internal/{report, symbols}: various fixes to support automation

Adds a few general improvements to make it more likely that
automation will succeed with no lint/fix errors for UNREVIEWED
reports.

Specifically:
- For CVEs:
    - don't populate a package if it is the same as the module path
    - fix incorrect classification of vulns as affecting stdlib
if their packages don't contain a "." (usually this is a mistake)
- Auto-convert "versions" to "non_go_versions" if none of the versions
exist according to the proxy
- Make error messages for symbol population more specific so it is
more clear what caused the error
- Add an advisory referencing the source ID if not present
- Improve classification of advisories by checking if a CVE/GHSA alias
is actually referenced
- Relax lint checks for unreviewed reports:
    - Unreviewed report summaries do not need to conform to style
    - Unreviewed reports must have at least one advisory, but may have more

Change-Id: I3762202d4eeb60cff3dc407c3f9ab9a208a91134
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/583476
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Damien Neil <[email protected]>

Author: tatianab

internal/cve4/testdata/cve/TestToReport/CVE-2020-9283.txtar

@@ -26,6 +26,7 @@ references:
     - web: https://lists.debian.org/debian-lts-announce/2020/11/msg00027.html
     - web: https://lists.debian.org/debian-lts-announce/2020/11/msg00031.html
     - web: https://lists.debian.org/debian-lts-announce/2023/06/msg00017.html
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-9283
 source:
     id: CVE-2020-9283
     created: 1999-01-01T00:00:00Z

internal/cve4/testdata/cve/TestToReport/CVE-2021-27919.txtar

@@ -22,6 +22,9 @@ references:
     - web: https://lists.fedoraproject.org/archives/list/[email protected]/message/2MU47VKTNXX33ZDLTI2ORRUY3KLJKU6G/
     - web: https://lists.fedoraproject.org/archives/list/[email protected]/message/HM7U5JNS5WU66Q3S26PFIU2ITB2ATTQ4/
     - web: https://security.gentoo.org/glsa/202208-02
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-27919
+notes:
+    - fix: 'std: could not add vulnerable_at: not implemented for std/cmd'
 source:
     id: CVE-2021-27919
     created: 1999-01-01T00:00:00Z

internal/cve4/testdata/cve/TestToReport/CVE-2021-3115.txtar

@@ -24,6 +24,9 @@ references:
     - web: https://lists.fedoraproject.org/archives/list/[email protected]/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/
     - web: https://security.netapp.com/advisory/ntap-20210219-0001/
     - web: https://security.gentoo.org/glsa/202208-02
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-3115
+notes:
+    - fix: 'std: could not add vulnerable_at: not implemented for std/cmd'
 source:
     id: CVE-2021-3115
     created: 1999-01-01T00:00:00Z

internal/cve4/testdata/cve/TestToReport/CVE-2022-39213.txtar

@@ -29,9 +29,10 @@ description: |-
 cves:
     - CVE-2022-39213
 references:
-    - advisory: https://github.com/pandatix/go-cvss/security/advisories/GHSA-xhmf-mmv2-4hhx
+    - web: https://github.com/pandatix/go-cvss/security/advisories/GHSA-xhmf-mmv2-4hhx
     - fix: https://github.com/pandatix/go-cvss/commit/d9d478ff0c13b8b09ace030db9262f3c2fe031f4
     - web: https://github.com/pandatix/go-cvss/blob/master/SECURITY.md
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-39213
 source:
     id: CVE-2022-39213
     created: 1999-01-01T00:00:00Z

internal/cve4/testdata/cve/TestToReport/CVE-2023-29407.txtar

@@ -23,6 +23,7 @@ references:
     - web: https://lists.fedoraproject.org/archives/list/[email protected]/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/
     - web: https://lists.fedoraproject.org/archives/list/[email protected]/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/
     - web: https://lists.fedoraproject.org/archives/list/[email protected]/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-29407
 cve_metadata:
     id: CVE-2023-29407
     cwe: 'CWE-834: Excessive Iteration'

internal/cve4/testdata/cve/TestToReport/CVE-2023-44378.txtar

@@ -24,9 +24,10 @@ description: |-
 cves:
     - CVE-2023-44378
 references:
-    - advisory: https://github.com/Consensys/gnark/security/advisories/GHSA-498w-5j49-vqjg
+    - web: https://github.com/Consensys/gnark/security/advisories/GHSA-498w-5j49-vqjg
     - report: https://github.com/zkopru-network/zkopru/issues/116
     - fix: https://github.com/Consensys/gnark/commit/59a4087261a6c73f13e80d695c17b398c3d0934f
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-44378
 source:
     id: CVE-2023-44378
     created: 1999-01-01T00:00:00Z

