blob: 12a1aef4cd9db86d41a17b1d43cbf460e3fc11b4 [file] [log] [blame]
// Copyright 2023 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package genericosv
import (
osvschema ""
// ToReport converts OSV into a Go Report with the given ID.
func (osv *Entry) ToReport(goID string, pc *proxy.Client) *report.Report {
r := &report.Report{
ID: goID,
Summary: report.Summary(osv.Summary),
Description: osv.Details,
addAlias := func(alias string) {
switch {
case cveschema5.IsCVE(alias):
r.CVEs = append(r.CVEs, alias)
case ghsa.IsGHSA(alias):
r.GHSAs = append(r.GHSAs, alias)
r.Notes = append(r.Notes, &report.Note{
Body: fmt.Sprintf("found alias %s that is not a GHSA or CVE", alias),
Type: report.NoteTypeCreate,
for _, alias := range osv.Aliases {
r.Modules = affectedToModules(osv.Affected, pc)
for _, ref := range osv.References {
r.References = append(r.References, convertRef(ref))
r.Credits = convertCredits(osv.Credits)
return r
func affectedToModules(as []osvschema.Affected, pc *proxy.Client) []*report.Module {
var modules []*report.Module
for _, a := range as {
if a.Package.Ecosystem != osvschema.EcosystemGo {
versions, unsupportedVersions := convertVersions(a.Ranges)
modules = append(modules, &report.Module{
Module: a.Package.Name,
Versions: versions,
UnsupportedVersions: unsupportedVersions,
for _, m := range modules {
extractImportPath(m, pc)
if ok := fixMajorVersion(m, pc); !ok {
addIncompatible(m, pc)
canonicalize(m, pc)
modules = merge(modules)
// Fix the versions *after* the modules have been merged.
for _, m := range modules {
return modules
// extractImportPath checks if the module m's "module" path is actually
// an import path. If so, it adds the import path to the packages list
// and fixes the module path. Modifies m.
// Does nothing if the module path is already correct, or isn't recognized
// by the proxy at all.
func extractImportPath(m *report.Module, pc *proxy.Client) {
path := m.Module
modulePath, err := pc.FindModule(m.Module)
if err != nil || // path doesn't contain a module, needs human review
path == modulePath { // path is already a module, no action needed
m.Module = modulePath
m.Packages = append(m.Packages, &report.Package{Package: path})
// fixMajorVersion corrects the major version prefix of the module
// path if possible.
// Returns true if the major version was already correct or could be
// fixed.
// For now, it gives up if it encounters various problems and
// special cases (see comments inline).
func fixMajorVersion(m *report.Module, pc *proxy.Client) (ok bool) {
if strings.HasPrefix(m.Module, "") {
return false // don't attempt to fix modules
// If there is no "introduced" version, don't attempt to fix
// major version.
// Example: is fixed at 2.2.2. This likely means
// that is vulnerable at all versions and
// is vulnerable up to 2.2.2.
// Changing to would lose
// information.
hasIntroduced := func(m *report.Module) bool {
for _, vr := range m.Versions {
if vr.Introduced != "" {
return true
return false
if !hasIntroduced(m) {
return false
wantMajor, ok := commonMajor(m.Versions)
if !ok { // inconsistent major version, don't attempt to fix
return false
prefix, major, ok := module.SplitPathVersion(m.Module)
if !ok { // couldn't parse module path, don't attempt to fix
return false
if major == wantMajor {
return true // nothing to do
fixed := prefix + wantMajor
if !pc.ModuleExists(fixed) {
return false // attempted fixed module doesn't exist, give up
m.Module = fixed
return true
const (
v0 = "v0"
v1 = "v1"
v0v1 = "v0 or v1"
func major(v string) string {
m := version.Major(v)
if m == v0 || m == v1 {
return v0v1
return m
// commonMajor returns the major version path suffix (e.g. "/v2") common
// to all versions in the version range, or ("", false) if not all versions
// have the same major version.
