internal/report: attempt to auto-fix summaries

If there is no module path in a summary,
simply add it to the end, i.e., "<summary> in <module>".

This could result in non-grammatical
phrases so it's meant as a convenience for a human to fix up.

As a last resort, if there is no summary at all, add
the summary '<[alias] | "Vulnerability"> in <module_path>' as a
starting point.

Change-Id: I64810c7c77980654d7973dc605b256e6053c0254
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/576998
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

Author: tatianab

internal/genericosv/testdata/yaml/GHSA-28r2-q6m8-9hpx.yaml

@@ -19,7 +19,7 @@ modules:
       vulnerable_at: 2.0.2
 summary: |-
     HashiCorp go-getter unsafe downloads could lead to asymmetric resource
-    exhaustion
+    exhaustion in github.com/hashicorp/go-getter
 description: |-
     HashiCorp go-getter through 2.0.2 does not safely perform downloads. Asymmetric
     resource exhaustion could occur when go-getter processed malicious HTTP
@@ -39,4 +39,4 @@ references:
     - web: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
     - web: https://github.com/hashicorp/go-getter/releases
 notes:
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/hashicorp/go-getter")'
+    - lint: 'summary: too long (found 115 characters, want <=100)'

internal/genericosv/testdata/yaml/GHSA-3hwm-922r-47hw.yaml

@@ -3,7 +3,7 @@ modules:
     - module: atomys.codes/stud42
       versions:
         - fixed: 0.23.0
-summary: Stud42 vulnerable to denial of service
+summary: Stud42 vulnerable to denial of service in atomys.codes/stud42
 description: |-
     A security vulnerability has been identified in the GraphQL parser used by the
     API of s42.app. An attacker can overload the parser and cause the API pod to
@@ -22,4 +22,3 @@ references:
     - web: https://github.com/42Atomys/stud42/commit/a70bfc72fba721917bf681d72a58093fb9deee17
 notes:
     - lint: 'modules[0] "atomys.codes/stud42": version 0.23.0 does not exist'
-    - lint: 'summary: must contain an affected module or package path (e.g. "atomys.codes/stud42")'

internal/genericosv/testdata/yaml/GHSA-3wq5-3f56-v5xc.yaml

@@ -12,7 +12,7 @@ modules:
       versions:
         - introduced: 6.3.0
           fixed: 7.1.6
-summary: Mattermost vulnerable to information disclosure
+summary: Mattermost vulnerable to information disclosure in github.com/mattermost/mattermost-server
 description: |-
     Mattermost allows an attacker to request a preview of an existing message when
     creating a new message via the createPost API call, disclosing the contents of
@@ -27,4 +27,3 @@ references:
 notes:
     - lint: 'modules[0] "github.com/mattermost/mattermost-server": 6 versions do not exist: 7.1.0, 7.1.6, 7.7.0, 7.7.2, 7.8.0, 7.8.1'
     - lint: 'modules[1] "github.com/mattermost/mattermost-server/v6": version 7.1.6 does not exist'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/mattermost/mattermost-server")'

internal/genericosv/testdata/yaml/GHSA-54q4-74p3-mgcw.yaml

@@ -6,7 +6,7 @@ modules:
       unsupported_versions:
         - version: 4.0.2
           type: last_affected
-summary: rttys SQL Injection vulnerability
+summary: rttys SQL Injection vulnerability in github.com/zhaojh329/rttys
 description: |-
     SQL Injection vulnerability in rttys versions 4.0.0, 4.0.1, and 4.0.2 in api.go,
     allows attackers to execute arbitrary code.
@@ -21,4 +21,3 @@ notes:
     - lint: 'modules[0] "github.com/zhaojh329/rttys": unsupported_versions: found 1 (want none)'
     - lint: 'modules[0] "github.com/zhaojh329/rttys": version 4.0.0 does not exist'
     - lint: 'summary: must begin with a capital letter'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/zhaojh329/rttys")'

internal/genericosv/testdata/yaml/GHSA-5m6c-jp6f-2vcv.yaml

@@ -4,7 +4,7 @@ modules:
       versions:
         - introduced: 5.1.1
           fixed: 6.0.0
-summary: Open Redirect in OAuth2 Proxy
+summary: Open Redirect in OAuth2 Proxy in github.com/oauth2-proxy/oauth2-proxy
 description: |-
     ### Impact As users can provide a redirect address for the proxy to send the
     authenticated user to at the end of the authentication flow. This is expected to
@@ -22,4 +22,3 @@ references:
 notes:
     - lint: 'description: possible markdown formatting (found ### )'
     - lint: 'modules[0] "github.com/oauth2-proxy/oauth2-proxy": 2 versions do not exist: 5.1.1, 6.0.0'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/oauth2-proxy/oauth2-proxy")'

internal/genericosv/testdata/yaml/GHSA-627p-rr78-99rj.yaml

@@ -14,7 +14,7 @@ modules:
           fixed: 6.4.1
 summary: |-
     GitLab auth uses full name instead of username as user ID, allowing
-    impersonation
+    impersonation in github.com/concourse/concourse
 description: |-
     ### Impact
 
