Граф коммитов

9 Коммитов

Автор SHA1 Сообщение Дата
Tatiana Bradley 7aa642d280 cmd/vulnreport: add a check for basic reference URL existence
Adds a check to "vulnreport fix" that errors if any URLs in the
"references" section return an error or status 404 on HTTP HEAD.
We don't check for other status codes yet.

An experiment to error on all non-200 status codes brought up some
ambiguous cases where the link is still viewable in a browser, e.g.:
    - 429 Too Many Requests (https://vuldb.com/?id.256304)
    - 503 Service Unavailable (http://blog.recurity-labs.com/2017-08-10/scm-vulns):
    - 403 Forbidden (https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html)

For now, this is a fix check and not a lint check, meaning it only
applies to new reports, and can technically be ignored (by manually
creating a CL that adds the report).

This CL also deletes existing URLs in the corpus that don't exist
according to this check.

Change-Id: Id14fb79fc2f2c2d4c8145fdc88d11aa33708c94b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/588761
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-03 20:51:31 +00:00
Tatiana Bradley 69d9a200a8 data: apply REVIEWED status to all existing reports and osv
Change-Id: I862c5bb24b9c08c29f0d437fd1be61da0319ef0d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/585517
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-05-20 16:03:47 +00:00
Tatiana Bradley 4d4a361097 internal/{osv,report}, data: publish summaries to OSV
Modify ToOSV to publish the summary from the YAML report to OSV, and
apply this change to each existing OSV report.

For golang/go#56443

Change-Id: Iee78fe75f42fe9a52c6e4023ee9ad8dfa5feba8d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/501203
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
2023-06-12 18:45:41 +00:00
Tatiana Bradley 69f5b83308 data/reports: add -0 suffix to stdlib report versions
For std and cmd reports with an introduced at 1.x.0 version, add the
suffix "-0" so that the vuln will be considered introduced before any
rc versions.

Change-Id: I4c69a7895b453f759924cefaa283570ee42b4858
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/494218
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
2023-05-11 15:31:00 +00:00
Tatiana Bradley 264b406b71 internal/osv, all: move DatabaseSpecific osv field
Moves DatabaseSpecific to be a field of the top-level osv.Entry, instead
of a subfield of the Affected field.

Change-Id: I8c80f8af268b51d57833268b89947838c53e407a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/481136
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
2023-04-03 15:57:51 +00:00
Maceo Thompson 93f50fcb7c internal/report, data/osv: populate schema_version field in osv entries
The vulnreport osv command now populates all generated osvs with the current schema version (1.3.1).
This CL also updates all previous OSV entries to also have the current schema version.

Change-Id: Ie95c91aae0ee623bbf50ff047190a0bbe59893d9
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/452440
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Maceo Thompson <maceothompson@google.com>
2022-11-21 19:50:45 +00:00
Tatiana Bradley e21719caff internal/database, data/osv: trim whitespace characters in OSV description
In GenerateOSVEntry, replace all whitespace characters with single spaces
except for paragraph breaks represented by "\n\n".

Change-Id: Ia03f0b53c94979fada6316be1346df3f48b9fabe
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/439044
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
2022-10-26 17:44:45 +00:00
Aaqa Ishtyaq 4c804906bd internal/database: add credits in the osv report
- Update `golang.org/x/vuln/osv`.
- Output credits in the OSV report from the YAML report.
- Update `data/osv` to include `credits`.

Fixes golang/go#55956

Change-Id: I8b1a81f33ca7b2832394be316b7d015c8a281220
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/435976
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Auto-Submit: Damien Neil <dneil@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
2022-10-21 20:22:39 +00:00
Damien Neil ea89353760 data/osv: add OSV entries for all reports
Create data/osv, containing the OSV version for all reports.
This directory will be used as the source for database generation
in the future.

Set creation times on all existing reports; future reports will
take the creation time from the OSV entry history.

Change-Id: Ibe0f3a9fc76c0d4afee8102d6a0fd35c7641e97d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/430682
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
2022-09-20 15:16:04 +00:00