cmd/vulnreport: double-check priority after create and in presubmit

The algorithm that determines priority for a report
relies on the affected modules. Sometimes not all affected
modules are known at the outset (e.g., because they are
fixed during report creation).

Ensure that we don't accidentally create UNREVIEWED reports
which are high priority by re-checking the priority of a report
after creating it. As an extra safeguard, also do this check in
the TestLintReports function which acts as a presubmit check.

This involves some refactoring of the priority algorithm. The only
change to the fundamental behavior is that an override list
now exists, where we can add modules that should always have a
certain priority regardless of what the priority algorithm would
say.

Also, the xref command now addionally prints out the priority decision
for a report.

Change-Id: Ia3301022678d7392fb3deb059f9a248dcb153ecc
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/598415
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Damien Neil <[email protected]>

Author: tatianab

all_test.go

@@ -8,6 +8,7 @@
 package main
 
 import (
+	"context"
 	"errors"
 	"os"
 	"os/exec"
@@ -20,7 +21,9 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
+	"golang.org/x/vulndb/cmd/vulnreport/priority"
 	"golang.org/x/vulndb/internal/cve5"
+	"golang.org/x/vulndb/internal/gitrepo"
 	"golang.org/x/vulndb/internal/osvutils"
 	"golang.org/x/vulndb/internal/proxy"
 	"golang.org/x/vulndb/internal/report"
@@ -87,8 +90,19 @@ func TestLintReports(t *testing.T) {
 		}
 	}
 
-	// Map from aliases (CVEs/GHSAS) to report paths, used to check for duplicate aliases.
-	aliases := make(map[string]string)
+	vulndb, err := gitrepo.Open(context.Background(), ".")
+	if err != nil {
+		t.Fatal(err)
+	}
+	rc, err := report.NewClient(vulndb)
+	if err != nil {
+		t.Fatal(err)
+	}
+	modulesToImports, err := priority.LoadModuleMap()
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	// Map from summaries to report paths, used to check for duplicate summaries.
 	summaries := make(map[string]string)
 	sort.Strings(reports)
@@ -107,14 +121,14 @@ func TestLintReports(t *testing.T) {
 			}
 			duplicates := make(map[string][]string)
 			for _, alias := range r.Aliases() {
-				if report, ok := aliases[alias]; ok {
-					duplicates[report] = append(duplicates[report], alias)
-				} else {
-					aliases[alias] = filename
+				for _, r2 := range rc.ReportsByAlias(alias) {
+					if r2.ID != r.ID {
+						duplicates[r2.ID] = append(duplicates[r2.ID], alias)
+					}
 				}
 			}
-			for report, aliases := range duplicates {
-				t.Errorf("report %s shares duplicate alias(es) %s with report %s", filename, aliases, report)
+			for r2, aliases := range duplicates {
+				t.Errorf("report %s shares duplicate alias(es) %s with report %s", filename, aliases, r2)
 			}
 			// Ensure that each reviewed report has a unique summary.
 			if r.IsReviewed() {
@@ -126,6 +140,16 @@ func TestLintReports(t *testing.T) {
 					}
 				}
 			}
+			// Ensure that no unreviewed reports are high priority.
+			// This can happen because the initial quick triage algorithm
+			// doesn't know about all affected modules - just the one
+			// listed in the Github issue.
+			if r.IsUnreviewed() {
+				pr, _ := priority.AnalyzeReport(r, rc, modulesToImports)
+				if pr.Priority == priority.High {
+					t.Errorf("UNREVIEWED report %s is high priority (should be REVIEWED) - reason: %s", filename, pr.Reason)
+				}
+			}
 			// Check that a correct OSV file was generated for each YAML report.
 			if r.Excluded == "" {
 				generated, err := r.ToOSV(time.Time{})

cmd/vulnreport/creator.go

@@ -13,6 +13,7 @@ import (
 
 	"golang.org/x/exp/slices"
 	"golang.org/x/vulndb/cmd/vulnreport/log"
+	"golang.org/x/vulndb/cmd/vulnreport/priority"
 	"golang.org/x/vulndb/internal/idstr"
 	"golang.org/x/vulndb/internal/issues"
 	"golang.org/x/vulndb/internal/osv"
@@ -159,20 +160,23 @@ func (c *creator) metaToSource(ctx context.Context, meta *reportMeta) report.Sou
 	return report.Original()
 }
 
