all: add lint rule to catch redundant CVE/GHSA links

The references section of a report doesn't need to include
links to GitHub/MITRE/NIST for advisories listed as aliases,
since we'll generate those links from the alias information.
Add a lint rule to fund these redundant references.

Allow ADVISORY links to these destinations, which indicate
that the source is the canonical advisory for a vuln.

Allow links to CVEs/GHSAs not listed as aliases, since it's
legitimate to link to a related vulnerability for further
information.

Change-Id: Ibdc103a3ef76f306c2e9ddac7f839f3b94d8467f
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/432975
Run-TryBot: Damien Neil <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>

Author: neild

data/osv/GO-2020-0016.json

@@ -52,10 +52,6 @@
     {
       "type": "WEB",
       "url": "https://github.com/ulikunitz/xz/issues/35"
-    },
-    {
-      "type": "WEB",
-      "url": "https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27"
     }
   ]
 }

data/osv/GO-2020-0050.json

@@ -50,10 +50,6 @@
     {
       "type": "FIX",
       "url": "https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64"
-    },
-    {
-      "type": "WEB",
-      "url": "https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7"
     }
   ]
 }

data/osv/GO-2021-0060.json

@@ -49,10 +49,6 @@
     {
       "type": "FIX",
       "url": "https://github.com/russellhaering/gosaml2/commit/42606dafba60c58c458f14f75c4c230459672ab9"
-    },
-    {
-      "type": "WEB",
-      "url": "https://github.com/russellhaering/gosaml2/security/advisories/GHSA-xhqq-x44f-9fgg"
     }
   ]
 }

data/osv/GO-2021-0095.json

@@ -49,10 +49,6 @@
     {
       "type": "FIX",
       "url": "https://github.com/google/go-tpm/commit/d7806cce857a1a020190c03348e5361725d8f141"
-    },
-    {
-      "type": "WEB",
-      "url": "https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw"
     }
   ]
 }

data/osv/GO-2021-0098.json

@@ -76,10 +76,6 @@
     {
       "type": "FIX",
       "url": "https://github.com/git-lfs/git-lfs/commit/fc664697ed2c2081ee9633010de0a7f9debea72a"
-    },
-    {
-      "type": "WEB",
-      "url": "https://github.com/git-lfs/git-lfs/security/advisories/GHSA-cx3w-xqmc-84g5"
     }
   ]
 }

data/osv/GO-2021-0099.json

@@ -46,10 +46,6 @@
     {
       "type": "FIX",
       "url": "https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e"
-    },
-    {
-      "type": "WEB",
-      "url": "https://github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx"
     }
   ]
 }

data/osv/GO-2021-0103.json

@@ -55,10 +55,6 @@
     {
       "type": "FIX",
       "url": "https://github.com/holiman/uint256/commit/6785da6e3eea403260a5760029e722aa4ff1716d"
-    },
-    {
-      "type": "WEB",
-      "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-jm5c-rv3w-w83m"
     }
   ]
 }

data/osv/GO-2021-0110.json

@@ -47,10 +47,6 @@
     {
       "type": "FIX",
       "url": "https://github.com/ory/fosite/commit/0c9e0f6d654913ad57c507dd9a36631e1858a3e9"
-    },
-    {
-      "type": "WEB",
-      "url": "https://github.com/ory/fosite/security/advisories/GHSA-v3q9-2p3m-7g43"
     }
   ]
 }

data/osv/GO-2021-0237.json

@@ -49,10 +49,6 @@
     {
       "type": "FIX",
       "url": "https://github.com/AndrewBurian/powermux/commit/5e60a8a0372b35a898796c2697c40e8daabed8e9"
-    },
-    {
-      "type": "WEB",
-      "url": "https://github.com/AndrewBurian/powermux/security/advisories/GHSA-mj9r-wwm8-7q52"
     }
   ]
 }

data/osv/GO-2021-0258.json

@@ -51,10 +51,6 @@
     {
       "type": "FIX",
       "url": "https://github.com/pomerium/pomerium/commit/f20542c4bf2cc691e4c324f7ec79e02e46d95511"
-    },
-    {
-      "type": "WEB",
-      "url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-j6wp-3859-vxfg"
     }
   ]
 }

data/osv/GO-2021-0412.json

@@ -53,10 +53,6 @@
     {
       "type": "WEB",
       "url": "https://github.com/containerd/imgcrypt/releases/tag/v1.1.4"
-    },
-    {
-      "type": "WEB",
-      "url": "https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm"
     }
   ]
 }