internal/cve4/testdata/cve/TestToReport/CVE-2023-45141.txtar

@@ -26,7 +26,8 @@ description: |-
 cves:
     - CVE-2023-45141
 references:
-    - advisory: https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p
+    - web: https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-45141
 source:
     id: CVE-2023-45141
     created: 1999-01-01T00:00:00Z

internal/cve4/testdata/cve/TestToReport/CVE-2023-45283.txtar

@@ -34,9 +34,12 @@ references:
     - fix: https://go.dev/cl/541175
     - web: https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
     - web: http://www.openwall.com/lists/oss-security/2023/12/05/2
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-45283
 cve_metadata:
     id: CVE-2023-45283
     cwe: 'CWE-41: Improper Resolution of Path Equivalence'
+notes:
+    - fix: 'std: could not add vulnerable_at: not implemented for std/cmd'
 source:
     id: CVE-2023-45283
     created: 1999-01-01T00:00:00Z

internal/cve4/testdata/cve/TestToReport/CVE-2023-45285.txtar

@@ -21,9 +21,12 @@ references:
     - web: https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
     - report: https://go.dev/issue/63845
     - fix: https://go.dev/cl/540257
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-45285
 cve_metadata:
     id: CVE-2023-45285
     cwe: 'CWE-636: Not Failing Securely (''Failing Open'')'
+notes:
+    - fix: 'std: could not add vulnerable_at: not implemented for std/cmd'
 source:
     id: CVE-2023-45285
     created: 1999-01-01T00:00:00Z

internal/cve4/testdata/cve/TestToReport/CVE-2023-45286.txtar

@@ -8,7 +8,7 @@ Expected output of TestToReport/CVE-2023-45286.
 id: GO-ID-PENDING
 modules:
     - module: github.com/go-resty/resty/v2
-      vulnerable_at: 2.12.0
+      vulnerable_at: 2.13.1
       packages:
         - package: github.com/go-resty/resty/v2
 summary: CVE-2023-45286 in github.com/go-resty/resty/v2
@@ -26,6 +26,7 @@ references:
     - report: https://github.com/go-resty/resty/issues/743
     - report: https://github.com/go-resty/resty/issues/739
     - fix: https://github.com/go-resty/resty/pull/745
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-45286
 cve_metadata:
     id: CVE-2023-45286
     cwe: 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'

internal/cve4/testdata/proxy/TestToReport.json

@@ -8,11 +8,11 @@
 		"status_code": 200
 	},
 	"github.com/go-resty/resty/v2/@latest": {
-		"body": "{\"Version\":\"v2.12.0\",\"Time\":\"2024-03-17T20:50:19Z\",\"Origin\":{\"VCS\":\"git\",\"URL\":\"https://github.com/go-resty/resty\",\"Ref\":\"refs/tags/v2.12.0\",\"Hash\":\"89d25d9d1aed90c422d5dd816e6788ac4e893def\"}}",
+		"body": "{\"Version\":\"v2.13.1\",\"Time\":\"2024-05-11T01:40:23Z\",\"Origin\":{\"VCS\":\"git\",\"URL\":\"https://github.com/go-resty/resty\",\"Ref\":\"refs/tags/v2.13.1\",\"Hash\":\"baf7c1219b781803557018eba206ad8fa544941f\"}}",
 		"status_code": 200
 	},
 	"github.com/go-resty/resty/v2/@v/list": {
-		"body": "v2.3.0\nv2.2.0\nv2.9.1\nv2.6.0\nv2.0.0-rc.3\nv2.3.0-rc.1\nv2.0.0-rc.1\nv2.0.0-rc.4\nv2.0.0\nv2.4.0\nv2.10.0-rc.1\nv2.12.0\nv2.8.0\nv2.7.0\nv2.10.0-rc.3\nv2.1.0\nv2.10.0\nv2.11.0\nv2.9.0\nv2.0.0-rc.2\nv2.3.0-rc.2\nv2.5.0\nv2.10.0-rc.2\n",
+		"body": "v2.3.0\nv2.13.1\nv2.2.0\nv2.9.1\nv2.6.0\nv2.0.0-rc.3\nv2.13.0\nv2.3.0-rc.1\nv2.0.0-rc.1\nv2.0.0-rc.4\nv2.0.0\nv2.4.0\nv2.10.0-rc.1\nv2.12.0\nv2.8.0\nv2.7.0\nv2.10.0-rc.3\nv2.1.0\nv2.10.0\nv2.11.0\nv2.9.0\nv2.0.0-rc.2\nv2.3.0-rc.2\nv2.5.0\nv2.10.0-rc.2\n",
 		"status_code": 200
 	},
 	"github.com/gofiber/fiber/@latest": {

