internal/report: add YAML field "source"
Adds a new field, source, which holds metadata about the
original source of the report. For now, it is either a CVE,
a GHSA, or the Go team.
This is not required and is not published to OSV, but will
assist in our automation efforts.
Change-Id: Ief5ea6eca35d8799655b3a86e7a22cf8ff49d4e5
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/576999
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/cmd/vulnreport/create.go b/cmd/vulnreport/create.go
index c71b78e..4a42ca5 100644
--- a/cmd/vulnreport/create.go
+++ b/cmd/vulnreport/create.go
@@ -11,6 +11,7 @@
"fmt"
"strconv"
"strings"
+ "time"
"golang.org/x/vulndb/cmd/vulnreport/log"
"golang.org/x/vulndb/internal/cveclient"
@@ -210,13 +211,7 @@
}
} else {
log.Infof("no alias found, creating basic report for %s", id)
- r = &report.Report{
- ID: id,
- Modules: []*report.Module{
- {
- Module: modulePath,
- },
- }}
+ r = basicReport(id, modulePath)
}
// Ensure all source aliases are added to the report.
@@ -248,6 +243,11 @@
}
}
+ if r.Source != nil {
+ now := time.Now()
+ r.Source.Created = &now
+ }
+
return r, nil
}
@@ -344,6 +344,9 @@
Module: modulePath,
},
},
+ Source: &report.Source{
+ ID: report.SourceGoTeam,
+ },
}
}
diff --git a/internal/genericosv/report.go b/internal/genericosv/report.go
index 25b4426..ba2307c 100644
--- a/internal/genericosv/report.go
+++ b/internal/genericosv/report.go
@@ -28,6 +28,9 @@
ID: goID,
Summary: report.Summary(osv.Summary),
Description: report.Description(osv.Details),
+ Source: &report.Source{
+ ID: osv.ID,
+ },
}
addAlias := func(alias string) {
switch {
diff --git a/internal/genericosv/testdata/yaml/GHSA-28r2-q6m8-9hpx.yaml b/internal/genericosv/testdata/yaml/GHSA-28r2-q6m8-9hpx.yaml
index e508bf8..16f9b5d 100644
--- a/internal/genericosv/testdata/yaml/GHSA-28r2-q6m8-9hpx.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-28r2-q6m8-9hpx.yaml
@@ -40,3 +40,5 @@
- web: https://github.com/hashicorp/go-getter/releases
notes:
- lint: 'summary: too long (found 115 characters, want <=100)'
+source:
+ id: GHSA-28r2-q6m8-9hpx
diff --git a/internal/genericosv/testdata/yaml/GHSA-33m6-q9v5-62r7.yaml b/internal/genericosv/testdata/yaml/GHSA-33m6-q9v5-62r7.yaml
index 24b9840..ca36393 100644
--- a/internal/genericosv/testdata/yaml/GHSA-33m6-q9v5-62r7.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-33m6-q9v5-62r7.yaml
@@ -59,3 +59,5 @@
- lint: 'modules[0] "github.com/apptainer/sif": 2 versions do not exist: 1.2.1-0.20180103161547-0ef6afb2f6cd, 1.2.1-0.20180404165556-75cca531ea76'
- lint: 'modules[1] "github.com/satori/go.uuid": vulnerable_at: 1.2.0 is not inside vulnerable range'
- lint: 'summary: must begin with a capital letter'
+source:
+ id: GHSA-33m6-q9v5-62r7
diff --git a/internal/genericosv/testdata/yaml/GHSA-3hwm-922r-47hw.yaml b/internal/genericosv/testdata/yaml/GHSA-3hwm-922r-47hw.yaml
index d0b7fd2..46f05b1 100644
--- a/internal/genericosv/testdata/yaml/GHSA-3hwm-922r-47hw.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-3hwm-922r-47hw.yaml
@@ -22,3 +22,5 @@
- web: https://github.com/42Atomys/stud42/commit/a70bfc72fba721917bf681d72a58093fb9deee17
notes:
- lint: 'modules[0] "atomys.codes/stud42": version 0.23.0 does not exist'
+source:
+ id: GHSA-3hwm-922r-47hw
diff --git a/internal/genericosv/testdata/yaml/GHSA-3wq5-3f56-v5xc.yaml b/internal/genericosv/testdata/yaml/GHSA-3wq5-3f56-v5xc.yaml
index 4f901e4..36769a1 100644
--- a/internal/genericosv/testdata/yaml/GHSA-3wq5-3f56-v5xc.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-3wq5-3f56-v5xc.yaml
@@ -27,3 +27,5 @@
notes:
- lint: 'modules[0] "github.com/mattermost/mattermost-server": 6 versions do not exist: 7.1.0, 7.1.6, 7.7.0, 7.7.2, 7.8.0, 7.8.1'
- lint: 'modules[1] "github.com/mattermost/mattermost-server/v6": version 7.1.6 does not exist'
+source:
