fix: add github security advisory problems to legacy vuln info

cmars · cmars · commit 8a07fca18481 · 2025-07-29T15:06:59.000-05:00
This maps GHSA problems back onto legacy JSON output.
diff --git a/internal/legacy/transform/transform.go b/internal/legacy/transform/transform.go
@@ -53,6 +53,8 @@ func ProcessProblemForVuln(
 		return processCveProblem(vuln, prob)
 	case string(testapi.Cwe):
 		return processCweProblem(vuln, prob)
+	case string(testapi.Ghsa):
+		return processGhsaProblem(vuln, prob)
 	case string(testapi.SnykLicense):
 		return processSnykLicenseProblem(vuln, prob, logger)
 	default:
@@ -386,6 +388,19 @@ func processCweProblem(v *definitions.Vulnerability, prob *testapi.Problem) erro
 	return nil
 }
 
+func processGhsaProblem(v *definitions.Vulnerability, prob *testapi.Problem) error {
+	ensureVulnHasIdentifiers(v)
+	ghsa, err := prob.AsGithubSecurityAdvisoryProblem()
+	if err != nil {
+		return fmt.Errorf("converting problem to github security advisory: %w", err)
+	}
+	if v.Identifiers.GHSA == nil {
+		v.Identifiers.GHSA = &[]string{}
+	}
+	*v.Identifiers.GHSA = append(*v.Identifiers.GHSA, ghsa.Id)
+	return nil
+}
+
 // processSnykLicenseProblem processes a Snyk license problem by extracting its data and populating the vulnerability.
 func processSnykLicenseProblem(v *definitions.Vulnerability, prob *testapi.Problem, logger *zerolog.Logger) error {
 	license, err := prob.AsSnykLicenseProblem()
diff --git a/internal/legacy/transform/transform_test.go b/internal/legacy/transform/transform_test.go
@@ -25,6 +25,10 @@ func TestProcessProblemForVuln_Identifiers(t *testing.T) {
 	err = cweProblem.FromCweProblem(testapi.CweProblem{Id: "cwe-problem-id", Source: testapi.Cwe})
 	require.NoError(t, err)
 
+	ghsaProblem := &testapi.Problem{}
+	err = ghsaProblem.FromGithubSecurityAdvisoryProblem(testapi.GithubSecurityAdvisoryProblem{Id: "ghsa-problem-id", Source: testapi.Ghsa})
+	require.NoError(t, err)
+
 	// Setup invalid problem
 	malformedProblem := &testapi.Problem{} // empty union
 
@@ -59,6 +63,18 @@ func TestProcessProblemForVuln_Identifiers(t *testing.T) {
 				require.Len(t, v.Identifiers.CVE, 0)
 			},
 		},
+		{
+			name:    "should add GHSA identifier to empty vulnerability",
+			vuln:    &definitions.Vulnerability{},
+			problem: ghsaProblem,
+			assertFunc: func(t *testing.T, v *definitions.Vulnerability) {
+				t.Helper()
+				require.NotNil(t, v.Identifiers)
+				require.Len(t, *v.Identifiers.GHSA, 1)
+				assert.Equal(t, "ghsa-problem-id", (*v.Identifiers.GHSA)[0])
+				require.Len(t, v.Identifiers.CVE, 0)
+			},
+		},
 		{
 			name: "should append CWE identifier to existing CVE",
 			vuln: &definitions.Vulnerability{
