internal/report: fallback to package in GHSAToReport

If no module name is provided to GHSAToReport, use the name of the
package instead of adding a TODO.

Change-Id: I77c72391e4045de3e7f940bdc138351b562db4a3
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/459841
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Tim King <taking@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>

Author: tatianab

internal/report/ghsa.go

@@ -27,10 +27,10 @@ func GHSAToReport(sa *ghsa.SecurityAdvisory, modulePath string) *Report {
 	}
 	r.CVEs = cves
 	r.GHSAs = ghsas
-	if modulePath == "" {
-		modulePath = "TODO"
-	}
 	for _, v := range sa.Vulns {
+		if modulePath == "" {
+			modulePath = v.Package
+		}
 		m := &Module{
 			Module:   modulePath,
 			Versions: versions(v.EarliestFixedVersion, v.VulnerableVersionRange),

internal/report/ghsa_test.go

@@ -26,24 +26,55 @@ func TestGHSAToReport(t *testing.T) {
 			VulnerableVersionRange: "< 1.2.3",
 		}},
 	}
-	got := GHSAToReport(sa, "aModule")
-	want := &Report{
-		Modules: []*Module{{
-			Module: "aModule",
-			Versions: []VersionRange{
-				{Fixed: "1.2.3"},
+	for _, test := range []struct {
+		name   string
+		module string
+		want   *Report
+	}{
+		{
+			name:   "module provided",
+			module: "aModule",
+			want: &Report{
+				Modules: []*Module{{
+					Module: "aModule",
+					Versions: []VersionRange{
+						{Fixed: "1.2.3"},
+					},
+					Packages: []*Package{{
+						Package: "aPackage",
+					}},
+				}},
+				Description: "a description",
+				GHSAs:       []string{"G1"},
+				CVEs:        []string{"C1"},
 			},
-			Packages: []*Package{{
-				Package: "aPackage",
-			}},
-		}},
-		Description: "a description",
-		GHSAs:       []string{"G1"},
-		CVEs:        []string{"C1"},
-	}
-
-	if diff := cmp.Diff(*got, *want); diff != "" {
-		t.Errorf("mismatch (-want, +got):\n%s", diff)
+		},
+		{
+			name:   "empty module uses package",
+			module: "",
+			want: &Report{
+				Modules: []*Module{{
+					Module: "aPackage",
+					Versions: []VersionRange{
+						{Fixed: "1.2.3"},
+					},
+					Packages: []*Package{{
+						Package: "aPackage",
+					}},
+				}},
+				Description: "a description",
+				GHSAs:       []string{"G1"},
+				CVEs:        []string{"C1"},
+			},
+		},
+	} {
+		test := test
+		t.Run(test.name, func(t *testing.T) {
+			got := GHSAToReport(sa, test.module)
+			if diff := cmp.Diff(*got, *test.want); diff != "" {
+				t.Errorf("mismatch (-want, +got):\n%s", diff)
+			}
+		})
 	}
 }
 func TestParseVulnRange(t *testing.T) {

internal/worker/worker_test.go

@@ -310,7 +310,7 @@ See [doc/triage.md](https://github.com/golang/vulndb/blob/master/doc/triage.md)
 
 ` + "```" + `
 modules:
-  - module: TODO
+  - module: aPackage
     versions:
       - fixed: 1.2.3
     packages: