cmd/vulnreport: move find GHSA logic to newReport

This allows us to re-use the addGHSA function. Note this does slightly
change the behavior of vulnreport create, as the added GHSAs are not
taken into account when initially creating the report. This does not
matter much with the current implementation, as we arbitrarily choose
one alias to create the report based on.

Change-Id: Ia99eac8aaec603f5fd44f7b9d017957f8147fe06
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/467295
Reviewed-by: Tim King <[email protected]>
Run-TryBot: Tatiana Bradley <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: David Chase <[email protected]>

Author: tatianab

cmd/vulnreport/main.go

@@ -293,18 +293,6 @@ func createReport(ctx context.Context, cfg *createCfg, iss *issues.Issue) (r *re
 	if err != nil {
 		return nil, err
 	}
-	if len(parsed.ghsas) == 0 && len(parsed.cves) > 0 {
-		for _, cve := range parsed.cves {
-			sas, err := cfg.ghsaClient.ListForCVE(ctx, cve)
-			if err != nil {
-				return nil, err
-			}
-			for _, sa := range sas {
-				parsed.ghsas = append(parsed.ghsas, sa.ID)
-			}
-		}
-		parsed.ghsas = dedupeAndSort(parsed.ghsas)
-	}
 
 	r, err = newReport(ctx, cfg, parsed)
 	if err != nil {
@@ -449,6 +437,8 @@ func newReport(ctx context.Context, cfg *createCfg, parsed *parsedIssue) (*repor
 		r = &report.Report{}
 	}
 
+	addGHSAs(ctx, r, cfg.ghsaClient)
+
 	// Fill an any CVEs and GHSAs we found that may have been missed
 	// in report creation.
 	r.CVEs = dedupeAndSort(append(r.CVEs, parsed.cves...))