internal/report, all: use time.Now as default created time

For new reports, the default created time is now time.Now(). An alternate time (e.g., for testing) can be provided via the WithCreated() option. Update tests to include a placeholder created time. Change-Id: I2c48ac56c89d2f33310fca58ae44ff7e9035f609 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/583837 Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
golang · May 15, 2024 · 6105628 · 6105628
1 parent 2ff2c86
commit 6105628
Show file tree

Hide file tree

Showing 58 changed files with 91 additions and 21 deletions.
diff --git a/cmd/issue/main.go b/cmd/issue/main.go
@@ -17,6 +17,7 @@ import (
 	"os"
 	"sort"
 	"strings"
+	"time"
 
 	"golang.org/x/vulndb/internal"
 	"golang.org/x/vulndb/internal/ghsa"
@@ -154,7 +155,7 @@ func constructIssue(ctx context.Context, c *issues.Client, ghsaClient *ghsa.Clie
 		for _, id := range sa.Identifiers {
 			ids = append(ids, id.Value)
 		}
-		body, err := worker.CreateGHSABody(sa, rc, pc)
+		body, err := worker.CreateGHSABody(sa, rc, pc, time.Now())
 		if err != nil {
 			return err
 		}

diff --git a/cmd/vulnreport/create.go b/cmd/vulnreport/create.go
@@ -11,7 +11,6 @@ import (
 	"fmt"
 	"strconv"
 	"strings"
-	"time"
 
 	"golang.org/x/vulndb/cmd/vulnreport/log"
 	"golang.org/x/vulndb/internal/cve5"
@@ -247,7 +246,6 @@ func reportFromAliases(ctx context.Context, id, modulePath string, aliases []str
 		report.WithGoID(id),
 		report.WithModulePath(modulePath),
 		report.WithAliases(aliases),
-		report.WithCreated(time.Now()),
 	)
 
 	// Find any additional aliases referenced by the source aliases.

