perf: skip advisories that are for unrelated packages when loading databases

main.go

@@ -186,6 +186,7 @@ func loadDatabases(
 	listPackages bool,
 	offline bool,
 	batchSize int,
+	pkgNames []string,
 ) (OSVDatabases, bool) {
 	dbs := make(OSVDatabases, 0, len(dbConfigs))
 
@@ -202,7 +203,7 @@ func loadDatabases(
 	for _, dbConfig := range dbConfigs {
 		r.PrintTextf("  %s", dbConfig.Name)
 
-		db, err := database.Load(dbConfig, offline, batchSize)
+		db, err := database.Load(dbConfig, offline, batchSize, pkgNames)
 
 		if err != nil {
 			r.PrintDatabaseLoadErr(err)
@@ -591,12 +592,20 @@ This flag can be passed multiple times to ignore different vulnerabilities`)
 
 	files.adjustExtraDatabases(*noConfigDatabases, *useAPI, *useDatabases)
 
+	var allPackages []string
+	for _, p := range files {
+		for _, pkg := range p.lockf.Packages {
+			allPackages = append(allPackages, pkg.Name)
+		}
+	}
+
 	dbs, errored := loadDatabases(
 		r,
 		uniqueDBConfigs(files.getConfigs()),
 		*listPackages,
 		*offline,
 		*batchSize,
+		allPackages,
 	)
 
 	if errored {

pkg/database/config.go

@@ -27,14 +27,14 @@ func (dbc Config) Identifier() string {
 var ErrUnsupportedDatabaseType = errors.New("unsupported database source type")
 
 // Load initializes a new OSV database based on the given Config
-func Load(config Config, offline bool, batchSize int) (DB, error) {
+func Load(config Config, offline bool, batchSize int, pkgNames []string) (DB, error) {
 	switch config.Type {
 	case "zip":
-		return NewZippedDB(config, offline)
+		return NewZippedDB(config, offline, pkgNames)
 	case "api":
 		return NewAPIDB(config, offline, batchSize)
 	case "dir":
-		return NewDirDB(config, offline)
+		return NewDirDB(config, offline, pkgNames)
 	}
 
 	return nil, fmt.Errorf("%w %s", ErrUnsupportedDatabaseType, config.Type)

pkg/database/dir.go

@@ -28,7 +28,7 @@ var ErrDirPathWrongProtocol = errors.New("directory path must start with \"file:
 
 // load walks the filesystem starting with the working directory within the local path,
 // loading all OSVs found along the way.
-func (db *DirDB) load() error {
+func (db *DirDB) load(pkgNames []string) error {
 	db.vulnerabilities = make(map[string][]OSV)
 
 	if !strings.HasPrefix(db.LocalPath, "file:") {
@@ -78,7 +78,7 @@ func (db *DirDB) load() error {
 			return nil
 		}
 
-		db.addVulnerability(pa)
+		db.addVulnerability(pa, pkgNames)
 
 		return nil
 	})
@@ -94,15 +94,15 @@ func (db *DirDB) load() error {
 	return nil
 }
 
-func NewDirDB(config Config, offline bool) (*DirDB, error) {
+func NewDirDB(config Config, offline bool, pkgNames []string) (*DirDB, error) {
 	db := &DirDB{
 		name:             config.Name,
 		identifier:       config.Identifier(),
 		LocalPath:        config.URL,
 		WorkingDirectory: config.WorkingDirectory,
 		Offline:          offline,
 	}
-	if err := db.load(); err != nil {
+	if err := db.load(pkgNames); err != nil {
 		return nil, fmt.Errorf("unable to load OSV database: %w", err)
 	}
 

pkg/database/dir_test.go

@@ -13,6 +13,12 @@ func TestNewDirDB(t *testing.T) {
 	osvs := []database.OSV{
 		withDefaultAffected("OSV-1"),
 		withDefaultAffected("OSV-2"),
+		{
+			ID: "OSV-3",
+			Affected: []database.Affected{
+				{Package: database.Package{Ecosystem: "PyPi", Name: "mine2"}, Versions: database.Versions{}},
+			},
+		},
 		{
 			ID: "GHSA-1234",
 			Affected: []database.Affected{
@@ -22,7 +28,7 @@ func TestNewDirDB(t *testing.T) {
 		},
 	}
 
