Commit graph

2084 commits

Author SHA1 Message Date
Tim King cc6101e39e data/reports: add GO-2024-2951
  - data/reports/GO-2024-2951.yaml

Fixes golang/vulndb#2951

Change-Id: I3714b42140d6c974de899161111cd5d65ca0bd65
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/596215
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
2024-07-02 17:39:03 +00:00
Tatiana Bradley 6b8d7686dc data/reports: review 3 reports, add 2 reports
  - data/reports/GO-2024-2491.yaml
  - data/reports/GO-2024-2698.yaml
  - data/reports/GO-2024-2785.yaml
  - data/reports/GO-2024-2912.yaml
  - data/reports/GO-2024-2918.yaml

Updates golang/vulndb#2491
Updates golang/vulndb#2698
Updates golang/vulndb#2785
Fixes golang/vulndb#2912
Fixes golang/vulndb#2918

Change-Id: I296bb2155b7a3ad7b8f8e7e3f1cc829a159c6cc8
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595960
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
2024-07-01 21:50:42 +00:00
Tatiana Bradley 76e28a5b02 data/reports: review 7 reports
Review 7 vulns that need REVIEWED reports based on
estimated impact.

  - data/reports/GO-2024-2500.yaml
  - data/reports/GO-2024-2512.yaml
  - data/reports/GO-2024-2572.yaml
  - data/reports/GO-2024-2575.yaml
  - data/reports/GO-2024-2846.yaml
  - data/reports/GO-2024-2913.yaml
  - data/reports/GO-2024-2914.yaml

Fixes golang/vulndb#2500
Fixes golang/vulndb#2512
Fixes golang/vulndb#2572
Fixes golang/vulndb#2575
Fixes golang/vulndb#2846
Fixes golang/vulndb#2913
Fixes golang/vulndb#2914

Change-Id: I65341fdb981196e44d09545d84e7b77261a549f3
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595999
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2024-07-01 19:59:51 +00:00
Tatiana Bradley 95ad15a2c1 data/reports: add 5 reports
  - data/reports/GO-2024-2920.yaml
  - data/reports/GO-2024-2921.yaml
  - data/reports/GO-2024-2930.yaml
  - data/reports/GO-2024-2936.yaml
  - data/reports/GO-2024-2943.yaml

Fixes golang/vulndb#2920
Fixes golang/vulndb#2921
Fixes golang/vulndb#2930
Fixes golang/vulndb#2936
Fixes golang/vulndb#2943

Change-Id: I6de64b6c40310fbc70839bdffd8665a4c639d7b3
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595957
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
2024-07-01 19:59:12 +00:00
Tatiana Bradley 3f3b024453 data/reports: withdraw GO-2024-2527
This report is a low impact vulnerability that is causing too many
false positives. Withdraw it for now to mitigate impact.

Updates golang/vulndb#2527
Updates golang/vulndb#2952

Change-Id: Iffad648eecbbda67e49a962592a33df9232f5fbb
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595995
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2024-07-01 15:41:10 +00:00
Zvonimir Pavlinovic 9373b6c4da data/reports: update GO-2024-2746
  - data/reports/GO-2024-2746.yaml

Updates golang/vulndb#2746

Change-Id: Ib156e8b36cf9c768a58ead781bdabccfc4c0b2fb
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595975
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Zvonimir Pavlinovic <zpavlinovic@google.com>
2024-07-01 15:02:49 +00:00
Tim King db6401a8c2 data/reports: add GO-2024-2948
  - data/reports/GO-2024-2948.yaml

