diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
index 9a3686a2..90baa8ff 100644
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -59,10 +59,6 @@ jobs:
 name: Photon CVE Advisory
 run: ./scripts/update.sh photon "Photon Security Advisories"
 
- - if: always()
- name: GitHub Security Advisory
- run: ./scripts/update.sh ghsa "GitHub Security Advisory"
-
 - if: always()
 name: CWE
 run: ./scripts/update.sh cwe "CWE"
diff --git a/ghsa/ghsa.go b/ghsa/ghsa.go
deleted file mode 100644
index 6fb244d7..00000000
--- a/ghsa/ghsa.go
+++ /dev/null
@@ -1,199 +0,0 @@
-package ghsa
-
-import (
- "context"
- "fmt"
- "log"
- "math"
- "os"
- "path/filepath"
- "strings"
- "time"
-
- "github.com/cheggaaa/pb"
- githubql "github.com/shurcooL/githubv4"
- "github.com/shurcooL/graphql"
- "github.com/spf13/afero"
- "golang.org/x/xerrors"
-
- "github.com/aquasecurity/vuln-list-update/utils"
-)
-
-// https://developer.github.com/v4/enum/securityadvisoryecosystem/
-type SecurityAdvisoryEcosystem string
-
-var (
- Composer SecurityAdvisoryEcosystem = "COMPOSER"
- Maven SecurityAdvisoryEcosystem = "MAVEN"
- Npm SecurityAdvisoryEcosystem = "NPM"
- Nuget SecurityAdvisoryEcosystem = "NUGET"
- Pip SecurityAdvisoryEcosystem = "PIP"
- Rubygems SecurityAdvisoryEcosystem = "RUBYGEMS"
- Go SecurityAdvisoryEcosystem = "GO"
- Rust SecurityAdvisoryEcosystem = "RUST"
- Erlang SecurityAdvisoryEcosystem = "ERLANG"
- Pub SecurityAdvisoryEcosystem = "PUB"
- Swift SecurityAdvisoryEcosystem = "SWIFT"
- Ecosystems = []SecurityAdvisoryEcosystem{Composer, Maven, Npm, Nuget, Pip, Rubygems, Go, Erlang, Rust, Pub, Swift}
-
- wait = func(i int) time.Duration {
- sleep := math.Pow(float64(i), 2) + float64(utils.RandInt()%10)
- return time.Duration(sleep) * time.Second
- }
-)
-
-const (
- ghsaDir = "ghsa"
- retry = 5
- maxResponseSize = 100
-)
-
-type Config struct {
- vulnListDir string
- appFs afero.Fs
- retry int
- client GithubClient
-}
-
-type GithubClient interface {
- Query(ctx context.Context, q interface{}, variables map[string]interface{}) error
-}
-
-func NewConfig(client GithubClient) Config {
- return Config{
- vulnListDir: utils.VulnListDir(),
- appFs: afero.NewOsFs(),
- retry: retry,
- client: client,
- }
-}
-
-func (c Config) Update() error {
- log.Print("Fetching GitHub Security Advisory")
-
- for _, ecosystem := range Ecosystems {
- err := c.update(ecosystem)
- if err != nil {
- return xerrors.Errorf("failed to update github security advisory ,%s: %w", ecosystem, err)
- }
- }
- return nil
-}
-
-func (c Config) update(ecosystem 
SecurityAdvisoryEcosystem) error {
- log.Printf("Fetching GitHub Security Advisory: %s", ecosystem)
-
- dir := filepath.Join(c.vulnListDir, ghsaDir, strings.ToLower(string(ecosystem)))
- if err := os.RemoveAll(dir); err != nil {
- return xerrors.Errorf("unable to remove github security advisory directory: %w", err)
- }
- if err := os.MkdirAll(dir, os.ModePerm); err != nil {
- return xerrors.Errorf("failed to mkdir: %w", err)
- }
-
- ghsas, err := c.fetchGithubSecurityAdvisories(ecosystem)
- if err != nil {
- return xerrors.Errorf("failed to fetch github security advisory: %w", err)
- }
-
- ghsaJsonMap := make(map[string]GithubSecurityAdvisoryJson)
- for _, ghsa := range ghsas {
- // skip bad ghsa
- if ghsa.Package.Name == "" {
- continue
- }
- ghsa.Package.Name = strings.TrimSpace(ghsa.Package.Name)
-
- ghsaJson, ok := ghsaJsonMap[ghsa.Advisory.GhsaId+ghsa.Package.Name]
- if ok {
- va := Version{
- FirstPatchedVersion: ghsa.FirstPatchedVersion,
- VulnerableVersionRange: ghsa.VulnerableVersionRange,
- }
- ghsaJson.Versions = append(ghsaJson.Versions, va)
- ghsaJsonMap[ghsa.Advisory.GhsaId+ghsa.Package.Name] = ghsaJson
-
- } else {
- ghsaJsonMap[ghsa.Advisory.GhsaId+ghsa.Package.Name] = GithubSecurityAdvisoryJson{
- Severity: ghsa.Severity,
- UpdatedAt: ghsa.UpdatedAt,
- Package: ghsa.Package,
- Advisory: ghsa.Advisory,
- Versions: []Version{
- {
- FirstPatchedVersion: ghsa.FirstPatchedVersion,
- VulnerableVersionRange: ghsa.VulnerableVersionRange,
- },
- },
- }
- }
- }
-
- bar := pb.StartNew(len(ghsaJsonMap))
- for _, ghsaJson := range ghsaJsonMap {
- pkgName := strings.Replace(ghsaJson.Package.Name, ":", "/", -1)
- // Part Swift advisories have `https://` prefix or `.git` suffix
- // e.g. 
