internal/{report, genericosv}: add optional types to report notes

Add an optional type field to report notes, to allow notes to be annotated
with which tool/process added them (e.g., "lint", "create".)

The notes field can be used by humans or tools to add metadata to a report
that will not be published in the OSV, but is meant as information for
the human triager.

Here it is used by the ToReport function (which converts GHSAs to YAML) to
add notes about errors or warnings that occurred while creating/linting the report,
and need to be fixed by a human.

Change-Id: I9cc37c37dac7171dfbac1af2c147cd491e1e6dbc
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/529837
Reviewed-by: Damien Neil <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>

internal/genericosv/report.go

@@ -29,42 +29,46 @@ func (osv *Entry) ToReport(goID string, pc *proxy.Client) *report.Report {
 		Summary:     osv.Summary,
 		Description: osv.Details,
 	}
-	addNote := func(note string) {
-		r.Notes = append(r.Notes, note)
-	}
 	addAlias := func(alias string) {
 		switch {
 		case cveschema5.IsCVE(alias):
 			r.CVEs = append(r.CVEs, alias)
 		case ghsa.IsGHSA(alias):
 			r.GHSAs = append(r.GHSAs, alias)
 		default:
-			addNote(fmt.Sprintf("create: found alias %s that is not a GHSA or CVE", alias))
+			r.Notes = append(r.Notes, &report.Note{
+				Body: fmt.Sprintf("found alias %s that is not a GHSA or CVE", alias),
+				Type: report.NoteTypeCreate,
+			})
 		}
 	}
 	addAlias(osv.ID)
 	for _, alias := range osv.Aliases {
 		addAlias(alias)
 	}
+
+	r.Modules = affectedToModules(osv.Affected, pc)
+
 	for _, ref := range osv.References {
 		r.References = append(r.References, convertRef(ref))
 	}
-	r.Modules = affectedToModules(osv.Affected, addNote, pc)
 	fixRefs(r)
+
 	r.Credits = convertCredits(osv.Credits)
 	r.Fix(pc)
 	if lints := r.Lint(pc); len(lints) > 0 {
 		slices.Sort(lints)
 		for _, lint := range lints {
-			addNote(fmt.Sprintf("lint: %s", lint))
+			r.Notes = append(r.Notes, &report.Note{
+				Body: lint,
+				Type: report.NoteTypeLint,
+			})
 		}
 	}
 	return r
 }
 
-type addNoteFunc func(string)
-
-func affectedToModules(as []osvschema.Affected, addNote addNoteFunc, pc *proxy.Client) []*report.Module {
+func affectedToModules(as []osvschema.Affected, pc *proxy.Client) []*report.Module {
 	var modules []*report.Module
 	for _, a := range as {
 		if a.Package.Ecosystem != osvschema.EcosystemGo {

internal/genericosv/report_test.go

@@ -349,17 +349,10 @@ func TestAffectedToModules(t *testing.T) {
 				t.Fatal(err)
 			}
 
-			var gotNotes []string
-			addNote := func(note string) {
-				gotNotes = append(gotNotes, note)
-			}
-			got := affectedToModules(tc.in, addNote, pc)
+			got := affectedToModules(tc.in, pc)
 			if diff := cmp.Diff(tc.want, got); diff != "" {
 				t.Errorf("%s: affectedToModules() mismatch (-want +got)\n%s", tc.desc, diff)
 			}
-			if len(gotNotes) > 0 {
-				t.Errorf("%s: affectedToModules() output unexpected notes = %s", tc.desc, gotNotes)
-			}
 		})
 
 	}

internal/genericosv/testdata/yaml/GHSA-33m6-q9v5-62r7.yaml

@@ -55,6 +55,6 @@ references:
     - web: https://bugzilla.redhat.com/show_bug.cgi?id=1954376
     - web: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488
 notes:
-    - 'lint: github.com/apptainer/sif: bad version "1.2.1-0.20180103161547-0ef6afb2f6cd": HTTP GET /github.com/apptainer/sif/@v/v1.2.1-0.20180103161547-0ef6afb2f6cd.mod returned status 404 Not Found'
-    - 'lint: github.com/satori/go.uuid: vulnerable_at version 1.2.0 is not inside vulnerable range'
-    - 'lint: references should contain at most one advisory link'
+    - lint: 'github.com/apptainer/sif: bad version "1.2.1-0.20180103161547-0ef6afb2f6cd": HTTP GET /github.com/apptainer/sif/@v/v1.2.1-0.20180103161547-0ef6afb2f6cd.mod returned status 404 Not Found'
+    - lint: 'github.com/satori/go.uuid: vulnerable_at version 1.2.0 is not inside vulnerable range'
+    - lint: references should contain at most one advisory link

