Modify Generate to take in a *git.Repository instead of a directory
string, so it can be more easily unit tested. Add a unit test.
For golang/go#56417
Change-Id: I3eaa84b41568e9582ac1f16be8c979d7b71d5ad3
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/457017
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Replaces existing Generate logic with refactored New and Write functions,
which have the equivalent behavior.
For golang/go#56417
Change-Id: Ie01c0c77e93c779c717e89acecb81fc00dd4cfbe
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/453176
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Jenny Rakoczy <jenny@golang.org>
This change removes unnecessary logic to determine if the proxy knows
about a version in Lint.
Previously, Lint found all versions known to the proxy
for a module, and then checked if a candidate version was in that list.
This step is not needed because Lint already calls the proxy with each
candidate version, and this call would fail if the version did not exist.
Change-Id: I5981c45817ce98382a5b722c2e39ca5a3072fe85
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/456875
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Use the "-q" flag in gsutil to avoid logging while deploying the
database, in order to make deployment faster.
Change-Id: I874115608e32df14fb333ca37555433932a1918a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/456045
Reviewed-by: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Add "www" to MITRE link prefix so that the link displayed in
"cve publish" works.
Change-Id: I5d066e301b7d39addbc6cfa104576d855beb253b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/455858
Auto-Submit: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
The vulnreport cve command previously attempted to publish the
CVE record to an incorrect filepath.
This was caused by calling the writeCVE function with the YAML filepath
as input instead of the Go ID.
Change-Id: Ic3191d2d4486074349d548a6e661d59c15c561ae
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/455857
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Adds two steps, CopyExisting and Validate to the vulndb deploy script,
to ensure that the existing and new databases are valid internally
and with respect to each other. Deploy will not proceed if validation
fails.
(Reinstates https://go-review.git.corp.google.com/c/vulndb/+/452771
with fix. The bug was a missing "-c" flag in CopyExisting).
For golang/go#56417
Change-Id: I0ef8e38a6679225e8b7b02a9b4b39c18a975ba9a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/455315
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
In vulnreport create-excluded, each "Fixes #XXX" statement is now
on its own line, so that issues are auto-closed.
Change-Id: I359d8a846e644a89935db1bc8559eca50df20986
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/454561
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
Previously, the worker would print xrefs in a way that would have all xrefs
on the same line when rendered from markdown. This change makes it so that
each xref is on its own line/bullet point.
Change-Id: I4d1ef41122cf3419555e2f57c8f3f4a261b85d48
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/454557
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Maceo Thompson <maceothompson@google.com>
Whenever the worker files a new issue on the tracker for a GHSA or CVE, it
includes cross references (shared CVEs, GHSAs, or modules excluding std and
cmd) in the issue description.
Change-Id: I8c10e2f9835c7ddae7ad0427c219edc04a9a7ef6
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/453501
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Maceo Thompson <maceothompson@google.com>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
In "cve publish", allow argument to be a GitHub issue ID instead of
a filename.
Change-Id: I975030f0a5c9f771dbb1e85fca28b5a88098500e
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/454016
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Julie Qiu <julieqiu@google.com>
The actual comparison logic in xref has been moved to report.XRef(), which will make b/259438778 easier and cleaner.
This also allows us to test the base xref functionality.
Change-Id: Ib973e6e16e792f18a033d915bfbb13c1bdb3be27
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/454096
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Maceo Thompson <maceothompson@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
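The two commits above (adding xrefs to worker-filed issues, and moving the comparison into report.XRef) describe the same check: a new report is compared against every existing report on shared CVEs, GHSAs and module paths, with the catch-all "std" and "cmd" modules excluded, and the result is printed one bullet per line. The following Go program is an added example written for this page, not code from the vulndb repository; the Report type, the XRef and FormatXRefs functions and the GO-0000-* / GHSA-xxxx-* identifiers are assumptions and placeholders, not vulndb's own types or real entries.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Report is a minimal stand-in for a vulndb report: its Go ID, aliases
// and affected module paths. This is an assumed shape, not vulndb's type.
type Report struct {
	ID      string
	CVEs    []string
	GHSAs   []string
	Modules []string
}

// skipModule reports whether a module path is too broad to be a useful
// cross reference; the commit message excludes "std" and "cmd".
func skipModule(m string) bool {
	return m == "std" || m == "cmd"
}

// keys returns the set of identifiers a report can be matched on.
func keys(r Report) map[string]bool {
	k := make(map[string]bool)
	for _, c := range r.CVEs {
		k[c] = true
	}
	for _, g := range r.GHSAs {
		k[g] = true
	}
	for _, m := range r.Modules {
		if !skipModule(m) {
			k[m] = true
		}
	}
	return k
}

// XRef returns, keyed by existing report ID, the sorted identifiers that
// each existing report shares with r. Reports sharing nothing are omitted.
func XRef(r Report, existing []Report) map[string][]string {
	want := keys(r)
	out := make(map[string][]string)
	for _, e := range existing {
		if e.ID == r.ID {
			continue
		}
		var shared []string
		for k := range keys(e) {
			if want[k] {
				shared = append(shared, k)
			}
		}
		if len(shared) > 0 {
			sort.Strings(shared)
			out[e.ID] = shared
		}
	}
	return out
}

// FormatXRefs renders cross references as a markdown bullet list with one
// xref per line, so they do not collapse onto one line when rendered.
func FormatXRefs(xrefs map[string][]string) string {
	ids := make([]string, 0, len(xrefs))
	for id := range xrefs {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	var b strings.Builder
	for _, id := range ids {
		fmt.Fprintf(&b, "- %s (shares %s)\n", id, strings.Join(xrefs[id], ", "))
	}
	return b.String()
}

// sampleReports returns constructed input: the IDs and aliases are
// placeholders, not real vulndb entries.
func sampleReports() (Report, []Report) {
	existing := []Report{
		{ID: "GO-0000-0001", CVEs: []string{"CVE-0000-0001"}, Modules: []string{"example.com/a"}},
		{ID: "GO-0000-0002", GHSAs: []string{"GHSA-xxxx-xxxx-xxx2"}, Modules: []string{"std"}},
		{ID: "GO-0000-0003", GHSAs: []string{"GHSA-xxxx-xxxx-xxx1"}, Modules: []string{"example.com/b"}},
	}
	newReport := Report{
		ID:      "GO-0000-0004",
		CVEs:    []string{"CVE-0000-0001"},
		GHSAs:   []string{"GHSA-xxxx-xxxx-xxx1"},
		Modules: []string{"std", "example.com/b"},
	}
	return newReport, existing
}

func main() {
	r, existing := sampleReports()
	fmt.Print(FormatXRefs(XRef(r, existing)))
}
```

In the sample, GO-0000-0002 shares only "std" with the new report and therefore produces no xref; sharing a standard-library module would otherwise link almost every report to every other.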
Remove function parameter "newBody" in createIssue and replace
with a type switch. This will make a future change (adding xrefs)
simpler.
Change-Id: I958b422f6cf4c8308d862e4bed12aa612212bc3f
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/454095
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Julie Qiu <julieqiu@google.com>
This change makes a few things possible: we add testing for GetAllExisting, and it allows us to add xref-like functionality to the worker in the future (see https://b.corp.google.com/issues/259438778)
Change-Id: Ia183d29f0d77c01dc7cb4b228be0b9f85f8ada62
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/454015
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Maceo Thompson <maceothompson@google.com>
Adds two steps, CopyExisting and Validate to the vulndb deploy script,
to ensure that the existing and new databases are valid internally
and with respect to each other. Deploy will not proceed if validation
fails.
For golang/go#56417
Change-Id: I9c522cfb9e3f66f3538d9bc9c89f927692f2c96e
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/452771
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Adds tests for Load failure cases, adds more context to error message,
and adds an additional failure case.
For golang/go#56417
Change-Id: If4927c11f433c931827b262ee65a04f3594a125a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/453175
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Adds a function, Validate, which checks a candidate Go vulnerability
database against an existing one, to ensure that both databases are
valid, timestamps are consistent and no OSV entries would be deleted.
Moves single-database validation logic (previously called Validate) to
the Load function, so that Load now loads and checks a database.
Also adds a command line tool, "checkdeploy" which calls the new
Validate function. This tool will be used in the deploy script for vulndb.
For golang/go#56417
Change-Id: Ifa12234376f2a3fd577d96978919b167fcb25f64
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/452443
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
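The commit above splits validation into two layers: Load checks a single database for internal consistency, and Validate compares a candidate against the existing database so that a deploy cannot silently drop OSV entries or move timestamps backwards. The Go program below is an added example for this page, not vulndb's own Load or Validate code; the Entry and DB types, the rule that an unchanged entry keeps its timestamp while a changed entry must get a strictly later one, and the GO-0000-* IDs are assumptions and placeholders.

```go
package main

import (
	"fmt"
	"time"
)

// Entry is a stand-in for one OSV entry: its ID, modified timestamp and
// the rest of the record, treated as opaque text here. Assumed shape.
type Entry struct {
	ID       string
	Modified time.Time
	Body     string
}

// DB is a stand-in for a vulnerability database: a top-level modified
// timestamp plus entries keyed by ID. Assumed shape.
type DB struct {
	Modified time.Time
	Entries  map[string]Entry
}

// Load checks one database for internal consistency: every key matches
// its entry's ID, and no entry is modified after the database itself.
func Load(db DB) error {
	for id, e := range db.Entries {
		if id != e.ID {
			return fmt.Errorf("entry keyed %q carries ID %q", id, e.ID)
		}
		if e.Modified.After(db.Modified) {
			return fmt.Errorf("entry %s modified at %s, after database modified at %s",
				id, e.Modified.Format(time.RFC3339), db.Modified.Format(time.RFC3339))
		}
	}
	return nil
}

// Validate checks a candidate database against the existing one: both must
// load, no entry present in existing may be missing from candidate, and
// timestamps may only move forward. The per-entry rule (an unchanged entry
// keeps its timestamp, a changed one gets a strictly later one) is an
// assumption of this example about what "consistent" means.
func Validate(existing, candidate DB) error {
	if err := Load(existing); err != nil {
		return fmt.Errorf("existing database: %w", err)
	}
	if err := Load(candidate); err != nil {
		return fmt.Errorf("candidate database: %w", err)
	}
	if candidate.Modified.Before(existing.Modified) {
		return fmt.Errorf("candidate modified at %s is older than existing at %s",
			candidate.Modified.Format(time.RFC3339), existing.Modified.Format(time.RFC3339))
	}
	for id, old := range existing.Entries {
		cur, ok := candidate.Entries[id]
		if !ok {
			return fmt.Errorf("entry %s would be deleted by the deploy", id)
		}
		switch {
		case cur.Body == old.Body && !cur.Modified.Equal(old.Modified):
			return fmt.Errorf("entry %s is unchanged but its modified timestamp moved", id)
		case cur.Body != old.Body && !cur.Modified.After(old.Modified):
			return fmt.Errorf("entry %s changed but its modified timestamp did not advance", id)
		}
	}
	return nil
}

// sampleDBs returns constructed existing and candidate databases; the IDs
// are placeholders, not real vulndb entries.
func sampleDBs() (existing, candidate DB) {
	day := func(d int) time.Time { return time.Date(2022, time.November, d, 0, 0, 0, 0, time.UTC) }
	existing = DB{Modified: day(1), Entries: map[string]Entry{
		"GO-0000-0001": {ID: "GO-0000-0001", Modified: day(1), Body: "first version"},
		"GO-0000-0002": {ID: "GO-0000-0002", Modified: day(1), Body: "untouched"},
	}}
	candidate = DB{Modified: day(10), Entries: map[string]Entry{
		"GO-0000-0001": {ID: "GO-0000-0001", Modified: day(10), Body: "second version"},
		"GO-0000-0002": {ID: "GO-0000-0002", Modified: day(1), Body: "untouched"},
		"GO-0000-0003": {ID: "GO-0000-0003", Modified: day(10), Body: "newly added"},
	}}
	return existing, candidate
}

func main() {
	existing, candidate := sampleDBs()
	if err := Validate(existing, candidate); err != nil {
		fmt.Println("deploy blocked:", err)
		return
	}
	fmt.Println("candidate database is consistent with the existing one")
}
```

A deploy script would call Validate with the copied-down existing database and the freshly generated candidate, and exit non-zero on any error, which is the "deploy will not proceed if validation fails" behaviour the later CopyExisting and Validate commits describe.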
The help text previously included the value of VULN_GITHUB_ACCESS_TOKEN.
Change-Id: Ie65506376acb4f5d5cc36f611235714d4a13ea30
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/452755
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Adds a function, Validate, which checks a Go vulnerability for
internal consistency. Also adds a command line tool, "checkdb" which
can be used to validate databases.
This tool will be used in the deploy script for vulndb.
For golang/go#56417
Change-Id: I427eab6b5385d3c858d4a371d90e6e5f54f10812
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/448842
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
I guess this was attempted to be used here: b776e182e6/internal/ghsa/ghsa.go (L206)
Change-Id: Ie9fd51079210dbb653c483b48c0dd27ac2f12165
GitHub-Last-Rev: b776e182e6
GitHub-Pull-Request: golang/vulndb#1116
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/452295
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
The vulnreport osv command now populates all generated osvs with the current schema version (1.3.1).
This CL also updates all previous OSV entries to also have the current schema version.
Change-Id: Ie95c91aae0ee623bbf50ff047190a0bbe59893d9
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/452440
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Maceo Thompson <maceothompson@google.com>
Previously, the query in ListForCVE would allow partial matches, meaning a CVE like "CVE-2022-2529" will pull in GHSAs for the CVE "CVE-2022-25295". ListForCVE now filters out these incorrect matches after the query is made.
Change-Id: I5d2fcbc71e9533caa93b0b3c1679f2df08cfe5f4
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/451315
Run-TryBot: Maceo Thompson <maceothompson@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
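The partial-match problem in the commit above is a general one: a search backend that matches a CVE ID as a substring will return advisories for any longer ID sharing the prefix, so the caller must re-check each result for an exact identifier match. The Go program below is an added example for this page, not vulndb's ListForCVE; the Advisory type, the substring search standing in for the real query, the CVE-ID syntax check, and the GHSA-xxxx-* IDs are assumptions and placeholders. The two CVE IDs are the ones named in the commit message.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Advisory is a stand-in for a GHSA record: its GHSA ID plus the
// identifiers (CVE and GHSA IDs) attached to it. Assumed shape.
type Advisory struct {
	GHSA        string
	Identifiers []string
}

// cveIDRe accepts a complete CVE ID only, so a truncated query such as
// "CVE-2022-252" is rejected before it reaches the search.
var cveIDRe = regexp.MustCompile(`^CVE-\d{4}-\d{4,}$`)

// searchBySubstring imitates a search backend that matches the query as a
// substring of any identifier: the over-broad behaviour the commit message
// describes, constructed here for illustration.
func searchBySubstring(all []Advisory, query string) []Advisory {
	var out []Advisory
	for _, a := range all {
		for _, id := range a.Identifiers {
			if strings.Contains(id, query) {
				out = append(out, a)
				break
			}
		}
	}
	return out
}

// filterExact keeps only advisories that carry cveID as an exact identifier.
func filterExact(advs []Advisory, cveID string) []Advisory {
	var out []Advisory
	for _, a := range advs {
		for _, id := range a.Identifiers {
			if id == cveID {
				out = append(out, a)
				break
			}
		}
	}
	return out
}

// ListForCVE validates the ID, runs the broad search, then post-filters to
// exact matches so that CVE-2022-2529 no longer pulls in CVE-2022-25295.
func ListForCVE(all []Advisory, cveID string) ([]Advisory, error) {
	if !cveIDRe.MatchString(cveID) {
		return nil, fmt.Errorf("%q is not a complete CVE ID", cveID)
	}
	return filterExact(searchBySubstring(all, cveID), cveID), nil
}

// sampleAdvisories returns constructed input; the GHSA IDs are placeholders.
func sampleAdvisories() []Advisory {
	return []Advisory{
		{GHSA: "GHSA-xxxx-xxxx-xxx1", Identifiers: []string{"GHSA-xxxx-xxxx-xxx1", "CVE-2022-2529"}},
		{GHSA: "GHSA-xxxx-xxxx-xxx2", Identifiers: []string{"GHSA-xxxx-xxxx-xxx2", "CVE-2022-25295"}},
		{GHSA: "GHSA-xxxx-xxxx-xxx3", Identifiers: []string{"GHSA-xxxx-xxxx-xxx3"}},
	}
}

func main() {
	all := sampleAdvisories()
	fmt.Printf("substring search for CVE-2022-2529 returns %d advisories\n",
		len(searchBySubstring(all, "CVE-2022-2529")))
	got, err := ListForCVE(all, "CVE-2022-2529")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, a := range got {
		fmt.Println("exact match:", a.GHSA)
	}
}
```

The post-filter is cheap and makes the result independent of how the backend tokenises the query, which matters for any pipeline that turns alias lookups into automatically filed issues or published records.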
Add advisory link for GO-2022-0384 and delete GO-2022-0918 which is a
duplicate of it.
Aliases: CVE-2021-32690, GHSA-56hp-xqp3-w2jf, GHSA-7jr6-prv4-5wf5
Updates golang/vulndb#384, golang/vulndb#918
Change-Id: Iad28e1aeea5587d8ee49680a2fd28494f3b14bda
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/451281
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
GO-2022-0368 is dependent on GO-2020-0008. Remove the CVE, which actually
refers to the upstream vuln, and re-classify as DEPENDENT_VULNERABILITY.
Aliases: GHSA-gv9j-4w24-q7vx
Updates golang/vulndb#368, golang/vulndb#8
Change-Id: Ide59a0ef1c529d66fb5511cafeea9559b372ca07
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/451280
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>