x/vulndb: support CVE schema v5.0 in worker #49289
Comments
v5.0 is a radical change from v4.0. Even the basic object keys are in a different format: Currently, no CVEs use v5.
We can probably hold off on implementing this until we see actual v5.0 CVEs in the cvelist repo.
Change https://go.dev/cl/545300 mentions this issue:
Change https://go.dev/cl/545302 mentions this issue:
Change https://go.dev/cl/545297 mentions this issue:
Change https://go.dev/cl/545301 mentions this issue:
Change https://go.dev/cl/545299 mentions this issue:
Change https://go.dev/cl/545296 mentions this issue:
Change https://go.dev/cl/545298 mentions this issue:
Adds various helper functions that will be used to add support for the new CVE v5 schema.

For golang/go#49289
Change-Id: I3e9aaa95e30000c01a3f6b5738950b9dccdd84cc
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/545296
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

Instead of directly using testdata folder of the cveschema5 package in the worker, make a copy of the required test data. This allows us to transition to a new testing framework in the cveschema5 package without needing to (immediately) change the worker logic.

For golang/go#49289
Change-Id: Ieab8fb4701ffa30b2dc000a48d86efe524f1cb02
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/545297
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

Creates the infrastructure to pull real, up-to-date data from the cvelist for use in tests. Updates the existing tests to rely on this data instead of the (very) stale data previously used.

For golang/go#49289
Change-Id: I31d61d932875e628e8c439cc0ef1dee5d1ccf92c
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/545298
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

Adds the ability to pull in fresh test data for v5 CVEs, and uses this to add a test repo file containing v5 data.

For golang/go#49289
Change-Id: I36f516c75f2a1a241f614db7f5bb69555be096fc
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/545299
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

Add tests for functions FetchCVE and ParseCVE, which were previously not directly tested, to protect against regression from upcoming changes.

For golang/go#49289
Change-Id: Ie7369532e26965fed6fab1f9a811aaa63d34bf72
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/545300
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

ParseCVE and FetchCVE now modify a pointer to a CVE instead of returning a new CVE. This will make it easier for these functions to support either a v4 or v5 CVE in an upcoming change.

For golang/go#49289
Change-Id: I88718b9b7e42588e35835662567bece3f054f02d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/545301
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

FetchCVE and ParseCVE can now operate on either v4 or v5 CVEs.

For golang/go#49289
Change-Id: I5eb71bbc2a0f186be220adcb57d9464bf1cc937c
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/545302
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Change https://go.dev/cl/547497 mentions this issue:
Change https://go.dev/cl/547556 mentions this issue:
Add function to convert CVE JSON 5.0 to our internal YAML format. As a starting point, this function does the same thing as the old function that converts from CVE JSON 4 to our format. A temporary test checks that this is the case.

For golang/go#49289
Change-Id: Ie5226537cefaeb9e68b98e5dce9c6b97b29f968a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/547556
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Add support for collectionUrl and packageName in cmd/cvetriage. This is introduced in CVE schema v5.0.
CVEProject/cve-schema@3208d6d
https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/docs/versions.md
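The two changes above that matter most for a consumer of this data are (a) ParseCVE filling a caller-supplied *CVE so that one entry point can accept either a v4.0 or a v5.0 record, and (b) the new v5 affected-entry fields collectionURL and packageName that cmd/cvetriage now reads. The Go program below is an added illustration of both ideas and is not code from x/vulndb: the struct names, the version probe, the CVE type with V4/V5 halves, and the `https://pkg.go.dev` collection-URL convention used to pick out Go modules are all my assumptions, and the two JSON records are constructed samples with made-up CVE IDs, not real entries. The key spelling `collectionURL` follows the published 5.0 JSON schema.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// cveV4 holds the few v4.0 fields this example needs. v4 keys are
// snake_case or UPPER-case: data_version, CVE_data_meta.ID.
type cveV4 struct {
	DataVersion string `json:"data_version"`
	Meta        struct {
		ID string `json:"ID"`
	} `json:"CVE_data_meta"`
}

// Affected is one v5.0 containers.cna.affected[] entry. collectionURL and
// packageName are the fields the page says cvetriage started reading.
type Affected struct {
	Vendor        string `json:"vendor"`
	Product       string `json:"product"`
	CollectionURL string `json:"collectionURL"`
	PackageName   string `json:"packageName"`
}

// cveV5 holds the matching v5.0 fields. v5 keys are camelCase
// (dataVersion, cveMetadata.cveId) and package data lives in containers.cna.
type cveV5 struct {
	DataVersion string `json:"dataVersion"`
	Metadata    struct {
		ID string `json:"cveId"`
	} `json:"cveMetadata"`
	Containers struct {
		CNA struct {
			Affected []Affected `json:"affected"`
		} `json:"cna"`
	} `json:"containers"`
}

// CVE is the version-agnostic record that ParseCVE fills in place.
// Exactly one of V4 or V5 is non-nil after a successful parse.
type CVE struct {
	Version string
	V4      *cveV4
	V5      *cveV5
}

// ID returns the CVE identifier regardless of schema version.
func (c *CVE) ID() string {
	switch {
	case c.V5 != nil:
		return c.V5.Metadata.ID
	case c.V4 != nil:
		return c.V4.Meta.ID
	}
	return ""
}

// ParseCVE decodes either a v4.0 or a v5.0 record into c. Decoding into a
// probe struct first lets one function dispatch on the version key without
// the caller knowing which schema the bytes follow.
func ParseCVE(data []byte, c *CVE) error {
	var probe struct {
		V4 string `json:"data_version"`
		V5 string `json:"dataVersion"`
	}
	if err := json.Unmarshal(data, &probe); err != nil {
		return fmt.Errorf("not a JSON object: %w", err)
	}
	switch {
	case probe.V5 != "" && probe.V4 == "":
		var v5 cveV5
		if err := json.Unmarshal(data, &v5); err != nil {
			return err
		}
		if v5.Metadata.ID == "" {
			return errors.New("v5 record missing cveMetadata.cveId")
		}
		*c = CVE{Version: probe.V5, V5: &v5}
	case probe.V4 != "" && probe.V5 == "":
		var v4 cveV4
		if err := json.Unmarshal(data, &v4); err != nil {
			return err
		}
		if v4.Meta.ID == "" {
			return errors.New("v4 record missing CVE_data_meta.ID")
		}
		*c = CVE{Version: probe.V4, V4: &v4}
	default: // neither key, or both: refuse rather than guess
		return fmt.Errorf("cannot determine schema version (data_version=%q, dataVersion=%q)", probe.V4, probe.V5)
	}
	return nil
}

// GoPackages returns packageName values whose collectionURL is the Go module
// index. The URL is an assumed convention for this example, not vulndb's rule.
func GoPackages(c *CVE) []string {
	if c.V5 == nil {
		return nil
	}
	var out []string
	for _, a := range c.V5.Containers.CNA.Affected {
		if a.CollectionURL == "https://pkg.go.dev" && a.PackageName != "" {
			out = append(out, a.PackageName)
		}
	}
	return out
}

// Constructed samples (fake IDs); not real CVE records.
const SampleV4 = `{"data_type":"CVE","data_format":"MITRE","data_version":"4.0",
 "CVE_data_meta":{"ID":"CVE-2000-99998","ASSIGNER":"cna@example.invalid"}}`

const SampleV5 = `{"dataType":"CVE_RECORD","dataVersion":"5.0",
 "cveMetadata":{"cveId":"CVE-2000-99999","state":"PUBLISHED"},
 "containers":{"cna":{"affected":[
   {"vendor":"example","product":"widget","collectionURL":"https://pkg.go.dev","packageName":"example.com/widget"},
   {"vendor":"example","product":"widget-py","collectionURL":"https://pypi.org","packageName":"widget"}]}}}`

func main() {
	for _, doc := range []string{SampleV4, SampleV5} {
		var c CVE
		if err := ParseCVE([]byte(doc), &c); err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("schema %s id %s go packages %v\n", c.Version, c.ID(), GoPackages(&c))
	}
}
```

The version probe is deliberately strict: a document carrying both `data_version` and `dataVersion`, or neither, is rejected instead of being coerced into one schema, which is the safer default when the same worker will be fed records from a repository that is mid-migration.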