-	db, err := database.NewDirDB(database.Config{URL: "file:/testdata/db"}, false)
+	db, err := database.NewDirDB(database.Config{URL: "file:/testdata/db"}, false, nil)
 
 	if err != nil {
 		t.Fatalf("unexpected error \"%v\"", err)
@@ -34,7 +40,7 @@ func TestNewDirDB(t *testing.T) {
 func TestNewDirDB_InvalidURI(t *testing.T) {
 	t.Parallel()
 
-	db, err := database.NewDirDB(database.Config{URL: "file://\\"}, false)
+	db, err := database.NewDirDB(database.Config{URL: "file://\\"}, false, nil)
 
 	if err == nil {
 		t.Fatalf("NewDirDB() did not return expected error")
@@ -48,7 +54,7 @@ func TestNewDirDB_InvalidURI(t *testing.T) {
 func TestNewDirDB_NotFileProtocol(t *testing.T) {
 	t.Parallel()
 
-	db, err := database.NewDirDB(database.Config{URL: "https://mysite.com/my.zip"}, false)
+	db, err := database.NewDirDB(database.Config{URL: "https://mysite.com/my.zip"}, false, nil)
 
 	if err == nil {
 		t.Fatalf("NewDirDB() did not return expected error")
@@ -66,7 +72,7 @@ func TestNewDirDB_NotFileProtocol(t *testing.T) {
 func TestNewDirDB_DoesNotExist(t *testing.T) {
 	t.Parallel()
 
-	db, err := database.NewDirDB(database.Config{URL: "file:/testdata/nowhere"}, false)
+	db, err := database.NewDirDB(database.Config{URL: "file:/testdata/nowhere"}, false, nil)
 
 	if err == nil {
 		t.Fatalf("NewDirDB() did not return expected error")
@@ -82,11 +88,33 @@ func TestNewDirDB_WorkingDirectory(t *testing.T) {
 
 	osvs := []database.OSV{withDefaultAffected("OSV-1")}
 
-	db, err := database.NewDirDB(database.Config{URL: "file:/testdata/db", WorkingDirectory: "nested-1"}, false)
+	db, err := database.NewDirDB(database.Config{URL: "file:/testdata/db", WorkingDirectory: "nested-1"}, false, nil)
 
 	if err != nil {
 		t.Fatalf("unexpected error \"%v\"", err)
 	}
 
 	expectDBToHaveOSVs(t, db, osvs)
 }
+
+func TestNewDirDB_WithSpecificPackages(t *testing.T) {
+	t.Parallel()
+
+	db, err := database.NewDirDB(database.Config{URL: "file:/testdata/db"}, false, []string{"mine", "request"})
+
+	if err != nil {
+		t.Fatalf("unexpected error \"%v\"", err)
+	}
+
+	expectDBToHaveOSVs(t, db, []database.OSV{
+		withDefaultAffected("OSV-1"),
+		withDefaultAffected("OSV-2"),
+		{
+			ID: "GHSA-1234",
+			Affected: []database.Affected{
+				{Package: database.Package{Ecosystem: "npm", Name: "request"}},
+				{Package: database.Package{Ecosystem: "npm", Name: "@cypress/request"}},
+			},
+		},
+	})
+}

pkg/database/load_test.go

@@ -17,7 +17,7 @@ func TestLoad(t *testing.T) {
 	}
 
 	for _, typ := range types {
-		_, err := database.Load(database.Config{Type: typ}, false, 100)
+		_, err := database.Load(database.Config{Type: typ}, false, 100, nil)
 
 		if err == nil {
 			t.Fatalf("NewDirDB() did not return expected error")
@@ -28,7 +28,7 @@ func TestLoad(t *testing.T) {
 func TestLoad_BadType(t *testing.T) {
 	t.Parallel()
 