+ id: GHSA-3wq5-3f56-v5xc
diff --git a/internal/genericosv/testdata/yaml/GHSA-54q4-74p3-mgcw.yaml b/internal/genericosv/testdata/yaml/GHSA-54q4-74p3-mgcw.yaml
index d3f42e6..1a82331 100644
--- a/internal/genericosv/testdata/yaml/GHSA-54q4-74p3-mgcw.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-54q4-74p3-mgcw.yaml
@@ -21,3 +21,5 @@
- lint: 'modules[0] "github.com/zhaojh329/rttys": unsupported_versions: found 1 (want none)'
- lint: 'modules[0] "github.com/zhaojh329/rttys": version 4.0.0 does not exist'
- lint: 'summary: must begin with a capital letter'
+source:
+ id: GHSA-54q4-74p3-mgcw
diff --git a/internal/genericosv/testdata/yaml/GHSA-5m6c-jp6f-2vcv.yaml b/internal/genericosv/testdata/yaml/GHSA-5m6c-jp6f-2vcv.yaml
index 594b3fd..ae29fee 100644
--- a/internal/genericosv/testdata/yaml/GHSA-5m6c-jp6f-2vcv.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-5m6c-jp6f-2vcv.yaml
@@ -22,3 +22,5 @@
notes:
- lint: 'description: possible markdown formatting (found ### )'
- lint: 'modules[0] "github.com/oauth2-proxy/oauth2-proxy": 2 versions do not exist: 5.1.1, 6.0.0'
+source:
+ id: GHSA-5m6c-jp6f-2vcv
diff --git a/internal/genericosv/testdata/yaml/GHSA-627p-rr78-99rj.yaml b/internal/genericosv/testdata/yaml/GHSA-627p-rr78-99rj.yaml
index ff95b78..687a6da 100644
--- a/internal/genericosv/testdata/yaml/GHSA-627p-rr78-99rj.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-627p-rr78-99rj.yaml
@@ -71,3 +71,5 @@
- lint: 'modules[0] "github.com/concourse/concourse": 4 versions do not exist: 6.3.0, 6.3.1, 6.4.0, 6.4.1'
- lint: 'modules[1] "github.com/concourse/dex": 4 versions do not exist: 6.3.0, 6.3.1, 6.4.0, 6.4.1'
- lint: 'summary: too long (found 115 characters, want <=100)'
+source:
+ id: GHSA-627p-rr78-99rj
diff --git a/internal/genericosv/testdata/yaml/GHSA-66p8-j459-rq63.yaml b/internal/genericosv/testdata/yaml/GHSA-66p8-j459-rq63.yaml
index ce01fa5..0aa2b6b 100644
--- a/internal/genericosv/testdata/yaml/GHSA-66p8-j459-rq63.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-66p8-j459-rq63.yaml
@@ -46,3 +46,5 @@
- lint: 'description: possible markdown formatting (found [`GHSA-p8r3-83r8-jwj5`](https://github.com/pterodactyl/wings/security/advisories/GHSA-p8r3-83r8-jwj5))'
- lint: 'description: possible markdown formatting (found `GHSA-p8r3-83r8-jwj5`)'
- lint: 'summary: too long (found 163 characters, want <=100)'
+source:
+ id: GHSA-66p8-j459-rq63
diff --git a/internal/genericosv/testdata/yaml/GHSA-69v6-xc2j-r2jf.yaml b/internal/genericosv/testdata/yaml/GHSA-69v6-xc2j-r2jf.yaml
index 5998d15..a057f18 100644
--- a/internal/genericosv/testdata/yaml/GHSA-69v6-xc2j-r2jf.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-69v6-xc2j-r2jf.yaml
@@ -44,3 +44,5 @@
- lint: 'description: possible markdown formatting (found `dataCopy` (at `0x00...04`)'
- lint: 'modules[1] "github.com/ethereum/go-ethereum": packages[0] "github.com/ethereum/go-ethereum/core/vm": at least one of vulnerable_at and skip_fix must be set'
- lint: 'modules[1] "github.com/ethereum/go-ethereum": version 1.19.7 does not exist'
+source:
+ id: GHSA-69v6-xc2j-r2jf
diff --git a/internal/genericosv/testdata/yaml/GHSA-6qfg-8799-r575.yaml b/internal/genericosv/testdata/yaml/GHSA-6qfg-8799-r575.yaml
index 6efb3f5..2685a43 100644
--- a/internal/genericosv/testdata/yaml/GHSA-6qfg-8799-r575.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-6qfg-8799-r575.yaml
@@ -33,3 +33,5 @@
- report: https://github.com/kubernetes/kubernetes/issues/87773
- fix: https://github.com/kubernetes/kubernetes/pull/82143
- web: https://groups.google.com/d/msg/kubernetes-announce/YYtEFdFimZ4/nZnOezZuBgAJ
+source:
+ id: GHSA-6qfg-8799-r575
diff --git a/internal/genericosv/testdata/yaml/GHSA-6rg3-8h8x-5xfv.yaml b/internal/genericosv/testdata/yaml/GHSA-6rg3-8h8x-5xfv.yaml
index 928da0a..368a588 100644
