Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/pkgsite: migrate to v1 vulnerability database #58928

Closed
tatianab opened this issue Mar 8, 2023 · 5 comments
Closed

x/pkgsite: migrate to v1 vulnerability database #58928

tatianab opened this issue Mar 8, 2023 · 5 comments
Assignees
Labels
FrozenDueToAge pkgsite vulncheck or vulndb Issues for the x/vuln or x/vulndb repo

Comments

@tatianab
Copy link

tatianab commented Mar 8, 2023

No description provided.

@tatianab tatianab added pkgsite vulncheck or vulndb Issues for the x/vuln or x/vulndb repo labels Mar 8, 2023
@tatianab tatianab self-assigned this Mar 8, 2023
@gopherbot gopherbot added this to the Unreleased milestone Mar 8, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/474255 mentions this issue: internal/frontend, internal/vulns: isolate references to x/vuln repo

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/474537 mentions this issue: internal/frontend, internal/vuln: replace getVulnEntries with vuln.Client

gopherbot pushed a commit to golang/pkgsite that referenced this issue Mar 8, 2023
No-op refactor to move all code that depends on x/vuln to the
internal/vuln (renamed from internal/vulns) package. This will allow
us to more easily remove the dependency, as a part of the migration to
the v1 database schema.

For golang/go#58928

Change-Id: Ic8ac2377832d8e4a2a6afbb42729a7e10553665c
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/474255
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: kokoro <noreply+kokoro@google.com>
@hyangah hyangah modified the milestones: Unreleased, pkgsite/later Mar 8, 2023
gopherbot pushed a commit to golang/pkgsite that referenced this issue Mar 9, 2023
…ient

Instead of passing around a function, getVulnEntries, pass the actual
vuln client and call it directly.

Update the TestClient to implement the GetByModules function so that
tests can use it.

The purpose of this change is to further isolate calls to the vulndb
Client to the internal/vuln package, and to make the code easier to
understand by removing a function parameter.

For golang/go#58928

Change-Id: I8bef528034a1caa44b99da2f185990338ec9cd5f
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/474537
Reviewed-by: Jamal Carvalho <jamal@golang.org>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: kokoro <noreply+kokoro@google.com>
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/476555 mentions this issue: internal/vuln: add support for v1 vulndb client

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/477015 mentions this issue: add newSource and newClient functions

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/476556 mentions this issue: cmd/frontend, internal/vuln: add vulndb v1 experiment

gopherbot pushed a commit to golang/pkgsite that referenced this issue Mar 28, 2023
Add a new client struct, clientV1, that can read from Go vulnerability
databases in the new v1 format. clientV1 implements the internal "client"
interface, and will eventually be renamed to simply Client, and
completely replace the existing Client type.

The clientV1 struct contains a "source" interface. The source interface
is used to read raw JSON data from a given endpoint. The implemented sources
are an HTTP source, used to read from the actual database, and directory
and in-memory sources used for testing.

This struct and its methods are implemented and tested in this change,
but not yet used outside of testing.

For golang/go#58928

Change-Id: Icd4491aeb98a7f7e3bf10301c71ec620cf5cdea8
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/476555
TryBot-Result: kokoro <noreply+kokoro@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
gopherbot pushed a commit to golang/pkgsite that referenced this issue Mar 29, 2023
Add an experiment, "vulndb-v1", which if active causes pkgsite to
read from the v1 vulnerability database instead of the legacy database.

The experiment is not yet enabled anywhere.

For golang/go#58928

Change-Id: I66d6a90fc2eb841ed674169c09ea36c957551f1b
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/476556
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: kokoro <noreply+kokoro@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
@julieqiu julieqiu modified the milestones: pkgsite/later, vuln/v0.1.0 Apr 7, 2023
@tatianab tatianab closed this as completed Jul 5, 2023
@golang golang locked and limited conversation to collaborators Jul 4, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
FrozenDueToAge pkgsite vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Projects
None yet
Development

No branches or pull requests

4 participants