internal/ghsa: add references to SecurityAdvisory

tatianab · Tatiana Bradley · commit 708d76d38d76 · 2022-12-29T20:19:21.000Z
Adds a field References to the SecurityAdvisory, and populate the field via the GHSA client. This will allow us to populate references for GHSAs in vulnreport create. Change-Id: I59b63a68bd5d3b8a122f233a40ff0915ee9f9481 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/459837 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tim King <taking@google.com> Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Tatiana Bradley <tatiana@golang.org>
diff --git a/internal/ghsa/ghsa.go b/internal/ghsa/ghsa.go
@@ -30,6 +30,8 @@ type SecurityAdvisory struct {
 	Permalink string
 	// When the advisory was first published.
 	PublishedAt time.Time
+	// References linked to by this advisory.
+	References []Reference
 	// When the advisory was last updated; should always be >= PublishedAt.
 	UpdatedAt time.Time
 	// The vulnerabilities associated with this advisory.
@@ -43,6 +45,11 @@ type Identifier struct {
 	Value string
 }
 
+// A Reference is a URL linked to by the advisory.
+type Reference struct {
+	URL string
+}
+
 // A Vuln represents a vulnerability.
 type Vuln struct {
 	// The vulnerable Go package or module.
@@ -68,6 +75,7 @@ type gqlSecurityAdvisory struct {
 	Description     string
 	Origin          string
 	Permalink       githubv4.URI
+	References      []Reference
 	PublishedAt     time.Time
 	UpdatedAt       time.Time
 	Vulnerabilities struct {
@@ -104,6 +112,7 @@ func (sa *gqlSecurityAdvisory) securityAdvisory() (*SecurityAdvisory, error) {
 		Description: sa.Description,
 		Origin:      sa.Origin,
 		Permalink:   sa.Permalink.URL.String(),
+		References:  sa.References,
 		PublishedAt: sa.PublishedAt,
 		UpdatedAt:   sa.UpdatedAt,
 	}