--- a/internal/genericosv/testdata/yaml/GHSA-6rg3-8h8x-5xfv.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-6rg3-8h8x-5xfv.yaml
@@ -30,3 +30,5 @@
notes:
- lint: 'description: possible markdown formatting (found ### )'
- lint: 'summary: too long (found 142 characters, want <=100)'
+source:
+ id: GHSA-6rg3-8h8x-5xfv
diff --git a/internal/genericosv/testdata/yaml/GHSA-7943-82jg-wmw5.yaml b/internal/genericosv/testdata/yaml/GHSA-7943-82jg-wmw5.yaml
index ff2b99b..64dcaca 100644
--- a/internal/genericosv/testdata/yaml/GHSA-7943-82jg-wmw5.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-7943-82jg-wmw5.yaml
@@ -132,3 +132,5 @@
- lint: 'description: possible markdown formatting (found `--dex-server`)'
- lint: 'modules[0] "github.com/argoproj/argo-cd": version 2.2.11 does not exist'
- lint: 'summary: too long (found 108 characters, want <=100)'
+source:
+ id: GHSA-7943-82jg-wmw5
diff --git a/internal/genericosv/testdata/yaml/GHSA-7fxj-fr3v-r9gj.yaml b/internal/genericosv/testdata/yaml/GHSA-7fxj-fr3v-r9gj.yaml
index 394e749..879ea72 100644
--- a/internal/genericosv/testdata/yaml/GHSA-7fxj-fr3v-r9gj.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-7fxj-fr3v-r9gj.yaml
@@ -26,3 +26,5 @@
notes:
- lint: 'modules[0] "github.com/pingcap/tidb": unsupported_versions: found 2 (want none)'
- lint: 'modules[0] "github.com/pingcap/tidb": version 6.2.0 does not exist'
+source:
+ id: GHSA-7fxj-fr3v-r9gj
diff --git a/internal/genericosv/testdata/yaml/GHSA-9689-rx4v-cqgc.yaml b/internal/genericosv/testdata/yaml/GHSA-9689-rx4v-cqgc.yaml
index 60516e9..8c83046 100644
--- a/internal/genericosv/testdata/yaml/GHSA-9689-rx4v-cqgc.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-9689-rx4v-cqgc.yaml
@@ -27,3 +27,5 @@
notes:
- lint: 'modules[0] "github.com/concourse/concourse": 5 versions do not exist: 5.2.8, 5.3.0, 5.5.10, 5.6.0, 5.8.1'
- lint: 'modules[0] "github.com/concourse/concourse": packages[0] "github.com/concourse/concourse/skymarshal/skyserver": at least one of vulnerable_at and skip_fix must be set'
+source:
+ id: GHSA-9689-rx4v-cqgc
diff --git a/internal/genericosv/testdata/yaml/GHSA-cf7g-cm7q-rq7f.yaml b/internal/genericosv/testdata/yaml/GHSA-cf7g-cm7q-rq7f.yaml
index 1698df5..05cfcf7 100644
--- a/internal/genericosv/testdata/yaml/GHSA-cf7g-cm7q-rq7f.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-cf7g-cm7q-rq7f.yaml
@@ -20,3 +20,5 @@
notes:
- lint: 'description: possible markdown formatting (found ### )'
- lint: 'modules[0] "github.com/drakkan/sftpgo": version 2.3.5 does not exist'
+source:
+ id: GHSA-cf7g-cm7q-rq7f
diff --git a/internal/genericosv/testdata/yaml/GHSA-fv82-r8qv-ch4v.yaml b/internal/genericosv/testdata/yaml/GHSA-fv82-r8qv-ch4v.yaml
index 74f205d..2f55b38 100644
--- a/internal/genericosv/testdata/yaml/GHSA-fv82-r8qv-ch4v.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-fv82-r8qv-ch4v.yaml
@@ -38,3 +38,5 @@
- lint: 'description: possible markdown formatting (found ### )'
- lint: 'description: possible markdown formatting (found [pomerium](http://github.com/pomerium/pomerium))'
- lint: 'summary: must begin with a capital letter'
+source:
+ id: GHSA-fv82-r8qv-ch4v
diff --git a/internal/genericosv/testdata/yaml/GHSA-g5gj-9ggf-9vmq.yaml b/internal/genericosv/testdata/yaml/GHSA-g5gj-9ggf-9vmq.yaml
index ba6591e..ee0d4f7 100644
--- a/internal/genericosv/testdata/yaml/GHSA-g5gj-9ggf-9vmq.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-g5gj-9ggf-9vmq.yaml
@@ -25,3 +25,5 @@
- web: https://www.debian.org/security/2022/dsa-5041
notes:
- lint: 'description: possible markdown formatting (found ## )'
+source:
+ id: GHSA-g5gj-9ggf-9vmq
diff --git a/internal/genericosv/testdata/yaml/GHSA-g9wh-3vrx-r7hg.yaml b/internal/genericosv/testdata/yaml/GHSA-g9wh-3vrx-r7hg.yaml
index 48880bc..a63d108 100644
