all: move cve/ghsa utils to their own package
- Move some functions related to CVE/GHSA regex matching to a new "idstr" package, as they are not related specifically to the CVE5 or GHSA GraphQL format. - Move all logic related to the cve5, cve4 and legacyGHSA formats in the "internal/report" package to their own files, so it is easier to (potentially) move these to their own packages in the future. The goal of this CL is to reduce the risk of import cycles for some upcoming refactors. Change-Id: I7e14c31c17882230b783cc62e1ecdf43dcb98995 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/581717 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com>
Showing
24 changed files
with
460 additions
and
422 deletions.
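--- /dev/null
+++ b/PATH_NOT_SHOWN/FILE_1.go
@@ -0,0 +1,63 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package idstr provides utilities for working with vulnerability
+// identifier strings.
+package idstr
+
+import "regexp"
+
+const ghsaStr = `GHSA-[^-]{4}-[^-]{4}-[^-]{4}`
+
+var (
+ghsaRE, ghsaStrict = re(ghsaStr)
+)
+
+func IsGHSA(s string) bool {
+return ghsaStrict.MatchString(s)
+}
+
+func FindGHSA(s string) string {
+return ghsaRE.FindString(s)
+}
+
+const cveStr = `CVE-\d{4}-\d{4,}`
+
+var (
+cveRE, cveStrict = re(cveStr)
+)
+
+func IsCVE(s string) bool {
+return cveStrict.MatchString(s)
+}
+
+func FindCVE(s string) string {
+return cveRE.FindString(s)
+}
+
+const goIDStr = `GO-\d{4}-\d{4,}`
+
+var (
+_, goIDStrict = re(goIDStr)
+)
+
+func IsGoID(s string) bool {
+return goIDStrict.MatchString(s)
+}
+
+func re(s string) (*regexp.Regexp, *regexp.Regexp) {
+return regexp.MustCompile(s), regexp.MustCompile(`^` + s + `$`)
+}
+
+// IsIdentifier returns whether the given ID is a recognized identifier
+// (currently, either a GHSA, CVE, or Go ID).
+func IsIdentifier(id string) bool {
+return IsAliasType(id) || IsGoID(id)
+}
+
+// IsAliasType returns whether the given ID is a recognized alias type
+// (currently, either a GHSA or CVE).
+func IsAliasType(id string) bool {
+return IsGHSA(id) || IsCVE(id)
+}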
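Review bot: The GHSA pattern on the `const ghsaStr` line, `[^-]{4}`, accepts any non-hyphen character, including spaces, slashes, dots, newlines and non-ASCII, so `IsGHSA` treats a string such as `GHSA-ab/c-de f-gh.i` as a valid identifier and `FindGHSA` can pull such a fragment out of free text; since `IsAliasType` here and the `GHSALink` pattern in the sibling file build on the same constant, a tighter class is worth it, e.g. `const ghsaStr = `GHSA-[[:alnum:]]{4}-[[:alnum:]]{4}-[[:alnum:]]{4}``. GitHub advisory IDs use a fixed lowercase alphanumeric alphabet, so real IDs should still match, though any synthetic IDs in this repository's test data would need checking. The exported `IsGHSA`, `FindGHSA`, `IsCVE`, `FindCVE` and `IsGoID` also lack the doc comments that `IsIdentifier` and `IsAliasType` have, e.g. `// IsGHSA reports whether s is exactly a GHSA identifier.` and `// FindGHSA returns the first GHSA identifier found in s, or "" if there is none.`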
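--- /dev/null
+++ b/PATH_NOT_SHOWN/FILE_2.go
@@ -0,0 +1,15 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package idstr
+
+import "testing"
+
+func TestFindCVE(t *testing.T) {
+s := "something/CVE-1999-0004.json"
+got, want := FindCVE(s), "CVE-1999-0004"
+if got != want {
+t.Errorf("FindCVE(%s) = %s, want %s", s, got, want)
+}
+}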
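Review bot: Only `FindCVE` is exercised in `TestFindCVE`; the anchored matchers `IsCVE`, `IsGHSA` and `IsGoID`, which `IsAliasType` and `IsIdentifier` depend on, have no negative cases, so a pattern that is too permissive or too strict would go unnoticed. Two assertions would pin the contract that the anchors are meant to enforce, e.g. `if IsCVE("CVE-1999-0004.json") { t.Error("IsCVE accepted a string with a trailing suffix") }` and `if !IsIdentifier("GO-2024-0001") { t.Error("IsIdentifier rejected a valid Go ID") }`. The `%s` verbs in the `t.Errorf` call would read better as `%q`, so an empty `got` is visible in the failure output.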
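--- /dev/null
+++ b/PATH_NOT_SHOWN/FILE_3.go
@@ -0,0 +1,18 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package idstr
+
+import "regexp"
+
+var (
+NISTLink = regexp.MustCompile(`^https://nvd.nist.gov/vuln/detail/(` + cveStr + `)$`)
+GHSALink = regexp.MustCompile(`^https://github.com/.*/(` + ghsaStr + `)$`)
+MITRELink = regexp.MustCompile(`^https://cve.mitre.org/.*(` + cveStr + `)$`)
+goAdvisoryLink = regexp.MustCompile(`^https://pkg.go.dev/vuln/(` + goIDStr + `)$`)
+)
+
+func IsGoAdvisory(u string) bool {
+return goAdvisoryLink.MatchString(u)
+}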
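Review bot: The host parts of `NISTLink`, `GHSALink`, `MITRELink` and `goAdvisoryLink` use unescaped `.`, so the `nvd.nist.gov` prefix in `NISTLink` also matches hosts like `nvdXnistXgov`; for patterns that decide which reference URLs are recognized as known advisory sources, the literal prefix should be quoted, e.g. `NISTLink = regexp.MustCompile(`^` + regexp.QuoteMeta("https://nvd.nist.gov/vuln/detail/") + `(` + cveStr + `)$`)`, and likewise for the other three. The `.*` in `GHSALink` and `MITRELink` will match across any path on those hosts, which looks intended but is worth a comment. The three exported variables and `IsGoAdvisory` have no doc comments; e.g. `// NISTLink matches an NVD detail URL and captures the CVE ID as its first submatch.` and `// IsGoAdvisory reports whether u is a pkg.go.dev advisory URL for a Go ID.`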