internal/genericosv/testdata/yaml/GHSA-3hwm-922r-47hw.yaml

@@ -21,4 +21,4 @@ references:
     - web: https://github.com/42Atomys/stud42/issues/412
     - web: https://github.com/42Atomys/stud42/commit/a70bfc72fba721917bf681d72a58093fb9deee17
 notes:
-    - 'lint: atomys.codes/stud42: bad version "0.23.0": HTTP GET /atomys.codes/stud42/@v/v0.23.0.mod returned status 404 Not Found'
+    - lint: 'atomys.codes/stud42: bad version "0.23.0": HTTP GET /atomys.codes/stud42/@v/v0.23.0.mod returned status 404 Not Found'

internal/genericosv/testdata/yaml/GHSA-3wq5-3f56-v5xc.yaml

@@ -25,5 +25,5 @@ references:
     - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-1777
     - web: https://mattermost.com/security-updates/
 notes:
-    - 'lint: github.com/mattermost/mattermost-server/v6: bad version "7.1.6": github.com/mattermost/mattermost-server/[email protected]: invalid version: should be v6, not v7'
-    - 'lint: github.com/mattermost/mattermost-server: bad version "7.1.0": github.com/mattermost/[email protected]: invalid version: should be v0 or v1, not v7'
+    - lint: 'github.com/mattermost/mattermost-server/v6: bad version "7.1.6": github.com/mattermost/mattermost-server/[email protected]: invalid version: should be v6, not v7'
+    - lint: 'github.com/mattermost/mattermost-server: bad version "7.1.0": github.com/mattermost/[email protected]: invalid version: should be v0 or v1, not v7'

internal/genericosv/testdata/yaml/GHSA-54q4-74p3-mgcw.yaml

@@ -18,5 +18,5 @@ references:
     - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-38867
     - report: https://github.com/zhaojh329/rttys/issues/117
 notes:
-    - 'lint: github.com/zhaojh329/rttys: bad version "4.0.0": github.com/zhaojh329/[email protected]: invalid version: should be v0 or v1, not v4'
-    - 'lint: github.com/zhaojh329/rttys: version issue: 1 unsupported version(s)'
+    - lint: 'github.com/zhaojh329/rttys: bad version "4.0.0": github.com/zhaojh329/[email protected]: invalid version: should be v0 or v1, not v4'
+    - lint: 'github.com/zhaojh329/rttys: version issue: 1 unsupported version(s)'

internal/genericosv/testdata/yaml/GHSA-5m6c-jp6f-2vcv.yaml

@@ -21,5 +21,5 @@ references:
     - fix: https://github.com/oauth2-proxy/oauth2-proxy/commit/ee5662e0f5001d76ec76562bb605abbd07c266a2
     - web: https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v6.0.0
 notes:
-    - 'lint: github.com/oauth2-proxy/oauth2-proxy: bad version "5.1.1": github.com/oauth2-proxy/[email protected]: invalid version: should be v0 or v1, not v5'
-    - 'lint: references should contain at most one advisory link'
+    - lint: 'github.com/oauth2-proxy/oauth2-proxy: bad version "5.1.1": github.com/oauth2-proxy/[email protected]: invalid version: should be v0 or v1, not v5'
+    - lint: references should contain at most one advisory link

internal/genericosv/testdata/yaml/GHSA-627p-rr78-99rj.yaml

@@ -66,6 +66,6 @@ references:
     - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-5415
     - web: https://tanzu.vmware.com/security/cve-2020-5415
 notes:
-    - 'lint: github.com/concourse/concourse: bad version "6.3.0": github.com/concourse/[email protected]: invalid version: should be v0 or v1, not v6'
-    - 'lint: github.com/concourse/dex: bad version "6.3.0": github.com/concourse/[email protected]: invalid version: should be v0 or v1, not v6'
-    - 'lint: references should contain at most one advisory link'
+    - lint: 'github.com/concourse/concourse: bad version "6.3.0": github.com/concourse/[email protected]: invalid version: should be v0 or v1, not v6'
+    - lint: 'github.com/concourse/dex: bad version "6.3.0": github.com/concourse/[email protected]: invalid version: should be v0 or v1, not v6'
+    - lint: references should contain at most one advisory link

