internal/report: add YAML field "source"

Adds a new field, source, which holds metadata about the
original source of the report. For now, it is either a CVE,
a GHSA, or the Go team.

This is not required and is not published to OSV, but will
assist in our automation efforts.

Change-Id: Ief5ea6eca35d8799655b3a86e7a22cf8ff49d4e5
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/576999
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

Author: tatianab

cmd/vulnreport/create.go

@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"strconv"
 	"strings"
+	"time"
 
 	"golang.org/x/vulndb/cmd/vulnreport/log"
 	"golang.org/x/vulndb/internal/cveclient"
@@ -210,13 +211,7 @@ func reportFromAliases(ctx context.Context, id, modulePath string, aliases []str
 		}
 	} else {
 		log.Infof("no alias found, creating basic report for %s", id)
-		r = &report.Report{
-			ID: id,
-			Modules: []*report.Module{
-				{
-					Module: modulePath,
-				},
-			}}
+		r = basicReport(id, modulePath)
 	}
 
 	// Ensure all source aliases are added to the report.
@@ -248,6 +243,11 @@ func reportFromAliases(ctx context.Context, id, modulePath string, aliases []str
 		}
 	}
 
+	if r.Source != nil {
+		now := time.Now()
+		r.Source.Created = &now
+	}
+
 	return r, nil
 }
 
@@ -344,6 +344,9 @@ func basicReport(id, modulePath string) *report.Report {
 				Module: modulePath,
 			},
 		},
+		Source: &report.Source{
+			ID: report.SourceGoTeam,
+		},
 	}
 }
 

internal/genericosv/report.go

@@ -28,6 +28,9 @@ func (osv *Entry) ToReport(goID string, pc *proxy.Client) *report.Report {
 		ID:          goID,
 		Summary:     report.Summary(osv.Summary),
 		Description: report.Description(osv.Details),
+		Source: &report.Source{
+			ID: osv.ID,
+		},
 	}
 	addAlias := func(alias string) {
 		switch {

internal/genericosv/testdata/yaml/GHSA-28r2-q6m8-9hpx.yaml

@@ -40,3 +40,5 @@ references:
     - web: https://github.com/hashicorp/go-getter/releases
 notes:
     - lint: 'summary: too long (found 115 characters, want <=100)'
+source:
+    id: GHSA-28r2-q6m8-9hpx

internal/genericosv/testdata/yaml/GHSA-33m6-q9v5-62r7.yaml

@@ -59,3 +59,5 @@ notes:
     - lint: 'modules[0] "github.com/apptainer/sif": 2 versions do not exist: 1.2.1-0.20180103161547-0ef6afb2f6cd, 1.2.1-0.20180404165556-75cca531ea76'
     - lint: 'modules[1] "github.com/satori/go.uuid": vulnerable_at: 1.2.0 is not inside vulnerable range'
     - lint: 'summary: must begin with a capital letter'
+source:
+    id: GHSA-33m6-q9v5-62r7

internal/genericosv/testdata/yaml/GHSA-3hwm-922r-47hw.yaml

@@ -22,3 +22,5 @@ references:
     - web: https://github.com/42Atomys/stud42/commit/a70bfc72fba721917bf681d72a58093fb9deee17
 notes:
     - lint: 'modules[0] "atomys.codes/stud42": version 0.23.0 does not exist'
+source:
+    id: GHSA-3hwm-922r-47hw

internal/genericosv/testdata/yaml/GHSA-3wq5-3f56-v5xc.yaml

@@ -27,3 +27,5 @@ references:
 notes:
     - lint: 'modules[0] "github.com/mattermost/mattermost-server": 6 versions do not exist: 7.1.0, 7.1.6, 7.7.0, 7.7.2, 7.8.0, 7.8.1'
     - lint: 'modules[1] "github.com/mattermost/mattermost-server/v6": version 7.1.6 does not exist'
+source:
+    id: GHSA-3wq5-3f56-v5xc

internal/genericosv/testdata/yaml/GHSA-54q4-74p3-mgcw.yaml

@@ -21,3 +21,5 @@ notes:
     - lint: 'modules[0] "github.com/zhaojh329/rttys": unsupported_versions: found 1 (want none)'
     - lint: 'modules[0] "github.com/zhaojh329/rttys": version 4.0.0 does not exist'
     - lint: 'summary: must begin with a capital letter'
+source:
+    id: GHSA-54q4-74p3-mgcw

