report,osv,client: update schema to current state

rolandshoemaker · rolandshoemaker · commit c856ba870e92 · 2021-05-21T02:20:14.000Z
Match the current state of https://tinyurl.com/vuln-json, also fix a minor bug in deploy-db.sh. Change-Id: Ib6c225637cb538ef263b7bf182d30e36e76a43e3 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/321509 Trust: Roland Shoemaker <roland@golang.org> Run-TryBot: Roland Shoemaker <roland@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org>
diff --git a/client/client_test.go b/client/client_test.go
@@ -18,13 +18,13 @@ import (
 
 var testVuln1 string = `[
 	{"ID":"ID1","Package":{"Name":"golang.org/example/one","Ecosystem":"go"}, "Summary":"",
-	 "Severity":2,"Affects":{"Ranges":[{"Type":2,"Introduced":"","Fixed":"v2.2.0"}]},
+	 "Severity":2,"Affects":{"Ranges":[{"Type":"SEMVER","Introduced":"","Fixed":"v2.2.0"}]},
 	 "ecosystem_specific":{"Symbols":["some_symbol_1"]
 	}}]`
 
 var testVuln2 string = `[
 	{"ID":"ID2","Package":{"Name":"golang.org/example/two","Ecosystem":"go"}, "Summary":"",
-	 "Severity":2,"Affects":{"Ranges":[{"Type":2,"Introduced":"","Fixed":"v2.1.0"}]},
+	 "Severity":2,"Affects":{"Ranges":[{"Type":"SEMVER","Introduced":"","Fixed":"v2.1.0"}]},
 	 "ecosystem_specific":{"Symbols":["some_symbol_2"]
 	}}]`
 
diff --git a/deploy-db.sh b/deploy-db.sh
@@ -2,6 +2,6 @@
 tmp_dir=$(mktemp -d -t vulndb-XXXX)
 go run ./cmd/gendb -reports reports -out $tmp_dir
 cd $tmp_dir
-gsutil cp -m -r . gs://go-vulndb
+gsutil -m cp -r . gs://go-vulndb
 cd -
-rm -rf $tmp_dir
+rm -rf $tmp_dir
diff --git a/osv/json.go b/osv/json.go
@@ -34,27 +34,27 @@ import (
 // vulndb implementatiion detail.
 type DBIndex map[string]time.Time
 
-type AffectsRangeType int
+type AffectsRangeType string
 
 const (
-	TypeUnspecified AffectsRangeType = iota
-	TypeGit
-	TypeSemver
+	TypeUnspecified AffectsRangeType = "UNSPECIFIED"
+	TypeGit         AffectsRangeType = "GIT"
+	TypeSemver      AffectsRangeType = "SEMVER"
 )
 
 type Ecosystem string
 
-const GoEcosystem Ecosystem = "go"
+const GoEcosystem Ecosystem = "Go"
 
 type Package struct {
-	Name      string
-	Ecosystem Ecosystem
+	Name      string    `json:"name"`
+	Ecosystem Ecosystem `json:"ecosystem"`
 }
 
 type AffectsRange struct {
-	Type       AffectsRangeType
-	Introduced string
-	Fixed      string
+	Type       AffectsRangeType `json:"type"`
+	Introduced string           `json:"introduced"`
+	Fixed      string           `json:"fixed"`
 }
 
 func (ar AffectsRange) containsSemver(v string) bool {
@@ -108,29 +108,27 @@ type GoSpecific struct {
 	Symbols []string `json:",omitempty"`
 	GOOS    []string `json:",omitempty"`
 	GOARCH  []string `json:",omitempty"`
-	URL     string
+	URL     string   `json:"url"`
 }
 
 type Reference struct {
-	Type string
-	URL  string
+	Type string `json:"type"`
+	URL  string `json:"url"`
 }
 
 // Entry represents a OSV style JSON vulnerability database
 // entry
 type Entry struct {
-	ID         string
-	Published  time.Time
-	Modified   time.Time
-	Withdrawn  *time.Time `json:",omitempty"`
-	Aliases    []string   `json:",omitempty"`
-	Package    Package
-	Details    string
-	Affects    Affects
-	References []Reference `json:",omitempty"`
-	Extra      struct {
-		Go GoSpecific
-	}
+	ID                string      `json:"id"`
+	Published         time.Time   `json:"published"`
+	Modified          time.Time   `json:"modified"`
+	Withdrawn         *time.Time  `json:"withdrawn,omitempty"`
+	Aliases           []string    `json:"aliases,omitempty"`
+	Package           Package     `json:"package"`
+	Details           string      `json:"details"`
+	Affects           Affects     `json:"affects"`
+	References        []Reference `json:"references,omitempty"`
+	EcosystemSpecific GoSpecific  `json:"ecosystem_specific"`
 }
 
