internal/report: document CVEMeta vs CVE

Document when report.CVEMeta vs report.CVE and report.Description should
be used.

Change-Id: Icf2d75b4701d8c7aad84e0d4d3e826adce0a2402
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/357030
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
diff --git a/internal/report/report.go b/internal/report/report.go
index 2c21af9..f0a54d2 100644
--- a/internal/report/report.go
+++ b/internal/report/report.go
@@ -49,15 +49,25 @@
 	// for most
 	AdditionalPackages []Additional   `yaml:"additional_packages,omitempty"`
 	Versions           []VersionRange `yaml:",omitempty"`
-	Description        string         `yaml:",omitempty"`
-	Published          time.Time      `yaml:",omitempty"`
-	LastModified       *time.Time     `yaml:"last_modified,omitempty"`
-	Withdrawn          *time.Time     `yaml:",omitempty"`
-	CVE                string         `yaml:",omitempty"`
-	Credit             string         `yaml:",omitempty"`
-	Symbols            []string       `yaml:",omitempty"`
-	OS                 []string       `yaml:",omitempty"`
-	Arch               []string       `yaml:",omitempty"`
-	Links              Links          `yaml:",omitempty"`
-	CVEMetadata        *CVEMeta       `yaml:"cve_metadata,omitempty"`
+
+	// Description is the CVE description from an existing CVE. If we are
+	// assigning a CVE ID ourselves, use CVEMetadata.Description instead.
+	Description  string     `yaml:",omitempty"`
+	Published    time.Time  `yaml:",omitempty"`
+	LastModified *time.Time `yaml:"last_modified,omitempty"`
+	Withdrawn    *time.Time `yaml:",omitempty"`
+
+	// CVE is the CVE ID for an existing CVE. If we are assigning a CVE ID
+	// ourselves, use CVEMetdata.ID instead.
+	CVE     string   `yaml:",omitempty"`
+	Credit  string   `yaml:",omitempty"`
+	Symbols []string `yaml:",omitempty"`
+	OS      []string `yaml:",omitempty"`
+	Arch    []string `yaml:",omitempty"`
+	Links   Links    `yaml:",omitempty"`
+
+	// CVEMetdata is used to capture CVE information when we want to assign a
+	// CVE ourselves. If a CVE already exists for an issue, use the CVE field
+	// to fill in the ID string.
+	CVEMetadata *CVEMeta `yaml:"cve_metadata,omitempty"`
 }