// Returns ("", true) if the major version is 0 or 1.
func commonMajor(vs []report.VersionRange) (_ string, ok bool) {
maj := major(first(vs))
for _, vr := range vs {
for _, v := range []string{vr.Introduced, vr.Fixed} {
if v == "" {
current := major(v)
if current != maj {
return "", false
if maj == v0v1 {
return "", true
return "/" + maj, true
// canonicalize attempts to canonicalize the module path,
// and updates the module path and packages list if successful.
// Modifies m.
// Does nothing if the module path is already canonical, or isn't recognized
// by the proxy at all.
func canonicalize(m *report.Module, pc *proxy.Client) {
if len(m.Versions) == 0 {
return // no versions, don't attempt to fix
canonical, err := commonCanonical(m, pc)
if err != nil {
return // no consistent canonical version found, don't attempt to fix
original := m.Module
m.Module = canonical
// Fix any package paths.
for _, p := range m.Packages {
if strings.HasPrefix(p.Package, original) {
p.Package = canonical + strings.TrimPrefix(p.Package, original)
func commonCanonical(m *report.Module, pc *proxy.Client) (string, error) {
canonical, err := pc.CanonicalModulePath(m.Module, first(m.Versions))
if err != nil {
return "", err
for _, vr := range m.Versions {
for _, v := range []string{vr.Introduced, vr.Fixed} {
if v == "" {
current, err := pc.CanonicalModulePath(m.Module, v)
if err != nil {
return "", err
if current != canonical {
return "", fmt.Errorf("inconsistent canonical module paths: %s and %s", canonical, current)
return canonical, nil
// addIncompatible adds "+incompatible" to all versions where module@version
// does not exist but module@version+incompatible does exist.
// TODO( Consider making this work for
// non-canonical versions too (example: GHSA-w4xh-w33p-4v29).
func addIncompatible(m *report.Module, pc *proxy.Client) {
tryAdd := func(v string) (string, bool) {
if v == "" {
return "", false
if major(v) == v0v1 {
return "", false // +incompatible does not apply for major versions < 2
if pc.ModuleExistsAtTaggedVersion(m.Module, v) {
return "", false // module@version is already OK
if vi := v + "+incompatible"; pc.ModuleExistsAtTaggedVersion(m.Module, vi) {
return vi, true
return "", false // module@version+incompatible doesn't exist
for i, vr := range m.Versions {
if vi, ok := tryAdd(vr.Introduced); ok {
m.Versions[i].Introduced = vi
if vi, ok := tryAdd(vr.Fixed); ok {
m.Versions[i].Fixed = vi
func sortModules(ms []*report.Module) {
sort.SliceStable(ms, func(i, j int) bool {
m1, m2 := ms[i], ms[j]
// Break ties by lowest affected version, assuming the version list is sorted.
if m1.Module == m2.Module {
vr1, vr2 := m1.Versions, m2.Versions
if len(vr1) == 0 {
return true
} else if len(vr2) == 0 {
return false
v1, v2 := first(vr1), first(vr2)
if v1 == v2 {
pkgs1, pkgs2 := m1.Packages, m2.Packages
if len(pkgs1) == 0 {
return true
} else if len(pkgs2) == 0 {
return false
return pkgs1[0].Package < pkgs2[0].Package
return version.Before(v1, v2)
return m1.Module < m2.Module
// merge merges all modules with the same module & package info
// (but possibly different versions) into one.
