internal/report: attempt to auto-fix summaries

If there is no module path in a summary,
simply add it to the end, i.e., "<summary> in <module>".

This could result in non-grammatical
phrases so it's meant as a convenience for a human to fix up.

As a last resort, if there is no summary at all, add
the summary '<[alias] | "Vulnerability"> in <module_path>' as a
starting point.

Change-Id: I64810c7c77980654d7973dc605b256e6053c0254
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/576998
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

Author: tatianab

internal/genericosv/testdata/yaml/GHSA-28r2-q6m8-9hpx.yaml

@@ -19,7 +19,7 @@ modules:
       vulnerable_at: 2.0.2
 summary: |-
     HashiCorp go-getter unsafe downloads could lead to asymmetric resource
-    exhaustion
+    exhaustion in github.com/hashicorp/go-getter
 description: |-
     HashiCorp go-getter through 2.0.2 does not safely perform downloads. Asymmetric
     resource exhaustion could occur when go-getter processed malicious HTTP
@@ -39,4 +39,4 @@ references:
     - web: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
     - web: https://github.com/hashicorp/go-getter/releases
 notes:
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/hashicorp/go-getter")'
+    - lint: 'summary: too long (found 115 characters, want <=100)'

internal/genericosv/testdata/yaml/GHSA-3hwm-922r-47hw.yaml

@@ -3,7 +3,7 @@ modules:
     - module: atomys.codes/stud42
       versions:
         - fixed: 0.23.0
-summary: Stud42 vulnerable to denial of service
+summary: Stud42 vulnerable to denial of service in atomys.codes/stud42
 description: |-
     A security vulnerability has been identified in the GraphQL parser used by the
     API of s42.app. An attacker can overload the parser and cause the API pod to
@@ -22,4 +22,3 @@ references:
     - web: https://github.com/42Atomys/stud42/commit/a70bfc72fba721917bf681d72a58093fb9deee17
 notes:
     - lint: 'modules[0] "atomys.codes/stud42": version 0.23.0 does not exist'
-    - lint: 'summary: must contain an affected module or package path (e.g. "atomys.codes/stud42")'

internal/genericosv/testdata/yaml/GHSA-3wq5-3f56-v5xc.yaml

@@ -12,7 +12,7 @@ modules:
       versions:
         - introduced: 6.3.0
           fixed: 7.1.6
-summary: Mattermost vulnerable to information disclosure
+summary: Mattermost vulnerable to information disclosure in github.com/mattermost/mattermost-server
 description: |-
     Mattermost allows an attacker to request a preview of an existing message when
     creating a new message via the createPost API call, disclosing the contents of
@@ -27,4 +27,3 @@ references:
 notes:
     - lint: 'modules[0] "github.com/mattermost/mattermost-server": 6 versions do not exist: 7.1.0, 7.1.6, 7.7.0, 7.7.2, 7.8.0, 7.8.1'
     - lint: 'modules[1] "github.com/mattermost/mattermost-server/v6": version 7.1.6 does not exist'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/mattermost/mattermost-server")'

internal/genericosv/testdata/yaml/GHSA-54q4-74p3-mgcw.yaml

@@ -6,7 +6,7 @@ modules:
       unsupported_versions:
         - version: 4.0.2
           type: last_affected
-summary: rttys SQL Injection vulnerability
+summary: rttys SQL Injection vulnerability in github.com/zhaojh329/rttys
 description: |-
     SQL Injection vulnerability in rttys versions 4.0.0, 4.0.1, and 4.0.2 in api.go,
     allows attackers to execute arbitrary code.
@@ -21,4 +21,3 @@ notes:
     - lint: 'modules[0] "github.com/zhaojh329/rttys": unsupported_versions: found 1 (want none)'
     - lint: 'modules[0] "github.com/zhaojh329/rttys": version 4.0.0 does not exist'
     - lint: 'summary: must begin with a capital letter'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/zhaojh329/rttys")'

internal/genericosv/testdata/yaml/GHSA-5m6c-jp6f-2vcv.yaml

@@ -4,7 +4,7 @@ modules:
       versions:
         - introduced: 5.1.1
           fixed: 6.0.0
-summary: Open Redirect in OAuth2 Proxy
+summary: Open Redirect in OAuth2 Proxy in github.com/oauth2-proxy/oauth2-proxy
 description: |-
     ### Impact As users can provide a redirect address for the proxy to send the
     authenticated user to at the end of the authentication flow. This is expected to
@@ -22,4 +22,3 @@ references:
 notes:
     - lint: 'description: possible markdown formatting (found ### )'
     - lint: 'modules[0] "github.com/oauth2-proxy/oauth2-proxy": 2 versions do not exist: 5.1.1, 6.0.0'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/oauth2-proxy/oauth2-proxy")'

internal/genericosv/testdata/yaml/GHSA-627p-rr78-99rj.yaml

@@ -14,7 +14,7 @@ modules:
           fixed: 6.4.1
 summary: |-
     GitLab auth uses full name instead of username as user ID, allowing
-    impersonation
+    impersonation in github.com/concourse/concourse
 description: |-
     ### Impact
 