--- a/internal/genericosv/testdata/yaml/GHSA-g9wh-3vrx-r7hg.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-g9wh-3vrx-r7hg.yaml
@@ -25,3 +25,5 @@
notes:
- lint: 'description: possible markdown formatting (found ## )'
- lint: 'summary: too long (found 108 characters, want <=100)'
+source:
+ id: GHSA-g9wh-3vrx-r7hg
diff --git a/internal/genericosv/testdata/yaml/GHSA-hjv9-hm2f-rpcj.yaml b/internal/genericosv/testdata/yaml/GHSA-hjv9-hm2f-rpcj.yaml
index 9192823..b9b1a1a 100644
--- a/internal/genericosv/testdata/yaml/GHSA-hjv9-hm2f-rpcj.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-hjv9-hm2f-rpcj.yaml
@@ -31,3 +31,5 @@
- web: https://security.netapp.com/advisory/ntap-20230413-0001/
notes:
- lint: 'modules[0] "github.com/grafana/grafana": 6 versions do not exist: 8.1.0, 8.5.21, 9.0.0, 9.2.13, 9.3.0, 9.3.8'
+source:
+ id: GHSA-hjv9-hm2f-rpcj
diff --git a/internal/genericosv/testdata/yaml/GHSA-hmfx-3pcx-653p.yaml b/internal/genericosv/testdata/yaml/GHSA-hmfx-3pcx-653p.yaml
index e66ab0c..0afe597 100644
--- a/internal/genericosv/testdata/yaml/GHSA-hmfx-3pcx-653p.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-hmfx-3pcx-653p.yaml
@@ -70,3 +70,5 @@
- lint: 'description: possible markdown formatting (found ### )'
- lint: 'description: possible markdown formatting (found [containerd](https://github.com/containerd/containerd/issues/new/choose))'
- lint: 'description: possible markdown formatting (found `"USER $USERNAME"`)'
+source:
+ id: GHSA-hmfx-3pcx-653p
diff --git a/internal/genericosv/testdata/yaml/GHSA-hv53-vf5m-8q94.yaml b/internal/genericosv/testdata/yaml/GHSA-hv53-vf5m-8q94.yaml
index 6ad8b7c..061b536 100644
--- a/internal/genericosv/testdata/yaml/GHSA-hv53-vf5m-8q94.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-hv53-vf5m-8q94.yaml
@@ -57,3 +57,5 @@
- lint: 'description: possible markdown formatting (found [C#](https://github.com/advisories/GHSA-qv8q-v995-72gr))'
- lint: 'modules[0] "github.com/personnummer/go": version 3.0.1 does not exist'
- lint: 'summary: must begin with a capital letter'
+source:
+ id: GHSA-hv53-vf5m-8q94
diff --git a/internal/genericosv/testdata/yaml/GHSA-jh36-q97c-9928.yaml b/internal/genericosv/testdata/yaml/GHSA-jh36-q97c-9928.yaml
index bb52e2a..7f6e427 100644
--- a/internal/genericosv/testdata/yaml/GHSA-jh36-q97c-9928.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-jh36-q97c-9928.yaml
@@ -31,3 +31,5 @@
- web: https://github.com/kubernetes/kubernetes/issues/113757
- web: https://groups.google.com/g/kubernetes-security-announce/c/VyPOxF7CIbA
- web: https://security.netapp.com/advisory/ntap-20230505-0007/
+source:
+ id: GHSA-jh36-q97c-9928
diff --git a/internal/genericosv/testdata/yaml/GHSA-jmp2-wc4p-wfh2.yaml b/internal/genericosv/testdata/yaml/GHSA-jmp2-wc4p-wfh2.yaml
index afe2d09..a58b069 100644
--- a/internal/genericosv/testdata/yaml/GHSA-jmp2-wc4p-wfh2.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-jmp2-wc4p-wfh2.yaml
@@ -62,3 +62,5 @@
- lint: 'description: possible markdown formatting (found [CVE-2003-0069](https://nvd.nist.gov/vuln/detail/CVE-2003-0069))'
- lint: 'description: possible markdown formatting (found `list`)'
- lint: 'summary: too long (found 144 characters, want <=100)'
+source:
+ id: GHSA-jmp2-wc4p-wfh2
diff --git a/internal/genericosv/testdata/yaml/GHSA-pg5p-wwp8-97g8.yaml b/internal/genericosv/testdata/yaml/GHSA-pg5p-wwp8-97g8.yaml
index 0f3f8fc..3e0017a 100644
--- a/internal/genericosv/testdata/yaml/GHSA-pg5p-wwp8-97g8.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-pg5p-wwp8-97g8.yaml
@@ -64,3 +64,5 @@
- lint: 'description: possible markdown formatting (found [Slack](https://docs.cilium.io/en/latest/community/community/#slack))'
- lint: 'modules[0] "github.com/cilium/cilium": unsupported_versions: found 1 (want none)'
- lint: 'modules[0] "github.com/cilium/cilium": versions: introduced and fixed versions must alternate'