-func (c *creator) reportFromMeta(ctx context.Context, meta *reportMeta) (*yamlReport, error) {
-	// Find the underlying module if the "module" provided is actually a package path.
-	if module, err := c.pc.FindModule(meta.modulePath); err == nil { // no error
-		meta.modulePath = module
-	}
-	meta.aliases = c.allAliases(ctx, meta.aliases)
-
-	raw := report.New(c.metaToSource(ctx, meta), c.pc,
+func (c *creator) rawReport(ctx context.Context, meta *reportMeta) *report.Report {
+	return report.New(c.metaToSource(ctx, meta), c.pc,
 		report.WithGoID(meta.id),
 		report.WithModulePath(meta.modulePath),
 		report.WithAliases(meta.aliases),
 		report.WithReviewStatus(meta.reviewStatus),
 		report.WithUnexcluded(meta.unexcluded),
 	)
+}
+
+func (c *creator) reportFromMeta(ctx context.Context, meta *reportMeta) (*yamlReport, error) {
+	// Find the underlying module if the "module" provided is actually a package path.
+	if module, err := c.pc.FindModule(meta.modulePath); err == nil { // no error
+		meta.modulePath = module
+	}
+	meta.aliases = c.allAliases(ctx, meta.aliases)
+	raw := c.rawReport(ctx, meta)
 
 	if meta.excluded != "" {
 		raw = &report.Report{
@@ -188,6 +192,18 @@ func (c *creator) reportFromMeta(ctx context.Context, meta *reportMeta) (*yamlRe
 		}
 	}
 
+	// The initial quick triage algorithm doesn't know about all
+	// affected modules, so double check the priority after the
+	// report is created.
+	if raw.IsUnreviewed() {
+		pr, _ := c.reportPriority(raw)
+		if pr.Priority == priority.High {
+			log.Warnf("%s: re-generating; vuln is high priority and should be REVIEWED; reason: %s", raw.ID, pr.Reason)
+			meta.reviewStatus = report.Reviewed
+			raw = c.rawReport(ctx, meta)
+		}
+	}
+
 	fname, err := raw.YAMLFilename()
 	if err != nil {
 		return nil, err
@@ -221,9 +237,9 @@ func (c *creator) reportFromMeta(ctx context.Context, meta *reportMeta) (*yamlRe
 	}
 
 	switch {
-	case meta.excluded != "":
+	case raw.IsExcluded():
 		// nothing
-	case meta.reviewStatus == report.Unreviewed:
+	case raw.IsUnreviewed():
 		r.removeUnreachableRefs()
 	default:
 		// Regular, full-length reports.

cmd/vulnreport/priority/priority.go

@@ -7,15 +7,18 @@ package priority
 
 import (
 	"fmt"
+	"strings"
 
 	"golang.org/x/vulndb/internal/report"
 )
 
 type Result struct {
-	Priority    Priority
-	Reason      string
-	NotGo       bool
-	NotGoReason string
+	Priority Priority
+	Reason   string
+}
+
+type NotGoResult struct {
+	Reason string
 }
 
 type Priority int
@@ -39,30 +42,66 @@ const (
 	High
 )
 