diff --git a/internal/cve4/testdata/cve/TestToReport/CVE-2020-9283.txtar b/internal/cve4/testdata/cve/TestToReport/CVE-2020-9283.txtar
@@ -28,3 +28,4 @@ references:
     - web: https://lists.debian.org/debian-lts-announce/2023/06/msg00017.html
 source:
     id: CVE-2020-9283
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/cve4/testdata/cve/TestToReport/CVE-2021-27919.txtar b/internal/cve4/testdata/cve/TestToReport/CVE-2021-27919.txtar
@@ -24,3 +24,4 @@ references:
     - web: https://security.gentoo.org/glsa/202208-02
 source:
     id: CVE-2021-27919
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/cve4/testdata/cve/TestToReport/CVE-2021-3115.txtar b/internal/cve4/testdata/cve/TestToReport/CVE-2021-3115.txtar
@@ -26,3 +26,4 @@ references:
     - web: https://security.gentoo.org/glsa/202208-02
 source:
     id: CVE-2021-3115
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/cve4/testdata/cve/TestToReport/CVE-2022-39213.txtar b/internal/cve4/testdata/cve/TestToReport/CVE-2022-39213.txtar
@@ -34,3 +34,4 @@ references:
     - web: https://github.com/pandatix/go-cvss/blob/master/SECURITY.md
 source:
     id: CVE-2022-39213
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/cve4/testdata/cve/TestToReport/CVE-2023-29407.txtar b/internal/cve4/testdata/cve/TestToReport/CVE-2023-29407.txtar
@@ -28,3 +28,4 @@ cve_metadata:
     cwe: 'CWE-834: Excessive Iteration'
 source:
     id: CVE-2023-29407
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/cve4/testdata/cve/TestToReport/CVE-2023-44378.txtar b/internal/cve4/testdata/cve/TestToReport/CVE-2023-44378.txtar
@@ -29,3 +29,4 @@ references:
     - fix: https://github.com/Consensys/gnark/commit/59a4087261a6c73f13e80d695c17b398c3d0934f
 source:
     id: CVE-2023-44378
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/cve4/testdata/cve/TestToReport/CVE-2023-45141.txtar b/internal/cve4/testdata/cve/TestToReport/CVE-2023-45141.txtar
@@ -29,3 +29,4 @@ references:
     - advisory: https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p
 source:
     id: CVE-2023-45141
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/cve4/testdata/cve/TestToReport/CVE-2023-45283.txtar b/internal/cve4/testdata/cve/TestToReport/CVE-2023-45283.txtar
@@ -39,3 +39,4 @@ cve_metadata:
     cwe: 'CWE-41: Improper Resolution of Path Equivalence'
 source:
     id: CVE-2023-45283
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/cve4/testdata/cve/TestToReport/CVE-2023-45285.txtar b/internal/cve4/testdata/cve/TestToReport/CVE-2023-45285.txtar
@@ -26,3 +26,4 @@ cve_metadata:
     cwe: 'CWE-636: Not Failing Securely (''Failing Open'')'
 source:
     id: CVE-2023-45285
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/cve4/testdata/cve/TestToReport/CVE-2023-45286.txtar b/internal/cve4/testdata/cve/TestToReport/CVE-2023-45286.txtar
@@ -31,3 +31,4 @@ cve_metadata:
     cwe: 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'
 source:
     id: CVE-2023-45286
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/cve5/testdata/cve/TestToReport/CVE-2020-9283.txtar b/internal/cve5/testdata/cve/TestToReport/CVE-2020-9283.txtar
@@ -28,3 +28,4 @@ references:
     - web: https://lists.debian.org/debian-lts-announce/2023/06/msg00017.html
 source:
     id: CVE-2020-9283
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/cve5/testdata/cve/TestToReport/CVE-2021-27919.txtar b/internal/cve5/testdata/cve/TestToReport/CVE-2021-27919.txtar
@@ -24,3 +24,4 @@ references:
     - web: https://security.gentoo.org/glsa/202208-02
 source:
     id: CVE-2021-27919
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/cve5/testdata/cve/TestToReport/CVE-2021-3115.txtar b/internal/cve5/testdata/cve/TestToReport/CVE-2021-3115.txtar
@@ -26,3 +26,4 @@ references:
     - web: https://security.gentoo.org/glsa/202208-02
 source:
     id: CVE-2021-3115
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/cve5/testdata/cve/TestToReport/CVE-2022-39213.txtar b/internal/cve5/testdata/cve/TestToReport/CVE-2022-39213.txtar
@@ -37,3 +37,4 @@ references:
     - web: https://github.com/pandatix/go-cvss/blob/master/SECURITY.md
 source:
     id: CVE-2022-39213
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/cve5/testdata/cve/TestToReport/CVE-2023-29407.txtar b/internal/cve5/testdata/cve/TestToReport/CVE-2023-29407.txtar
@@ -38,3 +38,4 @@ cve_metadata:
     cwe: 'CWE-834: Excessive Iteration'
 source:
     id: CVE-2023-29407
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/cve5/testdata/cve/TestToReport/CVE-2023-44378.txtar b/internal/cve5/testdata/cve/TestToReport/CVE-2023-44378.txtar
@@ -33,3 +33,4 @@ references:
     - fix: https://github.com/Consensys/gnark/commit/59a4087261a6c73f13e80d695c17b398c3d0934f
 source:
     id: CVE-2023-44378
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/cve5/testdata/cve/TestToReport/CVE-2023-45141.txtar b/internal/cve5/testdata/cve/TestToReport/CVE-2023-45141.txtar
@@ -30,3 +30,4 @@ references:
     - advisory: https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p
 source:
     id: CVE-2023-45141
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/cve5/testdata/cve/TestToReport/CVE-2023-45283.txtar b/internal/cve5/testdata/cve/TestToReport/CVE-2023-45283.txtar
@@ -100,3 +100,4 @@ notes:
     - fix: 'module merge error: could not merge versions of module std: range events must be in strictly ascending order (found 1.20.11>=1.20.11)'
 source:
     id: CVE-2023-45283
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/cve5/testdata/cve/TestToReport/CVE-2023-45285.txtar b/internal/cve5/testdata/cve/TestToReport/CVE-2023-45285.txtar
@@ -32,3 +32,4 @@ cve_metadata:
     cwe: 'CWE-636: Not Failing Securely (''Failing Open'')'
 source:
     id: CVE-2023-45285
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/cve5/testdata/cve/TestToReport/CVE-2023-45286.txtar b/internal/cve5/testdata/cve/TestToReport/CVE-2023-45286.txtar
@@ -48,3 +48,4 @@ cve_metadata:
     cwe: 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'
 source:
     id: CVE-2023-45286
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/cvelistrepo/txtar.go b/internal/cvelistrepo/txtar.go
@@ -49,6 +49,7 @@ var (
 		// A third-party CVE assigned by the Go CNA.
 		"CVE-2023-45286": "github.com/go-resty/resty/v2",
 	}
+	testTime = time.Date(1999, 1, 1, 0, 0, 0, 0, time.UTC)
 )
 
