Extend vulnerabilities verification to metadata (#8412)

drewgillies · web-flow · commit 62bd2c388086 · 2021-03-12T11:51:28.000+10:00
Extend vulnerabilities verification to metadata
diff --git a/src/VerifyGitHubVulnerabilities/Configuration/VerifyGitHubVulnerabilitiesConfiguration.cs b/src/VerifyGitHubVulnerabilities/Configuration/VerifyGitHubVulnerabilitiesConfiguration.cs
@@ -16,5 +16,20 @@ public class VerifyGitHubVulnerabilitiesConfiguration
         /// The personal access token to use to authenticate with GitHub.
         /// </summary>
         public string GitHubPersonalAccessToken { get; set; }
+
+        /// <summary>
+        /// The v3 index URI string for fetching registration metadata
+        /// </summary>
+        public string NuGetV3Index { get; set; }
+
+        /// <summary>
+        /// Whether to verify GitHubVulnerabilities in the gallery database
+        /// </summary>
+        public bool VerifyDatabase { get; set; } = true;
+
+        /// <summary>
+        /// Whether to verify GitHubVulnerabilities in the registration blobs
+        /// </summary>
+        public bool VerifyRegistrationMetadata { get; set; } = true;
     }
 }
diff --git a/src/VerifyGitHubVulnerabilities/Job.cs b/src/VerifyGitHubVulnerabilities/Job.cs
@@ -34,13 +34,13 @@ public override async Task Run()
             Console.WriteLine($" FOUND {advisories.Count} advisories.");
 
             Console.WriteLine("Fetching vulnerabilities from DB...");
-            var verifier = new PackageVulnerabilitiesVerifier(_serviceProvider.GetRequiredService<IEntitiesContext>());
-            var ingestor = new AdvisoryIngestor(verifier, new GitHubVersionRangeParser());
+            var ingestor = _serviceProvider.GetRequiredService<IAdvisoryIngestor>();
             await ingestor.IngestAsync(advisories);
 
+            var verifier = _serviceProvider.GetRequiredService<IPackageVulnerabilitiesVerifier>();
             Console.WriteLine(verifier.HasErrors ? 
                 "DB does not match GitHub API - see stderr output for details" :
-                "DB matches GitHub API!");
+                "DB/metadata matches GitHub API!");
         }
 
         protected override void ConfigureJobServices(IServiceCollection services, IConfigurationRoot configurationRoot)
@@ -68,6 +68,12 @@ protected void ConfigureIngestionServices(ContainerBuilder containerBuilder)
             containerBuilder
                 .RegisterType<AdvisoryIngestor>()
                 .As<IAdvisoryIngestor>();
+
+            containerBuilder
+                .RegisterType<PackageVulnerabilitiesVerifier>()
+                .As<IPackageVulnerabilitiesManagementService>()
+                .As<IPackageVulnerabilitiesVerifier>()
+                .SingleInstance();
         }
 
         protected void ConfigureGalleryServices(ContainerBuilder containerBuilder)
diff --git a/src/VerifyGitHubVulnerabilities/Verify/IPackageVulnerabilitiesVerifier.cs b/src/VerifyGitHubVulnerabilities/Verify/IPackageVulnerabilitiesVerifier.cs
@@ -0,0 +1,20 @@
+﻿// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using NuGet.Services.Entities;
+using NuGetGallery;
+
+namespace VerifyGitHubVulnerabilities.Verify
+{
+    /// <summary>
+    /// We need a <see cref=IPackageVulnerabilitiesManagementService" /> for inserting the verifier into the ingestion job,
+    /// so we extend for our extra reporting data.
+    /// </summary>
+    public interface IPackageVulnerabilitiesVerifier : IPackageVulnerabilitiesManagementService
+    {
+        /// <summary>
+        /// An error flag for verification
+        /// </summary>
+        bool HasErrors { get; }
+    }
+}
diff --git a/src/VerifyGitHubVulnerabilities/Verify/PackageVulnerabilitiesVerifier.cs b/src/VerifyGitHubVulnerabilities/Verify/PackageVulnerabilitiesVerifier.cs
@@ -2,23 +2,42 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
+using System.Collections.Generic;
 using System.Data.Entity;
 using System.Linq;
+using System.Threading;
 using System.Threading.Tasks;
+using NuGet.Configuration;
+using NuGet.Protocol;
+using NuGet.Protocol.Core.Types;
 using NuGet.Services.Entities;
 using NuGet.Versioning;
 using NuGetGallery;
+using VerifyGitHubVulnerabilities.Configuration;
 
 namespace VerifyGitHubVulnerabilities.Verify
 {
-    public class PackageVulnerabilitiesVerifier : IPackageVulnerabilitiesManagementService
+    public class PackageVulnerabilitiesVerifier : IPackageVulnerabilitiesVerifier
     {
+        private readonly VerifyGitHubVulnerabilitiesConfiguration _configuration;
         private readonly IEntitiesContext _entitiesContext;
 
