x/pkgsite: integrate with Go vulnerability database #48223

Open
jba opened this issue Sep 7, 2021 · 12 comments

Comments

@jba jba commented Sep 7, 2021

Display information about vulnerabilities in packages and modules.

@jba jba added the pkgsite label Sep 7, 2021
@jba jba added this to the pkgsite/unplanned milestone Sep 7, 2021
@jba jba self-assigned this Sep 7, 2021
@jba jba commented Sep 7, 2021

This issue covers only vulnerabilities in the package or module being displayed, not transitive vulnerabilities.

We want to show vulnerability information in the following places:

  • On the main page for a package.
  • On the versions page.
  • In search.

@gopherbot gopherbot commented Sep 7, 2021

Change https://golang.org/cl/347949 mentions this issue: internal/frontend: display vulnerabilities on package page

@gopherbot gopherbot commented Sep 7, 2021

Change https://golang.org/cl/347970 mentions this issue: internal/frontend/versions.go: minor cleanup

@gopherbot gopherbot commented Sep 7, 2021

Change https://golang.org/cl/347969 mentions this issue: cmd/frontend: add a cache for vuln data

@gopherbot gopherbot commented Sep 7, 2021

Change https://golang.org/cl/347971 mentions this issue: internal/frontend: collect vulns for versions page

gopherbot pushed a commit to golang/pkgsite that referenced this issue Sep 7, 2021
Under an experiment, look up and display a package's vulnerabilities
on its main page using the client provided by the golang.org/x/vulndb
module.

For golang/go#48223

Change-Id: I310440db16f8ad5fe582fc8ab42999e874f3ca88
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/347949
Trust: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Jamal Carvalho <jamal@golang.org>
Reviewed-by: Julie Qiu <julie@golang.org>
gopherbot pushed a commit to golang/pkgsite that referenced this issue Sep 7, 2021
The vulndb.Client already supports caching; we just have to supply an
implementation.

The only implementation in golang.org/x/vulndb uses the filesystem, so
we can't use it on App Engine. Provide an in-memory implementation
instead.

For golang/go#48223

Change-Id: I0431921dcabfb5546350dff095ae6aa5668ad892
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/347969
Trust: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Julie Qiu <julie@golang.org>
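Added example, not pkgsite's code and not the golang.org/x/vulndb client: an in-memory, TTL-bounded cache of the kind the commit above describes, behind a hypothetical Cache interface that a lookup client is parameterised on. The Entry type, the Cache and Client shapes, SampleFetch and its data are assumptions made for this example; the real vulndb client's cache interface is not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Entry is a reduced, hypothetical vulnerability record; the real vulndb
// entry format is richer and is not modelled here.
type Entry struct {
	ID     string
	Module string
}

// Cache is the hypothetical interface a Client is parameterised on:
// entries per module, stamped with the time they were fetched.
type Cache interface {
	Get(module string) (es []Entry, fetched time.Time, ok bool)
	Put(module string, es []Entry, fetched time.Time)
}

// MemCache is a goroutine-safe in-memory Cache for hosts without a writable
// filesystem, such as App Engine. It is empty after every instance restart.
type MemCache struct {
	mu   sync.Mutex
	data map[string]cached
}

type cached struct {
	es []Entry
	at time.Time
}

func NewMemCache() *MemCache { return &MemCache{data: map[string]cached{}} }

func (c *MemCache) Get(m string) ([]Entry, time.Time, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	v, ok := c.data[m]
	return v.es, v.at, ok
}

func (c *MemCache) Put(m string, es []Entry, at time.Time) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.data[m] = cached{es, at}
}

// Client serves cached entries younger than TTL and otherwise calls Fetch,
// which stands in for the network round trip to the database. Now is
// injectable so expiry can be exercised without sleeping.
type Client struct {
	Cache Cache
	TTL   time.Duration
	Now   func() time.Time
	Fetch func(module string) ([]Entry, error)
}

// Entries returns the entries for module. A fetch failure is returned rather
// than masked by a stale copy: the page must not claim "no known
// vulnerabilities" when the database could not be consulted.
func (c *Client) Entries(module string) ([]Entry, error) {
	if es, at, ok := c.Cache.Get(module); ok && c.Now().Sub(at) < c.TTL {
		return es, nil
	}
	es, err := c.Fetch(module)
	if err != nil {
		return nil, err
	}
	c.Cache.Put(module, es, c.Now())
	return es, nil
}

// SampleFetch returns a Fetch over constructed, made-up data and a counter of
// how often it was called, so cache hits and refetches are observable.
func SampleFetch() (func(string) ([]Entry, error), *int) {
	db := map[string][]Entry{
		"example.com/m": {{ID: "EX-0001", Module: "example.com/m"}},
	}
	n := 0
	return func(module string) ([]Entry, error) {
		n++
		if es, ok := db[module]; ok {
			return es, nil
		}
		return nil, errors.New("upstream unavailable")
	}, &n
}

func main() {
	fetch, n := SampleFetch()
	c := &Client{Cache: NewMemCache(), TTL: time.Hour, Now: time.Now, Fetch: fetch}
	for i := 0; i < 3; i++ { // one fetch, then two cache hits
		es, err := c.Entries("example.com/m")
		fmt.Println(es, err, "fetches:", *n)
	}
}
```

Two points to carry into a real implementation: a failed fetch is never written to the cache and is never papered over with an older copy, so an outage of the database surfaces as an error on the page rather than as a clean bill of health; and because the cache lives in process memory, each instance pays the first fetch itself after a deploy, which is the price of not having a filesystem to persist to.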
gopherbot pushed a commit to golang/pkgsite that referenced this issue Sep 7, 2021
Move some field assignments into struct literals.

For golang/go#48223

Change-Id: I18e87e709577592020ad9b7e2c17b40c7275811b
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/347970
Trust: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Julie Qiu <julie@golang.org>
gopherbot pushed a commit to golang/pkgsite that referenced this issue Sep 7, 2021
Store the vulnerabilities for each version in the
structs that are handed to the rendering templates.

Later CLs will display them on the versions page.

For golang/go#48223

Change-Id: Icbc541b5d981ea84d5b97b142c48d312219f3aba
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/347971
Trust: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Julie Qiu <julie@golang.org>
@gopherbot gopherbot commented Sep 7, 2021

Change https://golang.org/cl/348109 mentions this issue: internal/frontend: move deprecation info to VersionList

gopherbot pushed a commit to golang/pkgsite that referenced this issue Sep 7, 2021
Move the deprecation information from VersionListKey to VersionList.
The former is intended as a map key, not a container for arbitrary
major-version data.

For golang/go#48223

Change-Id: Ifcbd72f368b68d627cb98ee4afa93ab6e3b81d17
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/348109
Trust: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
TryBot-Result: kokoro <noreply+kokoro@google.com>
Reviewed-by: Julie Qiu <julie@golang.org>
@gopherbot gopherbot commented Sep 8, 2021

Change https://golang.org/cl/348380 mentions this issue: internal/frontend: update to latest vulndb client

gopherbot pushed a commit to golang/pkgsite that referenced this issue Sep 8, 2021
There have been some changes to the vulndb entry format.

For golang/go#48223

Change-Id: I60eef20863f0d968d90e97638c06e48d9a7af2d1
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/348380
Trust: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Julie Qiu <julie@golang.org>
@gopherbot gopherbot commented Sep 8, 2021

Change https://golang.org/cl/348529 mentions this issue: internal/frontend,static: simple UI for version vulns

@gopherbot gopherbot commented Sep 8, 2021

Change https://golang.org/cl/348532 mentions this issue: internal/frontend: Vulns eats errors

gopherbot pushed a commit to golang/pkgsite that referenced this issue Sep 9, 2021
This is a simple UI for displaying vulnerabilities on the versions
page.  It displays each vuln as a chip next to the commit time of the
version.

It doesn't attempt to display the introduced version differently.

For golang/go#48223

Change-Id: I5813e3c1149005081267b2d7ac4fe75c2ef33574
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/348529
Trust: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Jamal Carvalho <jamal@golang.org>
TryBot-Result: kokoro <noreply+kokoro@google.com>
@gopherbot gopherbot commented Sep 9, 2021

Change https://golang.org/cl/348789 mentions this issue: internal/frontend: add vulns to search results

@gopherbot gopherbot commented Sep 9, 2021

Change https://golang.org/cl/348790 mentions this issue: static: initial UI for vulns in search

@gopherbot gopherbot commented Sep 9, 2021

Change https://golang.org/cl/348791 mentions this issue: internal/frontend: serve /vuln

gopherbot pushed a commit to golang/pkgsite that referenced this issue Sep 9, 2021
On error, the Vulns function creates a Vuln with the error, instead of
returning it.

We were doing this at all call sites anyway.

For golang/go#48223

Change-Id: Ibbb9819902da2ea45dd03c2b3c73e0494902222c
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/348532
Trust: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
TryBot-Result: kokoro <noreply+kokoro@google.com>
Reviewed-by: Julie Qiu <julie@golang.org>
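Added example, not pkgsite's code, of the convention in the commit above (a lookup error becomes a Vuln value instead of an error return), combined with the per-version filtering that the versions-page commits rely on. Entry, Vuln, the lookup function signature, cmpVersion and the sample data are assumptions of this example, not the vulndb entry format.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Entry is a reduced, hypothetical record (not the vulndb format): one
// affected module and one [Introduced, Fixed) version range.
type Entry struct {
	ID         string
	Introduced string // inclusive; "" means every version before Fixed
	Fixed      string // exclusive; "" means not fixed yet
}

// Vuln is what the version-page templates receive: either a vulnerability
// ID or the error that prevented the lookup, never both.
type Vuln struct {
	ID    string
	Error error
}

// Vulns never returns an error. If the lookup fails, the result is a single
// Vuln carrying the error, so every call site renders success and failure
// through the same path and a failed lookup cannot be mistaken for "no
// vulnerabilities". lookup stands in for the database client.
func Vulns(lookup func(module string) ([]Entry, error), module, version string) []Vuln {
	es, err := lookup(module)
	if err != nil {
		return []Vuln{{Error: fmt.Errorf("vulns for %s@%s: %w", module, version, err)}}
	}
	var out []Vuln
	for _, e := range es {
		if affects(e, version) {
			out = append(out, Vuln{ID: e.ID})
		}
	}
	return out
}

// affects reports whether version lies in e's [Introduced, Fixed) range.
func affects(e Entry, version string) bool {
	if e.Introduced != "" && cmpVersion(version, e.Introduced) < 0 {
		return false
	}
	return e.Fixed == "" || cmpVersion(version, e.Fixed) < 0
}

// cmpVersion compares "vMAJOR.MINOR.PATCH" strings numerically. Pre-release
// tags and pseudo-versions are out of scope here; real code should use
// golang.org/x/mod/semver.
func cmpVersion(a, b string) int {
	pa := strings.Split(strings.TrimPrefix(a, "v"), ".")
	pb := strings.Split(strings.TrimPrefix(b, "v"), ".")
	for i := 0; i < len(pa) && i < len(pb); i++ {
		x, _ := strconv.Atoi(pa[i])
		y, _ := strconv.Atoi(pb[i])
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// SampleLookup serves constructed, made-up entries for example.com/m and
// fails for every other module, imitating an unreachable database.
func SampleLookup(module string) ([]Entry, error) {
	if module != "example.com/m" {
		return nil, errors.New("upstream unavailable")
	}
	return []Entry{
		{ID: "EX-0001", Introduced: "v1.2.0", Fixed: "v1.4.0"},
		{ID: "EX-0002", Fixed: "v1.1.0"},
		{ID: "EX-0003", Introduced: "v1.5.0"}, // unfixed
	}, nil
}

func main() {
	for _, v := range []string{"v1.0.0", "v1.3.0", "v1.4.0", "v1.6.0"} {
		fmt.Println(v, Vulns(SampleLookup, "example.com/m", v))
	}
	fmt.Println(Vulns(SampleLookup, "example.com/other", "v1.0.0"))
}
```

The template side of this convention must check Error before ID: a Vuln with Error set renders as "vulnerability data unavailable", not as a chip, and not as nothing. Note also that the numeric comparison is what makes v1.10.0 sort after v1.9.0; a plain string compare would silently misplace fix versions.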
gopherbot pushed a commit to golang/pkgsite that referenced this issue Sep 9, 2021
For golang/go#48223

Change-Id: I6dd0adffa17c754c91dd952dd3f55d8a9c53a5de
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/348789
Trust: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Julie Qiu <julie@golang.org>
gopherbot pushed a commit to golang/pkgsite that referenced this issue Sep 9, 2021
For golang/go#48223

Change-Id: Ief87455ee7305018ba20be838a245855a107e8e5
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/348790
Trust: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Julie Qiu <julie@golang.org>
gopherbot pushed a commit to golang/pkgsite that referenced this issue Sep 9, 2021
Serve the /vuln endpoint with the following behavior:

/vuln: redirect to the doc for golang.org/x/vulndb.

/vuln/list: display the directory in the vulndb repo containing all
vuln reports.

/vuln/{ID}: display the vuln with ID, in yaml form, directly from the
vulndb repo.

For golang/go#48223

Change-Id: Iedfd1e6a4782fa7f1b3c4fc9cc2dcefd453db288
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/348791
Trust: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
TryBot-Result: kokoro <noreply+kokoro@google.com>
Reviewed-by: Julie Qiu <julie@golang.org>
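Added example, not pkgsite's code, of the three routes the commit above describes. ReportSource, MemSource, DocPath and the sample reports are assumptions of this example. The point the routing description leaves open, and which the example pins down, is that the {ID} segment is allow-listed before it is used to address anything in the backing repository, and that the returned YAML is served in a way the browser will not render as HTML.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"sort"
	"strings"
)

// ReportSource is a hypothetical stand-in for the vulndb repository: the
// two operations the /vuln handler needs.
type ReportSource interface {
	List() []string                  // report IDs, sorted
	Report(id string) (string, bool) // raw YAML of one report
}

// MemSource is a ReportSource over an in-memory map (sample data only).
type MemSource map[string]string

func (m MemSource) List() []string {
	ids := make([]string, 0, len(m))
	for id := range m {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids
}

func (m MemSource) Report(id string) (string, bool) { r, ok := m[id]; return r, ok }

// DocPath is where /vuln redirects; assumed here to be the pkgsite page for
// the vulndb module.
const DocPath = "/golang.org/x/vulndb"

// vulnIDRe allow-lists the GO-YYYY-NNNN identifier shape. Because the ID is
// forwarded to the backing repository, anything else ("../", ".git", a
// lowercase variant) is rejected before it can become a path there. The
// check lives in the handler, so it does not depend on ServeMux path cleaning.
var vulnIDRe = regexp.MustCompile(`^GO-\d{4}-\d{4,}$`)

// VulnHandler serves /vuln, /vuln/list and /vuln/{ID}.
func VulnHandler(src ReportSource) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p := r.URL.Path
		switch {
		case p == "/vuln" || p == "/vuln/":
			http.Redirect(w, r, DocPath, http.StatusFound)
		case p == "/vuln/list":
			w.Header().Set("Content-Type", "text/plain; charset=utf-8")
			for _, id := range src.List() {
				fmt.Fprintln(w, id)
			}
		case strings.HasPrefix(p, "/vuln/"):
			id := strings.TrimPrefix(p, "/vuln/")
			if !vulnIDRe.MatchString(id) {
				http.Error(w, "invalid vulnerability ID", http.StatusBadRequest)
				return
			}
			body, ok := src.Report(id)
			if !ok {
				http.NotFound(w, r)
				return
			}
			// The report is untrusted text as far as the browser is concerned:
			// serve it as plain text and forbid sniffing so it is never
			// interpreted as HTML, whatever a report happens to contain.
			w.Header().Set("Content-Type", "text/plain; charset=utf-8")
			w.Header().Set("X-Content-Type-Options", "nosniff")
			fmt.Fprint(w, body)
		default:
			http.NotFound(w, r)
		}
	})
}

// SampleSource holds constructed placeholder reports; the IDs follow the
// GO- shape but the contents are made up.
func SampleSource() MemSource {
	return MemSource{
		"GO-2021-0001": "id: GO-2021-0001\nmodule: example.com/m\n",
		"GO-2021-0002": "id: GO-2021-0002\nmodule: example.com/n\n",
	}
}

func main() {
	h := VulnHandler(SampleSource())
	for _, p := range []string{"/vuln", "/vuln/list", "/vuln/GO-2021-0001", "/vuln/../etc/passwd"} {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest("GET", p, nil))
		fmt.Printf("%-22s %d %s\n", p, rec.Code, strings.TrimSpace(rec.Body.String()))
	}
}
```

The distinction between 400 and 404 is deliberate: an ID that is well-formed but absent is a normal miss, while a malformed one is a request that should never reach the repository layer at all, which also keeps traversal attempts visible in access logs as a distinct status.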
@julieqiu julieqiu removed this from the pkgsite/unplanned milestone Sep 13, 2021
@julieqiu julieqiu added this to the pkgsite/2021 milestone Sep 13, 2021
3 participants