feat(staging): record checker (#3957)

Adds a cron job to validate the consistency of records between GCS and
datastore with the new database format (#3850). This sends messages to
the recoverer (#3821) to attempt to repair.

The record-checker stores information from its previous runs in
datastore in a new JobData entity - where the datastore Key is the name
of the metadata, and the value is stored in a `value` property.

I've written this in Go to because it's fairly simple and to set a
precedent for writing / migrating other components away from python. I
made a copy of the `logging` submodule from `vulnfeeds` into the new
toplevel `go` directory - we'll want to consolidate these soon. There's
also room for refactoring the record checker code have some reusable
components for e.g. setting up datastore, gcs, or pub/sub.

I added a validation test script to make sure datastore entities written
in Python are compatible with the go definitions, and vice versa.

Author: michaelkedar

deployment/build-and-stage.yaml

@@ -107,6 +107,20 @@ steps:
   args: ['push', '--all-tags', 'gcr.io/oss-vdb/recoverer']
   waitFor: ['build-recoverer', 'cloud-build-queue']
 
+- name: 'gcr.io/cloud-builders/docker'
+  entrypoint: 'bash'
+  args: ['-c', 'docker pull gcr.io/oss-vdb/record-checker:latest || exit 0']
+  id: 'pull-record-checker'
+  waitFor: ['setup']
+- name: gcr.io/cloud-builders/docker
+  args: ['build', '-t', 'gcr.io/oss-vdb/record-checker:latest', '-t', 'gcr.io/oss-vdb/record-checker:$COMMIT_SHA', '.']
+  dir: 'go'
+  id: 'build-record-checker'
+  waitFor: ['pull-record-checker']
+- name: gcr.io/cloud-builders/docker
+  args: ['push', '--all-tags', 'gcr.io/oss-vdb/record-checker']
+  waitFor: ['build-record-checker', 'cloud-build-queue']
+
 # Build/push staging-api-test images to gcr.io/oss-vdb-test.
 - name: gcr.io/cloud-builders/docker
   args: ['build', '-t', 'gcr.io/oss-vdb-test/staging-api-test:latest', '-t', 'gcr.io/oss-vdb-test/staging-api-test:$COMMIT_SHA', '.']
@@ -316,7 +330,8 @@ steps:
      nvd-cve-osv=gcr.io/oss-vdb/nvd-cve-osv:$COMMIT_SHA,\
      nvd-mirror=gcr.io/oss-vdb/nvd-mirror:$COMMIT_SHA,\
      recoverer=gcr.io/oss-vdb/recoverer:$COMMIT_SHA,\
-     cve5-to-osv=gcr.io/oss-vdb/cve5-to-osv:$COMMIT_SHA"
+     cve5-to-osv=gcr.io/oss-vdb/cve5-to-osv:$COMMIT_SHA,\
+     record-checker=gcr.io/oss-vdb/record-checker:$COMMIT_SHA"
   ]
   dir: deployment/clouddeploy/gke-workers
 
@@ -374,3 +389,4 @@ images:
 - 'gcr.io/oss-vdb-test/osv-linter:$COMMIT_SHA'
 - 'gcr.io/oss-vdb/recoverer:$COMMIT_SHA'
 - 'gcr.io/oss-vdb/cve5-to-osv:$COMMIT_SHA'
+- 'gcr.io/oss-vdb/record-checker:$COMMIT_SHA'

deployment/clouddeploy/gke-workers/environments/oss-vdb-test/kustomization.yaml

@@ -3,6 +3,7 @@ resources:
 - staging-api-test.yaml
 - osv-linter.yaml
 - cve5-to-osv.yaml
+- record-checker.yaml
 patches:
 - path: workers.yaml
 - path: scaler.yaml

deployment/clouddeploy/gke-workers/environments/oss-vdb-test/record-checker.yaml

@@ -0,0 +1,30 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: record-checker
+  labels:
+    cronLastSuccessfulTimeMins: "90"
+spec:
+  schedule: "10/15 * * * *"
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: record-checker
+            image: record-checker
+            env:
+            - name: GOOGLE_CLOUD_PROJECT
+              value: oss-vdb-test
+            - name: OSV_VULNERABILITIES_BUCKET
+              value: osv-test-vulnerabilities
+            imagePullPolicy: Always
+            resources:
+              requests:
+                cpu: "1"
+                memory: "1G"
+              limits:
+                cpu: "1"
+                memory: "2G"
+          restartPolicy: Never