-        public PackageVulnerabilitiesVerifier(
+        private Lazy<Task<PackageMetadataResource>> _packageMetadataResource;
+        private Dictionary<string, IEnumerable<IPackageSearchMetadata>> _packageMetadata;
+
+        private static readonly SemaphoreSlim semaphoreSlim = new SemaphoreSlim(1);
+
+        public PackageVulnerabilitiesVerifier(VerifyGitHubVulnerabilitiesConfiguration configuration,
             IEntitiesContext entitiesContext)
         {
-            _entitiesContext = entitiesContext ?? throw new ArgumentNullException(nameof(entitiesContext));
+            _configuration = configuration;
+            if (_configuration.VerifyDatabase)
+            {
+                _entitiesContext = entitiesContext;
+            }
+
+            _packageMetadata = new Dictionary<string, IEnumerable<IPackageSearchMetadata>>();
+            _packageMetadataResource = new Lazy<Task<PackageMetadataResource>>(InitializeMetadataResourceAsync);
         }
 
         public bool HasErrors { get; private set; }
@@ -36,7 +55,26 @@ public Task UpdateVulnerabilityAsync(PackageVulnerability vulnerability, bool wi
                 return Task.CompletedTask;
             }
 
-            Console.WriteLine($"Verifying vulnerability {vulnerability.GitHubDatabaseKey}.");
+            if (_configuration.VerifyDatabase)
+            {
+                VerifyVulnerabilityInDatabase(vulnerability, withdrawn);
+            }
+
+            // Note: testing a withdrawn advisory isn't practical in registration metadata. We can only download
+            // metadata for a package, and would need to download all package/version blobs to determine an advisory
+            // is no longer present. Covering withdrawn advisory processing in the database will be adequate.
+            if (_configuration.VerifyRegistrationMetadata && !withdrawn)
+            {
+                return VerifyVulnerabilityInMetadataAsync(vulnerability);
+            }
+
+            return Task.CompletedTask;
+        }
+
+        private void VerifyVulnerabilityInDatabase(PackageVulnerability vulnerability, bool withdrawn)
+        {
+            Console.WriteLine($"[Database] Verifying vulnerability {vulnerability.GitHubDatabaseKey}.");
+
             var existingVulnerability = _entitiesContext.Vulnerabilities
                 .Include(v => v.AffectedRanges)
                 .SingleOrDefault(v => v.GitHubDatabaseKey == vulnerability.GitHubDatabaseKey);
@@ -46,47 +84,47 @@ public Task UpdateVulnerabilityAsync(PackageVulnerability vulnerability, bool wi
                 if (existingVulnerability != null)
                 {
                     Console.Error.WriteLine(withdrawn ?
-                        $@"Vulnerability advisory {vulnerability.GitHubDatabaseKey} was withdrawn and should not be in DB!" :
-                        $@"Vulnerability advisory {vulnerability.GitHubDatabaseKey} affects no packages and should not be in DB!");
+                        $@"[Database] Vulnerability advisory {vulnerability.GitHubDatabaseKey} was withdrawn and should not be in DB!" :
+                        $@"[Database] Vulnerability advisory {vulnerability.GitHubDatabaseKey} affects no packages and should not be in DB!");
                     HasErrors = true;
                 }
 
-                return Task.CompletedTask;
+                return;
             }
 
             if (existingVulnerability == null)
             {
-                Console.Error.WriteLine($"Cannot find vulnerability {vulnerability.GitHubDatabaseKey} in DB!");
+                Console.Error.WriteLine($"[Database] Cannot find vulnerability {vulnerability.GitHubDatabaseKey} in DB!");
                 HasErrors = true;
-                return Task.CompletedTask;
+                return;
             }
 
             if (existingVulnerability.Severity != vulnerability.Severity)
             {
                 Console.Error.WriteLine(
-                    $@"Vulnerability advisory {vulnerability.GitHubDatabaseKey
+                    $@"[Database] Vulnerability advisory {vulnerability.GitHubDatabaseKey
                     }, severity does not match! GitHub: {vulnerability.Severity}, DB: {existingVulnerability.Severity}");
                 HasErrors = true;
             }
 
