When an httpSource is used without a Cache implementation, only fetch
packages which are represented in the index. Previously if there
wasn't a Cache implementation every package was enumerated, ignoring
the contents of the retrieved index.
Change-Id: I8e8e0ce412b3ded188afd6bb109d96efb7e7f27c
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/333455
Trust: Roland Shoemaker <roland@golang.org>
Trust: Zvonimir Pavlinovic <zpavlinovic@google.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
In order to match the current state of the public vulnerability format,
don't prefix SEMVER strings with 'v' or 'go' so that they are valid.
Also update osv.Affects.AffectsSemver so that it can take SEMVER strings
which either do or don't have the prefix.
Change-Id: I879f5c0387338290fe0aaa7ab8391e1c19de681e
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/326489
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Both were missing symbols in the additional_packages section.
Change-Id: I65d159ef58d169743ead440c2fa79d71e183285a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/326509
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Since it doesn't support doing things with sockets.
Updates golang/go#46419.
Change-Id: I22c86706d5ab9ffc6b62ca850aab6621eddedea7
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/324089
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Match the current state of https://tinyurl.com/vuln-json, also fix a
minor bug in deploy-db.sh.
Change-Id: Ib6c225637cb538ef263b7bf182d30e36e76a43e3
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/321509
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Also remove a few improper reports, and format all of the YAML
a bit more nicely.
Change-Id: I1d4d79578228a775489c286991dbe1386e079a66
Reviewed-on: https://team-review.git.corp.google.com/c/golang/vulndb/+/1062398
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Blergh, all incompatible versions of github.com/go-yaml/yaml are vulnerable,
so add it back with an empty versions list.
Change-Id: I881192ea57e4be02fb534d7a1f2951a004c7e648
Reviewed-on: https://team-review.git.corp.google.com/c/golang/vulndb/+/1055920
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Results of testing new CVE triaging tooling. Also adds a file which
tracks which CVEs have been triaged. Still need to add all of the
false positives, but would like to fine tune the triage tooling first
to hopefully cut down the number of them.
Change-Id: I7591b10f5abc5e73b6a3291beeaedca0032ad02f
Reviewed-on: https://team-review.git.corp.google.com/c/golang/vulndb/+/1053804
Reviewed-by: Roland Shoemaker <bracewell@google.com>
fsCache is the only cache implementation available. In order to be
integrated in goaudit, it needs to be made publicly accessible as
go audit and cache do not live in the same repo. fsCache will be made
private again once go audit and client live in the same space in the
near future.
Change-Id: I4dd86f407ce83f2162e8a1921f86643bbefdd456
Reviewed-on: https://team-review.git.corp.google.com/c/golang/vulndb/+/1033548
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Check the proxy to determine valid versions and canonical module
import paths. This should prevent rogue database entries that
do not cleanly apply to real go.mod files.
Change-Id: Iea1b531fe5bed7a0825102c6ac877a515f24c0f5
Reviewed-on: https://team-review.git.corp.google.com/c/golang/vulndb/+/1032616
Reviewed-by: Roland Shoemaker <bracewell@google.com>
github.com/dgrijalva/jwt-go is not a module per se. Hence, its pkg
versions require +incompatible annotation. Also, corresponding pkgs do
not have /vX suffixes.
Change-Id: I434b1a6af7ecd22b161d344a2ffe115fa9b883e9
Reviewed-on: https://team-review.git.corp.google.com/c/golang/vulndb/+/1027982
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Some vulnerabilities, such as GO-2020-0002.toml, do not have CVE
metadata. Accessing CVEMetadata.ID without checking if CVEMetadata is
nil can lead to a nil dereference.
Change-Id: I06a24a7d80a0e8be768af198a1b6254f15de98d3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/vulndb/+/1026682
Reviewed-by: Roland Shoemaker <bracewell@google.com>