x/vulndb: add cve publish and record commands

Adds a new command, cve publish, which can be used to publish CVE
Records to MITRE from YAML reports or JSON files. Also adds a cve record
command to look up existing CVE records by ID. The commands are
currently only supported in the test environment as the MITRE API does
not yet support the commands in production.

To support these commands, this CL also contains logic to convert YAML
report files to the new CVE JSON 5.0 format.

For golang/go#53256

Change-Id: I024bb18a2ece851724ca97f2f6d77f6aafc956b0
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/411514
Reviewed-by: Tatiana Bradley <[email protected]>
Reviewed-by: Julie Qiu <[email protected]>

Author: Tatiana Bradley

cmd/cve/main.go

@@ -7,15 +7,20 @@
 package main
 
 import (
+	"bufio"
+	"encoding/json"
 	"errors"
 	"flag"
 	"fmt"
 	"log"
 	"os"
 	"regexp"
+	"strings"
 	"time"
 
 	"golang.org/x/vulndb/internal/cveclient"
+	"golang.org/x/vulndb/internal/cveschema5"
+	"golang.org/x/vulndb/internal/report"
 )
 
 var (
@@ -34,6 +39,9 @@ var (
 	// flags for the list command
 	listState = flag.String("state", "", "list: filter by CVE state (RESERVED, PUBLIC, or REJECT)")
 
+	// flags for the publish command
+	publishUpdate = flag.Bool("update", false, "publish: if true, update an existing CVE Record")
+
 	// flags that apply to multiple commands
 	year = flag.Int("year", 0, "reserve: the CVE ID year for newly reserved CVE IDs (default is current year)\nlist: filter by the year in the CVE ID")
 )
@@ -47,6 +55,8 @@ func main() {
 		fmt.Fprintf(out, formatCmd, "[-n] [-seq] [-year] reserve", "reserves new CVE IDs")
 		fmt.Fprintf(out, formatCmd, "quota", "outputs the CVE ID quota of the authenticated organization")
 		fmt.Fprintf(out, formatCmd, "id {cve-id}", "outputs details on an assigned CVE ID (CVE-YYYY-NNNN)")
+		fmt.Fprintf(out, formatCmd, "record {cve-id}", "outputs the record associated with a CVE ID (CVE-YYYY-NNNN)")
+		fmt.Fprintf(out, formatCmd, "[-update] publish {filename}", "publishes a CVE Record from a YAML or JSON file")
 		fmt.Fprintf(out, formatCmd, "org", "outputs details on the authenticated organization")
 		fmt.Fprintf(out, formatCmd, "[-year] [-state] list", "lists all CVE IDs for an organization")
 		flag.PrintDefaults()
@@ -111,6 +121,35 @@ func main() {
 		if err := lookupID(c, id); err != nil {
 			log.Fatalf("cve id: could not retrieve CVE IDs due to error:\n  %v", err)
 		}
+	case "record":
+		id, err := validateID(flag.Arg(1))
+		if err != nil {
+			logUsageErr("cve record", err)
+		}
+		// TODO(https://go.dev/issue/53256): Remove when record lookup is
+		// supported by CVE Services API.
+		if !*test {
+			logUnsupportedErr("cve record")
+		}
+		if err := lookupRecord(c, id); err != nil {
+			log.Fatalf("cve record: could not retrieve CVE record due to error:\n  %v", err)
+		}
+	case "publish":
+		filename := flag.Arg(1)
+		if filename == "" {
+			logUsageErr("cve publish", errors.New("filename must be provided"))
+		}
+		if !strings.HasSuffix(filename, ".json") && !strings.HasSuffix(filename, ".yaml") {
+			logUsageErr("cve publish", errors.New("filename must end in '.json' or '.yaml'"))
+		}
+		// TODO(https://go.dev/issue/53256): Remove when record publish is
+		// supported by CVE Services API.
+		if !*test {
+			logUnsupportedErr("cve publish")
+		}
+		if err := publish(c, filename, *publishUpdate); err != nil {
+			log.Fatalf("cve publish: could not publish CVE record due to error:\n %v", err)
+		}
 	case "org":
 		if err := lookupOrg(c); err != nil {
 			log.Fatalf("cve org: could not retrieve org info due to error:\n  %v", err)
@@ -141,6 +180,10 @@ func logUsageErr(context string, err error) {
 	os.Exit(1)
 }
 
