cmd/vulnreport/find_aliases.go - vulndb - Git at Google

 // Copyright 2023 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

 package main

 import (
 	"context"
 	"fmt"

 	"golang.org/x/exp/slices"
 	"golang.org/x/vulndb/cmd/vulnreport/log"
 	"golang.org/x/vulndb/internal/cve5"
 	"golang.org/x/vulndb/internal/genericosv"
 	"golang.org/x/vulndb/internal/ghsa"
 	"golang.org/x/vulndb/internal/idstr"
 	"golang.org/x/vulndb/internal/report"
 )

 type aliasFinder struct {
 	gc *ghsa.Client
 }

 func (af *aliasFinder) setup(ctx context.Context) error {
 	if *githubToken == "" {
 		return fmt.Errorf("githubToken must be provided")
 	}
 	af.gc = ghsa.NewClient(ctx, *githubToken)
 	return nil
 }

 // addMissingAliases uses the existing aliases in a report to find
 // any missing aliases, and adds them to the report.
 func (af *aliasFinder) addMissingAliases(ctx context.Context, r *report.Report) (added int) {
 	all := af.allAliases(ctx, r.Aliases())
 	// If we have manually marked an identifier as "related", but
 	// not actually an alias, don't override this decision.
 	if len(r.Related) > 0 {
 		all = removeRelated(all, r.Related)
 	}
 	return r.AddAliases(all)
 }

 func removeRelated(all, related []string) []string {
 	// This is an uncommon operation, operating on short string slices,
 	// so it doesn't need to be optimized.
 	return slices.DeleteFunc(all, func(s string) bool {
 		return slices.Contains(related, s)
 	})
 }

 // allAliases returns a list of all aliases associated with the given knownAliases,
 // (including the knownAliases themselves).
 func (a *aliasFinder) allAliases(ctx context.Context, knownAliases []string) []string {
 	aliasesFor := func(ctx context.Context, alias string) ([]string, error) {
 		switch {
 		case idstr.IsGHSA(alias):
 			return aliasesForGHSA(ctx, alias, a.gc)
 		case idstr.IsCVE(alias):
 			return aliasesForCVE(ctx, alias, a.gc)
 		default:
 			return nil, fmt.Errorf("unsupported alias %s", alias)
 		}
 	}
 	return aliasesBFS(ctx, knownAliases, aliasesFor)
 }

 func aliasesBFS(ctx context.Context, knownAliases []string,
 	aliasesFor func(ctx context.Context, alias string) ([]string, error)) (all []string) {
 	var queue []string
 	var seen = make(map[string]bool)
 	queue = append(queue, knownAliases...)

 	for len(queue) > 0 {
 		alias := queue[0]
 		queue = queue[1:]

 		if seen[alias] {
 			continue
 		}

 		seen[alias] = true
 		all = append(all, alias)
 		aliases, err := aliasesFor(ctx, alias)
 		if err != nil {
 			log.Err(err)
 			continue
 		}
 		queue = append(queue, aliases...)
 	}

 	slices.Sort(all)
 	return slices.Compact(all)
 }

 func aliasesForGHSA(ctx context.Context, alias string, gc *ghsa.Client) (aliases []string, err error) {
 	sa, err := gc.FetchGHSA(ctx, alias)
 	if err != nil {
 		return nil, fmt.Errorf("aliasesForGHSA(%s): could not fetch GHSA record from GraphQL API", alias)
 	}
 	for _, id := range sa.Identifiers {
 		if id.Type == "CVE" || id.Type == "GHSA" {
 			aliases = append(aliases, id.Value)
 		}
 	}
 	return aliases, nil
 }

 func aliasesForCVE(ctx context.Context, cve string, gc *ghsa.Client) (aliases []string, err error) {
 	sas, err := gc.ListForCVE(ctx, cve)
 	if err != nil {
 		return nil, fmt.Errorf("aliasesForCVE(%s): could not find GHSAs from GraphQL API", cve)
 	}
 	for _, sa := range sas {
 		aliases = append(aliases, sa.ID)
 	}
 	return aliases, nil
 }

 // sourceFromBestAlias returns a report source fetched from the "best" alias in the list.
 // By default, it prefers the first GHSA in the list, followed by the first CVE in the list
 // (if no GHSA is present).
 // If "preferCVE" is true, it prefers CVEs instead.
 func (af *aliasFinder) sourceFromBestAlias(ctx context.Context, aliases []string, preferCVE bool) (report.Source, bool) {
 	firstChoice := idstr.IsGHSA
 	secondChoice := idstr.IsCVE
 	if preferCVE {
 		firstChoice, secondChoice = secondChoice, firstChoice
 	}

 	find := func(f func(string) bool) (report.Source, bool) {
 		for _, alias := range aliases {
 			if f(alias) {
 				src, err := af.fetch(ctx, alias)
 				if err != nil {
 					continue
 				}
 				return src, true
 			}
 		}
 		return nil, false
 	}

 	if src, found := find(firstChoice); found {
 		return src, true
 	}

 	if src, found := find(secondChoice); found {
 		return src, true
 	}

 	return report.Original(), false
 }

 func (a *aliasFinder) fetch(ctx context.Context, alias string) (report.Source, error) {
 	var f report.Fetcher
 	switch {
 	case idstr.IsGHSA(alias):
 		if *graphQL {
 			f = a.gc
 		} else {
 			f = genericosv.NewFetcher()
 		}
 	case idstr.IsCVE(alias):
 		f = cve5.NewFetcher()
 	default:
 		return nil, fmt.Errorf("alias %s is not supported", alias)
 	}

 	return f.Fetch(ctx, alias)
 }
	// Copyright 2023 The Go Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style
	// license that can be found in the LICENSE file.

