Let some people know they can try out newer versions, if we know they aren't bad! #225
Conversation
| // // fix vulnerability: CVE-2020-15114 in etcd v3.3.13+incompatible | ||
| // replace github.com/coreos/etcd => github.com/coreos/etcd v3.3.24+incompatible |
There was a problem hiding this comment.
I have these commented out for easy local testing of vulnerable dependencies
| // // fix vulnerability: CVE-2021-3121 in github.com/gogo/protobuf v1.2.1 | ||
| // replace github.com/gogo/protobuf => github.com/gogo/protobuf v1.3.2 |
There was a problem hiding this comment.
I have these commented out for easy local testing of vulnerable dependencies
|
|
||
| for _, c := range coordinates { | ||
| c.ExcludeVulnerabilities(exclusions) | ||
| if exclusions == nil { |
There was a problem hiding this comment.
I moved this further up because it seemed odd it would make this AFTER we try using exclusions?
There was a problem hiding this comment.
so the only reason it was down there was b/c if you log it it would not work correctly i believe. So if you passed in nil we wanted it to present to the user as []. Its used in the ExcludeVulnerabilites but range over nil is noop ¯_(ツ)_/¯
So really we only do it for presentation. If we can find a better way im cool with it. But moving it up or down doesn't mean much just has to be before the log statement at line 46 hits.
| func splitPackages(entries []types.Coordinate) (nonVulnerable []types.Coordinate, vulnerable []types.Coordinate) { | ||
| for _, v := range entries { | ||
| if v.IsVulnerable() { | ||
| vulnerable = append(vulnerable, v) | ||
| } else { | ||
| nonVulnerable = append(nonVulnerable, v) | ||
| } | ||
| } | ||
| return | ||
| } |
There was a problem hiding this comment.
This wasn't even being used, or rather it was, but we already had two lists of data. I removed it because LOL
There was a problem hiding this comment.
Seems mostly sane to me. Project=Dep and Coordinate stuff gets confusing, but I don't see a clearer path. "Naming" (pronounce like Seinfeld "Newman").
For later discussion (version 2?): When we find a "clean" newer version, is a "replace" directive the best solution to suggest? If we could determine if the dependency is non-transitive (is direct - not indirect), then maybe suggesting a go get -u mydep@v command is better? Probably a lot more trouble, but wanted to ask. In my mind, the problem with adding replace directives is they are a form of technical debt - ideally, you always prefer upgrading to new versions of deps instead. With replace directives, you need to go back "someday" and determine if the directive can be removed in favor of a newer dependency version.
| @@ -76,19 +77,19 @@ func logInvalidSemVerWarning(sb *strings.Builder, noColor bool, quiet bool, inva | |||
| } | |||
| } | |||
|
|
|||
| func logVulnerablePackage(sb *strings.Builder, noColor bool, coordinate types.Coordinate) { | |||
| func logVulnerablePackage(sb *strings.Builder, noColor bool, coordinate types.Projects) { | |||
There was a problem hiding this comment.
I was struggling with the change to types.Projects. Made more sense once I saw how the term is used in the dep code, e.g.: dep.Project - oh yeah, a coordinate really refers to a given "project" that we depend on...Oh the joys of Naming.
There was a problem hiding this comment.
Yeah I'm not attached to this name TBH. The changes in this PR would merit a new major version of Nancy, so if we want to clean up some naming, let's do it!
| if err != nil { | ||
| return | ||
| } | ||
|
|
||
| // Wittle down list of audited to vulnerable stuff, so we can work faster |
There was a problem hiding this comment.
WOOD YOU GIVE ME A BREAK!?!
Co-authored-by: gmohre <[email protected]>
I absolutely agree with you. What I was THINKING is we can parse What do you think about changing |
Yes, I think that change might ease the cognitive load. |
| buildVersion := entry.Data["version"].(string) | ||
| numVulnerable := len(vulnerableEntries.(map[string]interface{})) | ||
| numPackages := len(auditedEntries) | ||
|
|
||
| var summaryHeader = []string{"Audited Count", "Vulnerable Count", "Build Version"} | ||
| var invalidHeader = []string{"Count", "Package", "Reason"} | ||
| var auditedHeader = []string{"Count", "Package", "Is Vulnerable", "Num Vulnerabilities", "Vulnerabilities"} |
There was a problem hiding this comment.
Should we also maybe add these "can be updated" packages to the csv output too?? Maybe a column of "Latest non-vulnerable version" or something like that??
| version = strings.Replace(version, "v", "", -1) | ||
| version = strings.Replace(version, "+incompatible", "", -1) |
There was a problem hiding this comment.
Do we need to strip more here?? +meta, -pre, etc etc.
There was a problem hiding this comment.
I THINK I stripped that version part out for OSS Index, IIRC. I'd have to look further into it.
|
Kudos, SonarCloud Quality Gate passed!
|
It dawned on me that because
go list -m -json -u alllet's us know the newest version of something, we can run that version past OSS Index and see if it's vulnerable or not. If it's not, let's suggest someone update to it!This pull request makes the following changes:
Of note, this is slower, but it's because
go list -m -json -u allis making requests to I assumepkg.go.devto see what the newest version of a package isTODO:
deporgo mod, so we can give them the right instructions on how to fix thingsgo get -ucommand to users if the dependency is in thego.modfile, and then thereplaceif the dependency is not in their go.mod file?This builds the path towards a
nancy solvecommand where we can go ok, you want us to take care of this? We will give it a shot! That command can work with bothossindexandiq, because we should get similar data from IQ, knowing what the recommended version of something is.cc @bhamail / @DarthHater