cmd: delete
Delete cmd/ files. These are moved to x/vuln.
Change-Id: Iee25b4b3652f71c012b6267fcdbf4d2a348ac448
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/362578
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
diff --git a/cmd/cvetriage/main.go b/cmd/cvetriage/main.go
deleted file mode 100644
index 358eae0..0000000
--- a/cmd/cvetriage/main.go
+++ /dev/null
@@ -1,79 +0,0 @@
-// Copyright 2021 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Command cvetriage is used to manage the processing and triaging of CVE data
-// from the github.com/CVEProject/cvelist git repository. It is intended to be
-// run by a third-party scheduler, such as Cloud Run, at some predefined interval.
-//
-// Running this tool will do the following: run the tool does the following things:
-// 1. Reads each CVE JSON file, filtering them based on possible indicators
-// that the CVE is related to a Go project.
-// 2. Reads a list of already processed CVEs (currently stored at
-// triaged-cve-list, but will likely be moved to a database in the future), skipping
-// any CVEs from the previous step that have already been processed.
-// 3. For each unprocessed CVE, a preliminary YAML vulnerability report will be generated, and a
-// GitHub issue will be created.
-package main
-
-import (
- "fmt"
- "log"
- "strings"
-
- "golang.org/x/vulndb/internal"
- "golang.org/x/vulndb/internal/cvelist"
- "golang.org/x/vulndb/internal/derrors"
-)
-
-func main() {
- if err := run(); err != nil {
- log.Fatal(err)
- }
-}
-
-func run() (err error) {
- triaged, err := readTriagedCVEList()
- if err != nil {
- return err
- }
- return cvelist.Run(triaged)
-}
-
-const (
- triagedCVEList = "triaged-cve-list"
- statusFalsePositive = "false-positive"
- statusTriaged = "triaged"
-)
-
-func readTriagedCVEList() (_ map[string]bool, err error) {
- defer derrors.Wrap(&err, "readTriagedCVEList()")
- triaged := map[string]bool{}
- lines, err := internal.ReadFileLines(triagedCVEList)
- if err != nil {
- return nil, err
- }
- for _, l := range lines {
- vuln := strings.Fields(l)
- if len(vuln) < 2 {
- return nil, fmt.Errorf("unexpected syntax: %q", l)
- }
- var (
- cveID = vuln[0]
- status = vuln[1]
- )
- if status != statusFalsePositive && status != statusTriaged {
- return nil, fmt.Errorf("unexpected syntax: %q", l)
- }
- if status == statusTriaged {
- if len(vuln) != 3 {
- return nil, fmt.Errorf("unexpected syntax: %q", l)
- }
- triaged[cveID] = true
- }
- if status == statusFalsePositive {
- triaged[cveID] = true
- }
- }
- return triaged, nil
-}
diff --git a/cmd/dbdiff/main.go b/cmd/dbdiff/main.go
deleted file mode 100644
index ed06d8d..0000000
--- a/cmd/dbdiff/main.go
+++ /dev/null
@@ -1,101 +0,0 @@
-// Copyright 2021 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package main
-
-import (
- "encoding/json"
- "fmt"
- "io/ioutil"
- "os"
- "path/filepath"
- "strings"
-
- "github.com/google/go-cmp/cmp"
- "golang.org/x/vulndb/internal"
- "golang.org/x/vulndb/internal/derrors"
- "golang.org/x/vulndb/osv"
-)
-
-func loadDB(dbPath string) (_ osv.DBIndex, _ map[string][]osv.Entry, err error) {
- defer derrors.Wrap(&err, "loadDB(%q)", dbPath)
- index := osv.DBIndex{}
- dbMap := map[string][]osv.Entry{}
-
- var loadDir func(string) error
- loadDir = func(path string) error {
- dir, err := ioutil.ReadDir(path)
- if err != nil {
- return err
- }
- for _, f := range dir {
- fpath := filepath.Join(path, f.Name())
- if f.IsDir() {
- if err := loadDir(fpath); err != nil {
- return err
- }
- continue
- }
- content, err := ioutil.ReadFile(fpath)
- if err != nil {
- return err
- }
- if path == dbPath && f.Name() == "index.json" {
- if err := json.Unmarshal(content, &index); err != nil {
- return fmt.Errorf("unable to parse %q: %s", fpath, err)
- }
- } else if path == filepath.Join(dbPath, internal.IDDirectory) {
- if f.Name() == "index.json" {
- // The ID index is just a list of the entries' IDs; we'll
- // catch any diffs in the entries themselves.