+func logUnsupportedErr(context string) {
+	log.Fatalf("%s: command not yet supported by MITRE CVE Services API", context)
+}
+
 func getCurrentYear() int {
 	year, _, _ := time.Now().Date()
 	return year
@@ -200,11 +243,78 @@ func lookupOrg(c *cveclient.Client) error {
 }
 
 func lookupID(c *cveclient.Client, id string) error {
-	cve, err := c.RetrieveID(id)
+	assigned, err := c.RetrieveID(id)
 	if err != nil {
 		return err
 	}
-	fmt.Println(cve)
+	// Display the retrieved CVE ID metadata.
+	fmt.Println(assigned)
+	return nil
+}
+
+const cveRecordLink = "https://cve.mitre.org/cgi-bin/cvename.cgi?name="
+
+func recordToString(r *cveschema5.CVERecord) string {
+	s, err := json.MarshalIndent(r, "", " ")
+	if err != nil {
+		s = []byte(fmt.Sprint(r))
+	}
+	return string(s)
+}
+
+func lookupRecord(c *cveclient.Client, id string) error {
+	record, err := c.RetrieveRecord(id)
+	if err != nil {
+		return err
+	}
+	// Display the retrieved CVE record.
+	fmt.Println(recordToString(record))
+	return nil
+}
+
+func publish(c *cveclient.Client, filename string, update bool) (err error) {
+	var toPublish *cveschema5.CVERecord
+	switch {
+	case strings.HasSuffix(filename, ".yaml"):
+		toPublish, err = report.ToCVE5(filename)
+		if err != nil {
+			return err
+		}
+	case strings.HasSuffix(filename, ".json"):
+		toPublish, err = cveschema5.Read(filename)
+		if err != nil {
+			return err
+		}
+	default:
+		return errors.New("filename must end in '.json' or '.yaml'")
+	}
+
+	reader := bufio.NewReader(os.Stdin)
+	fmt.Printf("ready to publish:\n%s\ncontinue? (y/N)\n", recordToString(toPublish))
+	text, _ := reader.ReadString('\n')
+	if text != "y\n" {
+		fmt.Println("exiting")
+		return nil
+	}
+
+	var (
+		published *cveschema5.CVERecord
+		action    string
+	)
+	if update {
+		published, err = c.UpdateRecord(toPublish.Metadata.ID, &toPublish.Containers)
+		if err != nil {
+			return err
+		}
+		action = "update"
+	} else {
+		published, err = c.CreateRecord(toPublish.Metadata.ID, &toPublish.Containers)
+		if err != nil {
+			return err
+		}
+		action = "create"
+	}
+	fmt.Printf("successfully %sd record for %s:\n%v\nlink: %s%s\n", action, published.Metadata.ID, recordToString(published), cveRecordLink, published.Metadata.ID)
 	return nil
 }
 

internal/cveclient/cveclient.go

@@ -7,6 +7,7 @@
 package cveclient
 
 import (
+	"bytes"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -15,6 +16,8 @@ import (
 	"strconv"
 	"strings"
 	"time"
+
+	"golang.org/x/vulndb/internal/cveschema5"
 )
 
 const (
@@ -128,12 +131,13 @@ func (o *ReserveOptions) getURLParams(org string) url.Values {
 }
 
