// Copyright 2022 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package report

import (
	"errors"
	"flag"
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
	"testing"

	"github.com/google/go-cmp/cmp"
	"github.com/google/go-cmp/cmp/cmpopts"
	"golang.org/x/tools/txtar"
	"golang.org/x/vulndb/internal/idstr"
	"golang.org/x/vulndb/internal/osv"
	"golang.org/x/vulndb/internal/proxy"
	"golang.org/x/vulndb/internal/test"
)

var (
	update    = flag.Bool("update", false, "update golden files")
	realProxy = flag.Bool("proxy", false, "if true, contact the real module proxy and update expected responses")
)

var (
	validStdLibReferences = []*Reference{
		{Type: osv.ReferenceTypeFix, URL: "https://go.dev/cl/12345"},
		{Type: osv.ReferenceTypeWeb, URL: "https://groups.google.com/g/golang-announce/c/12345"},
		{Type: osv.ReferenceTypeReport, URL: "https://go.dev/issue/12345"},
	}
	validCVEMetadata = &CVEMeta{
		ID:  "CVE-0000-1111",
		CWE: "CWE XXX: A CWE description",
	}
	noop = func(*Report) {}
)

func validReport(f func(r *Report)) Report {
	r := Report{
		ID: "GO-0000-0000",
		Modules: []*Module{{
			Module:       "golang.org/x/net",
			VulnerableAt: VulnerableAt("1.2.3"),
			Packages: []*Package{{
				Package: "golang.org/x/net/http2",
			}},
		}},
		Description:  "description",
		Summary:      "A summary of the issue in golang.org/x/net",
		CVEs:         []string{"CVE-1234-0000"},
		ReviewStatus: Reviewed,
	}
	f(&r)
	return r
}

func validNeedsReviewReport(f func(r *Report)) Report {
	r := Report{
		ID: "GO-0000-0000",
		Modules: []*Module{{
			Module:       "golang.org/x/net",
			VulnerableAt: VulnerableAt("1.2.3"),
			Packages: []*Package{{
				Package: "golang.org/x/net/http2",
			}},
			Versions: []*Version{
				Fixed("1.5.0"),
			},
		}},
		Description:  "description",
		Summary:      "A summary of the issue in golang.org/x/net",
		CVEs:         []string{"CVE-1234-0000"},
		ReviewStatus: NeedsReview,
		References: []*Reference{
			{Type: osv.ReferenceTypeAdvisory, URL: "https://example.com"},
		},
	}
	f(&r)
	return r
}

func validStdReport(f func(r *Report)) Report {
	r := Report{
		ID: "GO-0000-0000",
		Modules: []*Module{{
			Module:       "std",
			VulnerableAt: VulnerableAt("1.2.3"),
			Packages: []*Package{{
				Package: "net/http",
			}},
		}},
		Description:  "description",
		Summary:      "A summary of the problem with net/http",
		References:   validStdLibReferences,
		ReviewStatus: Reviewed,
	}
	f(&r)
	return r
}

func validExcludedReport(f func(r *Report)) Report {
	r := Report{
		ID:       "GO-0000-0000",
		Excluded: ExcludedNotGoCode,
		CVEs:     []string{"CVE-2022-1234545"},
	}
	f(&r)
	return r
}

func TestLint(t *testing.T) {
	pc, err := proxy.NewTestClient(t, *realProxy)
	if err != nil {
		t.Fatal(err)
	}

	for _, test := range []lintTC{
		{
			name: "module_version_ok",
			desc: "Module-version pairs that exist are OK.",
			report: validReport(func(r *Report) {
				r.Modules = append(r.Modules, &Module{
					Module: "golang.org/x/net",
					Versions: Versions{
						Introduced("0.2.0"),
					}})
			}),
			pc: pc,
			// No lints.
		},
		{
			name: "module_version_invalid",
			desc: "Version@module must exist.",
			report: validReport(func(r *Report) {
				r.Modules = append(r.Modules, &Module{
					Module: "golang.org/x/net",
					Versions: Versions{
						Introduced("0.2.5"), // does not exist
					}})
			}),
			pc:           pc,
			wantNumLints: 1,
		},
		{
			name: "module_non_canonical",
			desc: "Module names must be canonical.",
			report: validReport(func(r *Report) {
				r.Modules = append(r.Modules, &Module{
					Module: "github.com/golang/vuln",
					Versions: Versions{