@@ -70,4 +70,4 @@ notes:
     - lint: 'description: possible markdown formatting (found `users`)'
     - lint: 'modules[0] "github.com/concourse/concourse": 4 versions do not exist: 6.3.0, 6.3.1, 6.4.0, 6.4.1'
     - lint: 'modules[1] "github.com/concourse/dex": 4 versions do not exist: 6.3.0, 6.3.1, 6.4.0, 6.4.1'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/concourse/concourse")'
+    - lint: 'summary: too long (found 115 characters, want <=100)'

internal/genericosv/testdata/yaml/GHSA-66p8-j459-rq63.yaml

@@ -8,7 +8,7 @@ modules:
       vulnerable_at: 1.11.3
 summary: |-
     Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following resulting in
-    deletion of files and directories on the host system
+    deletion of files and directories on the host system in github.com/pterodactyl/wings
 description: |-
     ### Impact
 
@@ -45,5 +45,4 @@ notes:
     - lint: 'description: possible markdown formatting (found ### )'
     - lint: 'description: possible markdown formatting (found [`GHSA-p8r3-83r8-jwj5`](https://github.com/pterodactyl/wings/security/advisories/GHSA-p8r3-83r8-jwj5))'
     - lint: 'description: possible markdown formatting (found `GHSA-p8r3-83r8-jwj5`)'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/pterodactyl/wings")'
-    - lint: 'summary: too long (found 131 characters, want <=100)'
+    - lint: 'summary: too long (found 163 characters, want <=100)'

internal/genericosv/testdata/yaml/GHSA-69v6-xc2j-r2jf.yaml

@@ -10,7 +10,7 @@ modules:
         - fixed: 1.19.7
       packages:
         - package: github.com/ethereum/go-ethereum/core/vm
-summary: Shallow copy bug in geth
+summary: Shallow copy bug in geth in github.com/ethereum/go-ethereum
 description: |-
     ### Impact This is a Consensus vulnerability, which can be used to cause a
     chain-split where vulnerable nodes reject the canonical chain.
@@ -44,4 +44,3 @@ notes:
     - lint: 'description: possible markdown formatting (found `dataCopy` (at `0x00...04`)'
     - lint: 'modules[1] "github.com/ethereum/go-ethereum": packages[0] "github.com/ethereum/go-ethereum/core/vm": at least one of vulnerable_at and skip_fix must be set'
     - lint: 'modules[1] "github.com/ethereum/go-ethereum": version 1.19.7 does not exist'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/ethereum/go-ethereum")'

internal/genericosv/testdata/yaml/GHSA-6qfg-8799-r575.yaml

@@ -16,7 +16,7 @@ modules:
       vulnerable_at: 1.16.0-rc.2
       packages:
         - package: k8s.io/kubernetes/pkg/kubectl/cmd/cp
-summary: Symlink Attack
+summary: Symlink Attack in github.com/kubernetes/kubernetes
 description: |-
     The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to
     1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by tar
@@ -33,5 +33,3 @@ references:
     - report: https://github.com/kubernetes/kubernetes/issues/87773
     - fix: https://github.com/kubernetes/kubernetes/pull/82143
     - web: https://groups.google.com/d/msg/kubernetes-announce/YYtEFdFimZ4/nZnOezZuBgAJ
-notes:
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/kubernetes/kubernetes")'

internal/genericosv/testdata/yaml/GHSA-6rg3-8h8x-5xfv.yaml

@@ -7,7 +7,7 @@ modules:
       vulnerable_at: 1.2.0
 summary: |-
     Unchecked hostname resolution could allow access to local network resources by
-    users outside the local network
+    users outside the local network in github.com/pterodactyl/wings
 description: |-
     ### Impact A newly implemented route allowing users to download files from
     remote endpoints was not properly verifying the destination hostname for user
@@ -29,5 +29,4 @@ references:
     - advisory: https://github.com/pterodactyl/wings/security/advisories/GHSA-6rg3-8h8x-5xfv
 notes:
     - lint: 'description: possible markdown formatting (found ### )'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/pterodactyl/wings")'
-    - lint: 'summary: too long (found 110 characters, want <=100)'
+    - lint: 'summary: too long (found 142 characters, want <=100)'

