Cache file (#8)

Replaced SQLite with YAML file cache

Author: c4s4

README.md

@@ -10,7 +10,7 @@ This tool parses Go binary dependencies and calls [NVD database](https://nvd.nis
 4. [Cache](#cache)
     - [Memcachier](#memcachier)
     - [Memcached](#memcached)
-    - [SQLite](#sqlite)
+    - [File](#file)
 5. [Versions](#versions)
 6. [How to Fix Vulnerabilities](#how-to-fix-vulnerabilities)
 7. [Information about vulnerabilities](#information-about-vulnerabilities)
@@ -93,6 +93,9 @@ memcachier:
 memcached:
   address:    127.0.0.1:11211
   expiration: 86400
+file:
+  name:       ~/.gobinsec-cache.yml
+  expiration: 86400
 ignore:
 - "CVE-2020-14040"
 ```
@@ -103,6 +106,7 @@ Configuration fields are the following:
 - **strict**: tells if we should consider vulnerability matches without version as matching dependency
 - **memcachier** is the configuration for *memcachier*, with **address**, **expiration** (time in seconds), **username** and **password**
 - **memcached** is the configuration for *memcached*, with **address** and **expiration** time in seconds
+- **file** is the configuration for *file* cache, with **name** and **expiration** time in seconds
 - **ignore**: a list of CVE vulnerabilities to ignore
 
 You can also set NVD API Key in your environment with variable *NVD_API_KEY*. This key may be overwritten with value in configuration file. Your API key must be set in environment to be able to run integration tests (with target *integ*).
@@ -113,55 +117,55 @@ Note that without API key, you will be limited to *10* requests in a rolling *60
 
 A cache is useful because if you perform more call to NVD database than allowed, your calls will significantly slow down. Gobinsec tries to build caches in this order:
 
-### Memcached
+### Memcachier
 
-A cache is built with *Memcached* if following section is found in configuration file:
+A cache is built with *Memcachier* if following section is found in configuration file:
 
 ```yaml
-memcached:
+memcachier:
   address:    ...
   expiration: ...
+  username:   ...
+  password:   ...
 ```
 
-Else it will look for following environment variables:
+Else, il will look for following environment variables:
 
 ```
-MEMCACHED_ADDRESS
-MEMCACHED_EXPIRATION
+MEMCACHIER_ADDRESS
+MEMCACHIER_EXPIRATION
+MEMCACHIER_USERNAME
+MEMCACHIER_PASSWORD
 ```
 
-A sample [docker-compose.yml](https://github.com/intercloud/gobinsec/blob/main/docker-compose.yml) file to start a *memcached* instance is provided in this project.
+[Memcachier](https://www.memcachier.com) is an online cache provider with free tiers.
 
-### Memcachier
+### Memcached
 
-A cache is built with *Memcachier* if following section is found in configuration file:
+A cache is built with *Memcached* if following section is found in configuration file:
 
 ```yaml
-memcachier:
+memcached:
   address:    ...
   expiration: ...
-  username:   ...
-  password:   ...
 ```
 
-Else, il will look for following environment variables:
+Else it will look for following environment variables:
 
 ```
-MEMCACHIER_ADDRESS
-MEMCACHIER_EXPIRATION
-MEMCACHIER_USERNAME
-MEMCACHIER_PASSWORD
+MEMCACHED_ADDRESS
+MEMCACHED_EXPIRATION
 ```
 
-[Memcachier](https://www.memcachier.com) is an online cache provider with free tiers.
+A sample [docker-compose.yml](https://github.com/intercloud/gobinsec/blob/main/docker-compose.yml) file to start a *memcached* instance is provided in this project.
 
-### SQLite
+### File
 
-If none of preceding configuration is found in configuration and none of related environment variables, *Gobinsec* will use *SQLite* for caching. By default, database file is stored in *~/.gobinsec.db* and cache duration is of one day (or *86400* seconds). You can overwrite these default values with following configuration section:
+If none of preceding configuration is found in configuration and none of related environment variables, *Gobinsec* will use *YAML* file for caching. By default, database file is stored in *~/.gobinsec-cache.yml* and cache duration is of one day (or *86400* seconds). You can overwrite these default values with following configuration section:
 
