@@ -37,6 +37,7 @@ import (
3737 "golang.org/x/vulndb/internal/cvelistrepo"
3838 "golang.org/x/vulndb/internal/database"
3939 "golang.org/x/vulndb/internal/derrors"
40+ "golang.org/x/vulndb/internal/genericosv"
4041 "golang.org/x/vulndb/internal/ghsa"
4142 "golang.org/x/vulndb/internal/gitrepo"
4243 "golang.org/x/vulndb/internal/issues"
5253 githubToken = flag .String ("ghtoken" , "" , "GitHub access token (default: value of VULN_GITHUB_ACCESS_TOKEN)" )
5354 skipSymbols = flag .Bool ("skip-symbols" , false , "for lint and fix, don't load package for symbols checks" )
5455 skipAlias = flag .Bool ("skip-alias" , false , "for fix, skip adding new GHSAs and CVEs" )
56+ ghsaOSV = flag .Bool ("ghsa-osv" , false , "for create, fetch GHSAs in OSV format (experimental)" )
5557 updateIssue = flag .Bool ("up" , false , "for commit, create a CL that updates (doesn't fix) the tracking bug" )
5658 closedOk = flag .Bool ("closed-ok" , false , "for create & create-excluded, allow closed issues to be created" )
5759 cpuprofile = flag .String ("cpuprofile" , "" , "write cpuprofile to file" )
@@ -478,11 +480,19 @@ func newReport(ctx context.Context, cfg *createCfg, parsed *parsedIssue) (*repor
478480 var r * report.Report
479481 switch {
480482 case len (parsed .ghsas ) > 0 :
481- ghsa , err := cfg .ghsaClient .FetchGHSA (ctx , parsed .ghsas [0 ])
482- if err != nil {
483- return nil , err
483+ if * ghsaOSV {
484+ ghsa , err := genericosv .Fetch (parsed .ghsas [0 ])
485+ if err != nil {
486+ return nil , err
487+ }
488+ r = ghsa .ToReport (parsed .id )
489+ } else {
490+ ghsa , err := cfg .ghsaClient .FetchGHSA (ctx , parsed .ghsas [0 ])
491+ if err != nil {
492+ return nil , err
493+ }
494+ r = report .GHSAToReport (ghsa , parsed .modulePath )
484495 }
485- r = report .GHSAToReport (ghsa , parsed .modulePath )
486496 case len (parsed .cves ) > 0 :
487497 cve , err := cvelistrepo .FetchCVE (ctx , loadCVERepo (ctx ), parsed .cves [0 ])
488498 if err != nil {
0 commit comments