-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Check the package patterns in doc/pkg-vulnerabilities
- Loading branch information
Showing
3 changed files
with
125 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,83 @@ | ||
| package pkglint | ||
|
|
||
| // Vulnerabilities collects the vulnerabilites from the | ||
| // doc/pkg-vulnerabilities file. | ||
| type Vulnerabilities struct { | ||
| byPkgbase map[string][]Vulnerability | ||
| } | ||
|
|
||
| type Vulnerability struct { | ||
| line *Line | ||
| pattern *PackagePattern | ||
| kind string | ||
| url string | ||
| } | ||
|
|
||
| func NewVulnerabilities() *Vulnerabilities { | ||
| return &Vulnerabilities{ | ||
| map[string][]Vulnerability{}, | ||
| } | ||
| } | ||
|
|
||
| func (vs *Vulnerabilities) read(filename CurrPath) { | ||
| file := Load(filename, MustSucceed|NotEmpty) | ||
| lines := file.Lines | ||
| format := "" | ||
| for len(lines) > 0 && hasPrefix(lines[0].Text, "#") { | ||
| if hasPrefix(lines[0].Text, "#FORMAT ") { | ||
| format = lines[0].Text[8:] | ||
| } | ||
| lines = lines[1:] | ||
| } | ||
| if format != "1.0.0" { | ||
| file.Whole().Errorf("Invalid file format \"%s\".", format) | ||
| return | ||
| } | ||
|
|
||
| for _, line := range lines { | ||
| text := line.Text | ||
| if hasPrefix(text, "#") { | ||
| continue | ||
| } | ||
| m, pattern, kindOfExploit, url := match3(text, `^(\S+)\s+(\S+)\s+(\S+)$`) | ||
| if !m { | ||
| line.Errorf("Invalid line format \"%s\".", text) | ||
| continue | ||
| } | ||
| if !hasBalancedBraces(pattern) { | ||
| line.Errorf("Package pattern \"%s\" must have balanced braces.", pattern) | ||
| continue | ||
| } | ||
| for _, pat := range expandCurlyBraces(pattern) { | ||
| parser := NewMkParser(nil, pat) | ||
| deppat := ParsePackagePattern(parser) | ||
| rest := parser.Rest() | ||
|
|
||
| switch { | ||
| case deppat == nil && contains(pattern, "{"): | ||
| line.Errorf("Package pattern \"%s\" expands to the invalid package pattern \"%s\".", pattern, pat) | ||
| continue | ||
| case deppat == nil: | ||
| line.Errorf("Invalid package pattern \"%s\".", pat) | ||
| continue | ||
| case hasPrefix(rest, "-") && contains(pattern, "{"): | ||
| line.Errorf("Package pattern \"%s\" expands to \"%s\", which has a \"-\" in the version number.", | ||
| pattern, pat) | ||
| continue | ||
| case hasPrefix(rest, "-"): | ||
| line.Errorf("Package pattern \"%s\" has a \"-\" in the version number.", pat) | ||
| continue | ||
| case rest != "" && contains(pattern, "{"): | ||
| line.Errorf("Package pattern \"%s\" expands to \"%s\", which is followed by extra text \"%s\".", | ||
| pattern, pat[:len(pat)-len(rest)], rest) | ||
| continue | ||
| case rest != "": | ||
| line.Errorf("Package pattern \"%s\" is followed by extra text \"%s\".", pat[:len(pat)-len(rest)], rest) | ||
| continue | ||
| } | ||
|
|
||
| vs.byPkgbase[deppat.Pkgbase] = append(vs.byPkgbase[deppat.Pkgbase], | ||
| Vulnerability{line, deppat, kindOfExploit, url}) | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| package pkglint | ||
|
|
||
| import ( | ||
| "gopkg.in/check.v1" | ||
| ) | ||
|
|
||
| func (s *Suite) Test_NewVulnerabilities(c *check.C) { | ||
| t := s.Init(c) | ||
|
|
||
| v := NewVulnerabilities() | ||
|
|
||
| t.CheckNotNil(v.byPkgbase) | ||
| } | ||
|
|
||
| func (s *Suite) Test_Vulnerabilities_read(c *check.C) { | ||
| t := s.Init(c) | ||
|
|
||
| f := t.CreateFileLines("pkg-vulnerabilities", | ||
| "#FORMAT 1.0.0", | ||
| "pkgbase<5.6.7\tbuffer-overflow\thttps://example.org/SA-2025-00001", | ||
| "pkgbase-5<5.6.7\tbuffer-overflow\thttps://example.org/SA-2025-00001") | ||
| v := NewVulnerabilities() | ||
| v.read(f) | ||
|
|
||
| t.CheckEquals(len(v.byPkgbase), 1) | ||
| vs := v.byPkgbase["pkgbase"] | ||
| if t.CheckNotNil(vs) { | ||
| t.CheckEquals(len(vs), 1) | ||
| t.CheckEquals(*vs[0].pattern, PackagePattern{"pkgbase", "", "", "<", "5.6.7", ""}) | ||
| t.CheckEquals(vs[0].kind, "buffer-overflow") | ||
| t.CheckEquals(vs[0].url, "https://example.org/SA-2025-00001") | ||
| } | ||
|
|
||
| t.CheckOutputLines( | ||
| "ERROR: ~/pkg-vulnerabilities:3: " + | ||
| "Package pattern \"pkgbase-5\" is followed by " + | ||
| "extra text \"<5.6.7\".") | ||
| } |