From 849daebb293446b118166fa9afb04cfe680bafa8 Mon Sep 17 00:00:00 2001
From: Dan Luhring
Date: Tue, 9 Jul 2024 15:25:09 -0400
Subject: [PATCH] fix(osv): move aliases to related field

See https://github.com/google/osv.dev/issues/2374 for motivation.

Signed-off-by: Dan Luhring
---
 pkg/advisory/osv.go | 7 ++++---
 pkg/advisory/testdata/osv/expected/CGA-37qj-pjrf-fmrw.json | 2 +-
 pkg/advisory/testdata/osv/expected/CGA-5f5c-53mg-6p2v.json | 2 +-
 pkg/advisory/testdata/osv/expected/CGA-6mjr-v678-c6gm.json | 2 +-
 pkg/advisory/testdata/osv/expected/CGA-gg4h-ppqq-vf35.json | 2 +-
 pkg/advisory/testdata/osv/expected/CGA-mm7m-x6cw-5fg4.json | 2 +-
 pkg/advisory/testdata/osv/expected/CGA-vj68-6p3f-8xmr.json | 2 +-
 7 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/pkg/advisory/osv.go b/pkg/advisory/osv.go
index 429c8548..184b8832 100644
--- a/pkg/advisory/osv.go
+++ b/pkg/advisory/osv.go
@@ -148,8 +148,9 @@ func BuildOSVDataset(_ context.Context, opts OSVOptions) error {
  continue
  }
- // Note: The OSV data should include our advisory ID itself among the listed aliases.
- aliases := append([]string{adv.ID}, adv.Aliases...)
+ // Note: The OSV data should include our advisory ID itself among the listed
+ // related vulnerability IDs.
+ related := append([]string{adv.ID}, adv.Aliases...)
  affecteds := make([]models.Affected, 0, len(affectedPackages))
  for _, pkg := range affectedPackages {
@@ -161,7 +162,7 @@ func BuildOSVDataset(_ context.Context, opts OSVOptions) error {
  entry := models.Vulnerability{
  ID: adv.ID,
- Aliases: aliases,
+ Related: related,
  Affected: affecteds,
  Modified: advisoryLastUpdated,
  }
diff --git a/pkg/advisory/testdata/osv/expected/CGA-37qj-pjrf-fmrw.json b/pkg/advisory/testdata/osv/expected/CGA-37qj-pjrf-fmrw.json
index 8738907d..a9b51cf2 100644
--- a/pkg/advisory/testdata/osv/expected/CGA-37qj-pjrf-fmrw.json
+++ b/pkg/advisory/testdata/osv/expected/CGA-37qj-pjrf-fmrw.json
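Review bot: The first hunk still prepends `adv.ID` to the list, so every generated record names itself in `related` (the updated fixtures show the CGA ID under both `id` and `related`), and the reworded comment states that this happens without saying why. Under `related` that is an edge from the record to itself, which any consumer walking related IDs has to tolerate. If it is intentional, the comment should carry the reason, e.g. `// Upstream IDs are published as "related" rather than "aliases" (see google/osv.dev#2374); our own ID stays in the list because <reason>.`; if it is not, `related := adv.Aliases` would be enough. BuildOSVDataset begins and ends outside the hunk, so the filtering that precedes this line is not visible here.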
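Review bot: With `Related: related` replacing `Aliases: aliases` in the struct literal, the generated records no longer carry an `aliases` field at all, and nothing in the change documents that for consumers of the feed. Tools that correlate a CGA record with a CVE or GHSA finding by reading `aliases` (to deduplicate results or to mark a finding as fixed) would presumably stop matching and have to read `related` instead. A one-line comment above the literal, such as `// Aliases is left empty on purpose; upstream IDs are in Related (google/osv.dev#2374).`, together with a release note, would make the schema change visible. The literal sits inside BuildOSVDataset, which extends beyond the hunk.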
@@ -1,7 +1,7 @@
  {
  "modified": "2022-09-15T02:40:18Z",
  "id": "CGA-37qj-pjrf-fmrw",
- "aliases": [
+ "related": [
  "CGA-37qj-pjrf-fmrw",
  "CVE-2020-8927"
  ],
diff --git a/pkg/advisory/testdata/osv/expected/CGA-5f5c-53mg-6p2v.json b/pkg/advisory/testdata/osv/expected/CGA-5f5c-53mg-6p2v.json
index ff3d1fab..62f7abb4 100644
--- a/pkg/advisory/testdata/osv/expected/CGA-5f5c-53mg-6p2v.json
+++ b/pkg/advisory/testdata/osv/expected/CGA-5f5c-53mg-6p2v.json
@@ -1,7 +1,7 @@
  {
  "modified": "2023-05-04T14:34:34Z",
  "id": "CGA-5f5c-53mg-6p2v",
- "aliases": [
+ "related": [
  "CGA-5f5c-53mg-6p2v",
  "GHSA-33pg-m6jh-5237"
  ],
diff --git a/pkg/advisory/testdata/osv/expected/CGA-6mjr-v678-c6gm.json b/pkg/advisory/testdata/osv/expected/CGA-6mjr-v678-c6gm.json
index ab1413d3..f54722f2 100644
--- a/pkg/advisory/testdata/osv/expected/CGA-6mjr-v678-c6gm.json
+++ b/pkg/advisory/testdata/osv/expected/CGA-6mjr-v678-c6gm.json
@@ -1,7 +1,7 @@
  {
  "modified": "2023-02-07T16:50:17Z",
  "id": "CGA-6mjr-v678-c6gm",
- "aliases": [
+ "related": [
  "CGA-6mjr-v678-c6gm",
  "CVE-2022-4450"
  ],
diff --git a/pkg/advisory/testdata/osv/expected/CGA-gg4h-ppqq-vf35.json b/pkg/advisory/testdata/osv/expected/CGA-gg4h-ppqq-vf35.json
index 0bfed0ac..2525e6fe 100644
--- a/pkg/advisory/testdata/osv/expected/CGA-gg4h-ppqq-vf35.json
+++ b/pkg/advisory/testdata/osv/expected/CGA-gg4h-ppqq-vf35.json
@@ -1,7 +1,7 @@
  {
  "modified": "2023-05-04T14:34:34Z",
  "id": "CGA-gg4h-ppqq-vf35",
- "aliases": [
+ "related": [
  "CGA-gg4h-ppqq-vf35",
  "GHSA-6wrf-mxfj-pf5p"
  ],
diff --git a/pkg/advisory/testdata/osv/expected/CGA-mm7m-x6cw-5fg4.json b/pkg/advisory/testdata/osv/expected/CGA-mm7m-x6cw-5fg4.json
index 76e79fcb..6161b8ce 100644
--- a/pkg/advisory/testdata/osv/expected/CGA-mm7m-x6cw-5fg4.json
+++ b/pkg/advisory/testdata/osv/expected/CGA-mm7m-x6cw-5fg4.json
@@ -1,7 +1,7 @@
  {
  "modified": "2023-04-08T16:32:54Z",
  "id": "CGA-mm7m-x6cw-5fg4",
- "aliases": [
+ "related": [
  "CGA-mm7m-x6cw-5fg4",
  "CVE-2023-0466"
  ],
diff --git a/pkg/advisory/testdata/osv/expected/CGA-vj68-6p3f-8xmr.json b/pkg/advisory/testdata/osv/expected/CGA-vj68-6p3f-8xmr.json
index d843d2d1..f6a9b361 100644
--- a/pkg/advisory/testdata/osv/expected/CGA-vj68-6p3f-8xmr.json
+++ b/pkg/advisory/testdata/osv/expected/CGA-vj68-6p3f-8xmr.json
@@ -1,7 +1,7 @@
  {
  "modified": "2023-03-28T14:54:27Z",
  "id": "CGA-vj68-6p3f-8xmr",
- "aliases": [
+ "related": [
  "CGA-vj68-6p3f-8xmr",
  "CVE-2023-0465"
  ],