internal/cveschema: move CVE structs to separate package
The CVE structs are moved from internal to internal/cveschema. These
structs may be moved to be able non-internal package in the future, for
use by govulncheck.
This is a follow up from CL 355270.
Change-Id: I96580cb60f69752d448f7acc079b4f9adbf16668
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/356389
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
diff --git a/cmd/report2cve/main.go b/cmd/report2cve/main.go
index a1030ed..304bc1a 100644
--- a/cmd/report2cve/main.go
+++ b/cmd/report2cve/main.go
@@ -12,12 +12,12 @@
"os"
"strings"
- "golang.org/x/vulndb/internal"
+ "golang.org/x/vulndb/internal/cveschema"
"golang.org/x/vulndb/internal/report"
"gopkg.in/yaml.v2"
)
-func fromReport(r *report.Report) (*internal.CVE, error) {
+func fromReport(r *report.Report) (*cveschema.CVE, error) {
if r.CVE != "" {
return nil, errors.New("report has CVE ID is wrong section (should be in cve_metadata for self-issued CVEs)")
}
@@ -28,18 +28,18 @@
return nil, errors.New("report missing CVE ID")
}
- c := &internal.CVE{
+ c := &cveschema.CVE{
DataType: "CVE",
DataFormat: "MITRE",
DataVersion: "4.0",
- CVEDataMeta: internal.CVEDataMeta{
+ CVEDataMeta: cveschema.CVEDataMeta{
ID: r.CVEMetadata.ID,
ASSIGNER: "security@golang.org",
STATE: "PUBLIC",
},
- Description: internal.Description{
- DescriptionData: []internal.LangString{
+ Description: cveschema.Description{
+ DescriptionData: []cveschema.LangString{
{
Lang: "eng",
Value: strings.TrimSuffix(r.CVEMetadata.Description, "\n"),
@@ -47,10 +47,10 @@
},
},
- Problemtype: internal.Problemtype{
- ProblemtypeData: []internal.ProblemtypeDataItems{
+ Problemtype: cveschema.Problemtype{
+ ProblemtypeData: []cveschema.ProblemtypeDataItems{
{
- Description: []internal.LangString{
+ Description: []cveschema.LangString{
{
Lang: "eng",
Value: r.CVEMetadata.CWE,
@@ -60,13 +60,13 @@
},
},
- Affects: internal.Affects{
- Vendor: internal.Vendor{
- VendorData: []internal.VendorDataItems{
+ Affects: cveschema.Affects{
+ Vendor: cveschema.Vendor{
+ VendorData: []cveschema.VendorDataItems{
{
VendorName: "n/a", // ???
- Product: internal.Product{
- ProductData: []internal.ProductDataItem{
+ Product: cveschema.Product{
+ ProductData: []cveschema.ProductDataItem{
{
ProductName: r.Package,
Version: versionToVersion(r.Versions),
@@ -80,10 +80,10 @@
}
for _, additional := range r.AdditionalPackages {
- c.Affects.Vendor.VendorData = append(c.Affects.Vendor.VendorData, internal.VendorDataItems{
+ c.Affects.Vendor.VendorData = append(c.Affects.Vendor.VendorData, cveschema.VendorDataItems{
VendorName: "n/a",
- Product: internal.Product{
- ProductData: []internal.ProductDataItem{
+ Product: cveschema.Product{
+ ProductData: []cveschema.ProductDataItem{
{
ProductName: additional.Package,
Version: versionToVersion(additional.Versions),
@@ -94,29 +94,29 @@
}
if r.Links.PR != "" {
- c.References.ReferenceData = append(c.References.ReferenceData, internal.Reference{URL: r.Links.PR})
+ c.References.ReferenceData = append(c.References.ReferenceData, cveschema.Reference{URL: r.Links.PR})
}
if r.Links.Commit != "" {
- c.References.ReferenceData = append(c.References.ReferenceData, internal.Reference{URL: r.Links.Commit})
+ c.References.ReferenceData = append(c.References.ReferenceData, cveschema.Reference{URL: r.Links.Commit})
}
for _, url := range r.Links.Context {
- c.References.ReferenceData = append(c.References.ReferenceData, internal.Reference{URL: url})
+ c.References.ReferenceData = append(c.References.ReferenceData, cveschema.Reference{URL: url})
}
return c, nil
}
-func versionToVersion(versions []report.VersionRange) internal.VersionData {
- vd := internal.VersionData{}
+func versionToVersion(versions []report.VersionRange) cveschema.VersionData {
+ vd := cveschema.VersionData{}
for _, vr := range versions {
if vr.Introduced != "" {
- vd.VersionData = append(vd.VersionData, internal.VersionDataItems{
+ vd.VersionData = append(vd.VersionData, cveschema.VersionDataItems{
VersionValue: vr.Introduced,
VersionAffected: ">=",
})
}
if vr.Fixed != "" {
- vd.VersionData = append(vd.VersionData, internal.VersionDataItems{
+ vd.VersionData = append(vd.VersionData, cveschema.VersionDataItems{
VersionValue: vr.Fixed,
VersionAffected: "<",
})
diff --git a/internal/cve.go b/internal/cveschema/cveschema.go
similarity index 97%
rename from internal/cve.go
rename to internal/cveschema/cveschema.go
index da22b33..4aa66af 100644
--- a/internal/cve.go
+++ b/internal/cveschema/cveschema.go
@@ -2,8 +2,9 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-// Package internal contains functionality for interacting with x/vulndb.
-package internal
+// Package cveschema contains the schema for a CVE, as derived from
+// https://github.com/CVEProject/automation-working-group/tree/master/cve_json_schema.
+package cveschema
// CVE represents a "Common Vulnerabilities and Exposures" record, which is
// associated with a CVE ID and provided by a CNA.
@@ -12,9 +13,6 @@
// component resulting from a weakness that can be exploited, causing a negative
// impact to the confidentiality, integrity, or availability of an impacted
// component or components.
-//
-// This schema is derived from
-// https://github.com/CVEProject/automation-working-group/tree/master/cve_json_schema.
type CVE struct {
// DataType identifies what kind of data is held in this JSON file. This is
// mandatory and designed to prevent problems with attempting to detect
