feat: add vulnupdatelist hack script

Signed-off-by: bwplotka <bwplotka@google.com>

Author: bwplotka

go.mod

@@ -337,6 +337,8 @@ require (
 )
 
 replace (
+	// Bump unitl we upgrade Prometheus deps.
+	github.com/prometheus/common => github.com/prometheus/common v0.61.0
 	// Go modules keeps resetting the version to a random unversioned commit.
 	// So this is required for unknown reasons.
 	github.com/prometheus/prometheus => github.com/prometheus/prometheus v0.45.2

go.sum

@@ -0,0 +1,14 @@
+module github.com/GoogleCloudPlatform/promethue-engine/hack
+
+go 1.24.0
+
+require (
+	github.com/Masterminds/semver/v3 v3.3.1
+	github.com/stretchr/testify v1.10.0
+)
+
+require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)

hack/go.mod

@@ -0,0 +1,140 @@
+// package main implements vulnupdatelist script.
+//
+// Run this script to list all the vulnerable Go modules to upgrade.
+// Compared to govulncheck binary, it also checks severity and groups the results
+// into clear table per module to upgrade.
+//
+// Example use:
+//
+//	go run ./... \
+//		-go-version=1.23.0 \
+//		-only-fixed \
+//		-dir=../../../prometheus \
+//		-nvd-api-key="$(cat ./api.text)" | tee vuln.txt
+package main
+
+import (
+	"bytes"
+	"flag"
+	"fmt"
+	"log"
+	"log/slog"
+	"os"
+	"os/exec"
+	"path/filepath"
+
+	"github.com/Masterminds/semver/v3"
+)
+
+var (
+	goVersion = flag.String("go-version", "", "Go version to test vulnerabilities in (stdlib). Otherwise the `go env GOVERSION` is used")
+	dir       = flag.String("dir", ".", "Where to run the script from")
+	nvdAPIKey = flag.String("nvd-api-key", "", "API Key for avoiding rate-limiting on severity checks; see https://nvd.nist.gov/developers/request-an-api-key")
+	onlyFixed = flag.Bool("only-fixed", false, "Don't print vulnerable modules without fixed version; note: fixed version often means sometimes that a new major version contains a fix.")
+)
+
+// UpdateList presents the minimum version to upgrade to solve all CVEs with
+// a fixed version. The CVE refers to the important CVE.
+// For example critical CVE 1 is fixed in v0.5.1 and low is fixed in v0.10.1.
+// TODO(bwplotka): Logically, there might be cases where low contains heavy breaking changes that we can't fix easily; add option to print those too.
+type UpdateList struct {
+	CVE            CVE // If CVE has +<number> suffix, it means the top CVE.
+	AdditionalCVEs int // Lower priority CVEs included in the "fixed" version.
+	Module         string
+	FixedVersion   *semver.Version
+	Version        string
+}
+
+func (u UpdateList) String() string {
+	fixedVersion := "???"
+	if u.FixedVersion != nil {
+		fixedVersion = u.FixedVersion.String()
+	}
+	if u.AdditionalCVEs > 0 {
+		return fmt.Sprintf("%s %s@%s %s(+%d more) now@%s", u.CVE.Severity, u.Module, fixedVersion, u.CVE.ID, u.AdditionalCVEs, u.Version)
+	}
+	return fmt.Sprintf("%s %s@%s %s now@%s", u.CVE.Severity, u.Module, fixedVersion, u.CVE.ID, u.Version)
+}
+
+func main() {
+	flag.Parse()
+
+	workDir, err := filepath.Abs(*dir)
+	if err != nil {
+		log.Fatalf("Failed to resolve work dir: %v", err)
+	}
+	slog.Info("Running vulnupdatelist", "dir", workDir)
+
+	if err := ensureGovulncheck(workDir); err != nil {
+		log.Fatalf("Failed to ensure govulncheck is installed: %v", err)
+	}
+
+	slog.Info("Running govulncheck... ")
+	vulnJSON, err := runGovulncheck(workDir, *goVersion)
+	if err != nil {
+		log.Fatalf("Error running govulncheck: %v", err)
+	}
+
+	if len(vulnJSON) == 0 {
+		slog.Info("govulncheck produced no output; no vulnerabilities found.")
+		os.Exit(0)
+	}
+
+	slog.Info("Parsing vulnerabilities and finding updates...")
+	updates, err := compileUpdateList(bytes.NewReader(vulnJSON), *onlyFixed)
+	if err != nil {
+		log.Fatalf("Error parsing govulncheck output: %v", err)
+	}
+	if len(updates) == 0 {
+		slog.Info("No actionable vulnerabilities with fixed versions found.")
+		os.Exit(0)
+	}
+	for _, up := range updates {
+		fmt.Println(up.String())
+	}
+}
+
+// ensureGovulncheck checks if govulncheck is in the PATH, and installs it if not.
+func ensureGovulncheck(dir string) error {
+	_, err := exec.LookPath("govulncheck")
+	if err == nil {
+		slog.Info("govulncheck is already installed")
+		return nil
+	}
+
+	slog.Info("govulncheck not found. Installing...")
+	cmd := exec.Command("go", "install", "golang.org/x/vuln/cmd/govulncheck@latest")
+	cmd.Dir = dir
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("failed to run 'go install': %w", err)
+	}
+	slog.Info("govulncheck installed successfully.")
+	return nil
+}
+
+// runGovulncheck executes `govulncheck -json ./...` and returns the output.
+func runGovulncheck(dir string, goVersion string) ([]byte, error) {
+	cmd := exec.Command("govulncheck", "--format=json", "./...")
+	if goVersion != "" {
+		cmd.Env = append(os.Environ(), "GOVERSION="+goVersion)
+	}
+
+	cmd.Dir = dir
+	var out bytes.Buffer
+	var stderr bytes.Buffer
+	cmd.Stdout = &out
+	cmd.Stderr = &stderr
+
+	// govulncheck exits with a non-zero status code if vulns are found.
+	// We ignore the exit code and check stderr instead. If stderr is empty,
+	// it's a successful run (even with vulnerabilities).
+	_ = cmd.Run()
+
+	if stderr.Len() > 0 {
+		// Only return an error if stderr is not empty, as this indicates a real execution problem.
+		return nil, fmt.Errorf("govulncheck execution error: %s", stderr.String())
+	}
+	return out.Bytes(), nil
+}