+source:
+ id: GHSA-pg5p-wwp8-97g8
diff --git a/internal/genericosv/testdata/yaml/GHSA-pmfr-63c2-jr5c.yaml b/internal/genericosv/testdata/yaml/GHSA-pmfr-63c2-jr5c.yaml
index dfded10..37e65ce 100644
--- a/internal/genericosv/testdata/yaml/GHSA-pmfr-63c2-jr5c.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-pmfr-63c2-jr5c.yaml
@@ -71,3 +71,5 @@
- lint: 'description: possible markdown formatting (found [Singularity Slack Channel](https://bit.ly/2m0g3lX))'
- lint: 'description: possible markdown formatting (found `legacyinsecure`)'
- lint: 'modules[0] "github.com/sylabs/singularity": version 3.6.0 does not exist'
+source:
+ id: GHSA-pmfr-63c2-jr5c
diff --git a/internal/genericosv/testdata/yaml/GHSA-vp35-85q5-9f25.yaml b/internal/genericosv/testdata/yaml/GHSA-vp35-85q5-9f25.yaml
index 88b9026..82324e7 100644
--- a/internal/genericosv/testdata/yaml/GHSA-vp35-85q5-9f25.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-vp35-85q5-9f25.yaml
@@ -112,3 +112,5 @@
- lint: 'description: possible markdown formatting (found ### )'
- lint: 'description: possible markdown formatting (found [Open an issue](https://github.com/moby/moby/issues/new))'
- lint: 'description: possible markdown formatting (found `git+<protocol>://...`)'
+source:
+ id: GHSA-vp35-85q5-9f25
diff --git a/internal/genericosv/testdata/yaml/GHSA-w4xh-w33p-4v29.yaml b/internal/genericosv/testdata/yaml/GHSA-w4xh-w33p-4v29.yaml
index 731914f..ccb5ca5 100644
--- a/internal/genericosv/testdata/yaml/GHSA-w4xh-w33p-4v29.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-w4xh-w33p-4v29.yaml
@@ -32,3 +32,5 @@
- lint: 'modules[0] "github.com/git-lfs/git-lfs": version 2.1.1-0.20170519163204-f913f5f9c7c6 does not exist'
- lint: 'modules[1] "github.com/git-lfs/git-lfs": packages[0] "github.com/git-lfs/git-lfs/lfsapi": at least one of vulnerable_at and skip_fix must be set'
- lint: 'modules[1] "github.com/git-lfs/git-lfs": version 2.1.1-0.20170519163204-f913f5f9c7c6 does not exist'
+source:
+ id: GHSA-w4xh-w33p-4v29
diff --git a/internal/genericosv/testdata/yaml/GHSA-wx8q-rgfr-cf6v.yaml b/internal/genericosv/testdata/yaml/GHSA-wx8q-rgfr-cf6v.yaml
index 7fd22b6..c9107c4 100644
--- a/internal/genericosv/testdata/yaml/GHSA-wx8q-rgfr-cf6v.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-wx8q-rgfr-cf6v.yaml
@@ -29,3 +29,5 @@
notes:
- lint: 'description: possible markdown formatting (found ### )'
- lint: 'summary: too long (found 106 characters, want <=100)'
+source:
+ id: GHSA-wx8q-rgfr-cf6v
diff --git a/internal/genericosv/testdata/yaml/GHSA-xmg8-99r8-jc2j.yaml b/internal/genericosv/testdata/yaml/GHSA-xmg8-99r8-jc2j.yaml
index 495bb23..9728fa8 100644
--- a/internal/genericosv/testdata/yaml/GHSA-xmg8-99r8-jc2j.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-xmg8-99r8-jc2j.yaml
@@ -74,3 +74,5 @@
- lint: 'description: possible markdown formatting (found ### )'
- lint: 'description: possible markdown formatting (found [discussions](https://github.com/argoproj/argo-cd/discussions))'
- lint: 'modules[0] "github.com/argoproj/argo-cd": version 2.1.15 does not exist'
+source:
+ id: GHSA-xmg8-99r8-jc2j
diff --git a/internal/genericosv/testdata/yaml/GHSA-xx9w-464f-7h6f.yaml b/internal/genericosv/testdata/yaml/GHSA-xx9w-464f-7h6f.yaml
index 163d8e2..d036b1d 100644
--- a/internal/genericosv/testdata/yaml/GHSA-xx9w-464f-7h6f.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-xx9w-464f-7h6f.yaml
@@ -45,3 +45,5 @@
- lint: 'description: possible markdown formatting (found ### )'
- lint: 'modules[0] "github.com/goharbor/harbor": version 1.0.0 does not exist'
- lint: 'summary: too long (found 105 characters, want <=100)'
+source:
+ id: GHSA-xx9w-464f-7h6f
diff --git a/internal/report/cve.go b/internal/report/cve.go
index 713817d..4850200 100644
--- a/internal/report/cve.go
