- Move some functions related to CVE/GHSA regex matching
to a new "idstr" package, as they are not related specifically to the
CVE5 or GHSA GraphQL format.
- Move all logic related to the cve5, cve4 and legacyGHSA formats in
the "internal/report" package to their own files, so it is easier to
(potentially) move these to their own packages in the future.
The goal of this CL is to reduce the risk of import cycles
for some upcoming refactors.
Change-Id: I7e14c31c17882230b783cc62e1ecdf43dcb98995
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/581717
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

Restore the check for unused parameters and remove unused parameters
found by the check.
Change-Id: I80fe9b1cab507eeae8eb1f27e2395824330868c5
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/551436
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

In the "cve publish" command, allow the user to choose to automatically
update a report & its CVE record with missing CVE references.
Change-Id: I2a3e45aa896e6bd69cc8b9697a227ca7aaf4144a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/547496
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

Consolidate regular expressions for CVEs and GHSAs and update a TODO
related to CVEs to reference a bug.
Change-Id: If7837fe3fa7ccb7dd205dc73b259462df2023cd5
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/507908
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>

The CVE program sometimes adds references to a CVE record beyond what
we initially populated. We would like to preserve these references in
CVE records, but not publish them in OSV, because they often do not
meet our style requirements.
To do this, this CL:
1) introduces a field "cve_metadata.references" to
our YAML reports which can be used to list such externally-added
references.
2) adds this field to all YAML reports where 1 or more references
have been externally added.
3) adds a warning to the "cve publish" command to warn the user if
a publish might overwrite an externally-added reference.
Change-Id: I71cce89d2099e9f34b25e9939d755ff9dfd653ba
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/502635
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
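The preserve-and-warn flow described in the commit message above, as an added illustration in Go; this is not vulndb's own code, and the Reference type, the function names and the sample URLs used in the test are assumptions constructed for the example:

```go
package main

import "fmt"

// Reference is a URL attached to a CVE record. Constructed for this example;
// it stands in for vulndb's report and CVE JSON 5.0 reference types.
type Reference struct{ URL string }

// MergeReferences appends a report's cve_metadata.references to the references
// generated from the report body, skipping duplicates, so externally-added
// links survive a publish.
func MergeReferences(generated, preserved []Reference) []Reference {
	seen := make(map[string]bool, len(generated))
	var out []Reference
	for _, r := range append(append([]Reference{}, generated...), preserved...) {
		if !seen[r.URL] {
			seen[r.URL] = true
			out = append(out, r)
		}
	}
	return out
}

// ExternalReferences returns URLs in the currently published CVE record that
// are missing from the record about to be published: references the CVE
// program added after the initial publish, which a new publish would drop.
func ExternalReferences(published, toPublish []Reference) []string {
	have := make(map[string]bool, len(toPublish))
	for _, r := range toPublish {
		have[r.URL] = true
	}
	var dropped []string
	for _, r := range published {
		if !have[r.URL] {
			dropped = append(dropped, r.URL)
		}
	}
	return dropped
}

// PublishWarning is the check to run before sending the record; it returns ""
// when nothing would be lost.
func PublishWarning(cveID string, published, toPublish []Reference) string {
	if dropped := ExternalReferences(published, toPublish); len(dropped) > 0 {
		return fmt.Sprintf("warning: publishing %s would overwrite %d externally-added reference(s): %v", cveID, len(dropped), dropped)
	}
	return ""
}
```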
No-op refactor to remove redundant words like "get" from function names.
Change-Id: I899556dbbe8caa790593bee8d952d1b3f557387b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/497499
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

Modify cve publish to:
1) support the new MITRE web test instance, which displays test CVE
records
2) print out a link to the existing CVE record if it exists
3) not print out the full published CVE record
Also moves the logic for computing the web link to the cveclient instead
of the reports package.
Change-Id: I04b0ef8b93650b834908b29b7a2fa10eb41bf12a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/459597
Reviewed-by: Julie Qiu <julieqiu@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>

In "cve publish", allow argument to be a GitHub issue ID instead of
a filename.
Change-Id: I975030f0a5c9f771dbb1e85fca28b5a88098500e
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/454016
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Julie Qiu <julieqiu@google.com>

Instead of asking the user to provide a flag -update indicating whether
a record is already published, use the CVE Services API to determine this
automatically.
Change-Id: I6e5bf7d6e095360335043424eb3330aeaf23b297
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/446218
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>

MITRE now supports publishing and looking up CVEs via a prod API
(https://github.com/CVEProject/cve-services), so our "cve" command no
longer errors when a user attempts to publish or view a record in the
prod environment.
This CL also fixes the endpoint for the "cve record" command which was
incorrect.
For golang/go#53256
Change-Id: I1a28f9607de1253a5e9bdeb1249f44de4b8f7e47
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/446216
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>

This allows for easier testing without having to change the values
of environment variables.
Change-Id: I76b5d91d75066cf175bd8ffd9cef7efd1689fd8f
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/445896
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>

Print out a newline-separated list of CVEs instead of a comma-separated
one, to make it quicker to copy the list into a spreadsheet.
Change-Id: Ie9e2e406e4fd9a771e04fb82454322e4e12bcd1f
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/435457
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>

NIST provides a more readable version of the CVE information than
cve.mitre.org, and cve.mitre.org also links to it prominently, so link
to the NIST page instead.
Change-Id: Ia8044b92af5e7816098fcaec81fada1dff92c6f4
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/423094
Reviewed-by: Julie Qiu <julieqiu@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Julie Qiu <julieqiu@google.com>
Auto-Submit: Julie Qiu <julieqiu@google.com>

Adds a new command, cve publish, which can be used to publish CVE
Records to MITRE from YAML reports or JSON files. Also adds a cve record
command to look up existing CVE records by ID. The commands are
currently only supported in the test environment as the MITRE API does
not yet support the commands in production.
To support these commands, this CL also contains logic to convert YAML
report files to the new CVE JSON 5.0 format.
For golang/go#53256
Change-Id: I024bb18a2ece851724ca97f2f6d77f6aafc956b0
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/411514
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Julie Qiu <julieqiu@google.com>

Adds new internal package cveclient, a Go client for the MITRE CVE
Services API. Implements functionality to reserve new IDs, look up
existing IDs, look up quota, and list IDs for an organization.
Also adds a command line tool 'cve' to call the client functions.
For golang/go#53256
Change-Id: I10fad48adbdac32485ddf05975e2604021607079
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/409995
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Auto-Submit: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Julie Qiu <julieqiu@google.com>