[pkgsite] all: update for osv schema change

[Damien Neil (Gerrit)]

Damien Neil has uploaded this change for review.

View Change

all: update for osv schema change

Update golang.org/x/vuln to latest.

/vuln/list, /vuln: Set "Affects:" header to a list of stdlib package
names and non-stdlib module names. For example, "net/http, golang.org/x/net".

/vuln: Find list of affected packages from ecosystem_specific.imports field.
Perhaps this page should list modules, or modules and packages within the
module, but for now just update the list to reflect the changed location
of package names in the OSV.

Package page, package versions tab: No changes to content, but use the
ecosystem_specific.imports field for package names.

Change-Id: Ib34e5f9388829c0ae3448ee14e32a725fb24cb48
---
M cmd/frontend/vulndb_cache.go
M go.mod
M go.sum
M internal/frontend/search.go
M internal/frontend/search_test.go
M internal/frontend/unit.go
M internal/frontend/versions.go
M internal/frontend/versions_test.go
M internal/frontend/vulns.go
M internal/frontend/vulns_test.go
M internal/memory/memory_test.go
M static/frontend/vuln/entry/entry.tmpl
M static/frontend/vuln/vuln.tmpl
13 files changed, 170 insertions(+), 98 deletions(-)

diff --git a/cmd/frontend/vulndb_cache.go b/cmd/frontend/vulndb_cache.go
index 22dd913..b333105 100644
--- a/cmd/frontend/vulndb_cache.go
+++ b/cmd/frontend/vulndb_cache.go
@@ -10,6 +10,7 @@
 	"time"
 
 	lru "github.com/hashicorp/golang-lru"
+	vulnc "golang.org/x/vuln/client"
 	"golang.org/x/vuln/osv"
 )
 
@@ -18,7 +19,7 @@
 type vulndbCache struct {
 	mu         sync.Mutex
 	dbName     string // support only one DB
-	index      osv.DBIndex
+	index      vulnc.DBIndex
 	retrieved  time.Time
 	entryCache *lru.Cache
 }
@@ -35,7 +36,7 @@
 
 // ReadIndex returns the index for dbName from the cache, or returns zero values
 // if it is not present.
-func (c *vulndbCache) ReadIndex(dbName string) (osv.DBIndex, time.Time, error) {
+func (c *vulndbCache) ReadIndex(dbName string) (vulnc.DBIndex, time.Time, error) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	if err := c.checkDB(dbName); err != nil {
@@ -45,7 +46,7 @@
 }
 
 // WriteIndex puts the index and retrieved time into the cache.
-func (c *vulndbCache) WriteIndex(dbName string, index osv.DBIndex, retrieved time.Time) error {
+func (c *vulndbCache) WriteIndex(dbName string, index vulnc.DBIndex, retrieved time.Time) error {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	if err := c.checkDB(dbName); err != nil {
diff --git a/go.mod b/go.mod
index 38d2621..e7aeb7a 100644
--- a/go.mod
+++ b/go.mod
@@ -22,7 +22,7 @@
 	github.com/go-redis/redis/v8 v8.11.4
 	github.com/go-redis/redis_rate/v9 v9.1.2
 	github.com/golang-migrate/migrate/v4 v4.15.1
-	github.com/google/go-cmp v0.5.6
+	github.com/google/go-cmp v0.5.8
 	github.com/google/go-replayers/httpreplay v1.0.0
 	github.com/google/licensecheck v0.3.1
 	github.com/google/safehtml v0.0.3-0.20211026203422-d6f0e11a5516
@@ -36,12 +36,12 @@
 	github.com/yuin/goldmark v1.4.13
 	github.com/yuin/goldmark-emoji v1.0.1
 	go.opencensus.io v0.23.0
-	golang.org/x/mod v0.5.1
-	golang.org/x/net v0.0.0-20211013171255-e13a2654a71e
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
+	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4
+	golang.org/x/net v0.0.0-20220722155237-a158d28d115b
+	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
 	golang.org/x/text v0.3.7
-	golang.org/x/tools v0.1.5
-	golang.org/x/vuln v0.0.0-20211104165457-3710d685f6c2
+	golang.org/x/tools v0.1.13-0.20220803210227-8b9a1fbdf5c3
+	golang.org/x/vuln v0.0.0-20220823182523-5ae4b706aeb8
 	google.golang.org/api v0.63.0
 	google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa
 	google.golang.org/grpc v1.43.0
@@ -102,7 +102,7 @@
 	go.uber.org/atomic v1.6.0 // indirect
 	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 // indirect
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
-	golang.org/x/sys v0.0.0-20211210111614-af8b64212486 // indirect
+	golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
diff --git a/go.sum b/go.sum
index 1030ddd..dbee01a 100644
--- a/go.sum
+++ b/go.sum
@@ -563,8 +563,9 @@
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
+github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-github/v35 v35.2.0/go.mod h1:s0515YVTI+IMrDoy9Y4pHt9ShGpzHvHO8rZ7L7acgvs=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/go-replayers/httpreplay v1.0.0 h1:8SmT8fUYM4nueF+UnXIX8LJxNTb1vpPuknXz+yTWzL4=
@@ -1171,8 +1172,8 @@
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.5.1 h1:OJxoQ/rynoF0dcCdI7cLPktw/hR2cueqYfjm43oqK38=
-golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.0.0-20180218175443-cbe0f9307d01/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1233,8 +1234,9 @@
 golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210916014120-12bc252f5db8/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211013171255-e13a2654a71e h1:Xj+JO91noE97IN6F/7WZxzC5QE6yENAQPrwIYhW3bsA=
 golang.org/x/net v0.0.0-20211013171255-e13a2654a71e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b h1:PxfKdU9lEEDYjdIzOtC4qFWgkU2rGHdKlKowJSMN9h0=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/oauth2 v0.0.0-20180227000427-d7d64896b5ff/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181106182150-f42d05182288/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -1267,8 +1269,9 @@
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 h1:uVc8UZUe6tr40fFVnUP5Oj+veunVezqYl9z7DYw9xzw=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180224232135-f6cff0780e54/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1374,11 +1377,12 @@
 golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211013075003-97ac67df715c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211210111614-af8b64212486 h1:5hpz5aRr+W1erYCL5JRhSUBJRph7l9XkNveoExlrKYk=
 golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f h1:v4INt8xihDGvnrfjMDVXGxw9wrfxYyCjk0KbXjhR55s=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1466,10 +1470,11 @@
 golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.5 h1:ouewzE6p+/VEB31YYnTbEJdi8pFqKp4P4n85vwo3DHA=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/vuln v0.0.0-20211104165457-3710d685f6c2 h1:NW7zCHSSPK1imIHQ2syrERqdvROo86oIxSNB10/En1E=
-golang.org/x/vuln v0.0.0-20211104165457-3710d685f6c2/go.mod h1:vGjwvr4zd0JNGaeuScTP00A/lDhN8Ao3GFprqIUiIcM=
+golang.org/x/tools v0.1.13-0.20220803210227-8b9a1fbdf5c3 h1:aE4T3aJwdCNz+s35ScSQYUzeGu7BOLDHZ1bBHVurqqY=
+golang.org/x/tools v0.1.13-0.20220803210227-8b9a1fbdf5c3/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/vuln v0.0.0-20220823182523-5ae4b706aeb8 h1:3XpOL48IUVS6mZLG5/twvtWSRL0VwLxX3wrA3nlEABU=
+golang.org/x/vuln v0.0.0-20220823182523-5ae4b706aeb8/go.mod h1:7tDfEDtOLlzHQRi4Yzfg5seVBSvouUIjyPzBx4q5CxQ=
 golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/internal/frontend/search.go b/internal/frontend/search.go
index 9863338..d0c97e0 100644
--- a/internal/frontend/search.go
+++ b/internal/frontend/search.go
@@ -230,7 +230,7 @@
 	}
 
