report: fixes a nil dereference when accessing vuln cve metadata.

zpavlinovic · FiloSottile · commit 42b5a4503a53 · 2021-04-13T16:18:34.000+02:00
Some vulnerabilities, such as GO-2020-0002.toml, do not have CVE metadata. Accessing CVEMetadata.ID without checking if CVEMetadata is nil can lead to a nil dereference. Change-Id: I06a24a7d80a0e8be768af198a1b6254f15de98d3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/vulndb/+/1026682 Reviewed-by: Roland Shoemaker <bracewell@google.com>
diff --git a/report/report.go b/report/report.go
@@ -105,7 +105,7 @@ func (vuln *Report) Lint() error {
 		return fmt.Errorf("unknown severity %q", vuln.Severity)
 	}
 
-	if vuln.CVE != "" && vuln.CVEMetadata.ID != "" {
+	if vuln.CVE != "" && vuln.CVEMetadata != nil && vuln.CVEMetadata.ID != "" {
 		// TODO: may just want to use one of these? :shrug:
 		return errors.New("only one of cve and cve_metadata.id should be present")
 	}

Original file line number	Diff line number	Diff line change
`@@ -105,7 +105,7 @@ func (vuln *Report) Lint() error {`
`105`	`105`	`return fmt.Errorf("unknown severity %q", vuln.Severity)`
`106`	`106`	`}`
`107`	`107`
`108`		`- if vuln.CVE != "" && vuln.CVEMetadata.ID != "" {`
	`108`	`+ if vuln.CVE != "" && vuln.CVEMetadata != nil && vuln.CVEMetadata.ID != "" {`
`109`	`109`	`// TODO: may just want to use one of these? :shrug:`
`110`	`110`	`return errors.New("only one of cve and cve_metadata.id should be present")`
`111`	`111`	`}`