feat: reimplement the exporter in Go (google#4197)

More database migration!
Reimplement the exporter in Go, reading from the GCS proto files instead
of from the datastore Bugs.
I've made the whole thing more parallel and all in-memory, which should
be a pretty decent performance improvement.

Testing is currently missing - we need a way to mock the GCS buckets.

Author: michaelkedar

README.md

@@ -45,7 +45,8 @@ consists of:
 | `gcp/functions` | The Cloud Function for publishing PyPI vulnerabilities (maintained, but not developed) |
 | `gcp/indexer`   | The determine version `indexer` |
 | `gcp/website`   | The backend of the osv.dev web interface, with the frontend in `frontend3` <br /> Blog posts (in `blog`) |
-| `gcp/workers/`  | Workers for bisection and impact analysis (`worker`, `importer`, `exporter`, `alias`) <br /> `cron/` jobs for database backups and processing oss-fuzz records |
+| `gcp/workers/`  | Workers for bisection and impact analysis (`worker`, `importer`, `alias`) <br /> `cron/` jobs for database backups and processing oss-fuzz records |
+| `go/`           | Go module for shared libraries and commands (`cmd/exporter`, `cmd/recordchecker`) |
 | `osv/`          | The core OSV Python library, used in basically all Python services <br /> OSV ecosystem package versioning helpers in `ecosystems/` <br /> Datastore model definitions in `models.py` |
 | `tools/`        | Misc scripts/tools, mostly intended for development (datastore stuff, linting) <br /> The `indexer-api-caller` for indexer calling |
 | `vulnfeeds/`    | Go module for (mostly) the NVD CVE conversion <br /> The Alpine feed converter (`cmd/alpine`) <br /> The Debian feed converter (`tools/debian`, which is written in Python) |

deployment/build-and-stage.yaml

@@ -62,7 +62,7 @@ steps:
   args: ['push', '--all-tags', 'gcr.io/oss-vdb/worker-base']
   waitFor: ['build-worker-base', 'cloud-build-queue']
 
-# Build/push core worker/importer/exporter/alias images.
+# Build/push core worker/importer/alias images.
 - name: gcr.io/cloud-builders/docker
   args: ['build', '-t', 'gcr.io/oss-vdb/worker:latest', '-t', 'gcr.io/oss-vdb/worker:$COMMIT_SHA', '-f', 'gcp/workers/worker/Dockerfile', '.']
   id: 'build-worker'
@@ -80,15 +80,6 @@ steps:
   args: ['push', '--all-tags', 'gcr.io/oss-vdb/importer']
   waitFor: ['build-importer', 'cloud-build-queue']
 
-- name: gcr.io/cloud-builders/docker
-  args: ['build', '-t', 'gcr.io/oss-vdb/exporter:latest', '-t', 'gcr.io/oss-vdb/exporter:$COMMIT_SHA', '.']
-  dir: 'gcp/workers/exporter'
-  id: 'build-exporter'
-  waitFor: ['build-worker']
-- name: gcr.io/cloud-builders/docker
-  args: ['push', '--all-tags', 'gcr.io/oss-vdb/exporter']
-  waitFor: ['build-exporter', 'cloud-build-queue']
-
 - name: gcr.io/cloud-builders/docker
   args: ['build', '-t', 'gcr.io/oss-vdb/alias-computation:latest', '-t', 'gcr.io/oss-vdb/alias-computation:$COMMIT_SHA', '.']
   dir: 'gcp/workers/alias'
@@ -107,6 +98,21 @@ steps:
   args: ['push', '--all-tags', 'gcr.io/oss-vdb/recoverer']
   waitFor: ['build-recoverer', 'cloud-build-queue']
 
+# Build/push exporter/record-checker go images
+- name: 'gcr.io/cloud-builders/docker'
+  entrypoint: 'bash'
+  args: ['-c', 'docker pull gcr.io/oss-vdb/exporter:latest || exit 0']
+  id: 'pull-exporter'
+  waitFor: ['setup']
+- name: gcr.io/cloud-builders/docker
+  args: ['build', '-t', 'gcr.io/oss-vdb/exporter:latest', '-t', 'gcr.io/oss-vdb/exporter:$COMMIT_SHA', '-f', 'cmd/exporter/Dockerfile', '--cache-from', 'gcr.io/oss-vdb/exporter:latest', '--pull', '.']
+  dir: 'go'
+  id: 'build-exporter'
+  waitFor: ['pull-exporter']
+- name: gcr.io/cloud-builders/docker
+  args: ['push', '--all-tags', 'gcr.io/oss-vdb/exporter']
+  waitFor: ['build-exporter', 'cloud-build-queue']
+
 - name: 'gcr.io/cloud-builders/docker'
   entrypoint: 'bash'
   args: ['-c', 'docker pull gcr.io/oss-vdb/record-checker:latest || exit 0']

