x/vulndb: add link to importers of a package in new automated issues
The worker now includes a link in the automated issue description to pkg.go.dev/?tab=importedby for the affected module, as a starting point in detecting false positive vulnerability reports.
For golang/go#51944
Change-Id: I3caaaba69c07e7a3e24977cf5ea5e92559ce8628
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/402394
Reviewed-by: Julie Qiu <julieqiu@google.com>
diff --git a/internal/worker/worker.go b/internal/worker/worker.go
index a2e9b7b..d4768dd 100644
--- a/internal/worker/worker.go
+++ b/internal/worker/worker.go
@@ -301,6 +301,7 @@
if r.Links.PR != "" {
fmt.Fprintf(&intro, "\n- PR: %s", r.Links.PR)
}
+ fmt.Fprintf(&intro, "\n- Imported by: https://pkg.go.dev/%s?tab=importedby", cr.Module)
for _, l := range r.Links.Context {
fmt.Fprintf(&intro, "\n- %s", l)
}
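Review bot: The new `Imported by` line is written unconditionally, unlike the PR link directly above it, which is guarded by `if r.Links.PR != ""`. If `cr.Module` is empty for a record, the issue body will carry `https://pkg.go.dev/?tab=importedby`, which gives the triager nothing to work with. Consider guarding it with `if cr.Module != ""`. Separately, the commit title speaks of importers of a package while the value interpolated is the module path; a one-line comment stating that the module-level page is the intended starting point would remove the ambiguity.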
diff --git a/internal/worker/worker_test.go b/internal/worker/worker_test.go
index 13531a7..a036f9d 100644
--- a/internal/worker/worker_test.go
+++ b/internal/worker/worker_test.go
@@ -227,6 +227,7 @@
Links:
- NIST: https://nvd.nist.gov/vuln/detail/ID1
- JSON: https://github.com/CVEProject/cvelist/tree//
+- Imported by: https://pkg.go.dev/a.Module?tab=importedby
See [doc/triage.md](https://github.com/golang/vulndb/blob/master/doc/triage.md) for instructions on how to triage this report.
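Review bot: The only expectation added here is for the `a.Module` value, so nothing visible in this hunk covers a record whose module is empty or whose path contains slashes. A second case with an empty module would pin down whether the `Imported by` line should be omitted or emitted as a bare `https://pkg.go.dev/?tab=importedby` link, and would catch a regression if a guard is added in worker.go later.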