internal/genericosv/testdata/yaml/GHSA-66p8-j459-rq63.yaml

@@ -43,5 +43,5 @@ references:
     - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-25168
     - fix: https://github.com/pterodactyl/wings/commit/429ac62dba22997a278bc709df5ac00a5a25d83d
 notes:
-    - 'lint: references should contain at most one advisory link'
-    - 'lint: summary is too long: 131 characters (max 100)'
+    - lint: references should contain at most one advisory link
+    - lint: 'summary is too long: 131 characters (max 100)'

internal/genericosv/testdata/yaml/GHSA-69v6-xc2j-r2jf.yaml

@@ -40,6 +40,6 @@ references:
     - fix: https://github.com/ethereum/go-ethereum/commit/295693759e5ded05fec0b2fb39359965b60da785
     - web: https://blog.ethereum.org/2020/11/12/geth_security_release/
 notes:
-    - 'lint: github.com/ethereum/go-ethereum: bad version "1.19.7": HTTP GET /github.com/ethereum/go-ethereum/@v/v1.19.7.mod returned status 404 Not Found'
-    - 'lint: github.com/ethereum/go-ethereum: missing skip_fix and vulnerable_at: "github.com/ethereum/go-ethereum/core/vm"'
-    - 'lint: references should contain at most one advisory link'
+    - lint: 'github.com/ethereum/go-ethereum: bad version "1.19.7": HTTP GET /github.com/ethereum/go-ethereum/@v/v1.19.7.mod returned status 404 Not Found'
+    - lint: 'github.com/ethereum/go-ethereum: missing skip_fix and vulnerable_at: "github.com/ethereum/go-ethereum/core/vm"'
+    - lint: references should contain at most one advisory link

internal/genericosv/testdata/yaml/GHSA-6rg3-8h8x-5xfv.yaml

@@ -28,4 +28,4 @@ ghsas:
 references:
     - advisory: https://github.com/pterodactyl/wings/security/advisories/GHSA-6rg3-8h8x-5xfv
 notes:
-    - 'lint: summary is too long: 110 characters (max 100)'
+    - lint: 'summary is too long: 110 characters (max 100)'

internal/genericosv/testdata/yaml/GHSA-7943-82jg-wmw5.yaml

@@ -128,5 +128,5 @@ references:
     - web: https://github.com/argoproj/argo-cd/releases/tag/v2.3.6
     - web: https://github.com/argoproj/argo-cd/releases/tag/v2.4.5
 notes:
-    - 'lint: github.com/argoproj/argo-cd: bad version "2.2.11": github.com/argoproj/[email protected]: invalid version: should be v0 or v1, not v2'
-    - 'lint: references should contain at most one advisory link'
+    - lint: 'github.com/argoproj/argo-cd: bad version "2.2.11": github.com/argoproj/[email protected]: invalid version: should be v0 or v1, not v2'
+    - lint: references should contain at most one advisory link

internal/genericosv/testdata/yaml/GHSA-7fxj-fr3v-r9gj.yaml

@@ -24,5 +24,5 @@ references:
     - web: https://advisory.dw1.io/45
     - web: https://huntr.dev/bounties/120f1346-e958-49d0-b66c-0f889a469540
 notes:
-    - 'lint: github.com/pingcap/tidb: bad version "6.2.0": github.com/pingcap/[email protected]: invalid version: should be v0 or v1, not v6'
-    - 'lint: github.com/pingcap/tidb: version issue: 2 unsupported version(s)'
+    - lint: 'github.com/pingcap/tidb: bad version "6.2.0": github.com/pingcap/[email protected]: invalid version: should be v0 or v1, not v6'
+    - lint: 'github.com/pingcap/tidb: version issue: 2 unsupported version(s)'

