Also update some reports that are affected due to the recent changes to
vuln.
Change-Id: Ib59498928930615ad328d1135407d1fa581d0cad
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/462735
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

- Update `golang.org/x/vuln/osv`.
- Output credits in the OSV report from the YAML report.
- Update `data/osv` to include `credits`.
Fixes golang/go#55956
Change-Id: I8b1a81f33ca7b2832394be316b7d015c8a281220
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/435976
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Auto-Submit: Damien Neil <dneil@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

The most relevant changes are related to how GOOS and GOARCH are handled
during vulnerability search.
Change-Id: If0925643ed8691d452ca893771eec509289ecd51
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/438716
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Hyang-Ah Hana Kim <hyangah@gmail.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>

Factor out the tracing and metrics code from the server
and put it in its own package.
This is a first step towards sharing it with other projects.
Change-Id: I36a04933accc11300f360a410c00a10c8a132dda
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/435470
Run-TryBot: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Julie Qiu <julie@golang.org>

A test was failing in CL 422496 with the current version of unparam.
Change-Id: I8a89a7708758adca9c13afd337f53a6946714151
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/425003
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Julie Qiu <julieqiu@google.com>
Reviewed-by: Jonathan Amsterdam <jba@google.com>

The OSV affected.package.name field is now the module path, not the
package import path. The affected.package.ecosystem_specific.imports
field now contains a list of Go packages and symbols within those
packages.
Restructure the report YAML to match the OSV structure:
A report contains a list of modules, a module contains a list of
packages, a package contains a list of symbols.
Move GOOS/GOARCH to the package, rather than being report-global.
This change updates the canonical YAML format and changes the
OSV generation to the new form, but does not reformat data/reports.
The report loader rewrites the old report YAML into the new
style. Followup CLs will convert the reports and remove the
rewriter.
Change-Id: I71af994846721fdd43a8ee5c41574387ff781332
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/424895
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Damien Neil <dneil@google.com>

Use the git tool rather than direct repo access via go-git,
so as to run commit hooks and give the user a chance to edit
the commit message.
Change-Id: I2e564b334d71bf9cda8a57bc7869119cd896d1ff
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/414576
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>

The "vulnreport fix" command now verifies that all symbols are present
in the vulnerable package.
The "vulnreport fix" command now only adds symbols to the derived_symbols
field if they aren't already present in the symbols field.
Change-Id: I1a1f1e44e92e66a4c3b141dbff9b8e8fea265870
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/412536
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Julie Qiu <julieqiu@google.com>

Package has moved from golang.org/x/exp/vulncheck.
Update to new location.
Change-Id: If5c57ab6664b186fed42492561497f1daab89667
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/406156
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Damien Neil <dneil@google.com>

golang.org/x/tools is upgraded to the version at master, in order to fix a panic in internal/worker:
`panic: no concrete method: func (*crypto/elliptic.nistCurve[*crypto/elliptic/internal/nistec.P224Point]).Add(x1 *math/big.Int, y1 *math/big.Int, x2 *math/big.Int, y2 *math/big.Int) (*math/big.Int, *math/big.Int)`
This also resulted in x/mod being upgraded.
Change-Id: I2c5581efb9f8c213b2dfabfa4349478af7187c1d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/402674
Reviewed-by: Julie Qiu <julieqiu@google.com>

Complete support for scanning modules.
- Add scan-modules command to cmd/worker.
- Remember modules we scanned in the Store.
- Track the last-modified vuln DB time to avoid unnecessary re-scanning.
Change-Id: Id2b6d3b2d91c6617d31f4fe6997babba2db220bd
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/393695
Trust: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Damien Neil <dneil@google.com>

This should fix the problem we're having with trybots.
Change-Id: Ia0c4206122f2699878d2077b1969daf34d111336
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/388855
Trust: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Julie Qiu <julie@golang.org>

Connect to Google Cloud Monitoring using OpenTelemetry
and the golang.org/x/exp/event package.
Export one metric, to start.
Change-Id: I5468a706423d6a6bf40d36c305d94b0dfc920e3c
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/386834
Trust: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: kokoro <noreply+kokoro@google.com>

Update the exp repo to the latest version. This will give us the new
event metrics code, which we will then use for worker metrics.
Also, add the -compat=1.17 flag to go mod tidy; otherwise it complains
about maintaining 1.16 compatibility, which we don't care about.
Change-Id: I5abb1aecb8b9d6b424223ea00680ea98bd29e4da
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/386696
Trust: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Damien Neil <dneil@google.com>

Distinguish between the original vulnerable symbols, and ones
we derive by looking at the source.
Change-Id: I2c1858a143f5a649ca30a982a642f5f1023ac870
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/382162
Trust: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Julie Qiu <julie@golang.org>

The fix subcommand will re-populate the symbols fields of the report
with all of the vulnerable exported symbols.
Change-Id: I5b0e097b367e74c52ea123022e268b91e54aec17
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/379776
Trust: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

The v1 version hasn't been updated since 2018. Upgrade to the latest
version which is v41.
Change-Id: I1e9ae4a525aba4350e2cb674167d55ba9746e022
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/376374
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>

golang.org/x/vuln/srv is moved to this repository. Originally, the
motivation for creating x/vuln was to split the YAML reports and Go code
into two separate repositories. However, this resulted in a few
issues:
1. The structure of the YAML reports is tightly coupled with the structs
in internal/report, and changing one without the other would result
in errors when linting the reports.
2. The vlint package itself needed to be exported, even though the only
consumer was the test in x/vulndb.
3. The deploy/build.yaml script depends on cmd/gendb@latest, so updating
that command could easily break the script (for example, submitting
CL 373004 without changing the reference in deploy/build.yaml).
Additionally, the original location of this code was x/vuln, which
contained two types of packages.
(1) Packages meant for consumption by other clients (for example,
x/vuln/client), and
(2) Internal packages that were only meant for use to spin up the
worker.
The internal packages resulted in many dependencies since they pulled in
GCP, which we don't want clients of the vulncheck library to
have to pull in. This problem was originally solved by creating a nested
module inside x/vuln, but nicer separation that would also solve the
issues above is the following:
* x/vuln: contains Go code meant to be imported by others
* x/vulndb: contains internal code only used to maintain the vulndb
For golang/go#50247
Change-Id: I74a7b7f9b8fc5b0ad48a45fc3156f93c08aa9955
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/373495
Trust: Julie Qiu <julie@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>

all.bash is replaced with the checks.bash setup from x/vuln, so that
tests run on TryBots.
Change-Id: I49f2265343e9e962b8587eb9a733a52651466737
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/373156
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>

This code is moved to x/vuln.
Change-Id: Ide030bfcbf1bcaaed4a989e0f4b8c42c94fb0368
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/362495
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>

TestLintReports is updated to use golang.org/x/vuln/vlint.
The internal/ directory will be deleted in the next CL.
Change-Id: Ifa4f5b3772963e2ae85f972fe61776429bace107
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/360716
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>