Fixes golang/vulndb#2948

Change-Id: I2b875ed9ddeaa66f8e31cfd24732b08160f4143d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595255
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-28 18:33:10 +00:00
Tatiana Bradley e116d8a335 data/reports: unexclude 80 reports
  - data/reports/GO-2024-2521.yaml
  - data/reports/GO-2024-2434.yaml
  - data/reports/GO-2024-2537.yaml
  - data/reports/GO-2024-2432.yaml
  - data/reports/GO-2024-2483.yaml
  - data/reports/GO-2024-2480.yaml
  - data/reports/GO-2024-2433.yaml
  - data/reports/GO-2024-2530.yaml
  - data/reports/GO-2024-2556.yaml
  - data/reports/GO-2024-2472.yaml
  - data/reports/GO-2024-2540.yaml
  - data/reports/GO-2024-2560.yaml
  - data/reports/GO-2024-2561.yaml
  - data/reports/GO-2024-2590.yaml
  - data/reports/GO-2024-2428.yaml
  - data/reports/GO-2024-2508.yaml
  - data/reports/GO-2024-2592.yaml
  - data/reports/GO-2024-2511.yaml
  - data/reports/GO-2024-2491.yaml
  - data/reports/GO-2024-2479.yaml
  - data/reports/GO-2024-2509.yaml
  - data/reports/GO-2024-2589.yaml
  - data/reports/GO-2024-2496.yaml
  - data/reports/GO-2024-2505.yaml
  - data/reports/GO-2024-2558.yaml
  - data/reports/GO-2024-2430.yaml
  - data/reports/GO-2024-2594.yaml
  - data/reports/GO-2024-2431.yaml
  - data/reports/GO-2024-2488.yaml
  - data/reports/GO-2024-2495.yaml
  - data/reports/GO-2024-2557.yaml
  - data/reports/GO-2024-2442.yaml
  - data/reports/GO-2024-2593.yaml
  - data/reports/GO-2024-2512.yaml
  - data/reports/GO-2024-2528.yaml
  - data/reports/GO-2024-2529.yaml
  - data/reports/GO-2024-2588.yaml
  - data/reports/GO-2024-2562.yaml
  - data/reports/GO-2024-2441.yaml
  - data/reports/GO-2024-2591.yaml
  - data/reports/GO-2024-2477.yaml
  - data/reports/GO-2024-2448.yaml
  - data/reports/GO-2024-2510.yaml
  - data/reports/GO-2024-2564.yaml
  - data/reports/GO-2024-2476.yaml
  - data/reports/GO-2024-2527.yaml
  - data/reports/GO-2024-2481.yaml
  - data/reports/GO-2024-2445.yaml
  - data/reports/GO-2024-2457.yaml
  - data/reports/GO-2024-2446.yaml
  - data/reports/GO-2024-2447.yaml
  - data/reports/GO-2024-2501.yaml
  - data/reports/GO-2024-2440.yaml
  - data/reports/GO-2024-2500.yaml
  - data/reports/GO-2024-2444.yaml
  - data/reports/GO-2024-2550.yaml
  - data/reports/GO-2024-2523.yaml
  - data/reports/GO-2024-2516.yaml
  - data/reports/GO-2024-2531.yaml
  - data/reports/GO-2024-2595.yaml
  - data/reports/GO-2024-2520.yaml
  - data/reports/GO-2024-2582.yaml
  - data/reports/GO-2024-2485.yaml
  - data/reports/GO-2024-2541.yaml
  - data/reports/GO-2024-2563.yaml
  - data/reports/GO-2024-2532.yaml
  - data/reports/GO-2024-2450.yaml
  - data/reports/GO-2024-2515.yaml
  - data/reports/GO-2024-2499.yaml
  - data/reports/GO-2024-2514.yaml
  - data/reports/GO-2024-2535.yaml
  - data/reports/GO-2024-2458.yaml
  - data/reports/GO-2024-2449.yaml
  - data/reports/GO-2024-2549.yaml
  - data/reports/GO-2024-2517.yaml
  - data/reports/GO-2024-2478.yaml
  - data/reports/GO-2024-2559.yaml
  - data/reports/GO-2024-2486.yaml
  - data/reports/GO-2024-2513.yaml
  - data/reports/GO-2024-2565.yaml

