feat(CVE5): Add link to NVD and computed CVEList file and hash (#4422)

It only makes sense that we include the references to the places we
source our CVE data, both for triage, and just record keeping.

This PR also fixes a bug where empty urls are able to be saved, which
shouldn't happen based on the CVE5's quality requirements, but better
safe than sorry.

During this process, identifyPossibleURLs deduplication logic was moved
to its own function to be used better elsewhere if necessary.

Author: jess-lowe

vulnfeeds/cmd/cve-bulk-converter/main.go

@@ -5,15 +5,13 @@ import (
 	_ "embed"
 	"encoding/json"
 	"flag"
-	"fmt"
 	"log/slog"
 	"os"
 	"path/filepath"
 	"slices"
 	"strings"
 	"sync"
 
-	"github.com/go-git/go-git/v5"
 	"github.com/google/osv/vulnfeeds/cvelist2osv"
 	"github.com/google/osv/vulnfeeds/cves"
 	"github.com/google/osv/vulnfeeds/utility/logger"
@@ -53,16 +51,10 @@ func main() {
 		}
 	}
 
-	// Get the HEAD commit hash of the repo.
-	commitHash, err := getHeadCommit(*repoDir)
-	if err != nil {
-		logger.Warn("Failed to get HEAD commit hash", slog.Any("err", err))
-	}
-
 	// Start the worker pool.
 	for range *workers {
 		wg.Add(1)
-		go worker(&wg, jobs, *localOutputDir, cnaList, commitHash)
+		go worker(&wg, jobs, *localOutputDir, cnaList)
 	}
 
 	// Discover files and send them to the workers.
@@ -98,7 +90,7 @@ func main() {
 }
 
 // worker is a function that processes CVE files from the jobs channel.
-func worker(wg *sync.WaitGroup, jobs <-chan string, outDir string, cnas []string, commitHash string) {
+func worker(wg *sync.WaitGroup, jobs <-chan string, outDir string, cnas []string) {
 	defer wg.Done()
 	for path := range jobs {
 		data, err := os.ReadFile(path)
@@ -126,13 +118,11 @@ func worker(wg *sync.WaitGroup, jobs <-chan string, outDir string, cnas []string
 		}
 
 		sourceLink := ""
-		if commitHash != "" {
-			baseDirCVEList := "cves/" // The base folder for the CVEListV5 repository.
-			idx := strings.Index(path, baseDirCVEList)
-			if idx != -1 {
-				relPath := path[idx:]
-				sourceLink = fmt.Sprintf("https://github.com/CVEProject/cvelistV5/blob/%s/%s", commitHash, relPath)
-			}
+		baseDirCVEList := "cves/" // The base folder for the CVEListV5 repository.
+		idx := strings.Index(path, baseDirCVEList)
+		if idx != -1 {
+			relPath := path[idx:]
+			sourceLink = "https://github.com/CVEProject/cvelistV5/tree/main/" + relPath
 		}
 
 		// Perform the conversion and export the results.
@@ -146,16 +136,3 @@ func worker(wg *sync.WaitGroup, jobs <-chan string, outDir string, cnas []string
 		osvFile.Close()
 	}
 }
-
-func getHeadCommit(repoDir string) (string, error) {
-	r, err := git.PlainOpen(repoDir)
-	if err != nil {
-		return "", err
-	}
-	ref, err := r.Head()
-	if err != nil {
-		return "", err
-	}
-
-	return ref.Hash().String(), nil
-}

vulnfeeds/cvelist2osv/__snapshots__/converter_test.snap

@@ -10,6 +10,12 @@
   "id": "CVE-2025-9999",
   "modified": "2025-05-04T07:20:46.575Z",
   "published": "2025-05-04T07:20:46.575Z",
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9999"
+    }
+  ],
   "schema_version": "1.7.3"
 }
 ---
@@ -75,6 +81,10 @@
     {
       "type": "EVIDENCE",
       "url": "https://hackerone.com/reports/2972576"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1110"
     }
   ],
   "schema_version": "1.7.3",
@@ -136,6 +146,10 @@
     {
       "type": "ADVISORY",
       "url": "https://github.com/amazon-ion/ion-java/security/advisories/GHSA-264p-99wq-f4j6"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21634"
     }
   ],
   "schema_version": "1.7.3",
@@ -319,6 +333,10 @@
     {
       "type": "WEB",
       "url": "https://git.kernel.org/stable/c/a3e77da9f843e4ab93917d30c314f0283e28c124"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21772"
     }
   ],
   "schema_version": "1.7.3",

vulnfeeds/cvelist2osv/converter.go

@@ -233,6 +233,15 @@ func ConvertAndExportCVEToOSV(cve cves.CVE5, vulnSink io.Writer, metricsSink io.
 	cveID := cve.Metadata.CVEID
 	cnaAssigner := cve.Metadata.AssignerShortName
 	references := identifyPossibleURLs(cve)
+
+	// Add NVD and computed source link to references
+	references = append(references, cves.Reference{URL: fmt.Sprintf("https://nvd.nist.gov/vuln/detail/%s", cveID)})
+	if sourceLink != "" {
+		references = append(references, cves.Reference{URL: sourceLink})
+	}
+
+	references = deduplicateRefs(references)
+
 	metrics := ConversionMetrics{CVEID: cveID, CNA: cnaAssigner, UnresolvedRangesCount: 0, ResolvedRangesCount: 0}
 
