report: fixes a nil dereference when accessing vuln cve metadata.

Some vulnerabilities, such as GO-2020-0002.toml, do not have CVE
metadata. Accessing CVEMetadata.ID without checking if CVEMetadata is
nil can lead to a nil dereference.

Change-Id: I06a24a7d80a0e8be768af198a1b6254f15de98d3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/vulndb/+/1026682
Reviewed-by: Roland Shoemaker <bracewell@google.com>
diff --git a/report/report.go b/report/report.go
index 6c52a0c..8839cd8 100644
--- a/report/report.go
+++ b/report/report.go
@@ -105,7 +105,7 @@
 		return fmt.Errorf("unknown severity %q", vuln.Severity)
 	}
 
-	if vuln.CVE != "" && vuln.CVEMetadata.ID != "" {
+	if vuln.CVE != "" && vuln.CVEMetadata != nil && vuln.CVEMetadata.ID != "" {
 		// TODO: may just want to use one of these? :shrug:
 		return errors.New("only one of cve and cve_metadata.id should be present")
 	}
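Review bot: The new `vuln.CVEMetadata != nil` guard on the `if` line has no regression test in this commit, so a later refactor of the condition could bring the panic back unnoticed. A lint test case for a report that sets `cve` but has no `cve_metadata` section would pin the fix, since that is the only combination that reaches the dereference. The enclosing function starts and ends outside this hunk, so any other `vuln.CVEMetadata.` access in it cannot be checked from here and should be audited for the same guard. A short comment above the condition would also help, e.g. `// CVEMetadata is optional and is nil when the report has no cve_metadata section.`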