internal/cve5/report.go

@@ -11,6 +11,7 @@ import (
 	"strings"
 
 	"golang.org/x/vulndb/internal/derrors"
+	"golang.org/x/vulndb/internal/idstr"
 	"golang.org/x/vulndb/internal/report"
 	"golang.org/x/vulndb/internal/stdlib"
 	"golang.org/x/vulndb/internal/version"
@@ -86,7 +87,7 @@ func FromReport(r *report.Report) (_ *CVERecord, err error) {
 		c.References = append(c.References, Reference{URL: ref.URL})
 	}
 	c.References = append(c.References, Reference{
-		URL: report.GoAdvisory(r.ID),
+		URL: idstr.GoAdvisory(r.ID),
 	})
 	for _, ref := range r.CVEMetadata.References {
 		c.References = append(c.References, Reference{URL: ref})
@@ -262,32 +263,37 @@ func affectedToModule(a *Affected, modulePath string) *report.Module {
 		pkgPath = modulePath
 	}
 
-	if stdlib.Contains(pkgPath) {
+	if stdlib.Contains(modulePath) && stdlib.Contains(pkgPath) {
 		if strings.HasPrefix(pkgPath, stdlib.ToolchainModulePath) {
 			modulePath = stdlib.ToolchainModulePath
 		} else {
 			modulePath = stdlib.ModulePath
 		}
 	}
 
-	var symbols []string
-	for _, s := range a.ProgramRoutines {
-		symbols = append(symbols, s.Name)
-	}
-
 	vs, uvs := convertVersions(a.Versions, a.DefaultStatus)
 
-	return &report.Module{
-		Module:              modulePath,
-		Versions:            vs,
-		UnsupportedVersions: uvs,
-		Packages: []*report.Package{
+	// Add a package if we have any meaningful package-level data.
+	var pkgs []*report.Package
+	if pkgPath != modulePath || len(a.ProgramRoutines) != 0 || len(a.Platforms) != 0 {
+		var symbols []string
+		for _, s := range a.ProgramRoutines {
+			symbols = append(symbols, s.Name)
+		}
+		pkgs = []*report.Package{
 			{
 				Package: pkgPath,
 				Symbols: symbols,
 				GOOS:    a.Platforms,
 			},
-		},
+		}
+	}
+
+	return &report.Module{
+		Module:              modulePath,
+		Versions:            vs,
+		UnsupportedVersions: uvs,
+		Packages:            pkgs,
 	}
 }
 
@@ -315,19 +321,21 @@ var (
 )
 
 func toVersionRange(cvr *VersionRange, defaultStatus VersionStatus) (*report.VersionRange, bool) {
+	intro, fixed := version.TrimPrefix(string(cvr.Introduced)), version.TrimPrefix(string(cvr.Fixed))
+
 	// Handle special cases where the info is not quite correctly encoded but
 	// we can still figure out the intent.
 
 	// Case one: introduced version is of the form "<= X, < Y".
-	if m := introducedFixedRE.FindStringSubmatch(string(cvr.Introduced)); len(m) == 3 {
+	if m := introducedFixedRE.FindStringSubmatch(intro); len(m) == 3 {
 		return &report.VersionRange{
 			Introduced: m[1],
 			Fixed:      m[2],
 		}, true
 	}
 
