reports: reformat

Run `vulnreport format` on all reports.

Change-Id: I442d0a3b12bf9a6e2e6b5c3ff5e201313d3929a1
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/382515
Trust: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Julie Qiu <julie@golang.org>

reports/GO-2020-0001.yaml

@@ -2,18 +2,18 @@ module: github.com/gin-gonic/gin
 versions:
   - fixed: v1.6.0
 description: |
-  The default Formatter for the Logger middleware (LoggerConfig.Formatter),
-  which is included in the Default engine, allows attackers to inject arbitrary
-  log entries by manipulating the request path.
-credit: "@thinkerou <thinkerou@gmail.com>"
+    The default Formatter for the Logger middleware (LoggerConfig.Formatter),
+    which is included in the Default engine, allows attackers to inject arbitrary
+    log entries by manipulating the request path.
+credit: '@thinkerou <thinkerou@gmail.com>'
 symbols:
   - defaultLogFormatter
 links:
-  pr: https://github.com/gin-gonic/gin/pull/2237
-  commit: https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d
+    pr: https://github.com/gin-gonic/gin/pull/2237
+    commit: https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d
 cve_metadata:
-  id: CVE-9999-0001
-  cwe: "CWE-20: Improper Input Validation"
-  description: |
-    Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0
-    allows remote attackers to inject arbitrary log lines.
+    id: CVE-9999-0001
+    cwe: 'CWE-20: Improper Input Validation'
+    description: |
+        Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0
+        allows remote attackers to inject arbitrary log lines.

reports/GO-2020-0002.yaml

@@ -2,12 +2,12 @@ module: github.com/proglottis/gpgme
 versions:
   - fixed: v0.1.1
 description: |
-  The Data, Context, or Key finalizers might run during or before GPGME
-  operations. This will release the C structures that are still in use, leading
-  to crashes and potentially code execution through a use-after-free.
+    The Data, Context, or Key finalizers might run during or before GPGME
+    operations. This will release the C structures that are still in use, leading
+    to crashes and potentially code execution through a use-after-free.
 cves:
   - CVE-2020-8945
 credit: Ulrich Obergfell <uobergfe@redhat.com>
 links:
-  pr: https://github.com/proglottis/gpgme/pull/23
-  commit: https://github.com/proglottis/gpgme/commit/92153bcb59bd2f511e502262c46c7bd660e21733
+    pr: https://github.com/proglottis/gpgme/pull/23
+    commit: https://github.com/proglottis/gpgme/commit/92153bcb59bd2f511e502262c46c7bd660e21733

reports/GO-2020-0003.yaml

@@ -2,18 +2,18 @@ module: github.com/revel/revel
 versions:
   - fixed: v1.0.0
 description: |
-  An attacker can cause an application that accepts slice parameters
-  (https://revel.github.io/manual/parameters.html#slices) to allocate large
-  amounts of memory and crash through manipulating the request query sent to the application.
-credit: "@SYM01"
+    An attacker can cause an application that accepts slice parameters
+    (https://revel.github.io/manual/parameters.html#slices) to allocate large
+    amounts of memory and crash through manipulating the request query sent to the application.
+credit: '@SYM01'
 links:
-  pr: https://github.com/revel/revel/pull/1427
-  commit: https://github.com/revel/revel/commit/d160ecb72207824005b19778594cbdc272e8a605
-  context:
-    - https://github.com/revel/revel/issues/1424
+    pr: https://github.com/revel/revel/pull/1427
+    commit: https://github.com/revel/revel/commit/d160ecb72207824005b19778594cbdc272e8a605
+    context:
+      - https://github.com/revel/revel/issues/1424
 cve_metadata:
-  id: CVE-9999-0002
-  cwe: "CWE-400: Uncontrolled Resource Consumption"
-  description: |
-    Unsanitized input in the query parser in github.com/revel/revel before v1.0.0
-    allows remote attackers to cause resource exhaustion via memory allocation.
+    id: CVE-9999-0002
+    cwe: 'CWE-400: Uncontrolled Resource Consumption'
+    description: |
+        Unsanitized input in the query parser in github.com/revel/revel before v1.0.0
+        allows remote attackers to cause resource exhaustion via memory allocation.

reports/GO-2020-0004.yaml

@@ -3,24 +3,24 @@ versions:
   - introduced: v0.0.0-20160722212129-ac0cc4484ad4
     fixed: v0.0.0-20200131131040-063a3fb69896
 description: |
-  If any of the ListenAndServe functions are called with an empty token,
-  token authentication is disabled globally for all listeners.
+    If any of the ListenAndServe functions are called with an empty token,
+    token authentication is disabled globally for all listeners.
 
-  Also, a minor timing side channel was present allowing attackers with
-  very low latency and able to make a lot of requests to potentially
-  recover the token.
-credit: "@bouk"
+    Also, a minor timing side channel was present allowing attackers with
+    very low latency and able to make a lot of requests to potentially
+    recover the token.
+credit: '@bouk'
 symbols:
   - Auth.ServerHTTP
   - Auth.ListenAndServeTLS
   - Auth.ListenAndServe
 links:
-  pr: https://github.com/nanobox-io/golang-nanoauth/pull/5
-  commit: https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3
+    pr: https://github.com/nanobox-io/golang-nanoauth/pull/5
+    commit: https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3
 cve_metadata:
-  id: CVE-9999-0003
-  cwe: "CWE-305: Authentication Bypass by Primary Weakness"
-  description: |
-    Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between
-    v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe
-    is called with an empty token.
+    id: CVE-9999-0003
+    cwe: 'CWE-305: Authentication Bypass by Primary Weakness'
+    description: |
+        Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between
+        v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe
+        is called with an empty token.