             if (existingVulnerability.AdvisoryUrl != vulnerability.AdvisoryUrl)
             {
                 Console.Error.WriteLine(
-                    $@"Vulnerability advisory {vulnerability.GitHubDatabaseKey
+                    $@"[Database] Vulnerability advisory {vulnerability.GitHubDatabaseKey
                     }, advisory URL does not match! GitHub: {vulnerability.AdvisoryUrl}, DB: { existingVulnerability.AdvisoryUrl}");
                 HasErrors = true;
             }
 
             foreach (var range in vulnerability.AffectedRanges)
             {
-                Console.WriteLine($"Verifying range affecting {range.PackageId} {range.PackageVersionRange}.");
+                Console.WriteLine($"[Database] Verifying range affecting {range.PackageId} {range.PackageVersionRange}.");
                 var existingRange = existingVulnerability.AffectedRanges
                     .SingleOrDefault(r => r.PackageId == range.PackageId && r.PackageVersionRange == range.PackageVersionRange);
 
                 if (existingRange == null)
                 {
                     Console.Error.WriteLine(
-                        $@"Vulnerability advisory {vulnerability.GitHubDatabaseKey
+                        $@"[Database] Vulnerability advisory {vulnerability.GitHubDatabaseKey
                         }, cannot find range {range.PackageId} {range.PackageVersionRange} in DB!");
                     HasErrors = true;
                     continue;
@@ -95,7 +133,7 @@ public Task UpdateVulnerabilityAsync(PackageVulnerability vulnerability, bool wi
                 if (existingRange.FirstPatchedPackageVersion != range.FirstPatchedPackageVersion)
                 {
                     Console.Error.WriteLine(
-                        $@"Vulnerability advisory {vulnerability.GitHubDatabaseKey
+                        $@"[Database] Vulnerability advisory {vulnerability.GitHubDatabaseKey
                         }, range {range.PackageId} {range.PackageVersionRange}, first patched version does not match! GitHub: {
                         range.FirstPatchedPackageVersion}, DB: {range.FirstPatchedPackageVersion}");
                     HasErrors = true;
@@ -113,15 +151,153 @@ public Task UpdateVulnerabilityAsync(PackageVulnerability vulnerability, bool wi
                     if (versionRange.Satisfies(version) != package.VulnerablePackageRanges.Contains(existingRange))
                     {
                         Console.Error.WriteLine(
-                            $@"Vulnerability advisory {vulnerability.GitHubDatabaseKey
+                            $@"[Database] Vulnerability advisory {vulnerability.GitHubDatabaseKey
                             }, range {range.PackageId} {range.PackageVersionRange}, package {package.NormalizedVersion
                             } is not properly marked vulnerable to vulnerability!");
                         HasErrors = true;
                     }
                 }
             }
+        }
 
