all: fix lints

Fix small issues like unused symbols, unchecked errors etc.

Bump dependency on protobuf, which has a vulnerability.

Change-Id: I10385ff41302d1446c35af43ae72219fc9687150
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/601376
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

cmd/gendb/main.go

@@ -19,7 +19,6 @@ var (
 	repoDir = flag.String("repo", ".", "Directory containing vulndb repo")
 	jsonDir = flag.String("out", "out", "Directory to write JSON database to")
 	zipFile = flag.String("zip", "", "if provided, file to write zipped database to (for v1 database only)")
-	indent  = flag.Bool("indent", false, "Indent JSON for debugging")
 )
 
 func main() {

cmd/modinfo/internal/pkgsitedb/db.go

@@ -12,7 +12,6 @@ import (
 	"context"
 	"database/sql"
 	"fmt"
-	"regexp"
 
 	secretmanager "cloud.google.com/go/secretmanager/apiv1"
 	smpb "cloud.google.com/go/secretmanager/apiv1/secretmanagerpb"
@@ -88,12 +87,6 @@ func QueryModule(ctx context.Context, db *sql.DB, modulePath string) (*Module, e
 	return m, nil
 }
 
-var passwordRegexp = regexp.MustCompile(`password=\S+`)
-
-func redactPassword(dbinfo string) string {
-	return passwordRegexp.ReplaceAllLiteralString(dbinfo, "password=REDACTED")
-}
-
 // getSecret retrieves a secret from the GCP Secret Manager.
 // secretFullName should be of the form "projects/PROJECT/secrets/NAME".
 func getSecret(ctx context.Context, secretFullName string) (_ string, err error) {

cmd/worker/main.go

@@ -54,8 +54,6 @@ func init() {
 	flag.StringVar(&cfg.IssueRepo, "issue-repo", os.Getenv("VULN_WORKER_ISSUE_REPO"), "repo to create issues in")
 }
 
-const pkgsiteURL = "https://pkg.go.dev"
-
 func main() {
 	flag.Usage = func() {
 		out := flag.CommandLine.Output()

go.mod

@@ -83,6 +83,6 @@ require (
 	google.golang.org/genproto v0.0.0-20231120223509-83a465c0220f // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20231211222908-989df2bf70f3 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20231211222908-989df2bf70f3 // indirect
-	google.golang.org/protobuf v1.31.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )

go.sum

@@ -329,6 +329,8 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
 google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=

internal/cve5/fetch.go

@@ -11,8 +11,7 @@ import (
 )
 
 // Fetch returns the CVE record associated with the ID.
-// It is intended one-off (non-batch) requests, and
-// is much faster than cvelistrepo.FetchCVE.
+// It is intended one-off (non-batch) requests.
 func Fetch(id string) (*CVERecord, error) {
 	c := NewClient(Config{
 		Endpoint: ProdEndpoint,

internal/cvelistrepo/cvelistrepo.go

@@ -7,7 +7,6 @@
 package cvelistrepo
 
 import (
-	"context"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -112,37 +111,6 @@ func blobReader(repo *git.Repository, hash plumbing.Hash) (io.Reader, error) {
 	return blob.Reader()
 }
 
-// FetchCVE fetches the CVE file for cveID from the CVElist repo and returns
-// the parsed info.
-func FetchCVE[T any](ctx context.Context, repo *git.Repository, cveID string) (_ T, err error) {
-	defer derrors.Wrap(&err, "FetchCVE(repo, commit, %s)", cveID)
-	var zero T
-
-	ref, err := repo.Reference(plumbing.HEAD, true)
-	if err != nil {
-		return zero, err
-	}
-	ch := ref.Hash()
-	commit, err := repo.CommitObject(ch)
-	if err != nil {
-		return zero, err
-	}
-	files, err := Files(repo, commit)
-	if err != nil {
-		return zero, err
-	}
-	for _, f := range files {
-		if strings.Contains(f.Filename, cveID) {
-			cve, err := Parse[T](repo, f)
-			if err != nil {
-				return zero, err
-			}
-			return cve, nil
-		}
-	}
-	return zero, fmt.Errorf("%s not found", cveID)
-}
-
 // Parse unmarshals the contents of f.
 func Parse[T any](repo *git.Repository, f File) (T, error) {
 	var zero T

