Improve the OSV models to allow for 3rd party use of the library.

internal/govulncheckshim/fixtures/snapshots/govulncheckshim_test.json

@@ -97,6 +97,9 @@
       "url": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579"
      }
     ],
+    "credits": [
+        { "name": "Jorropo" }
+    ],
     "schema_version": "1.3.1"
    }
   },

pkg/models/constants.go

@@ -0,0 +1,65 @@
+package models
+
+type Ecosystem string
+
+const (
+	EcosystemGo            Ecosystem = "Go"
+	EcosystemNPM           Ecosystem = "npm"
+	EcosystemOSSFuzz       Ecosystem = "OSS-Fuzz"
+	EcosystemPyPI          Ecosystem = "PyPI"
+	EcosystemRubyGems      Ecosystem = "RubyGems"
+	EcosystemCratesIO      Ecosystem = "crates.io"
+	EcosystemPackagist     Ecosystem = "Packagist"
+	EcosystemMaven         Ecosystem = "Maven"
+	EcosystemNuGet         Ecosystem = "NuGet"
+	EcosystemLinux         Ecosystem = "Linux"
+	EcosystemDebian        Ecosystem = "Debian"
+	EcosystemAlpine        Ecosystem = "Alpine"
+	EcosystemHex           Ecosystem = "Hex"
+	EcosystemAndroid       Ecosystem = "Android"
+	EcosystemGitHubActions Ecosystem = "GitHub Actions"
+	EcosystemPub           Ecosystem = "Pub"
+	EcosystemConanCenter   Ecosystem = "ConanCenter"
+)
+
+type SeverityType string
+
+const (
+	SeverityCVSSV2 SeverityType = "CVSS_V2"
+	SeverityCVSSV3 SeverityType = "CVSS_V3"
+)
+
+type RangeType string
+
+const (
+	RangeSemVer    RangeType = "SEMVER"
+	RangeEcosystem RangeType = "ECOSYSTEM"
+	RangeGit       RangeType = "GIT"
+)
+
+type ReferenceType string
+
+const (
+	ReferenceAdvisory ReferenceType = "ADVISORY"
+	ReferenceArticle  ReferenceType = "ARTICLE"
+	ReferenceReport   ReferenceType = "REPORT"
+	ReferenceFix      ReferenceType = "FIX"
+	ReferencePackage  ReferenceType = "PACKAGE"
+	ReferenceEvidence ReferenceType = "EVIDENCE"
+	ReferenceWeb      ReferenceType = "WEB"
+)
+
+type CreditType string
+
+const (
+	CreditFinder               CreditType = "FINDER"
+	CreditReporter             CreditType = "REPORTER"
+	CreditAnalyst              CreditType = "ANALYST"
+	CreditCoordinator          CreditType = "COORDINATOR"
+	CreditRemediationDeveloper CreditType = "REMEDIATION_DEVELOPER" //nolint:gosec
+	CreditRemediationReviewer  CreditType = "REMEDIATION_REVIEWER"  //nolint:gosec
+	CreditRemediationVerifier  CreditType = "REMEDIATION_VERIFIER"  //nolint:gosec
+	CreditTool                 CreditType = "TOOL"
+	CreditSponsor              CreditType = "SPONSOR"
+	CreditOther                CreditType = "OTHER"
+)

pkg/models/results.go

@@ -1,8 +1,6 @@
 package models
 
 import (
-	"time"
-
 	"golang.org/x/exp/slices"
 )
 
@@ -40,41 +38,6 @@ type VulnerabilityFlattened struct {
 	GroupInfo     GroupInfo
 }
 
-type Vulnerability struct {
-	SchemaVersion string    `json:"schema_version"`
-	ID            string    `json:"id"`
-	Modified      time.Time `json:"modified"`
-	Published     time.Time `json:"published"`
-	Aliases       []string  `json:"aliases"`
-	Summary       string    `json:"summary"`
-	Details       string    `json:"details"`
-	Affected      []struct {
-		Package struct {
-			Ecosystem string `json:"ecosystem,omitempty"`
-			Name      string `json:"name,omitempty"`
-			Purl      string `json:"purl,omitempty"`
-		} `json:"package"`
-		Ranges []struct {
-			Type   string `json:"type"`
-			Events []struct {
-				Introduced   string `json:"introduced,omitempty"`
-				Fixed        string `json:"fixed,omitempty"`
-				LastAffected string `json:"last_affected,omitempty"`
-				Limit        string `json:"limit,omitempty"`
-			} `json:"events"`
-			DatabaseSpecific map[string]interface{} `json:"database_specific,omitempty"`
-		} `json:"ranges"`
-		Versions          []string               `json:"versions,omitempty"`
-		DatabaseSpecific  map[string]interface{} `json:"database_specific,omitempty"`
-		EcosystemSpecific map[string]interface{} `json:"ecosystem_specific,omitempty"`
-	} `json:"affected"`
-	References []struct {
-		Type string `json:"type"`
-		URL  string `json:"url"`
-	} `json:"references"`
-	DatabaseSpecific map[string]interface{} `json:"database_specific,omitempty"`
-}
-
 type SourceInfo struct {
 	Path string `json:"path"`
 	Type string `json:"type"`