-            return Task.CompletedTask;
+        private Task VerifyVulnerabilityInMetadataAsync(PackageVulnerability gitHubAdvisory)
+        {
+            Console.WriteLine($"[Metadata] Verifying vulnerability {gitHubAdvisory.GitHubDatabaseKey}.");
+
+            if (gitHubAdvisory.AffectedRanges == null || !gitHubAdvisory.AffectedRanges.Any())
+            {
+                return Task.CompletedTask;
+            }
+
+            // Group ranges by id -- this makes testing metadata collections cleaner
+            var rangesById = new Dictionary<string, IList<string>>();
+            foreach (var range in gitHubAdvisory.AffectedRanges)
+            {
+                var id = range.PackageId.Trim(' '); // some incoming data needs cleaning
+                if (rangesById.TryGetValue(id, out var packageVersionRangeForId))
+                {
+                    packageVersionRangeForId.Add(range.PackageVersionRange);
+                }
+                else
+                {
+                    rangesById[id] = new List<string> {range.PackageVersionRange};
+                }
+            }
+
+            var verificationJobsForAdvisory = new List<Task>();
+            foreach (var rangeById in rangesById)
+            {
+                verificationJobsForAdvisory.Add(
+                    VerifyVulnerabilityForRangeAsync(
+                        rangeById.Key,
+                        ranges: rangeById.Value,
+                        gitHubAdvisory.AdvisoryUrl,
+                        gitHubAdvisory.GitHubDatabaseKey,
+                        gitHubAdvisory.Severity)
+                );
+            }
+
+            return Task.WhenAll(verificationJobsForAdvisory);
+        }
+
+        private async Task VerifyVulnerabilityForRangeAsync(
+            string packageId,
+            IList<string> ranges,
+            string advisoryUrl, 
+            int advisoryDatabaseKey, 
+            PackageVulnerabilitySeverity advisorySeverity)
+        {
+            // Fetch metadata from registration blobs for verification--a collection of all versions of the package Id
+            var metadata = await GetPackageMetadataAsync(packageId);
+            foreach (var versionMetadata in metadata)
+            {
+                var matchingVulnerabilities = Enumerable.Empty<PackageVulnerabilityMetadata>();
+                if (versionMetadata.Vulnerabilities != null)
+                {
+                    matchingVulnerabilities = versionMetadata.Vulnerabilities.Where(v => v.AdvisoryUrl.ToString() == advisoryUrl);
+                }
+
+                var hasTheVulnerability = matchingVulnerabilities.Any();
+
+                // Check whether a version range pertaining to this id in the github advisory is satisfied by this metadata version
+                var versionisInGitHubRange = false;
+                foreach (var range in ranges)
+                {
+                    var gitHubVersionRange = VersionRange.Parse(range);
+                    if (gitHubVersionRange.Satisfies(versionMetadata.Identity.Version, new VersionComparer()))
+                    {
+                        versionisInGitHubRange = true;
+                        break;
+                    }
+                }
+
+                if (versionisInGitHubRange)
+                {
+                    if (!hasTheVulnerability)
+                    {
+                        Console.Error.WriteLine(
+                            $@"[Metadata] Vulnerability advisory {advisoryDatabaseKey
+                                }, version {versionMetadata.Identity.Version} of package {packageId} is not marked vulnerable and is in a vulnerable range!");
+                        HasErrors = true;
+                    }
+
+                    // Test whether we have any severity mismatches
+                    var firstSeverityMismatch = matchingVulnerabilities
+                        .FirstOrDefault(v => v.Severity != (int)advisorySeverity);
+                    if (firstSeverityMismatch != null)
+                    {
+                        Console.Error.WriteLine(
+                            $@"[Metadata] Vulnerability advisory {advisoryDatabaseKey
+                                }, severities has at least one mismatch! GitHub: {advisorySeverity}, Metadata: {firstSeverityMismatch.Severity}");
+                        HasErrors = true;
+                    }
+                }
+                else
+                {
+                    if (hasTheVulnerability)
+                    {
+                        Console.Error.WriteLine(
+                            $@"[Metadata] Vulnerability advisory {advisoryDatabaseKey
+                                }, version {versionMetadata} of package {packageId} is marked vulnerable and is not in a vulnerable range!");
+                        HasErrors = true;
+                    }
+                }
+            }
+        }
+
+        private async Task<IEnumerable<IPackageSearchMetadata>> GetPackageMetadataAsync(string packageId)
+        {
+            // We need this to be thread-safe as it's called by multiple tasks concurrently
+            await semaphoreSlim.WaitAsync();
+
+            try
+            {
+                if (!_packageMetadata.TryGetValue(packageId, out IEnumerable<IPackageSearchMetadata> metadata))
+                {
+                    metadata = (await (await _packageMetadataResource.Value).GetMetadataAsync(
+                        packageId,
+                        includePrerelease: true,
+                        includeUnlisted: false,
+                        sourceCacheContext: new SourceCacheContext(),
+                        log: NuGet.Common.NullLogger.Instance,
+                        token: CancellationToken.None)).ToList();
+                    _packageMetadata[packageId] = metadata;
+                }
+
+                return metadata;
+            }
+            finally
+            {
+                semaphoreSlim.Release();
+            }
+        }
+
+        private async Task<PackageMetadataResource> InitializeMetadataResourceAsync()
+        {
+            var providers = Repository.Provider.GetCoreV3();
+            var packageSource = new PackageSource(_configuration.NuGetV3Index, "NuGet Source", isEnabled: true);
+            var sourceRepository = Repository.CreateSource(providers, packageSource, FeedType.Undefined);
+            return await sourceRepository.GetResourceAsync<PackageMetadataResource>(CancellationToken.None);
         }
     }
 }
diff --git a/src/VerifyGitHubVulnerabilities/VerifyGitHubVulnerabilities.csproj b/src/VerifyGitHubVulnerabilities/VerifyGitHubVulnerabilities.csproj
@@ -49,6 +49,7 @@
     <Compile Include="Job.cs" />
     <Compile Include="Program.cs" />
     <Compile Include="Properties\AssemblyInfo.cs" />
+    <Compile Include="Verify\IPackageVulnerabilitiesVerifier.cs" />
     <Compile Include="Verify\PackageVulnerabilitiesVerifier.cs" />
   </ItemGroup>
   <ItemGroup>