						Introduced("0.1.0"),
					}})
			}),
			pc:           pc,
			wantNumLints: 1,
		},
		{
			name: "multiple_problems",
			desc: "A test for a report with multiple module-version issues at once.",
			report: validReport(func(r *Report) {
				r.Modules = append(r.Modules, &Module{
					Module: "github.com/golang/vuln",
					Versions: Versions{
						Introduced("0.1.0"),
						Fixed("0.2.5"),      // does not exist
						Introduced("0.2.6"), // does not exist
					}})
			}),
			pc:           pc,
			wantNumLints: 1,
		},
		{
			name:         "no_proxy_client",
			desc:         "A non-nil proxy client must be provided.",
			report:       validReport(noop),
			pc:           nil,
			wantNumLints: 1,
		},
		{
			name: "bad_module_skip_lint",
			desc: "Module does not exist but skip lint is set.",
			report: validReport(func(r *Report) {
				r.Modules = append(r.Modules, &Module{
					Module:   "golang.org/x/doesnotexist",
					SkipLint: true,
				})
			}),
			pc: pc,
			// No lints.
		},
	} {
		test := test
		t.Run(test.name, func(t *testing.T) {
			got := test.report.Lint(test.pc)
			updateAndCheckGolden(t, &test, got)
		})
	}
}

// lintTC is a lint test case.
type lintTC struct {
	name, desc   string
	report       Report
	pc           *proxy.Client
	wantNumLints int
}

