

cmd/cve: make warning for deleted URLs in CVEs more prominent
Change-Id: I25f25fa5d014d25e8d361826a885e77ad8be5dba
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/526265
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
tatianab authored and gopherbot committed Sep 11, 2023
1 parent 6055ff0 commit 89f9cab
Showing 1 changed file with 40 additions and 7 deletions.
47 changes: 40 additions & 7 deletions cmd/cve/main.go
Expand Up @@ -324,13 +324,7 @@ func publish(c *cveclient.Client, filename string) (err error) {
fmt.Printf("publish would update record with diff (-existing, +new):\n%s\n", diff)
// The CVE program sometimes adds references to CVEs, so we need
// to make sure we don't accidentally delete them.
// To preserve an externally-added reference, add it to
// cve_metadata.references. An example is GO-2022-0476.
// This warning may be spurious if a reference is deleted from
// a YAML report - in this case it should be ignored.
if d := len(existing.Containers.CNAContainer.References) - len(toPublish.CNAContainer.References); d > 0 {
fmt.Printf("WARNING: publish would delete %d reference(s) that may have been added by the CVE program; use cve_metadata.references to preserve them\n", d)
}
handleDeleted(existing, toPublish, filename)
} else {
fmt.Println("updating record would have no effect, skipping")
return nil
Expand Down Expand Up @@ -363,6 +357,45 @@ func publish(c *cveclient.Client, filename string) (err error) {
return nil
}

func handleDeleted(existing *cveschema5.CVERecord, toPublish *cveschema5.Containers, filename string) {
deleted := findDeleted(existing.Containers.CNAContainer.References, toPublish.CNAContainer.References)
if len(deleted) > 0 {
goID := strings.TrimSuffix(filepath.Base(filename), filepath.Ext(filename))
yamlReportFile := fmt.Sprintf("data/reports/%s.yaml", goID)
// To preserve an externally-added reference, add it to
// cve_metadata.references. An example is GO-2022-0476.
// This warning may be spurious if a reference is deleted from
// a YAML report - in this case it should be ignored.
fmt.Printf(
`!! WARNING !!
updating record would delete %[1]d reference(s) that may have been added by the CVE program;
to preserve these references, add references to %[2]s and run "vulnreport fix %[2]s":
cve_metadata:
...
references:
...
- %[3]s
only update now if this warning is spurious (i.e., the records were deleted on purpose)
`, len(deleted), yamlReportFile, strings.Join(deleted, "\n - "))
}
}

// findDeleted returns a list of URLs in oldRefs that are not in newRefs.
func findDeleted(oldRefs []cveschema5.Reference, newRefs []cveschema5.Reference) (deleted []string) {
m := make(map[string]bool)
for _, r := range newRefs {
m[r.URL] = true
}
for _, r := range oldRefs {
if !m[r.URL] {
deleted = append(deleted, r.URL)
}
}
return deleted
}

func list(c *cveclient.Client, lf *cveclient.ListOptions) error {
cves, err := c.ListOrgCVEs(lf)
if err != nil {
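Review bot: In the second hunk, handleDeleted has no doc comment, and findDeleted compares URLs by exact string equality, so a reference whose URL merely changed form (trailing slash, scheme or case) is reported as deleted and a URL listed twice in the existing record is reported twice; whether such variants occur among CNA-added references is not visible here. I would add `// handleDeleted warns when references present in the existing record are missing from toPublish, listing each URL so it can be preserved via cve_metadata.references.` above handleDeleted, and in findDeleted use a set, `m := make(map[string]struct{}, len(newRefs))`, `m[r.URL] = struct{}{}` and `if _, ok := m[r.URL]; !ok {`, which also documents that only membership matters. The last line of the warning text says "the records were deleted on purpose" where it means the references: `only update now if this warning is spurious (i.e., the references were deleted on purpose)`. The goID assignment derives the report name from the CVE file's base name, which presumably relies on the JSON file being named after the Go ID; a comment stating that convention at that line would help, and the indentation of the `- %[3]s` template line relative to the `"\n - "` join separator cannot be checked from the rendered view.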