reports/GO-2020-0005.yaml

@@ -3,9 +3,9 @@ package: go.etcd.io/etcd/wal
 versions:
   - fixed: v0.5.0-alpha.5.0.20200423152442-f4b650b51dc4
 description: |
-  Malformed WALs can be constructed such that WAL.ReadAll can cause attempted
-  out of bounds reads, or creation of arbitrarily sized slices, which may be used as
-  a DoS vector.
+    Malformed WALs can be constructed such that WAL.ReadAll can cause attempted
+    out of bounds reads, or creation of arbitrarily sized slices, which may be used as
+    a DoS vector.
 cves:
   - CVE-2020-15106
   - CVE-2020-15112
@@ -14,7 +14,7 @@ symbols:
   - WAL.ReadAll
   - decoder.decodeRecord
 links:
-  pr: https://github.com/etcd-io/etcd/pull/11793
-  commit: https://github.com/etcd-io/etcd/commit/f4b650b51dc4a53a8700700dc12e1242ac56ba07
-  context:
-    - https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf
+    pr: https://github.com/etcd-io/etcd/pull/11793
+    commit: https://github.com/etcd-io/etcd/commit/f4b650b51dc4a53a8700700dc12e1242ac56ba07
+    context:
+      - https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf

reports/GO-2020-0006.yaml

@@ -2,14 +2,14 @@ module: github.com/miekg/dns
 versions:
   - fixed: v1.0.4-0.20180125103619-43913f2f4fbd
 description: |
-  An attacker may prevent TCP connections to a Server by opening
-  a connection and leaving it idle, until the connection is closed by
-  the server no other connections will be accepted.
+    An attacker may prevent TCP connections to a Server by opening
+    a connection and leaving it idle, until the connection is closed by
+    the server no other connections will be accepted.
 cves:
   - CVE-2017-15133
 credit: Pedro Sampaio
 symbols:
   - Server.serveTCP
 links:
-  pr: https://github.com/miekg/dns/pull/631
-  commit: https://github.com/miekg/dns/commit/43913f2f4fbd7dcff930b8a809e709591e4dd79e
+    pr: https://github.com/miekg/dns/pull/631
+    commit: https://github.com/miekg/dns/commit/43913f2f4fbd7dcff930b8a809e709591e4dd79e

reports/GO-2020-0007.yaml

@@ -2,15 +2,15 @@ module: github.com/seccomp/libseccomp-golang
 versions:
   - fixed: v0.9.1-0.20170424173420-06e7a29f36a3
 description: |
-  Filters containing rules with multiple syscall arguments are improperly
-  constructed, such that all arguments are required to match rather than
-  any of the arguments (AND is used rather than OR). These filters can be
-  bypassed by only specifying a subset of the arguments due to this
-  behavior.
+    Filters containing rules with multiple syscall arguments are improperly
+    constructed, such that all arguments are required to match rather than
+    any of the arguments (AND is used rather than OR). These filters can be
+    bypassed by only specifying a subset of the arguments due to this
+    behavior.
 cves:
   - CVE-2017-18367
-credit: "@ihac"
+credit: '@ihac'
 symbols:
   - ScmpFilter.addRuleGeneric
 links:
-  commit: https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e
+    commit: https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e

reports/GO-2020-0008.yaml

@@ -2,16 +2,16 @@ module: github.com/miekg/dns
 versions:
   - fixed: v1.1.25-0.20191211073109-8ebf2e419df7
 description: |
-  DNS message transaction IDs are generated using math/rand which
-  makes them relatively predictable. This reduces the complexity
-  of response spoofing attacks against DNS clients.
+    DNS message transaction IDs are generated using math/rand which
+    makes them relatively predictable. This reduces the complexity
+    of response spoofing attacks against DNS clients.
 cves:
   - CVE-2019-19794
 symbols:
   - id
 links:
-  pr: https://github.com/miekg/dns/pull/1044
-  commit: https://github.com/miekg/dns/commit/8ebf2e419df7857ac8919baa05248789a8ffbf33
-  context:
-    - https://github.com/miekg/dns/issues/1037
-    - https://github.com/miekg/dns/issues/1043
+    pr: https://github.com/miekg/dns/pull/1044
+    commit: https://github.com/miekg/dns/commit/8ebf2e419df7857ac8919baa05248789a8ffbf33
+    context:
+      - https://github.com/miekg/dns/issues/1037
+      - https://github.com/miekg/dns/issues/1043

reports/GO-2020-0009.yaml

@@ -8,10 +8,10 @@ additional_packages:
 versions:
   - fixed: v0.0.0-20160903044734-789a4c4bd4c1
 description: |
-  On 32-bit platforms an attacker can manipulate a ciphertext encrypted with AES-CBC
-  with HMAC such that they can control how large the input buffer is when computing
-  the HMAC authentication tag. This can can allow a manipulated ciphertext to be
-  verified as authentic, opening the door for padding oracle attacks.
+    On 32-bit platforms an attacker can manipulate a ciphertext encrypted with AES-CBC
+    with HMAC such that they can control how large the input buffer is when computing
+    the HMAC authentication tag. This can can allow a manipulated ciphertext to be
+    verified as authentic, opening the door for padding oracle attacks.
 cves:
   - CVE-2016-9123
 credit: Quan Nguyen from Google's Information Security Engineering Team
@@ -31,6 +31,6 @@ arch:
   - s390
   - sparc
 links:
-  commit: https://github.com/square/go-jose/commit/789a4c4bd4c118f7564954f441b29c153ccd6a96
-  context:
-    - https://www.openwall.com/lists/oss-security/2016/11/03/1
+    commit: https://github.com/square/go-jose/commit/789a4c4bd4c118f7564954f441b29c153ccd6a96
+    context:
+      - https://www.openwall.com/lists/oss-security/2016/11/03/1

