cmd/vulnreport, internal/report: add support for summary field in YAML

Adds a field, "summary", which corresponds to the OSV "summary" and
CVE "title" field. This field is pulled automatically from GHSAs in
"vulnreport create".

Currently, this field is not required and is not
populated in the OSV/CVE conversion. Introducing it now will make
it easier for us to begin publishing this field later, to reduce
the backfill burden.

For golang/go#56443

Change-Id: Ib93efad656daeac4b13a97d83d46952dbced14b5
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/475336
Reviewed-by: Julie Qiu <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
Run-TryBot: Tatiana Bradley <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

Author: tatianab

cmd/vulnreport/main.go

@@ -561,6 +561,9 @@ func addTODOs(r *report.Report) {
 			}
 		}
 	}
+	if r.Summary == "" {
+		r.Summary = "TODO: add a short (one phrase) summary"
+	}
 	if r.Description == "" {
 		r.Description = todo
 	}

internal/report/ghsa.go

@@ -14,6 +14,7 @@ import (
 // GHSAToReport creates a Report struct from a given GHSA SecurityAdvisory and modulePath.
 func GHSAToReport(sa *ghsa.SecurityAdvisory, modulePath string) *Report {
 	r := &Report{
+		Summary:     sa.Summary,
 		Description: sa.Description,
 	}
 	var cves, ghsas []string

internal/report/report.go

@@ -184,6 +184,9 @@ type Report struct {
 
 	Modules []*Module `yaml:",omitempty"`
 
+	// Summary is a short phrase describing the vulnerability.
+	Summary string `yaml:",omitempty"`
+
 	// Description is the CVE description from an existing CVE. If we are
 	// assigning a CVE ID ourselves, use CVEMetadata.Description instead.
 	Description string     `yaml:",omitempty"`