deployment/clouddeploy/gke-workers/base/exporter.yaml

@@ -24,18 +24,11 @@ spec:
           - name: exporter
             image: exporter
             imagePullPolicy: Always
-            volumeMounts:
-              - mountPath: "/work"
-                name: "ssd"
             resources:
               requests:
                 cpu: "12"
-                memory: "48G"
+                memory: "48Gi"
               limits:
                 cpu: "24"
-                memory: "128G"
+                memory: "128Gi"
           restartPolicy: Never
-          volumes:
-            - name: "ssd"
-              emptyDir:
-                sizeLimit: 60Gi

deployment/clouddeploy/gke-workers/environments/oss-vdb-test/exporter.yaml

@@ -14,4 +14,7 @@ spec:
               value: oss-vdb-test
             args:
               # TODO(michaelkedar): single source of truth w/ terraform config
+              - "--uploadToGCS=true"
               - "--bucket=osv-test-vulnerabilities"
+              - "--osv_vulns_bucket=osv-test-vulnerabilities"
+

deployment/clouddeploy/gke-workers/environments/oss-vdb/exporter.yaml

@@ -13,4 +13,7 @@ spec:
             - name: GOOGLE_CLOUD_PROJECT
               value: oss-vdb
             args:
+              - "--uploadToGCS=true"
               - "--bucket=osv-vulnerabilities"
+              - "--osv_vulns_bucket=osv-vulnerabilities"
+

go/cmd/exporter/Dockerfile

@@ -0,0 +1,31 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM golang:1.25.3-alpine@sha256:aee43c3ccbf24fdffb7295693b6e33b21e01baec1b2a55acc351fde345e9ec34 AS build
+
+WORKDIR /src
+
+COPY ./go.mod /src/go.mod
+COPY ./go.sum /src/go.sum
+RUN go mod download && go mod verify
+
+
+COPY ./ /src/
+RUN CGO_ENABLED=0 go build -o exporter ./cmd/exporter
+
+FROM gcr.io/distroless/static-debian12@sha256:87bce11be0af225e4ca761c40babb06d6d559f5767fbf7dc3c47f0f1a466b92c
+
+COPY --from=build /src/exporter /
+
+ENTRYPOINT ["/exporter"]

go/cmd/exporter/README.md

@@ -0,0 +1,32 @@
+# OSV Exporter
+
+The exporter is responsible for creating many files in the OSV vulnerabilities bucket from the canonical protobuf vulnerability format.
+
+The generated files are:
+- `[ECOSYSTEM]/VULN-ID.json` - OSV JSON file for each vulnerability in each ecosystem
+- `[ECOSYSTEM]/all.zip` - contains each OSV JSON file for that ecosystem
+- `[ECOSYSTEM]/modified_id.csv` - contains the (modified, ID) of each vulnerability in the ecosystem directory
+- `/ecosystems.txt` - a line-separated list of each exported ecosystem
+- `/all.zip` - contains every OSV JSON file across all ecosytems
+- `/modified_id.csv` - the (modified, [ECOSYSTEM]/ID) of every vulnerability across all ecosystem directories
+- `GIT/osv_git.json` - a json array of every OSV vulnerability that has Vanir signatures.
+
+## Running locally
+
+To run the exporter locally, run the exporter from within the `go/cmd/exporter` directory, providing the GCS bucket containing the vulnerability protobufs via the `-osv_vulns_bucket` flag.
+
+```sh
+# Example
+go run . -osv_vulns_bucket osv-test-vulnerabilities -uploadToGCS=false -bucket /tmp/osv-export
+```
+
+This will write the exported files to the `/tmp/osv-export` directory.
+
+Note that running this takes quite a long time and uses a lot of memory.
+
+### Flags
+
+- `-bucket`: Output bucket or directory name. If `-uploadToGCS` is false, this is a local path; otherwise, it's a GCS bucket name.
+- `-osv_vulns_bucket`: GCS bucket to read vulnerability protobufs from. Can also be set with the `OSV_VULNERABILITIES_BUCKET` environment variable.
+- `-uploadToGCS`: If false, writes the output to a local directory specified by `-bucket` instead of a GCS bucket.
+- `-num_workers`: The total number of concurrent workers to use for downloading from GCS and writing the output.