reports/GO-2020-0010.yaml

@@ -7,9 +7,9 @@ additional_packages:
 versions:
   - fixed: v0.0.0-20160831185616-c7581939a365
 description: |
-  When using ECDH-ES an attacker can mount an invalid curve attack during
-  decryption as the supplied public key is not checked to be on the same
-  curve as the receivers private key.
+    When using ECDH-ES an attacker can mount an invalid curve attack during
+    decryption as the supplied public key is not checked to be on the same
+    curve as the receivers private key.
 cves:
   - CVE-2016-9121
 credit: Quan Nguyen from Google's Information Security Engineering Team
@@ -18,6 +18,6 @@ symbols:
   - ecDecrypterSigner.decryptKey
   - rawJsonWebKey.ecPublicKey
 links:
-  commit: https://github.com/square/go-jose/commit/c7581939a3656bb65e89d64da0a52364a33d2507
-  context:
-    - https://www.openwall.com/lists/oss-security/2016/11/03/1
+    commit: https://github.com/square/go-jose/commit/c7581939a3656bb65e89d64da0a52364a33d2507
+    context:
+      - https://www.openwall.com/lists/oss-security/2016/11/03/1

reports/GO-2020-0011.yaml

@@ -2,11 +2,11 @@ module: github.com/square/go-jose
 versions:
   - fixed: v0.0.0-20160922232413-2c5656adca99
 description: |
-  When decrypting JsonWebEncryption objects with multiple recipients
-  or JsonWebSignature objects with multiple signatures the Decrypt
-  and Verify methods do not indicate which recipient or signature was
-  valid. This may lead a caller to rely on protected headers from an
-  invalid recipient or signature.
+    When decrypting JsonWebEncryption objects with multiple recipients
+    or JsonWebSignature objects with multiple signatures the Decrypt
+    and Verify methods do not indicate which recipient or signature was
+    valid. This may lead a caller to rely on protected headers from an
+    invalid recipient or signature.
 cves:
   - CVE-2016-9122
 credit: Quan Nguyen from Google's Information Security Engineering Team
@@ -14,6 +14,6 @@ symbols:
   - JsonWebEncryption.Decrypt
   - JsonWebSignature.Verify
 links:
-  commit: https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6
-  context:
-    - https://www.openwall.com/lists/oss-security/2016/11/03/1
+    commit: https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6
+    context:
+      - https://www.openwall.com/lists/oss-security/2016/11/03/1

reports/GO-2020-0012.yaml

@@ -3,10 +3,10 @@ package: golang.org/x/crypto/ssh
 versions:
   - fixed: v0.0.0-20200220183623-bac4c82f6975
 description: |
-  An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public
-  key, such that the library will panic when trying to verify a signature
-  with it. If verifying signatures using user supplied public keys, this
-  may be used as a denial of service vector.
+    An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public
+    key, such that the library will panic when trying to verify a signature
+    with it. If verifying signatures using user supplied public keys, this
+    may be used as a denial of service vector.
 cves:
   - CVE-2020-9283
 credit: Alex Gaynor, Fish in a Barrel
@@ -17,7 +17,7 @@ symbols:
   - skEd25519PublicKey.Verify
   - NewPublicKey
 links:
-  pr: https://go-review.googlesource.com/c/crypto/+/220357
-  commit: https://go.googlesource.com/crypto/+/bac4c82f69751a6dd76e702d54b3ceb88adab236
-  context:
-    - https://groups.google.com/g/golang-announce/c/3L45YRc91SY
+    pr: https://go-review.googlesource.com/c/crypto/+/220357
+    commit: https://go.googlesource.com/crypto/+/bac4c82f69751a6dd76e702d54b3ceb88adab236
+    context:
+      - https://groups.google.com/g/golang-announce/c/3L45YRc91SY

reports/GO-2020-0013.yaml

@@ -3,17 +3,17 @@ package: golang.org/x/crypto/ssh
 versions:
   - fixed: v0.0.0-20170330155735-e4e2799dd7aa
 description: |
-  By default host key verification is disabled which allows for
-  man-in-the-middle attacks against SSH clients if
-  ClientConfig.HostKeyCallback is not set.
+    By default host key verification is disabled which allows for
+    man-in-the-middle attacks against SSH clients if
+    ClientConfig.HostKeyCallback is not set.
 cves:
   - CVE-2017-3204
 credit: Phil Pennock
 symbols:
   - NewClientConn
 links:
-  pr: https://go-review.googlesource.com/38701
-  commit: https://go.googlesource.com/crypto/+/e4e2799dd7aab89f583e1d898300d96367750991
-  context:
-    - https://go.dev/issue/19767
-    - https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/
+    pr: https://go-review.googlesource.com/38701
+    commit: https://go.googlesource.com/crypto/+/e4e2799dd7aab89f583e1d898300d96367750991
+    context:
+      - https://go.dev/issue/19767
+      - https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/

