internal/ghsa: refactor client

Instead of initializing a new client in every function call, move the
functions in internal/ghsa to methods on a client.

This will make it easier to add unit tests in a follow up CL.

Change-Id: Ifdd7ee04e884822a94d489d4f6fde3035441f152
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/458202
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
Run-TryBot: Julie Qiu <[email protected]>
Reviewed-by: Julie Qiu <[email protected]>

Author: julieqiu

cmd/issue/main.go

@@ -51,11 +51,12 @@ func main() {
 		log.Fatal(err)
 	}
 	c := issues.NewClient(&issues.Config{Owner: owner, Repo: repoName, Token: *githubToken})
+	ghsaClient := ghsa.NewClient(ctx, *githubToken)
 	switch cmd {
 	case "triage":
-		err = createIssueToTriage(ctx, c, *githubToken, filename)
+		err = createIssueToTriage(ctx, c, ghsaClient, filename)
 	case "excluded":
-		err = createExcluded(ctx, c, *githubToken, filename)
+		err = createExcluded(ctx, c, ghsaClient, filename)
 	default:
 		err = fmt.Errorf("unsupported command: %q", cmd)
 	}
@@ -64,42 +65,42 @@ func main() {
 	}
 }
 
-func createIssueToTriage(ctx context.Context, c *issues.Client, ghToken, filename string) (err error) {
+func createIssueToTriage(ctx context.Context, c *issues.Client, ghsaClient *ghsa.Client, filename string) (err error) {
 	aliases, err := parseAliases(filename)
 	if err != nil {
 		return err
 	}
 	for _, alias := range aliases {
-		if err := constructIssue(ctx, c, alias, ghToken, []string{"NeedsTriage"}); err != nil {
+		if err := constructIssue(ctx, c, ghsaClient, alias, []string{"NeedsTriage"}); err != nil {
 			return err
 		}
 	}
 	return nil
 }
 
-func createExcluded(ctx context.Context, c *issues.Client, ghToken, filename string) (err error) {
+func createExcluded(ctx context.Context, c *issues.Client, ghsaClient *ghsa.Client, filename string) (err error) {
 	records, err := parseExcluded(filename)
 	if err != nil {
 		return err
 	}
 	for _, r := range records {
-		if err := constructIssue(ctx, c, r.identifier, ghToken, []string{fmt.Sprintf("excluded: %s", r.category)}); err != nil {
+		if err := constructIssue(ctx, c, ghsaClient, r.identifier, []string{fmt.Sprintf("excluded: %s", r.category)}); err != nil {
 			return err
 		}
 	}
 	return nil
 }
 
-func constructIssue(ctx context.Context, c *issues.Client, alias, ghToken string, labels []string) (err error) {
+func constructIssue(ctx context.Context, c *issues.Client, ghsaClient *ghsa.Client, alias string, labels []string) (err error) {
 	var ghsas []*ghsa.SecurityAdvisory
 	if strings.HasPrefix(alias, "GHSA") {
-		sa, err := ghsa.FetchGHSA(ctx, ghToken, alias)
+		sa, err := ghsaClient.FetchGHSA(ctx, alias)
 		if err != nil {
 			return err
 		}
 		ghsas = append(ghsas, sa)
 	} else if strings.HasPrefix(alias, "CVE") {
-		ghsas, err = ghsa.ListForCVE(ctx, ghToken, alias)
+		ghsas, err = ghsaClient.ListForCVE(ctx, alias)
 		if err != nil {
 			return err
 		}

cmd/vulnreport/main.go

@@ -80,55 +80,56 @@ func main() {
 		*githubToken = os.Getenv("VULN_GITHUB_ACCESS_TOKEN")
 	}
 
-	cmd := flag.Arg(0)
-
-	// Create-excluded has no args, so it is separated form the other commands.
-	if cmd == "create-excluded" {
-		_, cfg, err := setupCreate(ctx, nil)
-		if err != nil {
-			log.Fatal(err)
+	var (
+		args []string
+		cmd  = flag.Arg(0)
+	)
+	if cmd != "create-excluded" {
+		if flag.NArg() < 2 {
+			flag.Usage()
+			log.Fatal("not enough arguments")
 		}
-		if err = createExcluded(ctx, cfg); err != nil {
-			log.Fatal(err)
-		}
-		return
+		args = flag.Args()[1:]
 	}
 
