internal/report: add lint check for multiple ADVISORY references
Fixes golang/go#54900
Change-Id: Ic6a852959dee4609d501ea9abcf7726ddf147aa5
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/432237
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
diff --git a/data/osv/GO-2022-0646.json b/data/osv/GO-2022-0646.json
index 5a5912c..612874c 100644
--- a/data/osv/GO-2022-0646.json
+++ b/data/osv/GO-2022-0646.json
@@ -47,11 +47,11 @@
"url": "https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09"
},
{
- "type": "ADVISORY",
+ "type": "WEB",
"url": "https://github.com/advisories/GHSA-7f33-f4f5-xwgw"
},
{
- "type": "ADVISORY",
+ "type": "WEB",
"url": "https://github.com/advisories/GHSA-f5pg-7wfw-84q9"
},
{
diff --git a/data/reports/GO-2022-0646.yaml b/data/reports/GO-2022-0646.yaml
index add14fa..e1936cb 100644
--- a/data/reports/GO-2022-0646.yaml
+++ b/data/reports/GO-2022-0646.yaml
@@ -25,7 +25,7 @@
credit: Sophie Schmieg from the Google ISE team
references:
- advisory: https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09
- - advisory: https://github.com/advisories/GHSA-7f33-f4f5-xwgw
- - advisory: https://github.com/advisories/GHSA-f5pg-7wfw-84q9
+ - web: https://github.com/advisories/GHSA-7f33-f4f5-xwgw
+ - web: https://github.com/advisories/GHSA-f5pg-7wfw-84q9
- fix: https://github.com/aws/aws-sdk-go/pull/3403
- fix: https://github.com/aws/aws-sdk-go/commit/ae9b9fd92af132cfd8d879809d8611825ba135f4
diff --git a/internal/report/lint.go b/internal/report/lint.go
index 9142c1d..2ca7fe6 100644
--- a/internal/report/lint.go
+++ b/internal/report/lint.go
@@ -314,6 +314,7 @@
}
func (r *Report) lintLinks(addIssue func(string)) {
+ advisoryCount := 0
for _, ref := range r.References {
if !slices.Contains(ReferenceTypes, ref.Type) {
addIssue(fmt.Sprintf("%q is not a valid reference type", ref.Type))
@@ -325,6 +326,12 @@
if fixed := fixURL(l); fixed != l {
addIssue(fmt.Sprintf("unfixed url: %q should be %q", l, fixURL(l)))
}
+ if ref.Type == ReferenceTypeAdvisory {
+ advisoryCount++
+ }
+ }
+ if advisoryCount > 1 {
+ addIssue("references should contain at most one advisory link")
}
}
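Review bot: The issue text at the end of the hunk, `references should contain at most one advisory link`, tells the report author neither how many advisory references were found nor what to do about them, even though the data change in this same commit shows the remedy is to demote the extras to `web`. Reporting the count and the remedy makes the lint self-explanatory, e.g. `addIssue(fmt.Sprintf("references should contain at most one advisory link (found %d); demote the others to web", advisoryCount))`. The reason for the limit is also not recorded in the code; a why-comment above the `if advisoryCount > 1` check such as `// Only one ADVISORY reference is allowed; presumably downstream consumers treat it as the canonical advisory — confirm.` would stop a future maintainer from quietly relaxing it. The body of lintLinks between this hunk and the previous one is outside view, so whether an earlier `continue` in the loop can bypass the new counter could not be checked.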
diff --git a/internal/report/lint_test.go b/internal/report/lint_test.go
index 711d8eb..0f646f7 100644
--- a/internal/report/lint_test.go
+++ b/internal/report/lint_test.go
@@ -20,6 +20,20 @@
}
)
+func validXReport(f func(r *Report)) Report {
+ r := Report{
+ Modules: []*Module{{
+ Module: "golang.org/x/net",
+ Packages: []*Package{{
+ Package: "golang.org/x/net/http2",
+ }},
+ }},
+ Description: "description",
+ }
+ f(&r)
+ return r
+}
+
func TestLint(t *testing.T) {
for _, test := range []struct {
desc string
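Review bot: `validXReport` is a new package-level test helper with no doc comment, and neither "valid" nor "X" is explained, so a reader has to infer from its body that it builds a golang.org/x/net report and that `f` is called unconditionally (a nil `f` would panic). A one-line comment above it would do: `// validXReport builds a minimal golang.org/x/net report and applies f to it, so a test case only has to set the fields it is exercising.` The TestLint table that the trailing context lines belong to continues past the hunk.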
@@ -272,6 +286,19 @@
want: []string{"not a valid reference type"},
},
{
+ desc: "multiple advisory links",
+ report: validXReport(func(r *Report) {
+ r.References = append(r.References, &Reference{
+ Type: "ADVISORY",
+ URL: "http://go.dev/a",
+ }, &Reference{
+ Type: "ADVISORY",
+ URL: "http://go.dev/b",
+ })
+ }),
+ want: []string{"at most one advisory link"},
+ },
+ {
desc: "unfixed links",
report: Report{
Modules: []*Module{{
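Review bot: The new `multiple advisory links` case at the top of the hunk only pins the failing side of the rule; nothing checks that a report with exactly one ADVISORY reference alongside other reference types is still accepted, so a later off-by-one in the counter (a `>= 1` comparison, say) would pass this table. A boundary case next to it, built with the same `validXReport` helper, closes that gap. The `want: nil` below assumes this table treats a nil want as "no issues expected", which the visible cases do not show and should be confirmed against the harness. The `unfixed links` case that this hunk's trailing context lines belong to continues past the hunk.
```go
{
	desc: "single advisory link",
	report: validXReport(func(r *Report) {
		r.References = append(r.References,
			&Reference{Type: "ADVISORY", URL: "https://go.dev/a"},
			&Reference{Type: "WEB", URL: "https://go.dev/b"},
		)
	}),
	want: nil,
},
```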