internal/genericosv/testdata/yaml/GHSA-9689-rx4v-cqgc.yaml

@@ -25,5 +25,5 @@ references:
     - web: https://github.com/concourse/concourse/blob/release/5.2.x/release-notes/v5.2.8.md
     - web: https://pivotal.io/security/cve-2018-15798
 notes:
-    - 'lint: github.com/concourse/concourse: bad version "5.2.8": github.com/concourse/[email protected]: invalid version: should be v0 or v1, not v5'
-    - 'lint: github.com/concourse/concourse: missing skip_fix and vulnerable_at: "github.com/concourse/concourse/skymarshal/skyserver"'
+    - lint: 'github.com/concourse/concourse: bad version "5.2.8": github.com/concourse/[email protected]: invalid version: should be v0 or v1, not v5'
+    - lint: 'github.com/concourse/concourse: missing skip_fix and vulnerable_at: "github.com/concourse/concourse/skymarshal/skyserver"'

internal/genericosv/testdata/yaml/GHSA-cf7g-cm7q-rq7f.yaml

@@ -19,5 +19,5 @@ references:
     - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-39220
     - fix: https://github.com/drakkan/sftpgo/commit/cbef217cfa92478ee8e00ba1a5fb074f8a8aeee0
 notes:
-    - 'lint: github.com/drakkan/sftpgo: bad version "2.3.5": github.com/drakkan/[email protected]: invalid version: should be v0 or v1, not v2'
-    - 'lint: references should contain at most one advisory link'
+    - lint: 'github.com/drakkan/sftpgo: bad version "2.3.5": github.com/drakkan/[email protected]: invalid version: should be v0 or v1, not v2'
+    - lint: references should contain at most one advisory link

internal/genericosv/testdata/yaml/GHSA-fv82-r8qv-ch4v.yaml

@@ -36,4 +36,4 @@ references:
     - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-29652
     - fix: https://github.com/pomerium/pomerium/pull/2048
 notes:
-    - 'lint: references should contain at most one advisory link'
+    - lint: references should contain at most one advisory link

internal/genericosv/testdata/yaml/GHSA-g5gj-9ggf-9vmq.yaml

@@ -25,4 +25,4 @@ references:
     - web: https://github.com/cloudflare/cfrpki/releases/tag/v1.4.0
     - web: https://www.debian.org/security/2022/dsa-5041
 notes:
-    - 'lint: references should contain at most one advisory link'
+    - lint: references should contain at most one advisory link

internal/genericosv/testdata/yaml/GHSA-g9wh-3vrx-r7hg.yaml

@@ -24,4 +24,4 @@ references:
     - fix: https://github.com/cloudflare/cfrpki/commit/648658b1b176a747b52645989cfddc73a81eacad
     - web: https://www.debian.org/security/2022/dsa-5041
 notes:
-    - 'lint: references should contain at most one advisory link'
+    - lint: references should contain at most one advisory link

internal/genericosv/testdata/yaml/GHSA-hjv9-hm2f-rpcj.yaml

@@ -30,4 +30,4 @@ references:
     - web: https://grafana.com/security/security-advisories/cve-2023-0507/
     - web: https://security.netapp.com/advisory/ntap-20230413-0001/
 notes:
-    - 'lint: github.com/grafana/grafana: bad version "8.1.0": github.com/grafana/[email protected]: invalid version: should be v0 or v1, not v8'
+    - lint: 'github.com/grafana/grafana: bad version "8.1.0": github.com/grafana/[email protected]: invalid version: should be v0 or v1, not v8'

internal/genericosv/testdata/yaml/GHSA-hmfx-3pcx-653p.yaml

@@ -71,4 +71,4 @@ references:
     - web: https://github.com/containerd/containerd/releases/tag/v1.6.18
     - web: https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
 notes:
-    - 'lint: references should contain at most one advisory link'
+    - lint: references should contain at most one advisory link

internal/genericosv/testdata/yaml/GHSA-hv53-vf5m-8q94.yaml

@@ -53,4 +53,4 @@ references:
     - advisory: https://github.com/personnummer/go/security/advisories/GHSA-hv53-vf5m-8q94
     - web: https://pkg.go.dev/github.com/personnummer/go
 notes:
-    - 'lint: github.com/personnummer/go: bad version "3.0.1": github.com/personnummer/[email protected]: invalid version: should be v0 or v1, not v3'
+    - lint: 'github.com/personnummer/go: bad version "3.0.1": github.com/personnummer/[email protected]: invalid version: should be v0 or v1, not v3'