-	if flag.NArg() < 2 {
-		flag.Usage()
-		log.Fatal("not enough arguments")
-	}
-
-	args := flag.Args()[1:]
-
-	// Create operates on github issue IDs instead of filenames, so it is
-	// separated from the other commands.
-	if cmd == "create" {
+	// setupCreate clones the CVEList repo and can be very slow,
+	// so commands that require this functionality are separated from other
+	// commands.
+	if cmd == "create-excluded" || cmd == "create" {
 		githubIDs, cfg, err := setupCreate(ctx, args)
 		if err != nil {
 			log.Fatal(err)
 		}
-		for _, githubID := range githubIDs {
-			if err := create(ctx, githubID, cfg); err != nil {
-				fmt.Printf("skipped: %s\n", err)
+		switch cmd {
+		case "create-excluded":
+			if err = createExcluded(ctx, cfg); err != nil {
+				log.Fatal(err)
+			}
+		case "create":
+			// Unlike commands below, create operates on github issue IDs
+			// instead of filenames.
+			for _, githubID := range githubIDs {
+				if err := create(ctx, githubID, cfg); err != nil {
+					fmt.Printf("skipped: %s\n", err)
+				}
 			}
 		}
-		return
 	}
 
+	ghsaClient := ghsa.NewClient(ctx, *githubToken)
 	var cmdFunc func(string) error
 	switch cmd {
 	case "lint":
 		cmdFunc = lint
 	case "commit":
-		cmdFunc = func(name string) error { return commit(ctx, name, *githubToken) }
+		cmdFunc = func(name string) error { return commit(ctx, name, ghsaClient) }
 	case "cve":
 		cmdFunc = func(name string) error { return cveCmd(ctx, name) }
 	//TODO: (https://github.com/golang/go/issues/56356): Deprecate this command once CVE JSON 5.0 publishing is available
 	case "cve4":
 		cmdFunc = func(name string) error { return cve4Cmd(ctx, name, *indent) }
 	case "fix":
-		cmdFunc = func(name string) error { return fix(ctx, name, *githubToken) }
+		cmdFunc = func(name string) error { return fix(ctx, name, ghsaClient) }
 	case "osv":
 		cmdFunc = osvCmd
 	case "set-dates":
@@ -233,8 +234,8 @@ func parseArgsToGithubIDs(args []string, existingByIssue map[int]*report.Report)
 }
 
 type createCfg struct {
-	ghToken         string
 	repo            *git.Repository
+	ghsaClient      *ghsa.Client
 	issuesClient    *issues.Client
 	existingByFile  map[string]*report.Report
 	existingByIssue map[int]*report.Report
@@ -270,9 +271,9 @@ func setupCreate(ctx context.Context, args []string) ([]int, *createCfg, error)
 		return nil, nil, err
 	}
 	return githubIDs, &createCfg{
-		ghToken:         *githubToken,
 		repo:            repo,
 		issuesClient:    issues.NewClient(&issues.Config{Owner: owner, Repo: repoName, Token: *githubToken}),
+		ghsaClient:      ghsa.NewClient(ctx, *githubToken),
 		existingByFile:  existingByFile,
 		existingByIssue: existingByIssue,
 		allowClosed:     *closedOk,
@@ -287,7 +288,7 @@ func createReport(ctx context.Context, cfg *createCfg, iss *issues.Issue) (r *re
 	}
 	if len(parsed.ghsas) == 0 && len(parsed.cves) > 0 {
 		for _, cve := range parsed.cves {
-			sas, err := ghsa.ListForCVE(ctx, cfg.ghToken, cve)
+			sas, err := cfg.ghsaClient.ListForCVE(ctx, cve)
 			if err != nil {
 				return nil, err
 			}
@@ -427,7 +428,7 @@ func newReport(ctx context.Context, cfg *createCfg, parsed *parsedIssue) (*repor
 	var r *report.Report
 	switch {
 	case len(parsed.ghsas) > 0:
-		ghsa, err := ghsa.FetchGHSA(ctx, cfg.ghToken, parsed.ghsas[0])
+		ghsa, err := cfg.ghsaClient.FetchGHSA(ctx, parsed.ghsas[0])
 		if err != nil {
 			return nil, err
 		}
@@ -597,7 +598,7 @@ func lint(filename string) (err error) {
 	return nil
 }
 