internal/genericosv/testdata/yaml/GHSA-7943-82jg-wmw5.yaml

@@ -11,7 +11,7 @@ modules:
         - introduced: 2.4.0
           fixed: 2.4.5
       vulnerable_at: 2.4.4
-summary: Argo CD certificate verification is skipped for connections to OIDC providers
+summary: Argo CD certificate verification is skipped for connections to OIDC providers in github.com/argoproj/argo-cd
 description: |-
     ### Impact
 
@@ -131,4 +131,4 @@ notes:
     - lint: 'description: possible markdown formatting (found [discussions](https://github.com/argoproj/argo-cd/discussions))'
     - lint: 'description: possible markdown formatting (found `--dex-server`)'
     - lint: 'modules[0] "github.com/argoproj/argo-cd": version 2.2.11 does not exist'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/argoproj/argo-cd")'
+    - lint: 'summary: too long (found 108 characters, want <=100)'

internal/genericosv/testdata/yaml/GHSA-7fxj-fr3v-r9gj.yaml

@@ -8,7 +8,7 @@ modules:
           type: last_affected
         - version: 6.4.0-alpha1
           type: last_affected
-summary: TiDB vulnerable to Use of Externally-Controlled Format String
+summary: TiDB vulnerable to Use of Externally-Controlled Format String in github.com/pingcap/tidb
 description: |-
     TiDB server (importer CLI tool) prior to version 6.4.0 & 6.1.3 is vulnerable to
     data source name injection. The database name for generating and inserting data
@@ -26,4 +26,3 @@ references:
 notes:
     - lint: 'modules[0] "github.com/pingcap/tidb": unsupported_versions: found 2 (want none)'
     - lint: 'modules[0] "github.com/pingcap/tidb": version 6.2.0 does not exist'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/pingcap/tidb")'

internal/genericosv/testdata/yaml/GHSA-9689-rx4v-cqgc.yaml

@@ -9,7 +9,7 @@ modules:
           fixed: 5.8.1
       packages:
         - package: github.com/concourse/concourse/skymarshal/skyserver
-summary: Open Redirect
+summary: Open Redirect in github.com/concourse/concourse
 description: |-
     Pivotal Concourse Release, versions 4.x prior to 4.2.2, login flow allows
     redirects to untrusted websites. A remote unauthenticated attacker could
@@ -27,4 +27,3 @@ references:
 notes:
     - lint: 'modules[0] "github.com/concourse/concourse": 5 versions do not exist: 5.2.8, 5.3.0, 5.5.10, 5.6.0, 5.8.1'
     - lint: 'modules[0] "github.com/concourse/concourse": packages[0] "github.com/concourse/concourse/skymarshal/skyserver": at least one of vulnerable_at and skip_fix must be set'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/concourse/concourse")'

internal/genericosv/testdata/yaml/GHSA-cf7g-cm7q-rq7f.yaml

@@ -3,7 +3,7 @@ modules:
     - module: github.com/drakkan/sftpgo
       versions:
         - fixed: 2.3.5
-summary: SFTPGo WebClient vulnerable to Cross-site Scripting
+summary: SFTPGo WebClient vulnerable to Cross-site Scripting in github.com/drakkan/sftpgo
 description: |-
     ### Impact Cross-site scripting (XSS) vulnerabilities have been reported to
     affect SFTPGo WebClient. If exploited, this vulnerability allows remote
@@ -20,4 +20,3 @@ references:
 notes:
     - lint: 'description: possible markdown formatting (found ### )'
     - lint: 'modules[0] "github.com/drakkan/sftpgo": version 2.3.5 does not exist'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/drakkan/sftpgo")'

internal/genericosv/testdata/yaml/GHSA-g5gj-9ggf-9vmq.yaml

@@ -6,7 +6,7 @@ modules:
       vulnerable_at: 1.3.0
       packages:
         - package: github.com/cloudflare/cfrpki/cmd/octorpki
-summary: Infinite certificate chain depth results in OctoRPKI running forever
+summary: Infinite certificate chain depth results in OctoRPKI running forever in github.com/cloudflare/cfrpki
 description: |-
     OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to
     create children in an ad-hoc fashion, thereby making tree traversal never end.
@@ -25,4 +25,3 @@ references:
     - web: https://www.debian.org/security/2022/dsa-5041
 notes:
     - lint: 'description: possible markdown formatting (found ## )'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/cloudflare/cfrpki")'

