Memcached (#4)

Added cache on NVD calls

Author: c4s4

Makefile

@@ -48,3 +48,6 @@ release: clean lint test integ binaries # Perform release (must pass VERSION=X.Y
 	@test `git rev-parse --abbrev-ref HEAD` = 'main' || (echo "ERROR You are not on branch main" && exit 1)
 	@git tag -a $(VERSION) -m "Release $(VERSION)"
 	@git push origin --tags
+
+memcached: # Start memcached
+	@docker-compose up -d memcached

README.md

@@ -1,8 +1,19 @@
 # Gobinsec
 
-This tool parses Go binary dependencies, calls NVD database to produce a vulnerability report for this binary.
+This tool parses Go binary dependencies and calls [NVD database](https://nvd.nist.gov/) to produce a vulnerability report.
 
-## Install
+## Table of Contents
+
+1. [Installation](#installation)
+2. [Usage](#usage)
+3. [Configuration](#configuration)
+4. [Cache](#cache)
+5. [Version](#versions)
+6. [How to Fix Vulnerabilities](#how-to-fix-vulnerabilities)
+7. [Data Source](#data-source)
+8. [License](#license)
+
+## Installation
 
 Download binary for your platform in [latest release](https://github.com/intercloud/gobinsec/releases). Rename it *gobinsec*, make it executable with `chmod +x gobinsec` and move it somewhere in your *PATH*.
 