-func fix(ctx context.Context, filename string, accessToken string) (err error) {
+func fix(ctx context.Context, filename string, ghsaClient *ghsa.Client) (err error) {
 	defer derrors.Wrap(&err, "fix(%q)", filename)
 	r, err := report.Read(filename)
 	if err != nil {
@@ -611,7 +612,7 @@ func fix(ctx context.Context, filename string, accessToken string) (err error) {
 			return err
 		}
 	}
-	if err := fixGHSAs(ctx, r, accessToken); err != nil {
+	if err := fixGHSAs(ctx, r, ghsaClient); err != nil {
 		return err
 	}
 	// Write unconditionally in order to format.
@@ -842,12 +843,12 @@ func irun(name string, arg ...string) error {
 	return cmd.Run()
 }
 
-func commit(ctx context.Context, filename, accessToken string) (err error) {
+func commit(ctx context.Context, filename string, ghsaClient *ghsa.Client) (err error) {
 	defer derrors.Wrap(&err, "commit(%q)", filename)
 
 	// Ignore errors. If anything is really wrong with the report, we'll
 	// detect it on re-linting below.
-	_ = fix(ctx, filename, accessToken)
+	_ = fix(ctx, filename, ghsaClient)
 
 	r, err := report.ReadAndLint(filename)
 	if err != nil {
@@ -1027,39 +1028,15 @@ func setDates(filename string, dates map[string]gitrepo.Dates) (err error) {
 	return r.Write(filename)
 }
 
-// loadGHSAsByCVE returns a map from CVE ID to GHSA IDs.
-// It does this by using the GitHub API to list all Go security
-// advisories.
-func loadGHSAsByCVE(ctx context.Context, accessToken string) (_ map[string][]string, err error) {
-	defer derrors.Wrap(&err, "loadGHSAsByCVE")
-
-	sas, err := ghsa.List(ctx, accessToken, time.Time{})
-	if err != nil {
-		return nil, err
-	}
-	m := map[string][]string{}
-	for _, sa := range sas {
-		for _, id := range sa.Identifiers {
-			if id.Type == "CVE" {
-				m[id.Value] = append(m[id.Value], sa.ID)
-			}
-		}
-	}
-	return m, nil
-}
-
 // fixGHSAs replaces r.GHSAs with a sorted list of GitHub Security
 // Advisory IDs that correspond to the CVEs.
-func fixGHSAs(ctx context.Context, r *report.Report, accessToken string) error {
-	if accessToken == "" {
-		return nil
-	}
+func fixGHSAs(ctx context.Context, r *report.Report, ghsaClient *ghsa.Client) error {
 	if len(r.GHSAs) > 0 && !*alwaysFixGHSA {
 		return nil
 	}
 	m := map[string]struct{}{}
 	for _, cid := range r.CVEs {
-		sas, err := ghsa.ListForCVE(ctx, accessToken, cid)
+		sas, err := ghsaClient.ListForCVE(ctx, cid)
 		if err != nil {
 			return err
 		}

cmd/worker/main.go

@@ -213,8 +213,9 @@ func updateCommand(ctx context.Context, commitHash string) error {
 		fmt.Printf("Missing GitHub access token; not updating GH security advisories.\n")
 		return nil
 	}
+	ghsaClient := ghsa.NewClient(ctx, cfg.GitHubAccessToken)
 	listSAs := func(ctx context.Context, since time.Time) ([]*ghsa.SecurityAdvisory, error) {
-		return ghsa.List(ctx, cfg.GitHubAccessToken, since)
+		return ghsaClient.List(ctx, since)
 	}
 	_, err = worker.UpdateGHSAs(ctx, listSAs, cfg.Store)
 	return err

internal/ghsa/ghsa.go

@@ -119,17 +119,25 @@ func (sa *gqlSecurityAdvisory) securityAdvisory() (*SecurityAdvisory, error) {
 	return s, nil
 }
 