- continue
- }
- var entry osv.Entry
- if err := json.Unmarshal(content, &entry); err != nil {
- return fmt.Errorf("unable to parse %q: %s", fpath, err)
- }
- fname := strings.TrimPrefix(fpath, dbPath)
- dbMap[fname] = []osv.Entry{entry}
- } else {
- var entries []osv.Entry
- if err := json.Unmarshal(content, &entries); err != nil {
- return fmt.Errorf("unable to parse %q: %s", fpath, err)
- }
- module := strings.TrimPrefix(fpath, dbPath)
- dbMap[module] = entries
- }
- }
- return nil
- }
- if err := loadDir(dbPath); err != nil {
- return nil, nil, err
- }
- return index, dbMap, nil
-}
-
-func main() {
- if len(os.Args) != 3 {
- fmt.Fprintln(os.Stderr, "usage: dbdiff db-a db-b")
- os.Exit(1)
- }
- indexA, dbA, err := loadDB(os.Args[1])
- if err != nil {
- fmt.Fprintf(os.Stderr, "unable to load %q: %s\n", os.Args[1], err)
- os.Exit(1)
- }
- indexB, dbB, err := loadDB(os.Args[2])
- if err != nil {
- fmt.Fprintf(os.Stderr, "unable to load %q: %s\n", os.Args[2], err)
- os.Exit(1)
- }
- indexDiff := cmp.Diff(indexA, indexB)
- if indexDiff == "" {
- indexDiff = "(no change)"
- }
- dbDiff := cmp.Diff(dbA, dbB)
- if dbDiff == "" {
- dbDiff = "(no change)"
- }
- fmt.Printf("# index\n%s\n\n# db\n%s\n", indexDiff, dbDiff)
-}
diff --git a/cmd/gendb/main.go b/cmd/gendb/main.go
deleted file mode 100644
index befd156..0000000
--- a/cmd/gendb/main.go
+++ /dev/null
@@ -1,130 +0,0 @@
-// Copyright 2021 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package main
-
-import (
- "encoding/json"
- "flag"
- "fmt"
- "io/ioutil"
- "os"
- "path/filepath"
- "strings"
-
- "golang.org/x/vulndb/internal"
- "golang.org/x/vulndb/internal/report"
- "golang.org/x/vulndb/osv"
- "gopkg.in/yaml.v2"
-)
-
-func failf(format string, args ...interface{}) {
- why := fmt.Sprintf(format, args...)
- fmt.Fprintln(os.Stderr, why)
- os.Exit(1)
-}
-
-// TODO(rolandshoemaker): once we have the HTML representation ready this should
-// be the prefix for that.
-const dbURL = "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/"
-
-func main() {
- yamlDir := flag.String("reports", "reports", "Directory containing yaml reports")
- jsonDir := flag.String("out", "out", "Directory to write JSON database to")
- flag.Parse()
-
- yamlFiles, err := ioutil.ReadDir(*yamlDir)
- if err != nil {
- failf("can't read %q: %s", *yamlDir, err)
- }
-
- jsonVulns := map[string][]osv.Entry{}
- var entries []osv.Entry
- for _, f := range yamlFiles {
- if !strings.HasSuffix(f.Name(), ".yaml") {
- continue
- }
- content, err := ioutil.ReadFile(filepath.Join(*yamlDir, f.Name()))
- if err != nil {
- failf("can't read %q: %s", f.Name(), err)
- }
- var vuln report.Report
- if err := yaml.UnmarshalStrict(content, &vuln); err != nil {
- failf("unable to unmarshal %q: %s", f.Name(), err)
- }
- if lints := vuln.Lint(); len(lints) > 0 {
- fmt.Fprintf(os.Stderr, "invalid vulnerability file %q:\n", os.Args[1])
- for _, lint := range lints {
- fmt.Fprintf(os.Stderr, "\t%s\n", lint)
- }
- os.Exit(1)
- }
-
- name := strings.TrimSuffix(filepath.Base(f.Name()), filepath.Ext(f.Name()))
-
- // TODO(rolandshoemaker): once the HTML representation is ready this should be
- // the link to the HTML page.