 	// Create a base OSV record from the CVE.
@@ -269,7 +278,7 @@ func ConvertAndExportCVEToOSV(cve cves.CVE5, vulnSink io.Writer, metricsSink io.
 	return nil
 }
 
-// identifyPossibleURLs extracts and deduplicates all URLs from a CVE object.
+// identifyPossibleURLs extracts all URLs from a CVE object.
 // It searches for URLs in the CNA and ADP reference sections, as well as in
 // the 'collectionUrl' and 'repo' fields of the 'affected' entries.
 func identifyPossibleURLs(cve cves.CVE5) []cves.Reference {
@@ -290,6 +299,19 @@ func identifyPossibleURLs(cve cves.CVE5) []cves.Reference {
 		}
 	}
 
+	// Filter out empty URLs from CNA references if any
+	filteredRefs := make([]cves.Reference, 0, len(refs))
+	for _, ref := range refs {
+		if ref.URL != "" {
+			filteredRefs = append(filteredRefs, ref)
+		}
+	}
+	refs = filteredRefs
+
+	return refs
+}
+
+func deduplicateRefs(refs []cves.Reference) []cves.Reference {
 	// Deduplicate references by URL.
 	slices.SortStableFunc(refs, func(a, b cves.Reference) int {
 		return strings.Compare(a.URL, b.URL)

vulnfeeds/cvelist2osv/converter_test.go

@@ -85,7 +85,9 @@ func TestIdentifyPossibleURLs(t *testing.T) {
 				{URL: "http://a.com"},
 				{URL: "http://b.com"},
 				{URL: "http://c.com"},
+				{URL: "http://a.com"},
 				{URL: "http://d.com"},
+				{URL: "http://b.com"},
 			},
 		},
 		{
@@ -100,7 +102,7 @@ func TestIdentifyPossibleURLs(t *testing.T) {
 					},
 				},
 			},
-			expectedRefs: nil,
+			expectedRefs: []cves.Reference{},
 		},
 		{
 			name: "no references and CNA refs is empty slice",
@@ -137,7 +139,6 @@ func TestIdentifyPossibleURLs(t *testing.T) {
 				},
 			},
 			expectedRefs: []cves.Reference{
-				{URL: ""},
 				{URL: "http://a.com"},
 			},
 		},

vulnfeeds/vulns/vulns.go

@@ -425,6 +425,12 @@ func ClassifyReferenceLink(link string, tag string) osvschema.Reference_Type {
 	// Index 0 will always be "", so the length must be at least 2 to be relevant
 	if len(pathParts) >= 2 {
 		if u.Host == "github.com" {
+			// CVEProject CVEList reference
+			// Example: https://github.com/CVEProject/cvelistV5/blob/7dd48109ee33618242f36ae1d14d80950f2d0e59/cves/2021/45xxx/CVE-2021-45931.json
+			if len(pathParts) >= 3 && pathParts[1] == "CVEProject" {
+				return osvschema.Reference_ADVISORY
+			}
+
 			// Example: https://github.com/google/osv/commit/cd4e934d0527e5010e373e7fed54ef5daefba2f5
 			if len(pathParts) >= 3 && pathParts[len(pathParts)-2] == "commit" {
 				return osvschema.Reference_FIX

vulnfeeds/vulns/vulns_test.go

@@ -33,6 +33,7 @@ func TestClassifyReferenceLink(t *testing.T) {
 		{"https://github.com/Netflix/lemur/issues/117", "", osvschema.Reference_REPORT},
 		{"https://snyk.io/vuln/SNYK-PYTHON-TRYTOND-1730329", "", osvschema.Reference_ADVISORY},
 		{"https://nvd.nist.gov/vuln/detail/CVE-2021-23336", "", osvschema.Reference_ADVISORY},
+		{"https://github.com/CVEProject/cvelistV5/blob/545d1041e7c903230240d4c5f86550d266784f99/cves/2025/10xxx/CVE-2025-10316.json", "", osvschema.Reference_ADVISORY},
 		{"https://www.debian.org/security/2021/dsa-4878", "", osvschema.Reference_ADVISORY},
 		{"https://usn.ubuntu.com/usn/usn-4661-1", "", osvschema.Reference_ADVISORY},
 		{"http://www.ubuntu.com/usn/USN-2915-2", "", osvschema.Reference_ADVISORY},