feat(wrlinux): Add Wind River Linux vulnerability data (#177)#178
ssajal-wrl wants to merge 1 commit into aquasecurity:main from
Conversation
Hi, do I need to do anything else for this PR?
DmitriyLewen left a comment
Hello @ssajal-wrl
Thanks for your work!
I added some comments.
wrlinux/wrlinux_test.go (Outdated)
```go
{
	name: "perfect data",
	args: args{
		filePath: "./testdata/golden",
```
Looks like it is not a golden file.
It is a source file.
Better to use names/file paths from the source,
e.g. testdata/foo/bar/CVE-1234-12345
wrlinux/wrlinux_test.go (Outdated)
```go
"Status": "ignored",
"Note": ""
},
10.19.45.1": {
```
Test cases are broken.
Fix them, or better, use golden files.
```go
}
lines := strings.Split(string(all), "\n")

for i := 0; i < len(lines); i++ {
```
We try to use the same logic if possible.
Can you use bufio here:
vuln-list-update/debian/tracker/debian.go, lines 177 to 179 in 728ebae
I can use bufio to read the file, but I still have to read in the whole file and iterate over it the same way, since I have inner loops which modify the iterator "i".
Oh... now I understand what you meant.
wrlinux/wrlinux.go (Outdated)
```go
status := strings.TrimSpace(s[1])

// Some advisories have status with "Patches_" prefix and it should be skipped
// e.g. Patches_qtwebkit-opensource-src: needs-triage
```
Can you create a test case for this?
wrlinux/wrlinux.go (Outdated)
```go
if isPatch(status) && !strings.HasPrefix(s[0], "Patches_") {
	pkgRel := strings.SplitN(s[0], "_", 2)
	release := Release(pkgRel[0])
	pkgName := Package(strings.Trim(pkgRel[1], ":"))
```
Looks like we don't need to trim ":", because we did this here:
vuln-list-update/wrlinux/wrlinux.go, line 230 in 0b161fc
```go
status := Status{
	Status: fields[0],
}
if len(fields) > 1 {
```
Can you add a comment with an example, please?
```go
}

// Parse References
if strings.HasPrefix(line, "References:") {
```
It would be better if the test case contained multiple References values.
```go
}

// Parse Notes
if strings.HasPrefix(line, "Notes:") {
```
0b161fc to 7224d5f
7224d5f to 88d9f77
@DmitriyLewen I have addressed all your comments/concerns and pushed the changes.

Hi, any updates?
DmitriyLewen left a comment
Sorry for the wait!
Looks good.
Added some small notes.
wrlinux/wrlinux.go (Outdated)
```go
"io"
"bufio"
"log"
"os"
"path/filepath"
"strings"
"time"

"github.com/aquasecurity/vuln-list-update/git"
"github.com/araddon/dateparse"
"golang.org/x/xerrors"
"github.com/aquasecurity/vuln-list-update/utils"
```
Format the imports with gofmt, please.
wrlinux/wrlinux.go (Outdated)
```go
vuln = &Vulnerability{}
vuln.Patches = map[Package]Statuses{}

lines := []string{}
```
Suggested change: replace `lines := []string{}` with `var lines []string`.
wrlinux/wrlinux_test.go (Outdated)
```go
type args struct {
	filePath string
}
```
I think we can move filePath to the testCases struct.
Looks like we don't need the args struct.
wrlinux/wrlinux_test.go (Outdated)
```go
Candidate: "CVE-2020-24241",
PublicDate: time.Date(2020, 8, 25, 0, 0, 0, 0, time.UTC),
Description: "In Netwide Assembler (NASM) 2.15rc10, there is heap use-after-free in saa_wbytes in nasmlib/saa.c.",
Priority: "medium",
Bugs: []string{
	"LINCD-2974",
	"LIN1019-5289",
	"LIN1018-6614",
	"LIN10-7689",
},
```
gofmt is also needed here.
```go
gc := git.Config{}
dir := filepath.Join(utils.CacheDir(), cveTrackerDir)
for _, url := range repoURLs {
	_, err = gc.CloneOrPull(url, dir, "master", false)
```
I think we can remove this folder after adding CVEs.
What do you think?
88d9f77 to 365b5e6
@DmitriyLewen addressed all your comments above. Please take a look when you can!
DmitriyLewen left a comment
Looks good.
One small comment.
wrlinux/wrlinux.go (Outdated)
```go
log.Printf("failed to clone or pull: %s: %v", url, err)
log.Printf("removing %s directory", cveTrackerDir)
if err := os.RemoveAll(dir); err != nil {
	return xerrors.Errorf("failed to remove %s directory: %w", cveTrackerDir, err)
}
```
365b5e6 to 3a009fd
Good job, @ssajal-wrl!
Thanks for your work.
Can you sign the CLA (#178 (comment))?
@knqyf263 I approved this PR. Can you take a look and merge it if you don't see any notes?
@ssajal-wrl The message has small text :)
Did you try it?
I had to sign the CLA with the account that authored the commit, sorry for the delay.
3a009fd to d314775
Looks like this PR is good to be merged, anything else that I need to address?
We're sorry for the late response. We're not sure if we can keep maintaining this feature. Could you suspend your work until further notice? We want to see how many people need this one.
Hi, @knqyf263, what are the concerns with maintaining this feature? Would you please provide more details about your concerns?
@FuzzyGophers More features bring more bugs.
Thank you for the follow-up, @knqyf263. The addition of Wind River Linux is a "standard" approach. The only concern I can see is whether Wind River Linux continues to host the git repo with the required vulnerability data. I will be happy to maintain this if it can be merged. Would this address your concerns?
It's hard for outside contributors to keep maintaining OSS for the long term. It is likely that we, the maintainers, will eventually maintain it because this is our job. Unfortunately, our resources are not plentiful.

Signed-off-by: Sakib Sajal sakib.sajal@windriver.com