internal/worker: prevent duplicates for GHSAs

This is a quick fix to prevent the worker from filing issues for
duplicate GHSAs. The check for duplicates should eventually be moved to
the triage stage.

For golang/go#54049

Change-Id: I902c64f032fc66c15b7fe62787ecb0520e446216
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/461237
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
Run-TryBot: Tatiana Bradley <[email protected]>

Author: tatianab

internal/worker/worker.go

@@ -365,6 +365,24 @@ func createGHSAIssues(ctx context.Context, st store.Store, client *issues.Client
 		if limit > 0 && numCreated >= limit {
 			break
 		}
+		// TODO(https://github.com/golang/go/issues/54049): Move this
+		// check to the triage step of the worker.
+		if isDuplicate(ctx, gr.GHSA, allReports) {
+			// Update the GHSARecord in the DB to reflect that the GHSA
+			// already has an advisory.
+			if err = st.RunTransaction(ctx, func(ctx context.Context, tx store.Transaction) error {
+				r, err := tx.GetGHSARecord(gr.GetID())
+				if err != nil {
+					return err
+				}
+				r.TriageState = store.TriageStateHasVuln
+				return tx.SetGHSARecord(r)
+			}); err != nil {
+				return err
+			}
+			// Do not create an issue.
+			continue
+		}
 		ref, err := createIssue(ctx, gr, client, allReports)
 		if err != nil {
 			return err
@@ -389,6 +407,16 @@ func createGHSAIssues(ctx context.Context, st store.Store, client *issues.Client
 	return nil
 }
 
+func isDuplicate(ctx context.Context, sa *ghsa.SecurityAdvisory, allReports map[string]*report.Report) bool {
+	r := report.GHSAToReport(sa, "")
+	for _, aliases := range report.XRef(r, allReports) {
+		if slices.Contains(aliases, sa.ID) {
+			return true
+		}
+	}
+	return false
+}
+
 func CreateGHSABody(sa *ghsa.SecurityAdvisory, allReports map[string]*report.Report) (body string, err error) {
 	r := report.GHSAToReport(sa, "")
 	rs, err := r.ToString()

internal/worker/worker_test.go

@@ -175,10 +175,20 @@ func TestCreateIssues(t *testing.T) {
 			},
 			TriageState: store.TriageStateAlias,
 		},
+		{
+			GHSA: &ghsa.SecurityAdvisory{
+				ID:          "g5",
+				Vulns:       []*ghsa.Vuln{{Package: "p1"}},
+				Identifiers: []ghsa.Identifier{{Type: "GHSA", Value: "g5"}},
+			},
+			TriageState: store.TriageStateNeedsIssue,
+		},
 	}
 	createGHSARecords(t, mstore, grs)
 
-	if err := CreateIssues(ctx, mstore, ic, map[string]*report.Report{}, 0); err != nil {
+	// Add an existing report with GHSA "g5".
+	allReports := map[string]*report.Report{"data/reports/GO-1999-0001": {GHSAs: []string{"g5"}}}
+	if err := CreateIssues(ctx, mstore, ic, allReports, 0); err != nil {
 		t.Fatal(err)
 	}
 
@@ -209,6 +219,9 @@ func TestCreateIssues(t *testing.T) {
 	wantGHSARecs[0].TriageState = store.TriageStateIssueCreated
 	wantGHSARecs[0].IssueReference = "https://github.com/test-owner/test-repo/issues/1"
 
+	// A report already exists for GHSA "g5".
+	wantGHSARecs[4].TriageState = store.TriageStateHasVuln
+
 	gotGHSARecs := getGHSARecordsSorted(t, mstore)
 	fmt.Printf("%+v\n", gotGHSARecs[0])
 	if diff := cmp.Diff(wantGHSARecs, gotGHSARecs,