internal/openvex: add statements to handler

Maceo Thompson · Maceo Thompson · commit 745db65f3506 · 2024-06-03T16:25:36.000Z
Change-Id: I1b1b7c9dff24fab589d83c38f1dd0dab4f5322d6 Reviewed-on: https://go-review.googlesource.com/c/vuln/+/575859 Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vex.ct b/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vex.ct
@@ -7,5 +7,98 @@ $ govulncheck -format openvex -mode binary ${common_vuln_binary}
   "author": "Unknown Author",
   "timestamp": "2024-01-01T00:00:00",
   "version": 1,
-  "tooling": "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck"
+  "tooling": "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck",
+  "statements": [
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2020-0015",
+        "name": "GO-2020-0015",
+        "description": "Infinite loop when decoding some inputs in golang.org/x/text",
+        "aliases": [
+          "CVE-2020-14040",
+          "GHSA-5rcv-m4m3-hfh7"
+        ]
+      },
+      "products": [
+        {
+          "@id": "Unknown Product"
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2021-0054",
+        "name": "GO-2021-0054",
+        "description": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
+        "aliases": [
+          "CVE-2020-36067",
+          "GHSA-p64j-r5f4-pwwx"
+        ]
+      },
+      "products": [
+        {
+          "@id": "Unknown Product"
+        }
+      ],
+      "status": "affected"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2021-0059",
+        "name": "GO-2021-0059",
+        "description": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
+        "aliases": [
+          "CVE-2020-35380",
+          "GHSA-w942-gw6m-p62c"
+        ]
+      },
+      "products": [
+        {
+          "@id": "Unknown Product"
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2021-0113",
+        "name": "GO-2021-0113",
+        "description": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
+        "aliases": [
+          "CVE-2021-38561",
+          "GHSA-ppp9-7jff-5vj2"
+        ]
+      },
+      "products": [
+        {
+          "@id": "Unknown Product"
+        }
+      ],
+      "status": "affected"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2021-0265",
+        "name": "GO-2021-0265",
+        "description": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.",
+        "aliases": [
+          "CVE-2021-42248",
+          "CVE-2021-42836",
+          "GHSA-c9gm-7rfj-8w5h",
+          "GHSA-ppj4-34rq-v8j9"
+        ]
+      },
+      "products": [
+        {
+          "@id": "Unknown Product"
+        }
+      ],
+      "status": "affected"
+    }
+  ]
 }
diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_vex.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_vex.ct
@@ -7,5 +7,98 @@ $ govulncheck -C ${moddir}/vuln -format openvex ./...
   "author": "Unknown Author",
   "timestamp": "2024-01-01T00:00:00",
   "version": 1,
-  "tooling": "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck"
+  "tooling": "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck",
+  "statements": [
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2020-0015",
+        "name": "GO-2020-0015",
+        "description": "Infinite loop when decoding some inputs in golang.org/x/text",
+        "aliases": [
+          "CVE-2020-14040",
+          "GHSA-5rcv-m4m3-hfh7"
+        ]
+      },
+      "products": [
+        {
+          "@id": "Unknown Product"
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2021-0054",
+        "name": "GO-2021-0054",
+        "description": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
+        "aliases": [
+          "CVE-2020-36067",
+          "GHSA-p64j-r5f4-pwwx"
+        ]
+      },
+      "products": [
+        {
+          "@id": "Unknown Product"
+        }
+      ],
+      "status": "affected"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2021-0059",
+        "name": "GO-2021-0059",
+        "description": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
+        "aliases": [
+          "CVE-2020-35380",
+          "GHSA-w942-gw6m-p62c"
+        ]
+      },
+      "products": [
+        {
+          "@id": "Unknown Product"
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2021-0113",
+        "name": "GO-2021-0113",
+        "description": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
+        "aliases": [
+          "CVE-2021-38561",
+          "GHSA-ppp9-7jff-5vj2"
+        ]
+      },
+      "products": [
+        {
+          "@id": "Unknown Product"
+        }
+      ],
+      "status": "affected"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2021-0265",
+        "name": "GO-2021-0265",
+        "description": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.",
+        "aliases": [
+          "CVE-2021-42248",
+          "CVE-2021-42836",
+          "GHSA-c9gm-7rfj-8w5h",
+          "GHSA-ppj4-34rq-v8j9"
+        ]
+      },
+      "products": [
+        {
+          "@id": "Unknown Product"
+        }
+      ],
+      "status": "affected"
+    }
+  ]
 }
diff --git a/internal/openvex/handler.go b/internal/openvex/handler.go
@@ -6,7 +6,9 @@ package openvex
 
