internal/report: make check for Go CNA more robust in cve-to-report

Instead of checking if the CVE is for a first party module, check
directly who assigned the CVE. That way we can decide correctly
when to populate "cve_metadata" vs. "cves".

Change-Id: Ic2ff5fbf0f380b2ae77decc290a341c888624e97
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/547976
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Damien Neil <[email protected]>

internal/report/cve.go

@@ -81,22 +81,30 @@ func cveToReport(c *cveschema.CVE, id, modulePath string) *Report {
 		Credits:     credits,
 		References:  refs,
 	}
-	r.addCVE(c.Metadata.ID, modulePath)
+	r.addCVE(c.Metadata.ID, getCWE(c), isGoCNA(c))
 	return r
 }
 
-func (r *Report) addCVE(cveID, modulePath string) {
-	// New standard library and x/ repo CVEs are likely maintained by
-	// the Go CNA.
-	if stdlib.IsStdModule(modulePath) || stdlib.IsCmdModule(modulePath) ||
-		stdlib.IsXModule(modulePath) {
+func getCWE(c *cveschema.CVE) string {
+	if len(c.ProblemType.Data) == 0 || len(c.ProblemType.Data[0].Description) == 0 {
+		return ""
+	}
+	return c.ProblemType.Data[0].Description[0].Value
+}
+
+func isGoCNA(c *cveschema.CVE) bool {
+	return c.Assigner == "[email protected]"
+}
+
+func (r *Report) addCVE(cveID, cwe string, isGoCNA bool) {
+	if isGoCNA {
 		r.CVEMetadata = &CVEMeta{
 			ID:  cveID,
-			CWE: "TODO",
+			CWE: cwe,
 		}
-	} else {
-		r.CVEs = append(r.CVEs, cveID)
+		return
 	}
+	r.CVEs = append(r.CVEs, cveID)
 }
 
 func CVE5ToReport(c *cveschema5.CVERecord, id, modulePath string, pc *proxy.Client) *Report {
@@ -163,6 +171,17 @@ func cve5ToReport(c *cveschema5.CVERecord, id, modulePath string) *Report {
 		References:  refs,
 	}
 
-	r.addCVE(c.Metadata.ID, modulePath)
+	r.addCVE(c.Metadata.ID, getCWE5(&cna), isGoCNA5(&cna))
 	return r
 }
+
+func getCWE5(c *cveschema5.CNAPublishedContainer) string {
+	if len(c.ProblemTypes) == 0 || len(c.ProblemTypes[0].Descriptions) == 0 {
+		return ""
+	}
+	return c.ProblemTypes[0].Descriptions[0].Description
+}
+
+func isGoCNA5(c *cveschema5.CNAPublishedContainer) bool {
+	return c.ProviderMetadata.OrgID == GoOrgUUID
+}

internal/report/testdata/cve/TestCVE5ToReport/CVE-2020-9283.txtar

@@ -12,13 +12,12 @@ modules:
         - package: n/a
 description: |
     golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.
+cves:
+    - CVE-2020-9283
 references:
     - web: https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY
     - web: http://packetstormsecurity.com/files/156480/Go-SSH-0.0.2-Denial-Of-Service.html
     - web: https://lists.debian.org/debian-lts-announce/2020/10/msg00014.html
     - web: https://lists.debian.org/debian-lts-announce/2020/11/msg00027.html
     - web: https://lists.debian.org/debian-lts-announce/2020/11/msg00031.html
     - web: https://lists.debian.org/debian-lts-announce/2023/06/msg00017.html
-cve_metadata:
-    id: CVE-2020-9283
-    cwe: TODO

internal/report/testdata/cve/TestCVE5ToReport/CVE-2021-27919.txtar

@@ -12,11 +12,10 @@ modules:
         - package: archive/zip
 description: |
     archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename.
+cves:
+    - CVE-2021-27919
 references:
     - web: https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw
     - web: https://lists.fedoraproject.org/archives/list/[email protected]/message/2MU47VKTNXX33ZDLTI2ORRUY3KLJKU6G/
     - web: https://lists.fedoraproject.org/archives/list/[email protected]/message/HM7U5JNS5WU66Q3S26PFIU2ITB2ATTQ4/
     - web: https://security.gentoo.org/glsa/202208-02
-cve_metadata:
-    id: CVE-2021-27919
-    cwe: TODO

internal/report/testdata/cve/TestCVE5ToReport/CVE-2021-3115.txtar

@@ -12,12 +12,11 @@ modules:
         - package: cmd/go
 description: |
     Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
+cves:
+    - CVE-2021-3115
 references:
     - web: https://groups.google.com/g/golang-announce/c/mperVMGa98w
     - web: https://blog.golang.org/path-security
     - web: https://lists.fedoraproject.org/archives/list/[email protected]/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/
     - web: https://security.netapp.com/advisory/ntap-20210219-0001/
     - web: https://security.gentoo.org/glsa/202208-02
-cve_metadata:
-    id: CVE-2021-3115
-    cwe: TODO

internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-29407.txtar

@@ -25,4 +25,4 @@ references:
     - web: https://lists.fedoraproject.org/archives/list/[email protected]/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/
 cve_metadata:
     id: CVE-2023-29407
-    cwe: TODO
+    cwe: 'CWE-834: Excessive Iteration'

internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45283.txtar

@@ -24,4 +24,4 @@ references:
     - web: http://www.openwall.com/lists/oss-security/2023/12/05/2
 cve_metadata:
     id: CVE-2023-45283
-    cwe: TODO
+    cwe: 'CWE-41: Improper Resolution of Path Equivalence'

internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45285.txtar

@@ -22,4 +22,4 @@ references:
     - web: https://pkg.go.dev/vuln/GO-2023-2383
 cve_metadata:
     id: CVE-2023-45285
-    cwe: TODO
+    cwe: 'CWE-636: Not Failing Securely (''Failing Open'')'

internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45286.txtar

@@ -13,12 +13,13 @@ modules:
 summary: HTTP request body disclosure in github.com/go-resty/resty/v2
 description: |
     A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.
-cves:
-    - CVE-2023-45286
 credits:
     - Logan Attwood (@lattwood)
 references:
     - report: https://github.com/go-resty/resty/issues/743
     - report: https://github.com/go-resty/resty/issues/739
     - fix: https://github.com/go-resty/resty/pull/745
     - web: https://pkg.go.dev/vuln/GO-2023-2328
+cve_metadata:
+    id: CVE-2023-45286
+    cwe: 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'

internal/report/testdata/cve/TestCVEToReport/CVE-2020-9283.txtar

@@ -12,13 +12,12 @@ modules:
         - package: n/a
 description: |
     golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.
+cves:
+    - CVE-2020-9283
 references:
     - web: https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY
     - web: http://packetstormsecurity.com/files/156480/Go-SSH-0.0.2-Denial-Of-Service.html
     - web: https://lists.debian.org/debian-lts-announce/2020/10/msg00014.html
     - web: https://lists.debian.org/debian-lts-announce/2020/11/msg00027.html
     - web: https://lists.debian.org/debian-lts-announce/2020/11/msg00031.html
     - web: https://lists.debian.org/debian-lts-announce/2023/06/msg00017.html
-cve_metadata:
-    id: CVE-2020-9283
-    cwe: TODO

internal/report/testdata/cve/TestCVEToReport/CVE-2021-27919.txtar

@@ -12,11 +12,10 @@ modules:
         - package: archive/zip
 description: |
     archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename.
+cves:
+    - CVE-2021-27919
 references:
     - web: https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw
     - web: https://lists.fedoraproject.org/archives/list/[email protected]/message/2MU47VKTNXX33ZDLTI2ORRUY3KLJKU6G/
     - web: https://lists.fedoraproject.org/archives/list/[email protected]/message/HM7U5JNS5WU66Q3S26PFIU2ITB2ATTQ4/
     - web: https://security.gentoo.org/glsa/202208-02
-cve_metadata:
-    id: CVE-2021-27919
-    cwe: TODO

internal/report/testdata/cve/TestCVEToReport/CVE-2021-3115.txtar

@@ -12,12 +12,11 @@ modules:
         - package: cmd/go
 description: |
     Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
+cves:
+    - CVE-2021-3115
 references:
     - web: https://groups.google.com/g/golang-announce/c/mperVMGa98w
     - web: https://blog.golang.org/path-security
     - web: https://lists.fedoraproject.org/archives/list/[email protected]/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/
     - web: https://security.netapp.com/advisory/ntap-20210219-0001/
     - web: https://security.gentoo.org/glsa/202208-02
-cve_metadata:
-    id: CVE-2021-3115
-    cwe: TODO

internal/report/testdata/cve/TestCVEToReport/CVE-2023-29407.txtar

@@ -22,4 +22,4 @@ references:
     - web: https://lists.fedoraproject.org/archives/list/[email protected]/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/
 cve_metadata:
     id: CVE-2023-29407
-    cwe: TODO
+    cwe: 'CWE-834: Excessive Iteration'

internal/report/testdata/cve/TestCVEToReport/CVE-2023-45283.txtar

@@ -23,4 +23,4 @@ references:
     - web: http://www.openwall.com/lists/oss-security/2023/12/05/2
 cve_metadata:
     id: CVE-2023-45283
-    cwe: TODO
+    cwe: 'CWE-41: Improper Resolution of Path Equivalence'

internal/report/testdata/cve/TestCVEToReport/CVE-2023-45285.txtar

@@ -19,4 +19,4 @@ references:
     - web: https://pkg.go.dev/vuln/GO-2023-2383
 cve_metadata:
     id: CVE-2023-45285
-    cwe: TODO
+    cwe: 'CWE-636: Not Failing Securely (''Failing Open'')'

internal/report/testdata/cve/TestCVEToReport/CVE-2023-45286.txtar

@@ -12,10 +12,11 @@ modules:
         - package: github.com/go-resty/resty/v2
 description: |
     A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.
-cves:
-    - CVE-2023-45286
 references:
     - report: https://github.com/go-resty/resty/issues/743
     - report: https://github.com/go-resty/resty/issues/739
     - fix: https://github.com/go-resty/resty/pull/745
     - web: https://pkg.go.dev/vuln/GO-2023-2328
+cve_metadata:
+    id: CVE-2023-45286
+    cwe: 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'