x/vulndb: add link to importers of a package in new automated issues

Tatiana Bradley · Tatiana Bradley · commit 421e78b1885e · 2022-04-26T19:05:50.000Z
The worker now includes a link in the automated issue description to pkg.go.dev/?tab=importedby for the affected module, as a starting point in detecting false positive vulnerability reports. For golang/go#51944 Change-Id: I3caaaba69c07e7a3e24977cf5ea5e92559ce8628 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/402394 Reviewed-by: Julie Qiu <julieqiu@google.com>
diff --git a/internal/worker/worker.go b/internal/worker/worker.go
@@ -301,6 +301,7 @@ func newCVEBody(sr storeRecord) (string, error) {
 	if r.Links.PR != "" {
 		fmt.Fprintf(&intro, "\n- PR: %s", r.Links.PR)
 	}
+	fmt.Fprintf(&intro, "\n- Imported by: https://pkg.go.dev/%s?tab=importedby", cr.Module)
 	for _, l := range r.Links.Context {
 		fmt.Fprintf(&intro, "\n- %s", l)
 	}
diff --git a/internal/worker/worker_test.go b/internal/worker/worker_test.go
@@ -227,6 +227,7 @@ a description
 Links:
 - NIST: https://nvd.nist.gov/vuln/detail/ID1
 - JSON: https://github.com/CVEProject/cvelist/tree//
+- Imported by: https://pkg.go.dev/a.Module?tab=importedby
 
 See [doc/triage.md](https://github.com/golang/vulndb/blob/master/doc/triage.md) for instructions on how to triage this report.
 

Original file line number	Diff line number	Diff line change
`@@ -301,6 +301,7 @@ func newCVEBody(sr storeRecord) (string, error) {`
`301`	`301`	`if r.Links.PR != "" {`
`302`	`302`	`fmt.Fprintf(&intro, "\n- PR: %s", r.Links.PR)`
`303`	`303`	`}`
	`304`	`+ fmt.Fprintf(&intro, "\n- Imported by: https://pkg.go.dev/%s?tab=importedby", cr.Module)`
`304`	`305`	`for _, l := range r.Links.Context {`
`305`	`306`	`fmt.Fprintf(&intro, "\n- %s", l)`
`306`	`307`	`}`