
x/vulndb: improve tool for creating yaml reports #50314

Closed
3 tasks done
julieqiu opened this issue Dec 22, 2021 · 6 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Milestone

Comments

@julieqiu
Member

julieqiu commented Dec 22, 2021

cmd/vulnreport should be updated with the following functionality:

Given a GitHub issue ID:

  • Parse the CVE ID from the GitHub issue
  • Parse the JSON file from the CVE list repo
  • Create a yaml file with the correct filename, and populate it as much as possible

Template:

module:
package:
versions:
  - introduced:
  - fixed:
description: |

cve:
credit:
symbols:
  -
published:
links:
  commit:
  pr:
  context:
    -
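The three steps above (parse the CVE ID from the issue, read the CVE JSON, write a prepopulated YAML file in this template) are small enough to show end to end. The following is an added example, not code from x/vulndb or cmd/vulnreport: it uses its own hypothetical names (`ParseCVEID`, `ParseGithubRepo`, `CVEToReport`, `RenderYAML`), reads only a subset of the CVE JSON 4.0 record fields (`CVE_data_meta.ID`, `description.description_data`, `references.reference_data`, `credit`), assumes as a heuristic that reference URLs containing `/commit/` or `/pull/` belong under `links.commit` and `links.pr`, and emits `TODO` for anything the record cannot supply so the triager sees what is still missing. The CVE record and issue title embedded in it are constructed, not a real CVE.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// cveJSON is the subset of a CVE JSON 4.0 record (as stored in the CVE list
// repo) that this example reads; field tags follow that schema.
type cveJSON struct {
	CVEDataMeta struct {
		ID string `json:"ID"`
	} `json:"CVE_data_meta"`
	Description struct {
		DescriptionData []struct {
			Value string `json:"value"`
		} `json:"description_data"`
	} `json:"description"`
	References struct {
		ReferenceData []struct {
			URL string `json:"url"`
		} `json:"reference_data"`
	} `json:"references"`
	Credit []struct {
		Value string `json:"value"`
	} `json:"credit"`
}

// Report mirrors the fields of the YAML template; empty strings mean "not known yet".
type Report struct {
	Module, Package, Description, CVE, Credit, Commit, PR string
	Context                                              []string
}

var cveIDRe = regexp.MustCompile(`CVE-\d{4}-\d{4,}`)

// ParseCVEID returns the first CVE identifier found in s (e.g. an issue title).
func ParseCVEID(s string) (string, bool) {
	id := cveIDRe.FindString(s)
	return id, id != ""
}

// ParseGithubRepo accepts "github.com/owner/repo" or "owner/repo"; anything else is an error.
func ParseGithubRepo(s string) (owner, repo string, err error) {
	parts := strings.Split(strings.TrimPrefix(s, "github.com/"), "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", fmt.Errorf("not an owner/repo path: %q", s)
	}
	return parts[0], parts[1], nil
}

// CVEToReport fills a Report from a CVE JSON record plus the module path taken from the issue.
func CVEToReport(data []byte, modulePath string) (Report, error) {
	var c cveJSON
	if err := json.Unmarshal(data, &c); err != nil {
		return Report{}, err
	}
	r := Report{Module: modulePath, CVE: c.CVEDataMeta.ID}
	if len(c.Description.DescriptionData) > 0 {
		r.Description = strings.TrimSpace(c.Description.DescriptionData[0].Value)
	}
	if len(c.Credit) > 0 {
		r.Credit = c.Credit[0].Value
	}
	// Heuristic (an assumption of this example, not a vulndb rule): classify references by URL shape.
	for _, ref := range c.References.ReferenceData {
		switch {
		case r.Commit == "" && strings.Contains(ref.URL, "/commit/"):
			r.Commit = ref.URL
		case r.PR == "" && strings.Contains(ref.URL, "/pull/"):
			r.PR = ref.URL
		default:
			r.Context = append(r.Context, ref.URL)
		}
	}
	return r, nil
}

// orTODO marks fields the triager still has to fill in by hand.
func orTODO(v string) string {
	if v == "" {
		return "TODO"
	}
	return v
}

// RenderYAML writes the report in the template layout; the description is a
// literal block scalar, so continuation lines are re-indented.
func RenderYAML(r Report) string {
	var b strings.Builder
	desc := strings.ReplaceAll(orTODO(r.Description), "\n", "\n    ")
	fmt.Fprintf(&b, "module: %s\npackage: %s\nversions:\n  - introduced: TODO\n  - fixed: TODO\n", orTODO(r.Module), orTODO(r.Package))
	fmt.Fprintf(&b, "description: |\n    %s\ncve: %s\ncredit: %s\nsymbols:\n  - TODO\npublished: TODO\n", desc, orTODO(r.CVE), orTODO(r.Credit))
	fmt.Fprintf(&b, "links:\n  commit: %s\n  pr: %s\n  context:\n", orTODO(r.Commit), orTODO(r.PR))
	if len(r.Context) == 0 {
		b.WriteString("    - TODO\n")
	}
	for _, u := range r.Context {
		fmt.Fprintf(&b, "    - %s\n", u)
	}
	return b.String()
}

// sampleCVE is a constructed CVE JSON 4.0 record for demonstration; it is not a real CVE.
const sampleCVE = `{
  "CVE_data_meta": {"ID": "CVE-0000-00001", "ASSIGNER": "example@example.com"},
  "description": {"description_data": [{"lang": "eng", "value": "Crafted input causes a panic in example.com/pkg."}]},
  "references": {"reference_data": [
    {"url": "https://github.com/example/pkg/commit/abc123"},
    {"url": "https://github.com/example/pkg/pull/42"},
    {"url": "https://example.com/advisory"}]},
  "credit": [{"lang": "eng", "value": "Example Researcher"}]
}`

func main() {
	title := "x/vulndb: potential Go vuln in example.com/pkg: CVE-0000-00001" // constructed issue title
	id, _ := ParseCVEID(title)
	r, err := CVEToReport([]byte(sampleCVE), "example.com/pkg")
	if err != nil {
		panic(err)
	}
	if r.CVE != id { // the issue and the CVE record must agree before a file is written
		panic("CVE ID in issue and CVE JSON disagree")
	}
	fmt.Print(RenderYAML(r))
}
```

Checking that the ID parsed from the issue matches `CVE_data_meta.ID` before writing anything is worth keeping in a real tool: the JSON file is fetched by ID, so a mismatch means the wrong record was read and every prepopulated field would be wrong.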
@gopherbot gopherbot added this to the Unreleased milestone Dec 22, 2021
@gopherbot
Contributor

Change https://golang.org/cl/374100 mentions this issue: internal/report: add CVEToReport

@gopherbot
Contributor

Change https://golang.org/cl/374099 mentions this issue: internal/worker: update ParseGithubRepo

@gopherbot
Contributor

Change https://golang.org/cl/374094 mentions this issue: internal/cveschema: add credit field

@gopherbot
Contributor

Change https://golang.org/cl/374101 mentions this issue: cmd/vulnreport: improve functionality for create

@gopherbot
Contributor

Change https://golang.org/cl/374098 mentions this issue: internal/worker: add githubIssueClient.GetIssue

@dmitshur dmitshur added the NeedsFix The path to resolution is known, but the work has not been done. label Dec 22, 2021
@gopherbot
Contributor

Change https://golang.org/cl/374175 mentions this issue: cmd/vulnreport: add TODOs for missing fields

gopherbot pushed a commit to golang/vulndb that referenced this issue Jan 4, 2022
The CVE JSON schema contains a Credit field, which is now added to the
struct. This is used to populate the credit field for the YAML reports.

For golang/go#50314

Change-Id: I91e22b29ae5bb30220949820a4fccb28855dcfdc
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/374094
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
gopherbot pushed a commit to golang/vulndb that referenced this issue Jan 4, 2022
A GetIssue method is added to the GitHub client. This will be used by
cmd/vulnreport when creating a template for the YAML reports to
determine the module path and CVE ID.

For golang/go#50314

Change-Id: I6e7a022faf1c6c71ba4f3a68afa5fbaea122ed52
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/374098
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
gopherbot pushed a commit to golang/vulndb that referenced this issue Jan 4, 2022
ParseGithubRepo is updated to parse a GitHub repo name with the formats
"github.com/owner/repoName" and "owner/repoName".

For golang/go#50314

Change-Id: Ie7152707b67b4215281d08e936e54e11caa7c8e6
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/374099
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
gopherbot pushed a commit to golang/vulndb that referenced this issue Jan 4, 2022
CVEToReport is added, which creates a Report struct from a given CVE and
modulePath.

For golang/go#50314

Change-Id: I901565cd0c80b423e8bd6a1ef790545f99a6ec75
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/374100
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
gopherbot pushed a commit to golang/vulndb that referenced this issue Jan 4, 2022
Rather than just creating an empty template, the vulnreport create
command now creates a prepopulated template with information from the
CVE JSON.

For golang/go#50314

Change-Id: Ifcf2adfa63e47e73eace7c349133a4ecc9bf2bf7
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/374101
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
gopherbot pushed a commit to golang/vulndb that referenced this issue Jan 4, 2022
When a field we want to fill in is not automatically parsed for the YAML
report from the CVE JSON, add a TODO so that it is clear to the triager.

For golang/go#50314

Change-Id: I3a5d1b858073fbd434a777fd3b1775cbef6e308a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/374175
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
@julieqiu julieqiu closed this as completed Jan 5, 2022
@julieqiu julieqiu added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Sep 8, 2022
@golang golang locked and limited conversation to collaborators Sep 8, 2023