 func UpdateTxtar(ctx context.Context, t *testing.T, url string) {
@@ -93,7 +94,8 @@ func TestToReport[S report.Source](t *testing.T, update, realProxy bool) error {
 				t.Fatalf("%s not found in testCVEs", id)
 			}
 
-			r := report.New(cve, pc, report.WithModulePath(mp))
+			r := report.New(cve, pc, report.WithModulePath(mp),
+				report.WithCreated(testTime))
 			b, err := yaml.Marshal(r)
 			if err != nil {
 				t.Fatal(err)

diff --git a/internal/genericosv/report_test.go b/internal/genericosv/report_test.go
@@ -10,6 +10,7 @@ import (
 	"path/filepath"
 	"strings"
 	"testing"
+	"time"
 
 	"github.com/google/go-cmp/cmp"
 	"golang.org/x/vulndb/internal/proxy"
@@ -25,6 +26,7 @@ var (
 	testdataDir = "testdata"
 	testOSVDir  = filepath.Join(testdataDir, "osv")
 	testYAMLDir = filepath.Join(testdataDir, "yaml")
+	testTime    = time.Date(1999, 1, 1, 0, 0, 0, 0, time.UTC)
 )
 
 // To update test cases to reflect new expected behavior
@@ -52,7 +54,7 @@ func TestToReport(t *testing.T) {
 				t.Fatal(err)
 			}
 
-			got := report.New(osv, pc)
+			got := report.New(osv, pc, report.WithCreated(testTime))
 			// Keep record of what lints would apply to each generated report.
 			got.LintAsNotes(pc)
 