internal/genericosv/testdata/yaml/GHSA-5m6c-jp6f-2vcv.yaml

@@ -22,3 +22,5 @@ references:
 notes:
     - lint: 'description: possible markdown formatting (found ### )'
     - lint: 'modules[0] "github.com/oauth2-proxy/oauth2-proxy": 2 versions do not exist: 5.1.1, 6.0.0'
+source:
+    id: GHSA-5m6c-jp6f-2vcv

internal/genericosv/testdata/yaml/GHSA-627p-rr78-99rj.yaml

@@ -71,3 +71,5 @@ notes:
     - lint: 'modules[0] "github.com/concourse/concourse": 4 versions do not exist: 6.3.0, 6.3.1, 6.4.0, 6.4.1'
     - lint: 'modules[1] "github.com/concourse/dex": 4 versions do not exist: 6.3.0, 6.3.1, 6.4.0, 6.4.1'
     - lint: 'summary: too long (found 115 characters, want <=100)'
+source:
+    id: GHSA-627p-rr78-99rj

internal/genericosv/testdata/yaml/GHSA-66p8-j459-rq63.yaml

@@ -46,3 +46,5 @@ notes:
     - lint: 'description: possible markdown formatting (found [`GHSA-p8r3-83r8-jwj5`](https://github.com/pterodactyl/wings/security/advisories/GHSA-p8r3-83r8-jwj5))'
     - lint: 'description: possible markdown formatting (found `GHSA-p8r3-83r8-jwj5`)'
     - lint: 'summary: too long (found 163 characters, want <=100)'
+source:
+    id: GHSA-66p8-j459-rq63

internal/genericosv/testdata/yaml/GHSA-69v6-xc2j-r2jf.yaml

@@ -44,3 +44,5 @@ notes:
     - lint: 'description: possible markdown formatting (found `dataCopy` (at `0x00...04`)'
     - lint: 'modules[1] "github.com/ethereum/go-ethereum": packages[0] "github.com/ethereum/go-ethereum/core/vm": at least one of vulnerable_at and skip_fix must be set'
     - lint: 'modules[1] "github.com/ethereum/go-ethereum": version 1.19.7 does not exist'
+source:
+    id: GHSA-69v6-xc2j-r2jf

internal/genericosv/testdata/yaml/GHSA-6qfg-8799-r575.yaml

@@ -33,3 +33,5 @@ references:
     - report: https://github.com/kubernetes/kubernetes/issues/87773
     - fix: https://github.com/kubernetes/kubernetes/pull/82143
     - web: https://groups.google.com/d/msg/kubernetes-announce/YYtEFdFimZ4/nZnOezZuBgAJ
+source:
+    id: GHSA-6qfg-8799-r575

internal/genericosv/testdata/yaml/GHSA-6rg3-8h8x-5xfv.yaml

@@ -30,3 +30,5 @@ references:
 notes:
     - lint: 'description: possible markdown formatting (found ### )'
     - lint: 'summary: too long (found 142 characters, want <=100)'
+source:
+    id: GHSA-6rg3-8h8x-5xfv

internal/genericosv/testdata/yaml/GHSA-7943-82jg-wmw5.yaml

@@ -132,3 +132,5 @@ notes:
     - lint: 'description: possible markdown formatting (found `--dex-server`)'
     - lint: 'modules[0] "github.com/argoproj/argo-cd": version 2.2.11 does not exist'
     - lint: 'summary: too long (found 108 characters, want <=100)'
+source:
+    id: GHSA-7943-82jg-wmw5

internal/genericosv/testdata/yaml/GHSA-7fxj-fr3v-r9gj.yaml

@@ -26,3 +26,5 @@ references:
 notes:
     - lint: 'modules[0] "github.com/pingcap/tidb": unsupported_versions: found 2 (want none)'
     - lint: 'modules[0] "github.com/pingcap/tidb": version 6.2.0 does not exist'
+source:
+    id: GHSA-7fxj-fr3v-r9gj

internal/genericosv/testdata/yaml/GHSA-9689-rx4v-cqgc.yaml

@@ -27,3 +27,5 @@ references:
 notes:
     - lint: 'modules[0] "github.com/concourse/concourse": 5 versions do not exist: 5.2.8, 5.3.0, 5.5.10, 5.6.0, 5.8.1'
     - lint: 'modules[0] "github.com/concourse/concourse": packages[0] "github.com/concourse/concourse/skymarshal/skyserver": at least one of vulnerable_at and skip_fix must be set'
+source:
+    id: GHSA-9689-rx4v-cqgc

internal/genericosv/testdata/yaml/GHSA-cf7g-cm7q-rq7f.yaml

@@ -20,3 +20,5 @@ references:
 notes:
     - lint: 'description: possible markdown formatting (found ### )'
     - lint: 'modules[0] "github.com/drakkan/sftpgo": version 2.3.5 does not exist'
+source:
+    id: GHSA-cf7g-cm7q-rq7f