 	if getVulnEntries != nil {
-		addVulns(results, getVulnEntries)
+		addVulns(ctx, results, getVulnEntries)
 	}
 
 	var numResults int
@@ -508,7 +508,7 @@
 
 // addVulns adds vulnerability information to search results by consulting the
 // vulnerability database.
-func addVulns(rs []*SearchResult, getVulnEntries vulnEntriesFunc) {
+func addVulns(ctx context.Context, rs []*SearchResult, getVulnEntries vulnEntriesFunc) {
 	// Get all vulns concurrently.
 	var wg sync.WaitGroup
 	// TODO(golang/go#48223): throttle concurrency?
@@ -517,7 +517,7 @@
 		wg.Add(1)
 		go func() {
 			defer wg.Done()
-			r.Vulns = VulnsForPackage(r.ModulePath, r.Version, r.PackagePath, getVulnEntries)
+			r.Vulns = VulnsForPackage(ctx, r.ModulePath, r.Version, r.PackagePath, getVulnEntries)
 		}()
 	}
 	wg.Wait()
diff --git a/internal/frontend/search_test.go b/internal/frontend/search_test.go
index ef6f6bb..ae6034f 100644
--- a/internal/frontend/search_test.go
+++ b/internal/frontend/search_test.go
@@ -157,7 +157,7 @@
 			}},
 		}}
 
-		getVulnEntries = func(modulePath string) ([]*osv.Entry, error) {
+		getVulnEntries = func(_ context.Context, modulePath string) ([]*osv.Entry, error) {
 			if modulePath == moduleFoo.ModulePath {
 				return vulnEntries, nil
 			}
@@ -230,7 +230,7 @@
 						DisplayVersion: moduleFoo.Version,
 						Licenses:       []string{"MIT"},
 						CommitTime:     elapsedTime(moduleFoo.CommitTime),
-						Vulns:          []Vuln{{ID: "test", Details: "vuln", FixedVersion: "v1.9.0"}},
+						Vulns:          []Vuln{{ID: "test", Details: "vuln"}},
 					},
 				},
 			},
diff --git a/internal/frontend/unit.go b/internal/frontend/unit.go
index 1614a43..6eddc07 100644
--- a/internal/frontend/unit.go
+++ b/internal/frontend/unit.go
@@ -235,7 +235,7 @@
 
 	// Get vulnerability information.
 	if s.vulnClient != nil {
-		page.Vulns = VulnsForPackage(um.ModulePath, um.Version, um.Path, s.vulnClient.GetByModule)
+		page.Vulns = VulnsForPackage(ctx, um.ModulePath, um.Version, um.Path, s.vulnClient.GetByModule)
 	}
 	s.servePage(ctx, w, tabSettings.TemplateName, page)
 	return nil
diff --git a/internal/frontend/versions.go b/internal/frontend/versions.go
index 73b0b3e..a364033 100644
--- a/internal/frontend/versions.go
+++ b/internal/frontend/versions.go
@@ -195,7 +195,7 @@
 		if sv := sh.SymbolsAtVersion(mi.Version); sv != nil {
 			vs.Symbols = symbolsForVersion(linkify(mi), sv)
 		}
-		vs.Vulns = VulnsForPackage(mi.ModulePath, mi.Version, "", getVulnEntries)
+		vs.Vulns = VulnsForPackage(ctx, mi.ModulePath, mi.Version, "", getVulnEntries)
 		vl := lists[key]
 		if vl == nil {
 			seenLists = append(seenLists, key)
diff --git a/internal/frontend/versions_test.go b/internal/frontend/versions_test.go
index 858a13f..62d0e12 100644
--- a/internal/frontend/versions_test.go
+++ b/internal/frontend/versions_test.go
@@ -98,7 +98,7 @@
 			}},
 		}},
 	}
-	getVulnEntries := func(m string) ([]*osv.Entry, error) {
+	getVulnEntries := func(_ context.Context, m string) ([]*osv.Entry, error) {
 		if m == modulePath1 {
 			return []*osv.Entry{vulnEntry}, nil
 		}
@@ -142,8 +142,7 @@
 					func() *VersionList {
 						vl := makeList(v1Path, modulePath1, "v1", []string{"v1.3.0", "v1.2.3", "v1.2.1"}, false)
 						vl.Versions[2].Vulns = []Vuln{{
-							Details:      vulnEntry.Details,
-							FixedVersion: "v" + vulnFixedVersion,
+							Details: vulnEntry.Details,
 						}}
 						return vl
 					}(),
diff --git a/internal/frontend/vulns.go b/internal/frontend/vulns.go
index 9a42cfc..ff920dc 100644
--- a/internal/frontend/vulns.go
+++ b/internal/frontend/vulns.go
@@ -5,6 +5,7 @@
 package frontend
 
