From 327fd39a0ef669b500eb4ded2e1e777eddffedcd Mon Sep 17 00:00:00 2001
From: Tatiana Bradley
Date: Tue, 18 Apr 2023 18:15:18 -0400
Subject: internal/{osv,vuln}: consolidate refs to special module paths
Change-Id: Ia3c4f84c5559adef42b9f8659231024a7fc062a9
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/486455
Reviewed-by: Tatiana Bradley
Run-TryBot: Tatiana Bradley
TryBot-Result: kokoro
Reviewed-by: Julie Qiu
---
 internal/osv/affected.go | 2 +-
 internal/vuln/vulns.go | 34 +++++++++++++++-------------------
 2 files changed, 16 insertions(+), 20 deletions(-)
diff --git a/internal/osv/affected.go b/internal/osv/affected.go
index 8cbd84c1..e552b3a6 100644
--- a/internal/osv/affected.go
+++ b/internal/osv/affected.go
@@ -11,7 +11,7 @@ func (e Entry) AffectedModulesAndPackages() []string {
 var affected []string
 for _, a := range e.Affected {
 switch a.Module.Path {
- case "stdlib", "toolchain":
+ case GoStdModulePath, GoCmdModulePath:
 // Name specific standard library packages and tools.
 for _, p := range a.EcosystemSpecific.Packages {
 affected = append(affected, p.Path)
diff --git a/internal/vuln/vulns.go b/internal/vuln/vulns.go
index a7852882..6edf3720 100644
--- a/internal/vuln/vulns.go
+++ b/internal/vuln/vulns.go
@@ -17,14 +17,6 @@ import (
 "golang.org/x/pkgsite/internal/version"
 )
-const (
- // The vulndb stores vulns in cmd/go under the modulepath toolchain.
- vulnCmdGoModulePath = "toolchain"
- // The vulndb stores vulns under the modulepath stdlib for all other packages
- // in the standard library.
- vulnStdlibModulePath = "stdlib"
-)
-
 // A Vuln contains information to display about a vulnerability.
 type Vuln struct {
 // The vulndb ID.
@@ -51,17 +43,21 @@ func VulnsForPackage(ctx context.Context, modulePath, version, packagePath strin
 func vulnsForPackage(ctx context.Context, modulePath, vers, packagePath string, vc *Client) (_ []Vuln, err error) {
 defer derrors.Wrap(&err, "vulnsForPackage(%q, %q, %q)", modulePath, vers, packagePath)
- // Stdlib pages requested at master will map to a pseudo version that puts
- // all vulns in range. We can't really tell you're at master so version.IsPseudo
- // is the best we can do. The result is vulns won't be reported for a pseudoversion
- // that refers to a commit that is in a vulnerable range.
- if modulePath == stdlib.ModulePath && version.IsPseudo(vers) {
- return nil, nil
- }
- if modulePath == stdlib.ModulePath && strings.HasPrefix(packagePath, "cmd/go") {
- modulePath = vulnCmdGoModulePath
- } else if modulePath == stdlib.ModulePath {
- modulePath = vulnStdlibModulePath
+ // Handle special module paths.
+ if modulePath == stdlib.ModulePath {
+ // Stdlib pages requested at master will map to a pseudo version
+ // that puts all vulns in range.
+ // We can't really tell you're at master so version.IsPseudo
+ // is the best we can do. The result is vulns won't be reported for a
+ // pseudoversion that refers to a commit that is in a vulnerable range.
+ switch {
+ case version.IsPseudo(vers):
+ return nil, nil
+ case strings.HasPrefix(packagePath, "cmd/"):
+ modulePath = osv.GoCmdModulePath
+ default:
+ modulePath = osv.GoStdModulePath
+ }
 }
 // Get all the vulns for this package/version.
-- cgit v1.3
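Review bot: The `cmd/` case in the new switch in vulnsForPackage matches more packages than the `cmd/go` prefix it replaces, although the commit is described only as a consolidation of references. Every stdlib package under `cmd/` is now looked up under `osv.GoCmdModulePath`, and a wrong mapping here would presumably make the vulnerability lookup come back empty rather than fail, so the widening deserves an explicit comment and a test case for a `cmd/` package other than `cmd/go`. I would add `// The vulndb files every cmd/... package, not only cmd/go, under the toolchain module.` above that case, assuming that is how the database is organised (the removed const comment mentioned only cmd/go). The pseudo-version comment would also read better directly above `case version.IsPseudo(vers):`, since it explains only that branch. The function body continues past the end of the hunk.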