Tatiana Bradley has uploaded this change for review.
lint
Change-Id: Ib656a6dfc5d91be538c6c80e466631ab2d07d3d4
---
M internal/report/lint.go
M reports/GO-2021-0067.yaml
M reports/GO-2021-0068.yaml
M reports/GO-2021-0069.yaml
M reports/GO-2021-0140.yaml
M reports/GO-2021-0141.yaml
M reports/GO-2021-0157.yaml
M reports/GO-2021-0159.yaml
M reports/GO-2021-0172.yaml
M reports/GO-2021-0178.yaml
10 files changed, 56 insertions(+), 3 deletions(-)
diff --git a/internal/report/lint.go b/internal/report/lint.go
index cc37654..d31a4a1 100644
--- a/internal/report/lint.go
+++ b/internal/report/lint.go
@@ -163,6 +163,36 @@
var cveRegex = regexp.MustCompile(`^CVE-\d{4}-\d{4,}$`)
+func (r *Report) lintStdLibLinks(addIssue func(string)) {
+ prPrefix := "https://go.dev/cl/"
+ if !strings.HasPrefix(r.Links.PR, prPrefix) {
+ addIssue(fmt.Sprintf("links.pr should start with %q", prPrefix))
+ }
+ commitPrefix := "https://go.googlesource.com/go/+/"
+ if !strings.HasPrefix(r.Links.Commit, commitPrefix) {
+ addIssue(fmt.Sprintf("links.commit should start with %q", commitPrefix))
+ }
+ hasIssueLink := false
+ hasAnnounceLink := false
+ issuePrefix := "https://go.dev/issue/"
+ golangAnnouncePrefix := "https://groups.google.com/g/golang-announce/c/"
+ golangDevPrefix := "https://groups.google.com/g/golang-dev/c/"
+ for _, c := range r.Links.Context {
+ if strings.HasPrefix(c, issuePrefix) {
+ hasIssueLink = true
+ }
+ if strings.HasPrefix(c, golangAnnouncePrefix) || strings.HasPrefix(c, golangDevPrefix) {
+ hasAnnounceLink = true
+ }
+ }
+ if !hasIssueLink {
+ addIssue(fmt.Sprintf("links.context should contain an issue link beginning with %q", issuePrefix))
+ }
+ if !hasAnnounceLink {
+ addIssue(fmt.Sprintf("links.context should contain a golang-announce@ link beginning with %q", golangAnnouncePrefix))
+ }
+}
+
// Lint checks the content of a Report.
// TODO: It might make sense to include warnings or informational things
// alongside errors, especially during for use during the triage process.
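Review bot: The `strings.HasPrefix` checks in `lintStdLibLinks` accept any value that merely begins with the expected prefix, so an issue entry with no number, a stray `#`, or trailing text still passes the lint; the `https://go.dev/issue/#16296` line added to reports/GO-2021-0172.yaml in this same change is one that gets through. These links are what consumers of a vulnerability report follow to reach the fix and the advisory, so the whole value should be matched, for example with `var issueRegex = regexp.MustCompile("^https://go\\.dev/issue/\\d+$")` next to `cveRegex` and `if issueRegex.MatchString(c) { hasIssueLink = true }` in the loop, and similar patterns for links.pr and links.commit. The last message also names only the golang-announce prefix although a golang-dev link satisfies the check; `"links.context should contain an announcement link beginning with %q or %q"` would match what the code accepts.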
@@ -177,6 +207,7 @@
addIssue("no packages")
}
+ appliesToStdLib := false
for i, p := range r.Packages {
addPkgIssue := func(iss string) {
issues = append(issues, fmt.Sprintf("packages[%v]: %v", i, iss))
@@ -207,6 +238,7 @@
}
}
} else {
+ appliesToStdLib = true
if p.Package == "" {
addPkgIssue("missing package")
}
@@ -265,6 +297,9 @@
addIssue(fmt.Sprintf("%q should be %q", l, fixURL(l)))
}
}
+ if appliesToStdLib {
+ r.lintStdLibLinks(addIssue)
+ }
return issues
}
diff --git a/reports/GO-2021-0067.yaml b/reports/GO-2021-0067.yaml
index 3fd7d9a..90745b8 100644
--- a/reports/GO-2021-0067.yaml
+++ b/reports/GO-2021-0067.yaml
@@ -15,7 +15,8 @@
cves:
- CVE-2021-27919
links:
- pr: https://go-review.googlesource.com/c/go/+/300489
+ pr: https://go.dev/cl/300489
commit: https://go.googlesource.com/go/+/cd3b4ca9f20fd14187ed4cdfdee1a02ea87e5cd8
context:
- https://go.dev/issue/44916
+ - https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw/m/zzhWj5jPAQAJ
diff --git a/reports/GO-2021-0068.yaml b/reports/GO-2021-0068.yaml
index 822af93..43df550 100644
--- a/reports/GO-2021-0068.yaml
+++ b/reports/GO-2021-0068.yaml
@@ -21,5 +21,6 @@
commit: https://go.googlesource.com/go/+/953d1feca9b21af075ad5fc8a3dad096d3ccc3a0
context:
- https://go.dev/issue/43783
+ - https://groups.google.com/g/golang-announce/c/mperVMGa98w/m/yo5W5wnvAAAJ
- https://go.dev/cl/284780
- https://go.googlesource.com/go/+/46e2e2e9d99925bbf724b12693c6d3e27a95d6a0
diff --git a/reports/GO-2021-0069.yaml b/reports/GO-2021-0069.yaml
index 2998cd1..0c77646 100644
--- a/reports/GO-2021-0069.yaml
+++ b/reports/GO-2021-0069.yaml
@@ -15,7 +15,8 @@
cves:
- CVE-2020-28362
links:
- pr: https://go-review.googlesource.com/c/go/+/269657
+ pr: https://go.dev/cl/269657
commit: https://go.googlesource.com/go/+/1e1fa5903b760c6714ba17e50bf850b01f49135c
context:
- https://go.dev/issue/42552
+ - https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM/m/fLguyiM2CAAJ
diff --git a/reports/GO-2021-0140.yaml b/reports/GO-2021-0140.yaml
index b4dacdf..1e6de73 100644
--- a/reports/GO-2021-0140.yaml
+++ b/reports/GO-2021-0140.yaml
@@ -20,4 +20,5 @@
pr: https://go.dev/cl/242597
commit: https://go.googlesource.com/go/+/82175e699a2e2cd83d3aa34949e9b922d66d52f5
context:
+ - https://go.dev/issue/39360
- https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w
diff --git a/reports/GO-2021-0141.yaml b/reports/GO-2021-0141.yaml
index 58d7c96..6cd8d1c 100644
--- a/reports/GO-2021-0141.yaml
+++ b/reports/GO-2021-0141.yaml
@@ -20,3 +20,4 @@
commit: https://go.googlesource.com/go/+/fa98f46741f818913a8c11b877520a548715131f
context:
- https://go.dev/issue/34902
+ - https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w/m/E6gHDs32AQAJ
diff --git a/reports/GO-2021-0157.yaml b/reports/GO-2021-0157.yaml
index 505a354..c13230c 100644
--- a/reports/GO-2021-0157.yaml
+++ b/reports/GO-2021-0157.yaml
@@ -17,4 +17,5 @@
pr: https://go.dev/cl/11772
commit: https://go.googlesource.com/go/+/117ddcb83d7f42d6aa72241240af99ded81118e9
context:
+ - https://go.dev/issue/ (no associated issue)
- https://groups.google.com/g/golang-announce/c/iSIyW4lM4hY/m/ADuQR4DiDwAJ
diff --git a/reports/GO-2021-0159.yaml b/reports/GO-2021-0159.yaml
index 52e8f5b..4aa6e06 100644
--- a/reports/GO-2021-0159.yaml
+++ b/reports/GO-2021-0159.yaml
@@ -33,4 +33,6 @@
- https://go.googlesource.com/go/+/117ddcb83d7f42d6aa72241240af99ded81118e9
- https://go.googlesource.com/go/+/300d9a21583e7cf0149a778a0611e76ff7c6680f
- https://go.googlesource.com/go/+/c2db5f4ccc61ba7df96a747e268a277b802cbb87
+ - https://go.dev/issue/12027
+ - https://go.dev/issue/11930
- https://groups.google.com/g/golang-announce/c/iSIyW4lM4hY/m/ADuQR4DiDwAJ
diff --git a/reports/GO-2021-0172.yaml b/reports/GO-2021-0172.yaml
index b70a1a8..2fb3c9e 100644
--- a/reports/GO-2021-0172.yaml
+++ b/reports/GO-2021-0172.yaml
@@ -20,4 +20,5 @@
pr: https://go.dev/cl/30410
commit: https://go.googlesource.com/go/+/7478ea5dba7ed02ddffd91c1d17ec8141f7cf184
context:
+ - https://go.dev/issue/#16296
- https://groups.google.com/g/golang-dev/c/4NdLzS8sls8/m/uIz8QlnIBQAJ
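Review bot: The added context entry `https://go.dev/issue/#16296` has a stray `#` before the issue number, which puts `16296` in the URL fragment rather than the path, so the link most likely does not resolve to the intended issue. It should read `- https://go.dev/issue/16296`, the form the other reports in this change use.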
diff --git a/reports/GO-2021-0178.yaml b/reports/GO-2021-0178.yaml
index 577641c..f3263c6 100644
--- a/reports/GO-2021-0178.yaml
+++ b/reports/GO-2021-0178.yaml
@@ -21,4 +21,4 @@
commit: https://go.googlesource.com/go/+/ec3b6131de8f9c9c25283260c95c616c74f6d790
context:
- https://go.dev/issue/22134
- - https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ
+ - https://groups.google.com/g/golang-dev/c/RinSE3EiJBI/m/kYL7zb07AgAJ
Tatiana Bradley uploaded patch set #2 to this change.
x/vulndb: update vulnreport lint to check stdlib report format
Fixes #52830
Change-Id: Ib656a6dfc5d91be538c6c80e466631ab2d07d3d4
---
M internal/report/lint.go
M reports/GO-2021-0067.yaml
M reports/GO-2021-0068.yaml
M reports/GO-2021-0069.yaml
M reports/GO-2021-0140.yaml
M reports/GO-2021-0141.yaml
M reports/GO-2021-0157.yaml
M reports/GO-2021-0159.yaml
M reports/GO-2021-0172.yaml
M reports/GO-2021-0178.yaml
10 files changed, 58 insertions(+), 3 deletions(-)
Patch set 2:Run-TryBot +1
Attention is currently required from: Tatiana Bradley.
Tatiana Bradley uploaded patch set #3 to this change.
The following approvals got outdated and were removed: Run-TryBot+1 by Tatiana Bradley
x/vulndb: update vulnreport lint to check stdlib report format
Update lint tool to check correctness of links in stdlib reports. Also update existing reports that do not meet the new requirements.
Fixes #52830
Change-Id: Ib656a6dfc5d91be538c6c80e466631ab2d07d3d4
---
M internal/report/lint.go
M reports/GO-2021-0067.yaml
M reports/GO-2021-0068.yaml
M reports/GO-2021-0069.yaml
M reports/GO-2021-0140.yaml
M reports/GO-2021-0141.yaml
M reports/GO-2021-0157.yaml
M reports/GO-2021-0159.yaml
M reports/GO-2021-0172.yaml
M reports/GO-2021-0178.yaml
10 files changed, 60 insertions(+), 3 deletions(-)
Attention is currently required from: Tatiana Bradley.
Set Ready For Review
Attention is currently required from: Julie Qiu.
Tatiana Bradley uploaded patch set #7 to this change.
x/vulndb: update vulnreport lint to check stdlib report links
Update lint tool to check correctness of links in stdlib reports, and
update existing reports that do not meet the new requirements.
Also adds a lint check to ensure all links are parseable as URLs.
Fixes #52830
Change-Id: Ib656a6dfc5d91be538c6c80e466631ab2d07d3d4
---
M internal/report/lint.go
M internal/report/lint_test.go
M reports/GO-2020-0012.yaml
M reports/GO-2020-0013.yaml
M reports/GO-2020-0015.yaml
M reports/GO-2021-0067.yaml
M reports/GO-2021-0068.yaml
M reports/GO-2021-0069.yaml
M reports/GO-2021-0078.yaml
M reports/GO-2021-0091.yaml
M reports/GO-2021-0113.yaml
M reports/GO-2021-0140.yaml
M reports/GO-2021-0141.yaml
M reports/GO-2021-0157.yaml
M reports/GO-2021-0159.yaml
M reports/GO-2021-0172.yaml
M reports/GO-2021-0178.yaml
M reports/GO-2021-0227.yaml
M reports/GO-2022-0273.yaml
M reports/GO-2022-0289.yaml
20 files changed, 169 insertions(+), 36 deletions(-)
Attention is currently required from: Damien Neil, Julie Qiu.
Patch set 7:Run-TryBot +1
1 comment:
File reports/GO-2021-0157.yaml:
Patch Set #7, Line 20: - https://go.dev/issue/000 (no associated issue)
This feels like a hacky solution - any ideas for how to indicate a legacy report with no associated issue?
Attention is currently required from: Julie Qiu, Tatiana Bradley.
1 comment:
File reports/GO-2021-0157.yaml:
Patch Set #7, Line 20: - https://go.dev/issue/000 (no associated issue)
This feels like a hacky solution - any ideas for how to indicate a legacy report with no associated […]
How about we retroactively file an issue and immediately close it? Kind of weird, but if we want every report to have an issue we can make that happen.
Attention is currently required from: Damien Neil, Tatiana Bradley.
4 comments:
File internal/report/lint.go:
In general, I think we should exclude any third-party links for Go project reports (i.e. anything that isn't the announcement, issue, CL, commit, PR, see comments on some of them below), for consistency across our reports.
We should add a lint check here if that makes sense to you too.
File reports/GO-2021-0157.yaml:
Patch Set #7, Line 20: - https://go.dev/issue/000 (no associated issue)
How about we retroactively file an issue and immediately close it? Kind of weird, but if we want eve […]
We could also change the lint check so that this rule only applies after a certain version (it looks like starting in 1.5.0 they should all have issues)
File reports/GO-2022-0273.yaml:
Patch Set #7, Line 25: https://security.netapp.com/advisory/ntap-20220217-0009/
This can be removed to reduce noise in the report (it is a secondary source that doesn't provide much useful information beyond what's already there)
File reports/GO-2022-0289.yaml:
- https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html
- https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html
These links can be removed (they don't seem related to the issue, and are also secondary sources)
Attention is currently required from: Tatiana Bradley.
Tatiana Bradley uploaded patch set #8 to this change.
The following approvals got outdated and were removed: Run-TryBot+1 by Tatiana Bradley, TryBot-Result+1 by Gopher Robot
20 files changed, 178 insertions(+), 39 deletions(-)
Attention is currently required from: Damien Neil, Julie Qiu.
Patch set 8:Run-TryBot +1Code-Review +1
4 comments:
File internal/report/lint.go:
In general, I think we should exclude any third-party links for Go project reports (i.e. […]
Done
File reports/GO-2021-0157.yaml:
Patch Set #7, Line 20: - https://go.dev/issue/000 (no associated issue)
We could also change the lint check so that this rule only applies after a certain version (it looks […]
Created an issue and closed it
File reports/GO-2022-0273.yaml:
This can be removed to reduce noise in the report (it is a secondary source that doesn't provide muc […]
Done
File reports/GO-2022-0289.yaml:
- https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html
- https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html
These links can be removed (they don't seem related to the issue, and are also secondary sources)
Done
Attention is currently required from: Julie Qiu, Tatiana Bradley.
Patch set 8:Code-Review +1
Attention is currently required from: Julie Qiu, Tatiana Bradley.
Patch set 8:Code-Review +2