go/.golangci.yaml

@@ -0,0 +1,144 @@
+version: "2"
+
+linters:
+  default: all
+  # prettier-ignore
+  disable:
+    - forbidigo
+    - paralleltest
+    - tparallel
+    - cyclop           #
+    - depguard         # Too annoying
+    - err113           # will re-add later (another-rex)
+    - exhaustruct      # overkill (g-rath)
+    - forcetypeassert  # too hard (g-rath)
+    - funlen           #
+    - funcorder        #
+    - gochecknoglobals # disagree with, for non changing variables (another-rex)
+    - gocognit         #
+    - goconst          # not everything should be a constant
+    - gocyclo          #
+    - godot            # comments are fine without full stops (g-rath)
+    - godox            # to-do comments are fine (g-rath)
+    - ireturn          # disagree with, sort of (g-rath)
+    - lll              # line length is hard (g-rath)
+    - maintidx         #
+    - mnd              # not every number is magic (g-rath)
+    - nestif           #
+    - noctx            # Most of these don't need a context
+    - noinlineerr      #
+    - nonamedreturns   # disagree with, for now (another-rex)
+    - tagliatelle      # we're parsing data from external sources (g-rath)
+    - testpackage      # will re-add later (another-rex)
+    - varnamelen       # maybe later (g-rath)
+    - wrapcheck        # too difficult, will re-add later (another-rex)
+    - wsl              # disagree with, for now (g-rath)
+    - wsl_v5           # disagree with, for now (g-rath)
+  settings:
+    exhaustive:
+      default-signifies-exhaustive: true
+    gocritic:
+      disabled-checks:
+        - ifElseChain
+    nlreturn:
+      block-size: 2
+    revive:
+      rules:
+        - name: increment-decrement
+          disabled: true
+        - name: blank-imports
+          disabled: false
+        - name: context-as-argument
+          disabled: false
+        - name: context-keys-type
+          disabled: false
+        - name: dot-imports
+          disabled: false
+        - name: empty-block
+          disabled: false
+        - name: error-naming
+          disabled: false
+        - name: error-return
+          disabled: false
+        - name: error-strings
+          disabled: false
+        - name: errorf
+          disabled: false
+        - name: exported
+          disabled: false
+          arguments:
+            # TODO: get these all enabled
+            - "check-private-receivers"
+            # - "check-public-interface"
+            - "disable-checks-on-constants"
+            - "disable-checks-on-functions"
+            - "disable-checks-on-methods"
+            - "disable-checks-on-types"
+            - "disable-checks-on-variables"
+        - name: import-alias-naming
+          disabled: false
+        - name: import-shadowing
+          disabled: false
+        - name: indent-error-flow
+          disabled: false
+        - name: package-comments
+          disabled: false
+        - name: range
+          disabled: false
+        - name: receiver-naming
+          disabled: false
+        - name: redefines-builtin-id
+          disabled: false
+        - name: redundant-test-main-exit
+          disabled: false
+        - name: superfluous-else
+          disabled: false
+        - name: time-naming
+          disabled: false
+        - name: unexported-return
+          disabled: false
+        - name: unreachable-code
+          disabled: false
+        - name: unused-parameter
+          disabled: false
+        - name: use-any
+          disabled: false
+        - name: var-declaration
+          disabled: false
+        - name: var-naming
+          disabled: false
+          arguments:
+            - [] # AllowList
+            - [] # DenyList
+            - - skip-package-name-checks: true
+  exclusions:
+    generated: lax
+    presets:
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      - path: _test\.go
+        linters:
+          - dupl
+      - path-except: _test\.go
+        text: use `testutility.GetCurrentWorkingDirectory`
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+
+issues:
+  max-issues-per-linter: 0
+  max-same-issues: 0

go/cmd/recordchecker/Dockerfile

@@ -0,0 +1,31 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM golang:1.25.0-alpine@sha256:f18a072054848d87a8077455f0ac8a25886f2397f88bfdd222d6fafbb5bba440 AS build
+
+WORKDIR /src
+
+COPY ./go.mod /src/go.mod
+COPY ./go.sum /src/go.sum
+RUN go mod download && go mod verify
+
+
+COPY ./ /src/
+RUN CGO_ENABLED=0 go build -o recordchecker ./cmd/recordchecker/
+
+FROM gcr.io/distroless/static-debian12@sha256:87bce11be0af225e4ca761c40babb06d6d559f5767fbf7dc3c47f0f1a466b92c
+
+COPY --from=build /src/recordchecker /
+
+ENTRYPOINT ["/recordchecker"]