Merge pull request #468 from luhring/no-mo-sec-data

Remove secfixes and advisories altogether

examples/options.yaml

@@ -8,13 +8,6 @@ package:
         - "*"
       attestation: TODO
       license: MIT
-secfixes:
-  7.87.0-r0:
-    - CVE-2022-43551
-    - CVE-2022-43552
-  7.86.0-r0:
-    - CVE-2022-42916
-    - CVE-2022-32221
 
 environment:
   contents:
@@ -106,21 +99,3 @@ subpackages:
       - runs: |
           mkdir -p "${{targets.subpkgdir}}"/usr/lib
           mv "${{targets.destdir}}"/usr/lib/libcurl.so.* "${{targets.subpkgdir}}"/usr/lib/
-
-advisories:
-  CVE-2022-32221:
-    - timestamp: 2022-12-09T12:10:34-05:00
-      status: fixed
-      fixed-version: 7.86.0-r0
-  CVE-2022-42916:
-    - timestamp: 2022-11-19T10:37:17-05:00
-      status: fixed
-      fixed-version: 7.86.0-r0
-  CVE-2022-43551:
-    - timestamp: 2022-12-21T13:16:36+00:00
-      status: fixed
-      fixed-version: 7.87.0-r0
-  CVE-2022-43552:
-    - timestamp: 2022-12-21T13:16:36+00:00
-      status: fixed
-      fixed-version: 7.87.0-r0

go.mod

@@ -17,7 +17,6 @@ require (
 	github.com/korovkin/limiter v0.0.0-20221015170604-22eb1ceceddc
 	github.com/lima-vm/lima v0.14.2
 	github.com/opencontainers/image-spec v1.1.0-rc2
-	github.com/openvex/go-vex v0.2.0
 	github.com/package-url/packageurl-go v0.1.1-0.20220203205134-d70459300c8a
 	github.com/pkg/errors v0.9.1
 	github.com/psanford/memfs v0.0.0-20230130182539-4dbf7e3e865e

go.sum

@@ -535,8 +535,6 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0-rc2 h1:2zx/Stx4Wc5pIPDvIxHXvXtQFW/7XWJGmnM7r3wg034=
 github.com/opencontainers/image-spec v1.1.0-rc2/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ=
-github.com/openvex/go-vex v0.2.0 h1:7Q6VzdpZSZzYUyXB1dio/9LCGHp1iL3JldC+hMsbFg0=
-github.com/openvex/go-vex v0.2.0/go.mod h1:jYmYbhQAO/0hquryXND/jMVDBcob8/KkVgzUEUAHsFI=
 github.com/package-url/packageurl-go v0.1.1-0.20220203205134-d70459300c8a h1:tkTSd1nhioPqi5Whu3CQ79UjPtaGOytqyNnSCVOqzHM=
 github.com/package-url/packageurl-go v0.1.1-0.20220203205134-d70459300c8a/go.mod h1:uQd4a7Rh3ZsVg5j0lNyAfyxIeGde9yrlhjF78GzeW0c=
 github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE=

pkg/build/build.go

@@ -37,7 +37,6 @@ import (
 	"cloud.google.com/go/storage"
 	"github.com/go-git/go-git/v5"
 	"github.com/joho/godotenv"
-	"github.com/openvex/go-vex/pkg/vex"
 	"github.com/yookoala/realpath"
 	"github.com/zealic/xignore"
 	"google.golang.org/api/iterator"
@@ -279,11 +278,6 @@ type Configuration struct {
 	// Optional: An arbitrary list of data that can be used via templating in the
 	// pipeline
 	Data []RangeData `yaml:"data,omitempty"`
-	// Optional: The map of security fixes for this package keyed by the version
-	// found
-	Secfixes Secfixes `yaml:"secfixes,omitempty"`
-	// Optional: The map of advisories for this package
-	Advisories Advisories `yaml:"advisories,omitempty"`
 	// Optional: The update block determining how this package is auto updated
 	Update Update `yaml:"update"`
 	// Optional: A map of arbitrary variables that can be used via templating in
@@ -316,33 +310,6 @@ type VarTransforms struct {
 	To string `yaml:"to"`
 }
 
-// TODO: ensure that there's no net effect to secdb!
-
-type Secfixes map[string][]string
-
-type Advisories map[string][]AdvisoryContent
-
-type AdvisoryContent struct {
-	// Timestamp is the time at which the information expressed in the Statement
-	// was known to be true.
-	Timestamp time.Time `yaml:"timestamp"`
-	// A VEX statement MUST provide Status of the vulnerabilities with respect to the
-	// products and components listed in the statement. Status MUST be one of the
-	// Status const values, some of which have further options and requirements.
-	Status vex.Status `yaml:"status"`
-	// For ”not_affected” status, a VEX statement MUST include a status Justification
-	// that further explains the status.
-	Justification vex.Justification `yaml:"justification,omitempty"`
-	// For ”not_affected” status, a VEX statement MAY include an ImpactStatement
-	// that contains a description why the vulnerability cannot be exploited.
-	ImpactStatement string `yaml:"impact,omitempty"`
-	// For "affected" status, a VEX statement MUST include an ActionStatement that
-	// SHOULD describe actions to remediate or mitigate [vul_id].
-	ActionStatement string `yaml:"action,omitempty"`
-	// The fixed version at which the advisory pertains to
-	FixedVersion string `yaml:"fixed-version,omitempty"`
-}
-
 // Update provides information used to describe how to keep the package up to date
 type Update struct {
 	// Toggle if updates should occur
@@ -384,29 +351,6 @@ type GitHubMonitor struct {
 	UseTags bool `yaml:"use-tag,omitempty"`
 }
 
-func (ac AdvisoryContent) Validate() error {
-	// We'll lean on the vex module's validation as proxy for validating our advisory data.
-
-	mockStmt := vex.Statement{
-		Timestamp:       &ac.Timestamp,
-		Status:          ac.Status,
-		Justification:   ac.Justification,
-		ImpactStatement: ac.ImpactStatement,
-		ActionStatement: ac.ActionStatement,
-	}
-
-	err := mockStmt.Validate()
-	if err != nil {
-		return err
-	}
-
-	if ac.Status == vex.StatusFixed && ac.FixedVersion == "" {
-		return fmt.Errorf("must specify fixed version when using status %q", ac.Status)
-	}
-
-	return nil
-}
-
 type RangeData struct {
 	Name  string    `yaml:"name"`
 	Items DataItems `yaml:"items"`
@@ -1012,15 +956,6 @@ func ParseConfiguration(configurationFilePath string, opts ...ConfigurationParsi
 		return nil, fmt.Errorf("unable to decode configuration file %q: %w", configurationFilePath, err)
 	}
 
-	for vulnerability, entries := range cfg.Advisories {
-		for i, entry := range entries {
-			err := entry.Validate()
-			if err != nil {
-				return nil, fmt.Errorf("invalid advisory entry for vulnerability %q at index %d: %w", vulnerability, i, err)
-			}
-		}
-	}
-
 	detectedCommit := detectCommit(configurationDirPath, options.logger)
 	if cfg.Package.Commit == "" {
 		cfg.Package.Commit = detectedCommit