func TestLintOffline(t *testing.T) {
	for _, test := range []lintTC{
		{
			name: "no_ID",
			desc: "All reports must have an ID.",
			report: validReport(func(r *Report) {
				r.ID = ""
			}),
			wantNumLints: 1,
		},
		{
			name: "no_modules",
			desc: "All reports (except excluded reports marked NOT_GO_CODE) must have at least one module.",
			report: validReport(func(r *Report) {
				r.Modules = nil
			}),
			wantNumLints: 1,
		},
		{
			name: "no_module_path",
			desc: "Every module must have a path.",
			report: validReport(func(r *Report) {
				r.Modules = append(r.Modules, &Module{
					// no path
				})
			}),
			wantNumLints: 1,
		},
		{
			name: "no_advisory",
			desc: "Reports without a description must have an advisory link.",
			report: validReport(func(r *Report) {
				r.Description = ""
				r.References = nil
			}),
			wantNumLints: 1,
		},
		{
			name: "no_advisory_unreviewed",
			desc: "Unreviewed reports must have an advisory link.",
			report: validReport(func(r *Report) {
				r.ReviewStatus = Unreviewed
				r.References = nil
			}),
			wantNumLints: 1,
		},
		{
			name: "no_advisory_needs_review",
			desc: "Needs review reports must have an advisory link.",
			report: validNeedsReviewReport(func(r *Report) {
				r.ReviewStatus = NeedsReview
				r.References = nil
			}),
			wantNumLints: 1,
		},
		{
			name: "no_description_ok",
			desc: "Reports with no description are OK if they have an advisory.",
			report: validReport(func(r *Report) {
				r.Description = ""
				r.References = []*Reference{
					{Type: osv.ReferenceTypeAdvisory, URL: "https://example.com"},
				}
			}),
			wantNumLints: 0,
		},
		{
			name: "no_description_go_cve",
			desc: "Reports with a CVE assigned by the Go CNA must have a description.",
			report: validReport(func(r *Report) {
				r.Description = ""
				r.CVEs = nil
				r.CVEMetadata = validCVEMetadata
			}),
			wantNumLints: 1,
		},
		{
			name: "description_line_length",
			desc: "Descriptions must not (except in special cases) contain lines longer than 80 characters.",
			report: validReport(func(r *Report) {
				r.Description = "This line is too long; it needs to be shortened to less than 80 characters to pass the lint check"
			}),
			wantNumLints: 1,
		},
		{
			name: "description_long_word_ok",
			desc: "Descriptions may contain lines longer than 80 characters if the line is a single word.",
			report: validReport(func(r *Report) {
				r.Description = "http://1234567890.abcdefghijklmnopqrstuvwxyz.1234567890.abcdefghijklmnopqrstuvwxyz" // 82 chars ok if single word
			}),
			// No lints.
		},
		{
			name: "no_summary",
			desc: "Regular (non-excluded) reports must have a summary.",
			report: validReport(func(r *Report) {
				r.Summary = ""
			}),
			wantNumLints: 1,
		},
		{
			name: "no_review_status",
			desc: "Regular (non-excluded) reports must have a review status.",
			report: validReport(func(r *Report) {
				r.ReviewStatus = 0
				// add an advisory to avoid the "no advisory" lint error
				r.References = []*Reference{
					{
						URL:  idstr.AdvisoryLink("CVE-1234-0000"),
						Type: osv.ReferenceTypeAdvisory,
					},
				}
			}),
			wantNumLints: 1,
		},
		{
			name: "summary_todo",
			desc: "Summaries must not contain TODOs.",
			report: validReport(func(r *Report) {
				r.Summary = "TODO: fill this out"
			}),
			wantNumLints: 1,
		},
		{
			name: "summary_too_long",
			desc: fmt.Sprintf("The summary must be %d characters or less.", summaryMaxLen),
			report: validReport(func(r *Report) {
				r.Summary = Summary(
					fmt.Sprintf("This summary of golang.org/x/net is too long and probably has unnecessary detail; it needs to be shortened to %d or fewer characters to pass the lint check", summaryMaxLen),
				)
			}),
			wantNumLints: 1,
		},
		{
			name: "summary_period",
			desc: "The summary should not end in a period. It should be a phrase, not a sentence.",
			report: validReport(func(r *Report) {
				r.Summary = "This summary of golang.org/x/net is a sentence, not a phrase."
			}),
			wantNumLints: 1,
		},
		{
			name: "summary_no_path",
			desc: "The summary must contain a module or package path listed in the report.",
			report: validReport(func(r *Report) {
				r.Summary = "This summary doesn't have a path"
			}),
			wantNumLints: 1,
		},
		{
			name: "summary_path_prefix",
			desc: "Summary may contain a prefix of a module or package path that is mentioned at least twice in a report. This is a workaround for reports that affect many modules.",
			report: validReport(func(r *Report) {
				r.Modules = append(r.Modules, &Module{
					Module:       "example.com/module/example/v2",
					VulnerableAt: VulnerableAt("1.0.0"),
				})
				r.Modules = append(r.Modules, &Module{
					Module:       "example.com/module/example/v3",
					VulnerableAt: VulnerableAt("1.0.0"),
				})
				r.Summary = "This summary is about example.com/module/example"
			}),
			// No lints.
		},
		{
			name: "summary_ok_unreviewed",
			desc: "Summary does not need to conform to style guide for unreviewed reports.",
			report: validReport(func(r *Report) {
