internal/{genericosv,report}: add YAML field unknown_aliases

tatianab · tatianab · commit 44a7c1a1170e · 2024-04-16T17:21:15.000Z
Adds a structured field, "unknown_aliases", to store aliases other than GHSAs and CVEs. We don't yet publish these to OSV, but this opens the possibility to do this in the future. Change-Id: Iab2f63bd15241c9d72f73bda33889f65874e9dc0 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/576997 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
diff --git a/data/reports/GO-2024-2643.yaml b/data/reports/GO-2024-2643.yaml
@@ -31,10 +31,10 @@ cves:
     - CVE-2023-50726
 ghsas:
     - GHSA-g623-jcgg-mhmm
+unknown_aliases:
+    - BIT-argo-cd-2023-50726
 credits:
     - '@crenshaw-dev'
 references:
     - fix: https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978
     - web: https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac
-notes:
-    - create: found alias BIT-argo-cd-2023-50726 that is not a GHSA or CVE
diff --git a/data/reports/GO-2024-2646.yaml b/data/reports/GO-2024-2646.yaml
@@ -29,11 +29,12 @@ cves:
     - CVE-2024-28175
 ghsas:
     - GHSA-jwv5-8mqv-g387
+unknown_aliases:
+    - BIT-argo-cd-2024-28175
 credits:
     - '@Ry0taK, @agaudreault, and @crenshaw-dev'
 references:
     - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387
     - fix: https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71
 notes:
-    - create: found alias BIT-argo-cd-2024-28175 that is not a GHSA or CVE
     - Fix is in typescript code.
diff --git a/data/reports/GO-2024-2683.yaml b/data/reports/GO-2024-2683.yaml
@@ -25,10 +25,10 @@ cves:
     - CVE-2021-41803
 ghsas:
     - GHSA-hr3v-8cp3-68rf
+unknown_aliases:
+    - BIT-consul-2021-41803
 credits:
     - anonymous4ACL24
 references:
     - web: https://discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/44627
     - fix: https://github.com/hashicorp/consul/pull/14577/commits/2c881259ce10e308ff03afc968c4165998fd7fee
-notes:
-    - create: found alias BIT-consul-2021-41803 that is not a GHSA or CVE
diff --git a/internal/genericosv/report.go b/internal/genericosv/report.go
@@ -36,7 +36,7 @@ func (osv *Entry) ToReport(goID string, pc *proxy.Client) *report.Report {
 		case ghsa.IsGHSA(alias):
 			r.GHSAs = append(r.GHSAs, alias)
 		default:
-			r.AddNote(report.NoteTypeCreate, "found alias %s that is not a GHSA or CVE", alias)
+			r.UnknownAliases = append(r.UnknownAliases, alias)
 		}
 	}
 	addAlias(osv.ID)
diff --git a/internal/report/report.go b/internal/report/report.go
@@ -217,6 +217,10 @@ type Report struct {
 	// the above CVEs.
 	GHSAs []string `yaml:",omitempty"`
 
+	// Aliases from other databases that we don't (yet) know about.
+	// Not published to OSV.
+	UnknownAliases []string `yaml:"unknown_aliases,omitempty"`
+
 	// Related is a list of identifiers (e.g. CVEs or GHSAs)
 	// that are related to, but are not direct aliases of, this report.
 	Related []string `yaml:",omitempty"`

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ func (osv Entry) ToReport(goID string, pc proxy.Client) *report.Report {`
`36`	`36`	`case ghsa.IsGHSA(alias):`
`37`	`37`	`r.GHSAs = append(r.GHSAs, alias)`
`38`	`38`	`default:`
`39`		`- r.AddNote(report.NoteTypeCreate, "found alias %s that is not a GHSA or CVE", alias)`
	`39`	`+ r.UnknownAliases = append(r.UnknownAliases, alias)`
`40`	`40`	`}`
`41`	`41`	`}`
`42`	`42`	`addAlias(osv.ID)`