
feat(vulnfeeds): rewrite debian first version finder and DSA/DLA/DTSA converters in Go #4961

Open

jess-lowe wants to merge 23 commits into google:master from jess-lowe:feat/rewrite-deb-in-go

Conversation

@jess-lowe (Contributor)

I have checked whether semantically the new versions are producing the same output as the last, and they are.

Also moved these out of the vulnfeeds/tools directory and into go/cmd/first-version-finder and vulnfeeds/cmd/converters/dsa-dla-dtsa respectively

@jess-lowe jess-lowe requested a review from michaelkedar March 4, 2026 02:25
@jess-lowe (Contributor, Author)

/gemini review

@gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request rewrites the Debian feed tools from Python to Go, aiming to improve performance and maintainability. A critical security concern has been identified: a potential command injection vulnerability in the run_convert_debian.sh script due to unquoted environment variables. Furthermore, the review highlighted critical issues related to incorrect paths in the Dockerfiles and script arguments, which are likely to cause build and script failures. To enhance robustness, suggestions include adding timeouts to HTTP requests and validating command-line flags. Addressing these points will ensure a solid and reliable Go implementation.
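As an added example (not code from the PR or from the bot's review), the shell pattern behind the "unquoted environment variables" finding: an unquoted expansion is split on whitespace and glob-expanded before the callee sees it, whereas quoting plus validation keeps an environment value as a single, vetted argument. The variable names DEB_OUTPUT_DIR and CONVERTER and all helper functions are hypothetical, chosen for illustration.

```shell
#!/bin/sh
# Added example, not the PR's run_convert_debian.sh. Demonstrates the weak and
# hardened ways of passing an environment value from a wrapper script.

# argc prints how many arguments it received; used to show word splitting.
argc() { echo "$#"; }

# Weak: an unquoted expansion is split on whitespace and glob-expanded, so a
# value such as "a b c" reaches the callee as three separate arguments.
pass_unquoted() { argc $1; }

# Hardened: quoting delivers the value as exactly one argument.
pass_quoted() { argc "$1"; }

# validate_dir accepts only a conservative output-directory form: non-empty,
# not starting with "-" (would be parsed as an option), no whitespace or
# shell-special characters, and no ".." path components.
# Returns 0 on accept, 1 on reject.
validate_dir() {
  case "$1" in
    '' | -* | *[!A-Za-z0-9_./-]* | *..*) return 1 ;;
    *) return 0 ;;
  esac
}

# run_converter shows the full pattern: validate the environment value first,
# then pass it quoted. CONVERTER is a placeholder for the converter binary and
# defaults to echo so the example runs stand-alone.
run_converter() {
  dir=${DEB_OUTPUT_DIR:-}
  validate_dir "$dir" || { echo "invalid DEB_OUTPUT_DIR" >&2; return 2; }
  "${CONVERTER:-echo}" "$dir"
}
```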

@michaelkedar (Member) left a comment

I've not reviewed the go code yet, but a couple of comments for the infra stuff

@michaelkedar (Member)

Need to update build-and-stage.yaml to build the two new images (and add the new one here)

You'll also need to change the base kubernetes configs to remove the command and make them use a different named image

@jess-lowe jess-lowe force-pushed the feat/rewrite-deb-in-go branch from b6fcbf7 to 181140f Compare March 5, 2026 03:46
@michaelkedar (Member) left a comment

seems alright, but this is quite hard to follow with the comments stripped

@jess-lowe jess-lowe requested a review from michaelkedar March 10, 2026 02:36
@michaelkedar (Member) left a comment

seems good to me

return generateVulnerabilities(advisories)
}

func cloneRepo(url, dest string) error {
@michaelkedar (Member) commented on the snippet above

not worth it right now, but maybe this should be using the gitter