Updates golang/vulndb#2521
Updates golang/vulndb#2434
Updates golang/vulndb#2537
Updates golang/vulndb#2432
Updates golang/vulndb#2483
Updates golang/vulndb#2480
Updates golang/vulndb#2433
Updates golang/vulndb#2530
Updates golang/vulndb#2556
Updates golang/vulndb#2472
Updates golang/vulndb#2540
Updates golang/vulndb#2560
Updates golang/vulndb#2561
Updates golang/vulndb#2590
Updates golang/vulndb#2428
Updates golang/vulndb#2508
Updates golang/vulndb#2592
Updates golang/vulndb#2511
Updates golang/vulndb#2491
Updates golang/vulndb#2479
Updates golang/vulndb#2509
Updates golang/vulndb#2589
Updates golang/vulndb#2496
Updates golang/vulndb#2505
Updates golang/vulndb#2558
Updates golang/vulndb#2430
Updates golang/vulndb#2594
Updates golang/vulndb#2431
Updates golang/vulndb#2488
Updates golang/vulndb#2495
Updates golang/vulndb#2557
Updates golang/vulndb#2442
Updates golang/vulndb#2593
Updates golang/vulndb#2512
Updates golang/vulndb#2528
Updates golang/vulndb#2529
Updates golang/vulndb#2588
Updates golang/vulndb#2562
Updates golang/vulndb#2441
Updates golang/vulndb#2591
Updates golang/vulndb#2477
Updates golang/vulndb#2448
Updates golang/vulndb#2510
Updates golang/vulndb#2564
Updates golang/vulndb#2476
Updates golang/vulndb#2527
Updates golang/vulndb#2481
Updates golang/vulndb#2445
Updates golang/vulndb#2457
Updates golang/vulndb#2446
Updates golang/vulndb#2447
Updates golang/vulndb#2501
Updates golang/vulndb#2440
Updates golang/vulndb#2500
Updates golang/vulndb#2444
Updates golang/vulndb#2550
Updates golang/vulndb#2523
Updates golang/vulndb#2516
Updates golang/vulndb#2531
Updates golang/vulndb#2595
Updates golang/vulndb#2520
Updates golang/vulndb#2582
Updates golang/vulndb#2485
Updates golang/vulndb#2541
Updates golang/vulndb#2563
Updates golang/vulndb#2532
Updates golang/vulndb#2450
Updates golang/vulndb#2515
Updates golang/vulndb#2499
Updates golang/vulndb#2514
Updates golang/vulndb#2535
Updates golang/vulndb#2458
Updates golang/vulndb#2449
Updates golang/vulndb#2549
Updates golang/vulndb#2517
Updates golang/vulndb#2478
Updates golang/vulndb#2559
Updates golang/vulndb#2486
Updates golang/vulndb#2513
Updates golang/vulndb#2565

Change-Id: I9920757c40e457cb5d033ef0e0a99deb6a5c29b5
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592778
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-28 15:28:53 +00:00
Tatiana Bradley ca4ec54f49 data/reports: regenerate unreviewed reports
Regenerate existing unreviewed reports with improved algorithm.

Change-Id: I1603d4cbb87068497e686e238c070fdb7a2d28b1
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595276
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-28 15:28:40 +00:00
Tatiana Bradley 1b6c74b893 data/reports: add 15 unreviewed reports
  - data/reports/GO-2024-2898.yaml
  - data/reports/GO-2024-2905.yaml
  - data/reports/GO-2024-2924.yaml
  - data/reports/GO-2024-2926.yaml
  - data/reports/GO-2024-2927.yaml
  - data/reports/GO-2024-2928.yaml
  - data/reports/GO-2024-2929.yaml
  - data/reports/GO-2024-2931.yaml
  - data/reports/GO-2024-2932.yaml
  - data/reports/GO-2024-2933.yaml
  - data/reports/GO-2024-2934.yaml
  - data/reports/GO-2024-2938.yaml
  - data/reports/GO-2024-2939.yaml
  - data/reports/GO-2024-2940.yaml
  - data/reports/GO-2024-2941.yaml

Fixes golang/vulndb#2898
Fixes golang/vulndb#2905
Fixes golang/vulndb#2924
Fixes golang/vulndb#2926
Fixes golang/vulndb#2927
Fixes golang/vulndb#2928
Fixes golang/vulndb#2929
Fixes golang/vulndb#2931
Fixes golang/vulndb#2932
Fixes golang/vulndb#2933
Fixes golang/vulndb#2934
Fixes golang/vulndb#2938
Fixes golang/vulndb#2939
Fixes golang/vulndb#2940
Fixes golang/vulndb#2941

Change-Id: I235c85ba4f067ada8ca1ff0dc33bb4fb14f13f80
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595636
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-28 15:28:30 +00:00
Tatiana Bradley 4ad8671bd5 cmd/vulnreport: further unify code of vulnreport regen and review
Change-Id: I1da43b41d7972860760121211de6f47abf0a2c30
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595635
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-28 15:28:22 +00:00
Tatiana Bradley f8ec56095d internal/report: move some functionality from vulnreport to report.New
Move removal of description and packages (for UNREVIEWED reports)
to report.New so that these actions can be tested more easily.