-func Analyze(mp string, reportsForModule []*report.Report, modulesToImports map[string]int) *Result {
+// AnalyzeReport returns the results for a report as a whole:
+//   - priority is the priority of its highest-priority module
+//   - not Go if all modules are not Go
+func AnalyzeReport(r *report.Report, rc *report.Client, modulesToImports map[string]int) (*Result, *NotGoResult) {
+	var overall Priority
+	var reasons []string
+	var notGoReasons []string
+	for _, m := range r.Modules {
+		mp := m.Module
+		result, notGo := Analyze(mp, rc.ReportsByModule(mp), modulesToImports)
+		if result.Priority > overall {
+			overall = result.Priority
+		}
+		reasons = append(reasons, result.Reason)
+		if notGo != nil {
+			notGoReasons = append(notGoReasons, notGo.Reason)
+		}
+	}
+
+	result := &Result{
+		Priority: overall, Reason: strings.Join(reasons, "; "),
+	}
+
+	// If all modules are not Go, the report is not Go.
+	if len(notGoReasons) == len(r.Modules) {
+		return result, &NotGoResult{Reason: strings.Join(notGoReasons, "; ")}
+	}
+
+	return result, nil
+}
+
+func Analyze(mp string, reportsForModule []*report.Report, modulesToImports map[string]int) (*Result, *NotGoResult) {
 	sc := stateCounts(reportsForModule)
 
-	notGo, notGoReason := isPossiblyNotGo(len(reportsForModule), sc)
+	notGo := isPossiblyNotGo(len(reportsForModule), sc)
 	importers, ok := modulesToImports[mp]
 	if !ok {
 		return &Result{
-			Priority:    Unknown,
-			Reason:      fmt.Sprintf("module %s not found", mp),
-			NotGo:       notGo,
-			NotGoReason: notGoReason,
-		}
+			Priority: Unknown,
+			Reason:   fmt.Sprintf("module %s not found", mp),
+		}, notGo
 	}
 
-	priority, reason := priority(mp, importers, sc)
-	return &Result{
-		Priority:    priority,
-		Reason:      reason,
-		NotGo:       notGo,
-		NotGoReason: notGoReason,
-	}
+	return priority(mp, importers, sc), notGo
 }
 
-func priority(mp string, importers int, sc map[reportState]int) (priority Priority, reason string) {
+// override takes precedence over all other metrics in determining
+// a module's priority.
+var override map[string]Priority = map[string]Priority{
+	// argo-cd is primarily a binary and usually has correct version
+	// information without intervention.
+	"github.com/argoproj/argo-cd":    Low,
+	"github.com/argoproj/argo-cd/v2": Low,
+}
+
+func priority(mp string, importers int, sc map[reportState]int) *Result {
+	if pr, ok := override[mp]; ok {
+		return &Result{pr, fmt.Sprintf("%s is in the override list (priority=%s)", mp, pr)}
+	}
+
 	const highPriority = 100
 	importersStr := func(comp string) string {
 		return fmt.Sprintf("%s has %d importers (%s %d)", mp, importers, comp, highPriority)
@@ -77,22 +116,24 @@ func priority(mp string, importers int, sc map[reportState]int) (priority Priori
 		}
 
 		if rev > binary {
-			return High, getReason("and more", "than")
+			return &Result{High, getReason("and more", "than")}
 		} else if rev == binary {
-			return High, getReason("and as many", "as")
+			return &Result{High, getReason("and as many", "as")}
 		}
 
-		return Low, getReason("but fewer", "than")
+		return &Result{Low, getReason("but fewer", "than")}
 	}
 
-	return Low, importersStr("<")
+	return &Result{Low, importersStr("<")}
 }
 
-func isPossiblyNotGo(numReports int, sc map[reportState]int) (bool, string) {
+func isPossiblyNotGo(numReports int, sc map[reportState]int) *NotGoResult {
 	if (float32(sc[excludedNotGo])/float32(numReports))*100 > 20 {
-		return true, fmt.Sprintf("more than 20 percent of reports (%d of %d) with this module are NOT_GO_CODE", sc[excludedNotGo], numReports)
+		return &NotGoResult{
+			Reason: fmt.Sprintf("more than 20 percent of reports (%d of %d) with this module are NOT_GO_CODE", sc[excludedNotGo], numReports),
+		}
 	}
-	return false, ""
+	return nil
 }
 
