover)
// If some symbol is in the std library at a different version,
// we may derive the wrong symbols for this package and other.
// In this case, skip updating DerivedSymbols.
affected, err := osvutils.AffectsSemver(report.AffectedRanges(m.Versions), ver)
if err != nil {
return err
}
if ver == "" || !affected {
warnlog.Printf("%s: current Go version %q is not in a vulnerable range, skipping symbol checks for module %s\n", r.ID, gover, m.Module)
continue
}
if ver != m.VulnerableAt {
warnlog.Printf("%s: current Go version %q does not match vulnerable_at version (%s) for module %s\n", r.ID, ver, m.VulnerableAt, m.Module)
}
}
for _, p := range m.Packages {
if p.SkipFix != "" {
infolog.Printf("%s: skipping symbol checks for package %s (reason: %q)\n", r.ID, p.Package, p.SkipFix)
continue
}
syms, err := symbols.Exported(m, p, errlog)
if err != nil {
return fmt.Errorf("package %s: %w", p.Package, err)
}
if !cmp.Equal(syms, p.DerivedSymbols) {
p.DerivedSymbols = syms
infolog.Printf("%s: updated derived symbols for package %s\n", r.ID, p.Package)
}
}
}
return nil
}
func osvCmd(_ context.Context, filename string, pc *proxy.Client) (err error) {
defer derrors.Wrap(&err, "osv(%q)", filename)
r, err := report.ReadAndLint(filename, pc)
if err != nil {
return err
}
if !r.IsExcluded() {
if err := writeOSV(r); err != nil {
return err
}
outlog.Println(r.OSVFilename())
}
return nil
}
func writeOSV(r *report.Report) error {
return database.WriteJSON(r.OSVFilename(), r.ToOSV(time.Time{}), true)
}
func cveCmd(_ context.Context, filename string) (err error) {
defer derrors.Wrap(&err, "cve(%q)", filename)
r, err := report.Read(filename)
if err != nil {
return err
}
if r.CVEMetadata != nil {
if err := writeCVE(r); err != nil {
return err
}
outlog.Println(r.CVEFilename())
}
return nil
}
// writeCVE converts a report to JSON CVE5 record and writes it to
// data/cve/v5.
func writeCVE(r *report.Report) error {
cve, err := r.ToCVE5()
if err != nil {
return err
}
return database.WriteJSON(r.CVEFilename(), cve, true)
}
func commit(ctx context.Context, filename string, ghsaClient *ghsa.Client, pc *proxy.Client, force bool) (err error) {
defer derrors.Wrap(&err, "commit(%q)", filename)
// Clean up the report file and lint the result.
// Stop if there any problems.
if err := fix(ctx, filename, ghsaClient, pc, force); err != nil {
return err
}
r, err := report.ReadAndLint(filename, pc)
if err != nil {
return err
}
if hasUnaddressedTodos(r) {
// Check after fix() as it can add new TODOs.
return fmt.Errorf("file %q has unaddressed %q fields", filename, "TODO:")
}
// Find all derived files (OSV and CVE).
files := []string{filename}
if r.Excluded == "" {
files = append(files, r.OSVFilename())
}
if r.CVEMetadata != nil {
files = append(files, r.CVEFilename())
}
// Add the files to git.
if err := gitAdd(files...); err != nil {
return err
}
// Commit the files, allowing the user to edit the default commit message.
msg, err := newCommitMsg(r)
if err != nil {
return err
}
return gitCommit(msg, files...)
}
func newCommitMsg(r *report.Report) (string, error) {
f, err := r.YAMLFilename()
if err != nil {
return "", err
}
folder, filename, issueID, err := report.ParseFilepath(f)
if err != nil {
return "", err
}
issueAction := "Fixes"
fileAction := "add"
if *updateIssue {
fileAction = "update"
issueAction = "Updates"
}
// For now, we need to manually publish the CVE record so the issue
// should not be auto-closed on add.
if r.CVEMetadata != nil {
issueAction = "Updates"
}
return fmt.Sprintf(
"%s: %s %s\n\nAliases: %s\n\n%s golang/vulndb#%d",
folder, fileAction, filename, strings.Join(r.Aliases(), ", "),
issueAction, issueID), nil
}
// Regexp for matching go tags. The groups are:
// 1 the major.minor version
// 2 the patch version, or empty if none
// 3 the entire prerelease, if present
// 4 the prerelease type ("beta" or "rc")
// 5 the prerelease number
var tagRegexp = regexp.MustCompile(`^go(\d+\.\d+)(\.\d+|)((beta|rc)(\d+))?$`)
// versionForTag returns the semantic version for a Go version string,
// or "" if the version string doesn't correspond to a Go release or beta.
func semverForGoVersion(v string) string {
m := tagRegexp.FindStringSubmatch(v)
if m == nil {
return ""
}
version := m[1]
if m[2] != "" {
version += m[2]
} else {
version += ".0"
}
if m[3] != "" {
version += "-" + m[4] + "." + m[5]
}
return version
}
// setDates sets the PublishedDate of the report at filename to the oldest
// commit date in the repo that contains that file. (It may someday also set a
// last-modified date, hence the plural.) Since it looks at the commits from
// origin/master, it will only work for reports that are already submitted. Thus
// it isn't useful to run when you're working on a report, only at a later time.
//
// It isn't crucial to run this for every report, because the same logic exists
// in gendb, ensuring that every report has a PublishedDate before being
// transformed into a DB entry. The advantage of using this command is that
// the dates become permanent (if you create and submit a CL after running it).
//
// This intentionally does not set the LastModified of the report: While the
// publication date of a report may be expected not to change, the modification
// date can. Always using the git history as the source of truth for the
// last-modified date avoids confusion if the report YAML and the git history
// disagree.
func setDates(_ context.Context, filename string, dates map[string]gitrepo.Dates) (err error) {
defer derrors.Wrap(&err, "setDates(%q)", filename)
r, err := report.Read(filename)
if err != nil {
return err
}
if !r.Published.IsZero() {
return nil
}
d, ok := dates[filename]
if !ok {
return fmt.Errorf("can't find git repo commit dates for %q", filename)
}
r.Published = d.Oldest
return r.Write(filename)
}