Change-Id: Ie533f3ef5642f0866c91c28010482eec1d844739
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595275
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-28 15:28:10 +00:00
Tatiana Bradley 68fb04d013 internal/report: improve version handling
A number of improvements to automatic version handling, including:
    - Split version lists by major version rather than failing if they
      are inconsistent
    - Assume all previous major versions (that exist) are affected
    - Put "non-Go" and "unsupported" version lists in their corresponding
      major version (if it exists)
    - Improve the guessVulnerableAt algorithm by adding consistency checks

Change-Id: I9737dbd7d21848570b8e469804628c0e0a3b0a89
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/594899
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-28 15:28:00 +00:00
Tatiana Bradley d10c878bff internal/proxy: use latest instead of list to test existence
Change-Id: I144dc8b0a9b32620172b48a92da5443ac65911b4
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/594898
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-28 15:27:33 +00:00
Tatiana Bradley 19650a23d2 internal/report,checks.bash: fix spellcheck issue
Don't spellcheck testdata/ files or the file containing known
misspellings.

Change-Id: Id9b7ff1050a091901904722fc6bdc7bb595b4574
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595384
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-27 19:36:30 +00:00
Tatiana Bradley ea3c130a11 data: preserve CVE references
Change-Id: I2c5b3c302d53e94b8def479d1beb9d9d0a46761d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595595
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2024-06-27 19:21:07 +00:00
Tim King 51d7f16845 data/reports: unexclude GO-2023-2331
  - data/reports/GO-2023-2331.yaml

Updates golang/vulndb#2331
Fixes golang/vulndb#2949

Change-Id: I91ada0560d396d18dab946ddcc6f60edcb183e80
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595257
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2024-06-27 18:00:06 +00:00
Tim King 4408037c17 data/reports: update GO-2024-2937
  - data/reports/GO-2024-2937.yaml

Updates golang/vulndb#2937
Fixes golang/vulndb#2950

Change-Id: I1f5e5c6ab7dbc398b4a184c8cf99279b6238fb76
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595256
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-26 23:00:22 +00:00
Tatiana Bradley 85d976cf49 internal/report: fix spelling in summaries
For now, use a hard-coded list of words we've seen spelled
incorrectly.

Change-Id: I48ac311eb87214463d5c20a685dbfcb96a96df0a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595315
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2024-06-26 22:50:26 +00:00
Tatiana Bradley c65b9da434 cmd/vulnreport: preserve unexcluded reason in vulnreport regen
Change-Id: Id3ba7aa4b4183658023dd198879ada0f0be3e49b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/594900
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
2024-06-26 22:50:24 +00:00
Tatiana Bradley 903809da80 internal/genericosv: update proxy responses
Change-Id: Ibf4bdf0a3fdb95b6c1e1017ba0c9822bf583bc1b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/594897
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-26 14:53:48 +00:00
Tatiana Bradley ede84b0123 internal/genericosv: add more test cases for GHSAs
Change-Id: I3a5d44924615a093c91a0ec70d456e805a065ebc
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/594896
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2024-06-26 14:53:37 +00:00
Tatiana Bradley b2598231f8 all: update YAML versions to closely match OSV versions
Instead of storing version ranges as structs with paired
Introduced/Fixed versions, follow the OSV convention of
considering each version as its own object with an associated
type.

This simplifies operations such as sorting and merging version
lists, making it easier for us to improve automation.

The only effect on the user (vulndb maintainer) is that the
YAML syntax is now:

    - introduced: xxx
    - fixed: xxx

instead of

    - introduced: xxx
      fixed: xxx

As a convenience, however, the old format is still accepted for
writing reports. (However, it will be automatically converted to the
new format when vulnreport fix is run).

A follow-up CL will make this change for all existing YAML reports.
This will NOT affect the published OSV files.

