internal/report: strip the major version from module path when fixing summary

tatianab · tatianab · commit e5d28b9f46bc · 2024-07-29T18:12:07.000Z
It is not always clear which major version is best to list in the summary, so just pick the base module if we are automatically creating the summary. (For REVIEWED reports, the triager can pick the best major version). Change-Id: Ifee6380136f59e9a67ef31734b0e00986340fe6d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/600478 Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/internal/cve4/testdata/cve/TestToReport/CVE-2023-45286.txtar b/internal/cve4/testdata/cve/TestToReport/CVE-2023-45286.txtar
@@ -33,7 +33,7 @@ modules:
       vulnerable_at: 2.13.1
       packages:
         - package: github.com/go-resty/resty/v2
-summary: CVE-2023-45286 in github.com/go-resty/resty/v2
+summary: CVE-2023-45286 in github.com/go-resty/resty
 description: |-
     A race condition in go-resty can result in HTTP request body disclosure across
     requests. This condition can be triggered by calling sync.Pool.Put with the same
diff --git a/internal/cve5/testdata/cve/TestToReport/CVE-2024-21527.txtar b/internal/cve5/testdata/cve/TestToReport/CVE-2024-21527.txtar
@@ -13,7 +13,7 @@ modules:
       versions:
         - fixed: 8.1.0
       vulnerable_at: 8.0.3
-summary: CVE-2024-21527 in github.com/gotenberg/gotenberg/v7
+summary: CVE-2024-21527 in github.com/gotenberg/gotenberg
 cves:
     - CVE-2024-21527
 credits:
@@ -51,7 +51,7 @@ modules:
       vulnerable_at: 8.0.3
       packages:
         - package: github.com/gotenberg/gotenberg/v8/pkg/modules/webhook
-summary: CVE-2024-21527 in github.com/gotenberg/gotenberg/v8
+summary: CVE-2024-21527 in github.com/gotenberg/gotenberg
 description: |-
     Versions of the package github.com/gotenberg/gotenberg/v8/pkg/gotenberg before
     8.1.0; versions of the package
diff --git a/internal/genericosv/testdata/yaml/GHSA-m99c-q26r-m7m7_REVIEWED.yaml b/internal/genericosv/testdata/yaml/GHSA-m99c-q26r-m7m7_REVIEWED.yaml
@@ -10,7 +10,7 @@ modules:
       vulnerable_at: 13.0.2
       packages:
         - package: github.com/evmos/evmos/v13/x/vesting
-summary: Evmos vulnerable to unauthorized account creation with vesting module in github.com/evmos/evmos/v13
+summary: Evmos vulnerable to unauthorized account creation with vesting module in github.com/evmos/evmos
 description: |-
     ### Impact _What kind of vulnerability is it? Who is impacted?_
 
diff --git a/internal/genericosv/testdata/yaml/GHSA-v6rw-hhgg-wc4x_REVIEWED.yaml b/internal/genericosv/testdata/yaml/GHSA-v6rw-hhgg-wc4x_REVIEWED.yaml
@@ -6,7 +6,7 @@ modules:
       versions:
         - fixed: 12.0.0
       vulnerable_at: 12.0.0-rc4
-summary: Evmos vulnerable to DOS and transaction fee expropriation through Authz exploit in github.com/evmos/evmos/v11
+summary: Evmos vulnerable to DOS and transaction fee expropriation through Authz exploit in github.com/evmos/evmos
 description: |-
     ## Impact _What kind of vulnerability is it? Who is impacted?_
 
diff --git a/internal/report/fix.go b/internal/report/fix.go
@@ -58,12 +58,20 @@ func (r *Report) fixSummary() {
 
 	// Add a path if one exists and is needed.
 	if paths := r.nonStdPaths(); len(paths) > 0 && !containsPath(summary, paths) {
-		summary = fmt.Sprintf("%s in %s", summary, paths[0])
+		summary = fmt.Sprintf("%s in %s", summary, stripMajor(paths[0]))
 	}
 
 	r.Summary = Summary(fixSpelling(summary))
 }
 
+func stripMajor(path string) string {
+	base, _, ok := module.SplitPathVersion(path)
+	if !ok {
+		return path
+	}
+	return base
+}
+
 func (v *Version) commitHashToVersion(modulePath string, pc *proxy.Client) {
 	if v == nil {
 		return
