feat(vulnfeeds): rewrite debian first version finder and DSA/DLA/DTSA converters in Go#4961
Conversation
|
/gemini review |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request rewrites the Debian feed tools from Python to Go, aiming to improve performance and maintainability. A critical security concern has been identified: a potential command injection vulnerability in the run_convert_debian.sh script due to unquoted environment variables. Furthermore, the review highlighted critical issues related to incorrect paths in the Dockerfiles and script arguments, which are likely to cause build and script failures. To enhance robustness, suggestions include adding timeouts to HTTP requests and validating command-line flags. Addressing these points will ensure a solid and reliable Go implementation.
michaelkedar
left a comment
michaelkedar
left a comment
There was a problem hiding this comment.
I've not reviewed the go code yet, but a couple of comments for the infra stuff
|
Need to update build-and-stage.yaml to build the two new images (and add the new one here) You'll also need to change the base kubernetes configs to remove the command |
jess-lowe
force-pushed
the
feat/rewrite-deb-in-go
branch
from
b6fcbf7 to
181140f
Compare
michaelkedar
left a comment
michaelkedar
left a comment
There was a problem hiding this comment.
seems alright, but this is quite hard to follow with the comments stripped
| return generateVulnerabilities(advisories) | ||
| } | ||
|
|
||
| func cloneRepo(url, dest string) error { |
There was a problem hiding this comment.
not worth it right now, but maybe this should be using the gitter
jess-lowe
added
the
await release
Cron job wasn't running as it should since #4961 was merged
… converters in Go (google#4961) I have checked whether semantically the new versions are producing the same output as the last, and they are. Also moved these out of the vulnfeeds/tools directory and into go/cmd/first-version-finder and vulnfeeds/cmd/converters/dsa-dla-dtsa respectively
Cron job wasn't running as it should since google#4961 was merged
3 participants
I have checked whether semantically the new versions are producing the same output as the last, and they are.
Also moved these out of the vulnfeeds/tools directory and into go/cmd/first-version-finder and vulnfeeds/cmd/converters/dsa-dla-dtsa respectively