Change-Id: I91c524b311be5230db5d382f77de4a8e0cd1dda7
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/593820
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2024-06-26 14:53:24 +00:00
Tatiana Bradley 42ebd5293a internal/report: fix bug with adding advisory link in fix
Fix a bug in which an advisory link was sometimes not added.

This bug occurred because, if an existing link containing the source
alias was found (regardless of whether the link was marked as an
advisory), no advisory was added.

Change-Id: I21357453d6610f9ecd58da44feb8020a8cfa1444
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/593819
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2024-06-26 14:52:55 +00:00
Tatiana Bradley 7e022159cc cmd/vulnreport: don't run fix twice for unreviewed reports
Change-Id: Iad59d70e0b7302db4e1d444a488936d5a564a1a1
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/593818
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-26 14:52:33 +00:00
Tatiana Bradley 50d94f1316 internal/genericosv: work around bug in Severity unmarshal
There is an unknown bug causing unmarshal for OSV Severity field
to not work.

We don't use this field, so to work around this issue for now,
simply ignore the Severity field.

To do this, the dependency on osv-scanner was removed and the
relevant files were copied and modified as needed.

Change-Id: I956ea5d2c9c19f2992e6a1c9b723cea35f5e92d6
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/593817
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2024-06-25 22:45:44 +00:00
Damien Neil b702d91f8b data/reports: add GO-2024-2937
  - data/reports/GO-2024-2937.yaml

Fixes golang/vulndb#2937

Change-Id: I4b6df50dd34bd45e3dad61061a0b0992f5bc2131
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/593515
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Auto-Submit: Damien Neil <dneil@google.com>
2024-06-25 22:06:09 +00:00
Tim King 1997cf0a48 data/excluded: add GO-2024-2946
  - data/excluded/GO-2024-2946.yaml

Fixes golang/vulndb#2946

Change-Id: I174d7cd3c6c91de9e941eded1e138d6540073c02
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/594995
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
2024-06-25 20:21:06 +00:00
Tim King 5b4532f94d data/reports: add GO-2024-2947
  - data/reports/GO-2024-2947.yaml

Fixes golang/vulndb#2947

Change-Id: Ia91993e7295ecc21c37f98e11c0379fbe6ce30a5
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/594915
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
2024-06-25 19:47:45 +00:00
Tatiana Bradley e0d78a2476 data/excluded,data/reports: add 10 reports
  - data/excluded/GO-2024-2890.yaml
  - data/excluded/GO-2024-2892.yaml
  - data/excluded/GO-2024-2893.yaml
  - data/excluded/GO-2024-2894.yaml
  - data/excluded/GO-2024-2895.yaml
  - data/excluded/GO-2024-2896.yaml
  - data/excluded/GO-2024-2897.yaml
  - data/reports/GO-2024-2922.yaml
  - data/reports/GO-2024-2923.yaml
  - data/excluded/GO-2024-2925.yaml

Fixes golang/vulndb#2890
Fixes golang/vulndb#2892
Fixes golang/vulndb#2893
Fixes golang/vulndb#2894
Fixes golang/vulndb#2895
Fixes golang/vulndb#2896
Fixes golang/vulndb#2897
Fixes golang/vulndb#2922
Fixes golang/vulndb#2923
Fixes golang/vulndb#2925

Change-Id: Ice699e7a8ddc84e18684a19a15e7ada897f3596f
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592765
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-20 18:18:26 +00:00
Tatiana Bradley 4ec3107262 internal/report: add field unexcluded to YAML
Record the reason a report was previously excluded when
unexcluding it. This will allow us to take this info into account
when deciding the priority of new reports.

Change-Id: I6ad08f28ca7f9bec78280f30db35b0b6546085db
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592776
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-20 18:18:17 +00:00
Tatiana Bradley 0fee238f8c all_test: only error once per duplicate report
Change-Id: Ia1ca09efd16420f6343c3f6f970e037cb32e2de0
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592779
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-20 18:18:05 +00:00
Tatiana Bradley 35a8b0bd5d cmd/vulnreport: add two convenience flags
1) For commit, allow the user to specify a batch size with -batch=X
2) For fix, allow the user to skip all non-lint checks with -skip-checks

Change-Id: I1a42e793cecae6f3086c613e63f410e664f4cce8
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592758
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-20 18:17:52 +00:00
Tatiana Bradley 906b621fbf cmd/vulnreport/priority: take unexcluded reports into account
When using the existing corpus to prioritize new vulnerabilities,
treat unreviewed unexcluded reports the same as likely-binary excluded
reports.