reports/GO-2020-0014.yaml

@@ -3,9 +3,9 @@ package: golang.org/x/net/html
 versions:
   - fixed: v0.0.0-20190125091013-d26f9f9a57f3
 description: |
-  html.Parse does not properly handle "select" tags, which can lead
-  to an infinite loop. If parsing user supplied input, this may be used
-  as a denial of service vector.
+    html.Parse does not properly handle "select" tags, which can lead
+    to an infinite loop. If parsing user supplied input, this may be used
+    as a denial of service vector.
 cves:
   - CVE-2018-17846
 credit: '@tr3ee'
@@ -13,7 +13,7 @@ symbols:
   - inSelectIM
   - inSelectInTableIM
 links:
-  pr: https://go-review.googlesource.com/c/137275
-  commit: https://go.googlesource.com/net/+/d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf
-  context:
-    - https://go.dev/issue/27842
+    pr: https://go-review.googlesource.com/c/137275
+    commit: https://go.googlesource.com/net/+/d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf
+    context:
+      - https://go.dev/issue/27842

reports/GO-2020-0015.yaml

@@ -10,11 +10,11 @@ additional_packages:
 versions:
   - fixed: v0.3.3
 description: |
-  An attacker could provide a single byte to a UTF16 decoder instantiated with
-  UseBOM or ExpectBOM to trigger an infinite loop if the String function on
-  the Decoder is called, or the Decoder is passed to transform.String.
-  If used to parse user supplied input, this may be used as a denial of service
-  vector.
+    An attacker could provide a single byte to a UTF16 decoder instantiated with
+    UseBOM or ExpectBOM to trigger an infinite loop if the String function on
+    the Decoder is called, or the Decoder is passed to transform.String.
+    If used to parse user supplied input, this may be used as a denial of service
+    vector.
 last_modified: 2021-06-07T12:00:00Z
 cves:
   - CVE-2020-14040
@@ -22,8 +22,8 @@ credit: '@abacabadabacaba and Anton Gyllenberg'
 symbols:
   - utf16Decoder.Transform
 links:
-  pr: https://go-review.googlesource.com/c/text/+/238238
-  commit: https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e
-  context:
-    - https://go.dev/issue/39491
-    - https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0
+    pr: https://go-review.googlesource.com/c/text/+/238238
+    commit: https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e
+    context:
+      - https://go.dev/issue/39491
+      - https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0

reports/GO-2020-0016.yaml

@@ -2,17 +2,17 @@ module: github.com/ulikunitz/xz
 versions:
   - fixed: v0.5.8
 description: |
-  An attacker can construct a series of bytes such that calling
-  Reader.Read on the bytes could cause an infinite loop. If
-  parsing user supplied input, this may be used as a denial of
-  service vector.
-credit: "@0xdecaf"
+    An attacker can construct a series of bytes such that calling
+    Reader.Read on the bytes could cause an infinite loop. If
+    parsing user supplied input, this may be used as a denial of
+    service vector.
 cves:
   - CVE-2021-29482
+credit: '@0xdecaf'
 symbols:
   - readUvarint
 links:
-  commit: https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b
-  context:
-    - https://github.com/ulikunitz/xz/issues/35
-    - https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27
+    commit: https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b
+    context:
+      - https://github.com/ulikunitz/xz/issues/35
+      - https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27

reports/GO-2020-0017.yaml

@@ -8,16 +8,16 @@ additional_packages:
 versions:
   - introduced: v0.0.0-20150717181359-44718f8a89b0
 description: |
-  If a JWT contains an audience claim with an array of strings, rather
-  than a single string, and MapClaims.VerifyAudience is called with
-  req set to false, then audience verification will be bypassed,
-  allowing an invalid set of audiences to be provided.
+    If a JWT contains an audience claim with an array of strings, rather
+    than a single string, and MapClaims.VerifyAudience is called with
+    req set to false, then audience verification will be bypassed,
+    allowing an invalid set of audiences to be provided.
 cves:
   - CVE-2020-26160
-credit: "@christopher-wong"
+credit: '@christopher-wong'
 symbols:
   - MapClaims.VerifyAudience
 links:
-  commit: https://github.com/dgrijalva/jwt-go/commit/ec0a89a131e3e8567adcb21254a5cd20a70ea4ab
-  context:
-    - https://github.com/dgrijalva/jwt-go/issues/422
+    commit: https://github.com/dgrijalva/jwt-go/commit/ec0a89a131e3e8567adcb21254a5cd20a70ea4ab
+    context:
+      - https://github.com/dgrijalva/jwt-go/issues/422

reports/GO-2020-0018.yaml

@@ -2,18 +2,18 @@ module: github.com/satori/go.uuid
 versions:
   - fixed: v1.2.1-0.20181016170032-d91630c85102
 description: |
-  UUIDs generated using NewV1 and NewV4 may not read the expected
-  number of random bytes. These UUIDs may contain a significantly smaller
-  amount of entropy than expected, possibly leading to collisions.
-credit: "@josselin-c"
+    UUIDs generated using NewV1 and NewV4 may not read the expected
+    number of random bytes. These UUIDs may contain a significantly smaller
+    amount of entropy than expected, possibly leading to collisions.
 cves:
   - CVE-2021-3538
+credit: '@josselin-c'
 symbols:
   - NewV4
   - rfc4122Generator.getClockSequence
   - rfc4122Generator.getHardwareAddr
 links:
-  pr: https://github.com/satori/go.uuid/pull/75
-  commit: https://github.com/satori/go.uuid/commit/d91630c8510268e75203009fe7daf2b8e1d60c45
-  context:
-    - https://github.com/satori/go.uuid/issues/73
+    pr: https://github.com/satori/go.uuid/pull/75
+    commit: https://github.com/satori/go.uuid/commit/d91630c8510268e75203009fe7daf2b8e1d60c45
+    context:
+      - https://github.com/satori/go.uuid/issues/73

