internal/report: document CVEMeta vs CVE
Document when report.CVEMeta vs report.CVE and report.Description should
be used.
Change-Id: Icf2d75b4701d8c7aad84e0d4d3e826adce0a2402
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/357030
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
diff --git a/internal/report/report.go b/internal/report/report.go
index 2c21af9..f0a54d2 100644
--- a/internal/report/report.go
+++ b/internal/report/report.go
@@ -49,15 +49,25 @@
// for most
AdditionalPackages []Additional `yaml:"additional_packages,omitempty"`
Versions []VersionRange `yaml:",omitempty"`
- Description string `yaml:",omitempty"`
- Published time.Time `yaml:",omitempty"`
- LastModified *time.Time `yaml:"last_modified,omitempty"`
- Withdrawn *time.Time `yaml:",omitempty"`
- CVE string `yaml:",omitempty"`
- Credit string `yaml:",omitempty"`
- Symbols []string `yaml:",omitempty"`
- OS []string `yaml:",omitempty"`
- Arch []string `yaml:",omitempty"`
- Links Links `yaml:",omitempty"`
- CVEMetadata *CVEMeta `yaml:"cve_metadata,omitempty"`
+
+ // Description is the CVE description from an existing CVE. If we are
+ // assigning a CVE ID ourselves, use CVEMetadata.Description instead.
+ Description string `yaml:",omitempty"`
+ Published time.Time `yaml:",omitempty"`
+ LastModified *time.Time `yaml:"last_modified,omitempty"`
+ Withdrawn *time.Time `yaml:",omitempty"`
+
+ // CVE is the CVE ID for an existing CVE. If we are assigning a CVE ID
+ // ourselves, use CVEMetdata.ID instead.
+ CVE string `yaml:",omitempty"`
+ Credit string `yaml:",omitempty"`
+ Symbols []string `yaml:",omitempty"`
+ OS []string `yaml:",omitempty"`
+ Arch []string `yaml:",omitempty"`
+ Links Links `yaml:",omitempty"`
+
+ // CVEMetdata is used to capture CVE information when we want to assign a
+ // CVE ourselves. If a CVE already exists for an issue, use the CVE field
+ // to fill in the ID string.
+ CVEMetadata *CVEMeta `yaml:"cve_metadata,omitempty"`
}