internal/genericosv/testdata/yaml/GHSA-jmp2-wc4p-wfh2.yaml

@@ -59,5 +59,5 @@ references:
     - web: https://github.com/mutagen-io/mutagen/releases/tag/v0.16.6
     - web: https://github.com/mutagen-io/mutagen/releases/tag/v0.17.1
 notes:
-    - 'lint: references should contain at most one advisory link'
-    - 'lint: summary is too long: 111 characters (max 100)'
+    - lint: references should contain at most one advisory link
+    - lint: 'summary is too long: 111 characters (max 100)'

internal/genericosv/testdata/yaml/GHSA-pg5p-wwp8-97g8.yaml

@@ -61,6 +61,6 @@ references:
     - advisory: https://github.com/cilium/cilium/security/advisories/GHSA-pg5p-wwp8-97g8
     - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-29002
 notes:
-    - 'lint: github.com/cilium/cilium: version issue: 1 unsupported version(s)'
-    - 'lint: github.com/cilium/cilium: version issue: introduced and fixed versions must alternate'
-    - 'lint: references should contain at most one advisory link'
+    - lint: 'github.com/cilium/cilium: version issue: 1 unsupported version(s)'
+    - lint: 'github.com/cilium/cilium: version issue: introduced and fixed versions must alternate'
+    - lint: references should contain at most one advisory link

internal/genericosv/testdata/yaml/GHSA-pmfr-63c2-jr5c.yaml

@@ -68,5 +68,5 @@ references:
     - web: http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html
     - web: http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00053.html
 notes:
-    - 'lint: github.com/sylabs/singularity: bad version "3.6.0": github.com/sylabs/[email protected]: invalid version: should be v0 or v1, not v3'
-    - 'lint: references should contain at most one advisory link'
+    - lint: 'github.com/sylabs/singularity: bad version "3.6.0": github.com/sylabs/[email protected]: invalid version: should be v0 or v1, not v3'
+    - lint: references should contain at most one advisory link

internal/genericosv/testdata/yaml/GHSA-w4xh-w33p-4v29.yaml

@@ -28,6 +28,6 @@ references:
     - web: http://blog.recurity-labs.com/2017-08-10/scm-vulns
     - web: http://www.securityfocus.com/bid/102926
 notes:
-    - 'lint: github.com/git-lfs/git-lfs: bad version "2.1.1-0.20170519163204-f913f5f9c7c6": github.com/git-lfs/[email protected]: invalid version: should be v0 or v1, not v2'
-    - 'lint: github.com/git-lfs/git-lfs: bad version "2.1.1-0.20170519163204-f913f5f9c7c6": github.com/git-lfs/[email protected]: invalid version: should be v0 or v1, not v2'
-    - 'lint: github.com/git-lfs/git-lfs: missing skip_fix and vulnerable_at: "github.com/git-lfs/git-lfs/lfsapi"'
+    - lint: 'github.com/git-lfs/git-lfs: bad version "2.1.1-0.20170519163204-f913f5f9c7c6": github.com/git-lfs/[email protected]: invalid version: should be v0 or v1, not v2'
+    - lint: 'github.com/git-lfs/git-lfs: bad version "2.1.1-0.20170519163204-f913f5f9c7c6": github.com/git-lfs/[email protected]: invalid version: should be v0 or v1, not v2'
+    - lint: 'github.com/git-lfs/git-lfs: missing skip_fix and vulnerable_at: "github.com/git-lfs/git-lfs/lfsapi"'

internal/genericosv/testdata/yaml/GHSA-wx8q-rgfr-cf6v.yaml

@@ -28,5 +28,5 @@ references:
     - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-22565
     - web: https://github.com/google/exposure-notifications-verification-server/releases/tag/v1.1.2
 notes:
-    - 'lint: references should contain at most one advisory link'
-    - 'lint: summary is too long: 106 characters (max 100)'
+    - lint: references should contain at most one advisory link
+    - lint: 'summary is too long: 106 characters (max 100)'

internal/genericosv/testdata/yaml/GHSA-xmg8-99r8-jc2j.yaml

@@ -72,5 +72,5 @@ references:
     - web: https://github.com/argoproj/argo-cd/releases/tag/v2.2.9
     - web: https://github.com/argoproj/argo-cd/releases/tag/v2.3.4
 notes:
-    - 'lint: github.com/argoproj/argo-cd: bad version "2.1.15": github.com/argoproj/[email protected]: invalid version: should be v0 or v1, not v2'
-    - 'lint: references should contain at most one advisory link'
+    - lint: 'github.com/argoproj/argo-cd: bad version "2.1.15": github.com/argoproj/[email protected]: invalid version: should be v0 or v1, not v2'
+    - lint: references should contain at most one advisory link