				r.ReviewStatus = Unreviewed
				// add an advisory to avoid the "no advisory" lint error
				r.References = []*Reference{
					{
						URL:  idstr.AdvisoryLink("CVE-1234-0000"),
						Type: osv.ReferenceTypeAdvisory,
					},
				}
				r.Summary = "this summary doesn't conform to our `style` guide, but its ok because this is an unreviewed report."
			}),
			// No lints.
		},
		{
			name: "no_package_path",
			desc: "All packages must have a path.",
			report: validReport(func(r *Report) {
				r.Modules[0].Packages = append(r.Modules[0].Packages,
					&Package{
						// No package path.
					})
			}),
			wantNumLints: 1,
		},
		{
			name: "no_vulnerable_at_or_skip_fix",
			desc: "At least one of module.vulnerable_at and module.package.skip_fix must be set.",
			report: validReport(func(r *Report) {
				r.Modules[0].VulnerableAt = nil
				r.Modules[0].Packages[0].SkipFixSymbols = ""
			}),
			wantNumLints: 1,
		},
		{
			name: "skip_fix_ok",
			desc: "The vulnerable_at field can be blank if skip_fix is set.",
			report: validReport(func(r *Report) {
				r.Modules[0].VulnerableAt = nil
				r.Modules[0].Packages[0].SkipFixSymbols = "a reason"
			}),
			// No lints.
		},
		{
			name: "vulnerable_at_and_skip_fix_ok",
			desc: "It is OK to set both module.vulnerable_at and module.package.skip_fix.",
			report: validReport(func(r *Report) {
				r.Modules[0].VulnerableAt = VulnerableAt("1.2.3")
				r.Modules[0].Packages[0].SkipFixSymbols = "a reason"
			}),
			// No lints.
		},
		{
			name: "vulnerable_at_out_of_range",
			desc: "Field module.vulnerable_at must be inside the vulnerable version range for the module.",
			report: validStdReport(func(r *Report) {
				r.Modules[0].VulnerableAt = VulnerableAt("2.0.0")
				r.Modules[0].Versions = Versions{
					Fixed("1.2.1"),
				}
			}),
			wantNumLints: 1,
		},
		{
			name: "unsupported_versions",
			desc: "The unsupported_versions field should never be set.",
			report: validStdReport(func(r *Report) {
				r.Modules[0].UnsupportedVersions = Versions{
					{Version: "1.2.1", Type: "unknown"},
				}
			}),
			wantNumLints: 1,
		},
		{
			name: "unsupported_versions_needs_review",
			desc: "The unsupported_versions field should never be set for NEEDS_REVIEW reports.",
			report: validNeedsReviewReport(func(r *Report) {
				r.Modules[0].UnsupportedVersions = Versions{
					{Version: "1.2.1", Type: "unknown"},
				}
			}),
			wantNumLints: 1,
		},
		{
			name: "module_package_prefix",
			desc: "In third party reports, module names must be prefixes of package names.",
			report: validReport(func(r *Report) {
				r.Modules = append(r.Modules, &Module{
					Module:       "example.com/module",
					VulnerableAt: VulnerableAt("1.0.0"),
					Packages: []*Package{{
						Package: "example.com/package",
					}},
				})
			}),
			wantNumLints: 1,
		},
		{
			name: "invalid_package_path",
			desc: "In third party reports, package paths must pass validity checks in x/mod/module.CheckImportPath.",
			report: validReport(func(r *Report) {
				r.Modules = append(r.Modules, &Module{
					Module:       "invalid.",
					VulnerableAt: VulnerableAt("1.0.0"),
					Packages: []*Package{{
						Package: "invalid.",
					}}})
			}),
			wantNumLints: 1,
		},
		{
			name: "no_package_path_stdlib",
			desc: "All packages must have a path.",
			report: validStdReport(func(r *Report) {
				r.Modules[0].Packages[0].Package = ""
			}),
			wantNumLints: 1,
		},
		{
			name: "no_package_stdlib",
			desc: "In standard library reports, all modules must contain at least one package.",
			report: validStdReport(func(r *Report) {
				r.Modules = append(r.Modules,
					&Module{
						Module:       "std",
						VulnerableAt: VulnerableAt("1.0.0"),
						// No packages.
					},
				)
			}),
			wantNumLints: 1,
		},
		{
			name: "runtime_package_with_symbols",
			desc: "In standard library reports, the runtime package must not contain any symbols.",
			report: validStdReport(func(r *Report) {
				r.Modules = append(r.Modules,
					&Module{
						Module:       "std",
						VulnerableAt: VulnerableAt("1.0.0"),
						Packages: []*Package{{
							Package: "runtime",
							Symbols: []string{"foo"},
						}},
					},
				)
			}),
			wantNumLints: 1,
		},
		{
			name: "wrong_module_cmd",
			desc: "Packages beginning with 'cmd' should be in the 'cmd' module.",
			report: validStdReport(func(r *Report) {
				r.Modules = append(r.Modules, &Module{
					Module:       "std",
					VulnerableAt: VulnerableAt("1.0.0"),
					Packages: []*Package{{
						Package: "cmd/go",
					}},
				})
			}),
			wantNumLints: 1,
		},
		{
			name: "versions_overlapping_ranges",
			desc: "Version ranges must not overlap.",
			report: validStdReport(func(r *Report) {
				r.Modules[0].Versions = Versions{
					// Two fixed versions in a row with no introduced.
					Fixed("1.2.1"), Fixed("1.3.2"),
				}
			}),
			wantNumLints: 1,
		},
		{
			name: "versions_fixed_before_introduced",
			desc: "Within a version range, the fixed version must come before the introduced version.",
			report: validStdReport(func(r *Report) {
				r.Modules[0].Versions = Versions{

