# worker

`worker` is a binary that can act as both a CLI and a web server.

With no command-line arguments, it listens for HTTP traffic on the port given by
the `PORT` environment variable. There is no reason to run the server locally
(except for debugging), so this document describes only the CLI.

The CLI can display the Firestore database of CVE records, update the database
from commits of the CVE repo github.com/CVEProject/cvelist, and file issues.

## Setup

You will need a Google Cloud account and a project to run the worker. If you
don't already have default credentials on your machine, set them up with

```
gcloud auth application-default login
```

To run most CLI commands you'll need a `-project` flag, to specify the GCP
project where the Firestore DB resides. Since there is only one Firestore DB per
project and we want multiple, independent DBs, we also require a string called the
"namespace," specified with `-namespace`.

## update COMMIT

The update command takes a commit hash from the github.com/CVEProject/cvelist
repo, and modifies the DB to match the commit, creating and modifying CVE
records as needed. It does not file any issues; it only categorizes CVEs as
needing issues, not requiring action, and so on.

The command

```
worker -project go-vuln -namespace test update HEAD
```

will clone the cvelist repo from GitHub and update the `test` namespace with the
most recent commit of the repo. It will contact pkg.go.dev to determine whether
URLs are modules.

To update at a different commit, or just to avoid the clone, clone the repo
locally and provide a path to it:

```
worker -project go-vuln -namespace test \
  -local-cve-repo ~/repos/github.com/CVEProject/cvelist \
  update cb2d8ae8ac0afed043d0fd99669e1aaac42e8b69
```

To avoid hitting pkg.go.dev, compile a file of known module paths, one per line,
and pass it as well:

```
worker -project go-vuln -namespace test \
  -local-cve-repo ~/repos/github.com/CVEProject/cvelist \
  -known-module-file ~/module-paths.txt \
  update cb2d8ae8ac0afed043d0fd99669e1aaac42e8b69
```
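
The known-module file is nothing more than a list of module paths, one per line.
The script below, added here as an example and not part of the worker, builds
one from `go.mod` files already on disk, so that `update` need not query
pkg.go.dev for paths you already know are modules. The `go.mod` contents it
writes are constructed sample input, and the final `worker` invocation is shown
only as a comment.

```shell
#!/bin/sh
# Added example (not part of the worker): build the file passed to
# -known-module-file from go.mod files on disk. The go.mod contents written
# below are constructed sample input.

# Print the module paths a single go.mod file declares or requires, one per line.
# Handles the `module` line, single-line `require` directives and `require ( ... )`
# blocks; `replace`, `exclude` and `go` directives are ignored.
module_paths_from_gomod() {
  awk '
    /^module[ \t]+/           { print $2; next }
    /^require[ \t]*\(/        { inblock = 1; next }
    inblock && /^\)/          { inblock = 0; next }
    /^require[ \t]+[^( \t]/   { print $2; next }
    inblock {
      sub(/\/\/.*/, "")       # drop trailing comments such as "// indirect"
      if ($1 != "") print $1
    }
  ' "$1"
}

# Merge the paths from several go.mod files into one sorted, de-duplicated file.
build_known_module_file() {
  out=$1
  shift
  for f in "$@"; do
    module_paths_from_gomod "$f"
  done | sort -u > "$out"
}

# Constructed sample go.mod files, written to a scratch directory.
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/app" "$SAMPLE_DIR/lib"
cat > "$SAMPLE_DIR/app/go.mod" <<'EOF'
module example.com/app

go 1.21

require (
    github.com/example/lib v1.4.0
    golang.org/x/text v0.14.0 // indirect
)

require github.com/example/tool v0.2.1

replace github.com/example/lib => ../lib
EOF
cat > "$SAMPLE_DIR/lib/go.mod" <<'EOF'
module github.com/example/lib

go 1.21

require golang.org/x/text v0.14.0
EOF

KNOWN_MODULES="$SAMPLE_DIR/module-paths.txt"
build_known_module_file "$KNOWN_MODULES" "$SAMPLE_DIR/app/go.mod" "$SAMPLE_DIR/lib/go.mod"
cat "$KNOWN_MODULES"
# Then, for example:
#   worker -project go-vuln -namespace test -known-module-file "$KNOWN_MODULES" update HEAD
```

Point `build_known_module_file` at the `go.mod` files of the repositories you
maintain (or at a module cache) and pass the resulting file with
`-known-module-file`; paths not in the file are still resolved via pkg.go.dev.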

If an update is interrupted or fails to complete, subsequent calls to `worker
update` will fail. If you're sure there is no concurrent update in progress, it
is safe to pass the `-force` flag to force the update.

## list-cves

The command

```
worker -project go-vuln -namespace test list-cves NeedsIssue
```

will list all CVE records that need an issue. You can also use these other
argument values (from internal/worker/store/store.go:TriageState):

- IssueCreated
- UpdatedSinceIssueCreation
- HasVuln
- FalsePositive

It's not recommended to pass the "NoActionNeeded" triage state, because the vast
majority of records have this state and listing them takes a long time.

## create-issues

To create issues from records that need them, use the `create-issues` subcommand
and provide a repo and the path to a file that holds a GitHub access token.
You can also limit the number of issues created.

```
worker -project go-vuln -namespace test \
  -issue-repo myorg/myrepo \
  -ghtokenfile ~/github-token \
  -limit 10 \
  create-issues
```
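
The token file grants write access to the issue repo, so before `create-issues`
runs it is worth checking that the file is readable only by its owner and that
the `-issue-repo` value has the `owner/repo` shape the flag expects. The checks
below are an added example, not part of the worker; the token files and scratch
directory are constructed, and the `create_issues_checked` wrapper assumes the
same `-project` and `-namespace` values used throughout this document.

```shell
#!/bin/sh
# Added example (not part of the worker): sanity checks to run before
# create-issues. Sample token files below are constructed placeholders.

# Return 0 if the token file is a non-empty regular file with no group/other
# permission bits (mode 0600 or stricter), 1 otherwise.
token_file_is_private() {
  f=$1
  [ -f "$f" ] || { echo "token file $f: not a regular file" >&2; return 1; }
  [ -s "$f" ] || { echo "token file $f: empty" >&2; return 1; }
  # Columns 5-10 of `ls -l` output are the group and other permission characters.
  perm=$(ls -ld "$f" | cut -c5-10)
  [ "$perm" = "------" ] || {
    echo "token file $f: readable by group/other (fix with chmod 600)" >&2
    return 1
  }
  return 0
}

# Return 0 if the argument has the "owner/repo" form, 1 otherwise.
valid_issue_repo() {
  case $1 in
    ''|/*|*/|*/*/*)       return 1 ;;  # empty, leading/trailing slash, extra path element
    *[!A-Za-z0-9_./-]*)   return 1 ;;  # characters not allowed in owner or repo names
    */*)                  return 0 ;;
    *)                    return 1 ;;  # no slash at all
  esac
}

# Run create-issues only when both checks pass. Not invoked by the demo below.
create_issues_checked() {
  repo=$1; tokenfile=$2; limit=${3:-10}
  valid_issue_repo "$repo" || { echo "bad -issue-repo value: $repo" >&2; return 1; }
  token_file_is_private "$tokenfile" || return 1
  worker -project go-vuln -namespace test \
    -issue-repo "$repo" -ghtokenfile "$tokenfile" -limit "$limit" create-issues
}

# Constructed demo: one private token file and one that is group/world readable.
DEMO_DIR=$(mktemp -d)
printf 'ghp_PLACEHOLDER_NOT_A_REAL_TOKEN\n' > "$DEMO_DIR/github-token"
chmod 600 "$DEMO_DIR/github-token"
printf 'ghp_PLACEHOLDER_NOT_A_REAL_TOKEN\n' > "$DEMO_DIR/leaky-token"
chmod 644 "$DEMO_DIR/leaky-token"
token_file_is_private "$DEMO_DIR/github-token" && echo "github-token: ok"
token_file_is_private "$DEMO_DIR/leaky-token" || echo "leaky-token: rejected"
```

`create_issues_checked myorg/myrepo ~/github-token 10` is the intended usage;
it refuses to start the worker when either check fails, so a world-readable
token file is noticed before it is used rather than after.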

## list-updates

This subcommand shows the update operations that have run, most to least recent.

## show

Run `show` with a list of CVE IDs to display the corresponding CVE records.