internal/genericosv/testdata/yaml/GHSA-xx9w-464f-7h6f.yaml

@@ -42,4 +42,4 @@ ghsas:
 references:
     - advisory: https://github.com/goharbor/harbor/security/advisories/GHSA-xx9w-464f-7h6f
 notes:
-    - 'lint: github.com/goharbor/harbor: bad version "1.0.0": HTTP GET /github.com/goharbor/harbor/@v/v1.0.0.mod returned status 404 Not Found'
+    - lint: 'github.com/goharbor/harbor: bad version "1.0.0": HTTP GET /github.com/goharbor/harbor/@v/v1.0.0.mod returned status 404 Not Found'

internal/report/report.go

@@ -102,13 +102,13 @@ var ExcludedReasons = []ExcludedReason{
 // single-element mapping of type to URL.
 type Reference osv.Reference
 
-func (r *Reference) MarshalYAML() (interface{}, error) {
+func (r *Reference) MarshalYAML() (any, error) {
 	return map[string]string{
 		strings.ToLower(string(r.Type)): r.URL,
 	}, nil
 }
 
-func (r *Reference) UnmarshalYAML(n *yaml.Node) (err error) {
+func (r *Reference) UnmarshalYAML(n *yaml.Node) error {
 	if n.Kind != yaml.MappingNode || len(n.Content) != 2 || n.Content[0].Kind != yaml.ScalarNode || n.Content[1].Kind != yaml.ScalarNode {
 		return &yaml.TypeError{Errors: []string{
 			fmt.Sprintf("line %d: report.Reference must contain a mapping with one value", n.Line),
@@ -119,6 +119,50 @@ func (r *Reference) UnmarshalYAML(n *yaml.Node) (err error) {
 	return nil
 }
 
+// A Note is a note about the report.
+// May be typed or untyped (with Type left blank).
+type Note struct {
+	Body string
+	Type NoteType
+}
+
+type NoteType string
+
+const (
+	NoteTypeNone   NoteType = ""
+	NoteTypeLint   NoteType = "LINT"
+	NoteTypeFix    NoteType = "FIX"
+	NoteTypeCreate NoteType = "CREATE"
+)
+
+func (n *Note) MarshalYAML() (any, error) {
+	if n.Type == NoteTypeNone {
+		return n.Body, nil
+	}
+	return map[string]string{
+		strings.ToLower(string(n.Type)): n.Body,
+	}, nil
+}
+
+func (n *Note) UnmarshalYAML(node *yaml.Node) error {
+	// Handle untyped notes.
+	if node.Kind == yaml.ScalarNode {
+		n.Type = NoteTypeNone
+		n.Body = node.Value
+		return nil
+	}
+
+	// Handle typed notes.
+	if node.Kind != yaml.MappingNode || len(node.Content) != 2 || node.Content[0].Kind != yaml.ScalarNode || node.Content[1].Kind != yaml.ScalarNode {
+		return &yaml.TypeError{Errors: []string{
+			fmt.Sprintf("line %d: typed Note must contain a mapping with one value", node.Line),
+		}}
+	}
+	n.Type = NoteType(strings.ToUpper(node.Content[0].Value))
+	n.Body = node.Content[1].Value
+	return nil
+}
+
 // Report represents a vulnerability report in the vulndb.
 // Remember to update doc/format.md when this structure changes.
 type Report struct {
@@ -153,11 +197,11 @@ type Report struct {
 	// to fill in the ID string.
 	CVEMetadata *CVEMeta `yaml:"cve_metadata,omitempty"`
 
-	// Freeform notes about the report. This field is ignored when creating
+	// Notes about the report. This field is ignored when creating
 	// OSV and CVE records. It can be used to document decisions made when
 	// creating the report, outstanding issues, or anything else worth
 	// mentioning.
-	Notes []string `yaml:",omitempty"`
+	Notes []*Note `yaml:",omitempty"`
 }
 
 // GoCVE returns the CVE assigned to this report by the Go CNA,