From bc2ff59a349f87d516f3d834e96128b6c53558f3 Mon Sep 17 00:00:00 2001 
From: Tatiana Bradley Date: Wed, 20 Sep 2023 13:25:10 -0400 Subject: [PATCH] internal/{report, genericosv}: add optional types to report notes Add an optional type field to report notes, to allow notes to be annotated with which tool/process added them (e.g., "lint", "create".) The notes field can be used by humans or tools to add metadata to a report that will not be published in the OSV, but is meant as information for the human triager. Here it is used by the ToReport function (which converts GHSAs to YAML) to add notes about errors or warnings that occurred while creating/linting the report, and need to be fixed by a human. Change-Id: I9cc37c37dac7171dfbac1af2c147cd491e1e6dbc Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/529837 Reviewed-by: Damien Neil LUCI-TryBot-Result: Go LUCI --- internal/genericosv/report.go | 22 ++++---- internal/genericosv/report_test.go | 9 +--- .../testdata/yaml/GHSA-33m6-q9v5-62r7.yaml | 6 +-- .../testdata/yaml/GHSA-3hwm-922r-47hw.yaml | 2 +- .../testdata/yaml/GHSA-3wq5-3f56-v5xc.yaml | 4 +- .../testdata/yaml/GHSA-54q4-74p3-mgcw.yaml | 4 +- .../testdata/yaml/GHSA-5m6c-jp6f-2vcv.yaml | 4 +- .../testdata/yaml/GHSA-627p-rr78-99rj.yaml | 6 +-- .../testdata/yaml/GHSA-66p8-j459-rq63.yaml | 4 +- .../testdata/yaml/GHSA-69v6-xc2j-r2jf.yaml | 6 +-- .../testdata/yaml/GHSA-6rg3-8h8x-5xfv.yaml | 2 +- .../testdata/yaml/GHSA-7943-82jg-wmw5.yaml | 4 +- .../testdata/yaml/GHSA-7fxj-fr3v-r9gj.yaml | 4 +- .../testdata/yaml/GHSA-9689-rx4v-cqgc.yaml | 4 +- .../testdata/yaml/GHSA-cf7g-cm7q-rq7f.yaml | 4 +- .../testdata/yaml/GHSA-fv82-r8qv-ch4v.yaml | 2 +- .../testdata/yaml/GHSA-g5gj-9ggf-9vmq.yaml | 2 +- .../testdata/yaml/GHSA-g9wh-3vrx-r7hg.yaml | 2 +- .../testdata/yaml/GHSA-hjv9-hm2f-rpcj.yaml | 2 +- .../testdata/yaml/GHSA-hmfx-3pcx-653p.yaml | 2 +- .../testdata/yaml/GHSA-hv53-vf5m-8q94.yaml | 2 +- .../testdata/yaml/GHSA-jmp2-wc4p-wfh2.yaml | 4 +- .../testdata/yaml/GHSA-pg5p-wwp8-97g8.yaml | 6 +-- .../testdata/yaml/GHSA-pmfr-63c2-jr5c.yaml | 
4 +- .../testdata/yaml/GHSA-w4xh-w33p-4v29.yaml | 6 +-- .../testdata/yaml/GHSA-wx8q-rgfr-cf6v.yaml | 4 +- .../testdata/yaml/GHSA-xmg8-99r8-jc2j.yaml | 4 +- .../testdata/yaml/GHSA-xx9w-464f-7h6f.yaml | 2 +- internal/report/report.go | 52 +++++++++++++++++-- 29 files changed, 110 insertions(+), 69 deletions(-)
diff --git a/internal/genericosv/report.go b/internal/genericosv/report.go
index aa8a4a5a..2c6bc4ee 100644
--- a/internal/genericosv/report.go
+++ b/internal/genericosv/report.go
@@ -29,9 +29,6 @@ func (osv *Entry) ToReport(goID string, pc *proxy.Client) *report.Report {
 Summary: osv.Summary,
 Description: osv.Details,
 }
- addNote := func(note string) {
- r.Notes = append(r.Notes, note)
- }
 addAlias := func(alias string) {
 switch {
 case cveschema5.IsCVE(alias):
@@ -39,32 +36,39 @@ func (osv *Entry) ToReport(goID string, pc *proxy.Client) *report.Report { case ghsa.IsGHSA(alias): r.GHSAs = append(r.GHSAs, alias) default: - addNote(fmt.Sprintf("create: found alias %s that is not a GHSA or CVE", alias)) + r.Notes = append(r.Notes, &report.Note{ + Body: fmt.Sprintf("found alias %s that is not a GHSA or CVE", alias), + Type: report.NoteTypeCreate, + }) } } addAlias(osv.ID) for _, alias := range osv.Aliases { addAlias(alias) } + + r.Modules = affectedToModules(osv.Affected, pc) + for _, ref := range osv.References { r.References = append(r.References, convertRef(ref)) } - r.Modules = affectedToModules(osv.Affected, addNote, pc) fixRefs(r) + r.Credits = convertCredits(osv.Credits) r.Fix(pc) if lints := r.Lint(pc); len(lints) > 0 { slices.Sort(lints) for _, lint := range lints { - addNote(fmt.Sprintf("lint: %s", lint)) + r.Notes = append(r.Notes, &report.Note{ + Body: lint, + Type: report.NoteTypeLint, + }) } } return r } -type addNoteFunc func(string) - -func affectedToModules(as []osvschema.Affected, addNote addNoteFunc, pc *proxy.Client) []*report.Module { +func affectedToModules(as []osvschema.Affected, pc *proxy.Client) []*report.Module { var modules []*report.Module for _, a := range as { if a.Package.Ecosystem != osvschema.EcosystemGo { diff --git a/internal/genericosv/report_test.go b/internal/genericosv/report_test.go index d64dc5fe..8e716d77 100644 --- a/internal/genericosv/report_test.go +++ b/internal/genericosv/report_test.go 
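Review bot: affectedToModules loses its addNote parameter, so anything it previously reported through that callback no longer reaches r.Notes, and nothing in this hunk adds a replacement; its body continues past the end of the hunk, so it is worth confirming there that no warning about a skipped or unparseable affected entry is now silently dropped (report_test.go likewise deletes its "unexpected notes" assertion rather than asserting on r.Notes). As a point of style, the two inline `r.Notes = append(r.Notes, &report.Note{...})` literals restate what the deleted closure did; a typed helper `addNote := func(t report.NoteType, body string) { r.Notes = append(r.Notes, &report.Note{Body: body, Type: t}) }` called as `addNote(report.NoteTypeCreate, fmt.Sprintf("found alias %s that is not a GHSA or CVE", alias))` and `addNote(report.NoteTypeLint, lint)` keeps the construction in one place. ToReport starts before this hunk.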
@@ -349,17 +349,10 @@ func TestAffectedToModules(t *testing.T) { t.Fatal(err) } - var gotNotes []string - addNote := func(note string) { - gotNotes = append(gotNotes, note) - } - got := affectedToModules(tc.in, addNote, pc) + got := affectedToModules(tc.in, pc) if diff := cmp.Diff(tc.want, got); diff != "" { t.Errorf("%s: affectedToModules() mismatch (-want +got)\n%s", tc.desc, diff) } - if len(gotNotes) > 0 { - t.Errorf("%s: affectedToModules() output unexpected notes = %s", tc.desc, gotNotes) - } }) } diff --git a/internal/genericosv/testdata/yaml/GHSA-33m6-q9v5-62r7.yaml b/internal/genericosv/testdata/yaml/GHSA-33m6-q9v5-62r7.yaml index aefcd7af..4f871458 100644 --- a/internal/genericosv/testdata/yaml/GHSA-33m6-q9v5-62r7.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-33m6-q9v5-62r7.yaml @@ -55,6 +55,6 @@ references: - web: https://bugzilla.redhat.com/show_bug.cgi?id=1954376 - web: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488 notes: - - 'lint: github.com/apptainer/sif: bad version "1.2.1-0.20180103161547-0ef6afb2f6cd": HTTP GET /github.com/apptainer/sif/@v/v1.2.1-0.20180103161547-0ef6afb2f6cd.mod returned status 404 Not Found' - - 'lint: github.com/satori/go.uuid: vulnerable_at version 1.2.0 is not inside vulnerable range' - - 'lint: references should contain at most one advisory link' + - lint: 'github.com/apptainer/sif: bad version "1.2.1-0.20180103161547-0ef6afb2f6cd": HTTP GET /github.com/apptainer/sif/@v/v1.2.1-0.20180103161547-0ef6afb2f6cd.mod returned status 404 Not Found' + - lint: 'github.com/satori/go.uuid: vulnerable_at version 1.2.0 is not inside vulnerable range' + - lint: references should contain at most one advisory link diff --git a/internal/genericosv/testdata/yaml/GHSA-3hwm-922r-47hw.yaml b/internal/genericosv/testdata/yaml/GHSA-3hwm-922r-47hw.yaml index a0b2a589..8c8699ab 100644 --- a/internal/genericosv/testdata/yaml/GHSA-3hwm-922r-47hw.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-3hwm-922r-47hw.yaml 
@@ -21,4 +21,4 @@ references: - web: https://github.com/42Atomys/stud42/issues/412 - web: https://github.com/42Atomys/stud42/commit/a70bfc72fba721917bf681d72a58093fb9deee17 notes: - - 'lint: atomys.codes/stud42: bad version "0.23.0": HTTP GET /atomys.codes/stud42/@v/v0.23.0.mod returned status 404 Not Found' + - lint: 'atomys.codes/stud42: bad version "0.23.0": HTTP GET /atomys.codes/stud42/@v/v0.23.0.mod returned status 404 Not Found' diff --git a/internal/genericosv/testdata/yaml/GHSA-3wq5-3f56-v5xc.yaml b/internal/genericosv/testdata/yaml/GHSA-3wq5-3f56-v5xc.yaml index 7452c016..247b381b 100644 --- a/internal/genericosv/testdata/yaml/GHSA-3wq5-3f56-v5xc.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-3wq5-3f56-v5xc.yaml @@ -25,5 +25,5 @@ references: - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-1777 - web: https://mattermost.com/security-updates/ notes: - - 'lint: github.com/mattermost/mattermost-server/v6: bad version "7.1.6": github.com/mattermost/mattermost-server/v6@v7.1.6: invalid version: should be v6, not v7' - - 'lint: github.com/mattermost/mattermost-server: bad version "7.1.0": github.com/mattermost/mattermost-server@v7.1.0: invalid version: should be v0 or v1, not v7' + - lint: 'github.com/mattermost/mattermost-server/v6: bad version "7.1.6": github.com/mattermost/mattermost-server/v6@v7.1.6: invalid version: should be v6, not v7' + - lint: 'github.com/mattermost/mattermost-server: bad version "7.1.0": github.com/mattermost/mattermost-server@v7.1.0: invalid version: should be v0 or v1, not v7' diff --git a/internal/genericosv/testdata/yaml/GHSA-54q4-74p3-mgcw.yaml b/internal/genericosv/testdata/yaml/GHSA-54q4-74p3-mgcw.yaml index 800b751e..dc2f1c44 100644 --- a/internal/genericosv/testdata/yaml/GHSA-54q4-74p3-mgcw.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-54q4-74p3-mgcw.yaml 
@@ -18,5 +18,5 @@ references: - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-38867 - report: https://github.com/zhaojh329/rttys/issues/117 notes: - - 'lint: github.com/zhaojh329/rttys: bad version "4.0.0": github.com/zhaojh329/rttys@v4.0.0: invalid version: should be v0 or v1, not v4' - - 'lint: github.com/zhaojh329/rttys: version issue: 1 unsupported version(s)' + - lint: 'github.com/zhaojh329/rttys: bad version "4.0.0": github.com/zhaojh329/rttys@v4.0.0: invalid version: should be v0 or v1, not v4' + - lint: 'github.com/zhaojh329/rttys: version issue: 1 unsupported version(s)' diff --git a/internal/genericosv/testdata/yaml/GHSA-5m6c-jp6f-2vcv.yaml b/internal/genericosv/testdata/yaml/GHSA-5m6c-jp6f-2vcv.yaml index 41704304..31f0dfa3 100644 --- a/internal/genericosv/testdata/yaml/GHSA-5m6c-jp6f-2vcv.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-5m6c-jp6f-2vcv.yaml @@ -21,5 +21,5 @@ references: - fix: https://github.com/oauth2-proxy/oauth2-proxy/commit/ee5662e0f5001d76ec76562bb605abbd07c266a2 - web: https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v6.0.0 notes: - - 'lint: github.com/oauth2-proxy/oauth2-proxy: bad version "5.1.1": github.com/oauth2-proxy/oauth2-proxy@v5.1.1: invalid version: should be v0 or v1, not v5' - - 'lint: references should contain at most one advisory link' + - lint: 'github.com/oauth2-proxy/oauth2-proxy: bad version "5.1.1": github.com/oauth2-proxy/oauth2-proxy@v5.1.1: invalid version: should be v0 or v1, not v5' + - lint: references should contain at most one advisory link diff --git a/internal/genericosv/testdata/yaml/GHSA-627p-rr78-99rj.yaml b/internal/genericosv/testdata/yaml/GHSA-627p-rr78-99rj.yaml index 6840295a..3c1f0fc3 100644 --- a/internal/genericosv/testdata/yaml/GHSA-627p-rr78-99rj.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-627p-rr78-99rj.yaml 
@@ -66,6 +66,6 @@ references: - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-5415 - web: https://tanzu.vmware.com/security/cve-2020-5415 notes: - - 'lint: github.com/concourse/concourse: bad version "6.3.0": github.com/concourse/concourse@v6.3.0: invalid version: should be v0 or v1, not v6' - - 'lint: github.com/concourse/dex: bad version "6.3.0": github.com/concourse/dex@v6.3.0: invalid version: should be v0 or v1, not v6' - - 'lint: references should contain at most one advisory link' + - lint: 'github.com/concourse/concourse: bad version "6.3.0": github.com/concourse/concourse@v6.3.0: invalid version: should be v0 or v1, not v6' + - lint: 'github.com/concourse/dex: bad version "6.3.0": github.com/concourse/dex@v6.3.0: invalid version: should be v0 or v1, not v6' + - lint: references should contain at most one advisory link diff --git a/internal/genericosv/testdata/yaml/GHSA-66p8-j459-rq63.yaml b/internal/genericosv/testdata/yaml/GHSA-66p8-j459-rq63.yaml index a33466f0..62371dd1 100644 --- a/internal/genericosv/testdata/yaml/GHSA-66p8-j459-rq63.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-66p8-j459-rq63.yaml @@ -43,5 +43,5 @@ references: - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-25168 - fix: https://github.com/pterodactyl/wings/commit/429ac62dba22997a278bc709df5ac00a5a25d83d notes: - - 'lint: references should contain at most one advisory link' - - 'lint: summary is too long: 131 characters (max 100)' + - lint: references should contain at most one advisory link + - lint: 'summary is too long: 131 characters (max 100)' diff --git a/internal/genericosv/testdata/yaml/GHSA-69v6-xc2j-r2jf.yaml b/internal/genericosv/testdata/yaml/GHSA-69v6-xc2j-r2jf.yaml index 22b51de5..8c8feb69 100644 --- a/internal/genericosv/testdata/yaml/GHSA-69v6-xc2j-r2jf.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-69v6-xc2j-r2jf.yaml 
@@ -40,6 +40,6 @@ references: - fix: https://github.com/ethereum/go-ethereum/commit/295693759e5ded05fec0b2fb39359965b60da785 - web: https://blog.ethereum.org/2020/11/12/geth_security_release/ notes: - - 'lint: github.com/ethereum/go-ethereum: bad version "1.19.7": HTTP GET /github.com/ethereum/go-ethereum/@v/v1.19.7.mod returned status 404 Not Found' - - 'lint: github.com/ethereum/go-ethereum: missing skip_fix and vulnerable_at: "github.com/ethereum/go-ethereum/core/vm"' - - 'lint: references should contain at most one advisory link' + - lint: 'github.com/ethereum/go-ethereum: bad version "1.19.7": HTTP GET /github.com/ethereum/go-ethereum/@v/v1.19.7.mod returned status 404 Not Found' + - lint: 'github.com/ethereum/go-ethereum: missing skip_fix and vulnerable_at: "github.com/ethereum/go-ethereum/core/vm"' + - lint: references should contain at most one advisory link diff --git a/internal/genericosv/testdata/yaml/GHSA-6rg3-8h8x-5xfv.yaml b/internal/genericosv/testdata/yaml/GHSA-6rg3-8h8x-5xfv.yaml index 3abb0ecd..64ab4318 100644 --- a/internal/genericosv/testdata/yaml/GHSA-6rg3-8h8x-5xfv.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-6rg3-8h8x-5xfv.yaml @@ -28,4 +28,4 @@ ghsas: references: - advisory: https://github.com/pterodactyl/wings/security/advisories/GHSA-6rg3-8h8x-5xfv notes: - - 'lint: summary is too long: 110 characters (max 100)' + - lint: 'summary is too long: 110 characters (max 100)' diff --git a/internal/genericosv/testdata/yaml/GHSA-7943-82jg-wmw5.yaml b/internal/genericosv/testdata/yaml/GHSA-7943-82jg-wmw5.yaml index 31b1d4f8..9aa9ede7 100644 --- a/internal/genericosv/testdata/yaml/GHSA-7943-82jg-wmw5.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-7943-82jg-wmw5.yaml 
@@ -128,5 +128,5 @@ references: - web: https://github.com/argoproj/argo-cd/releases/tag/v2.3.6 - web: https://github.com/argoproj/argo-cd/releases/tag/v2.4.5 notes: - - 'lint: github.com/argoproj/argo-cd: bad version "2.2.11": github.com/argoproj/argo-cd@v2.2.11: invalid version: should be v0 or v1, not v2' - - 'lint: references should contain at most one advisory link' + - lint: 'github.com/argoproj/argo-cd: bad version "2.2.11": github.com/argoproj/argo-cd@v2.2.11: invalid version: should be v0 or v1, not v2' + - lint: references should contain at most one advisory link diff --git a/internal/genericosv/testdata/yaml/GHSA-7fxj-fr3v-r9gj.yaml b/internal/genericosv/testdata/yaml/GHSA-7fxj-fr3v-r9gj.yaml index 4f6688a0..a811921a 100644 --- a/internal/genericosv/testdata/yaml/GHSA-7fxj-fr3v-r9gj.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-7fxj-fr3v-r9gj.yaml @@ -24,5 +24,5 @@ references: - web: https://advisory.dw1.io/45 - web: https://huntr.dev/bounties/120f1346-e958-49d0-b66c-0f889a469540 notes: - - 'lint: github.com/pingcap/tidb: bad version "6.2.0": github.com/pingcap/tidb@v6.2.0: invalid version: should be v0 or v1, not v6' - - 'lint: github.com/pingcap/tidb: version issue: 2 unsupported version(s)' + - lint: 'github.com/pingcap/tidb: bad version "6.2.0": github.com/pingcap/tidb@v6.2.0: invalid version: should be v0 or v1, not v6' + - lint: 'github.com/pingcap/tidb: version issue: 2 unsupported version(s)' diff --git a/internal/genericosv/testdata/yaml/GHSA-9689-rx4v-cqgc.yaml b/internal/genericosv/testdata/yaml/GHSA-9689-rx4v-cqgc.yaml index 1918576d..e201dc1e 100644 --- a/internal/genericosv/testdata/yaml/GHSA-9689-rx4v-cqgc.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-9689-rx4v-cqgc.yaml 
@@ -25,5 +25,5 @@ references: - web: https://github.com/concourse/concourse/blob/release/5.2.x/release-notes/v5.2.8.md - web: https://pivotal.io/security/cve-2018-15798 notes: - - 'lint: github.com/concourse/concourse: bad version "5.2.8": github.com/concourse/concourse@v5.2.8: invalid version: should be v0 or v1, not v5' - - 'lint: github.com/concourse/concourse: missing skip_fix and vulnerable_at: "github.com/concourse/concourse/skymarshal/skyserver"' + - lint: 'github.com/concourse/concourse: bad version "5.2.8": github.com/concourse/concourse@v5.2.8: invalid version: should be v0 or v1, not v5' + - lint: 'github.com/concourse/concourse: missing skip_fix and vulnerable_at: "github.com/concourse/concourse/skymarshal/skyserver"' diff --git a/internal/genericosv/testdata/yaml/GHSA-cf7g-cm7q-rq7f.yaml b/internal/genericosv/testdata/yaml/GHSA-cf7g-cm7q-rq7f.yaml index 5ec2ae0e..a0dbff2a 100644 --- a/internal/genericosv/testdata/yaml/GHSA-cf7g-cm7q-rq7f.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-cf7g-cm7q-rq7f.yaml @@ -19,5 +19,5 @@ references: - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-39220 - fix: https://github.com/drakkan/sftpgo/commit/cbef217cfa92478ee8e00ba1a5fb074f8a8aeee0 notes: - - 'lint: github.com/drakkan/sftpgo: bad version "2.3.5": github.com/drakkan/sftpgo@v2.3.5: invalid version: should be v0 or v1, not v2' - - 'lint: references should contain at most one advisory link' + - lint: 'github.com/drakkan/sftpgo: bad version "2.3.5": github.com/drakkan/sftpgo@v2.3.5: invalid version: should be v0 or v1, not v2' + - lint: references should contain at most one advisory link diff --git a/internal/genericosv/testdata/yaml/GHSA-fv82-r8qv-ch4v.yaml b/internal/genericosv/testdata/yaml/GHSA-fv82-r8qv-ch4v.yaml index d26f91e9..04541fbd 100644 --- a/internal/genericosv/testdata/yaml/GHSA-fv82-r8qv-ch4v.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-fv82-r8qv-ch4v.yaml 
@@ -36,4 +36,4 @@ references: - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-29652 - fix: https://github.com/pomerium/pomerium/pull/2048 notes: - - 'lint: references should contain at most one advisory link' + - lint: references should contain at most one advisory link diff --git a/internal/genericosv/testdata/yaml/GHSA-g5gj-9ggf-9vmq.yaml b/internal/genericosv/testdata/yaml/GHSA-g5gj-9ggf-9vmq.yaml index 7e99b120..00983bef 100644 --- a/internal/genericosv/testdata/yaml/GHSA-g5gj-9ggf-9vmq.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-g5gj-9ggf-9vmq.yaml @@ -25,4 +25,4 @@ references: - web: https://github.com/cloudflare/cfrpki/releases/tag/v1.4.0 - web: https://www.debian.org/security/2022/dsa-5041 notes: - - 'lint: references should contain at most one advisory link' + - lint: references should contain at most one advisory link diff --git a/internal/genericosv/testdata/yaml/GHSA-g9wh-3vrx-r7hg.yaml b/internal/genericosv/testdata/yaml/GHSA-g9wh-3vrx-r7hg.yaml index 94fd6f7d..2cd6425e 100644 --- a/internal/genericosv/testdata/yaml/GHSA-g9wh-3vrx-r7hg.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-g9wh-3vrx-r7hg.yaml @@ -24,4 +24,4 @@ references: - fix: https://github.com/cloudflare/cfrpki/commit/648658b1b176a747b52645989cfddc73a81eacad - web: https://www.debian.org/security/2022/dsa-5041 notes: - - 'lint: references should contain at most one advisory link' + - lint: references should contain at most one advisory link diff --git a/internal/genericosv/testdata/yaml/GHSA-hjv9-hm2f-rpcj.yaml b/internal/genericosv/testdata/yaml/GHSA-hjv9-hm2f-rpcj.yaml index 13adc12c..db1282c8 100644 --- a/internal/genericosv/testdata/yaml/GHSA-hjv9-hm2f-rpcj.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-hjv9-hm2f-rpcj.yaml 
@@ -30,4 +30,4 @@ references: - web: https://grafana.com/security/security-advisories/cve-2023-0507/ - web: https://security.netapp.com/advisory/ntap-20230413-0001/ notes: - - 'lint: github.com/grafana/grafana: bad version "8.1.0": github.com/grafana/grafana@v8.1.0: invalid version: should be v0 or v1, not v8' + - lint: 'github.com/grafana/grafana: bad version "8.1.0": github.com/grafana/grafana@v8.1.0: invalid version: should be v0 or v1, not v8' diff --git a/internal/genericosv/testdata/yaml/GHSA-hmfx-3pcx-653p.yaml b/internal/genericosv/testdata/yaml/GHSA-hmfx-3pcx-653p.yaml index 4c5938f7..08ab5121 100644 --- a/internal/genericosv/testdata/yaml/GHSA-hmfx-3pcx-653p.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-hmfx-3pcx-653p.yaml @@ -71,4 +71,4 @@ references: - web: https://github.com/containerd/containerd/releases/tag/v1.6.18 - web: https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/ notes: - - 'lint: references should contain at most one advisory link' + - lint: references should contain at most one advisory link diff --git a/internal/genericosv/testdata/yaml/GHSA-hv53-vf5m-8q94.yaml b/internal/genericosv/testdata/yaml/GHSA-hv53-vf5m-8q94.yaml index 7305407a..597c1fc7 100644 --- a/internal/genericosv/testdata/yaml/GHSA-hv53-vf5m-8q94.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-hv53-vf5m-8q94.yaml @@ -53,4 +53,4 @@ references: - advisory: https://github.com/personnummer/go/security/advisories/GHSA-hv53-vf5m-8q94 - web: https://pkg.go.dev/github.com/personnummer/go notes: - - 'lint: github.com/personnummer/go: bad version "3.0.1": github.com/personnummer/go@v3.0.1: invalid version: should be v0 or v1, not v3' + - lint: 'github.com/personnummer/go: bad version "3.0.1": github.com/personnummer/go@v3.0.1: invalid version: should be v0 or v1, not v3' 
diff --git a/internal/genericosv/testdata/yaml/GHSA-jmp2-wc4p-wfh2.yaml b/internal/genericosv/testdata/yaml/GHSA-jmp2-wc4p-wfh2.yaml index b8620c50..0031d107 100644 --- a/internal/genericosv/testdata/yaml/GHSA-jmp2-wc4p-wfh2.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-jmp2-wc4p-wfh2.yaml @@ -59,5 +59,5 @@ references: - web: https://github.com/mutagen-io/mutagen/releases/tag/v0.16.6 - web: https://github.com/mutagen-io/mutagen/releases/tag/v0.17.1 notes: - - 'lint: references should contain at most one advisory link' - - 'lint: summary is too long: 111 characters (max 100)' + - lint: references should contain at most one advisory link + - lint: 'summary is too long: 111 characters (max 100)' diff --git a/internal/genericosv/testdata/yaml/GHSA-pg5p-wwp8-97g8.yaml b/internal/genericosv/testdata/yaml/GHSA-pg5p-wwp8-97g8.yaml index 6196a3fd..bb9d7959 100644 --- a/internal/genericosv/testdata/yaml/GHSA-pg5p-wwp8-97g8.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-pg5p-wwp8-97g8.yaml @@ -61,6 +61,6 @@ references: - advisory: https://github.com/cilium/cilium/security/advisories/GHSA-pg5p-wwp8-97g8 - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-29002 notes: - - 'lint: github.com/cilium/cilium: version issue: 1 unsupported version(s)' - - 'lint: github.com/cilium/cilium: version issue: introduced and fixed versions must alternate' - - 'lint: references should contain at most one advisory link' + - lint: 'github.com/cilium/cilium: version issue: 1 unsupported version(s)' + - lint: 'github.com/cilium/cilium: version issue: introduced and fixed versions must alternate' + - lint: references should contain at most one advisory link diff --git a/internal/genericosv/testdata/yaml/GHSA-pmfr-63c2-jr5c.yaml b/internal/genericosv/testdata/yaml/GHSA-pmfr-63c2-jr5c.yaml index 9401befc..396fcf24 100644 --- a/internal/genericosv/testdata/yaml/GHSA-pmfr-63c2-jr5c.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-pmfr-63c2-jr5c.yaml 
@@ -68,5 +68,5 @@ references: - web: http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html - web: http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00053.html notes: - - 'lint: github.com/sylabs/singularity: bad version "3.6.0": github.com/sylabs/singularity@v3.6.0: invalid version: should be v0 or v1, not v3' - - 'lint: references should contain at most one advisory link' + - lint: 'github.com/sylabs/singularity: bad version "3.6.0": github.com/sylabs/singularity@v3.6.0: invalid version: should be v0 or v1, not v3' + - lint: references should contain at most one advisory link diff --git a/internal/genericosv/testdata/yaml/GHSA-w4xh-w33p-4v29.yaml b/internal/genericosv/testdata/yaml/GHSA-w4xh-w33p-4v29.yaml index 78ff63ae..39060ebb 100644 --- a/internal/genericosv/testdata/yaml/GHSA-w4xh-w33p-4v29.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-w4xh-w33p-4v29.yaml 
@@ -28,6 +28,6 @@ references: - web: http://blog.recurity-labs.com/2017-08-10/scm-vulns - web: http://www.securityfocus.com/bid/102926 notes: - - 'lint: github.com/git-lfs/git-lfs: bad version "2.1.1-0.20170519163204-f913f5f9c7c6": github.com/git-lfs/git-lfs@v2.1.1-0.20170519163204-f913f5f9c7c6: invalid version: should be v0 or v1, not v2' - - 'lint: github.com/git-lfs/git-lfs: bad version "2.1.1-0.20170519163204-f913f5f9c7c6": github.com/git-lfs/git-lfs@v2.1.1-0.20170519163204-f913f5f9c7c6: invalid version: should be v0 or v1, not v2' - - 'lint: github.com/git-lfs/git-lfs: missing skip_fix and vulnerable_at: "github.com/git-lfs/git-lfs/lfsapi"' + - lint: 'github.com/git-lfs/git-lfs: bad version "2.1.1-0.20170519163204-f913f5f9c7c6": github.com/git-lfs/git-lfs@v2.1.1-0.20170519163204-f913f5f9c7c6: invalid version: should be v0 or v1, not v2' + - lint: 'github.com/git-lfs/git-lfs: bad version "2.1.1-0.20170519163204-f913f5f9c7c6": github.com/git-lfs/git-lfs@v2.1.1-0.20170519163204-f913f5f9c7c6: invalid version: should be v0 or v1, not v2' + - lint: 'github.com/git-lfs/git-lfs: missing skip_fix and vulnerable_at: "github.com/git-lfs/git-lfs/lfsapi"' diff --git a/internal/genericosv/testdata/yaml/GHSA-wx8q-rgfr-cf6v.yaml b/internal/genericosv/testdata/yaml/GHSA-wx8q-rgfr-cf6v.yaml index de82cbc5..4d07ae61 100644 --- a/internal/genericosv/testdata/yaml/GHSA-wx8q-rgfr-cf6v.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-wx8q-rgfr-cf6v.yaml @@ -28,5 +28,5 @@ references: - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-22565 - web: https://github.com/google/exposure-notifications-verification-server/releases/tag/v1.1.2 notes: - - 'lint: references should contain at most one advisory link' - - 'lint: summary is too long: 106 characters (max 100)' + - lint: references should contain at most one advisory link + - lint: 'summary is too long: 106 characters (max 100)' 
diff --git a/internal/genericosv/testdata/yaml/GHSA-xmg8-99r8-jc2j.yaml b/internal/genericosv/testdata/yaml/GHSA-xmg8-99r8-jc2j.yaml index ebaf601d..852da5d1 100644 --- a/internal/genericosv/testdata/yaml/GHSA-xmg8-99r8-jc2j.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-xmg8-99r8-jc2j.yaml @@ -72,5 +72,5 @@ references: - web: https://github.com/argoproj/argo-cd/releases/tag/v2.2.9 - web: https://github.com/argoproj/argo-cd/releases/tag/v2.3.4 notes: - - 'lint: github.com/argoproj/argo-cd: bad version "2.1.15": github.com/argoproj/argo-cd@v2.1.15: invalid version: should be v0 or v1, not v2' - - 'lint: references should contain at most one advisory link' + - lint: 'github.com/argoproj/argo-cd: bad version "2.1.15": github.com/argoproj/argo-cd@v2.1.15: invalid version: should be v0 or v1, not v2' + - lint: references should contain at most one advisory link diff --git a/internal/genericosv/testdata/yaml/GHSA-xx9w-464f-7h6f.yaml b/internal/genericosv/testdata/yaml/GHSA-xx9w-464f-7h6f.yaml index feab332f..f7a3065e 100644 --- a/internal/genericosv/testdata/yaml/GHSA-xx9w-464f-7h6f.yaml +++ b/internal/genericosv/testdata/yaml/GHSA-xx9w-464f-7h6f.yaml @@ -42,4 +42,4 @@ ghsas: references: - advisory: https://github.com/goharbor/harbor/security/advisories/GHSA-xx9w-464f-7h6f notes: - - 'lint: github.com/goharbor/harbor: bad version "1.0.0": HTTP GET /github.com/goharbor/harbor/@v/v1.0.0.mod returned status 404 Not Found' + - lint: 'github.com/goharbor/harbor: bad version "1.0.0": HTTP GET /github.com/goharbor/harbor/@v/v1.0.0.mod returned status 404 Not Found' diff --git a/internal/report/report.go b/internal/report/report.go index b2480ff1..222bc523 100644 --- a/internal/report/report.go +++ b/internal/report/report.go 
@@ -102,13 +102,13 @@ var ExcludedReasons = []ExcludedReason{ // single-element mapping of type to URL. type Reference osv.Reference -func (r *Reference) MarshalYAML() (interface{}, error) { +func (r *Reference) MarshalYAML() (any, error) { return map[string]string{ strings.ToLower(string(r.Type)): r.URL, }, nil } -func (r *Reference) UnmarshalYAML(n *yaml.Node) (err error) { +func (r *Reference) UnmarshalYAML(n *yaml.Node) error { if n.Kind != yaml.MappingNode || len(n.Content) != 2 || n.Content[0].Kind != yaml.ScalarNode || n.Content[1].Kind != yaml.ScalarNode { return &yaml.TypeError{Errors: []string{ fmt.Sprintf("line %d: report.Reference must contain a mapping with one value", n.Line), 
@@ -119,6 +119,50 @@ func (r *Reference) UnmarshalYAML(n *yaml.Node) (err error) { return nil } +// A Note is a note about the report. +// May be typed or untyped (with Type left blank). +type Note struct { + Body string + Type NoteType +} + +type NoteType string + +const ( + NoteTypeNone NoteType = "" + NoteTypeLint NoteType = "LINT" + NoteTypeFix NoteType = "FIX" + NoteTypeCreate NoteType = "CREATE" +) + +func (n *Note) MarshalYAML() (any, error) { + if n.Type == NoteTypeNone { + return n.Body, nil + } + return map[string]string{ + strings.ToLower(string(n.Type)): n.Body, + }, nil +} + +func (n *Note) UnmarshalYAML(node *yaml.Node) error { + // Handle untyped notes. + if node.Kind == yaml.ScalarNode { + n.Type = NoteTypeNone + n.Body = node.Value + return nil + } + + // Handle typed notes. + if node.Kind != yaml.MappingNode || len(node.Content) != 2 || node.Content[0].Kind != yaml.ScalarNode || node.Content[1].Kind != yaml.ScalarNode { + return &yaml.TypeError{Errors: []string{ + fmt.Sprintf("line %d: typed Note must contain a mapping with one value", node.Line), + }} + } + n.Type = NoteType(strings.ToUpper(node.Content[0].Value)) + n.Body = node.Content[1].Value + return nil +} + // Report represents a vulnerability report in the vulndb. // Remember to update doc/format.md when this structure changes. type Report struct { @@ -153,11 +197,11 @@ type Report struct { // to fill in the ID string. CVEMetadata *CVEMeta `yaml:"cve_metadata,omitempty"` - // Freeform notes about the report. This field is ignored when creating + // Notes about the report. This field is ignored when creating // OSV and CVE records. It can be used to document decisions made when // creating the report, outstanding issues, or anything else worth // mentioning. - Notes []string `yaml:",omitempty"` + Notes []*Note `yaml:",omitempty"` } // GoCVE returns the CVE assigned to this report by the Go CNA,
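Review bot: UnmarshalYAML accepts any single-key mapping as a typed note and stores the uppercased key as the NoteType without checking it against the declared constants, so a stray `- foo: bar` under notes round-trips as type "FOO" instead of failing to parse. If the type set is meant to be closed (the commit message names lint and create), the switch below rejects unknown keys with the same yaml.TypeError shape the existing mapping check already uses; if open types are intended, the `// May be typed or untyped` comment on Note should say that any key is accepted. Either way NoteType and its four constants are exported and carry no doc comment; `// NoteType identifies the tool or process that added a Note; the empty value means the note is untyped.` would cover them.
```go
func (n *Note) UnmarshalYAML(node *yaml.Node) error {
	// … unchanged: untyped (scalar) notes …
	// … unchanged: shape check for the one-entry mapping …
	t := NoteType(strings.ToUpper(node.Content[0].Value))
	switch t {
	case NoteTypeLint, NoteTypeFix, NoteTypeCreate:
	default:
		return &yaml.TypeError{Errors: []string{
			fmt.Sprintf("line %d: unknown note type %q", node.Line, node.Content[0].Value),
		}}
	}
	n.Type = t
	n.Body = node.Content[1].Value
	return nil
}
```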