https://github.com/github/advisory-database/blob/76f65b0d0fdac39c8b0e834ab03562b5f80d5b27/advisories/github-reviewed/2023/06/GHSA-r6ww-5963-7r95/GHSA-r6ww-5963-7r95.json#L21
- // https://github.com/github/advisory-database/blob/76f65b0d0fdac39c8b0e834ab03562b5f80d5b27/advisories/github-reviewed/2023/07/GHSA-jq43-q8mx-r7mq/GHSA-jq43-q8mx-r7mq.json#L21
- // Trim them to get correct directory
- if ecosystem == Swift {
- pkgName = strings.TrimPrefix(pkgName, "https///")
- pkgName = strings.TrimSuffix(pkgName, ".git")
- }
- dir := filepath.Join(c.vulnListDir, ghsaDir, strings.ToLower(string(ecosystem)), pkgName)
- err := c.saveGSHA(dir, ghsaJson.Advisory.GhsaId, ghsaJson)
- if err != nil {
- return xerrors.Errorf("failed to save github security advisory: %w", err)
- }
- bar.Increment()
- }
- bar.Finish()
- return nil
-}
-
-func (c Config) fetchGithubSecurityAdvisories(ecosystem SecurityAdvisoryEcosystem) ([]GithubSecurityAdvisory, error) {
- var getVulnerabilitiesQuery GetVulnerabilitiesQuery
- var ghsas []GithubSecurityAdvisory
- variables := map[string]interface{}{
- "ecosystem": ecosystem,
- "total": graphql.Int(maxResponseSize),
- "cursor": (*githubql.String)(nil),
- }
- for {
- var err error
- for i := 0; i <= c.retry; i++ {
- if i > 0 {
- sleep := wait(i)
- log.Printf("retry after %s", sleep)
- time.Sleep(sleep)
- }
-
- err = c.client.Query(context.Background(), &getVulnerabilitiesQuery, variables)
- if err == nil || len(getVulnerabilitiesQuery.Nodes) > 0 {
- break
- }
- }
- // GitHub GraphQL API may return error and one of nodes == nil
- // We must write other nodes.
- // Bad node will be skipped in 'update' function
- if err != nil && len(getVulnerabilitiesQuery.Nodes) == 0 {
- return nil, xerrors.Errorf("graphql api error: %w", err)
- }
-
- ghsas = append(ghsas, getVulnerabilitiesQuery.Nodes...)
- if !getVulnerabilitiesQuery.PageInfo.HasNextPage {
- break
- }
-
- variables["cursor"] = githubql.NewString(getVulnerabilitiesQuery.PageInfo.EndCursor)
- }
- return ghsas, nil
-}
-
-func (c Config) saveGSHA(dirName string, ghsaID string, data interface{}) error {
- fileName := fmt.Sprintf("%s.json", ghsaID)
- if err := utils.WriteJSON(c.appFs, dirName, fileName, data); err != nil {
- return xerrors.Errorf("failed to write file: %w", err)
- }
- return nil
-}
diff --git a/ghsa/ghsa_test.go b/ghsa/ghsa_test.go
deleted file mode 100644
index b1ec1aae..00000000
--- a/ghsa/ghsa_test.go
+++ /dev/null
@@ -1,606 +0,0 @@ -package ghsa - -import ( - "context" - "errors" - "flag" - "fmt" - "os" - "testing" - "time" - - githubql "github.com/shurcooL/githubv4" - "github.com/spf13/afero" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" -) - -var update = flag.Bool("update", false, "update golden files") - -type MockClient struct { - Response map[githubql.String]GetVulnerabilitiesQuery - Error error - ErrorCount int -} - -func (mc MockClient) Query(ctx context.Context, q interface{}, variables map[string]interface{}) error { - if mc.Error != nil { - return mc.Error - } - - cursor := variables["cursor"].(*githubql.String) - if cursor == (*githubql.String)(nil) { - q.(*GetVulnerabilitiesQuery).SecurityVulnerabilities = mc.Response[githubql.String("")].SecurityVulnerabilities - return nil - } - - q.(*GetVulnerabilitiesQuery).SecurityVulnerabilities = mc.Response[*cursor].SecurityVulnerabilities - return nil -} - -func TestConfig_Update(t *testing.T) { - testCases := []struct { - name string - appFs afero.Fs - inputEcosystem SecurityAdvisoryEcosystem - goldenFiles map[string]string - inputResponse map[githubql.String]GetVulnerabilitiesQuery - expectedErrorMsg string - }{ - { - name: "positive test", - appFs: afero.NewMemMapFs(), - inputEcosystem: Composer, - goldenFiles: map[string]string{ - "/tmp/ghsa/composer/simplesamlphp/simplesamlphp/GHSA-2r3v-q9x3-7g46.json": "testdata/composer/simplesamlphp/simplesamlphp/GHSA-2r3v-q9x3-7g46.json", - }, - inputResponse: map[githubql.String]GetVulnerabilitiesQuery{ - githubql.String(""): { - SecurityVulnerabilities: SecurityVulnerabilities{ - Nodes: []GithubSecurityAdvisory{ - { - Severity: "LOW", - UpdatedAt: "2020-01-24T21:15:59Z", - Package: Package{ - Ecosystem: "COMPOSER", - Name: "simplesamlphp/simplesamlphp", - }, - Advisory: Advisory{ - DatabaseId: 1883, - Id: "MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJyM3YtcTl4My03ZzQ2", - GhsaId: "GHSA-2r3v-q9x3-7g46", - References: []Reference{ - { - Url: 
"https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-2r3v-q9x3-7g46", - }, - }, - Identifiers: []Identifier{ - { - Type: "GHSA", - Value: "GHSA-2r3v-q9x3-7g46", - }, - }, - Description: "### Background\nSeveral scripts part of SimpleSAMLphp display a web page with links obtained from the request parameters. This allows us to enhance usability, as the users are presented with links they can follow after completing a certain action, like logging out.\n\n### Description\nThe following scripts were not checking the URLs obtained via the HTTP request before displaying them as the target of links that the user may click on:\n\n- `www/logout.php`\n- `modules/core/www/no_cookie.php`\n\nThe issue allowed attackers to display links targeting a malicious website inside a trusted site running SimpleSAMLphp, due to the lack of security checks involving the `link_href` and `retryURL` HTTP parameters, respectively. The issue was resolved by including a verification of the URLs received in the request against a white list of websites specified in the `trusted.url.domains` configuration option.