internal/{genericosv,report}: add YAML field unknown_aliases
Adds a structured field, "unknown_aliases", to store aliases
other than GHSAs and CVEs.
We don't yet publish these to OSV, but this opens the
possibility to do this in the future.
Change-Id: Iab2f63bd15241c9d72f73bda33889f65874e9dc0
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/576997
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
diff --git a/data/reports/GO-2024-2643.yaml b/data/reports/GO-2024-2643.yaml
index f3ca4db..9c04252 100644
--- a/data/reports/GO-2024-2643.yaml
+++ b/data/reports/GO-2024-2643.yaml
@@ -31,10 +31,10 @@
- CVE-2023-50726
ghsas:
- GHSA-g623-jcgg-mhmm
+unknown_aliases:
+ - BIT-argo-cd-2023-50726
credits:
- '@crenshaw-dev'
references:
- fix: https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978
- web: https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac
-notes:
- - create: found alias BIT-argo-cd-2023-50726 that is not a GHSA or CVE
diff --git a/data/reports/GO-2024-2646.yaml b/data/reports/GO-2024-2646.yaml
index d9f8fb2..95dac89 100644
--- a/data/reports/GO-2024-2646.yaml
+++ b/data/reports/GO-2024-2646.yaml
@@ -29,11 +29,12 @@
- CVE-2024-28175
ghsas:
- GHSA-jwv5-8mqv-g387
+unknown_aliases:
+ - BIT-argo-cd-2024-28175
credits:
- '@Ry0taK, @agaudreault, and @crenshaw-dev'
references:
- advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387
- fix: https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71
notes:
- - create: found alias BIT-argo-cd-2024-28175 that is not a GHSA or CVE
- Fix is in typescript code.
diff --git a/data/reports/GO-2024-2683.yaml b/data/reports/GO-2024-2683.yaml
index 9a05c3f..70b5e68 100644
--- a/data/reports/GO-2024-2683.yaml
+++ b/data/reports/GO-2024-2683.yaml
@@ -25,10 +25,10 @@
- CVE-2021-41803
ghsas:
- GHSA-hr3v-8cp3-68rf
+unknown_aliases:
+ - BIT-consul-2021-41803
credits:
- anonymous4ACL24
references:
- web: https://discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/44627
- fix: https://github.com/hashicorp/consul/pull/14577/commits/2c881259ce10e308ff03afc968c4165998fd7fee
-notes:
- - create: found alias BIT-consul-2021-41803 that is not a GHSA or CVE
diff --git a/internal/genericosv/report.go b/internal/genericosv/report.go
index 370c250..25b4426 100644
--- a/internal/genericosv/report.go
+++ b/internal/genericosv/report.go
@@ -36,7 +36,7 @@
case ghsa.IsGHSA(alias):
r.GHSAs = append(r.GHSAs, alias)
default:
- r.AddNote(report.NoteTypeCreate, "found alias %s that is not a GHSA or CVE", alias)
+ r.UnknownAliases = append(r.UnknownAliases, alias)
}
}
addAlias(osv.ID)
diff --git a/internal/report/report.go b/internal/report/report.go
index 301f5ed..41decd1 100644
--- a/internal/report/report.go
+++ b/internal/report/report.go
@@ -217,6 +217,10 @@
// the above CVEs.
GHSAs []string `yaml:",omitempty"`
+ // Aliases from other databases that we don't (yet) know about.
+ // Not published to OSV.
+ UnknownAliases []string `yaml:"unknown_aliases,omitempty"`
+
// Related is a list of identifiers (e.g. CVEs or GHSAs)
// that are related to, but are not direct aliases of, this report.
Related []string `yaml:",omitempty"`