internal/cvelistrepo/cvelistrepo_test.go

@@ -101,33 +101,6 @@ func TestFiles(t *testing.T) {
 	}
 }
 
-func TestFetchCVE(t *testing.T) {
-	testFetchCVE[*cve4.CVE](t, "v4", v4txtar)
-	testFetchCVE[*cve5.CVERecord](t, "v5", v5txtar)
-}
-
-func testFetchCVE[S report.Source](t *testing.T, name, txtarFile string) {
-	t.Run(name, func(t *testing.T) {
-		ctx := context.Background()
-		repo, _, err := gitrepo.TxtarRepoAndHead(txtarFile)
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		for _, id := range cveIDs {
-			t.Run(id, func(t *testing.T) {
-				cve, err := FetchCVE[S](ctx, repo, id)
-				if err != nil {
-					t.Fatal(err)
-				}
-				if got, want := cve.SourceID(), id; got != want {
-					t.Errorf("FetchCVE(%s) ID = %s, want %s", id, got, want)
-				}
-			})
-		}
-	})
-}
-
 func TestParse(t *testing.T) {
 	testParse[*cve4.CVE](t, "v4", v4txtar)
 	testParse[*cve5.CVERecord](t, "v5", v5txtar)

internal/cveutils/triage.go

@@ -6,7 +6,6 @@ package cveutils
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"net/url"
 	"strings"
@@ -18,8 +17,6 @@ import (
 	"golang.org/x/vulndb/internal/worker/log"
 )
 
-var errCVEVersionUnsupported = errors.New("unsupported CVE version")
-
 // stdlibReferenceDataKeywords are words found in the reference data URL that
 // indicate the CVE is about the standard library or a Go x-repo owned by the
 // Go team.

internal/database/gzip.go

@@ -7,7 +7,7 @@ package database
 import (
 	"bytes"
 	"compress/gzip"
-	"io/ioutil"
+	"io"
 	"os"
 )
 
@@ -48,5 +48,5 @@ func readGzipped(filename string) ([]byte, error) {
 	}
 	defer r.Close()
 
-	return ioutil.ReadAll(r)
+	return io.ReadAll(r)
 }

internal/symbols/patched_functions.go

@@ -90,8 +90,8 @@ func Patched(module, commitHash string, r *repository) (_ map[string][]string, e
 
 // resetWorktree takes a repository and its worktree and resets it to MAIN/MASTER@HEAD
 func resetWorktree(r *git.Repository, w *git.Worktree) {
-	r.Fetch(&git.FetchOptions{})
-	w.Reset(&git.ResetOptions{
+	_ = r.Fetch(&git.FetchOptions{})
+	_ = w.Reset(&git.ResetOptions{
 		Mode: git.HardReset,
 	})
 }

internal/worker/store/store_test.go

@@ -186,7 +186,7 @@ func testDirHashes(t *testing.T, s Store) {
 }
 
 var (
-	ghsa1, ghsa2, ghsa3, ghsa4, ghsa5 = "GHSA-xxxx-yyyy-1111", "GHSA-xxxx-yyyy-2222", "GHSA-xxxx-yyyy-3333", "GHSA-xxxx-yyyy-4444", "GHSA-xxxx-yyyy-5555"
+	ghsa1, ghsa2 = "GHSA-xxxx-yyyy-1111", "GHSA-xxxx-yyyy-2222"
 )
 
 func testGHSAs(t *testing.T, s Store) {

internal/worker/update_test.go

@@ -349,7 +349,9 @@ func TestDoUpdate(t *testing.T) {
 			mstore := store.NewMemStore()
 			createCVE4Records(t, mstore, test.curCVEs)
 			createLegacyGHSARecords(t, mstore, test.curGHSAs)
-			newCVEUpdater(repo, commit, mstore, rc, needsIssue).update(ctx)
+			if err := newCVEUpdater(repo, commit, mstore, rc, needsIssue).update(ctx); err != nil {
+				t.Fatal(err)
+			}
 			got := mstore.CVE4Records()
 			want := map[string]*store.CVE4Record{}
 			for _, cr := range test.want {

internal/worker/worker.go

@@ -116,11 +116,6 @@ func (c *CheckUpdateError) Error() string {
 	return c.msg
 }
 
-const (
-	vulnDBBucket = "go-vulndb"
-	vulnDBURL    = "https://storage.googleapis.com/" + vulnDBBucket
-)
-
 // GHSAListFunc is the type of a function that lists GitHub security advisories.
 type GHSAListFunc func(_ context.Context, since time.Time) ([]*ghsa.SecurityAdvisory, error)