cmd/issue: add command issue placeholder

Add a command, `issue placeholder` which can be used to publish a
placeholder issue for a CVE.

Example usage: `issue placeholder CVE-1234-5678 CVE-0000-1111` would
create two issues on the x/vulndb tracker, one for each CVE.

The placeholder issue does not reveal anything about the CVE, and the
command is intended to be used to create tracking issues for CVEs that
have been preannounced but not yet published.

Change-Id: I95ace0eaffe83f77ebc58d4ec755f0276e748c02
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/559601
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Damien Neil <[email protected]>

Author: tatianab

cmd/issue/main.go

@@ -19,6 +19,7 @@ import (
 	"strings"
 
 	"golang.org/x/vulndb/internal"
+	"golang.org/x/vulndb/internal/cveschema5"
 	"golang.org/x/vulndb/internal/ghsa"
 	"golang.org/x/vulndb/internal/gitrepo"
 	"golang.org/x/vulndb/internal/issues"
@@ -35,9 +36,12 @@ var (
 func main() {
 	ctx := context.Background()
 	flag.Usage = func() {
-		fmt.Fprintf(flag.CommandLine.Output(), "usage: issue [cmd] [filename]\n")
-		fmt.Fprintf(flag.CommandLine.Output(), "	triage: [filename]\n")
-		fmt.Fprintf(flag.CommandLine.Output(), "	excluded: [filename]\n")
+		fmt.Fprintf(flag.CommandLine.Output(), "usage: issue [cmd] [filename | cves]\n")
+		fmt.Fprintf(flag.CommandLine.Output(), "	triage [filename]: create issues to triage on the tracker for the aliases listed in the file\n")
+		fmt.Fprintf(flag.CommandLine.Output(), "	excluded [filename]: create excluded issues on the tracker for the aliases listed in the file\n")
+		fmt.Fprintf(flag.CommandLine.Output(), "	placeholder [cve(s)]: create a placeholder issue on the tracker for the given CVE(s)\n")
+		fmt.Fprintf(flag.CommandLine.Output(), "\n")
+		fmt.Fprintf(flag.CommandLine.Output(), "Flags:\n")
 		flag.PrintDefaults()
 	}
 	flag.Parse()
@@ -59,6 +63,8 @@ func main() {
 		err = createIssueToTriage(ctx, c, ghsaClient, pc, filename)
 	case "excluded":
 		err = createExcluded(ctx, c, ghsaClient, pc, filename)
+	case "placeholder":
+		err = createPlaceholder(ctx, c, flag.Args()[1:])
 	default:
 		err = fmt.Errorf("unsupported command: %q", cmd)
 	}
@@ -93,6 +99,21 @@ func createExcluded(ctx context.Context, c *issues.Client, ghsaClient *ghsa.Clie
 	return nil
 }
 
+func createPlaceholder(ctx context.Context, c *issues.Client, args []string) error {
+	for _, arg := range args {
+		if !cveschema5.IsCVE(arg) {
+			return fmt.Errorf("%q is not a CVE", arg)
+		}
+		aliases := []string{arg}
+		packages := []string{"<placeholder>"}
+		bodies := []string{fmt.Sprintf("This is a placeholder issue for %q.", arg)}
+		if err := publishIssue(ctx, c, packages, aliases, bodies, []string{}); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 func constructIssue(ctx context.Context, c *issues.Client, ghsaClient *ghsa.Client, pc *proxy.Client, alias string, labels []string) (err error) {
 	var ghsas []*ghsa.SecurityAdvisory
 	if strings.HasPrefix(alias, "GHSA") {
@@ -143,17 +164,22 @@ func constructIssue(ctx context.Context, c *issues.Client, ghsaClient *ghsa.Clie
 		}
 		bodies = append(bodies, body)
 	}
-	sort.Strings(ids)
+	return publishIssue(ctx, c, []string{pkgPath}, ids, bodies, labels)
+}
+
+func publishIssue(ctx context.Context, c *issues.Client, packages, aliases, bodies, labels []string) error {
+	sort.Strings(aliases)
 	iss := &issues.Issue{
-		Title:  fmt.Sprintf("x/vulndb: potential Go vuln in %s: %s", pkgPath, strings.Join(ids, ", ")),
+		Title: fmt.Sprintf("x/vulndb: potential Go vuln in %s: %s", strings.Join(packages, ", "),
+			strings.Join(aliases, ", ")),
 		Body:   strings.Join(bodies, "\n\n----------\n\n"),
 		Labels: labels,
 	}
 	issNum, err := c.CreateIssue(ctx, iss)
 	if err != nil {
 		return err
 	}
-	fmt.Printf("created https://github.com/golang/vulndb/issues/%d (%s)\n", issNum, strings.Join(ids, ", "))
+	fmt.Printf("published issue https://%s/issues/%d (%s)\n", *issueRepo, issNum, strings.Join(aliases, ", "))
 	return nil
 }