 type reportState int

cmd/vulnreport/priority/priority/main.go

@@ -38,10 +38,10 @@ func main() {
 	}
 
 	for _, arg := range args {
-		pr := priority.Analyze(arg, rc.ReportsByModule(arg), ms)
+		pr, notGo := priority.Analyze(arg, rc.ReportsByModule(arg), ms)
 		vlog.Outf("%s:\npriority = %s\n%s", arg, pr.Priority, pr.Reason)
-		if pr.NotGo {
-			vlog.Outf("%s is likely not Go because %s", arg, pr.NotGoReason)
+		if notGo != nil {
+			vlog.Outf("%s is likely not Go because %s", arg, notGo.Reason)
 		}
 	}
 }

cmd/vulnreport/priority/priority_test.go

@@ -56,6 +56,7 @@ func TestAnalyze(t *testing.T) {
 		reportsForModule []*report.Report
 		modulesToImports map[string]int
 		want             *Result
+		wantNotGo        *NotGoResult
 	}{
 		{
 			name:             "unknown priority",
@@ -130,18 +131,22 @@ func TestAnalyze(t *testing.T) {
 			reportsForModule: []*report.Report{notGo1, reviewed1, binary1, unreviewed1},
 			modulesToImports: map[string]int{"example.com/module": 99},
 			want: &Result{
-				Priority:    Low,
-				Reason:      "example.com/module has 99 importers (< 100)",
-				NotGo:       true,
-				NotGoReason: "more than 20 percent of reports (1 of 4) with this module are NOT_GO_CODE",
+				Priority: Low,
+				Reason:   "example.com/module has 99 importers (< 100)",
+			},
+			wantNotGo: &NotGoResult{
+				Reason: "more than 20 percent of reports (1 of 4) with this module are NOT_GO_CODE",
 			},
 		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
-			got := Analyze(tc.module, tc.reportsForModule, tc.modulesToImports)
+			got, gotNotGo := Analyze(tc.module, tc.reportsForModule, tc.modulesToImports)
 			want := tc.want
 			if diff := cmp.Diff(want, got); diff != "" {
-				t.Errorf("mismatch (-want, +got):\n%s", diff)
+				t.Errorf("result mismatch (-want, +got):\n%s", diff)
+			}
+			if diff := cmp.Diff(tc.wantNotGo, gotNotGo); diff != "" {
+				t.Errorf("not go mismatch (-want, +got):\n%s", diff)
 			}
 		})
 	}

cmd/vulnreport/testdata/TestXref/found_xrefs.txtar

@@ -6,8 +6,10 @@ Expected output of test TestXref/found_xrefs
 command: "vulnreport xref 4"
 
 -- out --
-xrefs for data/reports/GO-9999-0004.yaml:
+data/reports/GO-9999-0004.yaml: found xrefs:
 Module golang.org/x/tools appears in data/reports/GO-9999-0005.yaml
+GO-9999-0004 priority is low
+ - golang.org/x/tools has 50 importers (< 100)
 -- logs --
 info: xref: operating on 1 report(s)
 info: xref data/reports/GO-9999-0004.yaml

cmd/vulnreport/testdata/TestXref/no_xrefs.txtar

@@ -6,9 +6,10 @@ Expected output of test TestXref/no_xrefs
 command: "vulnreport xref 1"
 
 -- out --
-xrefs for data/reports/GO-9999-0001.yaml:
-Module golang.org/x/vulndb appears in data/excluded/GO-9999-0002.yaml  EFFECTIVELY_PRIVATE
+GO-9999-0001 priority is unknown
+ - module golang.org/x/vulndb not found
 -- logs --
 info: xref: operating on 1 report(s)
 info: xref data/reports/GO-9999-0001.yaml
+info: data/reports/GO-9999-0001.yaml: no xrefs found
 info: xref: processed 1 report(s) (success=1; skip=0; error=0)

cmd/vulnreport/testdata/repo.txtar

@@ -30,7 +30,7 @@ review_status: REVIEWED
 -- data/excluded/GO-9999-0002.yaml --
 id: GO-9999-0002
 modules:
-  - module: golang.org/x/vulndb
+  - module: golang.org/x/exp
 cve_metadata:
     id: CVE-9999-0002
 excluded: EFFECTIVELY_PRIVATE