diff --git a/internal/genericosv/testdata/yaml/GHSA-28r2-q6m8-9hpx.yaml b/internal/genericosv/testdata/yaml/GHSA-28r2-q6m8-9hpx.yaml
@@ -40,3 +40,4 @@ references:
     - web: https://github.com/hashicorp/go-getter/releases
 source:
     id: GHSA-28r2-q6m8-9hpx
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-33m6-q9v5-62r7.yaml b/internal/genericosv/testdata/yaml/GHSA-33m6-q9v5-62r7.yaml
@@ -61,3 +61,4 @@ notes:
     - lint: 'summary: must begin with a capital letter'
 source:
     id: GHSA-33m6-q9v5-62r7
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-3hwm-922r-47hw.yaml b/internal/genericosv/testdata/yaml/GHSA-3hwm-922r-47hw.yaml
@@ -24,3 +24,4 @@ notes:
     - lint: 'modules[0] "atomys.codes/stud42": version 0.23.0 does not exist'
 source:
     id: GHSA-3hwm-922r-47hw
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-3wq5-3f56-v5xc.yaml b/internal/genericosv/testdata/yaml/GHSA-3wq5-3f56-v5xc.yaml
@@ -29,3 +29,4 @@ notes:
     - lint: 'modules[1] "github.com/mattermost/mattermost-server/v6": version 7.1.6 does not exist'
 source:
     id: GHSA-3wq5-3f56-v5xc
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-54q4-74p3-mgcw.yaml b/internal/genericosv/testdata/yaml/GHSA-54q4-74p3-mgcw.yaml
@@ -23,3 +23,4 @@ notes:
     - lint: 'summary: must begin with a capital letter'
 source:
     id: GHSA-54q4-74p3-mgcw
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-5m6c-jp6f-2vcv.yaml b/internal/genericosv/testdata/yaml/GHSA-5m6c-jp6f-2vcv.yaml
@@ -24,3 +24,4 @@ notes:
     - lint: 'modules[0] "github.com/oauth2-proxy/oauth2-proxy": 2 versions do not exist: 5.1.1, 6.0.0'
 source:
     id: GHSA-5m6c-jp6f-2vcv
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-627p-rr78-99rj.yaml b/internal/genericosv/testdata/yaml/GHSA-627p-rr78-99rj.yaml
@@ -72,3 +72,4 @@ notes:
     - lint: 'modules[1] "github.com/concourse/dex": 4 versions do not exist: 6.3.0, 6.3.1, 6.4.0, 6.4.1'
 source:
     id: GHSA-627p-rr78-99rj
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-66p8-j459-rq63.yaml b/internal/genericosv/testdata/yaml/GHSA-66p8-j459-rq63.yaml
@@ -48,3 +48,4 @@ notes:
     - lint: 'summary: too long (found 163 characters, want <=125)'
 source:
     id: GHSA-66p8-j459-rq63
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-69v6-xc2j-r2jf.yaml b/internal/genericosv/testdata/yaml/GHSA-69v6-xc2j-r2jf.yaml
@@ -46,3 +46,4 @@ notes:
     - lint: 'modules[1] "github.com/ethereum/go-ethereum": version 1.19.7 does not exist'
 source:
     id: GHSA-69v6-xc2j-r2jf
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-6qfg-8799-r575.yaml b/internal/genericosv/testdata/yaml/GHSA-6qfg-8799-r575.yaml
@@ -35,3 +35,4 @@ references:
     - web: https://groups.google.com/d/msg/kubernetes-announce/YYtEFdFimZ4/nZnOezZuBgAJ
 source:
     id: GHSA-6qfg-8799-r575
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-6rg3-8h8x-5xfv.yaml b/internal/genericosv/testdata/yaml/GHSA-6rg3-8h8x-5xfv.yaml
@@ -32,3 +32,4 @@ notes:
     - lint: 'summary: too long (found 142 characters, want <=125)'
 source:
     id: GHSA-6rg3-8h8x-5xfv
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-7943-82jg-wmw5.yaml b/internal/genericosv/testdata/yaml/GHSA-7943-82jg-wmw5.yaml
@@ -133,3 +133,4 @@ notes:
     - lint: 'modules[0] "github.com/argoproj/argo-cd": version 2.2.11 does not exist'
 source:
     id: GHSA-7943-82jg-wmw5
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-7fxj-fr3v-r9gj.yaml b/internal/genericosv/testdata/yaml/GHSA-7fxj-fr3v-r9gj.yaml
@@ -28,3 +28,4 @@ notes:
     - lint: 'modules[0] "github.com/pingcap/tidb": version 6.2.0 does not exist'
 source:
     id: GHSA-7fxj-fr3v-r9gj
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-9689-rx4v-cqgc.yaml b/internal/genericosv/testdata/yaml/GHSA-9689-rx4v-cqgc.yaml
@@ -29,3 +29,4 @@ notes:
     - lint: 'modules[0] "github.com/concourse/concourse": packages[0] "github.com/concourse/concourse/skymarshal/skyserver": at least one of vulnerable_at and skip_fix must be set'
 source:
     id: GHSA-9689-rx4v-cqgc
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-cf7g-cm7q-rq7f.yaml b/internal/genericosv/testdata/yaml/GHSA-cf7g-cm7q-rq7f.yaml
@@ -22,3 +22,4 @@ notes:
     - lint: 'modules[0] "github.com/drakkan/sftpgo": version 2.3.5 does not exist'
 source:
     id: GHSA-cf7g-cm7q-rq7f
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-fv82-r8qv-ch4v.yaml b/internal/genericosv/testdata/yaml/GHSA-fv82-r8qv-ch4v.yaml