+++ b/internal/report/cve.go
@@ -82,6 +82,9 @@
Description: description,
Credits: credits,
References: refs,
+ Source: &Source{
+ ID: c.Metadata.ID,
+ },
}
r.addCVE(c.Metadata.ID, getCWE(c), isGoCNA(c))
return r
@@ -142,6 +145,9 @@
Description: description,
Credits: credits,
References: refs,
+ Source: &Source{
+ ID: c.Metadata.ID,
+ },
}
r.addCVE(c.Metadata.ID, getCWE5(&cna), isGoCNA5(&cna))
diff --git a/internal/report/ghsa.go b/internal/report/ghsa.go
index 23b7cc3..39d2068 100644
--- a/internal/report/ghsa.go
+++ b/internal/report/ghsa.go
@@ -17,6 +17,9 @@
r := &Report{
Summary: Summary(sa.Summary),
Description: Description(sa.Description),
+ Source: &Source{
+ ID: sa.ID,
+ },
}
var cves, ghsas []string
for _, id := range sa.Identifiers {
diff --git a/internal/report/ghsa_test.go b/internal/report/ghsa_test.go
index b3032f2..03ef292 100644
--- a/internal/report/ghsa_test.go
+++ b/internal/report/ghsa_test.go
@@ -58,6 +58,7 @@
GHSAs: []string{"G1"},
CVEs: []string{"C1"},
References: []*Reference{{Type: "REPORT", URL: "https://github.com/permalink/to/issue/12345"}},
+ Source: &Source{ID: "G1_blah"},
},
},
{
@@ -78,6 +79,7 @@
GHSAs: []string{"G1"},
CVEs: []string{"C1"},
References: []*Reference{{Type: "REPORT", URL: "https://github.com/permalink/to/issue/12345"}},
+ Source: &Source{ID: "G1_blah"},
},
},
} {
diff --git a/internal/report/report.go b/internal/report/report.go
index 41decd1..d553e4f 100644
--- a/internal/report/report.go
+++ b/internal/report/report.go
@@ -238,6 +238,20 @@
// creating the report, outstanding issues, or anything else worth
// mentioning.
Notes []*Note `yaml:",omitempty"`
+
+ // Metadata about how this report was generated.
+ // Not published to OSV.
+ Source *Source `yaml:",omitempty"`
+}
+
+const SourceGoTeam = "go-security-team"
+
+type Source struct {
+ // The ID (GHSA or CVE) of the original source of this report.
+ // If created by a human, this is "go-security-team".
+ ID string `yaml:",omitempty"`
+ // The time the original auto-generated report was created.
+ Created *time.Time `yaml:",omitempty"`
}
type Summary string
diff --git a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2020-9283.txtar b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2020-9283.txtar
index f3dc995..615d1d1 100644
--- a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2020-9283.txtar
+++ b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2020-9283.txtar
@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.
@@ -21,3 +21,5 @@
- web: https://lists.debian.org/debian-lts-announce/2020/11/msg00027.html
- web: https://lists.debian.org/debian-lts-announce/2020/11/msg00031.html
- web: https://lists.debian.org/debian-lts-announce/2023/06/msg00017.html
+source:
+ id: CVE-2020-9283
diff --git a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2021-27919.txtar b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2021-27919.txtar
index 6d998f8..10ba52c 100644
--- a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2021-27919.txtar
+++ b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2021-27919.txtar
@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.
@@ -19,3 +19,5 @@
- web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MU47VKTNXX33ZDLTI2ORRUY3KLJKU6G/
- web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HM7U5JNS5WU66Q3S26PFIU2ITB2ATTQ4/
- web: https://security.gentoo.org/glsa/202208-02
+source:
+ id: CVE-2021-27919
diff --git a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2021-3115.txtar b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2021-3115.txtar
index edf8ab4..7e5c3cf 100644
--- a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2021-3115.txtar
+++ b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2021-3115.txtar
@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.