hack/go.sum

@@ -0,0 +1,107 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"log/slog"
+	"net/http"
+	"strings"
+	"time"
+)
+
+// NVDResponse is the top-level object for the NVD CVE API.
+type NVDResponse struct {
+	Vulnerabilities []struct {
+		CVE struct {
+			ID      string `json:"id"`
+			Metrics struct {
+				CVSSMetricV31 []struct {
+					CVSSData struct {
+						BaseSeverity string `json:"baseSeverity"`
+					} `json:"cvssData"`
+				} `json:"cvssMetricV31"`
+			} `json:"metrics"`
+		} `json:"cve"`
+	} `json:"vulnerabilities"`
+}
+
+// getCVSSSeverity fetches vulnerability details from the NVD API and returns the CVSS V3 severity.
+func getCVSSSeverity(apiKey string, cveID string) (string, error) {
+	// https://nvd.nist.gov/developers/vulnerabilities
+	apiURL := fmt.Sprintf("https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=%s", cveID)
+
+	client := &http.Client{Timeout: 15 * time.Second}
+	req, err := http.NewRequest("GET", apiURL, nil)
+	if err != nil {
+		return "", fmt.Errorf("failed to create request: %w", err)
+	}
+	if apiKey != "" {
+		req.Header.Set("apiKey", apiKey)
+	}
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("failed to make request to NVD API: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("NVD API returned non-200 status: %s", resp.Status)
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", fmt.Errorf("failed to read response body: %w", err)
+	}
+
+	var nvdResponse NVDResponse
+	if err := json.Unmarshal(body, &nvdResponse); err != nil {
+		return "", fmt.Errorf("failed to parse JSON from NVD API: %w", err)
+	}
+
+	if len(nvdResponse.Vulnerabilities) > 0 {
+		metrics := nvdResponse.Vulnerabilities[0].CVE.Metrics
+		if len(metrics.CVSSMetricV31) > 0 {
+			return metrics.CVSSMetricV31[0].CVSSData.BaseSeverity, nil
+		}
+	}
+
+	return "UNKNOWN", nil
+}
+
+type CVE struct {
+	ID       string
+	Severity string
+}
+
+func (a CVE) LessThan(b CVE) bool {
+	order := map[string]int{
+		"CRITICAL": 0,
+		"HIGH":     1,
+		"MEDIUM":   2,
+		"UNKNOWN":  3,
+		"":         3,
+	}
+	return order[a.Severity] < order[b.Severity]
+}
+
+func getCVEDetails(apiKey string, osv OSV) CVE {
+	cveID := CVE{Severity: "UNKNOWN"}
+	// Assume ID is GO-... ID and use it as a fallback.
+	for _, a := range osv.Aliases {
+		if strings.HasPrefix(a, "CVE") {
+			cveID.ID = a
+			break
+		}
+	}
+	if cveID.ID == "" {
+		return CVE{ID: osv.ID, Severity: "UNKNOWN"} // Fallback to GO ID.
+	}
+	sev, err := getCVSSSeverity(apiKey, cveID.ID)
+	if err != nil {
+		slog.Error("failed to find severity", "cve", cveID, "err", err)
+	} else {
+		cveID.Severity = sev
+	}
+	return cveID
+}

hack/vulnupdatelist/main.go

@@ -0,0 +1,18 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetCVEDetails(t *testing.T) {
+	t.Skip("depends on NVDE API")
+
+	c := getCVEDetails("", OSV{
+		ID:      "GO-2021-0065",
+		Aliases: []string{"GHSA-jmrx-5g74-6v2f", "CVE-2019-11250"},
+	})
+	require.Equal(t, "CVE-2019-11250", c.ID)
+	require.Equal(t, "MEDIUM", c.Severity)
+}