					Introduced("1.3.0"),
					Fixed("1.2.1"),
				}
			}),
			wantNumLints: 1,
		},
		{
			name: "versions_checked_no_vulnerable_at",
			desc: "Version checks still apply if vulnerable_at is not set.",
			report: validStdReport(func(r *Report) {
				r.Modules[0].VulnerableAt = nil
				r.Modules[0].Versions = Versions{
					// Two fixed versions in a row with no introduced.
					Fixed("1.2.1"), Fixed("1.3.2"),
				}
			}),
			wantNumLints: 2,
		},
		{
			name: "invalid_semver",
			desc: "All versions must be valid, unprefixed, semver",
			report: validStdReport(func(r *Report) {
				r.Modules[0].Versions = Versions{
					Introduced("1.3.X"),
				}
			}),
			wantNumLints: 2,
		},
		{
			name: "invalid_prelease",
			desc: "All versions must be valid, unprefixed, semver",
			report: validStdReport(func(r *Report) {
				r.Modules[0].Versions = Versions{
					Introduced("1.3.0-rc2"),
				}
			}),
			wantNumLints: 2,
		},
		{
			name: "no_latest_fixed",
			desc: "NEEDS_REVIEW reports need a latest fixed version for all modules.",
			report: validNeedsReviewReport(func(r *Report) {
				r.Modules[0].Versions = Versions{
					Introduced("1.2.1"),
					Fixed("1.3.0"),
					Introduced("1.3.2"),
				}
			}),
			wantNumLints: 1,
		},
		{
			name: "bad_cve",
			desc: "All CVEs must be valid.",
			report: validReport(func(r *Report) {
				r.CVEs = []string{"CVE.1234.5678"}
			}),
			wantNumLints: 1,
		},
		{
			name: "bad_ghsa",
			desc: "All GHSAs must be valid.",
			report: validReport(func(r *Report) {
				r.GHSAs = []string{"GHSA-123"}
			}),
			wantNumLints: 1,
		},
		{
			name: "cve_and_cve_metadata_ok",
			desc: "It is OK to set both cves and cve_metadata.",
			report: validReport(func(r *Report) {
				r.CVEs = []string{"CVE-0000-1111"}
				r.CVEMetadata = validCVEMetadata
			}),
			// No lints.
		},
		{
			name: "cve_metadata_missing_fields",
			desc: "Field cve_metadata (if not nil), must have an ID and CWE.",
			report: validReport(func(r *Report) {
				r.CVEs = nil
				r.CVEMetadata = &CVEMeta{
					// missing fields
				}
			}),
			wantNumLints: 2,
		},
		{
			name: "cve_metadata_bad_fields",
			desc: "Field cve_metadata must contain valid entries for ID and CWE.",
			report: validReport(func(r *Report) {
				r.CVEs = nil
				r.CVEMetadata = &CVEMeta{
					ID:  "CVE.0000.1111",
					CWE: "TODO",
				}
			}),
			wantNumLints: 2,
		},
		{
			name: "reference_invalid_type",
			desc: "Reference type must be one of the pre-defined types in osv.ReferenceTypes.",
			report: validReport(func(r *Report) {
				r.References = append(r.References, &Reference{
					Type: "INVALID",
					URL:  "http://go.dev/",
				})
			}),
			wantNumLints: 1,
		},
		{
			name: "references_multiple_advisories",
			desc: "Each report should contain at most one advisory reference.",
			report: validReport(func(r *Report) {
				r.References = append(r.References, &Reference{
					Type: "ADVISORY",
					URL:  "http://go.dev/a",
				}, &Reference{
					Type: "ADVISORY",
					URL:  "http://go.dev/b",
				})
			}),
			wantNumLints: 1,
		},
		{
			name: "references_redundant_web_advisories",
			desc: "Reports should not contain redundant web-type references linking to CVEs/GHSAs listed in the cves/ghsas sections.",
			report: validReport(func(r *Report) {
				r.CVEs = []string{"CVE-0000-0000", "CVE-0000-0001"}
				r.GHSAs = []string{"GHSA-0000-0000-0000"}
				r.References = append(r.References, &Reference{
					Type: "WEB",
					URL:  "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-0000-0000",
				}, &Reference{
					Type: "WEB",
					URL:  "https://nvd.nist.gov/vuln/detail/CVE-0000-0001",
				}, &Reference{
					Type: "WEB",
					URL:  "https://nvd.nist.gov/vuln/detail/CVE-0000-0002", // ok
				}, &Reference{
					Type: "WEB",