@@ -20,3 +20,5 @@
- web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/
- web: https://security.netapp.com/advisory/ntap-20210219-0001/
- web: https://security.gentoo.org/glsa/202208-02
+source:
+ id: CVE-2021-3115
diff --git a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2022-39213.txtar b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2022-39213.txtar
index 16eb31c..1534e17 100644
--- a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2022-39213.txtar
+++ b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2022-39213.txtar
@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.
@@ -22,3 +22,5 @@
- advisory: https://github.com/pandatix/go-cvss/security/advisories/GHSA-xhmf-mmv2-4hhx
- fix: https://github.com/pandatix/go-cvss/commit/d9d478ff0c13b8b09ace030db9262f3c2fe031f4
- web: https://github.com/pandatix/go-cvss/blob/master/SECURITY.md
+source:
+ id: CVE-2022-39213
diff --git a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-29407.txtar b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-29407.txtar
index d1d2500..809fdd7 100644
--- a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-29407.txtar
+++ b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-29407.txtar
@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.
@@ -32,3 +32,5 @@
cve_metadata:
id: CVE-2023-29407
cwe: 'CWE-834: Excessive Iteration'
+source:
+ id: CVE-2023-29407
diff --git a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-44378.txtar b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-44378.txtar
index d3dfc27..6a11881 100644
--- a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-44378.txtar
+++ b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-44378.txtar
@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.
@@ -22,3 +22,5 @@
- advisory: https://github.com/Consensys/gnark/security/advisories/GHSA-498w-5j49-vqjg
- report: https://github.com/zkopru-network/zkopru/issues/116
- fix: https://github.com/Consensys/gnark/commit/59a4087261a6c73f13e80d695c17b398c3d0934f
+source:
+ id: CVE-2023-44378
diff --git a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45141.txtar b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45141.txtar
index dd39d87..10f3840 100644
--- a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45141.txtar
+++ b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45141.txtar
@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.
@@ -20,3 +20,5 @@
- CVE-2023-45141
references:
- advisory: https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p
+source:
+ id: CVE-2023-45141
diff --git a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45283.txtar b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45283.txtar
index 2f7fcbe..cf7ce52 100644
--- a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45283.txtar
+++ b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45283.txtar
@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.
@@ -84,3 +84,5 @@
cve_metadata:
id: CVE-2023-45283
cwe: 'CWE-41: Improper Resolution of Path Equivalence'
+source:
+ id: CVE-2023-45283
diff --git a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45285.txtar b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45285.txtar
index 209e52d..9c0328b 100644
--- a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45285.txtar
+++ b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45285.txtar
@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.
@@ -27,3 +27,5 @@
cve_metadata:
id: CVE-2023-45285
cwe: 'CWE-636: Not Failing Securely (''Failing Open'')'
+source:
+ id: CVE-2023-45285
diff --git a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45286.txtar b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45286.txtar
index 3a445d9..a6ee0b9 100644
--- a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45286.txtar
+++ b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45286.txtar
@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.
@@ -38,3 +38,5 @@
cve_metadata:
id: CVE-2023-45286
cwe: 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'
+source:
+ id: CVE-2023-45286
diff --git a/internal/report/testdata/cve/TestCVEToReport/CVE-2020-9283.txtar b/internal/report/testdata/cve/TestCVEToReport/CVE-2020-9283.txtar
index 8e6dd11..0716c01 100644
--- a/internal/report/testdata/cve/TestCVEToReport/CVE-2020-9283.txtar
+++ b/internal/report/testdata/cve/TestCVEToReport/CVE-2020-9283.txtar
@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.
@@ -21,3 +21,5 @@
- web: https://lists.debian.org/debian-lts-announce/2020/11/msg00027.html
- web: https://lists.debian.org/debian-lts-announce/2020/11/msg00031.html
- web: https://lists.debian.org/debian-lts-announce/2023/06/msg00017.html
+source:
+ id: CVE-2020-9283
diff --git a/internal/report/testdata/cve/TestCVEToReport/CVE-2021-27919.txtar b/internal/report/testdata/cve/TestCVEToReport/CVE-2021-27919.txtar
index 8aa2f2c..8bac068 100644
--- a/internal/report/testdata/cve/TestCVEToReport/CVE-2021-27919.txtar
+++ b/internal/report/testdata/cve/TestCVEToReport/CVE-2021-27919.txtar
@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.
@@ -19,3 +19,5 @@
- web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MU47VKTNXX33ZDLTI2ORRUY3KLJKU6G/
- web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HM7U5JNS5WU66Q3S26PFIU2ITB2ATTQ4/
- web: https://security.gentoo.org/glsa/202208-02
+source:
+ id: CVE-2021-27919
diff --git a/internal/report/testdata/cve/TestCVEToReport/CVE-2021-3115.txtar b/internal/report/testdata/cve/TestCVEToReport/CVE-2021-3115.txtar
index 3d7bbba..3b9dfb5 100644
--- a/internal/report/testdata/cve/TestCVEToReport/CVE-2021-3115.txtar
+++ b/internal/report/testdata/cve/TestCVEToReport/CVE-2021-3115.txtar
@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.