 import (
+	"context"
 	"fmt"
 	"net/http"
 	"sort"
@@ -31,33 +32,31 @@
 	ID string
 	// A description of the vulnerability, or the problem in obtaining it.
 	Details string
-	// The version is which the vulnerability has been fixed.
-	FixedVersion string
 }
 
-type vulnEntriesFunc func(string) ([]*osv.Entry, error)
+type vulnEntriesFunc func(context.Context, string) ([]*osv.Entry, error)
 
 // VulnsForPackage obtains vulnerability information for the given package.
 // If packagePath is empty, it returns all entries for the module at version.
 // The getVulnEntries function should retrieve all entries for the given module path.
 // It is passed to facilitate testing.
 // If there is an error, VulnsForPackage returns a single Vuln that describes the error.
-func VulnsForPackage(modulePath, version, packagePath string, getVulnEntries vulnEntriesFunc) []Vuln {
-	vs, err := vulnsForPackage(modulePath, version, packagePath, getVulnEntries)
+func VulnsForPackage(ctx context.Context, modulePath, version, packagePath string, getVulnEntries vulnEntriesFunc) []Vuln {
+	vs, err := vulnsForPackage(ctx, modulePath, version, packagePath, getVulnEntries)
 	if err != nil {
 		return []Vuln{{Details: fmt.Sprintf("could not get vulnerability data: %v", err)}}
 	}
 	return vs
 }
 
-func vulnsForPackage(modulePath, version, packagePath string, getVulnEntries vulnEntriesFunc) (_ []Vuln, err error) {
+func vulnsForPackage(ctx context.Context, modulePath, version, packagePath string, getVulnEntries vulnEntriesFunc) (_ []Vuln, err error) {
 	defer derrors.Wrap(&err, "vulns(%q, %q, %q)", modulePath, version, packagePath)
 
 	if getVulnEntries == nil {
 		return nil, nil
 	}
 	// Get all the vulns for this module.
-	entries, err := getVulnEntries(modulePath)
+	entries, err := getVulnEntries(ctx, modulePath)
 	if err != nil {
 		return nil, err
 	}
@@ -75,46 +74,84 @@
 // VulnListPage holds the information for a page that lists all vuln entries.
 type VulnListPage struct {
 	basePage
-	Entries []*osv.Entry
+	Entries []OSVEntry
 }
 
 // VulnPage holds the information for a page that displays a single vuln entry.
 type VulnPage struct {
 	basePage
-	Entry            *osv.Entry
+	Entry            OSVEntry
 	AffectedPackages []*AffectedPackage
 	AliasLinks       []link
 	AdvisoryLinks    []link
 }
 
 type AffectedPackage struct {
-	Path     string // Package.Name in the osv.Entry
-	Versions string
+	PackagePath string
+	Versions    string
+}
+
+// OSVEntry holds an OSV entry and provides additional methods.
+type OSVEntry struct {
+	*osv.Entry
+}
+
+// AffectedModulesAndPackages returns a list of names affected by a vuln.
+func (e OSVEntry) AffectedModulesAndPackages() []string {
+	var affected []string
+	for _, a := range e.Affected {
+		switch a.Package.Name {
+		case "stdlib", "toolchain":
+			// Name specific standard library packages and tools.
+			for _, p := range a.EcosystemSpecific.Imports {
+				affected = append(affected, p.Path)
+			}
+		default:
+			// Outside the standard library, name the module.
+			affected = append(affected, a.Package.Name)
+		}
+	}
+	return affected
 }
 
 func entryVuln(e *osv.Entry, packagePath, version string) (Vuln, bool) {
 	for _, a := range e.Affected {
-		if (packagePath == "" || a.Package.Name == packagePath) && a.Ranges.AffectsSemver(version) {
-			// Choose the latest fixed version, if any.
-			var fixed string
-			for _, r := range a.Ranges {
-				if r.Type == osv.TypeGit {
-					continue
-				}
-				for _, re := range r.Events {
-					if re.Fixed != "" && (fixed == "" || semver.Compare(re.Fixed, fixed) > 0) {
-						fixed = re.Fixed
-					}
+		if !a.Ranges.AffectsSemver(version) {
+			continue
+		}
+		if packageMatches := func() bool {
+			if packagePath == "" {
+				return true //  match module only
+			}
+			if len(a.EcosystemSpecific.Imports) == 0 {
+				return true // no package info available, so match on module
+			}
+			for _, p := range a.EcosystemSpecific.Imports {
+				if packagePath == p.Path {
+					return true // package matches
 				}
 			}
-			fixed = addVersionPrefix(fixed, packagePath)
-			return Vuln{
-				ID:      e.ID,
-				Details: e.Details,
-				// TODO(golang/go#48223): handle stdlib versions
-				FixedVersion: fixed,
-			}, true
+			return false
+		}(); !packageMatches {
+			continue
 		}
+		// Choose the latest fixed version, if any.
+		var fixed string
+		for _, r := range a.Ranges {
+			if r.Type == osv.TypeGit {
+				continue
+			}
+			for _, re := range r.Events {
+				if re.Fixed != "" && (fixed == "" || semver.Compare(re.Fixed, fixed) > 0) {
+					fixed = re.Fixed
+				}
+			}
+		}
+		fixed = addVersionPrefix(fixed, packagePath)
+		return Vuln{
+			ID:      e.ID,
+			Details: e.Details,
+		}, true
 	}
 	return Vuln{}, false
 }
@@ -123,7 +160,7 @@
 	switch r.URL.Path {
 	case "/":
 		// Serve a list of most recent entries.
-		vulnListPage, err := newVulnListPage(s.vulnClient)
+		vulnListPage, err := newVulnListPage(r.Context(), s.vulnClient)
 		if err != nil {
 			return &serverError{status: derrors.ToStatus(err)}
 		}
@@ -134,7 +171,7 @@
 		s.servePage(r.Context(), w, "vuln/main", vulnListPage)
 	case "/list":
 		// Serve a list of all entries.
-		vulnListPage, err := newVulnListPage(s.vulnClient)
+		vulnListPage, err := newVulnListPage(r.Context(), s.vulnClient)
 		if err != nil {
 			return &serverError{status: derrors.ToStatus(err)}
 		}
@@ -151,7 +188,7 @@
 				responseText: "invalid Go vuln ID; should be GO-YYYY-NNNN",
 			}
 		}
-		vulnPage, err := newVulnPage(s.vulnClient, id)
+		vulnPage, err := newVulnPage(r.Context(), s.vulnClient, id)
 		if err != nil {
 			return &serverError{status: derrors.ToStatus(err)}
 		}
@@ -161,8 +198,8 @@
 	return nil
 }
 