go/cmd/exporter/downloader.go

@@ -0,0 +1,59 @@
+package main
+
+import (
+	"context"
+	"io"
+	"log/slog"
+	"sync"
+
+	"cloud.google.com/go/storage"
+	"github.com/google/osv.dev/go/logger"
+	"github.com/ossf/osv-schema/bindings/go/osvschema"
+	"google.golang.org/protobuf/proto"
+)
+
+// downloader is a worker that receives GCS object handles from inCh, downloads
+// the raw protobuf data, unmarshals it into a Vulnerability, and sends the
+// result to outCh.
+func downloader(ctx context.Context, inCh <-chan *storage.ObjectHandle, outCh chan<- *osvschema.Vulnerability, wg *sync.WaitGroup) {
+	defer wg.Done()
+	for {
+		var obj *storage.ObjectHandle
+		var ok bool
+
+		// Wait to receive an object, or be cancelled.
+		select {
+		case obj, ok = <-inCh:
+			if !ok {
+				return // Channel closed.
+			}
+		case <-ctx.Done():
+			return
+		}
+
+		// Process object.
+		r, err := obj.NewReader(ctx)
+		if err != nil {
+			logger.Error("failed to open vulnerability", slog.String("obj", obj.ObjectName()), slog.Any("err", err))
+			continue
+		}
+		data, err := io.ReadAll(r)
+		r.Close()
+		if err != nil {
+			logger.Error("failed to read vulnerability", slog.String("obj", obj.ObjectName()), slog.Any("err", err))
+			continue
+		}
+		vuln := &osvschema.Vulnerability{}
+		if err := proto.Unmarshal(data, vuln); err != nil {
+			logger.Error("failed to unmarshal vulnerability", slog.String("obj", obj.ObjectName()), slog.Any("err", err))
+			continue
+		}
+
+		// Wait to send the result, or be cancelled.
+		select {
+		case outCh <- vuln:
+		case <-ctx.Done():
+			return
+		}
+	}
+}

