cmd/vulnreport: consider withdrawn status in vulnreport create commands

When converting from GHSA OSV to YAML, preserve the withdrawn status,
and consider it in the "create-like" commands of vulnreport:

 - for create, create-excluded, and unexclude, error if a report is
   withdrawn (there is no need to publish a new withdrawn report)
 - for regen, allow a withdrawn report (this allows us to withdraw
   published UNREVIEWED reports that were later withdrawn by the source)

Change-Id: Ifafd543c7620418280d6312cb7fedf558e46d04f
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606356
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Tatiana Bradley <[email protected]>
Reviewed-by: Damien Neil <[email protected]>

cmd/vulnreport/create.go

@@ -43,5 +43,5 @@ func (c *create) close() error {
 
 func (c *create) run(ctx context.Context, input any) error {
 	iss := input.(*issues.Issue)
-	return c.reportFromIssue(ctx, iss)
+	return c.newReportFromIssue(ctx, iss)
 }

cmd/vulnreport/create_excluded.go

@@ -46,7 +46,7 @@ func (c *createExcluded) setup(ctx context.Context, env environment) error {
 
 func (c *createExcluded) run(ctx context.Context, input any) (err error) {
 	iss := input.(*issues.Issue)
-	return c.reportFromIssue(ctx, iss)
+	return c.newReportFromIssue(ctx, iss)
 }
 
 func (c *createExcluded) skip(input any) string {

cmd/vulnreport/creator.go

@@ -95,7 +95,7 @@ func skip(iss *issues.Issue, x *xrefer) string {
 	return ""
 }
 
-func (c *creator) reportFromIssue(ctx context.Context, iss *issues.Issue) error {
+func (c *creator) newReportFromIssue(ctx context.Context, iss *issues.Issue) error {
 	r, err := c.reportFromMeta(ctx, &reportMeta{
 		id:           iss.NewGoID(),
 		excluded:     excludedReason(iss),
@@ -107,6 +107,9 @@ func (c *creator) reportFromIssue(ctx context.Context, iss *issues.Issue) error
 	if err != nil {
 		return err
 	}
+	if r.Withdrawn != nil {
+		return fmt.Errorf("new report should not be created for withdrawn vulnerability; close issue #%d as excluded:OUT_OF_SCOPE instead", iss.Number)
+	}
 	return c.write(ctx, r)
 }
 

cmd/vulnreport/unexclude.go

@@ -72,6 +72,10 @@ func (u *unexclude) run(ctx context.Context, input any) (err error) {
 	if err != nil {
 		return err
 	}
+	if r.Withdrawn != nil {
+		_, _, issNum, _ := report.ParseFilepath(oldR.Filename)
+		return fmt.Errorf("unexcluded report should not be created for withdrawn vulnerability; delete excluded report %s and mark issue #%d as excluded:OUT_OF_SCOPE instead", oldR.Filename, issNum)
+	}
 	r.Unexcluded = oldR.Excluded
 	if err := u.write(ctx, r); err != nil {
 		return err

internal/genericosv/report.go

@@ -17,10 +17,10 @@ import (
 var _ report.Source = &Entry{}
 
 // ToReport converts OSV into a Go Report with the given ID.
-func (osv *Entry) ToReport(*proxy.Client, string) *report.Report {
+func (e *Entry) ToReport(*proxy.Client, string) *report.Report {
 	r := &report.Report{
-		Summary:     report.Summary(osv.Summary),
-		Description: report.Description(osv.Details),
+		Summary:     report.Summary(e.Summary),
+		Description: report.Description(e.Details),
 	}
 	addAlias := func(alias string) {
 		switch {
@@ -34,18 +34,23 @@ func (osv *Entry) ToReport(*proxy.Client, string) *report.Report {
 			r.UnknownAliases = append(r.UnknownAliases, alias)
 		}
 	}
-	addAlias(osv.ID)
-	for _, alias := range osv.Aliases {
+	addAlias(e.ID)
+	for _, alias := range e.Aliases {
 		addAlias(alias)
 	}
 
-	r.Modules = affectedToModules(osv.Affected)
+	r.Modules = affectedToModules(e.Affected)
 
-	for _, ref := range osv.References {
+	for _, ref := range e.References {
 		r.References = append(r.References, convertRef(ref))
 	}
 
-	r.Credits = convertCredits(osv.Credits)
+	r.Credits = convertCredits(e.Credits)
+
+	if e.IsWithdrawn() {
+		r.Withdrawn = &osv.Time{Time: e.Withdrawn}
+	}
+
 	return r
 }