@@ -20,3 +20,5 @@
- web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/
- web: https://security.netapp.com/advisory/ntap-20210219-0001/
- web: https://security.gentoo.org/glsa/202208-02
+source:
+ id: CVE-2021-3115
diff --git a/internal/report/testdata/cve/TestCVEToReport/CVE-2022-39213.txtar b/internal/report/testdata/cve/TestCVEToReport/CVE-2022-39213.txtar
index 0b76b1c..5d2e9dc 100644
--- a/internal/report/testdata/cve/TestCVEToReport/CVE-2022-39213.txtar
+++ b/internal/report/testdata/cve/TestCVEToReport/CVE-2022-39213.txtar
@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.
@@ -18,3 +18,5 @@
- advisory: https://github.com/pandatix/go-cvss/security/advisories/GHSA-xhmf-mmv2-4hhx
- fix: https://github.com/pandatix/go-cvss/commit/d9d478ff0c13b8b09ace030db9262f3c2fe031f4
- web: https://github.com/pandatix/go-cvss/blob/master/SECURITY.md
+source:
+ id: CVE-2022-39213
diff --git a/internal/report/testdata/cve/TestCVEToReport/CVE-2023-29407.txtar b/internal/report/testdata/cve/TestCVEToReport/CVE-2023-29407.txtar
index 918475f..15bf74a 100644
--- a/internal/report/testdata/cve/TestCVEToReport/CVE-2023-29407.txtar
+++ b/internal/report/testdata/cve/TestCVEToReport/CVE-2023-29407.txtar
@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.
@@ -23,3 +23,5 @@
cve_metadata:
id: CVE-2023-29407
cwe: 'CWE-834: Excessive Iteration'
+source:
+ id: CVE-2023-29407
diff --git a/internal/report/testdata/cve/TestCVEToReport/CVE-2023-44378.txtar b/internal/report/testdata/cve/TestCVEToReport/CVE-2023-44378.txtar
index f41d093..5db8c2f 100644
--- a/internal/report/testdata/cve/TestCVEToReport/CVE-2023-44378.txtar
+++ b/internal/report/testdata/cve/TestCVEToReport/CVE-2023-44378.txtar
@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.
@@ -18,3 +18,5 @@
- advisory: https://github.com/Consensys/gnark/security/advisories/GHSA-498w-5j49-vqjg
- report: https://github.com/zkopru-network/zkopru/issues/116
- fix: https://github.com/Consensys/gnark/commit/59a4087261a6c73f13e80d695c17b398c3d0934f
+source:
+ id: CVE-2023-44378
diff --git a/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45141.txtar b/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45141.txtar
index 39b25db..4a0e9cb 100644
--- a/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45141.txtar
+++ b/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45141.txtar
@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.
@@ -16,3 +16,5 @@
- CVE-2023-45141
references:
- advisory: https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p
+source:
+ id: CVE-2023-45141
diff --git a/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45283.txtar b/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45283.txtar
index fa03126..e0ea2d2 100644
--- a/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45283.txtar
+++ b/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45283.txtar
@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.
@@ -24,3 +24,5 @@
cve_metadata:
id: CVE-2023-45283
cwe: 'CWE-41: Improper Resolution of Path Equivalence'
+source:
+ id: CVE-2023-45283
diff --git a/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45285.txtar b/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45285.txtar
index f3919a8..3deb790 100644
--- a/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45285.txtar
+++ b/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45285.txtar
@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.
@@ -20,3 +20,5 @@
cve_metadata:
id: CVE-2023-45285
cwe: 'CWE-636: Not Failing Securely (''Failing Open'')'
+source:
+ id: CVE-2023-45285
diff --git a/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45286.txtar b/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45286.txtar
index 209c125..98e6280 100644
--- a/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45286.txtar
+++ b/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45286.txtar
@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.
@@ -20,3 +20,5 @@
cve_metadata:
id: CVE-2023-45286
cwe: 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'
+source:
+ id: CVE-2023-45286
diff --git a/internal/worker/worker_test.go b/internal/worker/worker_test.go
index 01acaaf..78d1cf9 100644
--- a/internal/worker/worker_test.go
+++ b/internal/worker/worker_test.go
@@ -302,6 +302,8 @@
summary: ID1 in a.Module
cves:
- ID1
+source:
+ id: ID1
` + "```"
if diff := cmp.Diff(unindent(want), got); diff != "" {
@@ -365,6 +367,8 @@
summary: G1 in aPackage
ghsas:
- G1
+source:
+ id: G1
` + "```"
