internal/cveschema: rename fields
Rename many fields to be more Go-like:
- Correct capitalization, e.g. STATE => State
- Avoid stuttering, e.g. Product.ProductData => Product.Data
- Fix plurals, e.g. VendorDataItems => VendorDataItem
Also, embed Metadata.
Change-Id: I4680fa70557499d8d0470192b26f66045a81486f
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/361210
Trust: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Julie Qiu <julie@golang.org>
diff --git a/cmd/report2cve/main.go b/cmd/report2cve/main.go
index 54a5b9f..42a7a59 100644
--- a/cmd/report2cve/main.go
+++ b/cmd/report2cve/main.go
@@ -34,14 +34,14 @@
DataType: "CVE",
DataFormat: "MITRE",
DataVersion: "4.0",
- CVEDataMeta: cveschema.CVEDataMeta{
+ Metadata: cveschema.Metadata{
ID: r.CVEMetadata.ID,
- ASSIGNER: "security@golang.org",
- STATE: "PUBLIC",
+ Assigner: "security@golang.org",
+ State: cveschema.StatePublic,
},
Description: cveschema.Description{
- DescriptionData: []cveschema.LangString{
+ Data: []cveschema.LangString{
{
Lang: "eng",
Value: strings.TrimSuffix(r.CVEMetadata.Description, "\n"),
@@ -49,8 +49,8 @@
},
},
- Problemtype: cveschema.Problemtype{
- ProblemtypeData: []cveschema.ProblemtypeDataItems{
+ ProblemType: cveschema.ProblemType{
+ Data: []cveschema.ProblemTypeDataItem{
{
Description: []cveschema.LangString{
{
@@ -64,11 +64,11 @@
Affects: cveschema.Affects{
Vendor: cveschema.Vendor{
- VendorData: []cveschema.VendorDataItems{
+ Data: []cveschema.VendorDataItem{
{
VendorName: "n/a", // ???
Product: cveschema.Product{
- ProductData: []cveschema.ProductDataItem{
+ Data: []cveschema.ProductDataItem{
{
ProductName: r.Package,
Version: versionToVersion(r.Versions),
@@ -82,10 +82,10 @@
}
for _, additional := range r.AdditionalPackages {
- c.Affects.Vendor.VendorData = append(c.Affects.Vendor.VendorData, cveschema.VendorDataItems{
+ c.Affects.Vendor.Data = append(c.Affects.Vendor.Data, cveschema.VendorDataItem{
VendorName: "n/a",
Product: cveschema.Product{
- ProductData: []cveschema.ProductDataItem{
+ Data: []cveschema.ProductDataItem{
{
ProductName: additional.Package,
Version: versionToVersion(additional.Versions),
@@ -96,13 +96,13 @@
}
if r.Links.PR != "" {
- c.References.ReferenceData = append(c.References.ReferenceData, cveschema.Reference{URL: r.Links.PR})
+ c.References.Data = append(c.References.Data, cveschema.Reference{URL: r.Links.PR})
}
if r.Links.Commit != "" {
- c.References.ReferenceData = append(c.References.ReferenceData, cveschema.Reference{URL: r.Links.Commit})
+ c.References.Data = append(c.References.Data, cveschema.Reference{URL: r.Links.Commit})
}
for _, url := range r.Links.Context {
- c.References.ReferenceData = append(c.References.ReferenceData, cveschema.Reference{URL: url})
+ c.References.Data = append(c.References.Data, cveschema.Reference{URL: url})
}
return c, nil
@@ -112,13 +112,13 @@
vd := cveschema.VersionData{}
for _, vr := range versions {
if vr.Introduced != "" {
- vd.VersionData = append(vd.VersionData, cveschema.VersionDataItems{
+ vd.Data = append(vd.Data, cveschema.VersionDataItem{
VersionValue: vr.Introduced,
VersionAffected: ">=",
})
}
if vr.Fixed != "" {
- vd.VersionData = append(vd.VersionData, cveschema.VersionDataItems{
+ vd.Data = append(vd.Data, cveschema.VersionDataItem{
VersionValue: vr.Fixed,
VersionAffected: "<",
})
diff --git a/internal/cveschema/cveschema.go b/internal/cveschema/cveschema.go
index 9ef8d63..e19970d 100644
--- a/internal/cveschema/cveschema.go
+++ b/internal/cveschema/cveschema.go
@@ -11,14 +11,14 @@
// CVE ID is Reserved by a CNA.
StateReserved = "RESERVED"
- // StatePublished is when a CNA populates the data associated with a CVE ID
- // as a CVE Record, the state of the CVE Record is Published. The
+ // StatePublic is when a CNA populates the data associated with a CVE ID
+ // as a CVE Record, the state of the CVE Record is PUBLIC. The
// associated data must contain an identification number (CVE ID), a prose
// description, and at least one public reference.
- StatePublished = "PUBLIC"
+ StatePublic = "PUBLIC"
// StateRejected is when the CVE ID and associated CVE Record should no
- // longer be used, the CVE Record is placed in the Rejected state. A Rejected
+ // longer be used, the CVE Record is placed in the REJECT state. A Rejected
// CVE Record remains on the CVE List so that users can know when it is
// invalid.
StateRejected = "REJECT"
@@ -32,6 +32,11 @@
// impact to the confidentiality, integrity, or availability of an impacted
// component or components.
type CVE struct {
+ // Metadata is metadata about the CVE ID such as the CVE ID, who
+ // requested it, who assigned it, when it was requested, when it was assigned,
+ // the current state (PUBLIC, REJECT, etc.) and so on.
+ Metadata `json:"CVE_data_meta"`
+
// DataType identifies what kind of data is held in this JSON file. This is
// mandatory and designed to prevent problems with attempting to detect
// what kind of file this is. Valid values for this string are CVE, CNA,
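Review bot: The embedded `Metadata` field keeps the v4 wire format only because of its `json:"CVE_data_meta"` tag: encoding/json treats a tagged embedded struct as a named field, but without the tag it would flatten ID, ASSIGNER and STATE to the top level, and incoming records would then decode with an empty ID and State. Nothing in the visible hunks pins this, so a comment on the field such as `// The json tag is required: an untagged embedded struct would be flattened by encoding/json.` and a round-trip test asserting the nested `CVE_data_meta` object would guard it. Embedding also promotes `ID`, `Assigner` and `State` onto `CVE` (and onto the worker's `cve`, which appears to embed `CVE`), so a field added later with one of those names would silently shadow them. The struct continues outside the hunk.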
@@ -49,11 +54,6 @@
// what format of data is used.
DataVersion string `json:"data_version"`
- // CVEDataMeta is meta data about the CVE ID such as the CVE ID, who
- // requested it, who assigned it, when it was requested, when it was assigned,
- // the current state (PUBLIC, REJECT, etc.) and so on.
- CVEDataMeta CVEDataMeta `json:"CVE_data_meta"`
-
// Affects is the root level container for affected vendors and in turn
// their affected technologies, products, hardware, etc. It only goes in
// the root level.
@@ -66,7 +66,7 @@
Description Description `json:"description"`
// ProblemType is problem type information (e.g. CWE identifier).
- Problemtype Problemtype `json:"problemtype"`
+ ProblemType ProblemType `json:"problemtype"`
// References is reference data in the form of URLs or file objects
// (uuencoded and embedded within the JSON file, exact format to be
@@ -75,13 +75,13 @@
References References `json:"references"`
}
-// CVEDataMeta is meta data about the CVE ID such as the CVE ID, who requested
+// Metadata is meta data about the CVE ID such as the CVE ID, who requested
// it, who assigned it, when it was requested, when it was assigned, the
// current state (PUBLIC, REJECT, etc.) and so on.
-type CVEDataMeta struct {
- ASSIGNER string `json:"ASSIGNER"`
+type Metadata struct {
+ Assigner string `json:"ASSIGNER"`
ID string `json:"ID"`
- STATE string `json:"STATE"`
+ State string `json:"STATE"`
}
// Affects is the root level container for affected vendors and in turn their
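Review bot: `State` in `Metadata` is still a plain `string`, so the switch to `cveschema.StatePublic` in report2cve is not enforced by the compiler and a mistyped literal would still build. As far as the hunks show, the state constants are untyped strings. Declaring `type State string`, giving the `StateReserved`/`StatePublic`/`StateRejected` constants that type and declaring the field as `State State` with the same `json:"STATE"` tag would leave the JSON encoding unchanged while making free-form values stand out in review. The doc comment here also reads "meta data" while the embedded field in `CVE` says "metadata"; one spelling would be better.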
@@ -111,19 +111,19 @@
// where impact and attack are arbitrary terms that should be relevant to the
// nature of the vulnerability.
type Description struct {
- DescriptionData []LangString `json:"description_data"`
+ Data []LangString `json:"description_data"`
}
// ProblemType is problem type information (e.g. CWE identifier).
//
// It can include an arbitrary summary of the problem, though Common Weakness
// Enumerations (CWEs) are a standard to use in this field.
-type Problemtype struct {
- ProblemtypeData []ProblemtypeDataItems `json:"problemtype_data"`
+type ProblemType struct {
+ Data []ProblemTypeDataItem `json:"problemtype_data"`
}
-// ProblemtypeDataItems are the entries in a ProblemType.
-type ProblemtypeDataItems struct {
+// A ProblemTypeDataItem is an entry in ProblemType.Data.
+type ProblemTypeDataItem struct {
Description []LangString `json:"description"`
}
@@ -139,7 +139,7 @@
// require a compressed format so the objects require unpacking before they are
// "dangerous").
type References struct {
- ReferenceData []Reference `json:"reference_data"`
+ Data []Reference `json:"reference_data"`
}
// A reference is a URL pointing to a world-wide-web-based resource. For
@@ -156,17 +156,17 @@
// Vendor is the container for affected vendors, it only goes in the affects
// container.
type Vendor struct {
- // VendorData is an array of version values (vulnerable and not); we use an
+ // Data is an array of version values (vulnerable and not); we use an
// array so that different entities can make statements about the same
// vendor and they are separate (if we used a JSON object we'd essentially
// be keying on the vendor name and they would have to overlap). Also this
// allows things like data_version or description to be applied directly to
// the vendor entry.
- VendorData []VendorDataItems `json:"vendor_data"`
+ Data []VendorDataItem `json:"vendor_data"`
}
-// VendorDataItems represents a single vendor name and product.
-type VendorDataItems struct {
+// A VendorDataItem represents a single vendor name and product.
+type VendorDataItem struct {
Product Product `json:"product"`
VendorName string `json:"vendor_name"`
}
@@ -177,13 +177,13 @@
// project name as well as the name of the actual software or hardware in which
// the vulnerability exists.
type Product struct {
- // ProductData is an array of version values (vulnerable and not); we use
+ // Data is an array of version values (vulnerable and not); we use
// an array so that we can make multiple statements about the same product and
// they are separate (if we used a JSON object we'd essentially be keying on
// the product name and they would have to overlap). Also this allows things
// like data_version or description to be applied directly to the product
// entry.
- ProductData []ProductDataItem `json:"product_data"`
+ Data []ProductDataItem `json:"product_data"`
}
// ProductDataItem represents a single product name and version that belongs to
@@ -203,15 +203,15 @@
// statements can be used multiple branches of the same product can be defined
// here.
type VersionData struct {
- VersionData []VersionDataItems `json:"version_data"`
+ Data []VersionDataItem `json:"version_data"`
}
-// VersionDataItems represents a version, the date of release, or whatever
+// A VersionDataItem represents a version, the date of release, or whatever
// indicator that is used by vendors, developers, or projects to differentiate
// between releases. The version can be described with specific version
// numbers, ranges of versions, or “all versions before/after” a version number or
// date.
-type VersionDataItems struct {
+type VersionDataItem struct {
VersionValue string `json:"version_value"`
VersionAffected string `json:"version_affected"`
}
diff --git a/internal/worker/cve.go b/internal/worker/cve.go
index 0940d21..ee46d7c 100644
--- a/internal/worker/cve.go
+++ b/internal/worker/cve.go
@@ -26,7 +26,7 @@
// triageCVE triages the CVE and creates a cve record state.
func triageCVE(c *cveschema.CVE) (_ *cve, err error) {
- defer derrors.Wrap(&err, "cveToIssue(%q)", c.CVEDataMeta.ID)
+ defer derrors.Wrap(&err, "cveToIssue(%q)", c.ID)
if isReservedCVE(c) {
return createCVE(c, stateReserved, "", false), nil
}
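Review bot: The error context on the changed `derrors.Wrap` line still says `cveToIssue`, while the enclosing function is `triageCVE`, so wrapped errors name a function that does not appear in the visible code. Since the line is being edited anyway, `defer derrors.Wrap(&err, "triageCVE(%q)", c.ID)` would make triage failures traceable to the right place. The function body continues in the next hunk.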
@@ -42,7 +42,7 @@
return createCVE(c, statePublicGoVuln, mp, true), nil
default:
// TODO(https://golang.org/issue/49289): Add support for v5.0.
- return nil, fmt.Errorf("CVE %q has DataVersion %q: %w", c.CVEDataMeta.ID, c.DataVersion, errCVEVersionUnsupported)
+ return nil, fmt.Errorf("CVE %q has DataVersion %q: %w", c.ID, c.DataVersion, errCVEVersionUnsupported)
}
}
@@ -63,7 +63,7 @@
// isPendingCVE reports if the CVE is still waiting on information and not
// ready to be triaged.
func isReservedCVE(c *cveschema.CVE) bool {
- return c.CVEDataMeta.STATE == cveschema.StateReserved
+ return c.State == cveschema.StateReserved
}
var vcsHostsWithThreeElementRepoName = map[string]bool{
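Review bot: The doc comment above `isReservedCVE` still begins with `isPendingCVE`, so it does not match the function it documents. Suggest `// isReservedCVE reports whether the CVE is in the RESERVED state, meaning it is still waiting on information and not ready to be triaged.` Only an exact match on `cveschema.StateReserved` counts as reserved, and in `triageCVE` every other `STATE` value in the record proceeds past the reserved check, which may deserve a line in the comment.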
@@ -85,8 +85,8 @@
// cveModulePath returns a Go module path for a CVE, if we can determine what
// it is.
func cveModulePath(c *cveschema.CVE) (_ string, err error) {
- defer derrors.Wrap(&err, "cveModulePath(%q)", c.CVEDataMeta.ID)
- for _, r := range c.References.ReferenceData {
+ defer derrors.Wrap(&err, "cveModulePath(%q)", c.ID)
+ for _, r := range c.References.Data {
if r.URL == "" {
continue
}
@@ -123,7 +123,7 @@
func cveLinks(c *cveschema.CVE) report.Links {
var links report.Links
- for _, r := range c.References.ReferenceData {
+ for _, r := range c.References.Data {
if links.Commit == "" && strings.Contains(r.URL, "/commit/") {
links.Commit = r.URL
} else if links.PR == "" && strings.Contains(r.URL, "/pull/") {
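Review bot: `cveLinks` classifies reference URLs with `strings.Contains(r.URL, "/commit/")` and `"/pull/"` on the whole string, and `c.References.Data` comes from the CVE record, so a URL that carries those substrings in its query or fragment, or on an unrelated host, is recorded as the fix commit or PR. Matching on the parsed path instead, e.g. `u, err := url.Parse(r.URL)` followed by `strings.Contains(u.Path, "/commit/")`, would narrow this; it needs `net/url`, which I cannot confirm is imported in this file. The function ends outside the hunk, so later branches may already filter further.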
@@ -137,7 +137,7 @@
func cveCWE(c *cveschema.CVE) string {
var cwe string
- for _, pt := range c.Problemtype.ProblemtypeData {
+ for _, pt := range c.ProblemType.Data {
for _, d := range pt.Description {
if strings.Contains(d.Value, "CWE") {
cwe = d.Value
@@ -149,7 +149,7 @@
func description(c *cveschema.CVE) string {
var ds []string
- for _, d := range c.Description.DescriptionData {
+ for _, d := range c.Description.Data {
ds = append(ds, d.Value)
}
return strings.Join(ds, "| \n ")
diff --git a/internal/worker/triager.go b/internal/worker/triager.go
index 9cbbe91..1653e4c 100644
--- a/internal/worker/triager.go
+++ b/internal/worker/triager.go
@@ -36,7 +36,7 @@
}
func (c *cve) id() string {
- return c.CVEDataMeta.ID
+ return c.ID
}
func newTriager(triaged map[string]string) triager {
@@ -44,7 +44,7 @@
for cveID, state := range triaged {
t[cveID] = &cve{
CVE: cveschema.CVE{
- CVEDataMeta: cveschema.CVEDataMeta{
+ Metadata: cveschema.Metadata{
ID: cveID,
},
},