\n\n### Affected versions\nAll SimpleSAMLphp versions prior to 1.14.4.\n\n### Impact\nA remote attacker could craft a link pointing to a trusted website running SimpleSAMLphp, including a parameter pointing to a malicious website, and try to fool the victim into visiting that website by clicking on a link in the page presented by SimpleSAMLphp.\n\n### Resolution\nUpgrade to the latest version.\n\n### Credit\nThis security issue was discovered and reported by John Page (hyp3rlinx).", - Origin: "UNSPECIFIED", - PublishedAt: "2020-01-24T21:27:16Z", - Severity: "LOW", - Summary: "Low severity vulnerability that affects simplesamlphp/simplesamlphp", - UpdatedAt: "2020-01-24T21:27:17Z", - WithdrawnAt: "", - CVSS: GithubCVSS{ - Score: 3.7, - VectorString: "3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", - }, - }, - FirstPatchedVersion: FirstPatchedVersion{ - Identifier: "1.14.4", - }, 
- VulnerableVersionRange: "\u003c 1.14.4", - }, - }, - PageInfo: PageInfo{ - EndCursor: githubql.String(""), - HasNextPage: false, - }, - }, - }, - }, - }, - { - name: "positive test with one nil node", - appFs: afero.NewMemMapFs(), - inputEcosystem: Composer, - goldenFiles: map[string]string{ - "/tmp/ghsa/composer/simplesamlphp/simplesamlphp/GHSA-2r3v-q9x3-7g46.json": "testdata/composer/simplesamlphp/simplesamlphp/GHSA-2r3v-q9x3-7g46.json", - }, - inputResponse: map[githubql.String]GetVulnerabilitiesQuery{ - githubql.String(""): { - SecurityVulnerabilities: SecurityVulnerabilities{ - Nodes: []GithubSecurityAdvisory{ - { - Severity: "LOW", - UpdatedAt: "2020-01-24T21:15:59Z", - Package: Package{ - Ecosystem: "COMPOSER", - Name: "simplesamlphp/simplesamlphp", - }, - Advisory: Advisory{ - DatabaseId: 1883, - Id: "MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJyM3YtcTl4My03ZzQ2", - GhsaId: "GHSA-2r3v-q9x3-7g46", - References: []Reference{ - { - Url: "https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-2r3v-q9x3-7g46", - }, - }, - Identifiers: []Identifier{ - { - Type: "GHSA", - Value: "GHSA-2r3v-q9x3-7g46", - }, - }, - Description: "### Background\nSeveral scripts part of SimpleSAMLphp display a web page with links obtained from the request parameters. This allows us to enhance usability, as the users are presented with links they can follow after completing a certain action, like logging out.\n\n### Description\nThe following scripts were not checking the URLs obtained via the HTTP request before displaying them as the target of links that the user may click on:\n\n- `www/logout.php`\n- `modules/core/www/no_cookie.php`\n\nThe issue allowed attackers to display links targeting a malicious website inside a trusted site running SimpleSAMLphp, due to the lack of security checks involving the `link_href` and `retryURL` HTTP parameters, respectively. 
The issue was resolved by including a verification of the URLs received in the request against a white list of websites specified in the `trusted.url.domains` configuration option.\n\n### Affected versions\nAll SimpleSAMLphp versions prior to 1.14.4.\n\n### Impact\nA remote attacker could craft a link pointing to a trusted website running SimpleSAMLphp, including a parameter pointing to a malicious website, and try to fool the victim into visiting that website by clicking on a link in the page presented by SimpleSAMLphp.\n\n### Resolution\nUpgrade to the latest version.\n\n### Credit\nThis security issue was discovered and reported by John Page (hyp3rlinx).", - Origin: "UNSPECIFIED", - PublishedAt: "2020-01-24T21:27:16Z", - Severity: "LOW", - Summary: "Low severity vulnerability that affects simplesamlphp/simplesamlphp", - UpdatedAt: "2020-01-24T21:27:17Z", - WithdrawnAt: "", - CVSS: GithubCVSS{ - Score: 3.7, - VectorString: "3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", - }, - }, - FirstPatchedVersion: FirstPatchedVersion{ - Identifier: "1.14.4", - }, - VulnerableVersionRange: "\u003c 1.14.4", - }, - {}, // nil node - }, - PageInfo: PageInfo{ - EndCursor: githubql.String(""), - HasNextPage: false, - }, - }, - }, - }, - }, - { - name: "positive test multi nodes", - appFs: afero.NewMemMapFs(), - inputEcosystem: Maven, - goldenFiles: map[string]string{ - "/tmp/ghsa/maven/org.apache.solr/solr-core/GHSA-2289-pqfq-6wx7.json": "testdata/maven/org.apache.solr/solr-core/GHSA-2289-pqfq-6wx7.json", - "/tmp/ghsa/maven/org.apache.qpid/qpid-broker/GHSA-269m-695x-j34p.json": "testdata/maven/org.apache.qpid/qpid-broker/GHSA-269m-695x-j34p.json", - "/tmp/ghsa/maven/org.apache.hive/hive/GHSA-2g9q-chq2-w8qw.json": "testdata/maven/org.apache.hive/hive/GHSA-2g9q-chq2-w8qw.json", - }, - inputResponse: map[githubql.String]GetVulnerabilitiesQuery{ - githubql.String(""): { - SecurityVulnerabilities: SecurityVulnerabilities{ - Nodes: []GithubSecurityAdvisory{ - { - Severity: "HIGH", - 