reports/GO-2020-0019.yaml

@@ -2,10 +2,10 @@ module: github.com/gorilla/websocket
 versions:
   - fixed: v1.4.1
 description: |
-  An attacker can craft malicious WebSocket frames that cause an integer
-  overflow in a variable which tracks the number of bytes remaining. This
-  may cause the server or client to get stuck attempting to read frames
-  in a loop, which can be used as a denial of service vector.
+    An attacker can craft malicious WebSocket frames that cause an integer
+    overflow in a variable which tracks the number of bytes remaining. This
+    may cause the server or client to get stuck attempting to read frames
+    in a loop, which can be used as a denial of service vector.
 cves:
   - CVE-2020-27813
 credit: Max Justicz
@@ -13,5 +13,5 @@ symbols:
   - Conn.advanceFrame
   - messageReader.Read
 links:
-  pr: https://github.com/gorilla/websocket/pull/537
-  commit: https://github.com/gorilla/websocket/commit/5b740c29263eb386f33f265561c8262522f19d37
+    pr: https://github.com/gorilla/websocket/pull/537
+    commit: https://github.com/gorilla/websocket/commit/5b740c29263eb386f33f265561c8262522f19d37

reports/GO-2020-0020.yaml

@@ -2,12 +2,12 @@ module: github.com/gorilla/handlers
 versions:
   - fixed: v1.3.0
 description: |
-  Usage of the CORS handler may apply improper CORS headers, allowing
-  the requester to explicitly control the value of the Access-Control-Allow-Origin
-  header, which bypasses the expected behavior of the Same Origin Policy.
+    Usage of the CORS handler may apply improper CORS headers, allowing
+    the requester to explicitly control the value of the Access-Control-Allow-Origin
+    header, which bypasses the expected behavior of the Same Origin Policy.
 credit: Evan J Johnson
 symbols:
   - cors.ServeHTTP
 links:
-  pr: https://github.com/gorilla/handlers/pull/116
-  commit: https://github.com/gorilla/handlers/commit/90663712d74cb411cbef281bc1e08c19d1a76145
+    pr: https://github.com/gorilla/handlers/pull/116
+    commit: https://github.com/gorilla/handlers/commit/90663712d74cb411cbef281bc1e08c19d1a76145

reports/GO-2020-0021.yaml

@@ -2,9 +2,9 @@ module: github.com/gogits/gogs
 versions:
   - fixed: v0.5.8
 description: |
-  Due to improper santization of user input, a number of methods are
-  vulnerable to SQL injection if used with user input that has not
-  been santized by the caller.
+    Due to improper santization of user input, a number of methods are
+    vulnerable to SQL injection if used with user input that has not
+    been santized by the caller.
 cves:
   - CVE-2014-8681
 credit: Pascal Turbing and Jiahua (Joe) Chen
@@ -13,6 +13,6 @@ symbols:
   - SearchRepositoryByName
   - SearchUserByName
 links:
-  commit: https://github.com/gogs/gogs/commit/83283bca4cb4e0f4ec48a28af680f0d88db3d2c8
-  context:
-    - https://seclists.org/fulldisclosure/2014/Nov/31
+    commit: https://github.com/gogs/gogs/commit/83283bca4cb4e0f4ec48a28af680f0d88db3d2c8
+    context:
+      - https://seclists.org/fulldisclosure/2014/Nov/31

reports/GO-2020-0022.yaml

@@ -2,13 +2,13 @@ module: github.com/cloudflare/golz4
 versions:
   - fixed: v0.0.0-20140711154735-199f5f787806
 description: |
-  LZ4 bindings use a deprecated C API that is vulnerable to
-  memory corruption, which could lead to arbitrary code execution
-  if called with untrusted user input.
+    LZ4 bindings use a deprecated C API that is vulnerable to
+    memory corruption, which could lead to arbitrary code execution
+    if called with untrusted user input.
 credit: Yann Collet
 symbols:
   - Uncompress
 links:
-  commit: https://github.com/cloudflare/golz4/commit/199f5f7878062ca17a98e079f2dbe1205e2ed898
-  context:
-    - https://github.com/cloudflare/golz4/issues/5
+    commit: https://github.com/cloudflare/golz4/commit/199f5f7878062ca17a98e079f2dbe1205e2ed898
+    context:
+      - https://github.com/cloudflare/golz4/issues/5

reports/GO-2020-0023.yaml

@@ -2,13 +2,13 @@ module: github.com/robbert229/jwt
 versions:
   - fixed: v0.0.0-20170426191122-ca1404ee6e83
 description: |
-  Token validation methods are susceptible to a timing side-channel
-  during HMAC comparison. With a large enough number of requests
-  over a low latency connection, an attacker may use this to determine
-  the expected HMAC.
+    Token validation methods are susceptible to a timing side-channel
+    during HMAC comparison. With a large enough number of requests
+    over a low latency connection, an attacker may use this to determine
+    the expected HMAC.
 symbols:
   - Algorithm.validateSignature
 links:
-  commit: https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654
-  context:
-    - https://github.com/robbert229/jwt/issues/12
+    commit: https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654
+    context:
+      - https://github.com/robbert229/jwt/issues/12

reports/GO-2020-0024.yaml

@@ -11,11 +11,11 @@ additional_packages:
 versions:
   - fixed: v0.0.0-20130808000456-233bccbb1abe
 description: |
-  The RemoteAddr and LocalAddr methods on the returned net.Conn may
-  call themselves, leading to an infinite loop which will crash the
-  program due to a stack overflow.
+    The RemoteAddr and LocalAddr methods on the returned net.Conn may
+    call themselves, leading to an infinite loop which will crash the
+    program due to a stack overflow.
 symbols:
   - proxiedConn.LocalAddr
   - proxiedConn.RemoteAddr
 links:
-  commit: https://github.com/btcsuite/go-socks/commit/233bccbb1abe02f05750f7ace66f5bffdb13defc
+    commit: https://github.com/btcsuite/go-socks/commit/233bccbb1abe02f05750f7ace66f5bffdb13defc

