This change removes all code related to generating and validating
vulnerability databases in the legacy format.
Fixes golang/go#65320
Change-Id: I83522efec90aa04df54976d5c29d485acd13e53c
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/558658
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
In the deploy script, additionally publish the Go vulnerability database
as a zip file.
This will allow clients to easily download the database and, for example,
run govulncheck offline.
Once deployed, this new endpoint will be accessible via
https://vuln.go.dev/vulndb.zip
Change-Id: I8e5f3c4e957d3d980e692ac6ad2ca7afefc42086
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/557895
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
Generate and validate, but don't actually deploy, the v1 database
in the deploy script. Once we have confidence that this works, we
can deploy the v1 database.
For golang/go#58816
Change-Id: I69340c76d2514b11ed3d1937b604478903706afc
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/472884
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Adds a new package "legacydb" to contain all code related to generating
and validating the Go vulnerability database according to the legacy
schema, which will be replaced soon.
This will make it easier to delete this code once it is no
longer needed.
Change-Id: Iaf57213fd720d8d9293c018b1f302928dd239bf8
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/471215
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Modify Generate to take in a *git.Repository instead of a directory
string, so it can be more easily unit tested. Add a unit test.
For golang/go#56417
Change-Id: I3eaa84b41568e9582ac1f16be8c979d7b71d5ad3
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/457017
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Add an -indent flag to produce indented JSON, useful when debugging
the database generation.
Change-Id: I3207ba7b592a84cbb92c864ea092262470a5103f
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/424897
Reviewed-by: Julie Qiu <julieqiu@google.com>
When a report has no 'published' field set, populate it from the
submitter timestamp of the commit that added the report to the
vulndb repo.
Fixes golang/go#50434
Change-Id: I21ef234ffe78457ff42db3ffa4decb1199a129f3
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/376154
Trust: Damien Neil <dneil@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julie@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
golang.org/x/vuln/srv is moved to this repository. Originally, the
motivation for creating x/vuln was to split the YAML reports and Go code
into two separate repositories. However, this resulted in a few
issues:
1. The structure of the YAML reports is tightly coupled with the structs
in internal/report, and changing one without the other would result
in errors when linting the reports.
2. The vlint package itself needed to be exported, even though the only
consumer was the test in x/vulndb.
3. The deploy/build.yaml script depends on cmd/gendb@latest, so updating
that command could easily break the script (for example, submitting
CL 373004 without changing the reference in deploy/build.yaml).
Additionally, the original location of this code was x/vuln, which
contained two types of packages.
(1) Packages meant for consumption by other clients (for example,
x/vuln/client), and
(2) Internal packages that were only meant for use to spin up the
worker.
The internal packages resulted in many dependencies since they pulled in
GCP, which we don't want clients of the vulncheck library to
have to pull in. This problem was originally solved by creating a nested
module inside x/vuln, but nicer separation that would also solve the
issues above is the following:
* x/vuln: contains Go code meant to be imported by others
* x/vulndb: contains internal code only used to maintain the vulndb
For golang/go#50247
Change-Id: I74a7b7f9b8fc5b0ad48a45fc3156f93c08aa9955
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/373495
Trust: Julie Qiu <julie@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Delete cmd/ files. These are moved to x/vuln.
Change-Id: Iee25b4b3652f71c012b6267fcdbf4d2a348ac448
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/362578
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Write ID/index.json, which contains a list of the IDs in the ID
directory.
Clients can use this to list the IDs even if there is no way to list
the contents of a directory.
Change-Id: I9a22a71f7f086302f19e228cd6caf1845c319e77
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/358548
Trust: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Julie Qiu <julie@golang.org>
Running staticcheck found that matchesCurrent is unused, so the function
is deleted.
Staticcheck error:
cmd/gendb/main.go:32:6: func matchesCurrent is unused (U1000)
Change-Id: I36d36e9ceebf09abd70712e824ba0247852491ab
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/356172
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Rename from "byID" to "ID".
Change-Id: I51f07a4fe85255579e59754c7b9ad8b23d269ed2
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/356150
Trust: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Julie Qiu <julie@golang.org>
Package report is moved to internal/report, since that package is only
used by the vulndb module.
Change-Id: I773f6e00f4d99327ba65a28f8ba7ba4ed24d5bd6
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/355269
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
kokoro uses old go, so we need to use the pre-1.16 functions.
Change-Id: I1bb3695cf513091440d2838e83d1bdcefb99d836
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/355352
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Julie Qiu <julie@golang.org>
Reviewed-by: kokoro <noreply+kokoro@google.com>
Vulndb-Deploy: Roland Shoemaker <bracewell@google.com>
Create a new directory in the database, called byID, and write one
file there for each osv.Entry, named by the Entry's ID. This provides
a way to quickly get an entry by ID, rather than by affected package.
Change-Id: I9971bbd5b5f8ef384f930915f6bcdc03d1dd05cf
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/352890
Trust: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Julie Qiu <julie@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Vulndb-Deploy: Roland Shoemaker <bracewell@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
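The two commits above that introduce the byID directory (one file per osv.Entry, named by ID) and ID/index.json (a list of those IDs for clients that cannot list a directory) describe a small on-disk layout. The following Go program is an added example written for this page, not code from the vulndb repository: it writes that layout and then validates it, flagging an index that lists a file which is missing and a file that the index does not list. The directory is named ID, following the later "byID" to "ID" rename. The Entry type is a constructed stand-in with only two fields, the sample IDs are placeholders, and the path check on IDs is this example's own precaution rather than anything the commits describe.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// Entry is a constructed stand-in for osv.Entry with only the fields this
// example needs; the real type carries many more.
type Entry struct {
	ID      string `json:"id"`
	Summary string `json:"summary"`
}

// SampleEntries returns constructed placeholder entries, not real vulndb reports.
func SampleEntries() []Entry {
	return []Entry{{ID: "GO-0000-0002", Summary: "constructed B"}, {ID: "GO-0000-0001", Summary: "constructed A"}}
}

func writeJSON(path string, v any) error {
	data, err := json.Marshal(v)
	if err != nil {
		return err
	}
	return os.WriteFile(path, data, 0o644)
}

// WriteIDDir writes one <dbDir>/ID/<id>.json per entry plus <dbDir>/ID/index.json
// holding the sorted IDs. An ID that could act as a path is rejected first
// (this example's own check, not part of the commits above).
func WriteIDDir(dbDir string, entries []Entry) error {
	idDir := filepath.Join(dbDir, "ID")
	if err := os.MkdirAll(idDir, 0o755); err != nil {
		return err
	}
	ids := make([]string, 0, len(entries))
	for _, e := range entries {
		if e.ID == "" || strings.ContainsAny(e.ID, `/\`) || strings.Contains(e.ID, "..") {
			return fmt.Errorf("refusing to write entry with unsafe ID %q", e.ID)
		}
		if err := writeJSON(filepath.Join(idDir, e.ID+".json"), e); err != nil {
			return err
		}
		ids = append(ids, e.ID)
	}
	sort.Strings(ids)
	return writeJSON(filepath.Join(idDir, "index.json"), ids)
}

// ValidateIDDir checks that ID/index.json and the *.json files in ID/ agree
// in both directions and returns the listed IDs.
func ValidateIDDir(dbDir string) ([]string, error) {
	idDir := filepath.Join(dbDir, "ID")
	data, err := os.ReadFile(filepath.Join(idDir, "index.json"))
	if err != nil {
		return nil, err
	}
	var ids []string
	if err := json.Unmarshal(data, &ids); err != nil {
		return nil, err
	}
	files, err := os.ReadDir(idDir)
	if err != nil {
		return nil, err
	}
	// Collect the IDs that actually have a file on disk.
	onDisk := map[string]bool{}
	for _, f := range files {
		if name := f.Name(); name != "index.json" && strings.HasSuffix(name, ".json") {
			onDisk[strings.TrimSuffix(name, ".json")] = true
		}
	}
	// Every listed ID must have a file; deleting as we go also catches duplicates.
	for _, id := range ids {
		if !onDisk[id] {
			return nil, fmt.Errorf("index.json lists %s but ID/%s.json is missing (or the ID is duplicated)", id, id)
		}
		delete(onDisk, id)
	}
	// Anything left over is a file the index does not know about.
	if len(onDisk) > 0 {
		return nil, fmt.Errorf("%d file(s) in ID/ are not listed in index.json", len(onDisk))
	}
	return ids, nil
}

func main() {
	dir, err := os.MkdirTemp("", "vulndb-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := WriteIDDir(dir, SampleEntries()); err != nil {
		panic(err)
	}
	ids, err := ValidateIDDir(dir)
	fmt.Println("IDs:", ids, "validation error:", err)
}
```

Running the program writes the layout into a temporary directory and prints the two sorted IDs with a nil validation error. The two-way check in ValidateIDDir is the useful part for a consumer: a client that trusts index.json as its only directory listing should notice when the index and the files it points at have drifted apart.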
- Use `if err := ...; err != nil` when feasible.
- Remove references to the deprecated io/ioutil package.
Change-Id: I94dacacd5d982531b658d629e0dd691f15405098
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/352889
Trust: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Rename `fail` to `failf` and have it take a format string and args
like printf-style functions.
Change-Id: Ifd363e372b40ed3da38fa3e3c82a966f65ced587
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/352749
Trust: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
An implementation of the specification change proposed by
https://github.com/ossf/osv-schema/pull/1. The significant change here
is that instead of generating multiple entries for reports with
multiple packages (in the additional_packages section), we instead
generate a single entry that covers all of the packages, and write the
same entry for each module path.
Change-Id: Ia9d8e0a82081ab7f5becd20c6adf976f4d6966db
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/340210
Reviewed-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Vulndb-Deploy: Roland Shoemaker <bracewell@google.com>
Rather than structuring the database around packages. This results
in larger JSON files, but provides a more obvious grouping for
vulnerabilities.
Change-Id: Ica3301f4f88e7aa5e704dc9e390ec336515d3a4e
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/339269
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Vulndb-Deploy: Roland Shoemaker <bracewell@google.com>
Lint all reports in main unit test.
Change-Id: Ib605dc109128581f8209a6a2088313bd0dbc4801
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/337851
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Avoids hard-to-spot typos.
Change-Id: I0ec2f93ede22217beb4be6b9b6f881e7f8e9e6a1
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/335689
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>