@@ -40,3 +40,4 @@ notes:
     - lint: 'summary: must begin with a capital letter'
 source:
     id: GHSA-fv82-r8qv-ch4v
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-g5gj-9ggf-9vmq.yaml b/internal/genericosv/testdata/yaml/GHSA-g5gj-9ggf-9vmq.yaml
@@ -27,3 +27,4 @@ notes:
     - lint: 'description: possible markdown formatting (found ## )'
 source:
     id: GHSA-g5gj-9ggf-9vmq
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-g9wh-3vrx-r7hg.yaml b/internal/genericosv/testdata/yaml/GHSA-g9wh-3vrx-r7hg.yaml
@@ -26,3 +26,4 @@ notes:
     - lint: 'description: possible markdown formatting (found ## )'
 source:
     id: GHSA-g9wh-3vrx-r7hg
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-hjv9-hm2f-rpcj.yaml b/internal/genericosv/testdata/yaml/GHSA-hjv9-hm2f-rpcj.yaml
@@ -33,3 +33,4 @@ notes:
     - lint: 'modules[0] "github.com/grafana/grafana": 6 versions do not exist: 8.1.0, 8.5.21, 9.0.0, 9.2.13, 9.3.0, 9.3.8'
 source:
     id: GHSA-hjv9-hm2f-rpcj
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-hmfx-3pcx-653p.yaml b/internal/genericosv/testdata/yaml/GHSA-hmfx-3pcx-653p.yaml
@@ -72,3 +72,4 @@ notes:
     - lint: 'description: possible markdown formatting (found `"USER $USERNAME"`)'
 source:
     id: GHSA-hmfx-3pcx-653p
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-hv53-vf5m-8q94.yaml b/internal/genericosv/testdata/yaml/GHSA-hv53-vf5m-8q94.yaml
@@ -59,3 +59,4 @@ notes:
     - lint: 'summary: must begin with a capital letter'
 source:
     id: GHSA-hv53-vf5m-8q94
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-jh36-q97c-9928.yaml b/internal/genericosv/testdata/yaml/GHSA-jh36-q97c-9928.yaml
@@ -33,3 +33,4 @@ references:
     - web: https://security.netapp.com/advisory/ntap-20230505-0007/
 source:
     id: GHSA-jh36-q97c-9928
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-jmp2-wc4p-wfh2.yaml b/internal/genericosv/testdata/yaml/GHSA-jmp2-wc4p-wfh2.yaml
@@ -64,3 +64,4 @@ notes:
     - lint: 'summary: too long (found 144 characters, want <=125)'
 source:
     id: GHSA-jmp2-wc4p-wfh2
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-pg5p-wwp8-97g8.yaml b/internal/genericosv/testdata/yaml/GHSA-pg5p-wwp8-97g8.yaml
@@ -74,3 +74,4 @@ notes:
     - lint: 'modules[0] "github.com/cilium/cilium": unsupported_versions: found 1 (want none)'
 source:
     id: GHSA-pg5p-wwp8-97g8
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-pmfr-63c2-jr5c.yaml b/internal/genericosv/testdata/yaml/GHSA-pmfr-63c2-jr5c.yaml
@@ -73,3 +73,4 @@ notes:
     - lint: 'modules[0] "github.com/sylabs/singularity": version 3.6.0 does not exist'
 source:
     id: GHSA-pmfr-63c2-jr5c
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-vp35-85q5-9f25.yaml b/internal/genericosv/testdata/yaml/GHSA-vp35-85q5-9f25.yaml
@@ -114,3 +114,4 @@ notes:
     - lint: 'description: possible markdown formatting (found `git+<protocol>://...`)'
 source:
     id: GHSA-vp35-85q5-9f25
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-w4xh-w33p-4v29.yaml b/internal/genericosv/testdata/yaml/GHSA-w4xh-w33p-4v29.yaml
@@ -34,3 +34,4 @@ notes:
     - lint: 'modules[1] "github.com/git-lfs/git-lfs": version 2.1.1-0.20170519163204-f913f5f9c7c6 does not exist'
 source:
     id: GHSA-w4xh-w33p-4v29
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-wx8q-rgfr-cf6v.yaml b/internal/genericosv/testdata/yaml/GHSA-wx8q-rgfr-cf6v.yaml
@@ -30,3 +30,4 @@ notes:
     - lint: 'description: possible markdown formatting (found ### )'
 source:
     id: GHSA-wx8q-rgfr-cf6v
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-xmg8-99r8-jc2j.yaml b/internal/genericosv/testdata/yaml/GHSA-xmg8-99r8-jc2j.yaml
@@ -76,3 +76,4 @@ notes:
     - lint: 'modules[0] "github.com/argoproj/argo-cd": version 2.1.15 does not exist'
 source:
     id: GHSA-xmg8-99r8-jc2j
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/genericosv/testdata/yaml/GHSA-xx9w-464f-7h6f.yaml b/internal/genericosv/testdata/yaml/GHSA-xx9w-464f-7h6f.yaml
@@ -46,3 +46,4 @@ notes:
     - lint: 'modules[0] "github.com/goharbor/harbor": version 1.0.0 does not exist'
 source:
     id: GHSA-xx9w-464f-7h6f
+    created: 1999-01-01T00:00:00Z
diff --git a/internal/ghsa/ghsa2report_test.go b/internal/ghsa/ghsa2report_test.go
@@ -18,6 +18,8 @@ var (
 	realProxy = flag.Bool("proxy", false, "if true, contact the real module proxy and update expected responses")
 )
 