					URL:  "https://github.com/advisories/GHSA-0000-0000-0000",
				}, &Reference{
					Type: "WEB",
					URL:  "https://github.com/advisories/GHSA-0000-0000-0001", // ok
				})
			}),
			wantNumLints: 3,
		},
		{
			name: "references_unfixed",
			desc: "References should not contain non-canonical link formats (that can be auto-fixed).",
			report: validReport(func(r *Report) {
				r.References = []*Reference{
					{Type: osv.ReferenceTypeFix, URL: "https://github.com/golang/go/commit/12345"},
					{Type: osv.ReferenceTypeReport, URL: "https://github.com/golang/go/issues/12345"},
					{Type: osv.ReferenceTypeWeb, URL: "https://golang.org/xxx"},
					{Type: osv.ReferenceTypeWeb, URL: "https://groups.google.com/forum/#!/golang-announce/12345/1/"},
				}
			}),
			wantNumLints: 4,
		},
		{
			name: "references_incorrect_stdlib",
			desc: "Standard library reports must contain references matching a specific format.",
			report: validStdReport(func(r *Report) {
				r.References = []*Reference{
					{Type: osv.ReferenceTypeAdvisory, URL: "http://www.example.com"},
					{Type: osv.ReferenceTypeFix, URL: "https://go-review.googlesource.com/c/go/+/12345"},
					{Type: osv.ReferenceTypeFix, URL: "https://github.com/golang/go/commit/12345"},
					{Type: osv.ReferenceTypeReport, URL: "https://github.com/golang/go/issues/12345"},
					{Type: osv.ReferenceTypeWeb, URL: "https://go.dev/"},
					// no announce link
				}
			}),
			wantNumLints: 8,
		},
		{
			name: "references_missing_stdlib",
			desc: "Standard library reports must contain at least one report, fix, and announcement link.",
			report: validStdReport(func(r *Report) {
				r.References = []*Reference{
					// no links
				}
			}),
			wantNumLints: 3,
		},
		{
			name: "reference_invalid_URL",
			desc: "References must be valid URLs.",
			report: validReport(func(r *Report) {
				r.References = []*Reference{
					{
						Type: osv.ReferenceTypeFix,
						URL:  "go.dev/cl/12345", // needs "https://" prefix
					},
				}
			}),
			wantNumLints: 1,
		},
		{
			name: "missing_fields_excluded",
			desc: "Excluded reports must contain (at least): a valid excluded reason, a module, and one CVE or GHSA.",
			report: validExcludedReport(func(r *Report) {
				r.Excluded = "not a real reason"
				r.Modules = nil
				r.CVEs = nil
				r.GHSAs = nil
			}),
			wantNumLints: 3,
		},
		{
			name: "bad_related",
			desc: "The related field must not contain duplicate or invalid IDs.",
			report: validReport(func(r *Report) {
				r.CVEs = []string{"CVE-0000-1111"}
				r.Related = []string{
					"not-an-id",           // bad
					"CVE-0000-1111",       // bad (duplicate)
					"CVE-0000-1112",       // ok
					"GHSA-0000-0000-0000", // ok
					"GO-1990-0001",        // ok
				}
			}),
			wantNumLints: 2,
		},
		{
			name: "module_version_offline",
			desc: "In offline mode, module-version consistency is not checked because it requires a call to the module proxy.",
			report: validReport(func(r *Report) {
				r.Modules = append(r.Modules, &Module{
					Module: "golang.org/x/net",
					Versions: Versions{
						Introduced("0.2.5"), // does not exist
					},
				})
			}),
			// No lints: in offline mode, versions aren't checked.
		},
		{
			name:   "valid_excluded",
			desc:   "No lints are generated for valid excluded reports.",
			report: validExcludedReport(noop),
			// No lints.
		},
		{
			name: "markdown",
			desc: "Descriptions and summaries should not contain Markdown formatting.",
			report: validReport(
				func(r *Report) {
					r.Summary += " in function `Hello`"
					r.Description = "# Problem\nMore info [here](https://example.com)"
				},
			),
			wantNumLints: 3,
		},
	} {
		test := test
		t.Run(test.name, func(t *testing.T) {
			got := test.report.LintOffline()
			updateAndCheckGolden(t, &test, got)
		})
	}
}