reports/GO-2020-0025.yaml

@@ -9,13 +9,13 @@ additional_packages:
 versions:
   - fixed: v0.0.0-20180523222229-09b5706aa936
 description: |
-  Due to improper path santization, archives containing relative file
-  paths can cause files to be written (or overwritten) outside of the
-  target directory.
+    Due to improper path santization, archives containing relative file
+    paths can cause files to be written (or overwritten) outside of the
+    target directory.
 symbols:
   - tgzExtractor.Extract
   - zipExtractor.Extract
 links:
-  commit: https://github.com/cloudfoundry/archiver/commit/09b5706aa9367972c09144a450bb4523049ee840
-  context:
-    - https://snyk.io/research/zip-slip-vulnerability
+    commit: https://github.com/cloudfoundry/archiver/commit/09b5706aa9367972c09144a450bb4523049ee840
+    context:
+      - https://snyk.io/research/zip-slip-vulnerability

reports/GO-2020-0026.yaml

@@ -3,9 +3,9 @@ package: github.com/openshift/source-to-image/pkg/tar
 versions:
   - fixed: v1.1.10-0.20180427153919-f5cbcbc5cc6f
 description: |
-  Due to improper path santization, archives containing relative file
-  paths can cause files to be written (or overwritten) outside of the
-  target directory.
+    Due to improper path santization, archives containing relative file
+    paths can cause files to be written (or overwritten) outside of the
+    target directory.
 cves:
   - CVE-2018-1103
 symbols:
@@ -13,6 +13,6 @@ symbols:
   - stiTar.extractLink
   - New
 links:
-  commit: https://github.com/openshift/source-to-image/commit/f5cbcbc5cc6f8cc2f479a7302443bea407a700cb
-  context:
-    - https://snyk.io/research/zip-slip-vulnerability
+    commit: https://github.com/openshift/source-to-image/commit/f5cbcbc5cc6f8cc2f479a7302443bea407a700cb
+    context:
+      - https://snyk.io/research/zip-slip-vulnerability

reports/GO-2020-0027.yaml

@@ -8,9 +8,9 @@ additional_packages:
 versions:
   - fixed: v0.2.4
 description: |
-  After dropping and then elevating process privileges euid, guid, and groups
-  are not properly restored to their original values, allowing an unprivileged
-  user to gain membership in the root group.
+    After dropping and then elevating process privileges euid, guid, and groups
+    are not properly restored to their original values, allowing an unprivileged
+    user to gain membership in the root group.
 cves:
   - CVE-2018-6558
 symbols:
@@ -18,6 +18,6 @@ symbols:
   - SetProcessPrivileges
   - Handle.StopAsPamUser
 links:
-  commit: https://github.com/google/fscrypt/commit/3022c1603d968c22f147b4a2c49c4637dd1be91b
-  context:
-    - https://github.com/google/fscrypt/issues/77
+    commit: https://github.com/google/fscrypt/commit/3022c1603d968c22f147b4a2c49c4637dd1be91b
+    context:
+      - https://github.com/google/fscrypt/issues/77

reports/GO-2020-0028.yaml

@@ -2,15 +2,15 @@ module: github.com/miekg/dns
 versions:
   - fixed: v1.0.10
 description: |
-  Due to a nil pointer dereference, parsing a malformed zone file
-  containing TA records may cause a panic. If parsing user supplied
-  input, this may be used as a denial of service vector.
+    Due to a nil pointer dereference, parsing a malformed zone file
+    containing TA records may cause a panic. If parsing user supplied
+    input, this may be used as a denial of service vector.
 cves:
   - CVE-2018-17419
-credit: "@tr3ee"
+credit: '@tr3ee'
 symbols:
   - setTA
 links:
-  commit: https://github.com/miekg/dns/commit/501e858f679edecd4a38a86317ce50271014a80d
-  context:
-    - https://github.com/miekg/dns/issues/742
+    commit: https://github.com/miekg/dns/commit/501e858f679edecd4a38a86317ce50271014a80d
+    context:
+      - https://github.com/miekg/dns/issues/742

reports/GO-2020-0029.yaml

@@ -2,12 +2,12 @@ module: github.com/gin-gonic/gin
 versions:
   - fixed: v0.0.0-20141229113116-0099840c98ae
 description: |
-  Due to improper HTTP header santization, a malicious user can spoof their
-  source IP address by setting the X-Forwarded-For header. This may allow
-  a user to bypass IP based restrictions, or obfuscate their true source.
-credit: "@nl5887"
+    Due to improper HTTP header santization, a malicious user can spoof their
+    source IP address by setting the X-Forwarded-For header. This may allow
+    a user to bypass IP based restrictions, or obfuscate their true source.
+credit: '@nl5887'
 symbols:
   - Context.ClientIP
 links:
-  commit: https://github.com/gin-gonic/gin/commit/0099840c98ae1473c5ff0f18bc93a8e13ceed829
-  pr: https://github.com/gin-gonic/gin/pull/182
+    pr: https://github.com/gin-gonic/gin/pull/182
+    commit: https://github.com/gin-gonic/gin/commit/0099840c98ae1473c5ff0f18bc93a8e13ceed829

