static/frontend/vuln,internal/osv: display info about unreviewed meaning on vuln page

For UNREVIEWED reports, display the word "Unreviewed" under the title,
and add a blurb to the feedback section explaining its meaning.

Currently, don't display anything special for a REVIEWED report. This is the
default.

Change-Id: I43ad7c324f6712a22a035c4aac725808cd50e7c3
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/586101
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
kokoro-CI: kokoro <noreply+kokoro@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

internal/osv/affected.go

@@ -33,3 +33,7 @@ func (e *Entry) AffectsStandardLibrary() bool {
 	}
 	return false
 }
+
+func (e *Entry) IsUnreviewed() bool {
+	return e.DatabaseSpecific.ReviewStatus == ReviewStatusUnreviewed
+}

internal/osv/osv.go

@@ -233,4 +233,6 @@ type DatabaseSpecific struct {
 	// The URL of the Go advisory for this vulnerability, of the form
 	// "https://pkg.go.dev/GO-YYYY-XXXX".
 	URL string `json:"url,omitempty"`
+	// The review status of this report (UNREVIEWED or REVIEWED).
+	ReviewStatus ReviewStatus `json:"review_status,omitempty"`
 }

internal/osv/review_status.go

@@ -0,0 +1,67 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package osv
+
+import (
+	"encoding/json"
+	"fmt"
+)
+
+type ReviewStatus int
+
+const (
+	ReviewStatusUnknown ReviewStatus = iota
+	ReviewStatusUnreviewed
+	ReviewStatusReviewed
+)
+
+var statusStrs = []string{
+	ReviewStatusUnknown:    "",
+	ReviewStatusUnreviewed: "UNREVIEWED",
+	ReviewStatusReviewed:   "REVIEWED",
+}
+
+func (r ReviewStatus) String() string {
+	if !r.IsValid() {
+		return fmt.Sprintf("INVALID(%d)", r)
+	}
+	return statusStrs[r]
+}
+
+func ReviewStatusValues() []string {
+	return statusStrs[1:]
+}
+
+func (r ReviewStatus) IsValid() bool {
+	return int(r) >= 0 && int(r) < len(statusStrs)
+}
+
+func ToReviewStatus(s string) (ReviewStatus, bool) {
+	for stat, str := range statusStrs {
+		if s == str {
+			return ReviewStatus(stat), true
+		}
+	}
+	return 0, false
+}
+
+func (r ReviewStatus) MarshalJSON() ([]byte, error) {
+	if !r.IsValid() {
+		return nil, fmt.Errorf("MarshalJSON: unrecognized review status: %d", r)
+	}
+	return json.Marshal(r.String())
+}
+
+func (r *ReviewStatus) UnmarshalJSON(b []byte) error {
+	var s string
+	if err := json.Unmarshal(b, &s); err != nil {
+		return err
+	}
+	if rs, ok := ToReviewStatus(s); ok {
+		*r = rs
+		return nil
+	}
+	return fmt.Errorf("UnmarshalJSON: unrecognized review status: %s", s)
+}

static/frontend/vuln/entry/entry.tmpl

@@ -138,6 +138,11 @@
     </ul>
   {{end}}
   <h2>Feedback</h2>
+  {{if $e.IsUnreviewed}}
+    <div>
+    This report is <a href="https://go.dev/doc/security/vuln/database#database-specificreview-status">unreviewed</a>. It was automatically generated from a third-party source and its details have not been verified by the Go team. 
+    </div>
+  {{end}}
   <div>
     See anything missing or incorrect?
     <a target="_blank" rel="noopener" href="https://github.com/golang/vulndb/issues/new?assignees=&labels=Needs+Triage%2CSuggested+Edit&template=suggest_edit.yaml&title=x%2Fvulndb%3A+suggestion+regarding+{{$e.ID}}&report={{$e.ID}}">

static/frontend/vuln/vuln.tmpl

@@ -54,6 +54,9 @@
       {{with .Withdrawn}}
         <li class="go-textSubtle">Withdrawn: {{.Format "Jan 02, 2006"}}</li>
       {{end}}
+      {{if .IsUnreviewed}}
+        <li class="go-textSubtle">Unreviewed</li>
+      {{end}}
     </ul>
 {{end}}