-func newVulnPage(client vulnc.Client, id string) (*VulnPage, error) {
-	entry, err := client.GetByID(id)
+func newVulnPage(ctx context.Context, client vulnc.Client, id string) (*VulnPage, error) {
+	entry, err := client.GetByID(ctx, id)
 	if err != nil {
 		return nil, err
 	}
@@ -170,24 +207,24 @@
 		return nil, derrors.NotFound
 	}
 	return &VulnPage{
-		Entry:            entry,
+		Entry:            OSVEntry{entry},
 		AffectedPackages: affectedPackages(entry),
 		AliasLinks:       aliasLinks(entry),
 		AdvisoryLinks:    advisoryLinks(entry),
 	}, nil
 }
 
-func newVulnListPage(client vulnc.Client) (*VulnListPage, error) {
+func newVulnListPage(ctx context.Context, client vulnc.Client) (*VulnListPage, error) {
 	const concurrency = 4
 
-	ids, err := client.ListIDs()
+	ids, err := client.ListIDs(ctx)
 	if err != nil {
 		return nil, err
 	}
 	// Sort from most to least recent.
 	sort.Slice(ids, func(i, j int) bool { return ids[i] > ids[j] })
 
-	entries := make([]*osv.Entry, len(ids))
+	entries := make([]OSVEntry, len(ids))
 	sem := make(chan struct{}, concurrency)
 	var g errgroup.Group
 	for i, id := range ids {
@@ -196,11 +233,11 @@
 		sem <- struct{}{}
 		g.Go(func() error {
 			defer func() { <-sem }()
-			e, err := client.GetByID(id)
+			e, err := client.GetByID(ctx, id)
 			if err != nil {
 				return err
 			}
-			entries[i] = e
+			entries[i] = OSVEntry{e}
 			return nil
 		})
 	}
@@ -273,10 +310,12 @@
 			}
 			vs = append(vs, s)
 		}
-		affs = append(affs, &AffectedPackage{
-			Path:     a.Package.Name,
-			Versions: strings.Join(vs, ", "),
-		})
+		for _, p := range a.EcosystemSpecific.Imports {
+			affs = append(affs, &AffectedPackage{
+				PackagePath: p.Path,
+				Versions:    strings.Join(vs, ", "),
+			})
+		}
 	}
 	return affs
 }
diff --git a/internal/frontend/vulns_test.go b/internal/frontend/vulns_test.go
index eccb66d..ee91d62 100644
--- a/internal/frontend/vulns_test.go
+++ b/internal/frontend/vulns_test.go
@@ -5,6 +5,7 @@
 package frontend
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"reflect"
@@ -17,6 +18,7 @@
 )
 
 func TestVulnsForPackage(t *testing.T) {
+	ctx := context.Background()
 	e := osv.Entry{
 		Details: "bad",
 		Affected: []osv.Affected{{
@@ -25,10 +27,15 @@
 				Type:   osv.TypeSemver,
 				Events: []osv.RangeEvent{{Introduced: "0"}, {Fixed: "1.2.3"}},
 			}},
+			EcosystemSpecific: osv.EcosystemSpecific{
+				Imports: []osv.EcosystemSpecificImport{{
+					Path: "bad.com",
+				}},
+			},
 		}},
 	}
 
-	get := func(modulePath string) ([]*osv.Entry, error) {
+	get := func(_ context.Context, modulePath string) ([]*osv.Entry, error) {
 		switch modulePath {
 		case "good.com":
 			return nil, nil
@@ -39,20 +46,19 @@
 		}
 	}
 
-	got := VulnsForPackage("good.com", "v1.0.0", "good.com", get)
+	got := VulnsForPackage(ctx, "good.com", "v1.0.0", "good.com", get)
 	if got != nil {
 		t.Errorf("got %v, want nil", got)
 	}
-	got = VulnsForPackage("bad.com", "v1.0.0", "bad.com", get)
+	got = VulnsForPackage(ctx, "bad.com", "v1.0.0", "bad.com", get)
 	want := []Vuln{{
-		Details:      "bad",
-		FixedVersion: "v1.2.3",
+		Details: "bad",
 	}}
 	if diff := cmp.Diff(want, got); diff != "" {
 		t.Errorf("mismatch (-want, +got):\n%s", diff)
 	}
 