 import (
 	"encoding/json"
+	"fmt"
 	"io"
+	"slices"
 	"time"
 
 	"golang.org/x/vuln/internal/govulncheck"
@@ -75,7 +77,7 @@ func (h *handler) Finding(f *govulncheck.Finding) error {
 // Flush is used to print the vex json to w.
 // This is needed as vex is not streamed.
 func (h *handler) Flush() error {
-	doc := toVex()
+	doc := toVex(h)
 	out, err := json.MarshalIndent(doc, "", "  ")
 	if err != nil {
 		return err
@@ -84,15 +86,77 @@ func (h *handler) Flush() error {
 	return err
 }
 
-func toVex() Document {
+func toVex(h *handler) Document {
 	doc := Document{
-		ID:        "govulncheckVEX", // TODO: create hash from document for ID
-		Context:   ContextURI,
-		Author:    DefaultAuthor,
-		Timestamp: time.Now().UTC(),
-		Version:   1,
-		Tooling:   Tooling,
-		//TODO: Add statements
+		ID:         "govulncheckVEX", // TODO: create hash from document for ID
+		Context:    ContextURI,
+		Author:     DefaultAuthor,
+		Timestamp:  time.Now().UTC(),
+		Version:    1,
+		Tooling:    Tooling,
+		Statements: statements(h),
 	}
 	return doc
 }
+
+// statements combines all OSVs found by govulncheck and generates the list of
+// vex statements with the proper affected level and justification to match the
+// openVex specification.
+func statements(h *handler) []Statement {
+	var scanLevel findingLevel
+	switch h.cfg.ScanLevel {
+	case govulncheck.ScanLevelModule:
+		scanLevel = required
+	case govulncheck.ScanLevelPackage:
+		scanLevel = imported
+	case govulncheck.ScanLevelSymbol:
+		scanLevel = called
+	}
+
+	var statements []Statement
+	for id, osv := range h.osvs {
+		description := osv.Summary
+		if description == "" {
+			description = osv.Details
+		}
+		s := Statement{
+			Vulnerability: Vulnerability{
+				ID:          fmt.Sprintf("https://pkg.go.dev/vuln/%s", id),
+				Name:        id,
+				Description: description,
+				Aliases:     osv.Aliases,
+			},
+			Products: []Product{
+				{
+					ID: DefaultPID,
+				},
+			},
+		}
+
+		if h.levels[id] >= scanLevel {
+			s.Status = StatusAffected
+		} else {
+			s.Status = StatusNotAffected
+			s.ImpactStatement = Impact
+			s.Justification = JustificationNotPresent
+			// We only reach this case if running in symbol mode
+			if h.levels[id] == imported {
+				s.Justification = JustificationNotExecuted
+			}
+		}
+		statements = append(statements, s)
+	}
+
+	slices.SortFunc(statements, func(a, b Statement) int {
+		if a.Vulnerability.ID > b.Vulnerability.ID {
+			return 1
+		}
+		if a.Vulnerability.ID < b.Vulnerability.ID {
+			return -1
+		}
+		// this should never happen in practice, since statements are being
+		// populated from a map with the vulnerability IDs as keys
+		return 0
+	})
+	return statements
+}