 	// Case two: introduced version is of the form "< Y".
-	if m := fixedRE.FindStringSubmatch(string(cvr.Introduced)); len(m) == 2 {
+	if m := fixedRE.FindStringSubmatch(intro); len(m) == 2 {
 		return &report.VersionRange{
 			Fixed: m[1],
 		}, true
@@ -336,21 +344,20 @@ func toVersionRange(cvr *VersionRange, defaultStatus VersionStatus) (*report.Ver
 	// For now, don't attempt to fix any other messed up cases.
 	if cvr.VersionType != typeSemver ||
 		cvr.LessThanOrEqual != "" ||
-		!version.IsValid(string(cvr.Introduced)) ||
-		!version.IsValid(string(cvr.Fixed)) ||
+		!version.IsValid(intro) ||
+		!version.IsValid(fixed) ||
 		cvr.Status != StatusAffected ||
 		defaultStatus != StatusUnaffected {
 		return nil, false
 	}
 
-	introduced := string(cvr.Introduced)
-	if introduced == "0" {
-		introduced = ""
+	if intro == "0" {
+		intro = ""
 	}
 
 	return &report.VersionRange{
-		Introduced: introduced,
-		Fixed:      string(cvr.Fixed),
+		Introduced: intro,
+		Fixed:      fixed,
 	}, true
 }
 
@@ -360,7 +367,7 @@ func toUnsupported(cvr *VersionRange, defaultStatus VersionStatus) report.Unsupp
 	case cvr.Fixed != "":
 		version = fmt.Sprintf("%s from %s before %s", cvr.Status, cvr.Introduced, cvr.Fixed)
 	case cvr.LessThanOrEqual != "":
-		version = fmt.Sprintf("%s from %s to %s", cvr.Status, cvr.Introduced, cvr.Fixed)
+		version = fmt.Sprintf("%s from %s to %s", cvr.Status, cvr.Introduced, cvr.LessThanOrEqual)
 	default:
 		version = fmt.Sprintf("%s at %s", cvr.Status, cvr.Introduced)
 	}

internal/cve5/testdata/cve/TestToReport/CVE-2020-9283.txtar

@@ -9,8 +9,6 @@ id: GO-ID-PENDING
 modules:
     - module: golang.org/x/crypto
       vulnerable_at: 0.23.0
-      packages:
-        - package: golang.org/x/crypto
 summary: CVE-2020-9283 in golang.org/x/crypto
 description: |-
     golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a
@@ -26,6 +24,7 @@ references:
     - web: https://lists.debian.org/debian-lts-announce/2020/11/msg00027.html
     - web: https://lists.debian.org/debian-lts-announce/2020/11/msg00031.html
     - web: https://lists.debian.org/debian-lts-announce/2023/06/msg00017.html
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-9283
 source:
     id: CVE-2020-9283
     created: 1999-01-01T00:00:00Z

internal/cve5/testdata/cve/TestToReport/CVE-2021-27919.txtar

@@ -22,6 +22,9 @@ references:
     - web: https://lists.fedoraproject.org/archives/list/[email protected]/message/2MU47VKTNXX33ZDLTI2ORRUY3KLJKU6G/
     - web: https://lists.fedoraproject.org/archives/list/[email protected]/message/HM7U5JNS5WU66Q3S26PFIU2ITB2ATTQ4/
     - web: https://security.gentoo.org/glsa/202208-02
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-27919
+notes:
+    - fix: 'std: could not add vulnerable_at: not implemented for std/cmd'
 source:
     id: CVE-2021-27919
     created: 1999-01-01T00:00:00Z

internal/cve5/testdata/cve/TestToReport/CVE-2021-3115.txtar

@@ -24,6 +24,9 @@ references:
     - web: https://lists.fedoraproject.org/archives/list/[email protected]/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/
     - web: https://security.netapp.com/advisory/ntap-20210219-0001/
     - web: https://security.gentoo.org/glsa/202208-02
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-3115
+notes:
+    - fix: 'cmd: could not add vulnerable_at: not implemented for std/cmd'
 source:
     id: CVE-2021-3115
     created: 1999-01-01T00:00:00Z

internal/cve5/testdata/cve/TestToReport/CVE-2022-39213.txtar

@@ -12,8 +12,6 @@ modules:
         - introduced: 0.2.0
           fixed: 0.4.0
       vulnerable_at: 0.3.0
-      packages:
-        - package: github.com/pandatix/go-cvss
 summary: Out-of-bounds Read in go-cvss in github.com/pandatix/go-cvss
 description: |-
     go-cvss is a Go module to manipulate Common Vulnerability Scoring System (CVSS).
@@ -32,9 +30,10 @@ description: |-
 cves:
     - CVE-2022-39213
 references:
-    - advisory: https://github.com/pandatix/go-cvss/security/advisories/GHSA-xhmf-mmv2-4hhx
+    - web: https://github.com/pandatix/go-cvss/security/advisories/GHSA-xhmf-mmv2-4hhx
     - fix: https://github.com/pandatix/go-cvss/commit/d9d478ff0c13b8b09ace030db9262f3c2fe031f4
     - web: https://github.com/pandatix/go-cvss/blob/master/SECURITY.md
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-39213
 source:
     id: CVE-2022-39213
     created: 1999-01-01T00:00:00Z