- linkName := fmt.Sprintf("%s%s.yaml", dbURL, name)
- entry, paths := osv.Generate(name, linkName, vuln)
- for _, path := range paths {
- jsonVulns[path] = append(jsonVulns[path], entry)
- }
- entries = append(entries, entry)
- }
-
- index := make(osv.DBIndex, len(jsonVulns))
- for path, vulns := range jsonVulns {
- outPath := filepath.Join(*jsonDir, path)
- content, err := json.Marshal(vulns)
- if err != nil {
- failf("failed to marshal json: %s", err)
- }
- if err := os.MkdirAll(filepath.Dir(outPath), 0700); err != nil {
- failf("failed to create directory %q: %s", filepath.Dir(outPath), err)
- }
- if err := ioutil.WriteFile(outPath+".json", content, 0644); err != nil {
- failf("failed to write %q: %s", outPath+".json", err)
- }
- for _, v := range vulns {
- if v.Modified.After(index[path]) || v.Published.After(index[path]) {
- index[path] = v.Modified
- }
- }
- }
-
- indexJSON, err := json.Marshal(index)
- if err != nil {
- failf("failed to marshal index json: %s", err)
- }
- if err := ioutil.WriteFile(filepath.Join(*jsonDir, "index.json"), indexJSON, 0644); err != nil {
- failf("failed to write index: %s", err)
- }
-
- // Write a directory containing entries by ID.
- idDir := filepath.Join(*jsonDir, internal.IDDirectory)
- if err := os.MkdirAll(idDir, 0700); err != nil {
- failf("failed to create directory %q: %v", idDir, err)
- }
- var idIndex []string
- for _, e := range entries {
- outPath := filepath.Join(idDir, e.ID+".json")
- content, err := json.Marshal(e)
- if err != nil {
- failf("failed to marshal json: %v", err)
- }
- if err := ioutil.WriteFile(outPath, content, 0644); err != nil {
- failf("failed to write %q: %v", outPath, err)
- }
- idIndex = append(idIndex, e.ID)
- }
-
- // Write an index.json in the ID directory with a list of all the IDs.
- idIndexJSON, err := json.Marshal(idIndex)
- if err != nil {
- failf("failed to marshal index json: %s", err)
- }
- if err := ioutil.WriteFile(filepath.Join(idDir, "index.json"), idIndexJSON, 0644); err != nil {
- failf("failed to write index: %s", err)
- }
-}
diff --git a/cmd/linter/main.go b/cmd/linter/main.go
deleted file mode 100644
index 803aee3..0000000
--- a/cmd/linter/main.go
+++ /dev/null
@@ -1,42 +0,0 @@
-// Copyright 2021 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package main
-
-import (
- "fmt"
- "io/ioutil"
- "os"
-
- "golang.org/x/vulndb/internal/report"
- "gopkg.in/yaml.v2"
-)
-
-func main() {
- if len(os.Args) != 2 {
- fmt.Fprintln(os.Stderr, "only expect a single argument")
- os.Exit(1)
- }
-
- content, err := ioutil.ReadFile(os.Args[1])
- if err != nil {
- fmt.Fprintf(os.Stderr, "unable to read %q: %s\n", os.Args[1], err)
- os.Exit(1)
- }
-
- var vuln report.Report
- err = yaml.UnmarshalStrict(content, &vuln)
- if err != nil {
- fmt.Fprintf(os.Stderr, "unable to parse %q: %s\n", os.Args[1], err)
- os.Exit(1)
- }
-
- if lints := vuln.Lint(); len(lints) > 0 {
- fmt.Fprintf(os.Stderr, "invalid vulnerability file %q:\n", os.Args[1])
- for _, lint := range lints {
- fmt.Fprintf(os.Stderr, "\t%s\n", lint)
- }
- os.Exit(1)
- }
-}
diff --git a/cmd/report2cve/main.go b/cmd/report2cve/main.go
deleted file mode 100644
index e81e15f..0000000
--- a/cmd/report2cve/main.go
+++ /dev/null
@@ -1,164 +0,0 @@
-// Copyright 2021 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package main
-
-import (
- "encoding/json"
- "errors"
- "fmt"
- "io/ioutil"
- "os"
- "strings"
-
- "golang.org/x/vulndb/internal/cveschema"
- "golang.org/x/vulndb/internal/derrors"
- "golang.org/x/vulndb/internal/report"
