internal/report: add function report.AddAliases

Change-Id: I37a7ba7050902c3971159c32e5b0ea1a878cc16f Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/530596 LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Damien Neil <[email protected]>
golang · Oct 10, 2023 · 4a6d9fe · 4a6d9fe
1 parent d2dd606
commit 4a6d9fe
Show file tree

Hide file tree

Showing 2 changed files with 90 additions and 4 deletions.
diff --git a/internal/report/report.go b/internal/report/report.go
@@ -17,7 +17,10 @@ import (
 	"strings"
 	"time"
 
+	"golang.org/x/exp/slices"
+	"golang.org/x/vulndb/internal/cveschema5"
 	"golang.org/x/vulndb/internal/derrors"
+	"golang.org/x/vulndb/internal/ghsa"
 	"golang.org/x/vulndb/internal/osv"
 	"golang.org/x/vulndb/internal/proxy"
 	"gopkg.in/yaml.v3"
@@ -168,19 +171,48 @@ func (r *Report) GoCVE() string {
 
 // AllCVEs returns all CVE IDs for a report.
 func (r *Report) AllCVEs() []string {
+	all := slices.Clone(r.CVEs)
 	if goCVE := r.GoCVE(); goCVE != "" {
-		// TODO(https://go.dev/issue/61184): If we allow both cve and
-		// cve_metadata to be populated, this needs to be updated.
-		return []string{goCVE}
+		all = append(all, goCVE)
 	}
-	return r.CVEs
+	return all
 }
 
 // Aliases returns all aliases (e.g., CVEs, GHSAs) for a report.
 func (r *Report) Aliases() []string {
 	return append(r.AllCVEs(), r.GHSAs...)
 }
 
+// AddAliases adds any GHSAs and CVEs in aliases that were not
+// already present to the report.
+func (r *Report) AddAliases(aliases []string) (added int) {
+	original := make(map[string]bool)
+	for _, alias := range r.Aliases() {
+		original[alias] = true
+	}
+
+	for _, alias := range aliases {
+		switch {
+		case original[alias]:
+			continue
+		case ghsa.IsGHSA(alias):
+			r.GHSAs = append(r.GHSAs, alias)
+		case cveschema5.IsCVE(alias):
+			r.CVEs = append(r.CVEs, alias)
+		default:
+			continue // skip aliases that are not CVEs or GHSAs
+		}
+		added++
+	}
+
+	if added > 0 {
+		slices.Sort(r.GHSAs)
+		slices.Sort(r.CVEs)
+	}
+
+	return added
+}
+
 const (
 	NISTPrefix    = "https://nvd.nist.gov/vuln/detail/"
 	ghsaURLPrefix = "https://github.com/advisories/"

diff --git a/internal/report/report_test.go b/internal/report/report_test.go
@@ -95,3 +95,57 @@ func TestParseFilepath(t *testing.T) {
 		t.Errorf("ParseFilepath(%s) returned incorrect filename: want %d, got %d", filepath, wantIssueID, gotIssueID)
 	}
 }
+
+func TestAddAliases(t *testing.T) {
+	tests := []struct {
+		name       string
+		report     *Report
+		aliases    []string
+		want       int
+		wantReport *Report
+	}{
+		{
+			name: "add",
+			report: &Report{
+				CVEs: []string{"CVE-2023-0002"},
+			},
+			aliases: []string{"CVE-2023-0001", "CVE-2023-0002", "GHSA-aaaa-bbbb-cccc"},
+			want:    2,
+			wantReport: &Report{
+				CVEs:  []string{"CVE-2023-0001", "CVE-2023-0002"},
+				GHSAs: []string{"GHSA-aaaa-bbbb-cccc"},
+			},
+		},
+		{
+			name: "no_change",
+			report: &Report{
+				CVEs:  []string{"CVE-2023-0001"},
+				GHSAs: []string{"GHSA-aaaa-bbbb-cccc"},
+				CVEMetadata: &CVEMeta{
+					ID: "CVE-2023-0002",
+				},
+			},
+			aliases: []string{"CVE-2023-0001", "CVE-2023-0002", "GHSA-aaaa-bbbb-cccc"},
+			want:    0,
+			wantReport: &Report{
+				CVEs:  []string{"CVE-2023-0001"},
+				GHSAs: []string{"GHSA-aaaa-bbbb-cccc"},
+				CVEMetadata: &CVEMeta{
+					ID: "CVE-2023-0002",
+				},
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			gotAdded := test.report.AddAliases(test.aliases)
+			if gotAdded != test.want {
+				t.Errorf("AddAliases(%v) = %v, want %v", test.aliases, gotAdded, test.want)
+			}
+			if diff := cmp.Diff(test.wantReport, test.report); diff != "" {
+				t.Errorf("AddAliases(%v) report mismatch: (-want, +got):\n%s", test.aliases, diff)
+			}
+		})
+	}
+}