internal/genericosv/testdata/yaml/GHSA-fv82-r8qv-ch4v.yaml

@@ -38,3 +38,5 @@ notes:
     - lint: 'description: possible markdown formatting (found ### )'
     - lint: 'description: possible markdown formatting (found [pomerium](http://github.com/pomerium/pomerium))'
     - lint: 'summary: must begin with a capital letter'
+source:
+    id: GHSA-fv82-r8qv-ch4v

internal/genericosv/testdata/yaml/GHSA-g5gj-9ggf-9vmq.yaml

@@ -25,3 +25,5 @@ references:
     - web: https://www.debian.org/security/2022/dsa-5041
 notes:
     - lint: 'description: possible markdown formatting (found ## )'
+source:
+    id: GHSA-g5gj-9ggf-9vmq

internal/genericosv/testdata/yaml/GHSA-g9wh-3vrx-r7hg.yaml

@@ -25,3 +25,5 @@ references:
 notes:
     - lint: 'description: possible markdown formatting (found ## )'
     - lint: 'summary: too long (found 108 characters, want <=100)'
+source:
+    id: GHSA-g9wh-3vrx-r7hg

internal/genericosv/testdata/yaml/GHSA-hjv9-hm2f-rpcj.yaml

@@ -31,3 +31,5 @@ references:
     - web: https://security.netapp.com/advisory/ntap-20230413-0001/
 notes:
     - lint: 'modules[0] "github.com/grafana/grafana": 6 versions do not exist: 8.1.0, 8.5.21, 9.0.0, 9.2.13, 9.3.0, 9.3.8'
+source:
+    id: GHSA-hjv9-hm2f-rpcj

internal/genericosv/testdata/yaml/GHSA-hmfx-3pcx-653p.yaml

@@ -70,3 +70,5 @@ notes:
     - lint: 'description: possible markdown formatting (found ### )'
     - lint: 'description: possible markdown formatting (found [containerd](https://github.com/containerd/containerd/issues/new/choose))'
     - lint: 'description: possible markdown formatting (found `"USER $USERNAME"`)'
+source:
+    id: GHSA-hmfx-3pcx-653p

internal/genericosv/testdata/yaml/GHSA-hv53-vf5m-8q94.yaml

@@ -57,3 +57,5 @@ notes:
     - lint: 'description: possible markdown formatting (found [C#](https://github.com/advisories/GHSA-qv8q-v995-72gr))'
     - lint: 'modules[0] "github.com/personnummer/go": version 3.0.1 does not exist'
     - lint: 'summary: must begin with a capital letter'
+source:
+    id: GHSA-hv53-vf5m-8q94

internal/genericosv/testdata/yaml/GHSA-jh36-q97c-9928.yaml

@@ -31,3 +31,5 @@ references:
     - web: https://github.com/kubernetes/kubernetes/issues/113757
     - web: https://groups.google.com/g/kubernetes-security-announce/c/VyPOxF7CIbA
     - web: https://security.netapp.com/advisory/ntap-20230505-0007/
+source:
+    id: GHSA-jh36-q97c-9928

internal/genericosv/testdata/yaml/GHSA-jmp2-wc4p-wfh2.yaml

@@ -62,3 +62,5 @@ notes:
     - lint: 'description: possible markdown formatting (found [CVE-2003-0069](https://nvd.nist.gov/vuln/detail/CVE-2003-0069))'
     - lint: 'description: possible markdown formatting (found `list`)'
     - lint: 'summary: too long (found 144 characters, want <=100)'
+source:
+    id: GHSA-jmp2-wc4p-wfh2

internal/genericosv/testdata/yaml/GHSA-pg5p-wwp8-97g8.yaml

@@ -64,3 +64,5 @@ notes:
     - lint: 'description: possible markdown formatting (found [Slack](https://docs.cilium.io/en/latest/community/community/#slack))'
     - lint: 'modules[0] "github.com/cilium/cilium": unsupported_versions: found 1 (want none)'
     - lint: 'modules[0] "github.com/cilium/cilium": versions: introduced and fixed versions must alternate'
+source:
+    id: GHSA-pg5p-wwp8-97g8

internal/genericosv/testdata/yaml/GHSA-pmfr-63c2-jr5c.yaml

@@ -71,3 +71,5 @@ notes:
     - lint: 'description: possible markdown formatting (found [Singularity Slack Channel](https://bit.ly/2m0g3lX))'
     - lint: 'description: possible markdown formatting (found `legacyinsecure`)'
     - lint: 'modules[0] "github.com/sylabs/singularity": version 3.6.0 does not exist'
+source:
+    id: GHSA-pmfr-63c2-jr5c

