
Repository Vulnerability Alert Missing Fields #1897

Closed
OhZedTee opened this issue Jun 16, 2021 · 10 comments
@OhZedTee
Contributor

OhZedTee commented Jun 16, 2021

Struct for repository_vulnerability_alert webhook event is missing fields that are mentioned in docs.

These fields need to be added to the struct, and tested.

The fields are:
alert.severity
alert.created_at
alert.ghsa_id
repository.watchers
repository.open_issues

The new structs should look like this (I marked the lines to be added with `// new field`):

event_types.go

```go
type RepositoryVulnerabilityAlertEvent struct {
	// Action is the action that was performed. Possible values are: "create", "dismiss", "resolve".
	Action *string `json:"action,omitempty"`

	// The security alert of the vulnerable dependency.
	Alert *struct {
		ID                       *int64     `json:"id,omitempty"`
		AffectedRange            *string    `json:"affected_range,omitempty"`
		AffectedPackageName      *string    `json:"affected_package_name,omitempty"`
		ExternalReference        *string    `json:"external_reference,omitempty"`
		ExternalIdentifier       *string    `json:"external_identifier,omitempty"`
		GithubSecurityAdvisoryID *string    `json:"ghsa_id,omitempty"`    // new field
		Severity                 *string    `json:"severity,omitempty"`   // new field
		CreatedAt                *Timestamp `json:"created_at,omitempty"` // new field
		FixedIn                  *string    `json:"fixed_in,omitempty"`
		Dismisser                *User      `json:"dismisser,omitempty"`
		DismissReason            *string    `json:"dismiss_reason,omitempty"`
		DismissedAt              *Timestamp `json:"dismissed_at,omitempty"`
	} `json:"alert,omitempty"`

	// The repository of the vulnerable dependency.
	Repository *Repository `json:"repository,omitempty"`
}
```

repos.go

```go
// Repository represents a GitHub repository.
type Repository struct {
	ID                  *int64           `json:"id,omitempty"`
	NodeID              *string          `json:"node_id,omitempty"`
	Owner               *User            `json:"owner,omitempty"`
	Name                *string          `json:"name,omitempty"`
	FullName            *string          `json:"full_name,omitempty"`
	Description         *string          `json:"description,omitempty"`
	Homepage            *string          `json:"homepage,omitempty"`
	CodeOfConduct       *CodeOfConduct   `json:"code_of_conduct,omitempty"`
	DefaultBranch       *string          `json:"default_branch,omitempty"`
	MasterBranch        *string          `json:"master_branch,omitempty"`
	CreatedAt           *Timestamp       `json:"created_at,omitempty"`
	PushedAt            *Timestamp       `json:"pushed_at,omitempty"`
	UpdatedAt           *Timestamp       `json:"updated_at,omitempty"`
	HTMLURL             *string          `json:"html_url,omitempty"`
	CloneURL            *string          `json:"clone_url,omitempty"`
	GitURL              *string          `json:"git_url,omitempty"`
	MirrorURL           *string          `json:"mirror_url,omitempty"`
	SSHURL              *string          `json:"ssh_url,omitempty"`
	SVNURL              *string          `json:"svn_url,omitempty"`
	Language            *string          `json:"language,omitempty"`
	Fork                *bool            `json:"fork,omitempty"`
	ForksCount          *int             `json:"forks_count,omitempty"`
	NetworkCount        *int             `json:"network_count,omitempty"`
	OpenIssuesCount     *int             `json:"open_issues_count,omitempty"`
	OpenIssues          *int             `json:"open_issues,omitempty"` // new field
	StargazersCount     *int             `json:"stargazers_count,omitempty"`
	SubscribersCount    *int             `json:"subscribers_count,omitempty"`
	WatchersCount       *int             `json:"watchers_count,omitempty"`
	Watchers            *int             `json:"watchers,omitempty"` // new field
	Size                *int             `json:"size,omitempty"`
	AutoInit            *bool            `json:"auto_init,omitempty"`
	Parent              *Repository      `json:"parent,omitempty"`
	Source              *Repository      `json:"source,omitempty"`
	TemplateRepository  *Repository      `json:"template_repository,omitempty"`
	Organization        *Organization    `json:"organization,omitempty"`
	Permissions         *map[string]bool `json:"permissions,omitempty"`
	AllowRebaseMerge    *bool            `json:"allow_rebase_merge,omitempty"`
	AllowSquashMerge    *bool            `json:"allow_squash_merge,omitempty"`
	AllowMergeCommit    *bool            `json:"allow_merge_commit,omitempty"`
	DeleteBranchOnMerge *bool            `json:"delete_branch_on_merge,omitempty"`
	Topics              []string         `json:"topics,omitempty"`
	Archived            *bool            `json:"archived,omitempty"`
	Disabled            *bool            `json:"disabled,omitempty"`

	// Only provided when using RepositoriesService.Get while in preview
	License *License `json:"license,omitempty"`

	// Additional mutable fields when creating and editing a repository
	Private           *bool   `json:"private,omitempty"`
	HasIssues         *bool   `json:"has_issues,omitempty"`
	HasWiki           *bool   `json:"has_wiki,omitempty"`
	HasPages          *bool   `json:"has_pages,omitempty"`
	HasProjects       *bool   `json:"has_projects,omitempty"`
	HasDownloads      *bool   `json:"has_downloads,omitempty"`
	IsTemplate        *bool   `json:"is_template,omitempty"`
	LicenseTemplate   *string `json:"license_template,omitempty"`
	GitignoreTemplate *string `json:"gitignore_template,omitempty"`

	// Creating an organization repository. Required for non-owners.
	TeamID *int64 `json:"team_id,omitempty"`

	// API URLs
	URL              *string `json:"url,omitempty"`
	ArchiveURL       *string `json:"archive_url,omitempty"`
	AssigneesURL     *string `json:"assignees_url,omitempty"`
	BlobsURL         *string `json:"blobs_url,omitempty"`
	BranchesURL      *string `json:"branches_url,omitempty"`
	CollaboratorsURL *string `json:"collaborators_url,omitempty"`
	CommentsURL      *string `json:"comments_url,omitempty"`
	CommitsURL       *string `json:"commits_url,omitempty"`
	CompareURL       *string `json:"compare_url,omitempty"`
	ContentsURL      *string `json:"contents_url,omitempty"`
	ContributorsURL  *string `json:"contributors_url,omitempty"`
	DeploymentsURL   *string `json:"deployments_url,omitempty"`
	DownloadsURL     *string `json:"downloads_url,omitempty"`
	EventsURL        *string `json:"events_url,omitempty"`
	ForksURL         *string `json:"forks_url,omitempty"`
	GitCommitsURL    *string `json:"git_commits_url,omitempty"`
	GitRefsURL       *string `json:"git_refs_url,omitempty"`
	GitTagsURL       *string `json:"git_tags_url,omitempty"`
	HooksURL         *string `json:"hooks_url,omitempty"`
	IssueCommentURL  *string `json:"issue_comment_url,omitempty"`
	IssueEventsURL   *string `json:"issue_events_url,omitempty"`
	IssuesURL        *string `json:"issues_url,omitempty"`
	KeysURL          *string `json:"keys_url,omitempty"`
	LabelsURL        *string `json:"labels_url,omitempty"`
	LanguagesURL     *string `json:"languages_url,omitempty"`
	MergesURL        *string `json:"merges_url,omitempty"`
	MilestonesURL    *string `json:"milestones_url,omitempty"`
	NotificationsURL *string `json:"notifications_url,omitempty"`
	PullsURL         *string `json:"pulls_url,omitempty"`
	ReleasesURL      *string `json:"releases_url,omitempty"`
	StargazersURL    *string `json:"stargazers_url,omitempty"`
	StatusesURL      *string `json:"statuses_url,omitempty"`
	SubscribersURL   *string `json:"subscribers_url,omitempty"`
	SubscriptionURL  *string `json:"subscription_url,omitempty"`
	TagsURL          *string `json:"tags_url,omitempty"`
	TreesURL         *string `json:"trees_url,omitempty"`
	TeamsURL         *string `json:"teams_url,omitempty"`

	// TextMatches is only populated from search results that request text matches
	// See: search.go and https://docs.github.com/en/free-pro-team@latest/rest/reference/search/#text-match-metadata
	TextMatches []*TextMatch `json:"text_matches,omitempty"`

	// Visibility is only used for Create and Edit endpoints. The visibility field
	// overrides the field parameter when both are used.
	// Can be one of public, private or internal.
	Visibility *string `json:"visibility,omitempty"`
}
```

I don't mind performing the code change if you could assign this issue to me.
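To make the practical consequence of the missing fields concrete, here is an added example (not code from the issue or from go-github itself) that decodes a constructed `repository_vulnerability_alert` payload into a struct shaped like the one before the fix and one shaped like the proposal above. With Go's `encoding/json`, a field the struct does not declare is silently discarded, so a handler built on the old struct receives the alert but never sees `severity` or `ghsa_id`, the two values a triage pipeline most needs. `StrictDecode` uses `DisallowUnknownFields` to turn that silent loss into an error, which is a cheap way to notice when a webhook payload has outgrown the struct that parses it. The payload values, the `OldEvent`/`NewEvent`/`Repo` names and the use of `time.Time` in place of go-github's `Timestamp` are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"time"
)

// SamplePayload is a constructed repository_vulnerability_alert delivery,
// not a real GitHub event: field names follow the webhook docs cited in the
// issue, the values are made up.
const SamplePayload = `{
  "action": "create",
  "alert": {
    "id": 1,
    "affected_range": "< 1.2.3",
    "affected_package_name": "example-pkg",
    "ghsa_id": "GHSA-xxxx-xxxx-xxxx",
    "severity": "high",
    "created_at": "2021-06-16T12:00:00Z",
    "fixed_in": "1.2.3"
  },
  "repository": {
    "id": 42,
    "open_issues_count": 3,
    "open_issues": 3,
    "watchers_count": 7,
    "watchers": 7,
    "stargazers_count": 7,
    "subscribers_count": 2
  }
}`

// OldAlert mirrors the alert struct before the fix: ghsa_id, severity and
// created_at are not declared, so encoding/json drops them without error.
type OldAlert struct {
	ID                  *int64  `json:"id,omitempty"`
	AffectedRange       *string `json:"affected_range,omitempty"`
	AffectedPackageName *string `json:"affected_package_name,omitempty"`
	FixedIn             *string `json:"fixed_in,omitempty"`
}

// NewAlert adds the three fields the issue asks for. time.Time stands in for
// go-github's Timestamp type (an assumption, to keep the example dependency-free).
type NewAlert struct {
	OldAlert
	GHSAID    *string    `json:"ghsa_id,omitempty"`
	Severity  *string    `json:"severity,omitempty"`
	CreatedAt *time.Time `json:"created_at,omitempty"`
}

// Repo keeps the deprecated counters GitHub still sends next to the current ones.
type Repo struct {
	ID               *int64 `json:"id,omitempty"`
	OpenIssuesCount  *int   `json:"open_issues_count,omitempty"`
	StargazersCount  *int   `json:"stargazers_count,omitempty"`  // number of stars
	SubscribersCount *int   `json:"subscribers_count,omitempty"` // number of watchers
	// Deprecated: OpenIssues duplicates OpenIssuesCount.
	OpenIssues *int `json:"open_issues,omitempty"`
	// Deprecated: WatchersCount and Watchers are the star count; use StargazersCount.
	WatchersCount *int `json:"watchers_count,omitempty"`
	Watchers      *int `json:"watchers,omitempty"`
}

type OldEvent struct {
	Action     *string   `json:"action,omitempty"`
	Alert      *OldAlert `json:"alert,omitempty"`
	Repository *Repo     `json:"repository,omitempty"`
}

type NewEvent struct {
	Action     *string   `json:"action,omitempty"`
	Alert      *NewAlert `json:"alert,omitempty"`
	Repository *Repo     `json:"repository,omitempty"`
}

// ParseNew is the lenient decode a webhook handler normally does.
func ParseNew(payload []byte) (*NewEvent, error) {
	var ev NewEvent
	if err := json.Unmarshal(payload, &ev); err != nil {
		return nil, err
	}
	return &ev, nil
}

// StrictDecode fails on any field the target struct does not declare, so a
// payload that outgrew the struct surfaces as an error instead of lost data.
func StrictDecode(payload []byte, dst interface{}) error {
	dec := json.NewDecoder(bytes.NewReader(payload))
	dec.DisallowUnknownFields()
	return dec.Decode(dst)
}

func main() {
	ev, _ := ParseNew([]byte(SamplePayload))
	fmt.Println("severity:", *ev.Alert.Severity, "ghsa:", *ev.Alert.GHSAID)
	fmt.Println("old struct, strict decode:", StrictDecode([]byte(SamplePayload), &OldEvent{}))
}
```

Strict decoding is a diagnostic rather than a production setting: GitHub adds fields over time, so a handler that rejects every unknown field would start dropping deliveries. Running it in tests against recorded payloads is what catches the gap this issue describes.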

@gmlewis
Collaborator

gmlewis commented Jun 16, 2021

Thank you, @OhZedTee !

What is the difference between WatchersCount and Watchers, and between OpenIssuesCount and OpenIssues?

I couldn't get your "docs" URL link above to work.

@OhZedTee
Contributor Author

OhZedTee commented Jun 16, 2021

I've updated the link, thank you. I don't see a clear difference; in my testing they seem to have the same value, but I did notice the GitHub API added these new fields. Not sure if they plan to deprecate one or the other, but since I was checking for missing fields in the Repository Vulnerability Alert, I noticed this as well.

In the doc, you'll see the fields in the example Webhook payload right before the sender object.

@gmlewis
Collaborator

gmlewis commented Jun 16, 2021

Weird! If you feel like it, it might be nice to contact GitHub tech support and ask them what the differences are between these fields... If you do that, feel free to report back here as to the differences. Thank you!

@OhZedTee
Contributor Author

OhZedTee commented Jun 16, 2021

Good idea, I'll get in touch.

EDIT: I've opened a support ticket with them to get clarity.

@OhZedTee
Contributor Author

OhZedTee commented Jun 16, 2021

Hi @gmlewis,

I've received a response from GitHub. This is what they had to say verbatim:

> What's going on here is this: sometimes when we deprecate a field, we keep both the new field and the deprecated field in order to prevent introducing breaking changes.
>
> Although I can't provide a lot of context for why, Repository.open_issues is the deprecated field, and Repository.open_issues_count is the current field.
>
> Interestingly, both Repository.watchers and Repository.watchers_count are deprecated, and the current field is actually Repository.stargazers_count.
>
> In short: what used to be known as "Watching" was changed to mean "Starring". As a result of that, watchers, watchers_count and stargazers_count all correspond to the number of users that have starred a repository, while subscribers_count corresponds to the number of watchers.
>
> A bit more context on the watcher/stargazer/subscriber change can be found here:
>
> https://developer.github.com/changes/2012-09-05-watcher-api/

So maybe it's best to add the deprecated field because it's currently there to stay, however, the new field is open_issues_count.

@gmlewis
Collaborator

gmlewis commented Jun 16, 2021

OK, awesome, @OhZedTee !
Thank you so much! Could you please make a PR when you get a chance and label the deprecated fields as deprecated per Go coding guidelines? See: https://blog.golang.org/godoc

Something like:

```go
// Deprecated: OldField old description goes here.
OldField *string `...`
```

@OhZedTee
Contributor Author

Sure, I can do that once this PR and Issue are closed. Would you like a separate associated Issue with that PR? Or is the PR enough?

@gmlewis
Collaborator

gmlewis commented Jun 16, 2021

Just a new PR would be fantastic... you can refer to this issue (probably closed by then) in the description as a reference.

Thank you, @OhZedTee !

@gmlewis
Collaborator

gmlewis commented Jun 16, 2021

Alternatively, you could add the changes to #1898... I'm fine either way... your call.

@OhZedTee
Contributor Author

I'll add it as a new PR for visibility (Issue #1005 / PR #1025 was how I found that the fields were missing in the first place).