UpdatedAt: "2020-01-28T22:25:34Z", - Package: Package{ - Ecosystem: "MAVEN", - Name: "org.apache.solr:solr-core", - }, - Advisory: Advisory{ - DatabaseId: 1892, - Id: "MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTIyODktcHFmcS02d3g3", - GhsaId: "GHSA-2289-pqfq-6wx7", - References: []Reference{ - { - Url: "https://nvd.nist.gov/vuln/detail/CVE-2019-12409", - }, - }, - Identifiers: []Identifier{ - { - Type: "GHSA", - Value: "GHSA-2289-pqfq-6wx7", - }, - { - Type: "CVE", - Value: "CVE-2019-12409", - }, - }, - Description: "The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr. If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.", - Origin: "UNSPECIFIED", - PublishedAt: "2020-01-28T22:26:54Z", - Severity: "HIGH", - Summary: "High severity vulnerability that affects org.apache.solr:solr-core", - UpdatedAt: "2020-01-28T22:26:54Z", - WithdrawnAt: "", - CVSS: GithubCVSS{ - Score: 9.8, - VectorString: "3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - }, - }, - FirstPatchedVersion: FirstPatchedVersion{ - Identifier: "8.3.0", - }, - VulnerableVersionRange: "\u003e= 8.1.1, \u003c= 8.2.0", - }, - { - Severity: "MODERATE", - UpdatedAt: "2018-10-19T16:40:55Z", - Package: Package{ - Ecosystem: "MAVEN", - Name: "org.apache.qpid:qpid-broker", - }, - Advisory: Advisory{ - DatabaseId: 888, - Id: "MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTI2OW0tNjk1eC1qMzRw", - GhsaId: "GHSA-269m-695x-j34p", - References: []Reference{ - { - Url: "https://nvd.nist.gov/vuln/detail/CVE-2017-15702", - }, - }, - Identifiers: []Identifier{ - { - Type: "GHSA", - 
Value: "GHSA-269m-695x-j34p", - }, - { - Type: "CVE", - Value: "CVE-2017-15702", - }, - }, - Description: "In Apache Qpid Broker-J 0.18 through 0.32, if the broker is configured with different authentication providers on different ports one of which is an HTTP port, then the broker can be tricked by a remote unauthenticated attacker connecting to the HTTP port into using an authentication provider that was configured on a different port. The attacker still needs valid credentials with the authentication provider on the spoofed port. This becomes an issue when the spoofed port has weaker authentication protection (e.g., anonymous access, default accounts) and is normally protected by firewall rules or similar which can be circumvented by this vulnerability. AMQP ports are not affected. Versions 6.0.0 and newer are not affected.", - Origin: "UNSPECIFIED", - PublishedAt: "2018-10-19T16:41:04Z", - Severity: "MODERATE", - Summary: "Moderate severity vulnerability that affects org.apache.qpid:qpid-broker", - UpdatedAt: "2019-07-03T21:02:04Z", - WithdrawnAt: "", - CVSS: GithubCVSS{ - Score: 9.8, - VectorString: "3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - }, - }, - FirstPatchedVersion: FirstPatchedVersion{ - Identifier: "6.0.0", - }, - VulnerableVersionRange: "\u003e= 0.18, \u003c= 0.32", - }, - }, - PageInfo: PageInfo{ - EndCursor: githubql.String("nextCursor"), - HasNextPage: true, - }, - }, - }, - githubql.String("nextCursor"): { - SecurityVulnerabilities: SecurityVulnerabilities{ - Nodes: []GithubSecurityAdvisory{ - { - - Severity: "MODERATE", - UpdatedAt: "2019-03-14T15:37:54Z", - Package: Package{ - Ecosystem: "MAVEN", - Name: "org.apache.hive:hive", - }, - Advisory: Advisory{ - DatabaseId: 1293, - Id: "MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJnOXEtY2hxMi13OHF3", - GhsaId: "GHSA-2g9q-chq2-w8qw", - References: []Reference{ - { - Url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12625", - }, - }, - Identifiers: []Identifier{ - { - Type: "GHSA", - Value: "GHSA-2g9q-chq2-w8qw", 
- }, - { - Type: "CVE", - Value: "CVE-2017-12625", - }, - }, - Description: "Apache Hive 2.1.x before 2.1.2, 2.2.x before 2.2.1, and 2.3.x before 2.3.1 expose an interface through which masking policies can be defined on tables or views, e.g., using Apache Ranger. When a view is created over a given table, the policy enforcement does not happen correctly on the table for masked columns.", - Origin: "UNSPECIFIED", - PublishedAt: "2019-03-14T15:40:16Z", - Severity: "MODERATE", - Summary: "Moderate severity vulnerability that affects org.apache.hive:hive, org.apache.hive:hive-exec, and org.apache.hive:hive-service", - UpdatedAt: "2019-07-03T21:02:07Z", - WithdrawnAt: "", - CVSS: GithubCVSS{ - Score: 4.3, - VectorString: "3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", - }, - }, - FirstPatchedVersion: FirstPatchedVersion{ - Identifier: "2.3.1", - }, - VulnerableVersionRange: "= 2.3.0", - }, - { - - Severity: "MODERATE", - UpdatedAt: "2019-03-14T15:37:54Z", - Package: Package{ - Ecosystem: "MAVEN", - Name: "org.apache.hive:hive", - }, - Advisory: Advisory{ - DatabaseId: 1293, - Id: "MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJnOXEtY2hxMi13OHF3", - GhsaId: "GHSA-2g9q-chq2-w8qw", - References: []Reference{ - { - Url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12625", - }, - }, - Identifiers: []Identifier{ - { - Type: "GHSA", - Value: "GHSA-2g9q-chq2-w8qw", - }, - { - Type: "CVE", - Value: "CVE-2017-12625", - }, - }, - Description: "Apache Hive 2.1.x before 2.1.2, 2.2.x before 2.2.1, and 2.3.x before 2.3.1 expose an interface through which masking policies can be defined on tables or views, e.g., using Apache Ranger. 