internal/genericosv/testdata/yaml/GHSA-vp35-85q5-9f25.yaml

@@ -112,3 +112,5 @@ notes:
     - lint: 'description: possible markdown formatting (found ### )'
     - lint: 'description: possible markdown formatting (found [Open an issue](https://github.com/moby/moby/issues/new))'
     - lint: 'description: possible markdown formatting (found `git+<protocol>://...`)'
+source:
+    id: GHSA-vp35-85q5-9f25

internal/genericosv/testdata/yaml/GHSA-w4xh-w33p-4v29.yaml

@@ -32,3 +32,5 @@ notes:
     - lint: 'modules[0] "github.com/git-lfs/git-lfs": version 2.1.1-0.20170519163204-f913f5f9c7c6 does not exist'
     - lint: 'modules[1] "github.com/git-lfs/git-lfs": packages[0] "github.com/git-lfs/git-lfs/lfsapi": at least one of vulnerable_at and skip_fix must be set'
     - lint: 'modules[1] "github.com/git-lfs/git-lfs": version 2.1.1-0.20170519163204-f913f5f9c7c6 does not exist'
+source:
+    id: GHSA-w4xh-w33p-4v29

internal/genericosv/testdata/yaml/GHSA-wx8q-rgfr-cf6v.yaml

@@ -29,3 +29,5 @@ references:
 notes:
     - lint: 'description: possible markdown formatting (found ### )'
     - lint: 'summary: too long (found 106 characters, want <=100)'
+source:
+    id: GHSA-wx8q-rgfr-cf6v

internal/genericosv/testdata/yaml/GHSA-xmg8-99r8-jc2j.yaml

@@ -74,3 +74,5 @@ notes:
     - lint: 'description: possible markdown formatting (found ### )'
     - lint: 'description: possible markdown formatting (found [discussions](https://github.com/argoproj/argo-cd/discussions))'
     - lint: 'modules[0] "github.com/argoproj/argo-cd": version 2.1.15 does not exist'
+source:
+    id: GHSA-xmg8-99r8-jc2j

internal/genericosv/testdata/yaml/GHSA-xx9w-464f-7h6f.yaml

@@ -45,3 +45,5 @@ notes:
     - lint: 'description: possible markdown formatting (found ### )'
     - lint: 'modules[0] "github.com/goharbor/harbor": version 1.0.0 does not exist'
     - lint: 'summary: too long (found 105 characters, want <=100)'
+source:
+    id: GHSA-xx9w-464f-7h6f

internal/report/cve.go

@@ -82,6 +82,9 @@ func cveToReport(c *cveschema.CVE, id, modulePath string) *Report {
 		Description: description,
 		Credits:     credits,
 		References:  refs,
+		Source: &Source{
+			ID: c.Metadata.ID,
+		},
 	}
 	r.addCVE(c.Metadata.ID, getCWE(c), isGoCNA(c))
 	return r
@@ -142,6 +145,9 @@ func cve5ToReport(c *cveschema5.CVERecord, id, modulePath string) *Report {
 		Description: description,
 		Credits:     credits,
 		References:  refs,
+		Source: &Source{
+			ID: c.Metadata.ID,
+		},
 	}
 
 	r.addCVE(c.Metadata.ID, getCWE5(&cna), isGoCNA5(&cna))

internal/report/ghsa.go

@@ -17,6 +17,9 @@ func GHSAToReport(sa *ghsa.SecurityAdvisory, modulePath string, pc *proxy.Client
 	r := &Report{
 		Summary:     Summary(sa.Summary),
 		Description: Description(sa.Description),
+		Source: &Source{
+			ID: sa.ID,
+		},
 	}
 	var cves, ghsas []string
 	for _, id := range sa.Identifiers {

internal/report/ghsa_test.go

@@ -58,6 +58,7 @@ func TestGHSAToReport(t *testing.T) {
 				GHSAs:       []string{"G1"},
 				CVEs:        []string{"C1"},
 				References:  []*Reference{{Type: "REPORT", URL: "https://github.com/permalink/to/issue/12345"}},
+				Source:      &Source{ID: "G1_blah"},
 			},
 		},
 		{
@@ -78,6 +79,7 @@ func TestGHSAToReport(t *testing.T) {
 				GHSAs:       []string{"G1"},
 				CVEs:        []string{"C1"},
 				References:  []*Reference{{Type: "REPORT", URL: "https://github.com/permalink/to/issue/12345"}},
+				Source:      &Source{ID: "G1_blah"},
 			},
 		},
 	} {