-	got = VulnsForPackage("bad.com", "v1.3.0", "bad.com", get)
+	got = VulnsForPackage(ctx, "bad.com", "v1.3.0", "bad.com", get)
 	if got != nil {
 		t.Errorf("got %v, want nil", got)
 	}
@@ -69,15 +75,16 @@
 }
 
 func TestNewVulnListPage(t *testing.T) {
+	ctx := context.Background()
 	c := &vulndbTestClient{entries: testEntries}
-	got, err := newVulnListPage(c)
+	got, err := newVulnListPage(ctx, c)
 	if err != nil {
 		t.Fatal(err)
 	}
 	// testEntries is already sorted by ID, but it should be reversed.
-	var wantEntries []*osv.Entry
+	var wantEntries []OSVEntry
 	for i := len(testEntries) - 1; i >= 0; i-- {
-		wantEntries = append(wantEntries, testEntries[i])
+		wantEntries = append(wantEntries, OSVEntry{testEntries[i]})
 	}
 	want := &VulnListPage{Entries: wantEntries}
 	if diff := cmp.Diff(want, got, cmpopts.IgnoreUnexported(VulnListPage{})); diff != "" {
@@ -86,12 +93,13 @@
 }
 
 func TestNewVulnPage(t *testing.T) {
+	ctx := context.Background()
 	c := &vulndbTestClient{entries: testEntries}
-	got, err := newVulnPage(c, "GO-1990-02")
+	got, err := newVulnPage(ctx, c, "GO-1990-02")
 	if err != nil {
 		t.Fatal(err)
 	}
-	want := &VulnPage{Entry: testEntries[1]}
+	want := &VulnPage{Entry: OSVEntry{testEntries[1]}}
 	if diff := cmp.Diff(want, got, cmpopts.IgnoreUnexported(VulnPage{})); diff != "" {
 		t.Errorf("mismatch (-want, +got):\n%s", diff)
 	}
@@ -102,11 +110,11 @@
 	entries []*osv.Entry
 }
 
-func (c *vulndbTestClient) GetByModule(string) ([]*osv.Entry, error) {
+func (c *vulndbTestClient) GetByModule(context.Context, string) ([]*osv.Entry, error) {
 	return nil, errors.New("unimplemented")
 }
 
-func (c *vulndbTestClient) GetByID(id string) (*osv.Entry, error) {
+func (c *vulndbTestClient) GetByID(_ context.Context, id string) (*osv.Entry, error) {
 	for _, e := range c.entries {
 		if e.ID == id {
 			return e, nil
@@ -115,7 +123,7 @@
 	return nil, nil
 }
 
-func (c *vulndbTestClient) ListIDs() ([]string, error) {
+func (c *vulndbTestClient) ListIDs(context.Context) ([]string, error) {
 	var ids []string
 	for _, e := range c.entries {
 		ids = append(ids, e.ID)
diff --git a/internal/memory/memory_test.go b/internal/memory/memory_test.go
index bf90273..af86271 100644
--- a/internal/memory/memory_test.go
+++ b/internal/memory/memory_test.go
@@ -5,14 +5,10 @@
 package memory
 
 import (
-	"runtime"
 	"testing"
 )
 
 func TestRead(t *testing.T) {
-	if runtime.GOOS == "darwin" {
-		t.Skip("darwin has no /proc/meminfo")
-	}
 	_, err := ReadSystemStats()
 	if err != nil {
 		t.Fatal(err)
diff --git a/static/frontend/vuln/entry/entry.tmpl b/static/frontend/vuln/entry/entry.tmpl
index 90f4291..53ba67a 100644
--- a/static/frontend/vuln/entry/entry.tmpl
+++ b/static/frontend/vuln/entry/entry.tmpl
@@ -59,7 +59,7 @@
     <tbody>
       {{range .}}
 	<tr>
-	  <td><a href="/{{.Path}}">{{.Path}}</a></td>
+	  <td><a href="/{{.PackagePath}}">{{.PackagePath}}</a></td>
 	  <td>{{.Versions}}</td>
 	</tr>
       {{end}}
diff --git a/static/frontend/vuln/vuln.tmpl b/static/frontend/vuln/vuln.tmpl
index 6adfad4..cb70161 100644
--- a/static/frontend/vuln/vuln.tmpl
+++ b/static/frontend/vuln/vuln.tmpl
@@ -22,7 +22,7 @@
 {{end}}
 
 {{define "vuln-details"}}
-  {{/* . is osv.Entry */}}
+  {{/* . is OSVEntry */}}
   <div class="Vuln-details">
     <ul class="Vuln-detailsMetadata">
       {{if .Aliases}}
@@ -31,9 +31,11 @@
         </li>
       {{end}}
       <li class="go-textSubtle">Affects:
-        {{range $i, $v := .Affected}}
-          {{- if lt $i 2}}{{- if ne $i 0}}, {{end -}}{{$v.Package.Name}}{{end -}}
-          {{- if eq $i 2}}, and {{subtract (len $.Affected) 2}} more{{end -}}
+       {{with $packages := .AffectedModulesAndPackages}}
+          {{range $i, $name := $packages}}
+            {{- if lt $i 2}}{{- if ne $i 0}}, {{end -}}{{$name}}{{end -}}
+            {{- if eq $i 2}}, and {{subtract (len $packages) 2}} more{{end -}}
+          {{end}}
         {{end}}
       </li>
       <li class="go-textSubtle">Published: {{.Published.Format "Jan 02, 2006"}}</li>
@@ -61,4 +63,4 @@
     <input name="q" class="go-Input" placeholder="Search GO IDs" />
     <button class="go-Button">Submit</button>
   </form>
-{{end}}
\ No newline at end of file
+{{end}}

To view, visit change 425202. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: pkgsite

Gerrit-Branch: master

Gerrit-Change-Id: Ib34e5f9388829c0ae3448ee14e32a725fb24cb48

Gerrit-Change-Number: 425202

Gerrit-PatchSet: 1

Gerrit-Owner: Damien Neil <dn...@google.com>

Gerrit-MessageType: newchange

[Damien Neil (Gerrit)]

Patch set 1:Run-TryBot +1

View Change

To view, visit change 425202. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: pkgsite

Gerrit-Branch: master

Gerrit-Change-Id: Ib34e5f9388829c0ae3448ee14e32a725fb24cb48

Gerrit-Change-Number: 425202

Gerrit-PatchSet: 1

Gerrit-Owner: Damien Neil <dn...@google.com>

Gerrit-Reviewer: Damien Neil <dn...@google.com>

Gerrit-Comment-Date: Tue, 23 Aug 2022 23:21:33 +0000

Gerrit-HasComments: No

Gerrit-Has-Labels: Yes

Gerrit-MessageType: comment

[kokoro (Gerrit)]

Attention is currently required from: Damien Neil, Julie Qiu.