 func Generate(id string, url string, r report.Report) []Entry {
@@ -153,24 +151,22 @@ func Generate(id string, url string, r report.Report) []Entry {
 		},
 		Details: r.Description,
 		Affects: generateAffects(r.Versions),
-		Extra: struct{ Go GoSpecific }{
-			Go: GoSpecific{
-				Symbols: r.Symbols,
-				GOOS:    r.OS,
-				GOARCH:  r.Arch,
-				URL:     url,
-			},
+		EcosystemSpecific: GoSpecific{
+			Symbols: r.Symbols,
+			GOOS:    r.OS,
+			GOARCH:  r.Arch,
+			URL:     url,
 		},
 	}
 
 	if r.Links.PR != "" {
-		entry.References = append(entry.References, Reference{Type: "code review", URL: r.Links.PR})
+		entry.References = append(entry.References, Reference{Type: "FIX", URL: r.Links.PR})
 	}
 	if r.Links.Commit != "" {
-		entry.References = append(entry.References, Reference{Type: "fix", URL: r.Links.Commit})
+		entry.References = append(entry.References, Reference{Type: "FIX", URL: r.Links.Commit})
 	}
 	for _, link := range r.Links.Context {
-		entry.References = append(entry.References, Reference{Type: "misc", URL: link})
+		entry.References = append(entry.References, Reference{Type: "WEB", URL: link})
 	}
 
 	if r.CVE != "" {
@@ -187,7 +183,7 @@ func Generate(id string, url string, r report.Report) []Entry {
 			additionalImportPath = additional.Package
 		}
 		entryCopy.Package.Name = additionalImportPath
-		entryCopy.Extra.Go.Symbols = additional.Symbols
+		entryCopy.EcosystemSpecific.Symbols = additional.Symbols
 		entryCopy.Affects = generateAffects(additional.Versions)
 
 		entries = append(entries, entryCopy)
diff --git a/osv/json_test.go b/osv/json_test.go
@@ -15,12 +15,7 @@ import (
 func TestGenerate(t *testing.T) {
 	r := report.Report{
 		Module: "example.com/vulnerable/v2",
-		AdditionalPackages: []struct {
-			Module   string
-			Package  string
-			Symbols  []string
-			Versions []report.VersionRange
-		}{
+		AdditionalPackages: []report.Additional{
 			{
 				Module:  "vanity.host/vulnerable",
 				Package: "vanity.host/vulnerable/package",
@@ -43,11 +38,7 @@ func TestGenerate(t *testing.T) {
 		Symbols:     []string{"A", "B.b"},
 		OS:          []string{"windows"},
 		Arch:        []string{"arm64"},
-		Links: struct {
-			PR      string
-			Commit  string
-			Context []string
-		}{
+		Links: report.Links{
 			PR:      "pr",
 			Commit:  "commit",
 			Context: []string{"issue-a", "issue-b"},
@@ -59,7 +50,7 @@ func TestGenerate(t *testing.T) {
 			ID: "GO-1991-0001",
 			Package: Package{
 				Name:      "example.com/vulnerable/v2",
-				Ecosystem: "go",
+				Ecosystem: "Go",
 			},
 			Details: "It's a real bad one, I'll tell you that",
 			Affects: Affects{
@@ -80,27 +71,25 @@ func TestGenerate(t *testing.T) {
 				},
 			},
 			References: []Reference{
-				Reference{Type: "code review", URL: "pr"},
-				Reference{Type: "fix", URL: "commit"},
-				Reference{Type: "misc", URL: "issue-a"},
-				Reference{Type: "misc", URL: "issue-b"},
+				Reference{Type: "FIX", URL: "pr"},
+				Reference{Type: "FIX", URL: "commit"},
+				Reference{Type: "WEB", URL: "issue-a"},
+				Reference{Type: "WEB", URL: "issue-b"},
 			},
 			Aliases: []string{"CVE-0000-0000"},
-			Extra: struct{ Go GoSpecific }{
-				Go: GoSpecific{
-					Symbols: []string{"A", "B.b"},
-					GOOS:    []string{"windows"},
-					GOARCH:  []string{"arm64"},
-					URL:     "https://vulns.golang.org/GO-1991-0001.html",
-				},
+			EcosystemSpecific: GoSpecific{
+				Symbols: []string{"A", "B.b"},
+				GOOS:    []string{"windows"},
+				GOARCH:  []string{"arm64"},
+				URL:     "https://vulns.golang.org/GO-1991-0001.html",
 			},
 		},
 		{
 