Change-Id: Id803d05ecd33b4486086acac8ff124977b3725ef
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592777
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2024-06-20 18:17:33 +00:00
Tatiana Bradley 55acf55625 cmd/vulnreport: fix duplicate finding in vulnreport triage
Previously, vulnreport triage only considered a subset of open
issues (namely, the ones being processed by the command) when
looking for duplicates. This meant that the command only worked
properly when operating on all open issues.

The command now considers all open issues when looking for duplicates.

Change-Id: Iefe17a46503e50bccdd7dc43561999aa1fae4db0
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592757
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-20 18:17:18 +00:00
Tatiana Bradley c87828f329 cmd/vulnreport: add command vulnreport review
Command vulnreport review converts an unreviewed report
to a reviewed one, regenerating the report from the latest
version of the source and leaving TODOs as appropriate.

Change-Id: Ifc2bf85b00e5495852af6bd5086b6dc402cbebb2
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592775
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-20 18:17:06 +00:00
Tatiana Bradley 1514991de8 cmd/cve: add command cve reject
Adds a command that allows the user (authenticated as a CNA) to
"reject" a CVE that will never be published.

This is intended for CVEs that were reserved but will never be assigned
to a vulnerability because, e.g., the year is not current.

Change-Id: Id60a0e5417d43e791ada898ff83bcef2563c2322
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592435
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-17 20:07:56 +00:00
Tatiana Bradley f6caf5ced6 cmd/vulnreport: fix nil pointer deref in vulnreport regen
Change-Id: I734d49b73f1924c2aea7c126b253d3d328dd09ee
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592756
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
2024-06-17 20:07:17 +00:00
Tatiana Bradley 06cdadde54 data/reports: add 16 unreviewed reports
  - data/reports/GO-2024-2902.yaml
  - data/reports/GO-2024-2915.yaml
  - data/reports/GO-2024-2901.yaml
  - data/reports/GO-2024-2913.yaml
  - data/reports/GO-2024-2911.yaml
  - data/reports/GO-2024-2914.yaml
  - data/reports/GO-2024-2916.yaml
  - data/reports/GO-2024-2891.yaml
  - data/reports/GO-2024-2907.yaml
  - data/reports/GO-2024-2919.yaml
  - data/reports/GO-2024-2899.yaml
  - data/reports/GO-2024-2904.yaml
  - data/reports/GO-2024-2906.yaml
  - data/reports/GO-2024-2917.yaml
  - data/reports/GO-2024-2903.yaml
  - data/reports/GO-2024-2900.yaml

Fixes golang/vulndb#2902
Fixes golang/vulndb#2915
Fixes golang/vulndb#2901
Fixes golang/vulndb#2913
Fixes golang/vulndb#2911
Fixes golang/vulndb#2914
Fixes golang/vulndb#2916
Fixes golang/vulndb#2891
Fixes golang/vulndb#2907
Fixes golang/vulndb#2919
Fixes golang/vulndb#2899
Fixes golang/vulndb#2904
Fixes golang/vulndb#2906
Fixes golang/vulndb#2917
Fixes golang/vulndb#2903
Fixes golang/vulndb#2900

Change-Id: I9f2058ccf726462824192c0a7da1c227a8224661
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592457
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2024-06-14 13:41:08 +00:00
Tatiana Bradley 12d366acf9 cmd/vulnreport: skip issues that are out of scope
Issues labeled OUT_OF_SCOPE should not get a report at all,
so skip them in "vulnreport create".

Change-Id: Ic7051c1ca96e1836653f4f5fc5633a771ccec805
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592455
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2024-06-14 13:40:59 +00:00
Tatiana Bradley a5e41834b9 cmd/vulnreport: add test framework for vulnreport
Adds a test framework that allows tests to inject fake/mock
dependencies into the vulnreport commands and record the expected
output of commands.

Some subcommand tests are left as TODOs, as they require additional
fake/mock dependencies that haven't been implemented yet.

