fix: check status code from remote database hosts (#197)

main_test.go

@@ -1021,7 +1021,7 @@ func TestRun_Configs(t *testing.T) {
 
 					no known vulnerabilities found
 			`,
-			wantStderr: " failed: unable to fetch OSV database: could not read OSV database archive: zip: not a valid zip file",
+			wantStderr: " failed: unable to fetch OSV database: db host returned an unexpected status code (404 Not Found)",
 		},
 		// databases from configs are ignored if "--no-config-databases" is passed...
 		{

pkg/database/zip.go

@@ -38,6 +38,7 @@ type Cache struct {
 }
 
 var ErrOfflineDatabaseNotFound = errors.New("no offline version of the OSV database is available")
+var ErrUnexpectedStatusCode = errors.New("db host returned an unexpected status code")
 
 func (db *ZipDB) cachePath() string {
 	hash := sha256.Sum256([]byte(db.ArchiveURL))
@@ -90,6 +91,8 @@ func (db *ZipDB) fetchZip() ([]byte, error) {
 		db.UpdatedAt = cache.Date
 
 		return cache.Body, nil
+	} else if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("%w (%s)", ErrUnexpectedStatusCode, resp.Status)
 	}
 
 	var body []byte

pkg/database/zip_test.go

@@ -230,6 +230,24 @@ func TestNewZippedDB_Online_WithoutCache(t *testing.T) {
 	expectDBToHaveOSVs(t, db, osvs)
 }
 
+func TestNewZippedDB_Online_WithoutCache_NotFound(t *testing.T) {
+	t.Parallel()
+
+	ts, cleanup := createZipServer(t, func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusNotFound)
+		_, _ = w.Write(zipOSVs(t, map[string]database.OSV{}))
+	})
+	defer cleanup()
+
+	_, err := database.NewZippedDB(database.Config{URL: ts.URL}, false)
+
+	if err == nil {
+		t.Errorf("expected an error but did not get one")
+	} else if !errors.Is(err, database.ErrUnexpectedStatusCode) {
+		t.Errorf("expected %v error but got %v", database.ErrUnexpectedStatusCode, err)
+	}
+}
+
 func TestNewZippedDB_Online_WithCache(t *testing.T) {
 	t.Parallel()