internal/genericosv/testdata/yaml/GHSA-g9wh-3vrx-r7hg.yaml

@@ -4,7 +4,7 @@ modules:
       versions:
         - fixed: 1.4.0
       vulnerable_at: 1.3.0
-summary: OctoRPKI crashes when processing GZIP bomb returned via malicious repository
+summary: OctoRPKI crashes when processing GZIP bomb returned via malicious repository in github.com/cloudflare/cfrpki
 description: |-
     OctoRPKI tries to load the entire contents of a repository in memory, and in the
     case of a GZIP bomb, unzip it in memory, making it possible to create a
@@ -24,4 +24,4 @@ references:
     - web: https://www.debian.org/security/2022/dsa-5041
 notes:
     - lint: 'description: possible markdown formatting (found ## )'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/cloudflare/cfrpki")'
+    - lint: 'summary: too long (found 108 characters, want <=100)'

internal/genericosv/testdata/yaml/GHSA-hjv9-hm2f-rpcj.yaml

@@ -8,7 +8,7 @@ modules:
           fixed: 9.2.13
         - introduced: 9.3.0
           fixed: 9.3.8
-summary: Grafana vulnerable to Cross-site Scripting
+summary: Grafana vulnerable to Cross-site Scripting in github.com/grafana/grafana
 description: |-
     Grafana is an open-source platform for monitoring and observability. Starting
     with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core
@@ -31,4 +31,3 @@ references:
     - web: https://security.netapp.com/advisory/ntap-20230413-0001/
 notes:
     - lint: 'modules[0] "github.com/grafana/grafana": 6 versions do not exist: 8.1.0, 8.5.21, 9.0.0, 9.2.13, 9.3.0, 9.3.8'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/grafana/grafana")'

internal/genericosv/testdata/yaml/GHSA-hv53-vf5m-8q94.yaml

@@ -3,7 +3,7 @@ modules:
     - module: github.com/personnummer/go
       versions:
         - fixed: 3.0.1
-summary: personnummer/go vulnerable to Improper Input Validation
+summary: personnummer/go vulnerable to Improper Input Validation in github.com/personnummer/go
 description: |-
     This vulnerability was reported to the personnummer team in June 2020. The slow
     response was due to locked ownership of some of the affected packages, which
@@ -57,4 +57,3 @@ notes:
     - lint: 'description: possible markdown formatting (found [C#](https://github.com/advisories/GHSA-qv8q-v995-72gr))'
     - lint: 'modules[0] "github.com/personnummer/go": version 3.0.1 does not exist'
     - lint: 'summary: must begin with a capital letter'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/personnummer/go")'

internal/genericosv/testdata/yaml/GHSA-jh36-q97c-9928.yaml

@@ -11,7 +11,7 @@ modules:
         - introduced: 1.25.0
           fixed: 1.25.4
       vulnerable_at: 1.25.4-rc.0
-summary: Kubernetes vulnerable to validation bypass
+summary: Kubernetes vulnerable to validation bypass in k8s.io/kubernetes
 description: |-
     Users may have access to secure endpoints in the control plane network.
     Kubernetes clusters are only affected if an untrusted user can modify Node
@@ -31,5 +31,3 @@ references:
     - web: https://github.com/kubernetes/kubernetes/issues/113757
     - web: https://groups.google.com/g/kubernetes-security-announce/c/VyPOxF7CIbA
     - web: https://security.netapp.com/advisory/ntap-20230505-0007/
-notes:
-    - lint: 'summary: must contain an affected module or package path (e.g. "k8s.io/kubernetes")'

internal/genericosv/testdata/yaml/GHSA-jmp2-wc4p-wfh2.yaml

@@ -12,7 +12,7 @@ modules:
       vulnerable_at: 0.17.0
 summary: |-
     Mutagen list and monitor operations do not neutralize control characters in text
-    controlled by remote endpoints
+    controlled by remote endpoints in github.com/mutagen-io/mutagen
 description: |-
     ### Impact
 
