diff --git a/pkg/advisory/diff_test.go b/pkg/advisory/diff_test.go index f19754df..87971ce1 100644 --- a/pkg/advisory/diff_test.go +++ b/pkg/advisory/diff_test.go @@ -40,7 +40,8 @@ func TestIndexDiff(t *testing.T) { }, Advisories: v2.Advisories{ { - ID: "CVE-2023-24535", + ID: "CGA-3333-3333-3333", + Aliases: []string{"CVE-2023-24535"}, Events: []v2.Event{ { Timestamp: v2.Timestamp(now), @@ -85,7 +86,8 @@ func TestIndexDiff(t *testing.T) { Name: "ko", Added: v2.Advisories{ { - ID: "CVE-2023-11111", + ID: "CGA-3333-3333-3333", + Aliases: []string{"CVE-2023-1111"}, Events: []v2.Event{ { Timestamp: v2.Timestamp(now), @@ -127,9 +129,10 @@ func TestIndexDiff(t *testing.T) { Name: "ko", Modified: []DiffResult{ { - ID: "CVE-2023-24535", + ID: "CGA-2222-2222-2222", Added: v2.Advisory{ - ID: "CVE-2023-24535", + ID: "CGA-2222-2222-2222", + Aliases: []string{"CVE-2023-24535"}, Events: []v2.Event{ { Timestamp: unixEpochTimestamp, @@ -138,8 +141,9 @@ func TestIndexDiff(t *testing.T) { }, }, Removed: v2.Advisory{ - ID: "CVE-2023-24535", + ID: "CGA-2222-2222-2222", Aliases: []string{ + "CVE-2023-24535", "GHSA-2222-2222-2222", }, Events: []v2.Event{ @@ -163,9 +167,10 @@ func TestIndexDiff(t *testing.T) { Name: "ko", Modified: []DiffResult{ { - ID: "CVE-2023-11111", + ID: "CGA-3333-3333-3333", Added: v2.Advisory{ - ID: "CVE-2023-11111", + ID: "CGA-3333-3333-3333", + Aliases: []string{"CVE-2023-11111"}, Events: []v2.Event{ { Timestamp: unixEpochTimestamp, @@ -178,7 +183,8 @@ func TestIndexDiff(t *testing.T) { }, }, Removed: v2.Advisory{ - ID: "CVE-2023-11111", + ID: "CGA-3333-3333-3333", + Aliases: []string{"CVE-2023-11111"}, Events: []v2.Event{ { Timestamp: unixEpochTimestamp, diff --git a/pkg/advisory/testdata/diff/added-advisory/a/ko.advisories.yaml b/pkg/advisory/testdata/diff/added-advisory/a/ko.advisories.yaml index 5258893c..f360f4b1 100644 --- a/pkg/advisory/testdata/diff/added-advisory/a/ko.advisories.yaml +++ b/pkg/advisory/testdata/diff/added-advisory/a/ko.advisories.yaml 
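Review bot: In the `@@ -85,7 +86,8 @@` hunk the new alias `CVE-2023-1111` has four digits where the removed ID was `CVE-2023-11111`, and every other alias for this advisory elsewhere in the file keeps five digits, so this reads as a typo rather than an intentional change. The companion fixture `pkg/advisory/testdata/diff/added-advisory/b/ko.advisories.yaml` in this commit carries the same `- CVE-2023-1111`, so the test passes and will not surface it. Change both to `CVE-2023-11111`, or, if the shorter form is deliberate, add a comment to the table entry saying why. The expected value and the fixture are written independently precisely so that one-character drift like this is caught, which is why it is worth fixing now.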
@@ -4,7 +4,9 @@ package: name: ko advisories: - - id: CVE-2023-24535 + - id: CGA-2222-2222-2222 + aliases: + - CVE-2023-24535 events: - timestamp: 1970-01-01T00:00:00Z type: true-positive-determination diff --git a/pkg/advisory/testdata/diff/added-advisory/b/ko.advisories.yaml b/pkg/advisory/testdata/diff/added-advisory/b/ko.advisories.yaml index cfcfffe8..11297cce 100644 --- a/pkg/advisory/testdata/diff/added-advisory/b/ko.advisories.yaml +++ b/pkg/advisory/testdata/diff/added-advisory/b/ko.advisories.yaml @@ -4,12 +4,16 @@ package: name: ko advisories: - - id: CVE-2023-24535 + - id: CGA-2222-2222-2222 + aliases: + - CVE-2023-24535 events: - timestamp: 1970-01-01T00:00:00Z type: true-positive-determination - - id: CVE-2023-11111 + - id: CGA-3333-3333-3333 + aliases: + - CVE-2023-1111 events: - timestamp: 2023-11-11T00:00:00Z type: true-positive-determination diff --git a/pkg/advisory/testdata/diff/added-document/a/kaf.advisories.yaml b/pkg/advisory/testdata/diff/added-document/a/kaf.advisories.yaml index ddafe768..a8cb2cbe 100644 --- a/pkg/advisory/testdata/diff/added-document/a/kaf.advisories.yaml +++ b/pkg/advisory/testdata/diff/added-document/a/kaf.advisories.yaml @@ -4,11 +4,12 @@ package: name: kaf advisories: - - id: CVE-2023-39325 + - id: CGA-2222-2222-2222 aliases: + - CVE-2023-39325 - GHSA-4374-p667-p6c8 events: - timestamp: 2023-10-25T23:52:38Z type: fixed data: - fixed-version: 0.2.6-r6 \ No newline at end of file + fixed-version: 0.2.6-r6 diff --git a/pkg/advisory/testdata/diff/added-document/b/kaf.advisories.yaml b/pkg/advisory/testdata/diff/added-document/b/kaf.advisories.yaml index ddafe768..a8cb2cbe 100644 --- a/pkg/advisory/testdata/diff/added-document/b/kaf.advisories.yaml +++ b/pkg/advisory/testdata/diff/added-document/b/kaf.advisories.yaml 
@@ -4,11 +4,12 @@ package: name: kaf advisories: - - id: CVE-2023-39325 + - id: CGA-2222-2222-2222 aliases: + - CVE-2023-39325 - GHSA-4374-p667-p6c8 events: - timestamp: 2023-10-25T23:52:38Z type: fixed data: - fixed-version: 0.2.6-r6 \ No newline at end of file + fixed-version: 0.2.6-r6 diff --git a/pkg/advisory/testdata/diff/added-document/b/ko.advisories.yaml b/pkg/advisory/testdata/diff/added-document/b/ko.advisories.yaml index 4224bc11..3d3de8d4 100644 --- a/pkg/advisory/testdata/diff/added-document/b/ko.advisories.yaml +++ b/pkg/advisory/testdata/diff/added-document/b/ko.advisories.yaml @@ -4,7 +4,9 @@ package: name: ko advisories: - - id: CVE-2023-24535 + - id: CGA-3333-3333-3333 + aliases: + - CVE-2023-24535 events: - timestamp: 2023-11-11T00:00:00Z - type: true-positive-determination \ No newline at end of file + type: true-positive-determination diff --git a/pkg/advisory/testdata/diff/added-event-fixed/a/ko.advisories.yaml b/pkg/advisory/testdata/diff/added-event-fixed/a/ko.advisories.yaml index fe189a83..64919dde 100644 --- a/pkg/advisory/testdata/diff/added-event-fixed/a/ko.advisories.yaml +++ b/pkg/advisory/testdata/diff/added-event-fixed/a/ko.advisories.yaml @@ -4,7 +4,9 @@ package: name: ko advisories: - - id: CVE-2023-11111 + - id: CGA-2222-2222-2222 + aliases: + - CVE-2023-11111 events: - timestamp: 1970-01-01T00:00:00Z type: true-positive-determination diff --git a/pkg/advisory/testdata/diff/added-event-fixed/a/nonexistent.advisories.yaml b/pkg/advisory/testdata/diff/added-event-fixed/a/nonexistent.advisories.yaml index 391c59e0..8bafabf1 100644 --- a/pkg/advisory/testdata/diff/added-event-fixed/a/nonexistent.advisories.yaml +++ b/pkg/advisory/testdata/diff/added-event-fixed/a/nonexistent.advisories.yaml @@ -4,7 +4,9 @@ package: name: nonexistent advisories: - - id: CVE-2023-33333 + - id: CGA-2323-2323-2323 + aliases: + - CVE-2023-33333 events: - timestamp: 1970-01-01T00:00:00Z type: true-positive-determination 
diff --git a/pkg/advisory/testdata/diff/added-event-fixed/b/ko.advisories.yaml b/pkg/advisory/testdata/diff/added-event-fixed/b/ko.advisories.yaml index 8b8c2c1a..28bf024a 100644 --- a/pkg/advisory/testdata/diff/added-event-fixed/b/ko.advisories.yaml +++ b/pkg/advisory/testdata/diff/added-event-fixed/b/ko.advisories.yaml @@ -4,7 +4,9 @@ package: name: ko advisories: - - id: CVE-2023-11111 + - id: CGA-2222-2222-2222 + aliases: + - CVE-2023-11111 events: - timestamp: 1970-01-01T00:00:00Z type: true-positive-determination diff --git a/pkg/advisory/testdata/diff/added-event-fixed/b/nonexistent.advisories.yaml b/pkg/advisory/testdata/diff/added-event-fixed/b/nonexistent.advisories.yaml index a43a4187..69f3ea49 100644 --- a/pkg/advisory/testdata/diff/added-event-fixed/b/nonexistent.advisories.yaml +++ b/pkg/advisory/testdata/diff/added-event-fixed/b/nonexistent.advisories.yaml @@ -4,7 +4,9 @@ package: name: nonexistent advisories: - - id: CVE-2023-33333 + - id: CGA-2323-2323-2323 + aliases: + - CVE-2023-33333 events: - timestamp: 1970-01-01T00:00:00Z type: true-positive-determination diff --git a/pkg/advisory/testdata/diff/added-event/a/ko.advisories.yaml b/pkg/advisory/testdata/diff/added-event/a/ko.advisories.yaml index fe189a83..ff5b270b 100644 --- a/pkg/advisory/testdata/diff/added-event/a/ko.advisories.yaml +++ b/pkg/advisory/testdata/diff/added-event/a/ko.advisories.yaml @@ -4,7 +4,9 @@ package: name: ko advisories: - - id: CVE-2023-11111 + - id: CGA-3333-3333-3333 + aliases: + - CVE-2023-11111 events: - timestamp: 1970-01-01T00:00:00Z type: true-positive-determination diff --git a/pkg/advisory/testdata/diff/added-event/b/ko.advisories.yaml b/pkg/advisory/testdata/diff/added-event/b/ko.advisories.yaml index 1b8c1052..b4075ab5 100644 --- a/pkg/advisory/testdata/diff/added-event/b/ko.advisories.yaml +++ b/pkg/advisory/testdata/diff/added-event/b/ko.advisories.yaml 
@@ -4,7 +4,9 @@ package: name: ko advisories: - - id: CVE-2023-11111 + - id: CGA-3333-3333-3333 + aliases: + - CVE-2023-11111 events: - timestamp: 1970-01-01T00:00:00Z type: true-positive-determination diff --git a/pkg/advisory/testdata/diff/modified-advisory-outside-of-events/a/ko.advisories.yaml b/pkg/advisory/testdata/diff/modified-advisory-outside-of-events/a/ko.advisories.yaml index e1175a7c..27c42065 100644 --- a/pkg/advisory/testdata/diff/modified-advisory-outside-of-events/a/ko.advisories.yaml +++ b/pkg/advisory/testdata/diff/modified-advisory-outside-of-events/a/ko.advisories.yaml @@ -4,8 +4,9 @@ package: name: ko advisories: - - id: CVE-2023-24535 + - id: CGA-2222-2222-2222 aliases: + - CVE-2023-24535 - GHSA-2222-2222-2222 events: - timestamp: 1970-01-01T00:00:00Z diff --git a/pkg/advisory/testdata/diff/modified-advisory-outside-of-events/b/ko.advisories.yaml b/pkg/advisory/testdata/diff/modified-advisory-outside-of-events/b/ko.advisories.yaml index 5258893c..f360f4b1 100644 --- a/pkg/advisory/testdata/diff/modified-advisory-outside-of-events/b/ko.advisories.yaml +++ b/pkg/advisory/testdata/diff/modified-advisory-outside-of-events/b/ko.advisories.yaml @@ -4,7 +4,9 @@ package: name: ko advisories: - - id: CVE-2023-24535 + - id: CGA-2222-2222-2222 + aliases: + - CVE-2023-24535 events: - timestamp: 1970-01-01T00:00:00Z type: true-positive-determination diff --git a/pkg/advisory/testdata/diff/same/a/kaf.advisories.yaml b/pkg/advisory/testdata/diff/same/a/kaf.advisories.yaml index ddafe768..a8cb2cbe 100644 --- a/pkg/advisory/testdata/diff/same/a/kaf.advisories.yaml +++ b/pkg/advisory/testdata/diff/same/a/kaf.advisories.yaml @@ -4,11 +4,12 @@ package: name: kaf advisories: - - id: CVE-2023-39325 + - id: CGA-2222-2222-2222 aliases: + - CVE-2023-39325 - GHSA-4374-p667-p6c8 events: - timestamp: 2023-10-25T23:52:38Z type: fixed data: - fixed-version: 0.2.6-r6 \ No newline at end of file + fixed-version: 0.2.6-r6 
diff --git a/pkg/advisory/testdata/diff/same/b/kaf.advisories.yaml b/pkg/advisory/testdata/diff/same/b/kaf.advisories.yaml index ddafe768..a8cb2cbe 100644 --- a/pkg/advisory/testdata/diff/same/b/kaf.advisories.yaml +++ b/pkg/advisory/testdata/diff/same/b/kaf.advisories.yaml @@ -4,11 +4,12 @@ package: name: kaf advisories: - - id: CVE-2023-39325 + - id: CGA-2222-2222-2222 aliases: + - CVE-2023-39325 - GHSA-4374-p667-p6c8 events: - timestamp: 2023-10-25T23:52:38Z type: fixed data: - fixed-version: 0.2.6-r6 \ No newline at end of file + fixed-version: 0.2.6-r6 diff --git a/pkg/advisory/testdata/validate/alias-missing-cve/ko.advisories.yaml b/pkg/advisory/testdata/validate/alias-missing-cve/ko.advisories.yaml index 90d7bd1a..653eb2d0 100644 --- a/pkg/advisory/testdata/validate/alias-missing-cve/ko.advisories.yaml +++ b/pkg/advisory/testdata/validate/alias-missing-cve/ko.advisories.yaml @@ -4,7 +4,9 @@ package: name: ko advisories: - - id: GHSA-2222-2222-2222 + - id: CGA-42mf-6jm5-fv45 + aliases: + - GHSA-2222-2222-2222 events: - timestamp: 1970-01-01T00:00:00Z type: true-positive-determination diff --git a/pkg/advisory/testdata/validate/alias-missing-ghsa/ko.advisories.yaml b/pkg/advisory/testdata/validate/alias-missing-ghsa/ko.advisories.yaml index 521cae0b..b1c2f113 100644 --- a/pkg/advisory/testdata/validate/alias-missing-ghsa/ko.advisories.yaml +++ b/pkg/advisory/testdata/validate/alias-missing-ghsa/ko.advisories.yaml @@ -4,7 +4,9 @@ package: name: ko advisories: - - id: CVE-2222-2222 + - id: CGA-42mf-6jm5-fv45 + aliases: + - CVE-2222-2222 events: - timestamp: 1970-01-01T00:00:00Z type: true-positive-determination diff --git a/pkg/advisory/testdata/validate/alias-not-missing/ko.advisories.yaml b/pkg/advisory/testdata/validate/alias-not-missing/ko.advisories.yaml index 5c40b25d..ada719fd 100644 --- a/pkg/advisory/testdata/validate/alias-not-missing/ko.advisories.yaml +++ b/pkg/advisory/testdata/validate/alias-not-missing/ko.advisories.yaml 
@@ -4,8 +4,9 @@ package: name: ko advisories: - - id: CVE-2222-2222 + - id: CGA-42mf-6jm5-fv45 aliases: + - CVE-2222-2222 - GHSA-2222-2222-2222 events: - timestamp: 1970-01-01T00:00:00Z diff --git a/pkg/advisory/testdata/validate/duplicate-advisory-by-id-and-alias/ko.advisories.yaml b/pkg/advisory/testdata/validate/duplicate-advisory-by-id-and-alias/ko.advisories.yaml deleted file mode 100644 index 108dec02..00000000 --- a/pkg/advisory/testdata/validate/duplicate-advisory-by-id-and-alias/ko.advisories.yaml +++ /dev/null @@ -1,19 +0,0 @@ -schema-version: 2.0.1 - -package: - name: ko - -advisories: - - id: GHSA-2222-2222-2222 - events: - - timestamp: 1970-01-01T00:00:00Z - type: true-positive-determination - - - id: CVE-2022-2222 - aliases: - - GHSA-2222-2222-2222 - events: - - timestamp: 1970-01-01T00:00:00Z - type: fixed - data: - fixed-version: 1.0.0-r3 diff --git a/pkg/advisory/testdata/validate/duplicate-advisory-by-id/ko.advisories.yaml b/pkg/advisory/testdata/validate/duplicate-advisory-by-id/ko.advisories.yaml index 6d0fe59d..50dedbc4 100644 --- a/pkg/advisory/testdata/validate/duplicate-advisory-by-id/ko.advisories.yaml +++ b/pkg/advisory/testdata/validate/duplicate-advisory-by-id/ko.advisories.yaml @@ -4,12 +4,12 @@ package: name: ko advisories: - - id: GHSA-2222-2222-2222 + - id: CGA-42mf-6jm5-fv45 events: - timestamp: 1970-01-01T00:00:00Z type: true-positive-determination - - id: GHSA-2222-2222-2222 + - id: CGA-42mf-6jm5-fv45 events: - timestamp: 1970-01-01T00:00:00Z type: fixed diff --git a/pkg/advisory/testdata/validate/file-package-name-mismatch/ko-0.15.advisories.yaml b/pkg/advisory/testdata/validate/file-package-name-mismatch/ko-0.15.advisories.yaml index 5219750b..534d9e41 100644 --- a/pkg/advisory/testdata/validate/file-package-name-mismatch/ko-0.15.advisories.yaml +++ b/pkg/advisory/testdata/validate/file-package-name-mismatch/ko-0.15.advisories.yaml 
@@ -4,12 +4,12 @@ package: name: ko advisories: - - id: GHSA-2222-2222-2222 + - id: CGA-2222-2222-2222 events: - timestamp: 1970-01-01T00:00:00Z type: true-positive-determination - - id: GHSA-3333-3333-3333 + - id: CGA-2222-2222-2222 events: - timestamp: 1970-01-01T00:00:00Z type: fixed diff --git a/pkg/advisory/testdata/validate/no-duplicates/ko.advisories.yaml b/pkg/advisory/testdata/validate/no-duplicates/ko.advisories.yaml index 5219750b..aa7d695b 100644 --- a/pkg/advisory/testdata/validate/no-duplicates/ko.advisories.yaml +++ b/pkg/advisory/testdata/validate/no-duplicates/ko.advisories.yaml @@ -4,12 +4,12 @@ package: name: ko advisories: - - id: GHSA-2222-2222-2222 + - id: CGA-2222-2222-2222 events: - timestamp: 1970-01-01T00:00:00Z type: true-positive-determination - - id: GHSA-3333-3333-3333 + - id: CGA-3333-3333-3333 events: - timestamp: 1970-01-01T00:00:00Z type: fixed diff --git a/pkg/advisory/testdata/validate/package-existence/advisories/ko.advisories.yaml b/pkg/advisory/testdata/validate/package-existence/advisories/ko.advisories.yaml index 521cae0b..81436204 100644 --- a/pkg/advisory/testdata/validate/package-existence/advisories/ko.advisories.yaml +++ b/pkg/advisory/testdata/validate/package-existence/advisories/ko.advisories.yaml @@ -4,7 +4,9 @@ package: name: ko advisories: - - id: CVE-2222-2222 + - id: CGA-2222-2222-2222 + aliases: + - CVE-2222-2222 events: - timestamp: 1970-01-01T00:00:00Z type: true-positive-determination diff --git a/pkg/advisory/testdata/validate/package-existence/advisories/mo.advisories.yaml b/pkg/advisory/testdata/validate/package-existence/advisories/mo.advisories.yaml index 2d18d912..036839b1 100644 --- a/pkg/advisory/testdata/validate/package-existence/advisories/mo.advisories.yaml +++ b/pkg/advisory/testdata/validate/package-existence/advisories/mo.advisories.yaml 
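Review bot: In `file-package-name-mismatch/ko-0.15.advisories.yaml` both advisories now carry the id `CGA-2222-2222-2222`, whereas the sibling `no-duplicates` fixture in this same commit gives its second advisory `CGA-3333-3333-3333`. This fixture exists to exercise the file-name/package-name mismatch check, and it is now also a duplicate-ID document, so a `shouldBeValid: false` expectation would still be met even if the mismatch check stopped working. Unless the duplication is intended, change the second entry to `- id: CGA-3333-3333-3333` so the fixture fails for exactly one reason. The test table for this fixture is not in the diff; if it asserts on the specific error text, this concern does not apply.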
@@ -4,7 +4,9 @@ package: name: mo advisories: - - id: CVE-3333-3333 + - id: CGA-3333-3333-3333 + aliases: + - CVE-3333-3333 events: - timestamp: 1970-01-01T00:00:00Z type: true-positive-determination diff --git a/pkg/advisory/validate.go b/pkg/advisory/validate.go index 088cda27..2a3cd380 100644 --- a/pkg/advisory/validate.go +++ b/pkg/advisory/validate.go 
@@ -269,25 +269,39 @@ func (opts ValidateOptions) validateAliasSetCompleteness(ctx context.Context) er adv := doc.Advisories[i] var advErrs []error - switch { - case strings.HasPrefix(adv.ID, "CVE-"): - ghsas, err := opts.AliasFinder.GHSAsForCVE(ctx, adv.ID) - if err != nil { - return fmt.Errorf("failed to query GHSA aliases for CVE %q: %w", adv.ID, err) - } - for _, ghsa := range ghsas { - if !slices.Contains(adv.Aliases, ghsa) { - advErrs = append(advErrs, fmt.Errorf("missing GHSA alias %q from set [%s]", ghsa, strings.Join(adv.Aliases, ", "))) + for _, a := range adv.Aliases { + switch { + case strings.HasPrefix(a, "CVE-"): + cve := a + ghsas, err := opts.AliasFinder.GHSAsForCVE(ctx, cve) + if err != nil { + return fmt.Errorf("querying GHSA aliases for CVE %q: %w", cve, err) + } + for _, ghsa := range ghsas { + if !slices.Contains(adv.Aliases, ghsa) { + advErrs = append(advErrs, fmt.Errorf( + "missing %q (an alias of %q) from set [%s]", + ghsa, + cve, + strings.Join(adv.Aliases, ", "), + )) + } } - } - case strings.HasPrefix(adv.ID, "GHSA-"): - cve, err := opts.AliasFinder.CVEForGHSA(ctx, adv.ID) - if err != nil { - return fmt.Errorf("failed to query CVE alias for GHSA %q: %w", adv.ID, err) - } - if cve != "" { - advErrs = append(advErrs, fmt.Errorf("%q should be listed as an alias, and %q should be the advisory ID", adv.ID, cve)) + case strings.HasPrefix(a, "GHSA-"): + ghsa := a + cve, err := opts.AliasFinder.CVEForGHSA(ctx, ghsa) + if err != nil { + return fmt.Errorf("querying CVE alias for GHSA %q: %w", ghsa, err) + } + if cve != "" && !slices.Contains(adv.Aliases, cve) { + advErrs = append(advErrs, fmt.Errorf( + "missing %q (an alias of %q) from set [%s]", + cve, + ghsa, + strings.Join(adv.Aliases, ", "), + )) + } } } diff --git a/pkg/advisory/validate_test.go b/pkg/advisory/validate_test.go index 7fe1ae6f..82a6677b 100644 --- a/pkg/advisory/validate_test.go +++ b/pkg/advisory/validate_test.go 
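Review bot: The alias-completeness check now iterates only over `adv.Aliases`, so an advisory whose CGA ID carries no `CVE-` or `GHSA-` alias (only a `GO-` identifier, say, or an empty alias list) falls through the inner `switch` without a single lookup and is treated as complete. Before this change the advisory ID itself was always a CVE or GHSA and anchored at least one query; if an advisory is expected to always name its CVE or GHSA, that invariant should be asserted here or in `Advisory.Validate`, otherwise a comment such as `// Advisories with no CVE/GHSA alias have nothing to cross-check.` would make the gap explicit. The loop also issues one `AliasFinder` call per alias, and a failure on any one of them still aborts validation of the whole document via `return`, so documents with many aliases are now more exposed to a transient lookup error; consider recording the lookup error in `advErrs` for that advisory instead. Relatedly, the `duplicate-advisory-by-id-and-alias` fixture and its test case are deleted in this commit, leaving no coverage for two advisories that claim the same CVE alias under different CGA IDs. The enclosing function starts and ends outside the hunk.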
@@ -288,10 +288,6 @@ func TestValidate(t *testing.T) { name: "duplicate-advisory-by-id", shouldBeValid: false, }, - { - name: "duplicate-advisory-by-id-and-alias", - shouldBeValid: false, - }, { name: "no-duplicates", shouldBeValid: true, diff --git a/pkg/configs/advisory/v2/advisory.go b/pkg/configs/advisory/v2/advisory.go index 3fbcc079..11e38dbb 100644 --- a/pkg/configs/advisory/v2/advisory.go +++ b/pkg/configs/advisory/v2/advisory.go @@ -167,7 +167,7 @@ func (adv Advisory) isFixedVersion(version, packageType string, latest Event) bo func (adv Advisory) Validate() error { return errorhelpers.LabelError(adv.ID, errors.Join( - vuln.ValidateID(adv.ID), + vuln.ValidateCGAID(adv.ID), adv.validateAliases(), adv.validateEvents(), ), diff --git a/pkg/configs/advisory/v2/advisory_test.go b/pkg/configs/advisory/v2/advisory_test.go index 03232eb6..d9093cb7 100644 --- a/pkg/configs/advisory/v2/advisory_test.go +++ b/pkg/configs/advisory/v2/advisory_test.go @@ -16,7 +16,8 @@ func TestAdvisory_Validate(t *testing.T) { { name: "valid", adv: Advisory{ - ID: "CVE-2020-0001", + ID: "CGA-2222-2222-2222", + Aliases: []string{"CVE-2020-0001"}, Events: []Event{ { Timestamp: testTime, @@ -32,8 +33,9 @@ func TestAdvisory_Validate(t *testing.T) { { name: "valid with aliases", adv: Advisory{ - ID: "CVE-2020-0001", + ID: "CGA-2222-2222-2222", Aliases: []string{ + "CVE-2020-0001", "GHSA-5j9q-4xjw-3j3q", "GO-2023-0001", }, @@ -68,8 +70,9 @@ func TestAdvisory_Validate(t *testing.T) { { name: "invalid alias", adv: Advisory{ - ID: "CVE-2020-0001", + ID: "CGA-2222-2222-2222", Aliases: []string{ + "CVE-2020-0001", "DSA-12345678", }, Events: []Event{ @@ -87,7 +90,7 @@ func TestAdvisory_Validate(t *testing.T) { { name: "duplicate aliases", adv: Advisory{ - ID: "CVE-2020-0001", + ID: "CGA-2222-2222-2222", Aliases: []string{ "GHSA-5j9q-4xjw-3j3q", "GHSA-5j9q-4xjw-3j3q", 
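Review bot: `Advisory.Validate` now requires only that `adv.ID` is a CGA ID, and nothing in this hunk or in the updated `TestAdvisory_Validate` entries pins whether an advisory with a CGA ID and no aliases is valid: the `valid` case was given `Aliases: []string{"CVE-2020-0001"}`, so the empty-alias shape is untested. If an advisory must always reference at least one upstream identifier, `adv.validateAliases()` is the place to enforce it; either way add a table entry such as `{name: "CGA ID with no aliases", adv: Advisory{ID: "CGA-2222-2222-2222", Events: ...}, wantErr: ...}` so the intended behaviour is recorded. The body of `validateAliases` is outside the hunk, so this may already be handled there.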
@@ -126,8 +129,9 @@ func TestAdvisory_Validate(t *testing.T) { { name: "CGA ID in alias instead of advisory CVE/GHSA ID", adv: Advisory{ - ID: "CGA-3j9q-4fjf-3jsq", + ID: "CGA-2222-2222-2222", Aliases: []string{ + "CGA-3j9q-4fjf-3jsq", "CVE-2020-0001", "GHSA-5j9q-4xjw-3j3q", }, diff --git a/pkg/configs/advisory/v2/document_test.go b/pkg/configs/advisory/v2/document_test.go index 9958becf..f5f40978 100644 --- a/pkg/configs/advisory/v2/document_test.go +++ b/pkg/configs/advisory/v2/document_test.go @@ -19,7 +19,8 @@ import ( func TestDocument_Validate(t *testing.T) { testTime := Timestamp(time.Date(2022, 9, 26, 0, 0, 0, 0, time.UTC)) testValidAdvisory := Advisory{ - ID: "CVE-2020-0001", + ID: "CGA-2222-2222-2222", + Aliases: []string{"CVE-2020-0001"}, Events: []Event{ { Timestamp: testTime, @@ -122,8 +123,9 @@ func TestDocument_full_coverage(t *testing.T) { }, Advisories: Advisories{ { - ID: "CVE-2000-0001", + ID: "CGA-2222-2222-2222", Aliases: []string{ + "CVE-2000-0001", "GHSA-xxxx-xxxx-xxx9", "GO-2000-0001", }, diff --git a/pkg/configs/advisory/v2/testdata/full.advisories.yaml b/pkg/configs/advisory/v2/testdata/full.advisories.yaml index 84b5b0c1..1ecd9137 100644 --- a/pkg/configs/advisory/v2/testdata/full.advisories.yaml +++ b/pkg/configs/advisory/v2/testdata/full.advisories.yaml @@ -4,8 +4,9 @@ package: name: full advisories: - - id: CVE-2000-0001 + - id: CGA-2222-2222-2222 aliases: + - CVE-2000-0001 - GHSA-xxxx-xxxx-xxx9 - GO-2000-0001 events: diff --git a/pkg/configs/advisory/v2/testdata/future.advisories.yaml b/pkg/configs/advisory/v2/testdata/future.advisories.yaml index 1aa6af95..3a0ef9bb 100644 --- a/pkg/configs/advisory/v2/testdata/future.advisories.yaml +++ b/pkg/configs/advisory/v2/testdata/future.advisories.yaml @@ -4,8 +4,9 @@ package: name: future advisories: - - id: CVE-2000-0001 + - id: CGA-2222-2222-2222 aliases: + - CVE-2000-0001 - GHSA-xxxx-xxxx-xxx9 - GO-2000-0001 - DSA-2000-0001 
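Review bot: The case name `"CGA ID in alias instead of advisory CVE/GHSA ID"` no longer describes the new table entry, whose advisory ID is itself a CGA ID (`CGA-2222-2222-2222`) and which now fails only because `CGA-3j9q-4fjf-3jsq` appears in `Aliases`. Rename it to `name: "CGA ID listed as an alias",` so a failing run reads correctly. Since the `invalid alias` case already covers an unrecognised alias scheme, this entry is the only one documenting that CGA IDs are rejected specifically in the alias list, so the name matters.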
@@ -27,4 +28,3 @@ advisories: data: type: future-false-positive-type note: Something something false positive. - diff --git a/pkg/vuln/id.go b/pkg/vuln/id.go index 74e0feb3..024c278b 100644 --- a/pkg/vuln/id.go +++ b/pkg/vuln/id.go @@ -21,3 +21,12 @@ func ValidateID(id string) error { return nil } + +// ValidateCGAID returns an error if the given ID is not a valid CGA ID. +func ValidateCGAID(id string) error { + if !RegexCGA.MatchString(id) { + return fmt.Errorf("%q is not a valid CGA ID", id) + } + + return nil +} diff --git a/pkg/vuln/id_test.go b/pkg/vuln/id_test.go index 7d9dec1c..fda27944 100644 --- a/pkg/vuln/id_test.go +++ b/pkg/vuln/id_test.go @@ -63,3 +63,40 @@ func TestValidateID(t *testing.T) { }) } } + +func TestValidateCGAID(t *testing.T) { + tests := []struct { + name string + id string + wantErr bool + }{ + { + name: "valid CGA", + id: "CGA-xg8w-q25p-9gcc", + wantErr: false, + }, + { + name: "invalid characters", + id: "CGA-4aj9-honk-9j91", + wantErr: true, + }, + { + name: "valid CVE (but not CGA)", + id: "CVE-2018-9999", + wantErr: true, + }, + { + name: "empty", + id: "", + wantErr: true, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if err := ValidateCGAID(tt.id); (err != nil) != tt.wantErr { + t.Errorf("ValidateCGAID() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +}
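Review bot: `TestValidateCGAID` has no case showing that `RegexCGA` is anchored, so if the pattern lacks `^`/`$` then `ValidateCGAID` accepts an ID with surrounding text and the table still passes. Add entries like `{name: "CGA embedded in longer string", id: "xCGA-xg8w-q25p-9gccx", wantErr: true}` and one with leading or trailing whitespace; `RegexCGA` is defined outside this diff, so the gap may be only in the test, but it is the test that would catch a later regex change. The doc comment on `ValidateCGAID` could also state the accepted shape, e.g. `// ValidateCGAID returns an error if id is not a CGA ID of the form accepted by RegexCGA (e.g. CGA-xg8w-q25p-9gcc).`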