Kokoro presubmit build finished with status: FAILURE
Logs at: https://source.cloud.google.com/results/invocations/a4defe8e-e9a2-4461-b0df-7549bb099ff2

Patch set 1:TryBot-Result -1

View Change

To view, visit change 425202. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: pkgsite

Gerrit-Branch: master

Gerrit-Change-Id: Ib34e5f9388829c0ae3448ee14e32a725fb24cb48

Gerrit-Change-Number: 425202

Gerrit-PatchSet: 1

Gerrit-Owner: Damien Neil <dn...@google.com>

Gerrit-Reviewer: Damien Neil <dn...@google.com>

Gerrit-Reviewer: Julie Qiu <juli...@google.com>

Gerrit-Reviewer: kokoro <noreply...@google.com>

Gerrit-Attention: Julie Qiu <juli...@google.com>

Gerrit-Attention: Damien Neil <dn...@google.com>

Gerrit-Comment-Date: Tue, 23 Aug 2022 23:32:31 +0000

[Damien Neil (Gerrit)]

Attention is currently required from: Damien Neil, Julie Qiu.

Damien Neil uploaded patch set #2 to this change.

View Change

The following approvals got outdated and were removed: Run-TryBot+1 by Damien Neil, TryBot-Result-1 by kokoro

13 files changed, 169 insertions(+), 98 deletions(-)

To view, visit change 425202. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: pkgsite

Gerrit-Branch: master

Gerrit-Change-Id: Ib34e5f9388829c0ae3448ee14e32a725fb24cb48

Gerrit-Change-Number: 425202

Gerrit-PatchSet: 2

Gerrit-Owner: Damien Neil <dn...@google.com>

Gerrit-Reviewer: Damien Neil <dn...@google.com>

Gerrit-Reviewer: Julie Qiu <juli...@google.com>

Gerrit-Reviewer: kokoro <noreply...@google.com>

Gerrit-Attention: Julie Qiu <juli...@google.com>

Gerrit-Attention: Damien Neil <dn...@google.com>

Gerrit-MessageType: newpatchset

[Damien Neil (Gerrit)]

Attention is currently required from: Julie Qiu.

Patch set 2:Run-TryBot +1

View Change

To view, visit change 425202. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: pkgsite

Gerrit-Branch: master

Gerrit-Change-Id: Ib34e5f9388829c0ae3448ee14e32a725fb24cb48

Gerrit-Change-Number: 425202

Gerrit-PatchSet: 2

Gerrit-Owner: Damien Neil <dn...@google.com>

Gerrit-Reviewer: Damien Neil <dn...@google.com>

Gerrit-Reviewer: Julie Qiu <juli...@google.com>

Gerrit-Reviewer: kokoro <noreply...@google.com>

Gerrit-Attention: Julie Qiu <juli...@google.com>

Gerrit-Comment-Date: Wed, 24 Aug 2022 03:48:55 +0000

[kokoro (Gerrit)]

Attention is currently required from: Damien Neil, Julie Qiu.

Kokoro presubmit build finished with status: FAILURE

Logs at: https://source.cloud.google.com/results/invocations/0028a566-1a2a-4a51-9c45-d27daa8ba7eb

Patch set 2:TryBot-Result -1

View Change

To view, visit change 425202. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: pkgsite

Gerrit-Branch: master

Gerrit-Change-Id: Ib34e5f9388829c0ae3448ee14e32a725fb24cb48

Gerrit-Change-Number: 425202

Gerrit-PatchSet: 2

Gerrit-Owner: Damien Neil <dn...@google.com>

Gerrit-Reviewer: Damien Neil <dn...@google.com>

Gerrit-Reviewer: Julie Qiu <juli...@google.com>

Gerrit-Reviewer: kokoro <noreply...@google.com>

Gerrit-Attention: Julie Qiu <juli...@google.com>

Gerrit-Attention: Damien Neil <dn...@google.com>

Gerrit-Comment-Date: Wed, 24 Aug 2022 03:59:39 +0000

[Damien Neil (Gerrit)]

Attention is currently required from: Damien Neil, Julie Qiu.

Damien Neil uploaded patch set #3 to this change.

13 files changed, 169 insertions(+), 108 deletions(-)

To view, visit change 425202. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: pkgsite

Gerrit-Branch: master

Gerrit-Change-Id: Ib34e5f9388829c0ae3448ee14e32a725fb24cb48

Gerrit-Change-Number: 425202

Gerrit-PatchSet: 3

Gerrit-Owner: Damien Neil <dn...@google.com>

Gerrit-Reviewer: Damien Neil <dn...@google.com>

Gerrit-Reviewer: Julie Qiu <juli...@google.com>

Gerrit-Reviewer: kokoro <noreply...@google.com>

Gerrit-Attention: Julie Qiu <juli...@google.com>

Gerrit-Attention: Damien Neil <dn...@google.com>

Gerrit-MessageType: newpatchset

[Damien Neil (Gerrit)]

Attention is currently required from: Julie Qiu.

Patch set 3:Run-TryBot +1

View Change

To view, visit change 425202. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: pkgsite

Gerrit-Branch: master

Gerrit-Change-Id: Ib34e5f9388829c0ae3448ee14e32a725fb24cb48

Gerrit-Change-Number: 425202

Gerrit-PatchSet: 3

Gerrit-Owner: Damien Neil <dn...@google.com>

Gerrit-Reviewer: Damien Neil <dn...@google.com>

Gerrit-Reviewer: Julie Qiu <juli...@google.com>

Gerrit-Reviewer: kokoro <noreply...@google.com>

Gerrit-Attention: Julie Qiu <juli...@google.com>

Gerrit-Comment-Date: Wed, 24 Aug 2022 04:01:47 +0000

[kokoro (Gerrit)]

Attention is currently required from: Julie Qiu.