@@ -61,5 +61,4 @@ notes:
     - lint: 'description: possible markdown formatting (found ### )'
     - lint: 'description: possible markdown formatting (found [CVE-2003-0069](https://nvd.nist.gov/vuln/detail/CVE-2003-0069))'
     - lint: 'description: possible markdown formatting (found `list`)'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/mutagen-io/mutagen")'
-    - lint: 'summary: too long (found 111 characters, want <=100)'
+    - lint: 'summary: too long (found 144 characters, want <=100)'

internal/genericosv/testdata/yaml/GHSA-pg5p-wwp8-97g8.yaml

@@ -13,7 +13,7 @@ modules:
         - version: 1.10.0
           type: last_affected
       vulnerable_at: 1.13.1
-summary: Debug mode leaks confidential data in Cilium
+summary: Debug mode leaks confidential data in Cilium in github.com/cilium/cilium
 description: |-
     ### Impact
 
@@ -64,4 +64,3 @@ notes:
     - lint: 'description: possible markdown formatting (found [Slack](https://docs.cilium.io/en/latest/community/community/#slack))'
     - lint: 'modules[0] "github.com/cilium/cilium": unsupported_versions: found 1 (want none)'
     - lint: 'modules[0] "github.com/cilium/cilium": versions: introduced and fixed versions must alternate'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/cilium/cilium")'

internal/genericosv/testdata/yaml/GHSA-pmfr-63c2-jr5c.yaml

@@ -4,7 +4,7 @@ modules:
       versions:
         - introduced: 3.0.0+incompatible
           fixed: 3.6.0
-summary: Execution Control List (ECL) Is Insecure in Singularity
+summary: Execution Control List (ECL) Is Insecure in Singularity in github.com/sylabs/singularity
 description: |-
     ### Impact
 
@@ -71,4 +71,3 @@ notes:
     - lint: 'description: possible markdown formatting (found [Singularity Slack Channel](https://bit.ly/2m0g3lX))'
     - lint: 'description: possible markdown formatting (found `legacyinsecure`)'
     - lint: 'modules[0] "github.com/sylabs/singularity": version 3.6.0 does not exist'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/sylabs/singularity")'

internal/genericosv/testdata/yaml/GHSA-vp35-85q5-9f25.yaml

@@ -4,7 +4,7 @@ modules:
       versions:
         - fixed: 20.10.20+incompatible
       vulnerable_at: 20.10.19+incompatible
-summary: Container build can leak any path on the host into the container
+summary: Container build can leak any path on the host into the container in github.com/moby/moby
 description: |-
     ### Description
 
@@ -112,4 +112,3 @@ notes:
     - lint: 'description: possible markdown formatting (found ### )'
     - lint: 'description: possible markdown formatting (found [Open an issue](https://github.com/moby/moby/issues/new))'
     - lint: 'description: possible markdown formatting (found `git+<protocol>://...`)'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/moby/moby")'

internal/genericosv/testdata/yaml/GHSA-w4xh-w33p-4v29.yaml

@@ -8,7 +8,7 @@ modules:
         - fixed: 2.1.1-0.20170519163204-f913f5f9c7c6
       packages:
         - package: github.com/git-lfs/git-lfs/lfsapi
-summary: GitHub Git LFS Improper Input Validation vulnerability
+summary: GitHub Git LFS Improper Input Validation vulnerability in github.com/git-lfs/git-lfs
 description: |-
     GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitrary
     commands via an ssh URL with an initial dash character in the hostname, located
@@ -32,4 +32,3 @@ notes:
     - lint: 'modules[0] "github.com/git-lfs/git-lfs": version 2.1.1-0.20170519163204-f913f5f9c7c6 does not exist'
     - lint: 'modules[1] "github.com/git-lfs/git-lfs": packages[0] "github.com/git-lfs/git-lfs/lfsapi": at least one of vulnerable_at and skip_fix must be set'
     - lint: 'modules[1] "github.com/git-lfs/git-lfs": version 2.1.1-0.20170519163204-f913f5f9c7c6 does not exist'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/git-lfs/git-lfs")'

internal/genericosv/testdata/yaml/GHSA-xmg8-99r8-jc2j.yaml

@@ -12,7 +12,7 @@ modules:
         - introduced: 2.3.0
           fixed: 2.3.4
       vulnerable_at: 2.3.3
-summary: Login screen allows message spoofing if SSO is enabled
+summary: Login screen allows message spoofing if SSO is enabled in github.com/argoproj/argo-cd
 description: |-
     ### Impact
 
@@ -74,4 +74,3 @@ notes:
     - lint: 'description: possible markdown formatting (found ### )'
     - lint: 'description: possible markdown formatting (found [discussions](https://github.com/argoproj/argo-cd/discussions))'
     - lint: 'modules[0] "github.com/argoproj/argo-cd": version 2.1.15 does not exist'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/argoproj/argo-cd")'