reports/GO-2020-0031.yaml

@@ -2,11 +2,11 @@ module: github.com/proglottis/gpgme
 versions:
   - fixed: v0.1.1
 description: |
-  Due to improper setting of finalizers, memory passed to C may be freed before it is used,
-  leading to crashes due to memory corruption or possible code execution.
+    Due to improper setting of finalizers, memory passed to C may be freed before it is used,
+    leading to crashes due to memory corruption or possible code execution.
 cves:
   - CVE-2020-8945
 links:
-  commit: https://github.com/proglottis/gpgme/commit/92153bcb59bd2f511e502262c46c7bd660e21733
-  context:
-    - https://bugzilla.redhat.com/show_bug.cgi?id=1795838
+    commit: https://github.com/proglottis/gpgme/commit/92153bcb59bd2f511e502262c46c7bd660e21733
+    context:
+      - https://bugzilla.redhat.com/show_bug.cgi?id=1795838

reports/GO-2020-0032.yaml

@@ -13,18 +13,19 @@ additional_packages:
 versions:
   - fixed: v1.4.3
 description: |
-  Due to improper santization of user input, Controller.FileHandler allows
-  for directory traversal, allowing an attacker to read files outside of
-  the target directory that the server has permission to read.
-credit: "@christi3k"
+    Due to improper santization of user input, Controller.FileHandler allows
+    for directory traversal, allowing an attacker to read files outside of
+    the target directory that the server has permission to read.
+credit: '@christi3k'
 symbols:
   - Controller.FileHandler
 links:
-  pr: https://github.com/goadesign/goa/pull/2388
-  commit: https://github.com/goadesign/goa/commit/70b5a199d0f813d74423993832c424e1fc73fb39
+    pr: https://github.com/goadesign/goa/pull/2388
+    commit: https://github.com/goadesign/goa/commit/70b5a199d0f813d74423993832c424e1fc73fb39
 cve_metadata:
-  id: CVE-9999-0012
-  cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
-  description: |
-    Improper path santiziation in github.com/goadesign/goa before v3.0.9, v2.0.10, or
-    v1.4.3 allow remote attackers to read files outside of the intended directory.
+    id: CVE-9999-0012
+    cwe: 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path
+        Traversal'')'
+    description: |
+        Improper path santiziation in github.com/goadesign/goa before v3.0.9, v2.0.10, or
+        v1.4.3 allow remote attackers to read files outside of the intended directory.

reports/GO-2020-0033.yaml

@@ -2,14 +2,14 @@ module: aahframe.work
 versions:
   - fixed: v0.12.4
 description: |
-  Due to improper santization of user input, HTTPEngine.Handle allows
-  for directory traversal, allowing an attacker to read files outside of
-  the target directory that the server has permission to read.
-credit: "@snyff"
+    Due to improper santization of user input, HTTPEngine.Handle allows
+    for directory traversal, allowing an attacker to read files outside of
+    the target directory that the server has permission to read.
+credit: '@snyff'
 symbols:
   - HTTPEngine.Handle
 links:
-  pr: https://github.com/go-aah/aah/pull/267
-  commit: https://github.com/go-aah/aah/commit/881dc9f71d1f7a4e8a9a39df9c5c081d3a2da1ec
-  context:
-    - https://github.com/go-aah/aah/issues/266
+    pr: https://github.com/go-aah/aah/pull/267
+    commit: https://github.com/go-aah/aah/commit/881dc9f71d1f7a4e8a9a39df9c5c081d3a2da1ec
+    context:
+      - https://github.com/go-aah/aah/issues/266

reports/GO-2020-0034.yaml

@@ -2,13 +2,13 @@ module: github.com/artdarek/go-unzip
 versions:
   - fixed: v1.0.0
 description: |
-  Due to improper path santization, archives containing relative file
-  paths can cause files to be written (or overwritten) outside of the
-  target directory.
+    Due to improper path santization, archives containing relative file
+    paths can cause files to be written (or overwritten) outside of the
+    target directory.
 symbols:
   - Unzip.Extract
 links:
-  pr: https://github.com/artdarek/go-unzip/pull/2
-  commit: https://github.com/artdarek/go-unzip/commit/4975cbe0a719dc50b12da8585f1f207c82f7dfe0
-  context:
-    - https://snyk.io/research/zip-slip-vulnerability
+    pr: https://github.com/artdarek/go-unzip/pull/2
+    commit: https://github.com/artdarek/go-unzip/commit/4975cbe0a719dc50b12da8585f1f207c82f7dfe0
+    context:
+      - https://snyk.io/research/zip-slip-vulnerability

reports/GO-2020-0035.yaml

@@ -2,13 +2,13 @@ module: github.com/yi-ge/unzip
 versions:
   - fixed: v1.0.3-0.20200308084313-2adbaa4891b9
 description: |
-  Due to improper path santization, archives containing relative file
-  paths can cause files to be written (or overwritten) outside of the
-  target directory.
+    Due to improper path santization, archives containing relative file
+    paths can cause files to be written (or overwritten) outside of the
+    target directory.
 symbols:
   - Unzip.Extract
 links:
-  pr: https://github.com/yi-ge/unzip/pull/1
-  commit: https://github.com/yi-ge/unzip/commit/2adbaa4891b9690853ef10216189189f5ad7dc73
-  context:
-    - https://snyk.io/research/zip-slip-vulnerability
+    pr: https://github.com/yi-ge/unzip/pull/1
+    commit: https://github.com/yi-ge/unzip/commit/2adbaa4891b9690853ef10216189189f5ad7dc73
+    context:
+      - https://snyk.io/research/zip-slip-vulnerability