// The name of the "file" in the txtar archive containing the expected output.
const golden = "golden"

func updateAndCheckGolden(t *testing.T, test *lintTC, lints []string) {
	if *update {
		if errs := checkGoldenFile(t, test, lints); len(errs) == 0 {
			return
		}
		if err := updateGoldenFile(t, test, lints); err != nil {
			t.Error(err)
		}
	}
	for _, err := range checkGoldenFile(t, test, lints) {
		t.Error(err)
	}
}

func updateGoldenFile(t *testing.T, tc *lintTC, lints []string) error {
	t.Helper()

	fpath := goldenFilename(t)

	// Double-check that we got the right number of lints, to make it
	// harder to lose/gain a lint with the auto-update.
	if tc.wantNumLints != len(lints) {
		return fmt.Errorf("%s: cannot update: got %d lints, want %d", fpath, len(lints), tc.wantNumLints)
	}

	rb, err := reportToBytes(&tc.report)
	if err != nil {
		return err
	}

	return test.WriteTxtar(fpath, []txtar.File{
		{
			Name: testYAMLFilename(&tc.report),
			Data: rb,
		},
		{
			Name: golden,
			Data: lintsToBytes(lints),
		},
	}, newComment(t, tc))
}

func checkGoldenFile(t *testing.T, tc *lintTC, lints []string) []error {
	t.Helper()

	fpath := goldenFilename(t)

	if _, err := os.Stat(fpath); err != nil {
		return []error{fmt.Errorf("golden file %s does not exist (re-run test with -update flag)", fpath)}
	}

	ar, err := txtar.ParseFile(fpath)
	if err != nil {
		return []error{err}
	}

	var errs []error

	wantComment, gotComment := newComment(t, tc), string(ar.Comment)
	if err := test.CheckComment(wantComment, gotComment); err != nil {
		errs = append(errs, err)
	}

	// Check that all expected files are present and have the correct contents.
	reportFile := testYAMLFilename(&tc.report)
	foundReport, foundGolden := false, false
	for _, f := range ar.Files {
		switch af := f.Name; {
		case af == golden:
			want := f.Data
			got := lintsToBytes(lints)
			if diff := cmp.Diff(want, got); diff != "" {
				errs = append(errs, fmt.Errorf("%s: %s: mismatch (-want, +got):\n%s", fpath, af, diff))
			}
			foundGolden = true
		case af == reportFile:
			want := f.Data
			got, err := reportToBytes(&tc.report)
			if err != nil {
				t.Errorf("%s: %s", af, err)
				continue
			}
			if diff := cmp.Diff(want, got); diff != "" {
				errs = append(errs, fmt.Errorf("%s: %s: mismatch (-want, +got):\n%s", fpath, af, diff))
			}
			foundReport = true
		default:
			errs = append(errs, fmt.Errorf("%s: unexpected archive file %s, expected one of (%q, %q)", fpath, af, reportFile, golden))
		}
	}
	if !foundReport {
		errs = append(errs, fmt.Errorf("%s: no report found (want archive file %q)", fpath, reportFile))
	}
	if !foundGolden {
		errs = append(errs, fmt.Errorf("%s: no golden found (want archive file %q)", fpath, golden))
	}
	return errs
}

