internal/report: add single-report priority override

Change-Id: Icc3df6dc395a05e834c342f2ca7f848299e23f81
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/620356
Reviewed-by: Maceo Thompson <maceothompson@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

all_test.go

@@ -140,7 +140,7 @@ func TestLintReports(t *testing.T) {
 			// This can happen because the initial quick triage algorithm
 			// doesn't know about all affected modules - just the one
 			// listed in the Github issue.
-			if r.IsUnreviewed() {
+			if r.IsUnreviewed() && !r.UnreviewedOK {
 				pr, _ := priority.AnalyzeReport(r, rc, modulesToImports)
 				if pr.Priority == priority.High {
 					t.Errorf("UNREVIEWED report %s is high priority (should be REVIEWED) - reason: %s", filename, pr.Reason)

data/reports/GO-2024-3171.yaml

@@ -21,3 +21,4 @@ source:
     id: GHSA-mc76-5925-c5p6
     created: 2024-10-11T13:24:14.982923-04:00
 review_status: UNREVIEWED
+unreviewed_ok: true

internal/report/report.go

@@ -372,6 +372,9 @@ type Report struct {
 	SourceMeta *SourceMeta `yaml:"source,omitempty"`
 
 	ReviewStatus ReviewStatus `yaml:"review_status,omitempty"`
+	// Allow this report to be UNREVIEWED regardless of it's modules'
+	// priorities.
+	UnreviewedOK bool `yaml:"unreviewed_ok,omitempty"`
 
 	// (For unexcluded reports) The reason this report was previously
 	// excluded. Not published to OSV.

internal/triage/priority/priority.go

@@ -95,8 +95,6 @@ var override map[string]Priority = map[string]Priority{
 	// information without intervention.
 	"github.com/argoproj/argo-cd":    Low,
 	"github.com/argoproj/argo-cd/v2": Low,
-	// For #3171
-	"github.com/containers/common": Low,
 }
 
 func priority(mp string, importers int, sc map[reportState]int) *Result {