worker

worker is a binary that can act as both a CLI and a web server.

With no command-line arguments, it listens for HTTP traffic at the PORT environment variable. There is no reason to run the server locally (except debugging), so this document describes only the CLI.

The CLI can display Firestore database of CVE records, update the database from commits of the CVE repo github.com/CVEProject/cvelist, and file issues.

Setup

You will need a Google Cloud account and a project to run the worker. If you don't already have default credentials on your machine, set them up with

gcloud auth application-default login

To run most CLI commands you'll need a -project flag, to specify the GCP project where the Firestore DB resides. Since there is only one Firestore DB per project and we want multiple, independent DBs, we also require a string called the “namespace,” specified with -namespace.

update COMMIT

The update command takes a commit hash from the github.com/CVEProject/cvelist repo, and modifies the DB to match the commit, creating and modifying CVE records as needed. It does not file any issues; it only categorizes CVEs as needing issues, not requiring action, and so on.

The command

worker -project go-vuln -namespace test update HEAD

will clone the cvelist repo from github and update the test namespace with the most recent commit of the repo. It will contact pkg.go.dev to determine whether URLs are modules.

To update at a different commit, or just to avoid the clone, clone the repo locally and provide a path to it:

worker -project go-vuln -namespace test \
    -local-cve-repo ~/repos/github.com/CVEProject/cvelist \
    update cb2d8ae8ac0afed043d0fd99669e1aaac42e8b69

To avoid hitting pkg.go.dev, compile a file of known module paths, one per line, and pass it as well:

worker -project go-vuln -namespace test \
    -local-cve-repo ~/repos/github.com/CVEProject/cvelist \
    -known-module-file ~/module-paths.txt \
    update cb2d8ae8ac0afed043d0fd99669e1aaac42e8b69

If an update is interrupted or fails to complete, subsequent calls to worker update will fail. If you're sure there is no concurrent update in progress, it is safe to pass the -force flag to force the update.

list-cves

The command

worker -project go-vuln -namespace test list-cves NeedsIssue

will list all CVE records that need an issue. You can also use these other argument values (from internal/worker/store/store.go:TriageState):

  • IssueCreated
  • UpdatedSinceIssueCreation
  • HasVuln
  • FalsePositive

It's not recommended to pass the “NoActionNeeded” triage state, because the vast majority of records have this state and listing them takes a long time.

create-issues

To create issues from records that need them, use the create-issues subcommand and provide a repo and the path to a file that holds a GitHub access token. You can also limit the number of issues created.

worker -project go-vuln -namespace test \
    -issue-repo myorg/myrepo \
    -ghtokenfile ~/github-token \
    -limit 10 \
    create-issues

list-updates

This subcommand shows the update operations that have run, most to least recent.

show

Run show with a list of CVE IDs to display the corresponding CVE records.