When a view is created over a given table, the policy enforcement does not happen correctly on the table for masked columns.", - Origin: "UNSPECIFIED", - PublishedAt: "2019-03-14T15:40:16Z", - Severity: "MODERATE", - Summary: "Moderate severity vulnerability that affects org.apache.hive:hive, org.apache.hive:hive-exec, and org.apache.hive:hive-service", - UpdatedAt: "2019-07-03T21:02:07Z", - WithdrawnAt: "", - CVSS: GithubCVSS{ - Score: 4.3, - VectorString: "3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", - }, - }, - FirstPatchedVersion: FirstPatchedVersion{ - Identifier: "2.2.1", - }, - VulnerableVersionRange: "= 2.2.0", - }, - { - - Severity: "MODERATE", - UpdatedAt: "2019-03-14T15:37:54Z", - Package: Package{ - Ecosystem: "MAVEN", - Name: "org.apache.hive:hive", - }, - Advisory: Advisory{ - DatabaseId: 1293, - Id: "MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJnOXEtY2hxMi13OHF3", - GhsaId: "GHSA-2g9q-chq2-w8qw", - References: []Reference{ - { - Url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12625", - }, - }, - Identifiers: []Identifier{ - { - Type: "GHSA", - Value: "GHSA-2g9q-chq2-w8qw", - }, - { - Type: "CVE", - Value: "CVE-2017-12625", - }, - }, - Description: "Apache Hive 2.1.x before 2.1.2, 2.2.x before 2.2.1, and 2.3.x before 2.3.1 expose an interface through which masking policies can be defined on tables or views, e.g., using Apache Ranger. 
When a view is created over a given table, the policy enforcement does not happen correctly on the table for masked columns.", - Origin: "UNSPECIFIED", - PublishedAt: "2019-03-14T15:40:16Z", - Severity: "MODERATE", - Summary: "Moderate severity vulnerability that affects org.apache.hive:hive, org.apache.hive:hive-exec, and org.apache.hive:hive-service", - UpdatedAt: "2019-07-03T21:02:07Z", - WithdrawnAt: "", - CVSS: GithubCVSS{ - Score: 4.3, - VectorString: "3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", - }, - }, - FirstPatchedVersion: FirstPatchedVersion{ - Identifier: "2.1.2", - }, - VulnerableVersionRange: "\u003e= 2.1.0, \u003c 2.1.2", - }, - }, - PageInfo: PageInfo{ - EndCursor: githubql.String(""), - HasNextPage: false, - }, - }, - }, - }, - expectedErrorMsg: "", - }, - { - name: "happy path with correct swift dir name", - appFs: afero.NewMemMapFs(), - inputEcosystem: Swift, - goldenFiles: map[string]string{ - "/tmp/ghsa/swift/github.com/grpc/grpc-swift/GHSA-r6ww-5963-7r95.json": "testdata/swift/github.com/grpc/grpc-swift/GHSA-r6ww-5963-7r95.json", - }, - inputResponse: map[githubql.String]GetVulnerabilitiesQuery{ - githubql.String(""): { - SecurityVulnerabilities: SecurityVulnerabilities{ - Nodes: []GithubSecurityAdvisory{ - { - Severity: "HIGH", - UpdatedAt: "2023-06-09T19:33:17Z", - Package: Package{ - Ecosystem: "SWIFT", - Name: "https://github.com/grpc/grpc-swift.git", - }, - Advisory: Advisory{ - DatabaseId: 212034, - Id: "GSA_kwCzR0hTQS1yNnd3LTU5NjMtN3I5Nc4AAzxC", - GhsaId: "GHSA-r6ww-5963-7r95", - References: []Reference{ - { - Url: "https://github.com/grpc/grpc-swift/security/advisories/GHSA-r6ww-5963-7r95", - }, - { - Url: "https://nvd.nist.gov/vuln/detail/CVE-2022-24777", - }, - { - Url: "https://github.com/grpc/grpc-swift/commit/858f977f2a51fca2292f384cf7a108dc2e73a3bd", - }, - { - Url: "https://github.com/advisories/GHSA-r6ww-5963-7r95", - }, - }, - Identifiers: []Identifier{ - { - Type: "GHSA", - Value: "GHSA-r6ww-5963-7r95", - }, - { - Type: "CVE", 
- Value: "CVE-2022-24777", - }, - }, - Description: "A grpc-swift server is vulnerable to a denial of service attack via a reachable assertion. This was due to incorrect logic when handling `GOAWAY` frames.\n\nThe attack is low-effort: it takes very little resources to construct and send the required sequence of frames. The impact on availability is high as the server will crash, dropping all in flight connections and requests.\n\nThe issue was discovered by automated fuzz testing and is resolved by fixing the relevant state handling code.", - Origin: "UNSPECIFIED", - PublishedAt: "2023-06-09T19:33:16Z", - Severity: "HIGH", - Summary: "Denial of Service via reachable assertion", - UpdatedAt: "2023-06-19T16:45:07Z", - WithdrawnAt: "", - CVSS: GithubCVSS{ - Score: 7.5, - VectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - }, - }, - FirstPatchedVersion: FirstPatchedVersion{ - Identifier: "1.7.2", - }, - VulnerableVersionRange: "\u003c 1.7.2", - }, - }, - PageInfo: PageInfo{ - EndCursor: githubql.String(""), - HasNextPage: false, - }, - }, - }, - }, - }, - { - name: "read only filesystem test", - appFs: afero.NewReadOnlyFs(afero.NewOsFs()), - inputEcosystem: Composer, - goldenFiles: map[string]string{}, - inputResponse: map[githubql.String]GetVulnerabilitiesQuery{ - githubql.String(""): { - SecurityVulnerabilities: SecurityVulnerabilities{ - Nodes: []GithubSecurityAdvisory{ - { - Package: Package{ - Ecosystem: "COMPOSER", - Name: "composer", - }, - Advisory: Advisory{ - DatabaseId: 1, - }, - }, - }, - PageInfo: PageInfo{ - EndCursor: githubql.String(""), - HasNextPage: false, - }, - }, - }, - }, - expectedErrorMsg: "unable to create a directory: operation not permitted", - }, - } - for _, tc := range testCases { - t.Run(tc.name, func(t *testing.T) { - client := MockClient{ - Response: tc.inputResponse, - } - c := Config{ - vulnListDir: "/tmp", - appFs: tc.appFs, - retry: 0, - client: client, - } - err := c.update(tc.inputEcosystem) - switch { - case 
