cmd/vulnreport: allow fetching ghsas in OSV format in vulnreport

Add flag "ghsa-osv" that allows vulnreport create to use the new OSV-to-report logic. The flag is false by default because the feature is in progress. Change-Id: I064015650dfa29b3f657d57dc67c0edeb51003ee Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/516178 Reviewed-by: Damien Neil <[email protected]> Run-TryBot: Tatiana Bradley <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
golang · Aug 23, 2023 · 0cee1e6 · 0cee1e6
1 parent f5ddfa8
commit 0cee1e6
Showing 1 changed file with 14 additions and 4 deletions.
diff --git a/cmd/vulnreport/main.go b/cmd/vulnreport/main.go
@@ -37,6 +37,7 @@ import (
 	"golang.org/x/vulndb/internal/cvelistrepo"
 	"golang.org/x/vulndb/internal/database"
 	"golang.org/x/vulndb/internal/derrors"
+	"golang.org/x/vulndb/internal/genericosv"
 	"golang.org/x/vulndb/internal/ghsa"
 	"golang.org/x/vulndb/internal/gitrepo"
 	"golang.org/x/vulndb/internal/issues"
@@ -52,6 +53,7 @@ var (
 	githubToken   = flag.String("ghtoken", "", "GitHub access token (default: value of VULN_GITHUB_ACCESS_TOKEN)")
 	skipSymbols   = flag.Bool("skip-symbols", false, "for lint and fix, don't load package for symbols checks")
 	skipAlias     = flag.Bool("skip-alias", false, "for fix, skip adding new GHSAs and CVEs")
+	ghsaOSV       = flag.Bool("ghsa-osv", false, "for create, fetch GHSAs in OSV format (experimental)")
 	updateIssue   = flag.Bool("up", false, "for commit, create a CL that updates (doesn't fix) the tracking bug")
 	closedOk      = flag.Bool("closed-ok", false, "for create & create-excluded, allow closed issues to be created")
 	cpuprofile    = flag.String("cpuprofile", "", "write cpuprofile to file")
@@ -478,11 +480,19 @@ func newReport(ctx context.Context, cfg *createCfg, parsed *parsedIssue) (*repor
 	var r *report.Report
 	switch {
 	case len(parsed.ghsas) > 0:
-		ghsa, err := cfg.ghsaClient.FetchGHSA(ctx, parsed.ghsas[0])
-		if err != nil {
-			return nil, err
+		if *ghsaOSV {
+			ghsa, err := genericosv.Fetch(parsed.ghsas[0])
+			if err != nil {
+				return nil, err
+			}
+			r = ghsa.ToReport(parsed.id)
+		} else {
+			ghsa, err := cfg.ghsaClient.FetchGHSA(ctx, parsed.ghsas[0])
+			if err != nil {
+				return nil, err
+			}
+			r = report.GHSAToReport(ghsa, parsed.modulePath)
 		}
-		r = report.GHSAToReport(ghsa, parsed.modulePath)
 	case len(parsed.cves) > 0:
 		cve, err := cvelistrepo.FetchCVE(ctx, loadCVERepo(ctx), parsed.cves[0])
 		if err != nil {