feat: rewrite alias/upstream computation in Go

[michaelkedar]

This is pretty much a direct translation of the existing python code (which makes some of it unidiomatic go), changed to use the new Vulnerability instead of Bug.

One difference is the alias and upstream computations now run at the same time, and the writes to the Vulnerability protos now happen together. I had to modify the recoverer to be able to handle multiple updating multiple fields when the GCS generation is mismatched to support this properly.

Also ported over the datastore emulator manager, and made some interfaces for the google cloud clients (with the added benefit of introducing write retries which resolves #4355)
This has allowed my to bring over the existing tests.

I've renamed the alias-computation cron to relations - Cloud Deploy is going to create a new workload for this, and the old one is going to have to be deleted manually.

In a follow-up, I'm going to add another goroutine to calculate the related field, since these aren't being kept up to date at the moment.

[michaelkedar]

/gemini review

[gemini-code-assist]

Code Review

This is a major rewrite of the alias and upstream computation logic from Python to Go, and the changes are extensive but well-executed. The introduction of interfaces for cloud clients (CloudStorage, Publisher) and mock implementations for testing is a significant improvement in code quality and testability. The new relations Go command is well-structured, and the test coverage is comprehensive. The addition of a datastore emulator for testing is also a great enhancement to the development workflow. I've identified a minor resource leak and a point of code complexity that could be simplified, but overall this is a high-quality contribution.

[gemini-code-assist]

This block of code for populating toVisit and upstreamMap appears to be more complex than necessary and contains some redundant logic. The first loop from line 135 seems to be partially overwritten by the assignment on line 147 and the second loop on line 148. This can be simplified for clarity and to remove the redundancy.

if len(group.UpstreamIDs) == 0 {
	continue
}
// Add the immediate upstreams of the vuln to the map
upstreamMap[vulnID] = group.UpstreamIDs
for _, upstream := range group.UpstreamIDs {
	if _, ok := visited[upstream]; !ok && !slices.Contains(toVisit, upstream) {
		toVisit = append(toVisit, upstream)
	}
}

[michaelkedar]

FWIW, this logic is basically directly translated from the python implementation:

osv.dev/gcp/workers/alias/upstream_computation.py

Lines 171 to 181 in 3016163

	for upstream in upstreams:
	if upstream not in visited and upstream not in to_visit:
	to_visit.add(upstream)
	else:
	if bug_id not in upstream_map:
	upstream_map[bug_id] = set([upstream])
	else:
	upstream_map[bug_id].add(upstream)
	# Add the immediate upstreams of the bug to the dict
	upstream_map[bug_id] = upstreams
	to_visit.update(upstreams - visited)

[michaelkedar]

/gemini review

[gemini-code-assist]

Code Review

This is a significant and well-executed pull request that rewrites the alias and upstream computation logic from Python to Go. The new Go implementation is well-structured, and the introduction of interfaces for cloud clients and comprehensive test utilities is a fantastic improvement for testability and maintainability. The core logic appears to be a faithful translation of the original Python code. I've identified a couple of critical compilation errors related to the misuse of sync.WaitGroup that need to be addressed. Otherwise, the changes are excellent.

[another-rex]

Can you describe in the PR description what this change is for?

[michaelkedar]

Added:

One difference is the alias and upstream computations now run at the same time, and the writes to the Vulnerability protos now happen together. I had to modify the recoverer to be able to handle multiple updating multiple fields when the GCS generation is mismatched to support this properly.

[another-rex]

nit: rename this variable since it's taking in a path now
nit2: Alias string to a gcsPath type and put that as the channel type.

[michaelkedar]

renamed to gcsPathToDownloaderCh
re: nit2 - I don't really see the benefit of doing that - it's fairly standard to use strings as paths in go (e.g. in the path package)

[another-rex]

It's more to clarify whether you are meant to pass in a path, a name, or a vuln ID...etc. This makes it a bit more self documenting. I think you don't even need to cast when passing in a string for aliases

[another-rex]

This is so clean!

[another-rex]

Add a comment here about what vulns is suppose to contain.

[michaelkedar]

I renamed this to rawUpstreams which is more descriptive

[another-rex]

Can you add a comment describing what this function does, and what the two args are. it's unclear why targetBugUpstream is a list.

[michaelkedar]

I added back in all the original docstrings from python to the go code, which should make it slightly clearer.

I also changed the function signature to be computeUpstream(vulnID []string, rawUpstreams map[string][]string) []string , which is simpler and clearer.