internal/report: allow reports to have both cves and cve_metadata

Allow YAML reports to populate both "cves" and "cve_metadata". This is
needed for GO-2023-2102.

For golang/go#61184

Change-Id: I920eb2a0cffc0007cca31a52bd1edfe8ee1dd40d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/534239
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Damien Neil <[email protected]>

internal/report/cve5.go

@@ -27,9 +27,6 @@ var (
 func (r *Report) ToCVE5() (_ *cveschema5.CVERecord, err error) {
 	defer derrors.Wrap(&err, "ToCVERecord(%q)", r.ID)
 
-	if len(r.CVEs) > 0 {
-		return nil, errors.New("report has CVE ID is wrong section (should be in cve_metadata for self-issued CVEs)")
-	}
 	if r.CVEMetadata == nil {
 		return nil, errors.New("report missing cve_metadata section")
 	}

internal/report/lint.go

@@ -97,12 +97,6 @@ func (m *Module) lintVersions(addPkgIssue func(string)) {
 }
 
 func (r *Report) lintCVEs(addIssue func(string)) {
-	if len(r.CVEs) > 0 && r.CVEMetadata != nil && r.CVEMetadata.ID != "" {
-		// TODO(https://go.dev/issue/61184): consider allowing both these fields
-		// to be populated.
-		addIssue("only one of cve and cve_metadata.id should be present")
-	}
-
 	for _, cve := range r.CVEs {
 		if !cveschema5.IsCVE(cve) {
 			addIssue("malformed cve identifier")

internal/report/lint_test.go

@@ -321,7 +321,7 @@ func TestLintOffline(t *testing.T) {
 				r.CVEs = []string{"CVE-0000-1111"}
 				r.CVEMetadata = validCVEMetadata
 			}),
-			want: []string{"only one of cve and cve_metadata.id should be present"},
+			want: nil,
 		},
 		{
 			desc: "missing cve metadata required fields",