internal/report/report.go

@@ -238,6 +238,20 @@ type Report struct {
 	// creating the report, outstanding issues, or anything else worth
 	// mentioning.
 	Notes []*Note `yaml:",omitempty"`
+
+	// Metadata about how this report was generated.
+	// Not published to OSV.
+	Source *Source `yaml:",omitempty"`
+}
+
+const SourceGoTeam = "go-security-team"
+
+type Source struct {
+	// The ID (GHSA or CVE) of the original source of this report.
+	// If created by a human, this is "go-security-team".
+	ID string `yaml:",omitempty"`
+	// The time the original auto-generated report was created.
+	Created *time.Time `yaml:",omitempty"`
 }
 
 type Summary string

internal/report/testdata/cve/TestCVE5ToReport/CVE-2020-9283.txtar

@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
 Use of this source code is governed by a BSD-style
 license that can be found in the LICENSE file.
 
@@ -21,3 +21,5 @@ references:
     - web: https://lists.debian.org/debian-lts-announce/2020/11/msg00027.html
     - web: https://lists.debian.org/debian-lts-announce/2020/11/msg00031.html
     - web: https://lists.debian.org/debian-lts-announce/2023/06/msg00017.html
+source:
+    id: CVE-2020-9283

internal/report/testdata/cve/TestCVE5ToReport/CVE-2021-27919.txtar

@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
 Use of this source code is governed by a BSD-style
 license that can be found in the LICENSE file.
 
@@ -19,3 +19,5 @@ references:
     - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MU47VKTNXX33ZDLTI2ORRUY3KLJKU6G/
     - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HM7U5JNS5WU66Q3S26PFIU2ITB2ATTQ4/
     - web: https://security.gentoo.org/glsa/202208-02
+source:
+    id: CVE-2021-27919

internal/report/testdata/cve/TestCVE5ToReport/CVE-2021-3115.txtar

@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
 Use of this source code is governed by a BSD-style
 license that can be found in the LICENSE file.
 
@@ -20,3 +20,5 @@ references:
     - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/
     - web: https://security.netapp.com/advisory/ntap-20210219-0001/
     - web: https://security.gentoo.org/glsa/202208-02
+source:
+    id: CVE-2021-3115

internal/report/testdata/cve/TestCVE5ToReport/CVE-2022-39213.txtar

@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
 Use of this source code is governed by a BSD-style
 license that can be found in the LICENSE file.
 
@@ -22,3 +22,5 @@ references:
     - advisory: https://github.com/pandatix/go-cvss/security/advisories/GHSA-xhmf-mmv2-4hhx
     - fix: https://github.com/pandatix/go-cvss/commit/d9d478ff0c13b8b09ace030db9262f3c2fe031f4
     - web: https://github.com/pandatix/go-cvss/blob/master/SECURITY.md
+source:
+    id: CVE-2022-39213

internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-29407.txtar

@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
 Use of this source code is governed by a BSD-style
 license that can be found in the LICENSE file.
 
@@ -32,3 +32,5 @@ references:
 cve_metadata:
     id: CVE-2023-29407
     cwe: 'CWE-834: Excessive Iteration'
+source:
+    id: CVE-2023-29407

internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-44378.txtar

@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
 Use of this source code is governed by a BSD-style
 license that can be found in the LICENSE file.
 
@@ -22,3 +22,5 @@ references:
     - advisory: https://github.com/Consensys/gnark/security/advisories/GHSA-498w-5j49-vqjg
     - report: https://github.com/zkopru-network/zkopru/issues/116
     - fix: https://github.com/Consensys/gnark/commit/59a4087261a6c73f13e80d695c17b398c3d0934f
+source:
+    id: CVE-2023-44378

internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45141.txtar

@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
 Use of this source code is governed by a BSD-style
 license that can be found in the LICENSE file.
 
@@ -20,3 +20,5 @@ cves:
     - CVE-2023-45141
 references:
     - advisory: https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p
+source:
+    id: CVE-2023-45141

internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45283.txtar

@@ -1,4 +1,4 @@
-Copyright 2023 The Go Authors. All rights reserved.
+Copyright 2024 The Go Authors. All rights reserved.
 Use of this source code is governed by a BSD-style
 license that can be found in the LICENSE file.
 
@@ -84,3 +84,5 @@ references:
 cve_metadata:
     id: CVE-2023-45283
     cwe: 'CWE-41: Improper Resolution of Path Equivalence'
+source:
+    id: CVE-2023-45283