
x/vulndb: support CVE schema v5.0 in worker #49289

Open
julieqiu opened this issue Nov 2, 2021 · 11 comments
Assignees
Labels
NeedsFix: The path to resolution is known, but the work has not been done.
vulncheck or vulndb: Issues for the x/vuln or x/vulndb repo

Comments

@julieqiu
Member

julieqiu commented Nov 2, 2021

Add support for collectionUrl and packageName in cmd/cvetriage. This is introduced in CVE schema v5.0.

CVEProject/cve-schema@3208d6d

https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/docs/versions.md

@gopherbot gopherbot added this to the Unreleased milestone Nov 2, 2021
@julieqiu julieqiu added the x/vuln label Nov 2, 2021
@thanm thanm added the NeedsFix label Nov 3, 2021
@gopherbot gopherbot added the vulncheck or vulndb label Dec 22, 2021
@julieqiu julieqiu changed the title from "x/vuln: support CVE schema v5.0 in cmd/cvetriage" to "x/vulndb: support CVE schema v5.0 in cmd/cvetriage" Jan 5, 2022
@julieqiu julieqiu removed the vulncheck or vulndb label Jan 5, 2022
@jba jba self-assigned this Jan 27, 2022
@jba
Contributor

jba commented Feb 7, 2022

v5.0 is a radical change from v4.0. Even the basic object keys are in a different format: dataVersion vs. data_version. I think we'll need a completely new set of Go structs for v5.

Currently, no CVEs use v5.

@julieqiu
Member Author

julieqiu commented Feb 7, 2022

We can probably hold off on implementing this until we see actual v5.0 CVEs in the cvelist repo.

@julieqiu julieqiu added the vulncheck or vulndb label and removed the vulndb label Sep 2, 2022
@julieqiu julieqiu changed the title from "x/vulndb: support CVE schema v5.0 in cmd/cvetriage" to "x/vulndb: support CVE schema v5.0 in worker" Sep 9, 2022
@julieqiu julieqiu modified the milestones: vuln/2022, vuln/unplanned Apr 7, 2023
@gopherbot

Change https://go.dev/cl/545300 mentions this issue: internal/cvelistrepo: add tests for FetchCVE and ParseCVE

@gopherbot

Change https://go.dev/cl/545302 mentions this issue: internal/cvelistrepo: support fetch/parse v5 cves

@gopherbot

Change https://go.dev/cl/545297 mentions this issue: internal/worker: make a copy of testdata repo for worker

@gopherbot

Change https://go.dev/cl/545301 mentions this issue: internal/cvelistrepo: refactor ParseCVE and FetchCVE

@gopherbot

Change https://go.dev/cl/545299 mentions this issue: internal/cvelistrepo: add test data for cvelistv5

@gopherbot

Change https://go.dev/cl/545296 mentions this issue: internal: add some helper functions to support CVE v5

@gopherbot

Change https://go.dev/cl/545298 mentions this issue: internal/cvelistrepo: use real CVE data for cvelistrepo tests

gopherbot pushed a commit to golang/vulndb that referenced this issue Dec 4, 2023
Adds various helper functions that will be used to add support for the
new CVE v5 schema.

For golang/go#49289

Change-Id: I3e9aaa95e30000c01a3f6b5738950b9dccdd84cc
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/545296
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
gopherbot pushed a commit to golang/vulndb that referenced this issue Dec 4, 2023
Instead of directly using testdata folder of the cveschema5 package
in the worker, make a copy of the required test data.

This allows us to transition to a new testing framework in the
cveschema5 package without needing to (immediately) change the worker logic.

For golang/go#49289

Change-Id: Ieab8fb4701ffa30b2dc000a48d86efe524f1cb02
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/545297
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
gopherbot pushed a commit to golang/vulndb that referenced this issue Dec 4, 2023
Creates the infrastructure to pull real, up-to-date data from the
cvelist for use in tests.

Updates the existing tests to rely on this data instead of the
(very) stale data previously used.

For golang/go#49289

Change-Id: I31d61d932875e628e8c439cc0ef1dee5d1ccf92c
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/545298
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
gopherbot pushed a commit to golang/vulndb that referenced this issue Dec 4, 2023
Adds the ability to pull in fresh test data for v5 CVEs, and uses this
to add a test repo file containing v5 data.

For golang/go#49289

Change-Id: I36f516c75f2a1a241f614db7f5bb69555be096fc
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/545299
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
gopherbot pushed a commit to golang/vulndb that referenced this issue Dec 4, 2023
Add tests for functions FetchCVE and ParseCVE, which were previously
not directly tested, to protect against regression from upcoming changes.

For golang/go#49289

Change-Id: Ie7369532e26965fed6fab1f9a811aaa63d34bf72
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/545300
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
gopherbot pushed a commit to golang/vulndb that referenced this issue Dec 4, 2023
ParseCVE and FetchCVE now modify a pointer to a CVE instead of returning
a new CVE. This will make it easier for these functions to support either
a v4 or v5 CVE in an upcoming change.

For golang/go#49289

Change-Id: I88718b9b7e42588e35835662567bece3f054f02d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/545301
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
gopherbot pushed a commit to golang/vulndb that referenced this issue Dec 4, 2023
FetchCVE and ParseCVE can now operate on either v4 or v5 CVEs.

For golang/go#49289

Change-Id: I5eb71bbc2a0f186be220adcb57d9464bf1cc937c
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/545302
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
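jba's comment above points out that v4 and v5 records differ even in how their top-level keys are spelled (data_version vs. dataVersion), and the change for https://go.dev/cl/545302 makes FetchCVE and ParseCVE accept either version. The following is an added example, not x/vulndb's own code, of how one parse entry point can sniff the schema version from the raw JSON and decode into the matching struct. The cveV4/cveV5/Record types, the ParseCVE signature and the two sample records (with placeholder CVE IDs) are constructed for this example; the v5 field names used (cveMetadata, cveId, containers.cna.affected, collectionURL, packageName) follow the v5 schema. Because encoding/json matches object keys case-insensitively, the collectionUrl spelling in the issue description decodes into the same field as collectionURL.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical minimal stand-ins for the two record shapes (not x/vulndb's
// cveschema/cveschema5 types); only the fields this example reads are declared.
type cveV4 struct {
	DataVersion string `json:"data_version"`
	Meta        struct {
		ID string `json:"ID"`
	} `json:"CVE_data_meta"`
}

type cveV5 struct {
	DataVersion string `json:"dataVersion"`
	Metadata    struct {
		ID string `json:"cveId"`
	} `json:"cveMetadata"`
	Containers struct {
		CNA struct {
			Affected []struct {
				CollectionURL string `json:"collectionURL"`
				PackageName   string `json:"packageName"`
			} `json:"affected"`
		} `json:"cna"`
	} `json:"containers"`
}

// Record is the schema-independent view handed to the caller.
type Record struct {
	SchemaVersion string
	ID            string
	Packages      []string // v5 only: packageName of each affected entry
}

// versionProbe decodes only the two version keys; snake_case means v4, camelCase means v5.
type versionProbe struct {
	V4 string `json:"data_version"`
	V5 string `json:"dataVersion"`
}

// cveIDRe rejects anything that is not CVE-YYYY-NNNN...; the ID comes from an
// external repository and is commonly reused as a file name downstream.
var cveIDRe = regexp.MustCompile(`^CVE-\d{4}-\d{4,}$`)

// ParseCVE sniffs the schema version of a raw CVE JSON record and decodes it
// with the matching struct, so one entry point serves both v4 and v5 records.
func ParseCVE(data []byte) (*Record, error) {
	var p versionProbe
	if err := json.Unmarshal(data, &p); err != nil {
		return nil, fmt.Errorf("invalid CVE JSON: %w", err)
	}
	var rec Record
	switch {
	case p.V4 != "" && p.V5 != "":
		return nil, errors.New("record declares both data_version and dataVersion")
	case strings.HasPrefix(p.V4, "4."):
		var c cveV4
		if err := json.Unmarshal(data, &c); err != nil {
			return nil, fmt.Errorf("decoding v4 record: %w", err)
		}
		rec = Record{SchemaVersion: c.DataVersion, ID: c.Meta.ID}
	case strings.HasPrefix(p.V5, "5."):
		var c cveV5
		if err := json.Unmarshal(data, &c); err != nil {
			return nil, fmt.Errorf("decoding v5 record: %w", err)
		}
		rec = Record{SchemaVersion: c.DataVersion, ID: c.Metadata.ID}
		for _, a := range c.Containers.CNA.Affected {
			if a.PackageName != "" {
				rec.Packages = append(rec.Packages, a.PackageName)
			}
		}
	default:
		return nil, fmt.Errorf("unsupported CVE schema (data_version=%q, dataVersion=%q)", p.V4, p.V5)
	}
	if !cveIDRe.MatchString(rec.ID) {
		return nil, fmt.Errorf("malformed CVE ID %q", rec.ID)
	}
	return &rec, nil
}

// Constructed sample records with placeholder IDs; not real CVEs.
const sampleV4 = `{"data_type":"CVE","data_format":"MITRE","data_version":"4.0",
 "CVE_data_meta":{"ID":"CVE-2021-99999","ASSIGNER":"example@example.com"}}`
const sampleV5 = `{"dataType":"CVE_RECORD","dataVersion":"5.0",
 "cveMetadata":{"cveId":"CVE-2022-99998","state":"PUBLISHED"},
 "containers":{"cna":{"affected":[{"collectionURL":"https://pkg.go.dev","packageName":"example.com/mod/pkg"}]}}}`

func main() {
	for _, s := range []string{sampleV4, sampleV5} {
		rec, err := ParseCVE([]byte(s))
		fmt.Printf("%+v err=%v\n", rec, err)
	}
}
```

The version probe is cheap because it decodes only two keys before the full decode, and refusing a record that carries both spellings keeps a malformed or hand-edited file from being read as whichever version happens to be checked first. The ID check matters for a worker that pulls records from a third-party repository: a record whose ID is not in CVE-YYYY-NNNN form should be rejected before the ID is used to name files or look up state.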
@gopherbot

Change https://go.dev/cl/547497 mentions this issue: internal/report: add basic logic to convert cve5 to report

@gopherbot

Change https://go.dev/cl/547556 mentions this issue: internal/report: add basic logic to convert cve5 to report

gopherbot pushed a commit to golang/vulndb that referenced this issue Dec 6, 2023
Add function to convert CVE JSON 5.0 to our internal YAML format.

As a starting point, this function does the same thing as the old function
that converts from CVE JSON 4 to our format. A temporary test checks
that this is the case.

For golang/go#49289

Change-Id: Ie5226537cefaeb9e68b98e5dce9c6b97b29f968a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/547556
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>