Modify the corpus-wide report lint check to allow unreviewed reports
to have the same summary as other (reviewed or unreviewed) reports.
Reviewed reports must still have unique summaries (but may share a summary
with one or more unreviewed reports).
Change-Id: I8ab4fc259e019c0fb529ed0ef332cc9cfe634483
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/590279
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
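One way to express the rule described in this commit message, as an added example rather than the vulndb project's own lint code. The Report type, the ReviewStatus values and the GO-0000-* identifiers are constructed for the example; the real report package's types are not shown here.

```go
package main

import (
	"fmt"
	"sort"
)

// ReviewStatus models the REVIEWED / UNREVIEWED states the lint rule keys on.
// The type and field names are assumptions made for this example.
type ReviewStatus string

const (
	Reviewed   ReviewStatus = "REVIEWED"
	Unreviewed ReviewStatus = "UNREVIEWED"
)

// Report is a minimal stand-in for a vulndb report file.
type Report struct {
	ID      string
	Summary string
	Status  ReviewStatus
}

// lintSummaries enforces the corpus-wide rule: a REVIEWED report's summary
// must not be reused by another REVIEWED report, while UNREVIEWED reports may
// share a summary with anything. One error string is returned per offending
// REVIEWED report, sorted so the output is deterministic.
func lintSummaries(reports []Report) []string {
	reviewedIDs := map[string][]string{} // summary -> IDs of REVIEWED reports using it
	for _, r := range reports {
		if r.Status == Reviewed {
			reviewedIDs[r.Summary] = append(reviewedIDs[r.Summary], r.ID)
		}
	}
	var errs []string
	for _, r := range reports {
		if r.Status != Reviewed {
			continue // unreviewed reports never trigger this check
		}
		if ids := reviewedIDs[r.Summary]; len(ids) > 1 {
			errs = append(errs, fmt.Sprintf("%s: summary %q is also used by REVIEWED report(s) %v",
				r.ID, r.Summary, without(ids, r.ID)))
		}
	}
	sort.Strings(errs)
	return errs
}

// without returns ids with the given id removed.
func without(ids []string, id string) []string {
	var out []string
	for _, x := range ids {
		if x != id {
			out = append(out, x)
		}
	}
	return out
}

// sampleReports is constructed input covering the allowed and forbidden cases.
func sampleReports() []Report {
	return []Report{
		{"GO-0000-0001", "Path traversal in example.com/a", Reviewed},
		{"GO-0000-0002", "Path traversal in example.com/a", Unreviewed}, // OK: unreviewed may match a reviewed summary
		{"GO-0000-0003", "Denial of service in example.com/b", Reviewed},
		{"GO-0000-0004", "Denial of service in example.com/b", Reviewed}, // error: two reviewed reports share
		{"GO-0000-0005", "Denial of service in example.com/b", Unreviewed},
		{"GO-0000-0006", "Denial of service in example.com/b", Unreviewed}, // OK: unreviewed may match each other
	}
}

func main() {
	for _, e := range lintSummaries(sampleReports()) {
		fmt.Println(e)
	}
}
```

Only reports 0003 and 0004 are flagged; the unreviewed duplicates are accepted, which is the relaxation this change introduces.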
Add a lint check to ensure that original reports created
by the Go team are always marked REVIEWED.
Change-Id: I5d72998be1597e42ec5ae5e05d4a5d9a4324cb40
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/590276
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Fix bug in which excluded reports would be published to the wrong
folder. This was accidentally introduced in a recent refactor
and no reports were actually published to the wrong folder (this would
have been caught before submit if it had occurred).
Change-Id: Icc9eb99b2ceb185310e99eaa39e45072e0ae6c80
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/590280
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Add tests to check contents of the update record and for error
cases. This is to prep for a change to this function's behavior.
Change-Id: I9380f661725aa4a50db0691906d3d6a5a925f8d1
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/589995
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Remove error return value from xref, which always returns nil.
(Caught by unparam and blocking deploy of vulndb)
Change-Id: I4c9423f0d333d7beb9422ee558ed83f3dd99aebf
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/590115
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
With no arguments, "vulnreport commit" now individually commits all
reports that have been added/changed (according to git status).
(To commit them all as a single commit, use "vulnreport -batch commit").
The flag "-status=<REVIEW_STATUS>" can additionally be used
to only commit reports with a certain review status.
Change-Id: I4efb4e866166b6153d556409408021dc861656fb
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/590035
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
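An added example of the selection step this commit describes (which changed report files to commit, optionally filtered by review status). It is not the vulnreport tool's code: it parses constructed `git status --porcelain` output and reads review_status with a plain line scan instead of the project's report parser. The data/reports and data/excluded prefixes, the GO-0000-* names and the assumption that excluded reports (which carry no status) are only selected when no -status filter is given are all assumptions for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// changedReports parses `git status --porcelain` output and returns the report
// YAML files under data/reports and data/excluded that were added, modified or
// renamed, sorted by path. Deleted files and non-report files are skipped.
func changedReports(porcelain string) []string {
	var files []string
	sc := bufio.NewScanner(strings.NewReader(porcelain))
	for sc.Scan() {
		line := sc.Text()
		if len(line) < 4 {
			continue
		}
		code, file := line[:2], line[3:] // "XY path"
		if strings.Contains(code, "D") {
			continue // deleted in the index or the worktree
		}
		if i := strings.Index(file, " -> "); i >= 0 {
			file = file[i+4:] // rename: keep the new path
		}
		isReport := strings.HasPrefix(file, "data/reports/") || strings.HasPrefix(file, "data/excluded/")
		if !isReport || !strings.HasSuffix(file, ".yaml") {
			continue
		}
		files = append(files, file)
	}
	sort.Strings(files)
	return files
}

// reviewStatusOf pulls the review_status field out of a report's YAML text
// with a line scan (assumption: the field sits at top level on its own line).
func reviewStatusOf(yamlText string) string {
	for _, line := range strings.Split(yamlText, "\n") {
		if strings.HasPrefix(line, "review_status:") {
			return strings.TrimSpace(strings.TrimPrefix(line, "review_status:"))
		}
	}
	return ""
}

// selectReports returns the changed reports to commit. With status == "" every
// changed report is selected; otherwise only reports whose review_status
// matches. Excluded reports have no status, so a filter never selects them.
func selectReports(porcelain string, contents map[string]string, status string) []string {
	var out []string
	for _, f := range changedReports(porcelain) {
		if status == "" || reviewStatusOf(contents[f]) == status {
			out = append(out, f)
		}
	}
	return out
}

// Constructed sample data standing in for a working tree and its files.
const samplePorcelain = ` M data/reports/GO-0000-0001.yaml
?? data/reports/GO-0000-0002.yaml
A  data/excluded/GO-0000-0003.yaml
 D data/reports/GO-0000-0004.yaml
R  data/reports/old.yaml -> data/reports/GO-0000-0005.yaml
 M internal/report/lint.go
`

var sampleContents = map[string]string{
	"data/reports/GO-0000-0001.yaml":  "id: GO-0000-0001\nreview_status: REVIEWED\n",
	"data/reports/GO-0000-0002.yaml":  "id: GO-0000-0002\nreview_status: UNREVIEWED\n",
	"data/excluded/GO-0000-0003.yaml": "id: GO-0000-0003\nexcluded: NOT_GO_CODE\n",
	"data/reports/GO-0000-0005.yaml":  "id: GO-0000-0005\nreview_status: REVIEWED\n",
}

func main() {
	for _, status := range []string{"", "REVIEWED", "UNREVIEWED"} {
		fmt.Printf("-status=%q -> %v\n", status, selectReports(samplePorcelain, sampleContents, status))
	}
}
```

With no filter, four files are selected (the deleted report and the non-report file are skipped); "-status=REVIEWED" narrows that to two and "-status=UNREVIEWED" to one. Committing each selected file separately, or all at once under -batch, is the step that follows.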
Adds a check to "vulnreport fix" that errors if any URLs in the
"references" section return an error or status 404 on HTTP HEAD.
We don't check for other status codes yet.
An experiment to error on all non-200 status codes brought up some
ambiguous cases where the link is still viewable in a browser, e.g.:
- 429 Too Many Requests (https://vuldb.com/?id.256304)
- 503 Service Unavailable (http://blog.recurity-labs.com/2017-08-10/scm-vulns)
- 403 Forbidden (https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html)
For now, this is a fix check and not a lint check, meaning it only
applies to new reports, and can technically be ignored (by manually
creating a CL that adds the report).
This CL also deletes existing URLs in the corpus that don't exist
according to this check.
Change-Id: Id14fb79fc2f2c2d4c8145fdc88d11aa33708c94b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/588761
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
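The reference check described here, as an added example that is not the vulnreport tool's own code. It sends HEAD to each URL, fails only on a transport error or a 404, and lets any other status through, which is the behaviour the commit message settles on after the experiment with non-200 codes. The local httptest server and the closed-port URL are constructed stand-ins for the ambiguous hosts listed above, so the example runs offline.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// checkReferences sends an HTTP HEAD to each URL and returns a message for
// every URL that either fails at the transport level or answers 404. Any
// other status (200, 403, 429, 503, ...) is accepted, matching the rationale
// that such links are often still viewable in a browser.
func checkReferences(client *http.Client, urls []string) []string {
	var bad []string
	for _, u := range urls {
		resp, err := client.Head(u)
		if err != nil {
			bad = append(bad, fmt.Sprintf("%s: %v", u, err))
			continue
		}
		resp.Body.Close()
		if resp.StatusCode == http.StatusNotFound {
			bad = append(bad, fmt.Sprintf("%s: HTTP %d", u, resp.StatusCode))
		}
	}
	return bad
}

// demoServer is a constructed stand-in for the ambiguous hosts in the commit
// message: one path per status code the check must tolerate or reject.
func demoServer() *httptest.Server {
	status := func(code int) http.HandlerFunc {
		return func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(code) }
	}
	mux := http.NewServeMux()
	mux.Handle("/ok", status(http.StatusOK))
	mux.Handle("/missing", status(http.StatusNotFound))
	mux.Handle("/busy", status(http.StatusTooManyRequests))
	mux.Handle("/down", status(http.StatusServiceUnavailable))
	mux.Handle("/forbidden", status(http.StatusForbidden))
	return httptest.NewServer(mux)
}

// runDemo runs the check against the constructed server plus one URL nothing
// listens on, and returns the references that would fail "vulnreport fix".
func runDemo() []string {
	srv := demoServer()
	defer srv.Close()
	client := &http.Client{Timeout: 5 * time.Second}
	urls := []string{
		srv.URL + "/ok",
		srv.URL + "/missing",
		srv.URL + "/busy",
		srv.URL + "/down",
		srv.URL + "/forbidden",
		"http://127.0.0.1:1/unreachable", // assumed closed port: transport error
	}
	return checkReferences(client, urls)
}

func main() {
	for _, b := range runDemo() {
		fmt.Println("bad reference:", b)
	}
}
```

Only the 404 and the unreachable host are reported. One caveat worth keeping in mind with a HEAD-only probe: a server that rejects HEAD with 405 (or 403, as in the SAP case above) passes this check even when the page is gone, and a 429 passes even though it says nothing about whether the page exists, so the check catches dead links but cannot prove a reference is live.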
Command vulnreport create now decides whether to generate a REVIEWED
or UNREVIEWED report based on issue's labels.
This can be overridden with flag "-status=<REVIEW_STATUS>". The "unreviewed"
flag is removed.
Change-Id: I8f8b808c6f9bbcaeb0dc176fb6cb875b8f9ccee4
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/587976
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Adds the beginnings of a guide that can be used as a
reference for the current vulndb triager, in combination
with the older triage guide.
The goal is to document new features / processes
so we can get started with experimenting with them
without needing to overhaul the whole guide before we
have worked out the final process.
Change-Id: Iad8256414fda78ebbdbfc44776a46786cbbb034c
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/587975
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Update the vulnreport triage command to label any issues it triages
as "triaged", and skip issues that are already labeled as such.
(The flag "-f" overrides the skip).
This allows the triager to simply run "vulnreport triage" to triage all
untriaged issues.
Change-Id: I24611166d972c46100b1e8fd38bed1fb87071d11
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/587915
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
This is part of computation of the name of the function in vuln. db
format. For "func (A[T1, T1, T3]) Foo", the name should be "A.Foo".
Change-Id: Iaeb7eccf3d72504484e697de972297ff37481255
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/586719
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
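An added example of the receiver handling this commit describes, written against go/ast rather than taken from vulndb's own symbol code. It strips a pointer and a type-parameter list (a single parameter parses as *ast.IndexExpr, several as *ast.IndexListExpr) so that a method on a generic type is named "A.Foo" regardless of how the receiver is spelled. The sample source below is constructed for the example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// receiverTypeName strips a pointer and any type-parameter list from a method
// receiver expression and returns the bare type name, so "A", "*A", "A[T]" and
// "A[T1, T2, T3]" all yield "A".
func receiverTypeName(recv ast.Expr) (string, bool) {
	for {
		switch t := recv.(type) {
		case *ast.StarExpr: // *A
			recv = t.X
		case *ast.IndexExpr: // A[T]: a single type parameter
			recv = t.X
		case *ast.IndexListExpr: // A[T1, T2, ...]: several type parameters
			recv = t.X
		case *ast.Ident:
			return t.Name, true
		default:
			return "", false
		}
	}
}

// symbolName returns the vulndb-style symbol name for a declaration: "Foo"
// for a plain function and "A.Foo" for a method with receiver type A.
func symbolName(fd *ast.FuncDecl) (string, error) {
	if fd.Recv == nil || len(fd.Recv.List) == 0 {
		return fd.Name.Name, nil
	}
	typ, ok := receiverTypeName(fd.Recv.List[0].Type)
	if !ok {
		return "", fmt.Errorf("unsupported receiver type for %s", fd.Name.Name)
	}
	return typ + "." + fd.Name.Name, nil
}

// symbolNames parses Go source text and lists the names of every top-level
// function and method in declaration order.
func symbolNames(src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "example.go", src, 0)
	if err != nil {
		return nil, err
	}
	var names []string
	for _, d := range f.Decls {
		fd, ok := d.(*ast.FuncDecl)
		if !ok {
			continue
		}
		n, err := symbolName(fd)
		if err != nil {
			return nil, err
		}
		names = append(names, n)
	}
	return names, nil
}

// sampleSource is constructed input; it is not taken from any real module.
const sampleSource = `package p

type A[T1, T2, T3 any] struct{}

func (A[T1, T2, T3]) Foo()    {}
func (a *A[T1, T2, T3]) Bar() {}

type B struct{}

func (b B) Baz() {}
func (*B) Qux()  {}
func Plain()     {}
`

func main() {
	names, err := symbolNames(sampleSource)
	if err != nil {
		panic(err)
	}
	for _, n := range names {
		fmt.Println(n)
	}
}
```

The output is A.Foo, A.Bar, B.Baz, B.Qux and Plain: the type parameters never appear in the symbol name, which is what a vulnerability record needs so that one entry matches every instantiation.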
Add the first UNREVIEWED report.
- data/reports/GO-2024-2864.yaml
Fixes golang/vulndb#2864
Change-Id: Ib67d84b1da34f0a9ede9af69fdef084efa44db17
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/586295
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Sort references by type, then alphabetically.
Change-Id: Ia09085488f62829f5216c5cb90db680821afc1ea
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/585418
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Adds a few general improvements to make it more likely that
automation will succeed with no lint/fix errors for UNREVIEWED
reports.
Specifically:
- For CVEs:
- don't populate a package if it is the same as the module path
- fix incorrect classification of vulns as affecting stdlib
if their packages don't contain a "." (usually this is a mistake)
- Auto-convert "versions" to "non_go_versions" if none of the versions
exist according to the proxy
- Make error messages for symbol population more specific so it is
more clear what caused the error
- Add an advisory referencing the source ID if not present
- Improve classification of advisories by checking if a CVE/GHSA alias
is actually referenced
- Relax lint checks for unreviewed reports:
- Unreviewed report summaries do not need to conform to style
- Unreviewed reports must have at least one advisory, but may have more
Change-Id: I3762202d4eeb60cff3dc407c3f9ab9a208a91134
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/583476
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Move the check for outstanding TODOs from the vulnreport
fix function to the report.Lint function.
Change-Id: I909dae66400423453c6178ec452462e0cf1f4273
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/585417
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Flag -batch causes vulnreport commit to (attempt to) create a single
commit that commits all reports indicated by its arguments, instead
of committing each report separately.
Change-Id: Ib0c9b3d52c7654ac952e78ca042ce5f29b98f48a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/585439
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Flag -unreviewed causes create to generate unreviewed reports
(with no description and no TODOs).
Change-Id: If60eeb22983b3b6480d440de740e6eedf3fcf8d9
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/585438
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
All non-excluded reports must now contain a status (either REVIEWED
or UNREVIEWED).
Change-Id: I7c3d217a5efc7f7fc4a15e22b277d456177212c4
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/585518
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
In report.New, make UNREVIEWED the default status. This
can be overridden via the WithReviewStatus() option.
(This does not change the fact that vulnreport create creates
REVIEWED reports by default).
Change-Id: Id4c6d453a2b977986381eb81b7e2fb1087c9b735
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/585516
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Add support for the field "review_status" for both YAML
and OSV, but don't yet publish any reports with the field.
Newly created reports will be marked REVIEWED and newly "unexcluded"
reports will be marked UNREVIEWED by default.
Change-Id: Id04c9d1c9f3240b1fa277c23c2351627c99b1fc4
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/585515
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Replace "vulnreport duplicates" with a new command, "vulnreport triage"
that checks the current open issues for duplicates and issues that are likely
not affecting Go code, and determines the issues' priority.
Likely duplicates are labeled "possible duplicate" and issues that may
not affect Go code are labeled "possibly not Go". (This is determined
based on the number of excluded issues labeled "NOT_GO_CODE" that also
affect this module).
An issue is considered high priority if its module has more than 100
importers and has more existing regular reports than excluded reports.
Issues that are high priority are automatically labeled "high priority".
Number of importers is currently determined based on a static file that
is checked into the repo.
Change-Id: Iecb311a68c8c15851417c0f8561df23bcd0e467d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/584976
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Re-structure the vulnreport commands as collections of composable
types that perform common operations, such as reading GitHub issues
and creating new reports.
This allows us to re-use code & increase the consistency of
the various commands' behavior. It also makes it easier to create new
commands and operate on batches of issues / reports.
Change-Id: I5ffb9c5cf2c9169ca755693d460ee13dc94c18f6
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/584217
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
For new reports, the default created time is now time.Now(). An
alternate time (e.g., for testing) can be provided via the WithCreated()
option.
Update tests to include a placeholder created time.
Change-Id: I2c48ac56c89d2f33310fca58ae44ff7e9035f609
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/583837
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>