cmd/vulnreport: auto-populate cve_metadata for first-party reports

For first-party reports where we have assigned our own CVE, auto-populate "cve_metadata" instead of "cves". Change-Id: Ifa23ece087f03a294e07ba4fba4267a0de890431 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/596179 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com>
golang · Jul 9, 2024 · 7c2244f · 7c2244f
1 parent 6155dc5
commit 7c2244f
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 26 deletions.
diff --git a/cmd/vulnreport/creator.go b/cmd/vulnreport/creator.go
@@ -105,13 +105,22 @@ func (c *creator) reportFromIssue(ctx context.Context, iss *issues.Issue) error
 		modulePath:   modulePath(iss),
 		aliases:      aliases(iss),
 		reviewStatus: reviewStatusOf(iss, c.reviewStatus),
+		originalCVE:  originalCVE(iss),
 	})
 	if err != nil {
 		return err
 	}
 	return c.write(ctx, r)
 }
 
+func originalCVE(iss *issues.Issue) string {
+	aliases := aliases(iss)
+	if iss.HasLabel(labelFirstParty) && len(aliases) == 1 && idstr.IsCVE(aliases[0]) {
+		return aliases[0]
+	}
+	return ""
+}
+
 func reviewStatusOf(iss *issues.Issue, reviewStatus report.ReviewStatus) report.ReviewStatus {
 	d := defaultReviewStatus(iss)
 	// If a valid review status is provided, it overrides the priority label.
@@ -134,25 +143,33 @@ func defaultReviewStatus(iss *issues.Issue) report.ReviewStatus {
 	return report.Unreviewed
 }
 
+func (c *creator) metaToSource(ctx context.Context, meta *reportMeta) report.Source {
+	if cveID := meta.originalCVE; cveID != "" {
+		log.Infof("%s: creating original report for Go-CNA-assigned %s", meta.id, cveID)
+		return report.OriginalCVE(cveID)
+	}
+
+	if src := c.sourceFromBestAlias(ctx, meta.aliases, *preferCVE); src != nil {
+		log.Infof("%s: picked %s as best source alias (from [%s])", meta.id, src.SourceID(),
+			strings.Join(meta.aliases, ", "))
+		return src
+	}
+
+	log.Infof("%s: no suitable alias found, creating basic report", meta.id)
+	return report.Original()
+}
+
 func (c *creator) reportFromMeta(ctx context.Context, meta *reportMeta) (*yamlReport, error) {
 	// Find the underlying module if the "module" provided is actually a package path.
 	if module, err := c.pc.FindModule(meta.modulePath); err == nil { // no error
 		meta.modulePath = module
 	}
+	meta.aliases = c.allAliases(ctx, meta.aliases)
 
-	var src report.Source
-	aliases := c.allAliases(ctx, meta.aliases)
-	src, ok := c.sourceFromBestAlias(ctx, aliases, *preferCVE)
-	if ok {
-		log.Infof("%s: picked %s as best source alias (from [%s])", meta.id, src.SourceID(), strings.Join(aliases, ", "))
-	} else {
-		log.Infof("%s: no suitable alias found, creating basic report", meta.id)
-	}
-
-	raw := report.New(src, c.pc,
+	raw := report.New(c.metaToSource(ctx, meta), c.pc,
 		report.WithGoID(meta.id),
 		report.WithModulePath(meta.modulePath),
-		report.WithAliases(aliases),
+		report.WithAliases(meta.aliases),
 		report.WithReviewStatus(meta.reviewStatus),
 		report.WithUnexcluded(meta.unexcluded),
 	)
@@ -296,6 +313,7 @@ type reportMeta struct {
 	aliases              []string
 	excluded, unexcluded report.ExcludedReason
 	reviewStatus         report.ReviewStatus
+	originalCVE          string
 }
 
 const todo = "TODO: "
@@ -348,9 +366,12 @@ func addTODOs(r *yamlReport) {
 	if len(r.Credits) == 0 {
 		r.Credits = []string{todo + "who discovered/reported this vulnerability (optional)"}
 	}
-	if len(r.CVEs) == 0 {
+	if r.CVEMetadata == nil && len(r.CVEs) == 0 {
 		r.CVEs = []string{todo + "CVE id(s) for this vulnerability"}
 	}
+	if r.CVEMetadata != nil && r.CVEMetadata.CWE == "" {
+		r.CVEMetadata.CWE = todo + "CWE ID"
+	}
 	addReferenceTODOs(r)
 }
 

diff --git a/cmd/vulnreport/find_aliases.go b/cmd/vulnreport/find_aliases.go
@@ -124,36 +124,31 @@ func aliasesForCVE(ctx context.Context, cve string, gc ghsaClient) (aliases []st
 // By default, it prefers the first GHSA in the list, followed by the first CVE in the list
 // (if no GHSA is present).
 // If "preferCVE" is true, it prefers CVEs instead.
-func (af *aliasFinder) sourceFromBestAlias(ctx context.Context, aliases []string, preferCVE bool) (report.Source, bool) {
+func (af *aliasFinder) sourceFromBestAlias(ctx context.Context, aliases []string, preferCVE bool) report.Source {
 	firstChoice := idstr.IsGHSA
 	secondChoice := idstr.IsCVE
 	if preferCVE {
 		firstChoice, secondChoice = secondChoice, firstChoice
 	}
 
-	find := func(f func(string) bool) (report.Source, bool) {
+	find := func(f func(string) bool) report.Source {
 		for _, alias := range aliases {
 			if f(alias) {
 				src, err := af.fetch(ctx, alias)
 				if err != nil {
 					log.Warnf("could not fetch record for preferred alias %s: %v", alias, err)
 					continue
 				}
-				return src, true
+				return src
 			}
 		}
-		return nil, false
+		return nil
 	}
 
-	if src, found := find(firstChoice); found {
-		return src, true
+	if src := find(firstChoice); src != nil {
+		return src
 	}
-
-	if src, found := find(secondChoice); found {
-		return src, true
-	}
-
-	return report.Original(), false
+	return find(secondChoice)
 }
 
 func (a *aliasFinder) fetch(ctx context.Context, alias string) (report.Source, error) {

diff --git a/internal/report/new.go b/internal/report/new.go
@@ -136,21 +136,32 @@ func newCfg(opts []NewOption) *cfg {
 //
 // This is used for standard library & toolchain reports, or in cases where the
 // source report cannot be retrieved automatically.
-type original struct{}
+type original struct {
+	cveID string // the Go-CNA-assigned CVE for this report, if applicable
+}
 
 var _ Source = &original{}
 
 func Original() Source {
 	return &original{}
 }
 
-func (original) ToReport(modulePath string) *Report {
+func OriginalCVE(cveID string) Source {
+	return &original{cveID: cveID}
+}
+
+func (o *original) ToReport(modulePath string) *Report {
+	var cveMeta *CVEMeta
+	if o.cveID != "" {
+		cveMeta = &CVEMeta{ID: o.cveID}
+	}
 	return &Report{
 		Modules: []*Module{
 			{
 				Module: modulePath,
 			},
 		},
+		CVEMetadata: cveMeta,
 	}
 }