Merge pull request #64 from micahhausler/go-121

Author: cpanato

.github/workflows/ci-build-test.yaml

@@ -19,7 +19,7 @@ jobs:
 
       - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version: '1.19'
+          go-version: "1.21"
           check-latest: true
           cache: true
 
@@ -35,7 +35,7 @@ jobs:
 
       - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version: '1.19'
+          go-version: "1.21"
           check-latest: true
           cache: true
 

.github/workflows/verify.yaml

@@ -16,12 +16,12 @@ jobs:
       - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
       - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version: 1.19
+          go-version: 1.21
           check-latest: true
           cache: true
 
       - name: golangci-lint
         uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
         with:
-          version: v1.50.1
+          version: v1.54
           args: --timeout=5m

go.mod

@@ -1,12 +1,11 @@
 module github.com/openvex/go-vex
 
-go 1.19
+go 1.21
 
 require (
 	github.com/google/go-cmp v0.5.9
 	github.com/in-toto/in-toto-golang v0.9.0
 	github.com/owenrumney/go-sarif v1.1.1
-	github.com/sirupsen/logrus v1.9.3
 	gopkg.in/yaml.v3 v3.0.1
 )
 

go.sum

@@ -1,5 +1,6 @@
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE=
+github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -32,8 +33,6 @@ github.com/secure-systems-lab/go-securesystemslib v0.6.0 h1:T65atpAVCJQK14UA57LM
 github.com/secure-systems-lab/go-securesystemslib v0.6.0/go.mod h1:8Mtpo9JKks/qhPG4HGZ2LGMvrPbzuxwfz/f/zLfEWkk=
 github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI=
 github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE=
-github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
-github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
@@ -48,10 +47,10 @@ golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.7.0 h1:BEvjmm5fURWqcfbSKTdpkDXYBrUS1c0m8agp14W48vQ=
+golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=

pkg/vex/functions_documents_test.go

@@ -23,28 +23,28 @@ func TestMergeDocumentsWithOptions(t *testing.T) {
 	require.NoError(t, err)
 
 	for _, tc := range []struct {
-		opts        MergeOptions
+		opts        *MergeOptions
 		docs        []*VEX
 		expectedDoc *VEX
 		shouldErr   bool
 	}{
 		// Zero docs should fail
 		{
-			opts:        MergeOptions{},
+			opts:        &MergeOptions{},
 			docs:        []*VEX{},
 			expectedDoc: &VEX{},
 			shouldErr:   true,
 		},
 		// One doc results in the same doc
 		{
-			opts:        MergeOptions{},
+			opts:        &MergeOptions{},
 			docs:        []*VEX{doc1},
 			expectedDoc: doc1,
 			shouldErr:   false,
 		},
 		// Two docs, as they are
 		{
-			opts: MergeOptions{},
+			opts: &MergeOptions{},
 			docs: []*VEX{doc1, doc2},
 			expectedDoc: &VEX{
 				Metadata: Metadata{},
@@ -57,7 +57,7 @@ func TestMergeDocumentsWithOptions(t *testing.T) {
 		},
 		// Two docs, filter product
 		{
-			opts: MergeOptions{
+			opts: &MergeOptions{
 				Products: []string{"pkg:apk/wolfi/[email protected]"},
 			},
 			docs: []*VEX{doc3, doc4},
@@ -71,7 +71,7 @@ func TestMergeDocumentsWithOptions(t *testing.T) {
 		},
 		// Two docs, filter vulnerability
 		{
-			opts: MergeOptions{
+			opts: &MergeOptions{
 				Vulnerabilities: []string{"CVE-9876-54321"},
 			},
 			docs: []*VEX{doc3, doc4},
@@ -84,7 +84,7 @@ func TestMergeDocumentsWithOptions(t *testing.T) {
 			shouldErr: false,
 		},
 	} {
-		doc, err := MergeDocumentsWithOptions(&tc.opts, tc.docs)
+		doc, err := MergeDocumentsWithOptions(tc.opts, tc.docs)
 		if tc.shouldErr {
 			require.Error(t, err)
 			continue

pkg/vex/functions_files.go

@@ -9,12 +9,12 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
+	"log/slog"
 	"os"
 	"strings"
 	"time"
 
 	"github.com/openvex/go-vex/pkg/csaf"
-	"github.com/sirupsen/logrus"
 	"gopkg.in/yaml.v3"
 )
 
@@ -118,7 +118,7 @@ func Open(path string) (*VEX, error) {
 	}
 
 	if bytes.Contains(data, []byte(`"csaf_version"`)) {
-		logrus.Info("Abriendo CSAF")
+		slog.Info("Abriendo CSAF")
 
 		doc, err := OpenCSAF(path, []string{})
 		if err != nil {

pkg/vex/vex.go

@@ -10,14 +10,14 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"log/slog"
 	"os"
 	"sort"
 	"strconv"
 	"strings"
 	"time"
 
 	"github.com/package-url/packageurl-go"
-	"github.com/sirupsen/logrus"
 )
 
 const (
@@ -103,7 +103,7 @@ func New() VEX {
 	now := time.Now()
 	t, err := DateFromEnv()
 	if err != nil {
-		logrus.Warn(err)
+		slog.Warn(err.Error())
 	}
 	if t != nil {
 		now = *t
@@ -156,7 +156,7 @@ func (vexDoc *VEX) EffectiveStatement(product, vulnID string) (s *Statement) {
 //
 // Deprecated: vex.StatementFromID is deprecated and will be removed in an upcoming version
 func (vexDoc *VEX) StatementFromID(id string) *Statement {
-	logrus.Warn("vex.StatementFromID is deprecated and will be removed in an upcoming version")
+	slog.Warn("vex.StatementFromID is deprecated and will be removed in an upcoming version")
 	for i := range vexDoc.Statements {
 		if string(vexDoc.Statements[i].Vulnerability.Name) == id && len(vexDoc.Statements[i].Products) > 0 {
 			return vexDoc.EffectiveStatement(vexDoc.Statements[i].Products[0].ID, id)

pkg/vex/vex_test.go

@@ -166,6 +166,7 @@ func genTestDoc(t *testing.T) VEX {
 }
 
 func TestCanonicalHash(t *testing.T) {
+	//nolint:gosec // Not a credential
 	goldenHash := `3edda795cc8f075902800f0bb6a24f89b49e7e45fbceea96ce6061097460f139`
 
 	otherTS, err := time.Parse(time.RFC3339, "2019-01-22T16:36:43-05:00")