-	db, err := database.Load(database.Config{Type: "file"}, false, 100)
+	db, err := database.Load(database.Config{Type: "file"}, false, 100, nil)
 
 	if err == nil {
 		t.Fatalf("NewDirDB() did not return expected error")

pkg/database/mem-check.go

@@ -11,9 +11,15 @@ type memDB struct {
 	VulnerabilitiesCount int
 }
 
-func (db *memDB) addVulnerability(osv OSV) {
+func (db *memDB) addVulnerability(osv OSV, pkgNames []string) {
 	db.VulnerabilitiesCount++
 
+	// if we have been provided a list of package names, only load advisories
+	// that might actually affect those packages, rather than all advisories
+	if len(pkgNames) != 0 && !mightAffectPackages(osv, pkgNames) {
+		return
+	}
+
 	for _, affected := range osv.Affected {
 		hash := string(affected.Package.Ecosystem) + "-" + affected.Package.NormalizedName()
 		vulns := db.vulnerabilities[hash]

pkg/database/testdata/db/nested-2/osv-3.json

@@ -0,0 +1,12 @@
+{
+  "id": "OSV-3",
+  "affected": [
+    {
+      "package": {
+        "name": "mine2",
+        "ecosystem": "PyPi"
+      },
+      "versions": []
+    }
+  ]
+}

pkg/database/zip.go

@@ -126,9 +126,21 @@ func (db *ZipDB) fetchZip() ([]byte, error) {
 	return body, nil
 }
 
+func mightAffectPackages(v OSV, names []string) bool {
+	for _, affected := range v.Affected {
+		for _, name := range names {
+			if affected.Package.Name == name {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
 // Loads the given zip file into the database as an OSV.
 // It is assumed that the file is JSON and in the working directory of the db
-func (db *ZipDB) loadZipFile(zipFile *zip.File) {
+func (db *ZipDB) loadZipFile(zipFile *zip.File, pkgNames []string) {
 	file, err := zipFile.Open()
 	if err != nil {
 		_, _ = fmt.Fprintf(os.Stderr, "Could not read %s: %v\n", zipFile.Name, err)
@@ -152,7 +164,7 @@ func (db *ZipDB) loadZipFile(zipFile *zip.File) {
 		return
 	}
 
-	db.addVulnerability(osv)
+	db.addVulnerability(osv, pkgNames)
 }
 
 // load fetches a zip archive of the OSV database and loads known vulnerabilities
@@ -161,7 +173,7 @@ func (db *ZipDB) loadZipFile(zipFile *zip.File) {
 // Internally, the archive is cached along with the date that it was fetched
 // so that a new version of the archive is only downloaded if it has been
 // modified, per HTTP caching standards.
-func (db *ZipDB) load() error {
+func (db *ZipDB) load(pkgNames []string) error {
 	db.vulnerabilities = make(map[string][]OSV)
 
 	body, err := db.fetchZip()
@@ -185,21 +197,21 @@ func (db *ZipDB) load() error {
 			continue
 		}
 
-		db.loadZipFile(zipFile)
+		db.loadZipFile(zipFile, pkgNames)
 	}
 
 	return nil
 }
 
-func NewZippedDB(config Config, offline bool) (*ZipDB, error) {
+func NewZippedDB(config Config, offline bool, pkgNames []string) (*ZipDB, error) {
 	db := &ZipDB{
 		name:             config.Name,
 		identifier:       config.Identifier(),
 		ArchiveURL:       config.URL,
 		WorkingDirectory: config.WorkingDirectory,
 		Offline:          offline,
 	}
-	if err := db.load(); err != nil {
+	if err := db.load(pkgNames); err != nil {
 		return nil, fmt.Errorf("unable to fetch OSV database: %w", err)
 	}