internal/cve5/testdata/cve/TestToReport/CVE-2023-29407.txtar

@@ -33,6 +33,7 @@ references:
     - web: https://lists.fedoraproject.org/archives/list/[email protected]/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/
     - web: https://lists.fedoraproject.org/archives/list/[email protected]/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/
     - web: https://lists.fedoraproject.org/archives/list/[email protected]/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-29407
 cve_metadata:
     id: CVE-2023-29407
     cwe: 'CWE-834: Excessive Iteration'

internal/cve5/testdata/cve/TestToReport/CVE-2023-44378.txtar

@@ -11,8 +11,6 @@ modules:
       versions:
         - fixed: 0.9.0
       vulnerable_at: 0.9.0-alpha
-      packages:
-        - package: github.com/consensys/gnark
 summary: |-
     gnark vulnerable to unsoundness in variable comparison/non-unique binary
     decomposition in github.com/consensys/gnark
@@ -28,9 +26,10 @@ description: |-
 cves:
     - CVE-2023-44378
 references:
-    - advisory: https://github.com/Consensys/gnark/security/advisories/GHSA-498w-5j49-vqjg
+    - web: https://github.com/Consensys/gnark/security/advisories/GHSA-498w-5j49-vqjg
     - report: https://github.com/zkopru-network/zkopru/issues/116
     - fix: https://github.com/Consensys/gnark/commit/59a4087261a6c73f13e80d695c17b398c3d0934f
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-44378
 source:
     id: CVE-2023-44378
     created: 1999-01-01T00:00:00Z

internal/cve5/testdata/cve/TestToReport/CVE-2023-45141.txtar

@@ -8,10 +8,9 @@ Expected output of TestToReport/CVE-2023-45141.
 id: GO-ID-PENDING
 modules:
     - module: github.com/gofiber/fiber
-      versions:
+      non_go_versions:
         - fixed: 2.50.0
-      packages:
-        - package: github.com/gofiber/fiber
+      vulnerable_at: 1.14.6
 summary: CSRF Token Validation Vulnerability in fiber in github.com/gofiber/fiber
 description: |-
     Fiber is an express inspired web framework written in Go. A Cross-Site Request
@@ -27,7 +26,8 @@ description: |-
 cves:
     - CVE-2023-45141
 references:
-    - advisory: https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p
+    - web: https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-45141
 source:
     id: CVE-2023-45141
     created: 1999-01-01T00:00:00Z

internal/cve5/testdata/cve/TestToReport/CVE-2023-45283.txtar

@@ -93,11 +93,15 @@ references:
     - fix: https://go.dev/cl/541175
     - web: https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
     - web: http://www.openwall.com/lists/oss-security/2023/12/05/2
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-45283
 cve_metadata:
     id: CVE-2023-45283
     cwe: 'CWE-41: Improper Resolution of Path Equivalence'
 notes:
     - fix: 'module merge error: could not merge versions of module std: range events must be in strictly ascending order (found 1.20.11>=1.20.11)'
+    - fix: 'std: could not add vulnerable_at: not implemented for std/cmd'
+    - fix: 'std: could not add vulnerable_at: not implemented for std/cmd'
+    - fix: 'std: could not add vulnerable_at: not implemented for std/cmd'
 source:
     id: CVE-2023-45283
     created: 1999-01-01T00:00:00Z

internal/cve5/testdata/cve/TestToReport/CVE-2023-45285.txtar

@@ -27,9 +27,12 @@ references:
     - web: https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
     - report: https://go.dev/issue/63845
     - fix: https://go.dev/cl/540257
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-45285
 cve_metadata:
     id: CVE-2023-45285
     cwe: 'CWE-636: Not Failing Securely (''Failing Open'')'
+notes:
+    - fix: 'cmd: could not add vulnerable_at: not implemented for std/cmd'
 source:
     id: CVE-2023-45285
     created: 1999-01-01T00:00:00Z