tc.expectedErrorMsg != "": - require.NotNil(t, err, tc.name) - assert.Contains(t, err.Error(), tc.expectedErrorMsg, tc.name) - return - default: - assert.NoError(t, err, tc.name) - } - - fileCount := 0 - err = afero.Walk(c.appFs, "/", func(path string, info os.FileInfo, err error) error { - if err != nil { - return err - } - if info.IsDir() { - return nil - } - fileCount += 1 - - actual, err := afero.ReadFile(c.appFs, path) - assert.NoError(t, err, tc.name) - - goldenPath, ok := tc.goldenFiles[path] - if !ok { - fmt.Println(path) - } - assert.True(t, ok, tc.name) - - if *update { - err = os.WriteFile(goldenPath, actual, 0666) - assert.NoError(t, err, tc.name) - } - - expected, err := os.ReadFile(goldenPath) - assert.NoError(t, err, tc.name) - - assert.Equal(t, string(expected), string(actual), tc.name) - - return nil - }) - assert.Equal(t, len(tc.goldenFiles), fileCount, tc.name) - assert.NoError(t, err, tc.name) - }) - } - -} - -func TestConfig_FetchGithubSecurityAdvisories(t *testing.T) { - testCases := []struct { - name string - retry int - }{ - { - name: "retry test", - retry: 1, - }, - } - for _, tc := range testCases { - t.Run(tc.name, func(t *testing.T) { - wait = func(i int) time.Duration { return 0 } - client := MockClient{ - Error: errors.New("request error"), - } - c := Config{ - vulnListDir: "/tmp", - appFs: afero.NewMemMapFs(), - retry: tc.retry, - client: client, - } - _, err := c.fetchGithubSecurityAdvisories(Pip) - assert.Error(t, err, tc.name) - }) - } -} diff --git a/ghsa/testdata/composer/simplesamlphp/simplesamlphp/GHSA-2r3v-q9x3-7g46.json b/ghsa/testdata/composer/simplesamlphp/simplesamlphp/GHSA-2r3v-q9x3-7g46.json deleted file mode 100644 index 6012156e..00000000 --- a/ghsa/testdata/composer/simplesamlphp/simplesamlphp/GHSA-2r3v-q9x3-7g46.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "Severity": "LOW", - "UpdatedAt": "2020-01-24T21:15:59Z", - "Package": { - "Ecosystem": "COMPOSER", - "Name": "simplesamlphp/simplesamlphp" - }, - "Advisory": { - "DatabaseId": 1883, - "Id": "MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJyM3YtcTl4My03ZzQ2", - "GhsaId": "GHSA-2r3v-q9x3-7g46", - "References": [ - { - "Url": "https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-2r3v-q9x3-7g46" - } - ], - "Identifiers": [ - { - "Type": "GHSA", - "Value": "GHSA-2r3v-q9x3-7g46" - } - ], - "Description": "### Background\nSeveral scripts part of SimpleSAMLphp display a web page with links obtained from the request parameters. This allows us to enhance usability, as the users are presented with links they can follow after completing a certain action, like logging out.\n\n### Description\nThe following scripts were not checking the URLs obtained via the HTTP request before displaying them as the target of links that the user may click on:\n\n- `www/logout.php`\n- `modules/core/www/no_cookie.php`\n\nThe issue allowed attackers to display links targeting a malicious website inside a trusted site running SimpleSAMLphp, due to the lack of security checks involving the `link_href` and `retryURL` HTTP parameters, respectively. 
The issue was resolved by including a verification of the URLs received in the request against a white list of websites specified in the `trusted.url.domains` configuration option.\n\n### Affected versions\nAll SimpleSAMLphp versions prior to 1.14.4.\n\n### Impact\nA remote attacker could craft a link pointing to a trusted website running SimpleSAMLphp, including a parameter pointing to a malicious website, and try to fool the victim into visiting that website by clicking on a link in the page presented by SimpleSAMLphp.\n\n### Resolution\nUpgrade to the latest version.\n\n### Credit\nThis security issue was discovered and reported by John Page (hyp3rlinx).", - "Origin": "UNSPECIFIED", - "PublishedAt": "2020-01-24T21:27:16Z", - "Severity": "LOW", - "Summary": "Low severity vulnerability that affects simplesamlphp/simplesamlphp", - "UpdatedAt": "2020-01-24T21:27:17Z", - "WithdrawnAt": "", - "CVSS": { - "Score": 3.7, - "VectorString": "3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" - } - }, - "Versions": [ - { - "FirstPatchedVersion": { - "Identifier": "1.14.4" - }, - "VulnerableVersionRange": "\u003c 1.14.4" - } - ] -} \ No newline at end of file diff --git a/ghsa/testdata/maven/org.apache.hive/hive/GHSA-2g9q-chq2-w8qw.json b/ghsa/testdata/maven/org.apache.hive/hive/GHSA-2g9q-chq2-w8qw.json deleted file mode 100644 index b095d7c1..00000000 --- a/ghsa/testdata/maven/org.apache.hive/hive/GHSA-2g9q-chq2-w8qw.json +++ /dev/null 
@@ -1,59 +0,0 @@
-{
- "Severity": "MODERATE",
- "UpdatedAt": "2019-03-14T15:37:54Z",
- "Package": {
- "Ecosystem": "MAVEN",
- "Name": "org.apache.hive:hive"
- },
- "Advisory": {
- "DatabaseId": 1293,
- "Id": "MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJnOXEtY2hxMi13OHF3",
- "GhsaId": "GHSA-2g9q-chq2-w8qw",
- "References": [
- {
- "Url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12625"
- }
- ],
- "Identifiers": [
- {
- "Type": "GHSA",
- "Value": "GHSA-2g9q-chq2-w8qw"