go/cmd/exporter/exporter.go

@@ -0,0 +1,178 @@
+// Package main runs the exporter, exporting the whole OSV database to the GCS bucket.
+// See the README.md for more details.
+package main
+
+import (
+	"context"
+	"errors"
+	"flag"
+	"log/slog"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+
+	"cloud.google.com/go/storage"
+	"github.com/google/osv.dev/go/logger"
+	"github.com/ossf/osv-schema/bindings/go/osvschema"
+	"google.golang.org/api/iterator"
+)
+
+const gcsProtoPrefix = "all/pb/"
+
+// main is the entry point for the exporter. It initializes the GCS clients,
+// sets up the worker pipeline, and starts the GCS object iteration.
+func main() {
+	logger.InitGlobalLogger()
+
+	outBucketName := flag.String("bucket", "osv-test-vulnerabilities", "Output bucket or directory name. If -local is true, this is a local path; otherwise, it's a GCS bucket name.")
+	vulnBucketName := flag.String("osv_vulns_bucket", os.Getenv("OSV_VULNERABILITIES_BUCKET"), "GCS bucket to read vulnerability protobufs from. Can also be set with the OSV_VULNERABILITIES_BUCKET environment variable.")
+	uploadToGCS := flag.Bool("uploadToGCS", false, "If false, writes the output to a local directory specified by -bucket instead of a GCS bucket.")
+	numWorkers := flag.Int("num_workers", 200, "The total number of concurrent workers to use for downloading from GCS and writing the output.")
+
+	flag.Parse()
+
+	logger.Info("exporter starting",
+		slog.String("bucket", *outBucketName),
+		slog.String("osv_vulns_bucket", *vulnBucketName),
+		slog.Bool("uploadToGCS", *uploadToGCS),
+		slog.Int("num_workers", *numWorkers))
+
+	if *vulnBucketName == "" {
+		logger.Fatal("OSV_VULNERABILITIES_BUCKET must be set")
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	cl, err := storage.NewClient(ctx)
+	if err != nil {
+		logger.Fatal("failed to create storage client", slog.Any("err", err))
+	}
+
+	vulnBucket := cl.Bucket(*vulnBucketName)
+	var outBucket *storage.BucketHandle
+	var outPrefix string
+	if *uploadToGCS {
+		outBucket = cl.Bucket(*outBucketName)
+	} else {
+		outPrefix = *outBucketName
+	}
+
+	// The exporter uses a pipeline of channels and worker pools. The data flow is as follows:
+	// 1. The main goroutine lists GCS objects and sends them to `gcsObjToDownloaderCh`.
+	// 2. A pool of `downloader` workers receive GCS objects, downloads and unmarshals them into
+	//    OSV vulnerabilities, and send them to `downloaderToRouterCh`.
+	// 3. The `ecosystemRouter` receives vulnerabilities and dispatches them. It creates a new
+	//    `ecosystemWorker` for each new ecosystem, and sends all vulnerabilities to a single
+	//    `allEcosystemWorker`.
+	// 4. The `ecosystemWorker`s and the `allEcosystemWorker` process the vulnerabilities and
+	//    generate the final files, sending the data to be written to `routerToWriteCh`.
+	// 5. A pool of `writer` workers receive the file data and write it to the output.
+	gcsObjToDownloaderCh := make(chan *storage.ObjectHandle)
+	downloaderToRouterCh := make(chan *osvschema.Vulnerability)
+	routerToWriteCh := make(chan writeMsg)
+
+	var downloaderWg sync.WaitGroup
+	for range *numWorkers / 2 {
+		downloaderWg.Add(1)
+		go downloader(ctx, gcsObjToDownloaderCh, downloaderToRouterCh, &downloaderWg)
+	}
+
+	var writerWg sync.WaitGroup
+	for range *numWorkers / 2 {
+		writerWg.Add(1)
+		go writer(ctx, cancel, routerToWriteCh, outBucket, outPrefix, &writerWg)
+	}
+	var routerWg sync.WaitGroup
+	routerWg.Add(1)
+	go ecosystemRouter(ctx, downloaderToRouterCh, routerToWriteCh, &routerWg)
+
+	it := vulnBucket.Objects(ctx, &storage.Query{Prefix: gcsProtoPrefix})
+	prevPrefix := ""
+MainLoop:
+	for {
+		attrs, err := it.Next()
+		if errors.Is(err, iterator.Done) {
+			break
+		}
+		if err != nil {
+			logger.Fatal("failed to list objects", slog.Any("err", err))
+		}
+		// Only log when we see a new ID prefix (i.e. roughly once per data source)
+		prefix := filepath.Base(attrs.Name)
+		prefix, _, _ = strings.Cut(prefix, "-")
+		if prefix != prevPrefix {
+			logger.Info("iterating vulnerabilities", slog.String("now_at", attrs.Name))
+			prevPrefix = prefix
+		}
+		select {
+		case gcsObjToDownloaderCh <- vulnBucket.Object(attrs.Name):
+		case <-ctx.Done():
+			break MainLoop
+		}
+	}
+
+	close(gcsObjToDownloaderCh)
+	downloaderWg.Wait()
+	close(downloaderToRouterCh)
+	routerWg.Wait()
+	close(routerToWriteCh)
+	writerWg.Wait()
+
+	if ctx.Err() != nil {
+		logger.Fatal("exporter cancelled")
+	}
+	logger.Info("export completed successfully")
+}
+
+// ecosystemRouter receives vulnerabilities from inCh and fans them out to the
+// appropriate ecosystemWorker. It creates workers on-demand for each new
+// ecosystem encountered. It also sends every vulnerability to the allEcosystemWorker.
+func ecosystemRouter(ctx context.Context, inCh <-chan *osvschema.Vulnerability, outCh chan<- writeMsg, wg *sync.WaitGroup) {
+	defer wg.Done()
+	logger.Info("ecosystem router starting")
+	workers := make(map[string]*ecosystemWorker)
+	var workersWg sync.WaitGroup
+	vulnCounter := 0
+
+	allEcosystemWorker := newAllEcosystemWorker(ctx, outCh, &workersWg)
+
+	for vuln := range inCh {
+		vulnCounter++
+		ecosystems := make(map[string]struct{})
+		for _, aff := range vuln.GetAffected() {
+			eco := aff.GetPackage().GetEcosystem()
+			eco, _, _ = strings.Cut(eco, ":")
+			if eco != "" {
+				ecosystems[eco] = struct{}{}
+			}
+			for _, ref := range aff.GetRanges() {
+				if ref.GetType() == osvschema.Range_GIT {
+					ecosystems["GIT"] = struct{}{}
+				}
+			}
+		}
+		if len(ecosystems) == 0 {
+			ecosystems["[EMPTY]"] = struct{}{}
+		}
+		ecoNames := make([]string, 0, len(ecosystems))
+		for eco := range ecosystems {
+			ecoNames = append(ecoNames, eco)
+			worker, ok := workers[eco]
+			if !ok {
+				worker = newEcosystemWorker(ctx, eco, outCh, &workersWg)
+				workers[eco] = worker
+			}
+			worker.inCh <- vuln
+		}
+		allEcosystemWorker.inCh <- vulnAndEcos{Vulnerability: vuln, ecosystems: ecoNames}
+	}
+
+	for _, worker := range workers {
+		worker.Finish()
+	}
+	allEcosystemWorker.Finish()
+	workersWg.Wait()
+	logger.Info("ecosystem router finished, all vulnerabilities dispatched", slog.Int("total_vulnerabilities", vulnCounter))
+}