auth/hack/vulncheck-filter/main.go at 7fbe8904eaa64132e27bf1c0d748803fc686ab4c · supabase/auth · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"slices"
	"strings"
)

// Vulnerabilities with no upstream fix — remove entries once fixed.
var ignore = map[string]string{
	"GO-2026-4518": "pgproto3/v2 DoS, no fix available (EOL). Transitive via pgconn v1 + pop/v6.",
}

func main() {
	if err := run(); err != nil {
		fmt.Fprintf(os.Stderr, "vulncheck-filter: %v\n", err)
		os.Exit(1)
	}
}

func run() error {
	const (
		stInit = iota
		stVulnOpen
	)

	type vuln struct {
		ID   string `json:"id"`
		Text string
	}

	var (
		cur   vuln
		vulns []*vuln
	)
	st := stInit
	sc := bufio.NewScanner(os.Stdin)
	for sc.Scan() {
		v := sc.Text()
		switch st {
		case stInit:
			if strings.HasPrefix(v, "Vulnerability ") {
				st = stVulnOpen
				_, id, ok := strings.Cut(v, ": ")
				if !ok {
					return errors.New("no longer able to parse format")
				}
				cur = vuln{
					ID: id,
				}
			}
		case stVulnOpen:
			cur.Text += v + "\n"
			if v == "" {
				st = stInit
				cpy := cur
				vulns = append(vulns, &cpy)
			}
		}
	}
	if err := sc.Err(); err != nil {
		return err
	}
	vulns = slices.DeleteFunc(vulns, func(v *vuln) bool {
		reason, ok := ignore[v.ID]
		if ok {
			fmt.Fprintf(os.Stderr, "ignoring %s: %s\n", v.ID, reason)
		}
		return ok
	})
	if len(vulns) == 0 {
		return nil
	}

	fmt.Fprintf(os.Stderr, "\n")
	for idx, vuln := range vulns {
		msg := "Vulnerability #%d: %v\n%v"
		fmt.Fprintf(os.Stderr, msg, idx+1, vuln.ID, vuln.Text)
	}
	return fmt.Errorf("%d unignored vulnerability(ies) found", len(vulns))
}