vulnreport: add 'symbols' cmd to vulnreport

Maceo Thompson · Maceo Thompson · commit 6a2e4b6a490c · 2024-01-30T20:52:20.000Z
This change integrates symbols.Patched into vulnreport. One can call `vulnreport symbols [REPORTNUMBER]` to use this. Additionally, if vulnreport is unable to find the correct fix link (this may happen in cases where there are multiple modules or the report's fix link is a pull request and not a commit hash), they can populate the FixLink field per-module. Change-Id: I6566c67538c4de29547432648a28f50cb735b3ce Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/559156 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/cmd/vulnreport/main.go b/cmd/vulnreport/main.go
@@ -75,6 +75,7 @@ func main() {
 		fmt.Fprintf(flag.CommandLine.Output(), "usage: vulnreport [cmd] [filename.yaml]\n")
 		fmt.Fprintf(flag.CommandLine.Output(), "  create [githubIssueNumber]: creates a new vulnerability YAML report\n")
 		fmt.Fprintf(flag.CommandLine.Output(), "  create-excluded: creates and commits all open github issues marked as excluded\n")
+		fmt.Fprintf(flag.CommandLine.Output(), "  symbols filename.yaml: finds and populates possible vulnerable symbols for a given report\n")
 		fmt.Fprintf(flag.CommandLine.Output(), "  lint filename.yaml ...: lints vulnerability YAML reports\n")
 		fmt.Fprintf(flag.CommandLine.Output(), "  cve filename.yaml ...: creates and saves CVE 5.0 record from the provided YAML reports\n")
 		fmt.Fprintf(flag.CommandLine.Output(), "  fix filename.yaml ...: fixes and reformats YAML reports\n")
@@ -161,6 +162,8 @@ func main() {
 		cmdFunc = func(ctx context.Context, name string) error { return cveCmd(ctx, name) }
 	case "fix":
 		cmdFunc = func(ctx context.Context, name string) error { return fix(ctx, name, ghsaClient, pc, *force) }
+	case "symbols":
+		cmdFunc = func(ctx context.Context, name string) error { return findSymbols(ctx, name) }
 	case "osv":
 		cmdFunc = func(ctx context.Context, name string) error { return osvCmd(ctx, name, pc) }
 	case "set-dates":
@@ -741,6 +744,77 @@ func addReferenceTODOs(r *report.Report) {
 	}
 }
 
+func findSymbols(_ context.Context, filename string) (err error) {
+	defer derrors.Wrap(&err, "findSymbols(%q)", filename)
+	infolog.Printf("findSymbols %s\n", filename)
+	r, err := report.Read(filename)
+	if err != nil {
+		return err
+	}
+	var defaultFixes []string
+
+	for _, ref := range r.References {
+		if ref.Type == osv.ReferenceTypeFix {
+			if filepath.Base(filepath.Dir(ref.URL)) == "commit" {
+				defaultFixes = append(defaultFixes, ref.URL)
+			}
+		}
+	}
+	if len(defaultFixes) == 0 {
+		return fmt.Errorf("no commit fix links found")
+	}
+
+	for _, mod := range r.Modules {
+		hasFixLink := mod.FixLink != ""
+		if hasFixLink {
+			defaultFixes = append(defaultFixes, mod.FixLink)
+		}
+		numFixedSymbols := make([]int, len(defaultFixes))
+		for i, fixLink := range defaultFixes {
+			fixHash := filepath.Base(fixLink)
+			fixRepo := strings.TrimSuffix(fixLink, "/commit/"+fixHash)
+			pkgsToSymbols, err := symbols.Patched(mod.Module, fixRepo, fixHash, errlog)
+			if err != nil {
+				errlog.Print(err)
+				continue
+			}
+			packages := mod.AllPackages()
+			for pkg, symbols := range pkgsToSymbols {
+				if _, exists := packages[pkg]; exists {
+					packages[pkg].Symbols = append(packages[pkg].Symbols, symbols...)
+				} else {
+					mod.Packages = append(mod.Packages, &report.Package{
+						Package: pkg,
+						Symbols: symbols,
+					})
+				}
+				numFixedSymbols[i] += len(symbols)
+			}
+		}
+		// if the module's link field wasn't already populated, populate it with
+		// the link that results in the most symbols
+		if hasFixLink {
+			defaultFixes = defaultFixes[:len(defaultFixes)-1]
+		} else {
+			mod.FixLink = defaultFixes[indexMax(numFixedSymbols)]
+		}
+	}
+	return r.Write(filename)
+}
+
+// indexMax takes a slice of nonempty ints and returns the index of the maximum value
+func indexMax(s []int) (index int) {
+	maxVal := s[0]
+	index = 0
+	for i, val := range s {
+		if val > maxVal {
+			maxVal = val
+			index = i
+		}
+	}
+	return index
+}
+
 func lint(_ context.Context, filename string, pc *proxy.Client) (err error) {
 	defer derrors.Wrap(&err, "lint(%q)", filename)
 	infolog.Printf("lint %s\n", filename)
diff --git a/internal/report/report.go b/internal/report/report.go
@@ -54,6 +54,9 @@ type Module struct {
 	// It is rare that we need to specify this.
 	VulnerableAtRequires []string   `yaml:"vulnerable_at_requires,omitempty"`
 	Packages             []*Package `yaml:",omitempty"`
+	// Used to automatically determine vulnerable symbols for a given module.
+	// Will be auto-populated from the reports "fix" link if none is specified.
+	FixLink string `yaml:"fix_link,omitempty"`
 }
 
 type Package struct {
@@ -258,6 +261,15 @@ func (r *Report) AllCVEs() []string {
 	return all
 }
 
+// AllPkgs returns all affected packages in a given module.
+func (m *Module) AllPackages() map[string]*Package {
+	pkgs := make(map[string]*Package)
+	for _, pkg := range m.Packages {
+		pkgs[pkg.Package] = pkg
+	}
+	return pkgs
+}
+
 // Aliases returns all aliases (e.g., CVEs, GHSAs) for a report.
 func (r *Report) Aliases() []string {
 	return append(r.AllCVEs(), r.GHSAs...)