- },
- {
- "Type": "CVE",
- "Value": "CVE-2017-12625"
- }
- ],
- "Description": "Apache Hive 2.1.x before 2.1.2, 2.2.x before 2.2.1, and 2.3.x before 2.3.1 expose an interface through which masking policies can be defined on tables or views, e.g., using Apache Ranger. When a view is created over a given table, the policy enforcement does not happen correctly on the table for masked columns.",
- "Origin": "UNSPECIFIED",
- "PublishedAt": "2019-03-14T15:40:16Z",
- "Severity": "MODERATE",
- "Summary": "Moderate severity vulnerability that affects org.apache.hive:hive, org.apache.hive:hive-exec, and org.apache.hive:hive-service",
- "UpdatedAt": "2019-07-03T21:02:07Z",
- "WithdrawnAt": "",
- "CVSS": {
- "Score": 4.3,
- "VectorString": "3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
- }
- },
- "Versions": [
- {
- "FirstPatchedVersion": {
- "Identifier": "2.3.1"
- },
- "VulnerableVersionRange": "= 2.3.0"
- },
- {
- "FirstPatchedVersion": {
- "Identifier": "2.2.1"
- },
- "VulnerableVersionRange": "= 2.2.0"
- },
- {
- "FirstPatchedVersion": {
- "Identifier": "2.1.2"
- },
- "VulnerableVersionRange": "\u003e= 2.1.0, \u003c 2.1.2"
- }
- ]
-}
\ No newline at end of file
diff --git a/ghsa/testdata/maven/org.apache.qpid/qpid-broker/GHSA-269m-695x-j34p.json b/ghsa/testdata/maven/org.apache.qpid/qpid-broker/GHSA-269m-695x-j34p.json
deleted file mode 100644
index 70f35029..00000000
--- a/ghsa/testdata/maven/org.apache.qpid/qpid-broker/GHSA-269m-695x-j34p.json
+++ /dev/null
@@ -1,47 +0,0 @@ -{ - "Severity": "MODERATE", - "UpdatedAt": "2018-10-19T16:40:55Z", - "Package": { - "Ecosystem": "MAVEN", - "Name": "org.apache.qpid:qpid-broker" - }, - "Advisory": { - "DatabaseId": 888, - "Id": "MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTI2OW0tNjk1eC1qMzRw", - "GhsaId": "GHSA-269m-695x-j34p", - "References": [ - { - "Url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15702" - } - ], - "Identifiers": [ - { - "Type": "GHSA", - "Value": "GHSA-269m-695x-j34p" - }, - { - "Type": "CVE", - "Value": "CVE-2017-15702" - } - ], - "Description": "In Apache Qpid Broker-J 0.18 through 0.32, if the broker is configured with different authentication providers on different ports one of which is an HTTP port, then the broker can be tricked by a remote unauthenticated attacker connecting to the HTTP port into using an authentication provider that was configured on a different port. The attacker still needs valid credentials with the authentication provider on the spoofed port. This becomes an issue when the spoofed port has weaker authentication protection (e.g., anonymous access, default accounts) and is normally protected by firewall rules or similar which can be circumvented by this vulnerability. AMQP ports are not affected. Versions 6.0.0 and newer are not affected.", - "Origin": "UNSPECIFIED", - "PublishedAt": "2018-10-19T16:41:04Z", - "Severity": "MODERATE", - "Summary": "Moderate severity vulnerability that affects org.apache.qpid:qpid-broker", - "UpdatedAt": "2019-07-03T21:02:04Z", - "WithdrawnAt": "", - "CVSS": { - "Score": 9.8, - "VectorString": "3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" - } - }, - "Versions": [ - { - "FirstPatchedVersion": { - "Identifier": "6.0.0" - }, - "VulnerableVersionRange": "\u003e= 0.18, \u003c= 0.32" - } - ] -} \ No newline at end of file 
diff --git a/ghsa/testdata/maven/org.apache.solr/solr-core/GHSA-2289-pqfq-6wx7.json b/ghsa/testdata/maven/org.apache.solr/solr-core/GHSA-2289-pqfq-6wx7.json deleted file mode 100644 index a8666115..00000000 --- a/ghsa/testdata/maven/org.apache.solr/solr-core/GHSA-2289-pqfq-6wx7.json +++ /dev/null @@ -1,47 +0,0 @@ -{ - "Severity": "HIGH", - "UpdatedAt": "2020-01-28T22:25:34Z", - "Package": { - "Ecosystem": "MAVEN", - "Name": "org.apache.solr:solr-core" - }, - "Advisory": { - "DatabaseId": 1892, - "Id": "MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTIyODktcHFmcS02d3g3", - "GhsaId": "GHSA-2289-pqfq-6wx7", - "References": [ - { - "Url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12409" - } - ], - "Identifiers": [ - { - "Type": "GHSA", - "Value": "GHSA-2289-pqfq-6wx7" - }, - { - "Type": "CVE", - "Value": "CVE-2019-12409" - } - ], - "Description": "The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr. If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.", - "Origin": "UNSPECIFIED", - "PublishedAt": "2020-01-28T22:26:54Z", - "Severity": "HIGH", - "Summary": "High severity vulnerability that affects org.apache.solr:solr-core", - "UpdatedAt": "2020-01-28T22:26:54Z", - "WithdrawnAt": "", - "CVSS": { - "Score": 9.8, - "VectorString": "3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" - } - }, - "Versions": [ - { - "FirstPatchedVersion": { - "Identifier": "8.3.0" - }, - "VulnerableVersionRange": "\u003e= 8.1.1, \u003c= 8.2.0" - } - ] -} \ No newline at end of file 
diff --git a/ghsa/testdata/swift/github.com/grpc/grpc-swift/GHSA-r6ww-5963-7r95.json b/ghsa/testdata/swift/github.com/grpc/grpc-swift/GHSA-r6ww-5963-7r95.json deleted file mode 100644 index 909de84f..00000000 --- a/ghsa/testdata/swift/github.com/grpc/grpc-swift/GHSA-r6ww-5963-7r95.json +++ /dev/null 