func merge(ms []*report.Module) []*report.Module {
type compMod struct {
path string
packages string // sorted, comma separated list of package names
toCompMod := func(m *report.Module) compMod {
var packages []string
for _, p := range m.Packages {
packages = append(packages, p.Package)
return compMod{
path: m.Module,
packages: strings.Join(packages, ","),
merge := func(m1, m2 *report.Module) *report.Module {
// only run if m1 and m2 are same except versions
// deletes vulnerable_at if set
return &report.Module{
Module: m1.Module,
Versions: append(m1.Versions, m2.Versions...),
UnsupportedVersions: append(m1.UnsupportedVersions, m2.UnsupportedVersions...),
Packages: m1.Packages,
modules := make(map[compMod]*report.Module)
for _, m := range ms {
c := toCompMod(m)
mod, ok := modules[c]
if !ok {
modules[c] = m
} else {
modules[c] = merge(mod, m)
return maps.Values(modules)
func first(vrs []report.VersionRange) string {
for _, vr := range vrs {
for _, v := range []string{vr.Introduced, vr.Fixed} {
if v != "" {
return v
return ""
func convertVersions(rs []osvschema.Range) ([]report.VersionRange, []report.UnsupportedVersion) {
var vrs []report.VersionRange
var uvs []report.UnsupportedVersion
for _, r := range rs {
for _, e := range r.Events {
if e.Introduced != "" || e.Fixed != "" {
var vr report.VersionRange
switch {
case e.Introduced == "0":
case e.Introduced != "":
vr.Introduced = e.Introduced
case e.Fixed != "":
vr.Fixed = e.Fixed
vrs = append(vrs, vr)
var uv report.UnsupportedVersion
switch {
case e.LastAffected != "":
uv.Version = e.LastAffected
uv.Type = "last_affected"
case e.Limit != "":
uv.Version = e.Limit
uv.Type = "limit"
uv.Version = fmt.Sprint(e)
uv.Type = "unknown"
uvs = append(uvs, uv)
return vrs, uvs
var (
goAdvisory = regexp.MustCompile(`^*$`)
func convertRef(ref osvschema.Reference) *report.Reference {
return &report.Reference{
Type: osv.ReferenceType(ref.Type),
URL: ref.URL,
// fixRefs deletes some unneeded references, and attempts to fix reference types.
// Modifies r.
// Deletes:
// - "package"-type references
// - Go advisory references (these are redundant for us)
// Changes:
// - reference type to "advisory" for GHSA and CVE links.
// - reference type to "fix" for Github pull requests and commit links in one of
// the affected modules
// - reference type to "report" for Github issues in one of
// the affected modules
func fixRefs(r *report.Report) {
r.References = slices.DeleteFunc(r.References, func(ref *report.Reference) bool {
return ref.Type == osv.ReferenceTypePackage ||
if len(r.References) == 0 {
r.References = nil
oneOfRE := func(s []string) string {
return `(` + strings.Join(s, "|") + `)`
ghsaAdvisory := regexp.MustCompile(`^*advisories/(` + oneOfRE(r.GHSAs) + `)$`)
cveAdvisory := regexp.MustCompile(`^` + oneOfRE(r.CVEs) + `)$`)
// For now, this will not attempt to fix reference types for
// modules whose canonical names are different from their github path.
var modulePaths []string
for _, m := range r.Modules {
modulePaths = append(modulePaths, m.Module)
moduleRE := oneOfRE(modulePaths)
issue := regexp.MustCompile(`https://` + moduleRE + `/issue(s?)/.*$`)
fix := regexp.MustCompile(`https://` + moduleRE + `/(commit(s?)|pull)/.*$`)
for _, ref := range r.References {
switch {
case ghsaAdvisory.MatchString(ref.URL) ||
ref.Type = osv.ReferenceTypeAdvisory
case issue.MatchString(ref.URL):
ref.Type = osv.ReferenceTypeReport
case fix.MatchString(ref.URL):
ref.Type = osv.ReferenceTypeFix
func convertCredits(cs []osvschema.Credit) []string {
var credits []string
for _, c := range cs {
credit := c.Name
if len(c.Contact) != 0 {
credit = fmt.Sprintf("%s (%s)", c.Name, strings.Join(c.Contact, ","))
credits = append(credits, credit)
return credits