- "gopkg.in/yaml.v2"
-)
-
-func fromReport(r *report.Report) (_ *cveschema.CVE, err error) {
- defer derrors.Wrap(&err, "fromReport(r)")
- if r.CVE != "" {
- return nil, errors.New("report has CVE ID is wrong section (should be in cve_metadata for self-issued CVEs)")
- }
- if r.CVEMetadata == nil {
- return nil, errors.New("report missing cve_metadata section")
- }
- if r.CVEMetadata.ID == "" {
- return nil, errors.New("report missing CVE ID")
- }
-
- c := &cveschema.CVE{
- DataType: "CVE",
- DataFormat: "MITRE",
- DataVersion: "4.0",
- CVEDataMeta: cveschema.CVEDataMeta{
- ID: r.CVEMetadata.ID,
- ASSIGNER: "security@golang.org",
- STATE: "PUBLIC",
- },
-
- Description: cveschema.Description{
- DescriptionData: []cveschema.LangString{
- {
- Lang: "eng",
- Value: strings.TrimSuffix(r.CVEMetadata.Description, "\n"),
- },
- },
- },
-
- Problemtype: cveschema.Problemtype{
- ProblemtypeData: []cveschema.ProblemtypeDataItems{
- {
- Description: []cveschema.LangString{
- {
- Lang: "eng",
- Value: r.CVEMetadata.CWE,
- },
- },
- },
- },
- },
-
- Affects: cveschema.Affects{
- Vendor: cveschema.Vendor{
- VendorData: []cveschema.VendorDataItems{
- {
- VendorName: "n/a", // ???
- Product: cveschema.Product{
- ProductData: []cveschema.ProductDataItem{
- {
- ProductName: r.Package,
- Version: versionToVersion(r.Versions),
- },
- },
- },
- },
- },
- },
- },
- }
-
- for _, additional := range r.AdditionalPackages {
- c.Affects.Vendor.VendorData = append(c.Affects.Vendor.VendorData, cveschema.VendorDataItems{
- VendorName: "n/a",
- Product: cveschema.Product{
- ProductData: []cveschema.ProductDataItem{
- {
- ProductName: additional.Package,
- Version: versionToVersion(additional.Versions),
- },
- },
- },
- })
- }
-
- if r.Links.PR != "" {
- c.References.ReferenceData = append(c.References.ReferenceData, cveschema.Reference{URL: r.Links.PR})
- }
- if r.Links.Commit != "" {
- c.References.ReferenceData = append(c.References.ReferenceData, cveschema.Reference{URL: r.Links.Commit})
- }
- for _, url := range r.Links.Context {
- c.References.ReferenceData = append(c.References.ReferenceData, cveschema.Reference{URL: url})
- }
-
- return c, nil
-}
-
-func versionToVersion(versions []report.VersionRange) cveschema.VersionData {
- vd := cveschema.VersionData{}
- for _, vr := range versions {
- if vr.Introduced != "" {
- vd.VersionData = append(vd.VersionData, cveschema.VersionDataItems{
- VersionValue: vr.Introduced,
- VersionAffected: ">=",
- })
- }
- if vr.Fixed != "" {
- vd.VersionData = append(vd.VersionData, cveschema.VersionDataItems{
- VersionValue: vr.Fixed,
- VersionAffected: "<",
- })
- }
- }
- return vd
-}
-
-func main() {
- if len(os.Args) != 2 {
- fmt.Fprint(os.Stderr, "usage: report2cve report.yaml")
- os.Exit(1)
- }
-
- reportPath := os.Args[1]
- b, err := ioutil.ReadFile(reportPath)
- if err != nil {
- fmt.Fprintf(os.Stderr, "failed to read %q: %s\n", reportPath, err)
- os.Exit(1)
- }
-
- var r report.Report
- if err = yaml.UnmarshalStrict(b, &r); err != nil {
- fmt.Fprintf(os.Stderr, "failed to parse %q: %s\n", reportPath, err)
- os.Exit(1)
- }
-
- cve, err := fromReport(&r)
- if err != nil {
- fmt.Fprintf(os.Stderr, "failed to generate CVE: %s\n", err)
- os.Exit(1)
- }
-
- // We need to use an encoder so that it doesn't escape angle
- // brackets.
- e := json.NewEncoder(os.Stdout)
- e.SetEscapeHTML(false)
- e.SetIndent("", "\t")
- if err = e.Encode(cve); err != nil {
- fmt.Fprintf(os.Stderr, "failed to marshal CVE: %s\n", err)
- os.Exit(1)
- }
-}