data/osv/GO-2022-0246.json

@@ -50,10 +50,6 @@
     {
       "type": "FIX",
       "url": "https://github.com/cloudflare/cfrpki/commit/a8db4e009ef217484598ba1fd1c595b54e0f6422"
-    },
-    {
-      "type": "WEB",
-      "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9"
     }
   ]
 }

data/osv/GO-2022-0462.json

@@ -54,10 +54,6 @@
     {
       "type": "FIX",
       "url": "https://github.com/pion/dtls/commit/d2f797183a9f044ce976e6df6f362662ca722412"
-    },
-    {
-      "type": "WEB",
-      "url": "https://github.com/pion/dtls/security/advisories/GHSA-w45j-f832-hxvh"
     }
   ]
 }

data/osv/GO-2022-0470.json

@@ -91,10 +91,6 @@
     {
       "type": "FIX",
       "url": "https://github.com/blevesearch/bleve/commit/1c7509d6a17d36f265c90b4e8f4e3a3182fe79ff"
-    },
-    {
-      "type": "WEB",
-      "url": "https://github.com/blevesearch/bleve/security/advisories/GHSA-9w9f-6mg8-jp7w"
     }
   ]
 }

data/osv/GO-2022-0621.json

@@ -46,10 +46,6 @@
     {
       "type": "FIX",
       "url": "https://github.com/kubernetes/kube-state-metrics/commit/03122fe3e2df49a9a7298b8af921d3c37c430f7f"
-    },
-    {
-      "type": "WEB",
-      "url": "https://github.com/advisories/GHSA-2v6x-frw8-7r7f"
     }
   ]
 }

data/osv/GO-2022-0629.json

@@ -63,10 +63,6 @@
     {
       "type": "FIX",
       "url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/commit/c2cbb19e2eef16638fa0523383788a4bc22231fd"
-    },
-    {
-      "type": "WEB",
-      "url": "https://github.com/advisories/GHSA-5cgx-vhfp-6cf9"
     }
   ]
 }

data/osv/GO-2022-0643.json

@@ -50,10 +50,6 @@
     {
       "type": "FIX",
       "url": "https://github.com/elastic/beats/commit/aeca65779d573976981587ca1d1461399e1b59dd"
-    },
-    {
-      "type": "WEB",
-      "url": "https://github.com/advisories/GHSA-9q3g-m353-cp4p"
     }
   ]
 }

data/osv/GO-2022-0646.json

@@ -46,14 +46,6 @@
       "type": "ADVISORY",
       "url": "https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09"
     },
-    {
-      "type": "WEB",
-      "url": "https://github.com/advisories/GHSA-7f33-f4f5-xwgw"
-    },
-    {
-      "type": "WEB",
-      "url": "https://github.com/advisories/GHSA-f5pg-7wfw-84q9"
-    },
     {
       "type": "FIX",
       "url": "https://github.com/aws/aws-sdk-go/pull/3403"

data/osv/GO-2022-0701.json

@@ -80,10 +80,6 @@
     {
       "type": "FIX",
       "url": "https://github.com/kubernetes/kubernetes/commit/37f730f68c7f06e060f90714439bfb0dbb2df5e7"
-    },
-    {
-      "type": "WEB",
-      "url": "https://github.com/advisories/GHSA-jp32-vmm6-3vf5"
     }
   ]
 }

data/osv/GO-2022-0706.json

@@ -51,10 +51,6 @@
     {
       "type": "FIX",
       "url": "https://github.com/elastic/apm-agent-go/commit/dd3e8c593580e7b80a98b57e1cc6e017e56747b4"
-    },
-    {
-      "type": "WEB",
-      "url": "https://github.com/advisories/GHSA-qqc5-rgcc-cjqh"
     }
   ]
 }

data/reports/GO-2020-0016.yaml

@@ -24,4 +24,3 @@ credit: '@0xdecaf'
 references:
   - fix: https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b
   - web: https://github.com/ulikunitz/xz/issues/35
-  - web: https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27

data/reports/GO-2020-0050.yaml

@@ -25,4 +25,3 @@ ghsas:
 credit: '@jupenur'
 references:
   - fix: https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64
-  - web: https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7

data/reports/GO-2021-0060.yaml

@@ -23,4 +23,3 @@ ghsas:
 credit: Juho Nurminen
 references:
   - fix: https://github.com/russellhaering/gosaml2/commit/42606dafba60c58c458f14f75c4c230459672ab9
-  - web: https://github.com/russellhaering/gosaml2/security/advisories/GHSA-xhqq-x44f-9fgg

