Update Insight service API and client

api/insights-v1.yml

@@ -757,6 +757,55 @@ components:
           type: integer
         link:
           type: string
+    PackageVulnerability:
+      type: object
+      description: |
+        Subset of OSV schema required to perform policy
+        decision by various tools
+      properties:
+        id:
+          type: string
+          description: Vulnerability identifier
+        summary:
+          type: string
+          description: Short summary of vulnerability
+        aliases:
+          type: array
+          items:
+            type: string
+          description: |
+            Alias identifiers of the same vulnerability in
+            other databases
+        related:
+          type: array
+          items:
+            type: string
+          description: |
+            Related vulnerability identifiers for similar issues
+            in
+        severities:
+          type: array
+          items:
+            type: object
+            properties:
+              type:
+                type: string
+                enum:
+                  - UNSPECIFIED
+                  - CVSS_V3
+                  - CVSS_V2
+              score:
+                type: string
+                description: Type specific vulnerability score
+              risk:
+                type: string
+                enum:
+                  - CRITICAL
+                  - HIGH
+                  - MEDIUM
+                  - LOW
+                  - UNKNOWN
+                description: Normalized risk rating computed from score
     PackageVersionInsight:
       type: object
       properties:
@@ -778,3 +827,7 @@ components:
             $ref: '#/components/schemas/PackageDependency'
         scorecard:
           $ref: '#/components/schemas/Scorecard'
+        vulnerabilities:
+          type: array
+          items:
+            $ref: '#/components/schemas/PackageVulnerability'

gen/insightapi/insights.types.go

@@ -1021,6 +1021,28 @@ const (
 	LicenseZlibAcknowledgement License = "zlib-acknowledgement"
 )
 
+// Defines values for PackageVulnerabilitySeveritiesRisk.
+const (
+	PackageVulnerabilitySeveritiesRiskCRITICAL PackageVulnerabilitySeveritiesRisk = "CRITICAL"
+
+	PackageVulnerabilitySeveritiesRiskHIGH PackageVulnerabilitySeveritiesRisk = "HIGH"
+
+	PackageVulnerabilitySeveritiesRiskLOW PackageVulnerabilitySeveritiesRisk = "LOW"
+
+	PackageVulnerabilitySeveritiesRiskMEDIUM PackageVulnerabilitySeveritiesRisk = "MEDIUM"
+
+	PackageVulnerabilitySeveritiesRiskUNKNOWN PackageVulnerabilitySeveritiesRisk = "UNKNOWN"
+)
+
+// Defines values for PackageVulnerabilitySeveritiesType.
+const (
+	PackageVulnerabilitySeveritiesTypeCVSSV2 PackageVulnerabilitySeveritiesType = "CVSS_V2"
+
+	PackageVulnerabilitySeveritiesTypeCVSSV3 PackageVulnerabilitySeveritiesType = "CVSS_V3"
+
+	PackageVulnerabilitySeveritiesTypeUNSPECIFIED PackageVulnerabilitySeveritiesType = "UNSPECIFIED"
+)
+
 // Defines values for ScorecardVersion.
 const (
 	ScorecardVersionV2 ScorecardVersion = "V2"
@@ -1133,14 +1155,47 @@ type PackageVersion struct {
 
 // PackageVersionInsight defines model for PackageVersionInsight.
 type PackageVersionInsight struct {
-	Dependencies   *[]PackageDependency  `json:"dependencies,omitempty"`
+	Dependencies    *[]PackageDependency    `json:"dependencies,omitempty"`
-	Dependents     *PackageDependents    `json:"dependents,omitempty"`
+	Dependents      *PackageDependents      `json:"dependents,omitempty"`
-	Licenses       *[]License            `json:"licenses,omitempty"`
+	Licenses        *[]License              `json:"licenses,omitempty"`
-	PackageVersion *PackageVersion       `json:"package_version,omitempty"`
+	PackageVersion  *PackageVersion         `json:"package_version,omitempty"`
-	Projects       *[]PackageProjectInfo `json:"projects,omitempty"`
+	Projects        *[]PackageProjectInfo   `json:"projects,omitempty"`
-	Scorecard      *Scorecard            `json:"scorecard,omitempty"`
+	Scorecard       *Scorecard              `json:"scorecard,omitempty"`
+	Vulnerabilities *[]PackageVulnerability `json:"vulnerabilities,omitempty"`
 }
 
+// Subset of OSV schema required to perform policy
+// decision by various tools
+type PackageVulnerability struct {
+	// Alias identifiers of the same vulnerability in
+	// other databases
+	Aliases *[]string `json:"aliases,omitempty"`
+
+	// Vulnerability identifier
+	Id *string `json:"id,omitempty"`
+
+	// Related vulnerability identifiers for similar issues
+	// in
+	Related    *[]string `json:"related,omitempty"`
+	Severities *[]struct {
+		// Normalized risk rating computed from score
+		Risk *PackageVulnerabilitySeveritiesRisk `json:"risk,omitempty"`
+
+		// Type specific vulnerability score
+		Score *string                             `json:"score,omitempty"`
+		Type  *PackageVulnerabilitySeveritiesType `json:"type,omitempty"`
+	} `json:"severities,omitempty"`
+
+	// Short summary of vulnerability
+	Summary *string `json:"summary,omitempty"`
+}
+
+// Normalized risk rating computed from score
+type PackageVulnerabilitySeveritiesRisk string
+
+// PackageVulnerabilitySeveritiesType defines model for PackageVulnerability.Severities.Type.
+type PackageVulnerabilitySeveritiesType string
+
 // Scorecard defines model for Scorecard.
 type Scorecard struct {
 	Content *ScorecardContentV2 `json:"content,omitempty"`

pkg/analyzer/json_dump.go

@@ -25,9 +25,9 @@ func NewJsonDumperAnalyzer(dir string) (Analyzer, error) {
 			if err != nil {
 				return nil, fmt.Errorf("cannot create dir: %w", err)
 			}
+		} else {
+			return nil, fmt.Errorf("cannot stat dir: %w", err)
 		}
-
-		return nil, fmt.Errorf("cannot stat dir: %w", err)
 	}
 
 	if !fi.IsDir() {