report,osv,client: update schema to current state Match the current state of https://tinyurl.com/vuln-json, also fix a minor bug in deploy-db.sh. Change-Id: Ib6c225637cb538ef263b7bf182d30e36e76a43e3 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/321509 Trust: Roland Shoemaker <roland@golang.org> Run-TryBot: Roland Shoemaker <roland@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org>
diff --git a/client/client_test.go b/client/client_test.go
index eef1e3a..51b3f21 100644
--- a/client/client_test.go
+++ b/client/client_test.go
@@ -18,13 +18,13 @@ var testVuln1 string = `[ {"ID":"ID1","Package":{"Name":"golang.org/example/one","Ecosystem":"go"}, "Summary":"", - "Severity":2,"Affects":{"Ranges":[{"Type":2,"Introduced":"","Fixed":"v2.2.0"}]}, + "Severity":2,"Affects":{"Ranges":[{"Type":"SEMVER","Introduced":"","Fixed":"v2.2.0"}]}, "ecosystem_specific":{"Symbols":["some_symbol_1"] }}]` var testVuln2 string = `[ {"ID":"ID2","Package":{"Name":"golang.org/example/two","Ecosystem":"go"}, "Summary":"", - "Severity":2,"Affects":{"Ranges":[{"Type":2,"Introduced":"","Fixed":"v2.1.0"}]}, + "Severity":2,"Affects":{"Ranges":[{"Type":"SEMVER","Introduced":"","Fixed":"v2.1.0"}]}, "ecosystem_specific":{"Symbols":["some_symbol_2"] }}]`
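Review bot: Both fixtures still carry the pre-change wire format — `"Ecosystem":"go"` and the capitalised `"ID"`, `"Package"`, `"Affects"`, `"Ranges"` keys — even though this CL changes GoEcosystem to "Go" and gives every field a lowercase json tag; only `"Type":"SEMVER"` was updated. encoding/json matches keys case-insensitively on decode, so the test keeps passing, but it no longer exercises the schema the commit says it matches, and the string value "go" would not equal GoEcosystem if the client ever compares them. Suggest regenerating the two literals from the new encoder, e.g. `"package":{"name":"golang.org/example/one","ecosystem":"Go"}` and `"affects":{"ranges":[{"type":"SEMVER","introduced":"","fixed":"v2.2.0"}]}`, so decode drift between client and osv is caught here.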
diff --git a/deploy-db.sh b/deploy-db.sh
index 38a3d2f..ee712f2 100644
--- a/deploy-db.sh
+++ b/deploy-db.sh
@@ -2,6 +2,6 @@
 tmp_dir=$(mktemp -d -t vulndb-XXXX)
 go run ./cmd/gendb -reports reports -out $tmp_dir
 cd $tmp_dir
-gsutil cp -m -r . gs://go-vulndb
+gsutil -m cp -r . gs://go-vulndb
 cd -
-rm -rf $tmp_dir
\ No newline at end of file
+rm -rf $tmp_dir
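Review bot: The flag fix on the gsutil line is right, but the lines around it still run unguarded: `cd $tmp_dir` is unquoted and unchecked, so if mktemp fails and tmp_dir is empty the expansion vanishes, the command becomes a bare `cd` into $HOME, and `gsutil -m cp -r .` would publish the home directory to the bucket; likewise `rm -rf $tmp_dir` never runs if any earlier command fails. Suggest `set -euo pipefail` at the top of the script (line 1 is outside this hunk), `cd "$tmp_dir"`, and `trap 'rm -rf "$tmp_dir"' EXIT` in place of the trailing rm so the temp dir is removed on every exit path. Quoting `-out "$tmp_dir"` on the go run line for the same reason is cheap.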
diff --git a/osv/json.go b/osv/json.go
index 9938b53..1ee0867 100644
--- a/osv/json.go
+++ b/osv/json.go
@@ -34,27 +34,27 @@ // vulndb implementatiion detail. type DBIndex map[string]time.Time -type AffectsRangeType int +type AffectsRangeType string const ( - TypeUnspecified AffectsRangeType = iota - TypeGit - TypeSemver + TypeUnspecified AffectsRangeType = "UNSPECIFIED" + TypeGit AffectsRangeType = "GIT" + TypeSemver AffectsRangeType = "SEMVER" ) type Ecosystem string -const GoEcosystem Ecosystem = "go" +const GoEcosystem Ecosystem = "Go" type Package struct { - Name string - Ecosystem Ecosystem + Name string `json:"name"` + Ecosystem Ecosystem `json:"ecosystem"` } type AffectsRange struct { - Type AffectsRangeType - Introduced string - Fixed string + Type AffectsRangeType `json:"type"` + Introduced string `json:"introduced"` + Fixed string `json:"fixed"` } func (ar AffectsRange) containsSemver(v string) bool { @@ -108,29 +108,27 @@ Symbols []string `json:",omitempty"` GOOS []string `json:",omitempty"` GOARCH []string `json:",omitempty"` - URL string + URL string `json:"url"` } type Reference struct { - Type string - URL string + Type string `json:"type"` + URL string `json:"url"` } // Entry represents a OSV style JSON vulnerability database // entry type Entry struct { - ID string - Published time.Time - Modified time.Time - Withdrawn *time.Time `json:",omitempty"` - Aliases []string `json:",omitempty"` - Package Package - Details string - Affects Affects - References []Reference `json:",omitempty"` - Extra struct { - Go GoSpecific - } + ID string `json:"id"` + Published time.Time `json:"published"` + Modified time.Time `json:"modified"` + Withdrawn *time.Time `json:"withdrawn,omitempty"` + Aliases []string `json:"aliases,omitempty"` + Package Package `json:"package"` + Details string `json:"details"` + Affects Affects `json:"affects"` + References []Reference `json:"references,omitempty"` + EcosystemSpecific GoSpecific `json:"ecosystem_specific"` } func Generate(id string, url string, r report.Report) []Entry { 
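Review bot: The zero value of `AffectsRangeType` is now `""` rather than `TypeUnspecified` ("UNSPECIFIED"), so an `AffectsRange` whose JSON omits `type` decodes to a value that is none of the three constants, and a zero-value range encodes as `"type":""` because the new tag has no omitempty. Whatever `containsSemver` and the other consumers switch on (the function starts at the end of this hunk and continues outside it) should either treat `""` as unspecified or reject it on decode; at minimum record it on the type with `// The zero value "" is not a valid range type; callers must set one of the constants below.`. The exported `AffectsRangeType`, `Ecosystem`, `Package` and `AffectsRange` also have no doc comments, which this schema-aligning change is the natural place to add.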
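Review bot: In `GoSpecific` the new `URL string `json:"url"`` sits beside `Symbols`, `GOOS` and `GOARCH`, which keep a bare `json:",omitempty"` and therefore still serialize under their Go field names, so the `ecosystem_specific` object now mixes `Symbols`/`GOOS`/`GOARCH` with `url`; the `GoSpecific` struct starts before this hunk. Since every later key rename is a wire-format break for the published database, suggest deciding the casing once here, e.g. `Symbols []string `json:"symbols,omitempty"`` and likewise for `goos`/`goarch`, noting that the client_test.go fixtures in this CL currently rely on `"Symbols"`. The Entry comment should also read `// Entry represents an OSV-style JSON vulnerability database entry.`.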
@@ -153,24 +151,22 @@ }, Details: r.Description, Affects: generateAffects(r.Versions), - Extra: struct{ Go GoSpecific }{ - Go: GoSpecific{ - Symbols: r.Symbols, - GOOS: r.OS, - GOARCH: r.Arch, - URL: url, - }, + EcosystemSpecific: GoSpecific{ + Symbols: r.Symbols, + GOOS: r.OS, + GOARCH: r.Arch, + URL: url, }, } if r.Links.PR != "" { - entry.References = append(entry.References, Reference{Type: "code review", URL: r.Links.PR}) + entry.References = append(entry.References, Reference{Type: "FIX", URL: r.Links.PR}) } if r.Links.Commit != "" { - entry.References = append(entry.References, Reference{Type: "fix", URL: r.Links.Commit}) + entry.References = append(entry.References, Reference{Type: "FIX", URL: r.Links.Commit}) } for _, link := range r.Links.Context { - entry.References = append(entry.References, Reference{Type: "misc", URL: link}) + entry.References = append(entry.References, Reference{Type: "WEB", URL: link}) } if r.CVE != "" { @@ -187,7 +183,7 @@ additionalImportPath = additional.Package } entryCopy.Package.Name = additionalImportPath - entryCopy.Extra.Go.Symbols = additional.Symbols + entryCopy.EcosystemSpecific.Symbols = additional.Symbols entryCopy.Affects = generateAffects(additional.Versions) entries = append(entries, entryCopy)
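Review bot: The reference types are bare string literals (`"FIX"` twice, `"WEB"` once) written into `Reference.Type`, which is a plain `string`, whereas this same CL turned the range type into the typed `AffectsRangeType` enumeration; a typo here yields an entry that fails OSV validation with nothing to catch it at compile time. Suggest the same treatment: a `ReferenceType string` with constants along the lines of `RefTypeFix ReferenceType = "FIX"` and `RefTypeWeb ReferenceType = "WEB"`, and `Reference.Type` declared as that type in the previous hunk. `Generate` starts before and continues after this hunk; in the second hunk, if `entryCopy` is a plain struct copy of `entry` (not visible here), reassigning `EcosystemSpecific.Symbols` is safe but `References`, `Aliases`, `GOOS` and `GOARCH` still share backing arrays with the original, which is worth a comment so nobody appends to a copy later.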
diff --git a/osv/json_test.go b/osv/json_test.go
index 545c8df..39bfa5d 100644
--- a/osv/json_test.go
+++ b/osv/json_test.go
@@ -15,12 +15,7 @@ func TestGenerate(t *testing.T) { r := report.Report{ Module: "example.com/vulnerable/v2", - AdditionalPackages: []struct { - Module string - Package string - Symbols []string - Versions []report.VersionRange - }{ + AdditionalPackages: []report.Additional{ { Module: "vanity.host/vulnerable", Package: "vanity.host/vulnerable/package", @@ -43,11 +38,7 @@ Symbols: []string{"A", "B.b"}, OS: []string{"windows"}, Arch: []string{"arm64"}, - Links: struct { - PR string - Commit string - Context []string - }{ + Links: report.Links{ PR: "pr", Commit: "commit", Context: []string{"issue-a", "issue-b"}, @@ -59,7 +50,7 @@ ID: "GO-1991-0001", Package: Package{ Name: "example.com/vulnerable/v2", - Ecosystem: "go", + Ecosystem: "Go", }, Details: "It's a real bad one, I'll tell you that", Affects: Affects{ @@ -80,19 +71,17 @@ }, }, References: []Reference{ - Reference{Type: "code review", URL: "pr"}, - Reference{Type: "fix", URL: "commit"}, - Reference{Type: "misc", URL: "issue-a"}, - Reference{Type: "misc", URL: "issue-b"}, + Reference{Type: "FIX", URL: "pr"}, + Reference{Type: "FIX", URL: "commit"}, + Reference{Type: "WEB", URL: "issue-a"}, + Reference{Type: "WEB", URL: "issue-b"}, }, Aliases: []string{"CVE-0000-0000"}, - Extra: struct{ Go GoSpecific }{ - Go: GoSpecific{ - Symbols: []string{"A", "B.b"}, - GOOS: []string{"windows"}, - GOARCH: []string{"arm64"}, - URL: "https://vulns.golang.org/GO-1991-0001.html", - }, + EcosystemSpecific: GoSpecific{ + Symbols: []string{"A", "B.b"}, + GOOS: []string{"windows"}, + GOARCH: []string{"arm64"}, + URL: "https://vulns.golang.org/GO-1991-0001.html", }, }, { @@ -100,7 +89,7 @@ ID: "GO-1991-0001", Package: Package{ Name: "vanity.host/vulnerable/package", - Ecosystem: "go", + Ecosystem: "Go", }, Details: "It's a real bad one, I'll tell you that", Affects: Affects{ 
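Review bot: TestGenerate compares Go structs only, so none of the json tags this CL adds (`id`, `package`, `affects`, `ecosystem_specific`, the `"type":"SEMVER"` enum) nor the `"Go"` ecosystem value is asserted in encoded form; a regressed or misspelled tag would pass this test unchanged. Suggest a marshal check in this test or a sibling: `json.Marshal` one generated Entry, decode into `map[string]any` or compare against a golden string, and assert the key names and enum values the OSV schema fixes. The expected-struct edits in the `-59`, `-80`, `-100` and `-121` hunks are otherwise consistent with the json.go changes and need no further comment.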
@@ -121,19 +110,17 @@ }, }, References: []Reference{ - Reference{Type: "code review", URL: "pr"}, - Reference{Type: "fix", URL: "commit"}, - Reference{Type: "misc", URL: "issue-a"}, - Reference{Type: "misc", URL: "issue-b"}, + Reference{Type: "FIX", URL: "pr"}, + Reference{Type: "FIX", URL: "commit"}, + Reference{Type: "WEB", URL: "issue-a"}, + Reference{Type: "WEB", URL: "issue-b"}, }, Aliases: []string{"CVE-0000-0000"}, - Extra: struct{ Go GoSpecific }{ - Go: GoSpecific{ - Symbols: []string{"b", "A.b"}, - GOOS: []string{"windows"}, - GOARCH: []string{"arm64"}, - URL: "https://vulns.golang.org/GO-1991-0001.html", - }, + EcosystemSpecific: GoSpecific{ + Symbols: []string{"b", "A.b"}, + GOOS: []string{"windows"}, + GOARCH: []string{"arm64"}, + URL: "https://vulns.golang.org/GO-1991-0001.html", }, }, }
diff --git a/report/report.go b/report/report.go
index 57cd733..a400a00 100644
--- a/report/report.go
+++ b/report/report.go
@@ -11,6 +11,25 @@ Fixed string `yaml:",omitempty"` } +type Additional struct { + Module string `yaml:",omitempty"` + Package string `yaml:",omitempty"` + Symbols []string `yaml:",omitempty"` + Versions []VersionRange `yaml:",omitempty"` +} + +type Links struct { + PR string `yaml:",omitempty"` + Commit string `yaml:",omitempty"` + Context []string `yaml:",omitempty"` +} + +type CVEMeta struct { + ID string `yaml:",omitempty"` + CWE string `yaml:",omitempty"` + Description string `yaml:",omitempty"` +} + type Report struct { Module string `yaml:",omitempty"` Package string `yaml:",omitempty"` 
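Review bot: The three new exported types `Additional`, `Links` and `CVEMeta` have no doc comments, and `Additional` on its own does not say what it is additional to. Suggest a one-line comment on each, something like `// Additional describes a further package covered by the same report — TODO confirm wording.` for the first, or renaming it `AdditionalPackage` to match the `AdditionalPackages` field that uses it in the `-26` hunk; the yaml tags themselves carry over unchanged from the anonymous structs. The `Report` struct beginning at the end of this hunk continues outside it.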
@@ -26,30 +45,17 @@ // really be replaced with 'aliases', we'll still need // additional packages for some cases, but it's too heavy // for most - AdditionalPackages []struct { - Module string `yaml:",omitempty"` - Package string `yaml:",omitempty"` - Symbols []string `yaml:",omitempty"` - Versions []VersionRange `yaml:",omitempty"` - } `yaml:"additional_packages,omitempty"` - Versions []VersionRange `yaml:",omitempty"` - Description string `yaml:",omitempty"` - Published time.Time `yaml:",omitempty"` - LastModified *time.Time `yaml:"last_modified,omitempty"` - Withdrawn *time.Time `yaml:",omitempty"` - CVE string `yaml:",omitempty"` - Credit string `yaml:",omitempty"` - Symbols []string `yaml:",omitempty"` - OS []string `yaml:",omitempty"` - Arch []string `yaml:",omitempty"` - Links struct { - PR string `yaml:",omitempty"` - Commit string `yaml:",omitempty"` - Context []string `yaml:",omitempty"` - } `yaml:",omitempty"` - CVEMetadata *struct { - ID string `yaml:",omitempty"` - CWE string `yaml:",omitempty"` - Description string `yaml:",omitempty"` - } `yaml:"cve_metadata,omitempty"` + AdditionalPackages []Additional `yaml:"additional_packages,omitempty"` + Versions []VersionRange `yaml:",omitempty"` + Description string `yaml:",omitempty"` + Published time.Time `yaml:",omitempty"` + LastModified *time.Time `yaml:"last_modified,omitempty"` + Withdrawn *time.Time `yaml:",omitempty"` + CVE string `yaml:",omitempty"` + Credit string `yaml:",omitempty"` + Symbols []string `yaml:",omitempty"` + OS []string `yaml:",omitempty"` + Arch []string `yaml:",omitempty"` + Links Links `yaml:",omitempty"` + CVEMetadata *CVEMeta `yaml:"cve_metadata,omitempty"` }