Kokoro presubmit build finished with status: SUCCESS
Logs at: https://source.cloud.google.com/results/invocations/280586d9-f1cb-4585-947f-52e7b8315508

Patch set 3:TryBot-Result +1

View Change

To view, visit change 425202. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: pkgsite

Gerrit-Branch: master

Gerrit-Change-Id: Ib34e5f9388829c0ae3448ee14e32a725fb24cb48

Gerrit-Change-Number: 425202

Gerrit-PatchSet: 3

Gerrit-Owner: Damien Neil <dn...@google.com>

Gerrit-Reviewer: Damien Neil <dn...@google.com>

Gerrit-Reviewer: Julie Qiu <juli...@google.com>

Gerrit-Reviewer: kokoro <noreply...@google.com>

Gerrit-Attention: Julie Qiu <juli...@google.com>

Gerrit-Comment-Date: Wed, 24 Aug 2022 04:26:41 +0000

[Julie Qiu (Gerrit)]

Attention is currently required from: Damien Neil.

Patch set 3:Code-Review +2

View Change

1 comment:

• File internal/memory/memory_test.go:

  • Patch Set #3, Line 13:

    	if runtime.GOOS == "darwin" {

• • 
    		t.Skip("darwin has no /proc/meminfo")
    	}
    

• • did you mean to delete this?

To view, visit change 425202. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: pkgsite

Gerrit-Branch: master

Gerrit-Change-Id: Ib34e5f9388829c0ae3448ee14e32a725fb24cb48

Gerrit-Change-Number: 425202

Gerrit-PatchSet: 3

Gerrit-Owner: Damien Neil <dn...@google.com>

Gerrit-Reviewer: Damien Neil <dn...@google.com>

Gerrit-Reviewer: Julie Qiu <juli...@google.com>

Gerrit-Reviewer: kokoro <noreply...@google.com>

Gerrit-Attention: Damien Neil <dn...@google.com>

Gerrit-Comment-Date: Wed, 24 Aug 2022 16:03:15 +0000

Gerrit-HasComments: Yes

Gerrit-Has-Labels: Yes

Gerrit-MessageType: comment

[Damien Neil (Gerrit)]

Attention is currently required from: Damien Neil.

Damien Neil uploaded patch set #4 to this change.

View Change

The following approvals got outdated and were removed: Run-TryBot+1 by Damien Neil, TryBot-Result+1 by kokoro

all: update for osv schema change

Update golang.org/x/vuln to latest.

/vuln/list, /vuln: Set "Affects:" header to a list of stdlib package
names and non-stdlib module names. For example, "net/http, golang.org/x/net".

/vuln: Find list of affected packages from ecosystem_specific.imports field.
Perhaps this page should list modules, or modules and packages within the
module, but for now just update the list to reflect the changed location
of package names in the OSV.

Package page, package versions tab: No changes to content, but use the
ecosystem_specific.imports field for package names.

Change-Id: Ib34e5f9388829c0ae3448ee14e32a725fb24cb48
---
M cmd/frontend/vulndb_cache.go
M go.mod
M go.sum
M internal/frontend/search.go
M internal/frontend/search_test.go
M internal/frontend/unit.go
M internal/frontend/versions.go
M internal/frontend/versions_test.go
M internal/frontend/vulns.go
M internal/frontend/vulns_test.go

M static/frontend/vuln/entry/entry.tmpl
M static/frontend/vuln/vuln.tmpl
12 files changed, 169 insertions(+), 104 deletions(-)

To view, visit change 425202. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: pkgsite

Gerrit-Branch: master

Gerrit-Change-Id: Ib34e5f9388829c0ae3448ee14e32a725fb24cb48

Gerrit-Change-Number: 425202

Gerrit-PatchSet: 4

Gerrit-Owner: Damien Neil <dn...@google.com>

Gerrit-Reviewer: Damien Neil <dn...@google.com>

Gerrit-Reviewer: Julie Qiu <juli...@google.com>

Gerrit-Reviewer: kokoro <noreply...@google.com>

Gerrit-Attention: Damien Neil <dn...@google.com>

Gerrit-MessageType: newpatchset

[Damien Neil (Gerrit)]

Patch set 3:Run-TryBot +1

View Change

1 comment:

• File internal/memory/memory_test.go:

• • Patch Set #3, Line 13:

    	if runtime.GOOS == "darwin" {
    		t.Skip("darwin has no /proc/meminfo")
    	}
    

    did you mean to delete this?

• • Nope, fixed.

To view, visit change 425202. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: pkgsite

Gerrit-Branch: master

Gerrit-Change-Id: Ib34e5f9388829c0ae3448ee14e32a725fb24cb48

Gerrit-Change-Number: 425202

Gerrit-PatchSet: 3

Gerrit-Owner: Damien Neil <dn...@google.com>

Gerrit-Reviewer: Damien Neil <dn...@google.com>

Gerrit-Reviewer: Julie Qiu <juli...@google.com>

Gerrit-Reviewer: kokoro <noreply...@google.com>

Gerrit-Comment-Date: Wed, 24 Aug 2022 16:55:09 +0000

Gerrit-HasComments: Yes

Gerrit-Has-Labels: Yes

Comment-In-Reply-To: Julie Qiu <juli...@google.com>

Gerrit-MessageType: comment

[Damien Neil (Gerrit)]

Damien Neil submitted this change.

View Change

3 is the latest approved patch-set.
The change was submitted with unreviewed changes in the following files:

```
The name of the file: internal/memory/memory_test.go
Insertions: 4, Deletions: 0.

@@ -5,10 +5,14 @@
 package memory
 
 import (
+	"runtime"

 	"testing"
 )
 
 func TestRead(t *testing.T) {

+	if runtime.GOOS == "darwin" {
+		t.Skip("darwin has no /proc/meminfo")
+	}

 	_, err := ReadSystemStats()
 	if err != nil {
 		t.Fatal(err)

```

Approvals: Julie Qiu: Looks good to me, approved

all: update for osv schema change

Update golang.org/x/vuln to latest.