 func (c *Client) createReserveIDsRequest(opts ReserveOptions) (*http.Request, error) {
-	req, err := c.createRequest(http.MethodPost, c.getURL(cveIDTarget))
+	req, err := c.createRequest(http.MethodPost,
+		c.getURL(cveIDTarget), nil)
 	if err != nil {
 		return nil, err
 	}
 	req.URL.RawQuery = opts.getURLParams(c.Org).Encode()
-	return req, nil
+	return req, err
 }
 
 type reserveIDsResponse struct {
@@ -169,16 +173,61 @@ type Quota struct {
 
 // RetrieveQuota queries the API for the organizations reservation quota.
 func (c *Client) RetrieveQuota() (q *Quota, err error) {
-	err = c.queryAPI(http.MethodGet, c.getURL(orgTarget, c.Org, quotaTarget), &q)
+	err = c.queryAPI(http.MethodGet, c.getURL(orgTarget, c.Org, quotaTarget), nil, &q)
 	return
 }
 
 // RetrieveID requests information about an assigned CVE ID.
 func (c *Client) RetrieveID(id string) (cve *AssignedCVE, err error) {
-	err = c.queryAPI(http.MethodGet, c.getURL(cveIDTarget, id), &cve)
+	err = c.queryAPI(http.MethodGet, c.getURL(cveIDTarget, id), nil, &cve)
+	return
+}
+
+// RetrieveRecord requests a CVE record.
+func (c *Client) RetrieveRecord(id string) (cve *cveschema5.CVERecord, err error) {
+	err = c.queryAPI(http.MethodGet, c.getURL(cveTarget, id, cnaTarget), nil, &cve)
 	return
 }
 
+func (c *Client) getCVERecordEndpoint(cveID string) string {
+	return c.getURL(cveTarget, cveID, cnaTarget)
+}
+
+type recordRequestBody struct {
+	CNAContainer cveschema5.CNAPublishedContainer `json:"cnaContainer"`
+}
+type createResponse struct {
+	Created cveschema5.CVERecord `json:"created"`
+}
+
+func (c *Client) CreateRecord(id string, record *cveschema5.Containers) (*cveschema5.CVERecord, error) {
+	requestBody := recordRequestBody{
+		CNAContainer: record.CNAContainer,
+	}
+	var response createResponse
+	err := c.queryAPI(http.MethodPost, c.getCVERecordEndpoint(id), requestBody, &response)
+	if err != nil {
+		return nil, err
+	}
+	return &response.Created, nil
+}
+
+type updateResponse struct {
+	Updated cveschema5.CVERecord `json:"updated"`
+}
+
+func (c *Client) UpdateRecord(id string, record *cveschema5.Containers) (*cveschema5.CVERecord, error) {
+	requestBody := recordRequestBody{
+		CNAContainer: record.CNAContainer,
+	}
+	var response updateResponse
+	err := c.queryAPI(http.MethodPut, c.getCVERecordEndpoint(id), requestBody, &response)
+	if err != nil {
+		return nil, err
+	}
+	return &response.Updated, nil
+}
+
 type Org struct {
 	Name      string `json:"name"`
 	ShortName string `json:"short_name"`
@@ -187,7 +236,7 @@ type Org struct {
 
 // RetrieveOrg requests information about an organization.
 func (c *Client) RetrieveOrg() (org *Org, err error) {
-	err = c.queryAPI(http.MethodGet, c.getURL(orgTarget, c.Org), &org)
+	err = c.queryAPI(http.MethodGet, c.getURL(orgTarget, c.Org), nil, &org)
 	return
 }
 
@@ -257,8 +306,8 @@ type listOrgCVEsResponse struct {
 	CVEs        AssignedCVEList `json:"cve_ids"`
 }
 