@@ -70,4 +70,4 @@ notes:
     - lint: 'description: possible markdown formatting (found `users`)'
     - lint: 'modules[0] "github.com/concourse/concourse": 4 versions do not exist: 6.3.0, 6.3.1, 6.4.0, 6.4.1'
     - lint: 'modules[1] "github.com/concourse/dex": 4 versions do not exist: 6.3.0, 6.3.1, 6.4.0, 6.4.1'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/concourse/concourse")'
+    - lint: 'summary: too long (found 115 characters, want <=100)'

internal/genericosv/testdata/yaml/GHSA-66p8-j459-rq63.yaml

@@ -8,7 +8,7 @@ modules:
       vulnerable_at: 1.11.3
 summary: |-
     Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following resulting in
-    deletion of files and directories on the host system
+    deletion of files and directories on the host system in github.com/pterodactyl/wings
 description: |-
     ### Impact
 
@@ -45,5 +45,4 @@ notes:
     - lint: 'description: possible markdown formatting (found ### )'
     - lint: 'description: possible markdown formatting (found [`GHSA-p8r3-83r8-jwj5`](https://github.com/pterodactyl/wings/security/advisories/GHSA-p8r3-83r8-jwj5))'
     - lint: 'description: possible markdown formatting (found `GHSA-p8r3-83r8-jwj5`)'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/pterodactyl/wings")'
-    - lint: 'summary: too long (found 131 characters, want <=100)'
+    - lint: 'summary: too long (found 163 characters, want <=100)'

internal/genericosv/testdata/yaml/GHSA-69v6-xc2j-r2jf.yaml

@@ -10,7 +10,7 @@ modules:
         - fixed: 1.19.7
       packages:
         - package: github.com/ethereum/go-ethereum/core/vm
-summary: Shallow copy bug in geth
+summary: Shallow copy bug in geth in github.com/ethereum/go-ethereum
 description: |-
     ### Impact This is a Consensus vulnerability, which can be used to cause a
     chain-split where vulnerable nodes reject the canonical chain.
@@ -44,4 +44,3 @@ notes:
     - lint: 'description: possible markdown formatting (found `dataCopy` (at `0x00...04`)'
     - lint: 'modules[1] "github.com/ethereum/go-ethereum": packages[0] "github.com/ethereum/go-ethereum/core/vm": at least one of vulnerable_at and skip_fix must be set'
     - lint: 'modules[1] "github.com/ethereum/go-ethereum": version 1.19.7 does not exist'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/ethereum/go-ethereum")'

internal/genericosv/testdata/yaml/GHSA-6qfg-8799-r575.yaml

@@ -16,7 +16,7 @@ modules:
       vulnerable_at: 1.16.0-rc.2
       packages:
         - package: k8s.io/kubernetes/pkg/kubectl/cmd/cp
-summary: Symlink Attack
+summary: Symlink Attack in github.com/kubernetes/kubernetes
 description: |-
     The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to
     1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by tar
@@ -33,5 +33,3 @@ references:
     - report: https://github.com/kubernetes/kubernetes/issues/87773
     - fix: https://github.com/kubernetes/kubernetes/pull/82143
     - web: https://groups.google.com/d/msg/kubernetes-announce/YYtEFdFimZ4/nZnOezZuBgAJ
-notes:
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/kubernetes/kubernetes")'

internal/genericosv/testdata/yaml/GHSA-6rg3-8h8x-5xfv.yaml

@@ -7,7 +7,7 @@ modules:
       vulnerable_at: 1.2.0
 summary: |-
     Unchecked hostname resolution could allow access to local network resources by
-    users outside the local network
+    users outside the local network in github.com/pterodactyl/wings
 description: |-
     ### Impact A newly implemented route allowing users to download files from
     remote endpoints was not properly verifying the destination hostname for user
@@ -29,5 +29,4 @@ references:
     - advisory: https://github.com/pterodactyl/wings/security/advisories/GHSA-6rg3-8h8x-5xfv
 notes:
     - lint: 'description: possible markdown formatting (found ### )'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/pterodactyl/wings")'
-    - lint: 'summary: too long (found 110 characters, want <=100)'
+    - lint: 'summary: too long (found 142 characters, want <=100)'