+var testTime = time.Date(1999, 1, 1, 0, 0, 0, 0, time.UTC)
+
 func TestGHSAToReport(t *testing.T) {
 	updatedTime := time.Date(2022, 01, 01, 01, 01, 00, 00, time.UTC)
 	sa := &SecurityAdvisory{
@@ -64,7 +66,10 @@ func TestGHSAToReport(t *testing.T) {
 				GHSAs:       []string{"G1"},
 				CVEs:        []string{"C1"},
 				References:  []*report.Reference{{Type: "REPORT", URL: "https://github.com/permalink/to/issue/12345"}},
-				SourceMeta:  &report.SourceMeta{ID: "G1_blah"},
+				SourceMeta: &report.SourceMeta{
+					ID:      "G1_blah",
+					Created: &testTime,
+				},
 			},
 		},
 		{
@@ -90,13 +95,17 @@ func TestGHSAToReport(t *testing.T) {
 				GHSAs:       []string{"G1"},
 				CVEs:        []string{"C1"},
 				References:  []*report.Reference{{Type: "REPORT", URL: "https://github.com/permalink/to/issue/12345"}},
-				SourceMeta:  &report.SourceMeta{ID: "G1_blah"},
+				SourceMeta: &report.SourceMeta{
+					ID:      "G1_blah",
+					Created: &testTime,
+				},
 			},
 		},
 	} {
 		test := test
 		t.Run(test.name, func(t *testing.T) {
-			got := report.New(sa, pc, report.WithModulePath(test.module))
+			got := report.New(sa, pc, report.WithModulePath(test.module),
+				report.WithCreated(testTime))
 			if diff := cmp.Diff(*got, *test.want); diff != "" {
 				t.Errorf("mismatch (-want, +got):\n%s", diff)
 			}

diff --git a/internal/report/new.go b/internal/report/new.go
@@ -30,9 +30,7 @@ func New(src Source, pc *proxy.Client, opts ...NewOption) *Report {
 	r.SourceMeta = &SourceMeta{
 		ID: src.SourceID(),
 	}
-	if !cfg.Created.IsZero() {
-		r.SourceMeta.Created = &cfg.Created
-	}
+	r.SourceMeta.Created = &cfg.Created
 
 	r.Fix(pc)
 	return r
@@ -79,7 +77,8 @@ const PendingID = "GO-ID-PENDING"
 
 func newCfg(opts []NewOption) *cfg {
 	h := &cfg{
-		GoID: PendingID,
+		GoID:    PendingID,
+		Created: time.Now(),
 	}
 	for _, opt := range opts {
 		opt(h)