@@ -30,13 +41,15 @@ dependencies:
     - '?'
 ```
 
-Exit code is *1* if binary is vulnerable, *2* if there was an error analyzing binary and *0* otherwise. If binary is vulnerable, exposed vulnerabilities are printed in report.
+You can pass more than one binary to check on command line.
+
+Exit code is *1* if exposed vulnerabilities were found, *2* if there was an error analyzing a binary and *0* otherwise. If a binary is vulnerable, exposed vulnerabilities are printed in report.
 
 You can pass *-verbose* option on command line to print vulnerability report, even if binary is not vulnerable and for all vulnerabilities, even if they are ignored or not exposed.
 
 You can set *-strict* flag on command line so that vulnerabilities without version are considered matching vulnerability. In this case, you should check vulnerability manually and disable it in configuration file if necessary.
 
-You can pass more than one binary on command line. In this case, there will be cache on calls to NVD database.
+You can pass configuration file with *-config config.yml*, see configuration section below.
 
 ## Configuration
 
@@ -51,20 +64,30 @@ Configuration file is in YAML format as follows:
 ```yaml
 api-key: "28c6112c-a7bc-4a4e-9b14-75be6da02211"
 strict: false
+memcached:
+  address:    127.0.0.1:11211
+  expiration: 86400
 ignore:
 - "CVE-2020-14040"
 ```
 
-It has two entries:
+Configuration fields are the following:
 
 - **api-key**: this is your NVD API key
 - **strict**: tells if we should consider vulnerability matches without version as matching dependency
+- **memcached** is the configuration for *memcached*, with **address** and **expiration** time in seconds
 - **ignore**: a list of CVE vulnerabilities to ignore
 
 You can also set NVD API Key in your environment with variable *NVD_API_KEY*. This key may be overwritten with value in configuration file. Your API key must be set in environment to be able to run integration tests (with target *integ*).
 
 Note that without API key, you will be limited to *10* requests in a rolling *60* second window while this limit is *100* with an API key.
 
+## Cache
+
+If you define the *memcached* configuration in your configuration file, *memcached* will be used to cache calls to NVD database. This is useful because if you perform more call that allowed, your calls will significantly slow down. An sample [docker-compose.yml](https://github.com/intercloud/gobinsec/blob/main/docker-compose.yml) to start a *memcached* instance is proposed in this project.
+
+If you don't define the *memcached* configuration, the program will use a memory cache when you pass more than one binary to analyse on command line.
+
 ## Versions
 
 Dependencies and vulnerabilities have versions. There are three types of them:

docker-compose.yml

@@ -0,0 +1,7 @@
+services:
+
+  memcached:
+    image: memcached:1.6.13
+    restart: unless-stopped
+    ports:
+    - 11211:11211

go.mod

@@ -8,6 +8,7 @@ require (
 )
 
 require (
+	github.com/bradfitz/gomemcache v0.0.0-20220106215444-fb4bf637b56d // indirect
 	github.com/mattn/go-colorable v0.1.9 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
 	golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c // indirect

go.sum

@@ -1,3 +1,5 @@
+github.com/bradfitz/gomemcache v0.0.0-20220106215444-fb4bf637b56d h1:pVrfxiGfwelyab6n21ZBkbkmbevaf+WvMIiR7sr97hw=
+github.com/bradfitz/gomemcache v0.0.0-20220106215444-fb4bf637b56d/go.mod h1:H0wQNHz2YrLsuXOZozoeDmnHXkNCRmMW0gwFWDfEZDA=
 github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w=
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/mattn/go-colorable v0.1.9 h1:sqDoxXbdeALODt0DAeJCVp38ps9ZogZEAXjus69YV3U=

gobinsec/binary.go

@@ -105,8 +105,8 @@ func LoadVulnerabilities(dependencies chan *Dependency, wg *sync.WaitGroup) {
 // Report prints a report on terminal
 // nolint:gocyclo // this is life
 func (b *Binary) Report(verbose bool) {
-	fmt.Printf("%s: ",filepath.Base(b.Path))
-	if (b.Vulnerable) {
+	fmt.Printf("%s: ", filepath.Base(b.Path))
+	if b.Vulnerable {
 		ColorRed.Println("VULNERABLE")
 	} else {
 		ColorGreen.Println("OK")

gobinsec/cache-memcached.go

@@ -0,0 +1,42 @@
+package gobinsec
+
+import "github.com/bradfitz/gomemcache/memcache"
+
+// MemcachedClient is the Cache using memcached
+type MemcachedClient struct {
+	Client     *memcache.Client
+	Expiration int32
+}
+
+// NewMemcachedCache builds a memcached cache
+func NewMemcachedCache() Cache {
+	cache := MemcachedClient{
+		Client:     memcache.New(config.Memcached.Address),
+		Expiration: config.Memcached.Expiration,
+	}
+	return &cache
+}
+
+// Get returns NVD response for given dependency
+func (mc *MemcachedClient) Get(d *Dependency) []byte {
+	item, err := mc.Client.Get(d.Key())
+	if err != nil {
+		return nil
+	}
+	return item.Value
+}
+
+// Set put NVD response for given dependency in cache
+func (mc *MemcachedClient) Set(d *Dependency, v []byte) {
+	item := memcache.Item{
+		Key:        d.Key(),
+		Value:      v,
+		Expiration: mc.Expiration,
+	}
+	mc.Client.Set(&item) // nolint:errcheck // we ignore error
+}
+
+// Ping calls memcached
+func (mc *MemcachedClient) Ping() error {
+	return mc.Client.Ping()
+}

gobinsec/cache-memory.go

@@ -0,0 +1,42 @@
+package gobinsec
+
+import (
+	"sync"
+)
+
+// MemoryCache is a cache with a synced map
+type MemoryCache map[string][]byte
+
+// lock for memory cache
+var lock sync.RWMutex
+
+// NewMemoryCache builds a cache in memory
+func NewMemoryCache() *MemoryCache {
+	cache := make(MemoryCache)
+	return &cache
+}
+
+// Get returns NVD response for given dependency
+func (mc *MemoryCache) Get(d *Dependency) []byte {
+	key := d.Key()
+	lock.RLock()
+	defer lock.RUnlock()
+	vulnerabilities, ok := (*mc)[key]
+	if ok {
+		return vulnerabilities
+	}
+	return nil
+}
+
+// Set put NVD response for given dependency in cache
+func (mc *MemoryCache) Set(d *Dependency, v []byte) {
+	key := d.Key()
+	lock.Lock()
+	defer lock.Unlock()
+	(*mc)[key] = v
+}
+
+// Ping does nothing
+func (mc *MemoryCache) Ping() error {
+	return nil
+}

gobinsec/cache.go

@@ -1,36 +1,18 @@
 package gobinsec
 
-import (
-	"sync"
-)
+var cache Cache
 
-type VulnerabilityCache map[string][]Vulnerability
-
-var lock sync.RWMutex
-var cache = NewVulnerabilityCache()
-
-func NewVulnerabilityCache() *VulnerabilityCache {
-	cache := make(VulnerabilityCache)
-	return &cache
-}
-
-func (dc *VulnerabilityCache) Get(d *Dependency) []Vulnerability {
-	key := d.Key()
-	lock.RLock()
-	defer lock.RUnlock()
-	vulnerabilities, ok := (*dc)[key]
-	if ok {
-		return vulnerabilities
-	}
-	return nil
+type Cache interface {
+	Get(d *Dependency) []byte
+	Set(d *Dependency, v []byte)
+	Ping() error
 }
 
-func (dc *VulnerabilityCache) Put(d *Dependency, v []Vulnerability) {
-	key := d.Key()
-	if v == nil {
-		v = make([]Vulnerability, 0)
+func BuildCache() error {
+	if config.Memcached == nil {
+		cache = NewMemoryCache()
+	} else {
+		cache = NewMemcachedCache()
 	}
-	lock.Lock()
-	defer lock.Unlock()
-	(*dc)[key] = v
+	return cache.Ping()
 }

gobinsec/config.go

@@ -8,9 +8,15 @@ import (
 )
 
 type Config struct {
-	APIKey string   `yaml:"api-key"`
-	Ignore []string `yaml:"ignore"`
-	Strict bool     `yaml:"strict"`
+	APIKey    string           `yaml:"api-key"`
+	Memcached *MemcachedConfig `yaml:"memcached"`
+	Ignore    []string         `yaml:"ignore"`
+	Strict    bool             `yaml:"strict"`
+}
+
+type MemcachedConfig struct {
+	Address    string `yaml:"address"`
+	Expiration int32  `yaml:"expiration"`
 }
 
 var config Config
@@ -37,6 +43,7 @@ func LoadConfig(path string, strict bool) error {
 	return nil
 }
 
+// IgnoreVulnerability tells if we should ignore given vulnerability
 func (c *Config) IgnoreVulnerability(id string) bool {
 	for _, ignore := range c.Ignore {
 		if ignore == id {