Now that the ID is in the YAML report, we don't need to call GoID() as
often, and we don't need to pass the Go ID to YAMLFilename or CVEFilename.
Change-Id: I80c161a3be47a54d97837e4d68e789f166c8907b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/498282
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>

Adds the ID field to all YAML reports and adds a lint check to enforce
that all reports have the correct value for the field. Also adds a
step to "vulnreport fix" to fix the ID if needed.
Change-Id: I51f4654e127528e1dbbfcb9c59da3658ad52098b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/498281
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>

Upgrade to non-vulnerable version.
Also update tests because the behavior of yaml has slightly changed with
how whitespace is handled.
Change-Id: Ie6088046da9cd79ee6ad6e5aefb03fdc65cd707b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/499655
Auto-Submit: Julie Qiu <julieqiu@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Julie Qiu <julieqiu@google.com>

This allows us to directly read the ID from a report struct, instead
of needing to pass around the ID or the filename.
Change-Id: I3b233f02d65ee383994fc2cce6d92c8284aebea4
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/498280
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>

Move the filename check out of Lint and into its own function. Now
a report can be linted independently of its filename.
We still check that filenames are correct in "vulnreport lint" and
other commands, and in the big TestLintReports test.
Change-Id: Ic7a5bb50de51aa72cb41179ef6a9303c7b5ecff3
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/498279
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>

No-op refactor to remove redundant words like "get" from function names.
Change-Id: I899556dbbe8caa790593bee8d952d1b3f557387b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/497499
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

Aliases: CVE-2023-1732, GHSA-2q89-485c-9j2x
There were two edits in the fix CL that are not reflected in the
report: the ones in packages kem/kyber/templates and
kem/sike/templates. These contain Go files with a "// +build ignore"
tag. They are actually templates that are probably used
to generate the other .go files.
I tried to add a comment to that effect to the yaml file,
but vulnreport removed it.
Fixes golang/vulndb#1765
Change-Id: Ib48fae330230687178ea4b61e6202150e6f89d1b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/494940
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

To remove the dependency on the now unsupported x/vuln client, clone
the vulndb repo and call Aliases to find all aliases. This is actually
an improvement, as the worker will now take into account excluded aliases
when determining if something is a duplicate.
With this change, we have now completely removed the dependency of this
repo on x/vuln.
Fixes golang/go#60116
Change-Id: I12a837745d4eb2cc62cdb44522a52e2d016b4b6c
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/497039
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>

Function Aliases returns a list of all aliases (CVEs and GHSAs) in the
given vulndb repo. This will be used by the worker in place of the old
x/vuln client.
This change also updates the GetAllExisting function to not use a strict
YAML decoder, which sometimes causes the worker to spuriously fail
if a new YAML field is added and the new worker hasn't yet been
deployed.
Change-Id: I5e1872752ce4954ee89df8c0a0e46b2c9ab1ea4a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/497038
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

Instead of validating YAML version ranges directly, convert them
to OSV ranges and validate those to re-use the code.
Also add a lint check to ensure the vulnerable_at version is inside the
vulnerable range, and fix a report that had this error.
Change-Id: I315fd3e62902c115ea56b3111e3d77983d5a74fb
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/495985
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>

Make Lint easier to test by creating test reports that can
be changed via a function, rather than needing to copy-and-paste the
test reports for each test case.
Change-Id: I13f7c3c699de4efb90b3ba621c00bb772ff48321
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/495983
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>

Simplify the logic of AffectsSemver by requiring that all ranges
are valid (in particular, sorted), before operating on them.
AffectsSemver now returns an error if the ranges or version is invalid.
This allows the caller to distinguish between an invalid input and
a truly unaffected version.
Change-Id: Id7271c3acaca0980c9c0c57b3c6ef961e18a45de
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/495982
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

Refactor the exportedFunctions function to take in a single package
and module, which was how it was being used. (The caller,
"vulnreport fix", loops over all modules and packages and calls
exportedFunctions for each package).
Change-Id: I04f178efa9fc5cb0d9a06a49ea0059cbc032913d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/495986
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>

- Remove the type Version and use bare strings to avoid type casting.
- Move functions for dealing with versions to the version package
Change-Id: I0b811f70c7c21e64ee59bfdc57d149fc9dab93ff
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/495981
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>

Moves AffectsSemver function to the internal/osvutils package, and
renames the internal semver package to "version" to avoid collision
with the x/mod/semver package.
Change-Id: I49e8875c18ec92578f5ab8300a54d1082b4f6c6d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/495980
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

Adds functions to validate OSV entries, and calls these functions in
both unit tests and pre-deploy checks.
Change-Id: Id5ddbb6c1a5c81b9176491d5cf1a88fbae928606
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/495498
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

vulncheck is not exported any more so we cut ties with it here. This CL
replaces calls to vulncheck with a slightly modified copy of parts of
vulncheck.
The copy contains just enough logic to compute derived symbols, i.e.,
entries of the call graph leading to vulnerable symbols. Hence, the copy
manifests as an internal package of vulnreport called vulnentries.
Other logic of vulncheck is not copied.
The copied code of vulncheck is unlikely to change in the future and has
not changed much since its outset in vuln. This will hopefully
minimize the maintenance burden of vulnreport going forward.
vulnreport now does not depend on golang.org/x/vuln.
Change-Id: Ie5e7bab639ad69144a9be64f1899c722c13db37c
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/496475
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

Allow multiple credits in YAML reports to move closer to format of
OSV and CVEs.
Change all the YAML reports to use this new field, and update any
OSVs/CVEs that now have multiple credits.
Change-Id: I6452cb51614b44c86ec6fa47a7bce68976be8f9e
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/496163
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>

Remove function ToCVE, which is made obsolete by ToCVE5.
Change-Id: If95e2371350bb91b6b34a8733f9a590a6a4b0508
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/496162
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

DoNotExport is no longer used for anything, so remove it.
Change-Id: I11793d774a20e96e4ec84e2bdc238c28136630f4
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/496161
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>

Adds schema version to all test OSV entries and ensures that test package
names are prefixed by test module names. This is to prepare for adding
stricter validation for OSV entries.
Change-Id: I06b37a8dd3ff753ad48e8cec8002a455d5676f35
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/495497
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Julie Qiu <julieqiu@google.com>

The intent is that a single-word line greater than 100 characters
is allowed. The code was checking the entire content, not
just the current line.
Also display the line in the error.
Change-Id: I8ad83d25c905e0a7ff13612cfe829df540897fb8
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/494936
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

For std and cmd reports with an introduced version at 1.x.0, add the
suffix "-0" so that the vuln will be considered introduced before any
rc versions.
Change-Id: I4c69a7895b453f759924cefaa283570ee42b4858
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/494218
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>

This resolves some ssa/generics issues in computation of exported
symbols. These issues were discovered when creating a report for
GO-2023-1737.yaml.
Change-Id: Id75aa0be44844829374c034cc8c8ec1f0beb65e8
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/494316
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

Adds a lint check to require a non-empty summary field in YAML reports,
and backfills summary field for all old reports with a TODO. (This TODO
is OK because the summary field is not yet published to OSV.)
For golang/go#56443
Change-Id: I368d48ceca35ed74a0461550d5386ae7ff85be1a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/493595
Reviewed-by: Tim King <taking@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>