package worker

v0.0.0-...-210767f (not the latest version of this module)

Published: Oct 24, 2023 License: MIT Imports: 41 Imported by: 0

README

Go Vulnerability Worker

The vuln worker triages incoming security advisories and scans selected modules for vulnerabilities.

The Go security team runs the worker on Google Cloud Platform's Cloud Run product. See the repo's terraform directory for more on the deployment setup.

The main program for the worker, in the repo's cmd/worker directory, can also be used as a command-line tool for one-off executions of some of the server's actions.

Browsing the worker

Accessing the worker server's home page from a browser requires authentication. We recommend cloud-run-proxy for painless browsing. Install it with

go install github.com/GoogleCloudPlatform/cloud-run-proxy@latest

Run it from the repo root with

./devtools/proxy_worker.sh prod

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CreateGHSABody

func CreateGHSABody(sa *ghsa.SecurityAdvisory, allReports map[string]*report.Report, pc *proxy.Client) (body string, err error)

func CreateIssues

func CreateIssues(ctx context.Context, st store.Store, client *issues.Client, pc *proxy.Client, allReports map[string]*report.Report, limit int) (err error)

CreateIssues creates issues on the x/vulndb issue tracker for allReports.

func FormatTime

func FormatTime(t time.Time) string

func ReadCVEAtPath

func ReadCVEAtPath(commit *object.Commit, path string) (_ *cveschema.CVE, blobHash string, err error)

ReadCVEAtPath reads the file at path in commit and JSON-decodes it into a CVE. It also returns the hash of the git blob it read, so callers can tell whether the file changed between commits.

func SetKnownModules

func SetKnownModules(mods []string)

SetKnownModules provides a list of all known modules, so that no requests need to be made to pkg.go.dev.

func TriageCVE

func TriageCVE(ctx context.Context, c *cveschema.CVE, pkgsiteURL string) (_ *triageResult, err error)

TriageCVE reports whether the CVE refers to a Go module.
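The triage step above is what decides whether an incoming CVE is in scope at all, and SetKnownModules exists so that the decision can be made from a local list instead of a network lookup against pkg.go.dev. The following is an added, self-contained illustration of that idea in Go; it is not the worker's own code. The types cve and triageResult, the setKnownModules/triageCVE functions, the handling of pkg.go.dev URLs, and the sample CVE IDs and references are all constructed here for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// cve is a constructed stand-in for the cveschema.CVE the worker triages,
// reduced to the two fields this check needs.
type cve struct {
	ID         string
	References []string
}

// triageResult is a hypothetical version of the unexported result on the
// page: the known module a reference resolved to, and which reference did it.
type triageResult struct {
	ModulePath string
	Reference  string
}

// knownModules plays the role of the list installed by SetKnownModules, so
// no lookups against pkg.go.dev are needed while triaging.
var knownModules = map[string]bool{}

func setKnownModules(mods []string) {
	knownModules = make(map[string]bool, len(mods))
	for _, m := range mods {
		knownModules[m] = true
	}
}

// candidateModulePaths lists the import-path prefixes a reference URL could
// denote, longest first. For most hosts the module path is host+path, so
// https://github.com/o/r/security/advisories/X yields github.com/o/r/...,
// github.com/o/r and github.com/o. A pkg.go.dev URL already carries an import
// path, so its host is dropped and any @version suffix is cut off (an
// assumption of this example). Anything that is not a URL with a host (free
// text, bare IDs) yields nothing.
func candidateModulePaths(ref string) []string {
	u, err := url.Parse(strings.TrimSpace(ref))
	if err != nil || u.Host == "" {
		return nil
	}
	path := strings.Trim(u.Path, "/")
	if path == "" {
		return nil
	}
	if strings.EqualFold(u.Host, "pkg.go.dev") {
		if i := strings.Index(path, "@"); i >= 0 {
			path = path[:i]
		}
	} else {
		path = strings.ToLower(u.Host) + "/" + path
	}
	segs := strings.Split(path, "/")
	var out []string
	for i := len(segs); i >= 2; i-- { // need at least host plus one element
		out = append(out, strings.Join(segs[:i], "/"))
	}
	return out
}

// triageCVE reports the first known Go module any reference points at, or
// nil when the CVE does not appear to concern a Go module.
func triageCVE(c cve) *triageResult {
	for _, ref := range c.References {
		for _, cand := range candidateModulePaths(ref) {
			if knownModules[cand] {
				return &triageResult{ModulePath: cand, Reference: ref}
			}
		}
	}
	return nil
}

func main() {
	// Constructed known-module list and CVE records for the demonstration.
	setKnownModules([]string{"github.com/example/vulnlib", "golang.org/x/text"})
	for _, c := range []cve{
		{ID: "CVE-0000-0001", References: []string{"https://github.com/example/vulnlib/security/advisories/GHSA-0000"}},
		{ID: "CVE-0000-0002", References: []string{"https://pkg.go.dev/golang.org/x/text@v0.3.0/language"}},
		{ID: "CVE-0000-0003", References: []string{"https://example.com/blog/some-php-bug"}},
	} {
		if r := triageCVE(c); r != nil {
			fmt.Printf("%s: Go module %s (via %s)\n", c.ID, r.ModulePath, r.Reference)
		} else {
			fmt.Printf("%s: not a Go module\n", c.ID)
		}
	}
}
```

Matching longest prefix first matters: a reference into a nested module such as github.com/o/r/sub should attribute the CVE to github.com/o/r/sub when that is the known module, not to the repository root.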

func UpdateCVEsAtCommit

func UpdateCVEsAtCommit(ctx context.Context, repoPath, commitHashString string, st store.Store, pkgsiteURL string, force bool) (err error)

UpdateCVEsAtCommit performs an update on the store using the given commit. Unless force is true, it checks that the update makes sense before doing it.

Types

type CheckUpdateError

type CheckUpdateError struct {
	// contains filtered or unexported fields
}

CheckUpdateError is the error UpdateCVEsAtCommit returns when its sanity check on the requested update fails. It can be avoided by calling UpdateCVEsAtCommit with force set to true.

func (*CheckUpdateError) Error

func (c *CheckUpdateError) Error() string
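The pattern behind UpdateCVEsAtCommit and CheckUpdateError is worth seeing end to end: a guard that refuses an update that "does not make sense", a distinct error type so callers can tell a refused update from a real failure, and a force flag that skips the guard. The following is an added example in Go, not the worker's code. The store and snapshot types, the specific check (refusing a repeated commit, or one that would drop more than 10% of stored records) and the commit hashes and CVE IDs are all assumptions made for the illustration; the real check on the page is not described beyond "makes sense".

```go
package main

import (
	"errors"
	"fmt"
)

// commitSnapshot is a constructed stand-in for "the CVE records present at a
// given commit" of the CVE list repository: the commit hash and the IDs.
type commitSnapshot struct {
	Hash string
	IDs  map[string]bool
}

// checkUpdateError plays the role of the page's CheckUpdateError: a failed
// sanity check, distinguishable from real failures, that force bypasses.
type checkUpdateError struct {
	msg string
}

func (c *checkUpdateError) Error() string { return "update check failed: " + c.msg }

// cveStore is an in-memory stand-in for store.Store: the last commit applied
// and the IDs recorded from it.
type cveStore struct {
	lastCommit string
	ids        map[string]bool
}

// maxDropFraction is an assumed threshold (not from the page): an update that
// would remove more than this share of stored records is suspicious, because a
// CVE list normally only grows; a large shrink usually means the wrong repo,
// path or commit was passed in.
const maxDropFraction = 0.10

// checkUpdate decides whether applying snap to st "makes sense".
func checkUpdate(st *cveStore, snap commitSnapshot) error {
	if snap.Hash == st.lastCommit {
		return &checkUpdateError{msg: fmt.Sprintf("commit %s was already applied", snap.Hash)}
	}
	if len(st.ids) == 0 {
		return nil // first update: nothing to compare against
	}
	dropped := 0
	for id := range st.ids {
		if !snap.IDs[id] {
			dropped++
		}
	}
	if frac := float64(dropped) / float64(len(st.ids)); frac > maxDropFraction {
		return &checkUpdateError{msg: fmt.Sprintf("commit %s would drop %d of %d records (%.0f%%)",
			snap.Hash, dropped, len(st.ids), 100*frac)}
	}
	return nil
}

// updateAtCommit applies snap to st and reports how many IDs were added and
// removed. Unless force is true it runs checkUpdate first and returns that
// error unwrapped, so callers can detect it with errors.As and decide whether
// a retry with force is justified.
func updateAtCommit(st *cveStore, snap commitSnapshot, force bool) (added, removed int, err error) {
	if !force {
		if err := checkUpdate(st, snap); err != nil {
			return 0, 0, err
		}
	}
	for id := range snap.IDs {
		if !st.ids[id] {
			added++
		}
	}
	for id := range st.ids {
		if !snap.IDs[id] {
			removed++
		}
	}
	st.ids = make(map[string]bool, len(snap.IDs))
	for id := range snap.IDs {
		st.ids[id] = true
	}
	st.lastCommit = snap.Hash
	return added, removed, nil
}

// ids builds a snapshot ID set from a list of (constructed) CVE IDs.
func ids(list ...string) map[string]bool {
	m := make(map[string]bool, len(list))
	for _, id := range list {
		m[id] = true
	}
	return m
}

func main() {
	st := &cveStore{}
	// Constructed commit hashes and IDs.
	_, _, _ = updateAtCommit(st, commitSnapshot{Hash: "c1", IDs: ids("CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0004", "CVE-0000-0005")}, false)
	shrunk := commitSnapshot{Hash: "c2", IDs: ids("CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003")}
	_, _, err := updateAtCommit(st, shrunk, false)
	var cue *checkUpdateError
	if errors.As(err, &cue) {
		fmt.Println("refused:", err)
	}
	added, removed, err := updateAtCommit(st, shrunk, true)
	fmt.Println("forced:", added, "added,", removed, "removed, err =", err)
}
```

The point of the dedicated error type is operational: a one-off run from the command line can print the refusal and let a human decide to rerun with force, while an automated caller can treat any other error as a failure that should not be retried with force.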

type Config

type Config struct {
	// Project is the Google Cloud Project where the resources live.
	Project string

	// Namespace is the Firestore namespace to use.
	Namespace string

	// UseErrorReporting determines whether errors go to the Error Reporting API.
	UseErrorReporting bool

	// IssueRepo is the GitHub repo to use for issues.
	// An empty string disables issue creation.
	IssueRepo string

	// GitHubAccessToken is the token used to authenticate to the GitHub API.
	GitHubAccessToken string

	// Store is the implementation of store.Store used by the server.
	Store store.Store
}

Config holds configuration information for the worker server.

func (*Config) Validate

func (c *Config) Validate() error

type GHSAListFunc

type GHSAListFunc func(_ context.Context, since time.Time) ([]*ghsa.SecurityAdvisory, error)

GHSAListFunc is the type of a function that lists GitHub security advisories.

type Server

type Server struct {
	// contains filtered or unexported fields
}

func NewServer

func NewServer(ctx context.Context, cfg Config) (_ *Server, err error)

type UpdateGHSAStats

type UpdateGHSAStats struct {
	// Number of GitHub security advisories seen.
	NumProcessed int
	// Number of GHSARecords added to the store.
	NumAdded int
	// Number of GHSARecords already in the store that were modified.
	NumModified int
}

func UpdateGHSAs

func UpdateGHSAs(ctx context.Context, list GHSAListFunc, st store.Store) (_ UpdateGHSAStats, err error)

UpdateGHSAs updates the store with the current state of GitHub's security advisories.
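UpdateGHSAs takes the listing function as a parameter, which is what makes the sync testable without GitHub: hand it any GHSAListFunc-shaped function. The example below is an added Go illustration of that shape and of the bookkeeping behind UpdateGHSAStats; it is not the worker's implementation. The advisory and store types, the "since" high-water mark, the use of an advisory's UpdatedAt to detect modification, and the sample advisory IDs and timestamps are all constructed for this example.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// advisory is a constructed stand-in for ghsa.SecurityAdvisory with the
// fields the sync needs.
type advisory struct {
	ID        string
	Summary   string
	UpdatedAt time.Time
}

// ghsaListFunc has the shape of the page's GHSAListFunc.
type ghsaListFunc func(ctx context.Context, since time.Time) ([]*advisory, error)

// updateGHSAStats mirrors the page's UpdateGHSAStats.
type updateGHSAStats struct {
	NumProcessed int
	NumAdded     int
	NumModified  int
}

// ghsaStore is an in-memory stand-in for store.Store: records by ID plus the
// high-water mark passed as the next "since".
type ghsaStore struct {
	records  map[string]*advisory
	lastSync time.Time
}

func newGHSAStore() *ghsaStore { return &ghsaStore{records: map[string]*advisory{}} }

// updateGHSAs lists advisories changed since the store's last sync and
// upserts them, counting adds and modifications. It is idempotent: a second
// run over unchanged data reports zero adds and zero modifications, even
// though an advisory updated exactly at the high-water mark is listed again.
func updateGHSAs(ctx context.Context, list ghsaListFunc, st *ghsaStore) (updateGHSAStats, error) {
	var stats updateGHSAStats
	sas, err := list(ctx, st.lastSync)
	if err != nil {
		return stats, fmt.Errorf("listing advisories since %s: %w", st.lastSync.Format(time.RFC3339), err)
	}
	newest := st.lastSync
	for _, sa := range sas {
		stats.NumProcessed++
		old, ok := st.records[sa.ID]
		switch {
		case !ok:
			stats.NumAdded++
		case sa.UpdatedAt.After(old.UpdatedAt):
			stats.NumModified++
		default:
			continue // same version already stored; nothing to write
		}
		cp := *sa
		st.records[sa.ID] = &cp
		if sa.UpdatedAt.After(newest) {
			newest = sa.UpdatedAt
		}
	}
	st.lastSync = newest
	return stats, nil
}

// fakeGitHub returns a ghsaListFunc over a constructed feed. The filter is
// deliberately inclusive (UpdatedAt >= since) so nothing updated exactly at
// the boundary is missed; the store's version check absorbs the duplicate.
func fakeGitHub(feed []*advisory) ghsaListFunc {
	return func(_ context.Context, since time.Time) ([]*advisory, error) {
		var out []*advisory
		for _, a := range feed {
			if !a.UpdatedAt.Before(since) {
				out = append(out, a)
			}
		}
		return out, nil
	}
}

func main() {
	// Constructed advisories and timestamps.
	t0 := time.Date(2023, 10, 1, 0, 0, 0, 0, time.UTC)
	a := &advisory{ID: "GHSA-aaaa-aaaa-aaaa", Summary: "first", UpdatedAt: t0}
	b := &advisory{ID: "GHSA-bbbb-bbbb-bbbb", Summary: "second", UpdatedAt: t0.Add(time.Hour)}
	st := newGHSAStore()
	ctx := context.Background()
	s1, _ := updateGHSAs(ctx, fakeGitHub([]*advisory{a, b}), st)
	s2, _ := updateGHSAs(ctx, fakeGitHub([]*advisory{a, b}), st) // nothing changed
	a2 := &advisory{ID: a.ID, Summary: "first, revised", UpdatedAt: t0.Add(2 * time.Hour)}
	s3, _ := updateGHSAs(ctx, fakeGitHub([]*advisory{a2, b}), st) // one revision
	fmt.Printf("run 1: %+v\nrun 2: %+v\nrun 3: %+v\n", s1, s2, s3)
}
```

The boundary handling is the part worth copying: use an inclusive "since" on the listing side and rely on the stored UpdatedAt to suppress rewrites, rather than adding a second to the high-water mark and risking a missed advisory.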

Directories

Path Synopsis
store Package store supports permanent data storage for the vuln worker.