pkg/models/vulnerability.go

@@ -0,0 +1,99 @@
+package models
+
+import "time"
+
+// Package identifies the affected code library or command provided by the
+// package.
+//
+// See: https://ossf.github.io/osv-schema/#affectedpackage-field
+type Package struct {
+	Ecosystem Ecosystem `json:"ecosystem,omitempty"`
+	Name      string    `json:"name,omitempty"`
+	Purl      string    `json:"purl,omitempty"`
+}
+
+// Event describes a single version that either:
+//
+//   - Introduces a vulnerability: {"introduced": string}
+//   - Fixes a vulnerability: {"fixed": string}
+//   - Describes the last known affected version: {"last_affected": string}
+//   - Sets an upper limit on the range being described: {"limit": string}
+//
+// Event instances form part of a “timeline” of status changes for the affected
+// package described by the Affected struct.
+//
+// See: https://ossf.github.io/osv-schema/#affectedrangesevents-fields
+type Event struct {
+	Introduced   string `json:"introduced,omitempty"`
+	Fixed        string `json:"fixed,omitempty"`
+	LastAffected string `json:"last_affected,omitempty"`
+	Limit        string `json:"limit,omitempty"`
+}
+
+// Range describes the affected range of given version for a specific package.
+//
+// See: https://ossf.github.io/osv-schema/#affectedranges-field
+type Range struct {
+	Type             RangeType              `json:"type"`
+	Events           []Event                `json:"events"`
+	DatabaseSpecific map[string]interface{} `json:"database_specific,omitempty"`
+}
+
+// Severity is used to describe the severity of a vulnerability for an affected
+// package using one or more quantitative scoring methods.
+//
+// See: https://ossf.github.io/osv-schema/#severity-field
+type Severity struct {
+	Type  SeverityType `json:"type"`
+	Score string       `json:"score"`
+}
+
+// Affected describes an affected package version, meaning one instance that
+// contains the vulnerability.
+//
+// See: https://ossf.github.io/osv-schema/#affected-fields
+type Affected struct {
+	Package           Package                `json:"package"`
+	Severity          Severity               `json:"severity,omitempty"`
+	Ranges            []Range                `json:"ranges"`
+	Versions          []string               `json:"versions,omitempty"`
+	DatabaseSpecific  map[string]interface{} `json:"database_specific,omitempty"`
+	EcosystemSpecific map[string]interface{} `json:"ecosystem_specific,omitempty"`
+}
+
+// Reference links to additional information, advisories, issue tracker entries,
+// and so on about the vulnerability itself.
+//
+// See: https://ossf.github.io/osv-schema/#references-field
+type Reference struct {
+	Type ReferenceType `json:"type"`
+	URL  string        `json:"url"`
+}
+
+// Credit gives credit for the discovery, confirmation, patch, or other events
+// in the life cycle of a vulnerability.
+//
+// See: https://ossf.github.io/osv-schema/#credits-fields
+type Credit struct {
+	Name    string     `json:"name"`
+	Contact []string   `json:"contact,omitempty"`
+	Type    CreditType `json:"type"`
+}
+
+// Vulnerability is the core Open Source Vulnerability (OSV) data type.
+//
+// The full documentation for the schema is available at
+// https://ossf.github.io/osv-schema.
+type Vulnerability struct {
+	SchemaVersion    string                 `json:"schema_version"`
+	ID               string                 `json:"id"`
+	Modified         time.Time              `json:"modified"`
+	Published        time.Time              `json:"published"`
+	Aliases          []string               `json:"aliases"`
+	Summary          string                 `json:"summary"`
+	Details          string                 `json:"details"`
+	Affected         []Affected             `json:"affected"`
+	References       []Reference            `json:"references"`
+	Credits          []Credit               `json:"credits"`
+	DatabaseSpecific map[string]interface{} `json:"database_specific,omitempty"`
+}