cmd/vulnreport: add command vulnreport withdraw

Adds a command that makes it easier to withdraw an
existing report.

Usage:

$ vulnreport -reason="..." withdraw NNN

Change-Id: Iabe6c1a4b0d0ce15692bb6be743876a790dec437
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595996
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Damien Neil <[email protected]>

Author: tatianab

cmd/vulnreport/main.go

@@ -60,6 +60,7 @@ var commands = map[string]command{
 	"symbols":         &symbolsCmd{},
 	"osv":             &osvCmd{},
 	"unexclude":       &unexclude{},
+	"withdraw":        &withdraw{},
 	"xref":            &xref{},
 }
 

cmd/vulnreport/withdraw.go

@@ -0,0 +1,70 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"time"
+
+	"golang.org/x/vulndb/internal/osv"
+	"golang.org/x/vulndb/internal/report"
+)
+
+var reason = flag.String("reason", "", "the reason this report is being withdrawn")
+
+type withdraw struct {
+	*fixer
+	*filenameParser
+}
+
+func (withdraw) name() string { return "withdraw" }
+
+func (withdraw) usage() (string, string) {
+	const desc = "withdraws a report"
+	return filenameArgs, desc
+}
+
+func (w *withdraw) setup(ctx context.Context, env environment) error {
+	if *reason == "" {
+		return fmt.Errorf("flag -reason must be provided")
+	}
+	w.fixer = new(fixer)
+	w.filenameParser = new(filenameParser)
+	return setupAll(ctx, env, w.fixer, w.filenameParser)
+}
+
+func (w *withdraw) close() error {
+	return nil
+}
+
+func (w *withdraw) skip(input any) string {
+	r := input.(*yamlReport)
+
+	if r.IsExcluded() {
+		return "excluded; can't be withdrawn"
+	}
+
+	if r.Withdrawn != nil {
+		return "already withdrawn"
+	}
+
+	if r.CVEMetadata != nil {
+		return "withdrawing Go-published report not yet supported"
+	}
+
+	return ""
+}
+
+func (w *withdraw) run(ctx context.Context, input any) (err error) {
+	r := input.(*yamlReport)
+	r.Withdrawn = &osv.Time{Time: time.Now()}
+	r.Summary = "WITHDRAWN: " + r.Summary
+	r.Description = report.Description(
+		fmt.Sprintf("(This report has been withdrawn with reason: %q). %s",
+			*reason, r.Description))
+	return w.fixAndWriteAll(ctx, r, false)
+}

internal/osv/time.go

@@ -37,3 +37,11 @@ func (t *Time) UnmarshalJSON(data []byte) error {
 	t.Time = time.UTC()
 	return nil
 }
+
+func (t Time) MarshalYAML() (interface{}, error) {
+	if !t.IsZero() {
+		return t.UTC().Format(time.RFC3339), nil
+	}
+
+	return t, nil
+}

internal/report/osv.go

@@ -131,16 +131,11 @@ func (r *Report) ToOSV(lastModified time.Time) (osv.Entry, error) {
 		})
 	}
 
-	var withdrawn *osv.Time
-	if r.Withdrawn != nil {
-		withdrawn = &osv.Time{Time: *r.Withdrawn}
-	}
-
 	entry := osv.Entry{
 		ID:            r.ID,
 		Published:     osv.Time{Time: r.Published},
 		Modified:      osv.Time{Time: lastModified},
-		Withdrawn:     withdrawn,
+		Withdrawn:     r.Withdrawn,
 		Related:       r.Related,
 		Summary:       toParagraphs(r.Summary.String()),
 		Credits:       credits,

internal/report/report.go

@@ -308,7 +308,7 @@ type Report struct {
 	// assigning a CVE ID ourselves, use CVEMetadata.Description instead.
 	Description Description `yaml:",omitempty"`
 	Published   time.Time   `yaml:",omitempty"`
-	Withdrawn   *time.Time  `yaml:",omitempty"`
+	Withdrawn   *osv.Time   `yaml:",omitempty"`
 
 	// CVE are CVE IDs for existing CVEs.
 	// If we are assigning a CVE ID ourselves, use CVEMetadata.ID instead.