func testYAMLFilename(r *Report) string {
	id := r.ID
	if id == "" {
		id = "NO-GO-ID"
	}
	// Use path instead of filepath so that the paths
	// always use forward slashes.
	// These filenames are only used inside .txtar archives.
	return path.Join(dataFolder, r.folder(), id+".yaml")
}

func newComment(t *testing.T, tc *lintTC) string {
	t.Helper()
	return fmt.Sprintf("Test: %s\nDescription: %s", t.Name(), tc.desc)
}

func goldenFilename(t *testing.T) string {
	t.Helper()
	return filepath.Join("testdata", "lint", t.Name()+".txtar")
}

func lintsToBytes(lints []string) []byte {
	return []byte(strings.Join(lints, "\n") + "\n")
}

func reportToBytes(report *Report) ([]byte, error) {
	ys, err := report.ToString()
	if err != nil {
		return nil, err
	}
	return []byte(ys + "\n"), nil
}

func TestCheckFilename(t *testing.T) {
	for _, test := range []struct {
		desc     string
		filename string
		report   Report
		wantErr  error
	}{
		{
			desc:     "wrong ID",
			filename: "data/reports/GO-0000-0000.yaml",
			report: validReport(
				func(r *Report) {
					r.ID = "GO-0000-1111"
				}),
			wantErr: errWrongID,
		},
		{
			desc:     "excluded in correct directory",
			filename: "data/excluded/GO-0000-0000.yaml",
			report:   validExcludedReport(noop),
			wantErr:  nil,
		},
		{
			desc:     "excluded in wrong directory",
			filename: "data/wrong/GO-0000-0000.yaml",
			report:   validExcludedReport(noop),
			wantErr:  errWrongDir,
		},
		{
			desc:     "non-excluded in correct directory",
			filename: "data/reports/GO-0000-0000.yaml",
			report:   validReport(noop),
			wantErr:  nil,
		},
		{
			desc:     "non-excluded in wrong directory",
			filename: "data/wrong/GO-0000-0000.yaml",
			report:   validReport(noop),
			wantErr:  errWrongDir,
		},
	} {
		test := test
		t.Run(test.desc, func(t *testing.T) {
			if err := test.report.CheckFilename(test.filename); !errors.Is(err, test.wantErr) {
				t.Errorf("CheckFilename(%s) = %v, want error %v", test.filename, err, test.wantErr)
			}
		})
	}
}

func TestLintAsNotes(t *testing.T) {
	// A report with lints.
	report := validReport(
		func(r *Report) {
			r.Summary = ""
			r.Notes = []*Note{
				{Body: "an existing lint that will be deleted", Type: NoteTypeLint},
				{Body: "a note added by a human", Type: NoteTypeNone}}
		},
	)

	found := report.LintAsNotes(nil)
	if !found {
		t.Error("LintAsNotes() = false, want true")
	}

	want, got := []*Note{
		{Body: "a note added by a human", Type: NoteTypeNone}, // preserved
		{Body: "summary: missing", Type: NoteTypeLint},
		{Body: "proxy client is nil; cannot perform all lint checks", Type: NoteTypeLint}}, report.Notes
	if diff := cmp.Diff(want, got,
		// ignore order
		cmpopts.SortSlices(
			func(a, b *Note) bool {
				if a.Type < b.Type {
					return true
				} else if a.Type > b.Type {
					return false
				}
				return a.Body < b.Body
			})); diff != "" {
		t.Errorf("mismatch (-want, +got):\n%s", diff)
	}
}