Change-Id: I25f6085f2297e5b9d916f0927c1111ac2b49bef8
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/590038
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2024-06-13 15:59:21 +00:00
Tatiana Bradley c8438c3abf internal/cve*: support triage for cve v5
Change-Id: I051f96165ce9bcfbff233cdf22ba0a9793859fa2
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592016
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-13 13:53:13 +00:00
Tatiana Bradley 9fb6dc4144 internal/cve5: consider ref tags in CVE5
Change-Id: I32814fc82a305170453b36089104348cc0281e3e
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592015
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2024-06-13 13:53:00 +00:00
Tatiana Bradley f75e9af142 internal/worker: remove code related to module scanning
The module scanning functionality is no longer used, so remove it.

Change-Id: Iade894e3f0bb3efa55b3a75082896a1070bdc326
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/588760
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-13 13:52:49 +00:00
Tatiana Bradley a2650ed283 internal/worker: unify some firestore functions
Where possible, unify Firestore operations so that there
are not separate functions for adding/updating/fetching
a record based on its type (CVE/GHSA). The intended operation
is inferred by given ID(s).

Change-Id: Ic82e3ab4c9d519c3101f95444bc0ad306fa2a14e
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/588759
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2024-06-13 13:52:38 +00:00
Tatiana Bradley 1283e469ae internal/worker: rename CVERecord and GHSARecord
Rename CVERecord->CVE4Record and GHSARecord->LegacyGHSARecord.

Both of these need to be updated to support CVE JSON 5 and
GHSA OSV record formats, respectively, so this change makes
it more clear where the old formats are being relied on.

Change-Id: Ib339f0addbc16c37ed03383d64e7cdb30165f366
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/588758
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-13 13:52:24 +00:00
Tatiana Bradley 09e5a2e740 internal/worker: unify issue template for CVEs and GHSAs
Refactor worker code so that the body of issues created from
CVEs and GHSAs have the same basic structure.

Change-Id: Icf082de5642fbb2c13bbb0478916afed52548585
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/586139
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-13 13:52:07 +00:00
Tatiana Bradley fab13c96e6 data/excluded: add 2 excluded reports
  - data/excluded/GO-2024-2686.yaml
  - data/excluded/GO-2024-2708.yaml

Fixes golang/vulndb#2686
Fixes golang/vulndb#2708

Change-Id: I27e3a0c5cad74994dcea13a1dce4cdf585650dc4
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/591203
Commit-Queue: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-10 16:39:14 +00:00
Tatiana Bradley 4dfc374b65 data/reports: add 9 unreviewed reports
Adds some unreviewed reports that needed small manual edits
to pass lint checks.

  - data/reports/GO-2024-2731.yaml
  - data/reports/GO-2024-2753.yaml
  - data/reports/GO-2024-2768.yaml
  - data/reports/GO-2024-2778.yaml
  - data/reports/GO-2024-2780.yaml
  - data/reports/GO-2024-2784.yaml
  - data/reports/GO-2024-2801.yaml
  - data/reports/GO-2024-2815.yaml
  - data/reports/GO-2024-2858.yaml

Fixes golang/vulndb#2731
Fixes golang/vulndb#2753
Fixes golang/vulndb#2768
Fixes golang/vulndb#2778
Fixes golang/vulndb#2780
Fixes golang/vulndb#2784
Fixes golang/vulndb#2801
Fixes golang/vulndb#2815
Fixes golang/vulndb#2858

Change-Id: Iac9abf51e35220e8133a43606b2709e949c9ada3
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/591202
Commit-Queue: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-06-10 16:39:03 +00:00
Tatiana Bradley f74ecab81b data/reports: add 5 unreviewed reports
  - data/reports/GO-2024-2612.yaml
  - data/reports/GO-2024-2684.yaml
  - data/reports/GO-2024-2699.yaml
  - data/reports/GO-2024-2776.yaml
  - data/reports/GO-2024-2769.yaml

Fixes golang/vulndb#2612
Fixes golang/vulndb#2684
Fixes golang/vulndb#2699
Fixes golang/vulndb#2776
Fixes golang/vulndb#2769

Change-Id: I233aeca23f767773c1238eeec2450617801ae69b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/591199
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Commit-Queue: Tatiana Bradley <tatianabradley@google.com>
2024-06-10 16:38:54 +00:00