@@ -1,56 +0,0 @@ -{ - "Severity": "HIGH", - "UpdatedAt": "2023-06-09T19:33:17Z", - "Package": { - "Ecosystem": "SWIFT", - "Name": "https://github.com/grpc/grpc-swift.git" - }, - "Advisory": { - "DatabaseId": 212034, - "Id": "GSA_kwCzR0hTQS1yNnd3LTU5NjMtN3I5Nc4AAzxC", - "GhsaId": "GHSA-r6ww-5963-7r95", - "References": [ - { - "Url": "https://github.com/grpc/grpc-swift/security/advisories/GHSA-r6ww-5963-7r95" - }, - { - "Url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24777" - }, - { - "Url": "https://github.com/grpc/grpc-swift/commit/858f977f2a51fca2292f384cf7a108dc2e73a3bd" - }, - { - "Url": "https://github.com/advisories/GHSA-r6ww-5963-7r95" - } - ], - "Identifiers": [ - { - "Type": "GHSA", - "Value": "GHSA-r6ww-5963-7r95" - }, - { - "Type": "CVE", - "Value": "CVE-2022-24777" - } - ], - "Description": "A grpc-swift server is vulnerable to a denial of service attack via a reachable assertion. This was due to incorrect logic when handling `GOAWAY` frames.\n\nThe attack is low-effort: it takes very little resources to construct and send the required sequence of frames. The impact on availability is high as the server will crash, dropping all in flight connections and requests.\n\nThe issue was discovered by automated fuzz testing and is resolved by fixing the relevant state handling code.", - "Origin": "UNSPECIFIED", - "PublishedAt": "2023-06-09T19:33:16Z", - "Severity": "HIGH", - "Summary": "Denial of Service via reachable assertion", - "UpdatedAt": "2023-06-19T16:45:07Z", - "WithdrawnAt": "", - "CVSS": { - "Score": 7.5, - "VectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - } - }, - "Versions": [ - { - "FirstPatchedVersion": { - "Identifier": "1.7.2" - }, - "VulnerableVersionRange": "\u003c 1.7.2" - } - ] -} \ No newline at end of file diff --git a/ghsa/types.go b/ghsa/types.go deleted file mode 100644 index 19c4df50..00000000 --- a/ghsa/types.go +++ /dev/null 
@@ -1,81 +0,0 @@
-package ghsa
-
-import githubql "github.com/shurcooL/githubv4"
-
-type GetVulnerabilitiesQuery struct {
- SecurityVulnerabilities `graphql:"securityVulnerabilities(ecosystem: $ecosystem, first: $total, after: $cursor)"`
-}
-
-type SecurityVulnerabilities struct {
- Nodes []GithubSecurityAdvisory
- PageInfo PageInfo
-}
-type PageInfo struct {
- EndCursor githubql.String
- HasNextPage bool
-}
-
-type GithubSecurityAdvisory struct {
- Severity string
- UpdatedAt string
- Package Package
- Advisory Advisory
- FirstPatchedVersion FirstPatchedVersion
- VulnerableVersionRange string
-}
-
-type GithubCVSS struct {
- Score float32
- VectorString string
-}
-
-type GitHubClient struct {
- ApiKey string
-}
-
-type Package struct {
- Ecosystem string
- Name string
-}
-
-type Advisory struct {
- DatabaseId int
- Id string
- GhsaId string
- References []Reference
- Identifiers []Identifier
- Description string
- Origin string
- PublishedAt string
- Severity string
- Summary string
- UpdatedAt string
- WithdrawnAt string
- CVSS GithubCVSS
-}
-
-type Identifier struct {
- Type string
- Value string
-}
-
-type Reference struct {
- Url string
-}
-
-type FirstPatchedVersion struct {
- Identifier string
-}
-
-type Version struct {
- FirstPatchedVersion FirstPatchedVersion
- VulnerableVersionRange string
-}
-
-type GithubSecurityAdvisoryJson struct {
- Severity string
- UpdatedAt string
- Package Package
- Advisory Advisory
- Versions []Version
-}
diff --git a/main.go b/main.go
index 9e8be68b..67bb4371 100644
--- a/main.go
+++ b/main.go
@@ -1,13 +1,9 @@
 package main
 import (
- "context"
 "flag"
 "log"
- "os"
- githubql "github.com/shurcooL/githubv4"
- "golang.org/x/oauth2"
 "golang.org/x/xerrors"
 "github.com/aquasecurity/vuln-list-update/alma"
@@ -18,7 +14,6 @@ import (
 "github.com/aquasecurity/vuln-list-update/chainguard"
 "github.com/aquasecurity/vuln-list-update/cwe"
 "github.com/aquasecurity/vuln-list-update/debian/tracker"
- "github.com/aquasecurity/vuln-list-update/ghsa"
 "github.com/aquasecurity/vuln-list-update/glad"
 "github.com/aquasecurity/vuln-list-update/k8s"
 "github.com/aquasecurity/vuln-list-update/kevc"
@@ -38,7 +33,7 @@ import (
 var (
 target = flag.String("target", "", "update target (nvd, alpine, alpine-unfixed, redhat, redhat-oval, "+
- "debian, ubuntu, amazon, oracle-oval, suse-cvrf, photon, arch-linux, ghsa, glad, cwe, osv, mariner, kevc, wolfi, chainguard, k8s)")
+ "debian, ubuntu, amazon, oracle-oval, suse-cvrf, photon, arch-linux, glad, cwe, osv, mariner, kevc, wolfi, chainguard, k8s)")
 vulnListDir = flag.String("vuln-list-dir", "", "vuln-list dir")
 targetUri = flag.String("target-uri", "", "alternative repository URI (only glad)")
 targetBranch = flag.String("target-branch", "", "alternative repository branch (only glad)")
@@ -111,16 +106,6 @@ func run() error {
 if err := pc.Update(); err != nil {
 return xerrors.Errorf("Photon update error: %w", err)
 }
- case "ghsa":
- src := oauth2.StaticTokenSource(
- &oauth2.Token{AccessToken: os.Getenv("GITHUB_TOKEN")},
- )
- httpClient := oauth2.NewClient(context.Background(), src)
-
- gc := ghsa.NewConfig(githubql.NewClient(httpClient))
- if err := gc.Update(); err != nil {
- return xerrors.Errorf("GitHub Security Advisory update error: %w", err)
- }
 case "glad":
 gu := glad.NewUpdater(*targetUri, *targetBranch)
 if err := gu.Update(); err != nil {