	package main

	import (
	"context"
	"fmt"

	"golang.org/x/exp/slices"
	"golang.org/x/vulndb/cmd/vulnreport/log"
	"golang.org/x/vulndb/internal/cve5"
	"golang.org/x/vulndb/internal/genericosv"
	"golang.org/x/vulndb/internal/ghsa"
	"golang.org/x/vulndb/internal/idstr"
	"golang.org/x/vulndb/internal/report"
	)

	type aliasFinder struct {
	gc *ghsa.Client
	}

	func (af *aliasFinder) setup(ctx context.Context) error {
	if *githubToken == "" {
	return fmt.Errorf("githubToken must be provided")
	}
	af.gc = ghsa.NewClient(ctx, *githubToken)
	return nil
	}

	// addMissingAliases uses the existing aliases in a report to find
	// any missing aliases, and adds them to the report.
	func (af aliasFinder) addMissingAliases(ctx context.Context, r report.Report) (added int) {
	all := af.allAliases(ctx, r.Aliases())
	// If we have manually marked an identifier as "related", but
	// not actually an alias, don't override this decision.
	if len(r.Related) > 0 {
	all = removeRelated(all, r.Related)
	}
	return r.AddAliases(all)
	}

	func removeRelated(all, related []string) []string {
	// This is an uncommon operation, operating on short string slices,
	// so it doesn't need to be optimized.
	return slices.DeleteFunc(all, func(s string) bool {
	return slices.Contains(related, s)
	})
	}

	// allAliases returns a list of all aliases associated with the given knownAliases,
	// (including the knownAliases themselves).
	func (a *aliasFinder) allAliases(ctx context.Context, knownAliases []string) []string {
	aliasesFor := func(ctx context.Context, alias string) ([]string, error) {
	switch {
	case idstr.IsGHSA(alias):
	return aliasesForGHSA(ctx, alias, a.gc)
	case idstr.IsCVE(alias):
	return aliasesForCVE(ctx, alias, a.gc)
	default:
	return nil, fmt.Errorf("unsupported alias %s", alias)
	}
	}
	return aliasesBFS(ctx, knownAliases, aliasesFor)
	}

	func aliasesBFS(ctx context.Context, knownAliases []string,
	aliasesFor func(ctx context.Context, alias string) ([]string, error)) (all []string) {
	var queue []string
	var seen = make(map[string]bool)
	queue = append(queue, knownAliases...)

	for len(queue) > 0 {
	alias := queue[0]
	queue = queue[1:]

	if seen[alias] {
	continue
	}

	seen[alias] = true
	all = append(all, alias)
	aliases, err := aliasesFor(ctx, alias)
	if err != nil {
	log.Err(err)
	continue
	}
	queue = append(queue, aliases...)
	}

	slices.Sort(all)
	return slices.Compact(all)
	}

	func aliasesForGHSA(ctx context.Context, alias string, gc *ghsa.Client) (aliases []string, err error) {
	sa, err := gc.FetchGHSA(ctx, alias)
	if err != nil {
	return nil, fmt.Errorf("aliasesForGHSA(%s): could not fetch GHSA record from GraphQL API", alias)
	}
	for _, id := range sa.Identifiers {
	if id.Type == "CVE" \|\| id.Type == "GHSA" {
	aliases = append(aliases, id.Value)
	}
	}
	return aliases, nil
	}

	func aliasesForCVE(ctx context.Context, cve string, gc *ghsa.Client) (aliases []string, err error) {
	sas, err := gc.ListForCVE(ctx, cve)
	if err != nil {
	return nil, fmt.Errorf("aliasesForCVE(%s): could not find GHSAs from GraphQL API", cve)
	}
	for _, sa := range sas {
	aliases = append(aliases, sa.ID)
	}
	return aliases, nil
	}

	// sourceFromBestAlias returns a report source fetched from the "best" alias in the list.
	// By default, it prefers the first GHSA in the list, followed by the first CVE in the list
	// (if no GHSA is present).
	// If "preferCVE" is true, it prefers CVEs instead.
	func (af *aliasFinder) sourceFromBestAlias(ctx context.Context, aliases []string, preferCVE bool) (report.Source, bool) {
	firstChoice := idstr.IsGHSA
	secondChoice := idstr.IsCVE
	if preferCVE {
	firstChoice, secondChoice = secondChoice, firstChoice
	}

	find := func(f func(string) bool) (report.Source, bool) {
	for _, alias := range aliases {
	if f(alias) {
	src, err := af.fetch(ctx, alias)
	if err != nil {
	continue
	}
	return src, true
	}
	}
	return nil, false
	}

	if src, found := find(firstChoice); found {
	return src, true
	}

	if src, found := find(secondChoice); found {
	return src, true
	}

	return report.Original(), false
	}

	func (a *aliasFinder) fetch(ctx context.Context, alias string) (report.Source, error) {
	var f report.Fetcher
	switch {
	case idstr.IsGHSA(alias):
	if *graphQL {
	f = a.gc
	} else {
	f = genericosv.NewFetcher()
	}
	case idstr.IsCVE(alias):
	f = cve5.NewFetcher()
	default:
	return nil, fmt.Errorf("alias %s is not supported", alias)
	}

	return f.Fetch(ctx, alias)
	}