refactor: move externally depended upon functions into a top level 'external' folder

external/.golangci.yaml

@@ -0,0 +1,144 @@
+version: "2"
+
+linters:
+  default: all
+  # prettier-ignore
+  disable:
+    - forbidigo
+    - paralleltest
+    - tparallel
+    - cyclop           #
+    - depguard         # Too annoying
+    - err113           # will re-add later (another-rex)
+    - exhaustruct      # overkill (g-rath)
+    - forcetypeassert  # too hard (g-rath)
+    - funlen           #
+    - funcorder        #
+    - gochecknoglobals # disagree with, for non changing variables (another-rex)
+    - gocognit         #
+    - goconst          # not everything should be a constant
+    - gocyclo          #
+    - godot            # comments are fine without full stops (g-rath)
+    - godox            # to-do comments are fine (g-rath)
+    - ireturn          # disagree with, sort of (g-rath)
+    - lll              # line length is hard (g-rath)
+    - maintidx         #
+    - mnd              # not every number is magic (g-rath)
+    - nestif           #
+    - noctx            # Most of these don't need a context
+    - noinlineerr      #
+    - nonamedreturns   # disagree with, for now (another-rex)
+    - tagliatelle      # we're parsing data from external sources (g-rath)
+    - testpackage      # will re-add later (another-rex)
+    - varnamelen       # maybe later (g-rath)
+    - wrapcheck        # too difficult, will re-add later (another-rex)
+    - wsl              # disagree with, for now (g-rath)
+    - wsl_v5           # disagree with, for now (g-rath)
+  settings:
+    exhaustive:
+      default-signifies-exhaustive: true
+    gocritic:
+      disabled-checks:
+        - ifElseChain
+    nlreturn:
+      block-size: 2
+    revive:
+      rules:
+        - name: increment-decrement
+          disabled: true
+        - name: blank-imports
+          disabled: false
+        - name: context-as-argument
+          disabled: false
+        - name: context-keys-type
+          disabled: false
+        - name: dot-imports
+          disabled: false
+        - name: empty-block
+          disabled: false
+        - name: error-naming
+          disabled: false
+        - name: error-return
+          disabled: false
+        - name: error-strings
+          disabled: false
+        - name: errorf
+          disabled: false
+        - name: exported
+          disabled: false
+          arguments:
+            # TODO: get these all enabled
+            - "check-private-receivers"
+            # - "check-public-interface"
+            - "disable-checks-on-constants"
+            - "disable-checks-on-functions"
+            - "disable-checks-on-methods"
+            - "disable-checks-on-types"
+            - "disable-checks-on-variables"
+        - name: import-alias-naming
+          disabled: false
+        - name: import-shadowing
+          disabled: false
+        - name: indent-error-flow
+          disabled: false
+        - name: package-comments
+          disabled: false
+        - name: range
+          disabled: false
+        - name: receiver-naming
+          disabled: false
+        - name: redefines-builtin-id
+          disabled: false
+        - name: redundant-test-main-exit
+          disabled: false
+        - name: superfluous-else
+          disabled: false
+        - name: time-naming
+          disabled: false
+        - name: unexported-return
+          disabled: false
+        - name: unreachable-code
+          disabled: false
+        - name: unused-parameter
+          disabled: false
+        - name: use-any
+          disabled: false
+        - name: var-declaration
+          disabled: false
+        - name: var-naming
+          disabled: false
+          arguments:
+            - [] # AllowList
+            - [] # DenyList
+            - - skip-package-name-checks: true
+  exclusions:
+    generated: lax
+    presets:
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      - path: _test\.go
+        linters:
+          - dupl
+      - path-except: _test\.go
+        text: use `testutility.GetCurrentWorkingDirectory`
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+
+issues:
+  max-issues-per-linter: 0
+  max-same-issues: 0

external/cmd/ids/README.md

@@ -0,0 +1,25 @@
+# IDs Tool
+
+This utility assigns IDs to OSV records in a directory. It ensures that IDs are unique and follow a specified prefix and year format.
+
+It is predominately used by [PYSEC](https://github.com/pypa/advisory-database/blob/main/.github/workflows/automation.yaml) and [Malicious Packages](https://github.com/ossf/malicious-packages/blob/main/.github/workflows/assign-osv-ids.yml).
+
+## Usage
+
+```bash
+go run main.go [flags]
+```
+
+### Flags
+
+- `-prefix`: Vulnerability prefix (e.g., "PYSEC"). Required field.
+- `-dir`: Path to vulnerabilities. Required field.
+- `-format`: Format of OSV reports in the repository. Must be "json" or "yaml" (default: "yaml").
+
+## Description
+
+The tool performs the following steps:
+1. Walks the specified directory to find unassigned vulnerabilities (files starting with `PREFIX-0000-`).
+2. Determines the maximum allocated ID for each year.
+3. Assigns new IDs to unassigned vulnerabilities, incrementing the counter for the respective year.
+4. Renames the files to match the new IDs.