data/reports/GO-2021-0095.yaml

@@ -19,4 +19,3 @@ credit: Chris Fenner
 references:
   - fix: https://github.com/google/go-tpm/pull/195
   - fix: https://github.com/google/go-tpm/commit/d7806cce857a1a020190c03348e5361725d8f141
-  - web: https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw

data/reports/GO-2021-0098.yaml

@@ -35,4 +35,3 @@ ghsas:
 credit: '@Ry0taK'
 references:
   - fix: https://github.com/git-lfs/git-lfs/commit/fc664697ed2c2081ee9633010de0a7f9debea72a
-  - web: https://github.com/git-lfs/git-lfs/security/advisories/GHSA-cx3w-xqmc-84g5

data/reports/GO-2021-0099.yaml

@@ -20,4 +20,3 @@ ghsas:
 credit: Chris Smowton
 references:
   - fix: https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e
-  - web: https://github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx

data/reports/GO-2021-0103.yaml

@@ -27,4 +27,3 @@ credit: Dima Stebaev
 references:
   - fix: https://github.com/holiman/uint256/pull/80
   - fix: https://github.com/holiman/uint256/commit/6785da6e3eea403260a5760029e722aa4ff1716d
-  - web: https://github.com/ethereum/go-ethereum/security/advisories/GHSA-jm5c-rv3w-w83m

data/reports/GO-2021-0110.yaml

@@ -19,4 +19,3 @@ ghsas:
   - GHSA-v3q9-2p3m-7g43
 references:
   - fix: https://github.com/ory/fosite/commit/0c9e0f6d654913ad57c507dd9a36631e1858a3e9
-  - web: https://github.com/ory/fosite/security/advisories/GHSA-v3q9-2p3m-7g43

data/reports/GO-2021-0237.yaml

@@ -19,4 +19,3 @@ ghsas:
 references:
   - fix: https://github.com/AndrewBurian/powermux/pull/42
   - fix: https://github.com/AndrewBurian/powermux/commit/5e60a8a0372b35a898796c2697c40e8daabed8e9
-  - web: https://github.com/AndrewBurian/powermux/security/advisories/GHSA-mj9r-wwm8-7q52

data/reports/GO-2021-0258.yaml

@@ -27,4 +27,3 @@ ghsas:
 references:
   - fix: https://github.com/pomerium/pomerium/pull/2724
   - fix: https://github.com/pomerium/pomerium/commit/f20542c4bf2cc691e4c324f7ec79e02e46d95511
-  - web: https://github.com/pomerium/pomerium/security/advisories/GHSA-j6wp-3859-vxfg

data/reports/GO-2021-0412.yaml

@@ -37,4 +37,3 @@ references:
   - fix: https://github.com/containerd/imgcrypt/commit/6fdd9818a4d8142107b7ecd767d839c9707700d9
   - web: https://github.com/containerd/imgcrypt/issues/69
   - web: https://github.com/containerd/imgcrypt/releases/tag/v1.1.4
-  - web: https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm

data/reports/GO-2022-0246.yaml

@@ -21,4 +21,3 @@ credit: Job Snijders
 references:
   - fix: https://github.com/cloudflare/cfrpki/pull/90
   - fix: https://github.com/cloudflare/cfrpki/commit/a8db4e009ef217484598ba1fd1c595b54e0f6422
-  - web: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9

data/reports/GO-2022-0462.yaml

@@ -32,4 +32,3 @@ ghsas:
   - GHSA-w45j-f832-hxvh
 references:
   - fix: https://github.com/pion/dtls/commit/d2f797183a9f044ce976e6df6f362662ca722412
-  - web: https://github.com/pion/dtls/security/advisories/GHSA-w45j-f832-hxvh

data/reports/GO-2022-0470.yaml

@@ -45,4 +45,3 @@ ghsas:
   - GHSA-9w9f-6mg8-jp7w
 references:
   - fix: https://github.com/blevesearch/bleve/commit/1c7509d6a17d36f265c90b4e8f4e3a3182fe79ff
-  - web: https://github.com/blevesearch/bleve/security/advisories/GHSA-9w9f-6mg8-jp7w

data/reports/GO-2022-0621.yaml

@@ -25,4 +25,3 @@ ghsas:
 credit: Moritz S.
 references:
   - fix: https://github.com/kubernetes/kube-state-metrics/commit/03122fe3e2df49a9a7298b8af921d3c37c430f7f
-  - web: https://github.com/advisories/GHSA-2v6x-frw8-7r7f