 			ID: "GO-1991-0001",
 			Package: Package{
 				Name:      "vanity.host/vulnerable/package",
-				Ecosystem: "go",
+				Ecosystem: "Go",
 			},
 			Details: "It's a real bad one, I'll tell you that",
 			Affects: Affects{
@@ -121,19 +110,17 @@ func TestGenerate(t *testing.T) {
 				},
 			},
 			References: []Reference{
-				Reference{Type: "code review", URL: "pr"},
-				Reference{Type: "fix", URL: "commit"},
-				Reference{Type: "misc", URL: "issue-a"},
-				Reference{Type: "misc", URL: "issue-b"},
+				Reference{Type: "FIX", URL: "pr"},
+				Reference{Type: "FIX", URL: "commit"},
+				Reference{Type: "WEB", URL: "issue-a"},
+				Reference{Type: "WEB", URL: "issue-b"},
 			},
 			Aliases: []string{"CVE-0000-0000"},
-			Extra: struct{ Go GoSpecific }{
-				Go: GoSpecific{
-					Symbols: []string{"b", "A.b"},
-					GOOS:    []string{"windows"},
-					GOARCH:  []string{"arm64"},
-					URL:     "https://vulns.golang.org/GO-1991-0001.html",
-				},
+			EcosystemSpecific: GoSpecific{
+				Symbols: []string{"b", "A.b"},
+				GOOS:    []string{"windows"},
+				GOARCH:  []string{"arm64"},
+				URL:     "https://vulns.golang.org/GO-1991-0001.html",
 			},
 		},
 	}
diff --git a/report/report.go b/report/report.go
@@ -11,6 +11,25 @@ type VersionRange struct {
 	Fixed      string `yaml:",omitempty"`
 }
 
+type Additional struct {
+	Module   string         `yaml:",omitempty"`
+	Package  string         `yaml:",omitempty"`
+	Symbols  []string       `yaml:",omitempty"`
+	Versions []VersionRange `yaml:",omitempty"`
+}
+
+type Links struct {
+	PR      string   `yaml:",omitempty"`
+	Commit  string   `yaml:",omitempty"`
+	Context []string `yaml:",omitempty"`
+}
+
+type CVEMeta struct {
+	ID          string `yaml:",omitempty"`
+	CWE         string `yaml:",omitempty"`
+	Description string `yaml:",omitempty"`
+}
+
 type Report struct {
 	Module  string `yaml:",omitempty"`
 	Package string `yaml:",omitempty"`
@@ -26,30 +45,17 @@ type Report struct {
 	// really be replaced with 'aliases', we'll still need
 	// additional packages for some cases, but it's too heavy
 	// for most
-	AdditionalPackages []struct {
-		Module   string         `yaml:",omitempty"`
-		Package  string         `yaml:",omitempty"`
-		Symbols  []string       `yaml:",omitempty"`
-		Versions []VersionRange `yaml:",omitempty"`
-	} `yaml:"additional_packages,omitempty"`
-	Versions     []VersionRange `yaml:",omitempty"`
-	Description  string         `yaml:",omitempty"`
-	Published    time.Time      `yaml:",omitempty"`
-	LastModified *time.Time     `yaml:"last_modified,omitempty"`
-	Withdrawn    *time.Time     `yaml:",omitempty"`
-	CVE          string         `yaml:",omitempty"`
-	Credit       string         `yaml:",omitempty"`
-	Symbols      []string       `yaml:",omitempty"`
-	OS           []string       `yaml:",omitempty"`
-	Arch         []string       `yaml:",omitempty"`
-	Links        struct {
-		PR      string   `yaml:",omitempty"`
-		Commit  string   `yaml:",omitempty"`
-		Context []string `yaml:",omitempty"`
-	} `yaml:",omitempty"`
-	CVEMetadata *struct {
-		ID          string `yaml:",omitempty"`
-		CWE         string `yaml:",omitempty"`
-		Description string `yaml:",omitempty"`
-	} `yaml:"cve_metadata,omitempty"`
+	AdditionalPackages []Additional   `yaml:"additional_packages,omitempty"`
+	Versions           []VersionRange `yaml:",omitempty"`
+	Description        string         `yaml:",omitempty"`
+	Published          time.Time      `yaml:",omitempty"`
+	LastModified       *time.Time     `yaml:"last_modified,omitempty"`
+	Withdrawn          *time.Time     `yaml:",omitempty"`
+	CVE                string         `yaml:",omitempty"`
+	Credit             string         `yaml:",omitempty"`
+	Symbols            []string       `yaml:",omitempty"`
+	OS                 []string       `yaml:",omitempty"`
+	Arch               []string       `yaml:",omitempty"`
+	Links              Links          `yaml:",omitempty"`
+	CVEMetadata        *CVEMeta       `yaml:"cve_metadata,omitempty"`
 }