-func (c Client) createListOrgCVEsRequest(opts *ListOptions, page int) (*http.Request, error) {
-	req, err := c.createRequest(http.MethodGet, c.getURL(cveIDTarget))
+func (c Client) createListOrgCVEsRequest(opts *ListOptions, page int) (req *http.Request, err error) {
+	req, err = c.createRequest(http.MethodGet, c.getURL(cveIDTarget), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -267,7 +316,7 @@ func (c Client) createListOrgCVEsRequest(opts *ListOptions, page int) (*http.Req
 		params.Set("page", fmt.Sprint(page))
 	}
 	req.URL.RawQuery = params.Encode()
-	return req, nil
+	return
 }
 
 // ListOrgCVEs requests information about the CVEs the organization has been
@@ -294,8 +343,8 @@ func (c *Client) ListOrgCVEs(opts *ListOptions) (AssignedCVEList, error) {
 	return cves, nil
 }
 
-func (c *Client) queryAPI(method, url string, response any) error {
-	req, err := c.createRequest(method, url)
+func (c *Client) queryAPI(method, url string, requestBody any, response any) error {
+	req, err := c.createRequest(method, url, requestBody)
 	if err != nil {
 		return err
 	}
@@ -313,14 +362,23 @@ var (
 )
 
 // createRequest creates a new HTTP request and sets the header fields.
-func (c *Client) createRequest(method, url string) (*http.Request, error) {
-	req, err := http.NewRequest(method, url, nil)
+func (c *Client) createRequest(method, url string, body any) (*http.Request, error) {
+	var r io.Reader
+	if body != nil {
+		b, err := json.Marshal(body)
+		if err != nil {
+			return nil, err
+		}
+		r = bytes.NewReader(b)
+	}
+	req, err := http.NewRequest(method, url, r)
 	if err != nil {
 		return nil, err
 	}
 	req.Header.Set(headerApiUser, c.User)
 	req.Header.Set(headerApiOrg, c.Org)
 	req.Header.Set(headerApiKey, c.Key)
+	req.Header.Set("Content-Type", "application/json")
 	return req, nil
 }
 
@@ -352,18 +410,30 @@ func (c *Client) sendRequest(req *http.Request, checkStatus func(int) bool, resu
 }
 
 var (
+	cveTarget   = "cve"
 	cveIDTarget = "cve-id"
 	orgTarget   = "org"
 	quotaTarget = "id_quota"
+	cnaTarget   = "cna"
 )
 
 func (c *Client) getURL(targets ...string) string {
 	return fmt.Sprintf("%s/api/%s", c.Endpoint, strings.Join(targets, "/"))
 }
 
 type apiError struct {
-	Error   string `json:"error"`
-	Message string `json:"message"`
+	Error   string         `json:"error"`
+	Message string         `json:"message"`
+	Detail  apiErrorDetail `json:"details"`
+}
+
+type apiErrorDetail struct {
+	Errors []apiErrorInner `json:"errors"`
+}
+
+type apiErrorInner struct {
+	InstancePath string `json:"instancePath"`
+	Message      string `json:"message"`
 }
 
 // extractError extracts additional error messages from the HTTP response
@@ -372,13 +442,11 @@ func extractError(resp *http.Response) error {
 	errMsg := resp.Status
 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
-		// Discard the read error and return the HTTP status.
-		return fmt.Errorf(errMsg)
+		return fmt.Errorf("%s: could not read error data: %s", errMsg, err)
 	}
 	var apiErr apiError
 	if err := json.Unmarshal(body, &apiErr); err != nil {
-		// Discard the unmarshal error and return the HTTP status.
-		return fmt.Errorf(errMsg)
+		return fmt.Errorf("%s: could not unmarshal error: %s", errMsg, err)
 	}
 
 	// Append the error and message text if they add extra information
@@ -389,5 +457,10 @@ func extractError(resp *http.Response) error {
 			errMsg = fmt.Sprintf("%s: %s", errMsg, errText)
 		}
 	}
+
+	for _, detail := range apiErr.Detail.Errors {
+		errMsg = fmt.Sprintf("%s\n  %s: %s", errMsg, detail.InstancePath, detail.Message)
+	}
+
 	return fmt.Errorf(errMsg)
 }