data/reports/GO-2022-0629.yaml

@@ -35,4 +35,3 @@ credit: tam7t (Tommy Murphy)
 references:
   - fix: https://github.com/kubernetes-sigs/secrets-store-csi-driver/pull/371
   - fix: https://github.com/kubernetes-sigs/secrets-store-csi-driver/commit/c2cbb19e2eef16638fa0523383788a4bc22231fd
-  - web: https://github.com/advisories/GHSA-5cgx-vhfp-6cf9

data/reports/GO-2022-0643.yaml

@@ -20,4 +20,3 @@ ghsas:
 references:
   - fix: https://github.com/elastic/beats/pull/5457
   - fix: https://github.com/elastic/beats/commit/aeca65779d573976981587ca1d1461399e1b59dd
-  - web: https://github.com/advisories/GHSA-9q3g-m353-cp4p

data/reports/GO-2022-0646.yaml

@@ -25,7 +25,5 @@ ghsas:
 credit: Sophie Schmieg from the Google ISE team
 references:
   - advisory: https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09
-  - web: https://github.com/advisories/GHSA-7f33-f4f5-xwgw
-  - web: https://github.com/advisories/GHSA-f5pg-7wfw-84q9
   - fix: https://github.com/aws/aws-sdk-go/pull/3403
   - fix: https://github.com/aws/aws-sdk-go/commit/ae9b9fd92af132cfd8d879809d8611825ba135f4

data/reports/GO-2022-0701.yaml

@@ -38,4 +38,3 @@ credit: liggitt (Jordan Liggitt)
 references:
   - fix: https://github.com/kubernetes/kubernetes/pull/16381
   - fix: https://github.com/kubernetes/kubernetes/commit/37f730f68c7f06e060f90714439bfb0dbb2df5e7
-  - web: https://github.com/advisories/GHSA-jp32-vmm6-3vf5

data/reports/GO-2022-0706.yaml

@@ -21,4 +21,3 @@ ghsas:
 references:
   - fix: https://github.com/elastic/apm-agent-go/pull/888
   - fix: https://github.com/elastic/apm-agent-go/commit/dd3e8c593580e7b80a98b57e1cc6e017e56747b4
-  - web: https://github.com/advisories/GHSA-qqc5-rgcc-cjqh

internal/report/lint.go

@@ -264,12 +264,16 @@ func (r *Report) lintLineLength(field, content string, addIssue func(string)) {
 	}
 }
 
-// Regex patterns for standard library links.
+// Regex patterns for standard links.
 var (
 	prRegex       = regexp.MustCompile(`https://go.dev/cl/\d+`)
 	commitRegex   = regexp.MustCompile(`https://go.googlesource.com/[^/]+/\+/([^/]+)`)
 	issueRegex    = regexp.MustCompile(`https://go.dev/issue/\d+`)
 	announceRegex = regexp.MustCompile(`https://groups.google.com/g/golang-(announce|dev|nuts)/c/([^/]+)`)
+
+	nistRegex  = regexp.MustCompile(`^https://nvd.nist.gov/vuln/detail/(CVE-.*)$`)
+	ghsaRegex  = regexp.MustCompile(`^https://github.com/.*/(GHSA-[^/]+)$`)
+	mitreRegex = regexp.MustCompile(`^https://cve.mitre.org/.*(CVE-[\d\-]+)$`)
 )
 
 // Checks that the "links" section of a Report for a package in the
@@ -329,6 +333,24 @@ func (r *Report) lintLinks(addIssue func(string)) {
 		if ref.Type == ReferenceTypeAdvisory {
 			advisoryCount++
 		}
+		if ref.Type != ReferenceTypeAdvisory {
+			// An ADVISORY reference to a CVE/GHSA indicates that it
+			// is the canonical source of information on this vuln.
+			//
+			// A reference to a CVE/GHSA that is not an alias of this
+			// report indicates that it may contain related information.
+			//
+			// A reference to a CVE/GHSA that appears in the CVEs/GHSAs
+			// aliases is redundant.
+			for _, re := range []*regexp.Regexp{nistRegex, mitreRegex, ghsaRegex} {
+				if m := re.FindStringSubmatch(ref.URL); len(m) > 0 {
+					id := m[1]
+					if slices.Contains(r.CVEs, id) || slices.Contains(r.GHSAs, id) {
+						addIssue(fmt.Sprintf("redundant non-advisory reference to %v", id))
+					}
+				}
+			}
+		}
 	}
 	if advisoryCount > 1 {
 		addIssue("references should contain at most one advisory link")