 ```yaml
-sqlite:
-  file:       "/path/to/database.db"
+file:
+  name:       "/path/to/file.yml"
   expiration: 86400
 ```
 

go.mod

@@ -5,7 +5,6 @@ go 1.18
 require (
 	github.com/bradfitz/gomemcache v0.0.0-20220106215444-fb4bf637b56d
 	github.com/fatih/color v1.13.0
-	github.com/mattn/go-sqlite3 v1.14.12
 	github.com/memcachier/gomemcache v0.0.0-20170425125614-d027381f7653
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
 )

go.sum

@@ -8,8 +8,6 @@ github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y=
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
-github.com/mattn/go-sqlite3 v1.14.12 h1:TJ1bhYJPV44phC+IMu1u2K/i5RriLTPe+yc68XDJ1Z0=
-github.com/mattn/go-sqlite3 v1.14.12/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
 github.com/memcachier/gomemcache v0.0.0-20170425125614-d027381f7653 h1:222emoxOt/bCmNHp8Xt0Pr5Am3gIbqRKFpb4CQ9O2SI=
 github.com/memcachier/gomemcache v0.0.0-20170425125614-d027381f7653/go.mod h1:KoYVbOQexD45AOLfn+gsFB6c3o4ANzP1QKzjE6tZbK0=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

gobinsec/cache-file.go

@@ -0,0 +1,111 @@
+package gobinsec
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"gopkg.in/yaml.v3"
+)
+
+// FileConfig is the configuration for file cache
+type FileConfig struct {
+	File       string `yaml:"name"`
+	Expiration int32  `yaml:"expiration"`
+}
+
+// NewFileConfig builds configuration for file cache
+func NewFileConfig(config *FileConfig) *FileConfig {
+	if config == nil {
+		config = &FileConfig{}
+	}
+	if config.File == "" {
+		config.File = "~/.gobinsec-cache.yml"
+	}
+	if strings.HasPrefix(config.File, "~/") {
+		home, err := os.UserHomeDir()
+		if err != nil {
+			return nil
+		}
+		config.File = filepath.Join(home, config.File[2:])
+	}
+	if config.Expiration == 0 {
+		config.Expiration = 86400
+	}
+	return config
+}
+
+// DependencyCache is an entry of dependency cache
+type DependencyCache struct {
+	Date            string
+	Vulnerabilities string
+}
+
+// FileCache is the cache instance
+type FileCache struct {
+	File       string
+	Expiration int32
+	Cache      map[string]DependencyCache
+}
+
+// NewFileCache builds a cache using file
+func NewFileCache(config *FileConfig) Cache {
+	cache := make(map[string]DependencyCache)
+	file, err := os.ReadFile(config.File)
+	if err == nil {
+		if err := yaml.Unmarshal(file, cache); err != nil {
+			cache = make(map[string]DependencyCache)
+		}
+	}
+	fileCache := &FileCache{
+		File:       config.File,
+		Expiration: config.Expiration,
+		Cache:      cache,
+	}
+	fileCache.CleanCache()
+	return fileCache
+}
+
+// Get returns NVD response for given dependency
+func (fc *FileCache) Get(d *Dependency) []byte {
+	dependency, ok := fc.Cache[d.Name]
+	if ok {
+		return []byte(dependency.Vulnerabilities)
+	}
+	return nil
+}
+
+// Set put NVD response for given dependency in cache
+func (fc *FileCache) Set(d *Dependency, v []byte) {
+	now := time.Now().UTC().Format("2006-01-02T15:04:05")
+	cache := DependencyCache{
+		Date:            now,
+		Vulnerabilities: string(v),
+	}
+	fc.Cache[d.Name] = cache
+}
+
+// Ping does nothing
+func (fc *FileCache) Open() error {
+	return nil
+}
+
+// Clean saves file
+func (fc *FileCache) Close() {
+	text, err := yaml.Marshal(fc.Cache)
+	if err == nil {
+		os.WriteFile(fc.File, text, 0644) // nolint:errcheck,gosec,gomnd // if error writing cache, do nothing
+	}
+}
+
+// CleanCache removes obsolete cache entries
+func (fc *FileCache) CleanCache() {
+	duration := time.Duration(fc.Expiration) * time.Second
+	limit := time.Now().UTC().Add(-duration).Format("2006-01-02T15:04:05")
+	for name, cache := range fc.Cache {
+		if cache.Date < limit {
+			delete(fc.Cache, name)
+		}
+	}
+}

gobinsec/cache-memcached.go

@@ -70,10 +70,10 @@ func (mc *MemcachedClient) Set(d *Dependency, v []byte) {
 }
 
 // Ping calls memcached
-func (mc *MemcachedClient) Ping() error {
+func (mc *MemcachedClient) Open() error {
 	return mc.Client.Ping()
 }
 
 // Clean does nothing
-func (mc *MemcachedClient) Clean() {
+func (mc *MemcachedClient) Close() {
 }

gobinsec/cache-memcachier.go

@@ -78,7 +78,7 @@ func (mc *MemcachierClient) Set(d *Dependency, v []byte) {
 }
 
 // Ping calls Memcachier
-func (mc *MemcachierClient) Ping() error {
+func (mc *MemcachierClient) Open() error {
 	item := memcache.Item{
 		Key:        "test",
 		Value:      []byte("test"),
@@ -88,5 +88,5 @@ func (mc *MemcachierClient) Ping() error {
 }
 
 // Clean does nothing
-func (mc *MemcachierClient) Clean() {
+func (mc *MemcachierClient) Close() {
 }