Separate triage-related code to its own internal
package so it can be re-used throughout.
Change-Id: I1c143624d718b896edb64afa020875925210b094
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/601378
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

Fix a bug in which the "likely duplicate" label was applied
to all issues that have duplicates on the tracker. (For example,
if #1 and #2 both refer to GHSA-xxxx-yyyy-zzzz, only one of
these should be marked as a duplicate.)
This also revealed some bugs in the fake in-memory implementation
of the GHSA API, which are now fixed.
Change-Id: Ifd98befdf3e23f1fc95df38533107de9c921b195
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/599456
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

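The labelling rule that the commit above describes, written out as an added example (this is not vulndb's own triage code). It groups issues by the advisory aliases they reference and labels every issue in a group except the canonical one, shown beside the pre-fix behaviour that labelled the whole group. The `Issue` type, the sample issues and the rule that the lowest-numbered issue is the original are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Issue is a constructed stand-in for a tracker issue: its number and the
// advisory aliases (GHSA IDs, CVE IDs) found in its body. It is not vulndb's
// own type.
type Issue struct {
	Number  int
	Aliases []string
}

// Duplicate says that issue Number is a likely duplicate of issue Of because
// both reference Alias.
type Duplicate struct {
	Number int
	Of     int
	Alias  string
}

// indexByAlias maps each alias to the sorted list of issue numbers that
// reference it, counting each issue at most once per alias.
func indexByAlias(issues []Issue) map[string][]int {
	byAlias := map[string][]int{}
	for _, is := range issues {
		seen := map[string]bool{}
		for _, a := range is.Aliases {
			if seen[a] {
				continue // the same alias listed twice in one issue is not a duplicate
			}
			seen[a] = true
			byAlias[a] = append(byAlias[a], is.Number)
		}
	}
	for _, nums := range byAlias {
		sort.Ints(nums)
	}
	return byAlias
}

// findDuplicates reports, for every alias shared by two or more issues, each
// issue except the canonical one. Assumption: the lowest-numbered issue is the
// original, so it is never reported as a duplicate of itself.
func findDuplicates(issues []Issue) []Duplicate {
	var dups []Duplicate
	for alias, nums := range indexByAlias(issues) {
		if len(nums) < 2 {
			continue
		}
		canonical := nums[0]
		for _, n := range nums[1:] {
			dups = append(dups, Duplicate{Number: n, Of: canonical, Alias: alias})
		}
	}
	sort.Slice(dups, func(i, j int) bool {
		if dups[i].Number != dups[j].Number {
			return dups[i].Number < dups[j].Number
		}
		return dups[i].Alias < dups[j].Alias
	})
	return dups
}

// likelyDuplicates is the set of issue numbers that should get the
// "likely duplicate" label after the fix.
func likelyDuplicates(issues []Issue) map[int]bool {
	out := map[int]bool{}
	for _, d := range findDuplicates(issues) {
		out[d.Number] = true
	}
	return out
}

// buggyLikelyDuplicates reproduces the pre-fix behaviour for comparison:
// every issue that shares an alias with any other issue is labelled,
// including the original.
func buggyLikelyDuplicates(issues []Issue) map[int]bool {
	out := map[int]bool{}
	for _, nums := range indexByAlias(issues) {
		if len(nums) < 2 {
			continue
		}
		for _, n := range nums {
			out[n] = true
		}
	}
	return out
}

func main() {
	// Constructed sample: #1 and #2 share a GHSA; #3 is unrelated.
	issues := []Issue{
		{Number: 1, Aliases: []string{"GHSA-xxxx-yyyy-zzzz"}},
		{Number: 2, Aliases: []string{"GHSA-xxxx-yyyy-zzzz"}},
		{Number: 3, Aliases: []string{"GHSA-aaaa-bbbb-cccc"}},
	}
	fmt.Println("before fix:", buggyLikelyDuplicates(issues)) // map[1:true 2:true]
	fmt.Println("after fix: ", likelyDuplicates(issues))      // map[2:true]
	for _, d := range findDuplicates(issues) {
		fmt.Printf("#%d duplicates #%d via %s\n", d.Number, d.Of, d.Alias)
	}
}
```

An issue that references several aliases can be a duplicate of more than one earlier issue; `findDuplicates` reports each pairing separately so the label's reason stays visible in the output.
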
Add a simple check for package existence in vulnreport fix, which
pings pkg.go.dev to determine if a package exists.
This is more likely to succeed (and faster) than the package/symbol
check which downloads the whole package. We now skip this symbol-check
when there are no symbols listed.
There are still some cases in which this fails incorrectly (e.g. if pkgsite
for some reason couldn't cache the given package/version), so the check
can be bypassed.
Change-Id: I922eae0dec9a376210f0f0fd1d70a67da934ffaa
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/599180
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

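An added example of the existence check described above, not the vulnreport implementation: a HEAD request against the package's pkg.go.dev page, with an injectable HTTP client so it runs offline against a constructed fake, a bypass flag for the uncached-package case the commit mentions, and the rule that the symbol check runs only when symbols are listed. The `Checker` type, the fake server and the `<import path>@<version>` URL form for pinned versions are assumptions made for the example.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// pkgsiteURL is the pkg.go.dev page for a package. The "<import path>@<version>"
// form used for pinned versions is an assumption about pkgsite's URL scheme.
func pkgsiteURL(importPath, version string) string {
	u := "https://pkg.go.dev/" + strings.TrimSuffix(importPath, "/")
	if version != "" {
		u += "@" + version
	}
	return u
}

// Checker probes pkg.go.dev. Client is injectable so tests (and this file's
// main) run offline; Bypass is the escape hatch for cases where pkgsite
// has not cached a package/version and would wrongly answer 404.
type Checker struct {
	Client *http.Client
	Bypass bool
}

// ErrUnknown is returned when pkg.go.dev answers with neither 200 nor 404,
// so the caller cannot tell whether the package exists.
var ErrUnknown = fmt.Errorf("pkg.go.dev gave an inconclusive answer")

// PackageExists reports whether pkg.go.dev serves a page for the package.
// A HEAD request is enough: 200 means known, 404 means unknown (or merely
// uncached); anything else is surfaced as an error rather than guessed.
func (c *Checker) PackageExists(ctx context.Context, importPath, version string) (bool, error) {
	if c.Bypass {
		return true, nil
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodHead, pkgsiteURL(importPath, version), nil)
	if err != nil {
		return false, err
	}
	resp, err := c.Client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return true, nil
	case http.StatusNotFound:
		return false, nil
	default:
		return false, fmt.Errorf("%w: %s for %s", ErrUnknown, resp.Status, req.URL)
	}
}

// needSymbolCheck encodes the second decision in the commit: the expensive
// download-the-package symbol check runs only when symbols are listed.
func needSymbolCheck(symbols []string) bool { return len(symbols) > 0 }

// fakePkgsite is a constructed stand-in for pkg.go.dev: 200 for URLs in
// known, 503 for URLs in flaky, 404 for everything else.
type fakePkgsite struct{ known, flaky map[string]bool }

func (f fakePkgsite) RoundTrip(req *http.Request) (*http.Response, error) {
	code := http.StatusNotFound
	switch u := req.URL.String(); {
	case f.flaky[u]:
		code = http.StatusServiceUnavailable
	case f.known[u]:
		code = http.StatusOK
	}
	return &http.Response{
		StatusCode: code,
		Status:     fmt.Sprintf("%d %s", code, http.StatusText(code)),
		Header:     http.Header{},
		Body:       io.NopCloser(strings.NewReader("")),
		Request:    req,
	}, nil
}

// newFakeChecker builds a Checker backed by fakePkgsite.
func newFakeChecker(known, flaky []string) *Checker {
	f := fakePkgsite{known: map[string]bool{}, flaky: map[string]bool{}}
	for _, u := range known {
		f.known[u] = true
	}
	for _, u := range flaky {
		f.flaky[u] = true
	}
	return &Checker{Client: &http.Client{Transport: f}}
}

func main() {
	c := newFakeChecker(
		[]string{"https://pkg.go.dev/golang.org/x/net/http2"},
		[]string{"https://pkg.go.dev/example.com/flaky"},
	)
	for _, p := range []string{"golang.org/x/net/http2", "example.com/nonexistent", "example.com/flaky"} {
		ok, err := c.PackageExists(context.Background(), p, "")
		fmt.Printf("%-26s exists=%v err=%v\n", p, ok, err)
	}
}
```

Treating a non-404 failure as an error instead of "does not exist" matters for a fixer that may edit a report automatically: a transient 5xx from pkgsite should stop the run, not silently drop a package from the affected list.
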
Before writing YAML/OSV/CVE files, check if their contents would
be modified. The main benefit of this is that we now only print
out the written filename if its contents change, which is helpful
for determining the impact of batch operations.
Change-Id: Ieae133a1697d98b99cb40dda56826a5c46f40487
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/599179
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

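The write-only-if-changed step from the commit above, as an added example rather than vulndb's own code: the serialized bytes are compared against the file on disk before anything is written, the write goes through a temporary file and rename so an interrupted run cannot leave a truncated record, and a batch helper returns just the paths that changed, which is the list a batch command should print. The function names and the sample YAML records are assumptions made for the example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"sort"
)

// writeIfChanged writes data to path only when the file does not yet exist or
// its current bytes differ from data, and reports whether a write happened.
// The comparison is on the serialized bytes, so a change in YAML/JSON
// formatting is still detected, while an unchanged record leaves the file
// (and its mtime) alone.
func writeIfChanged(path string, data []byte) (changed bool, err error) {
	old, err := os.ReadFile(path)
	switch {
	case err == nil:
		if bytes.Equal(old, data) {
			return false, nil
		}
	case errors.Is(err, os.ErrNotExist):
		// new file: fall through to the write
	default:
		return false, err
	}
	// Write to a temporary file in the same directory and rename it into
	// place, so a crash mid-write cannot leave a half-written record behind.
	tmp, err := os.CreateTemp(filepath.Dir(path), "."+filepath.Base(path)+".tmp-*")
	if err != nil {
		return false, err
	}
	cleanup := func() { tmp.Close(); os.Remove(tmp.Name()) }
	if err := tmp.Chmod(0o644); err != nil {
		cleanup()
		return false, err
	}
	if _, err := tmp.Write(data); err != nil {
		cleanup()
		return false, err
	}
	if err := tmp.Close(); err != nil {
		os.Remove(tmp.Name())
		return false, err
	}
	if err := os.Rename(tmp.Name(), path); err != nil {
		os.Remove(tmp.Name())
		return false, err
	}
	return true, nil
}

// writeAll applies writeIfChanged to a batch and returns, in sorted order,
// only the paths whose contents changed.
func writeAll(files map[string][]byte) ([]string, error) {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var changed []string
	for _, p := range paths {
		ok, err := writeIfChanged(p, files[p])
		if err != nil {
			return changed, fmt.Errorf("%s: %w", p, err)
		}
		if ok {
			changed = append(changed, p)
		}
	}
	return changed, nil
}

func main() {
	dir, err := os.MkdirTemp("", "vulndb-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	// Constructed sample records standing in for generated YAML/OSV/CVE files.
	a := filepath.Join(dir, "GO-2024-0001.yaml")
	b := filepath.Join(dir, "GO-2024-0002.yaml")
	first, _ := writeAll(map[string][]byte{a: []byte("id: GO-2024-0001\n"), b: []byte("id: GO-2024-0002\n")})
	fmt.Println("changed:", first) // both files are new
	second, _ := writeAll(map[string][]byte{a: []byte("id: GO-2024-0001\n"), b: []byte("id: GO-2024-0002\nmodified: true\n")})
	fmt.Println("changed:", second) // only GO-2024-0002.yaml
}
```

Comparing bytes rather than parsed structures is deliberate: a marshaler change that reorders keys is a real diff in the repository and should be reported, not hidden.
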
Adds a test framework that allows tests to inject fake/mock
dependencies into the vulnreport commands and record the expected
output of commands.
Some subcommand tests are left as TODOs, as they require additional
fake/mock dependencies that haven't been implemented yet.
Change-Id: I25f6085f2297e5b9d916f0927c1111ac2b49bef8
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/590038
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>