-func newGitHubClient(ctx context.Context, accessToken string) *githubv4.Client {
+// Client is a client that can fetch data about GitHub security advisories.
+type Client struct {
+	client *githubv4.Client
+	token  string
+}
+
+// NewClient creates a new client for making requests to the GHSA API.
+func NewClient(ctx context.Context, accessToken string) *Client {
 	ts := oauth2.StaticTokenSource(&oauth2.Token{AccessToken: accessToken})
 	tc := oauth2.NewClient(ctx, ts)
-	return githubv4.NewClient(tc)
+	return &Client{
+		client: githubv4.NewClient(tc),
+		token:  accessToken,
+	}
 }
 
 // List returns all SecurityAdvisories that affect Go,
 // published or updated since the given time.
-func List(ctx context.Context, accessToken string, since time.Time) ([]*SecurityAdvisory, error) {
-	client := newGitHubClient(ctx, accessToken)
-
+func (c *Client) List(ctx context.Context, since time.Time) ([]*SecurityAdvisory, error) {
 	var query struct { // the GraphQL query
 		SAs struct {
 			Nodes    []gqlSecurityAdvisory
@@ -149,7 +157,7 @@ func List(ctx context.Context, accessToken string, since time.Time) ([]*Security
 	// We need a loop to page through the list. The GitHub API limits us to 100
 	// values per call.
 	for {
-		if err := client.Query(ctx, &query, vars); err != nil {
+		if err := c.client.Query(ctx, &query, vars); err != nil {
 			return nil, err
 		}
 		for _, sa := range query.SAs.Nodes {
@@ -170,9 +178,7 @@ func List(ctx context.Context, accessToken string, since time.Time) ([]*Security
 	return sas, nil
 }
 
-func ListForCVE(ctx context.Context, accessToken string, cve string) ([]*SecurityAdvisory, error) {
-	client := newGitHubClient(ctx, accessToken)
-
+func (c *Client) ListForCVE(ctx context.Context, cve string) ([]*SecurityAdvisory, error) {
 	var query struct { // The GraphQL query
 		SAs struct {
 			Nodes    []gqlSecurityAdvisory
@@ -190,7 +196,7 @@ func ListForCVE(ctx context.Context, accessToken string, cve string) ([]*Securit
 		"go": githubv4.SecurityAdvisoryEcosystemGo,
 	}
 
-	if err := client.Query(ctx, &query, vars); err != nil {
+	if err := c.client.Query(ctx, &query, vars); err != nil {
 		return nil, err
 	}
 	if query.SAs.PageInfo.HasNextPage {
@@ -223,9 +229,7 @@ func ListForCVE(ctx context.Context, accessToken string, cve string) ([]*Securit
 
 // FetchGHSA returns the SecurityAdvisory for the given Github Security
 // Advisory ID.
-func FetchGHSA(ctx context.Context, accessToken, ghsaID string) (_ *SecurityAdvisory, err error) {
-	client := newGitHubClient(ctx, accessToken)
-
+func (c *Client) FetchGHSA(ctx context.Context, ghsaID string) (_ *SecurityAdvisory, err error) {
 	var query struct {
 		SA gqlSecurityAdvisory `graphql:"securityAdvisory(ghsaId: $id)"`
 	}
@@ -234,9 +238,8 @@ func FetchGHSA(ctx context.Context, accessToken, ghsaID string) (_ *SecurityAdvi
 		"go": githubv4.SecurityAdvisoryEcosystemGo,
 	}
 
-	if err := client.Query(ctx, &query, vars); err != nil {
+	if err := c.client.Query(ctx, &query, vars); err != nil {
 		return nil, err
 	}
-
 	return query.SA.securityAdvisory()
 }