/vuln/list, /vuln: Set "Affects:" header to a list of stdlib package
names and non-stdlib module names. For example, "net/http, golang.org/x/net".

/vuln: Find list of affected packages from ecosystem_specific.imports field.
Perhaps this page should list modules, or modules and packages within the
module, but for now just update the list to reflect the changed location
of package names in the OSV.

Package page, package versions tab: No changes to content, but use the
ecosystem_specific.imports field for package names.

Change-Id: Ib34e5f9388829c0ae3448ee14e32a725fb24cb48

Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/425202
Reviewed-by: Julie Qiu <juli...@google.com>

---
M cmd/frontend/vulndb_cache.go
M go.mod
M go.sum
M internal/frontend/search.go
M internal/frontend/search_test.go
M internal/frontend/unit.go
M internal/frontend/versions.go
M internal/frontend/versions_test.go
M internal/frontend/vulns.go
M internal/frontend/vulns_test.go
M static/frontend/vuln/entry/entry.tmpl
M static/frontend/vuln/vuln.tmpl

12 files changed, 171 insertions(+), 104 deletions(-)

index 9a42cfc..159b8cd 100644

@@ -75,46 +74,83 @@

+		return Vuln{
+			ID:      e.ID,
+			Details: e.Details,
+		}, true
 	}
 	return Vuln{}, false
 }

@@ -123,7 +159,7 @@

 	switch r.URL.Path {
 	case "/":
 		// Serve a list of most recent entries.
-		vulnListPage, err := newVulnListPage(s.vulnClient)
+		vulnListPage, err := newVulnListPage(r.Context(), s.vulnClient)
 		if err != nil {
 			return &serverError{status: derrors.ToStatus(err)}
 		}

@@ -134,7 +170,7 @@

 		s.servePage(r.Context(), w, "vuln/main", vulnListPage)
 	case "/list":
 		// Serve a list of all entries.
-		vulnListPage, err := newVulnListPage(s.vulnClient)
+		vulnListPage, err := newVulnListPage(r.Context(), s.vulnClient)
 		if err != nil {
 			return &serverError{status: derrors.ToStatus(err)}
 		}

@@ -151,7 +187,7 @@

 				responseText: "invalid Go vuln ID; should be GO-YYYY-NNNN",
 			}
 		}
-		vulnPage, err := newVulnPage(s.vulnClient, id)
+		vulnPage, err := newVulnPage(r.Context(), s.vulnClient, id)
 		if err != nil {
 			return &serverError{status: derrors.ToStatus(err)}
 		}

@@ -161,8 +197,8 @@

 	return nil
 }
 
-func newVulnPage(client vulnc.Client, id string) (*VulnPage, error) {
-	entry, err := client.GetByID(id)
+func newVulnPage(ctx context.Context, client vulnc.Client, id string) (*VulnPage, error) {
+	entry, err := client.GetByID(ctx, id)
 	if err != nil {
 		return nil, err
 	}

@@ -170,24 +206,24 @@

 		return nil, derrors.NotFound
 	}
 	return &VulnPage{
-		Entry:            entry,
+		Entry:            OSVEntry{entry},
 		AffectedPackages: affectedPackages(entry),
 		AliasLinks:       aliasLinks(entry),
 		AdvisoryLinks:    advisoryLinks(entry),
 	}, nil
 }
 
-func newVulnListPage(client vulnc.Client) (*VulnListPage, error) {
+func newVulnListPage(ctx context.Context, client vulnc.Client) (*VulnListPage, error) {
 	const concurrency = 4
 
-	ids, err := client.ListIDs()
+	ids, err := client.ListIDs(ctx)
 	if err != nil {
 		return nil, err
 	}
 	// Sort from most to least recent.
 	sort.Slice(ids, func(i, j int) bool { return ids[i] > ids[j] })
 
-	entries := make([]*osv.Entry, len(ids))
+	entries := make([]OSVEntry, len(ids))
 	sem := make(chan struct{}, concurrency)
 	var g errgroup.Group
 	for i, id := range ids {

@@ -196,11 +232,11 @@

 		sem <- struct{}{}
 		g.Go(func() error {
 			defer func() { <-sem }()
-			e, err := client.GetByID(id)
+			e, err := client.GetByID(ctx, id)
 			if err != nil {
 				return err
 			}
-			entries[i] = e
+			entries[i] = OSVEntry{e}
 			return nil
 		})
 	}

@@ -273,10 +309,12 @@

 			}
 			vs = append(vs, s)
 		}
-		affs = append(affs, &AffectedPackage{
-			Path:     a.Package.Name,
-			Versions: strings.Join(vs, ", "),
-		})
+		for _, p := range a.EcosystemSpecific.Imports {
+			affs = append(affs, &AffectedPackage{
+				PackagePath: p.Path,
+				Versions:    strings.Join(vs, ", "),
+			})
+		}
 	}
 	return affs
 }

@@ -314,13 +352,3 @@
 	}
 	return links
 }
-
-func addVersionPrefix(semver, packagePath string) (res string) {
-	if semver == "" {
-		return ""
-	}
-	if packagePath != "" && stdlib.Contains(packagePath) {
-		return "go" + semver
-	}
-	return "v" + semver
-}

To view, visit change 425202. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: pkgsite

Gerrit-Branch: master

Gerrit-Change-Id: Ib34e5f9388829c0ae3448ee14e32a725fb24cb48

Gerrit-Change-Number: 425202

Gerrit-PatchSet: 5

Gerrit-Owner: Damien Neil <dn...@google.com>

Gerrit-Reviewer: Damien Neil <dn...@google.com>

Gerrit-Reviewer: Julie Qiu <juli...@google.com>

Gerrit-Reviewer: kokoro <noreply...@google.com>

Gerrit-MessageType: merged