openvex · puerco · Jul 11, 2024 · Jul 11, 2024
diff --git a/internal/cmd/options.go b/internal/cmd/options.go
@@ -9,6 +9,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"slices"
 	"strings"
 	"time"
 
@@ -64,6 +65,7 @@ type vexStatementOptions struct {
 	Justification   string
 	ImpactStatement string
 	Vulnerability   string
+	Aliases         []string
 	ActionStatement string
 	Products        []string
 	Subcomponents   []string
@@ -107,6 +109,22 @@ func (so *vexStatementOptions) Validate() error {
 		return fmt.Errorf("--impact-statement can be set only when status is \"not_affected\" (status was %q)", so.Status)
 	}
 
+	if len(so.Aliases) > 0 {
+		previousLen := len(so.Aliases)
+		slices.Sort(so.Aliases)
+		so.Aliases = slices.Compact(so.Aliases)
+
+		if previousLen != len(so.Aliases) {
+			return errors.New("repeated aliases found")
+		}
+
+		for _, sa := range so.Aliases {
+			if sa == so.Vulnerability {
+				return errors.New("an alias cannot be the same as the vulnerability ID")
+			}
+		}
+	}
+
 	return nil
 }
 
@@ -119,6 +137,13 @@ func (so *vexStatementOptions) AddFlags(cmd *cobra.Command) {
 		"vulnerability to add to the statement (eg CVE-2023-12345)",
 	)
 
+	cmd.PersistentFlags().StringSliceVar(
+		&so.Aliases,
+		"aliases",
+		[]string{},
+		"list of aliases under which the vulnerability may be known (eg GO-2023-12345, GHSA-a1a1-b2b2-c3c3)",
+	)
+
 	cmd.PersistentFlags().StringSliceVarP(
 		&so.Products,
 		productLongFlag,
@@ -179,7 +204,8 @@ func (so *vexStatementOptions) ToStatement() vex.Statement {
 
 	s := vex.Statement{
 		Vulnerability: vex.Vulnerability{
-			Name: vex.VulnerabilityID(so.Vulnerability),
+			Name:    vex.VulnerabilityID(so.Vulnerability),
+			Aliases: []vex.VulnerabilityID{},
 		},
 		Timestamp:                &t,
 		LastUpdated:              nil,
@@ -204,6 +230,10 @@ func (so *vexStatementOptions) ToStatement() vex.Statement {
 		})
 	}
 
+	for _, sa := range so.Aliases {
+		s.Vulnerability.Aliases = append(s.Vulnerability.Aliases, vex.VulnerabilityID(sa))
+	}
+
 	for _, sc := range so.Subcomponents {
 		s.Products[0].Subcomponents = append(s.Products[0].Subcomponents, vex.Subcomponent{
 			Component: vex.Component{ID: sc},

diff --git a/internal/cmd/options_test.go b/internal/cmd/options_test.go
@@ -103,6 +103,22 @@ func TestVexStatementOptionsValidate(t *testing.T) {
 				Vulnerability: "CVE-2014-12345678",
 			}, true,
 		},
+		"repeated aliases found": {
+			vexStatementOptions{
+				Status:        string(vex.StatusUnderInvestigation),
+				Products:      []string{"pkg:golang/fmt"},
+				Vulnerability: "CVE-2014-12345678",
+				Aliases:       []string{"CVE-2014-1234", "CVE-2014-1234"},
+			}, true,
+		},
+		"repeated alias and vulnerability ID": {
+			vexStatementOptions{
+				Status:        string(vex.StatusUnderInvestigation),
+				Products:      []string{"pkg:golang/fmt"},
+				Vulnerability: "CVE-2014-12345678",
+				Aliases:       []string{"CVE-2014-1234", "CVE-2014-12345678"},
+			}, true,
+		},
 		"ok": {
 			vexStatementOptions{
 				Status:        string(vex.StatusUnderInvestigation),