reports/GO-2020-0036.yaml

@@ -1,22 +1,20 @@
 module: gopkg.in/yaml.v2
 additional_packages:
-  # all of the incompatible versions of github.com/go-yaml/yaml
-  # are affected
   - module: github.com/go-yaml/yaml
     symbols:
       - yaml_parser_fetch_more_tokens
 versions:
   - fixed: v2.2.8
 description: |
-  Due to unbounded aliasing, a crafted YAML file can cause consumption
-  of significant system resources. If parsing user supplied input, this
-  may be used as a denial of service vector.
+    Due to unbounded aliasing, a crafted YAML file can cause consumption
+    of significant system resources. If parsing user supplied input, this
+    may be used as a denial of service vector.
 cves:
   - CVE-2019-11254
 symbols:
   - yaml_parser_fetch_more_tokens
 links:
-  pr: https://github.com/go-yaml/yaml/pull/555
-  commit: https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48
-  context:
-    - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496
+    pr: https://github.com/go-yaml/yaml/pull/555
+    commit: https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48
+    context:
+      - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496

reports/GO-2020-0037.yaml

@@ -3,13 +3,13 @@ package: github.com/tendermint/tendermint/rpc/client
 versions:
   - fixed: v0.31.1
 description: |
-  Due to support of Gzip compression in request bodies, as well
-  as a lack of limiting response body sizes, a malicious server
-  can cause a client to consume a significant amount of system
-  resources, which may be used as a denial of service vector.
-credit: "@guagualvcha"
+    Due to support of Gzip compression in request bodies, as well
+    as a lack of limiting response body sizes, a malicious server
+    can cause a client to consume a significant amount of system
+    resources, which may be used as a denial of service vector.
+credit: '@guagualvcha'
 symbols:
   - makeHTTPClient
 links:
-  pr: https://github.com/tendermint/tendermint/pull/3430
-  commit: https://github.com/tendermint/tendermint/commit/03085c2da23b179c4a51f59a03cb40aa4e85a613
+    pr: https://github.com/tendermint/tendermint/pull/3430
+    commit: https://github.com/tendermint/tendermint/commit/03085c2da23b179c4a51f59a03cb40aa4e85a613

reports/GO-2020-0038.yaml

@@ -2,16 +2,16 @@ module: github.com/pion/dtls
 versions:
   - fixed: v1.5.2
 description: |
-  Due to improper verification of packets, unencrypted packets containing
-  application data are accepted after the initial handshake. This allows
-  an attacker to inject arbitrary data which the client/server believes
-  was encrypted, despite not knowing the session key.
+    Due to improper verification of packets, unencrypted packets containing
+    application data are accepted after the initial handshake. This allows
+    an attacker to inject arbitrary data which the client/server believes
+    was encrypted, despite not knowing the session key.
 cves:
   - CVE-2019-20786
 symbols:
   - Conn.handleIncomingPacket
 links:
-  pr: https://github.com/pion/dtls/pull/128
-  commit: https://github.com/pion/dtls/commit/fd73a5df2ff0e1fb6ae6a51e2777d7a16cc4f4e0
-  context:
-    - https://www.usenix.org/system/files/sec20fall_fiterau-brostean_prepub.pdf
+    pr: https://github.com/pion/dtls/pull/128
+    commit: https://github.com/pion/dtls/commit/fd73a5df2ff0e1fb6ae6a51e2777d7a16cc4f4e0
+    context:
+      - https://www.usenix.org/system/files/sec20fall_fiterau-brostean_prepub.pdf

reports/GO-2020-0039.yaml

@@ -2,16 +2,16 @@ module: gopkg.in/macaron.v1
 versions:
   - fixed: v1.3.7
 description: |
-  Due to improper request santization, a specifically crafted URL
-  can cause the static file handler to redirect to an attacker chosen
-  URL, allowing for open redirect attacks.
+    Due to improper request santization, a specifically crafted URL
+    can cause the static file handler to redirect to an attacker chosen
+    URL, allowing for open redirect attacks.
 cves:
   - CVE-2020-12666
-credit: "@ev0A"
+credit: '@ev0A'
 symbols:
   - staticHandler
 links:
-  pr: https://github.com/go-macaron/macaron/pull/199
-  commit: https://github.com/go-macaron/macaron/commit/addc7461c3a90a040e79aa75bfd245107a210245
-  context:
-    - https://github.com/go-macaron/macaron/issues/198
+    pr: https://github.com/go-macaron/macaron/pull/199
+    commit: https://github.com/go-macaron/macaron/commit/addc7461c3a90a040e79aa75bfd245107a210245
+    context:
+      - https://github.com/go-macaron/macaron/issues/198

reports/GO-2020-0040.yaml

@@ -1,8 +1,8 @@
 module: github.com/shiyanhui/dht
 description: |
-  Due to unchecked type assertions, maliciously crafted messages can
-  cause panics, which may be used as a denial of service vector.
-credit: "@hMihaiDavid"
+    Due to unchecked type assertions, maliciously crafted messages can
+    cause panics, which may be used as a denial of service vector.
+credit: '@hMihaiDavid'
 links:
-  context:
-    - https://github.com/shiyanhui/dht/issues/57
+    context:
+      - https://github.com/shiyanhui/dht/issues/57

reports/GO-2020-0041.yaml

@@ -1,7 +1,6 @@
 module: github.com/unknwon/cae
 package: github.com/unknwon/cae/tz
 additional_packages:
-  # CVE-2020-7664
   - module: github.com/unknwon/cae
     package: github.com/unknwon/cae/zip
     symbols:
@@ -12,15 +11,15 @@ additional_packages:
 versions:
   - fixed: v1.0.1
 description: |
-  Due to improper path santization, archives containing relative file
-  paths can cause files to be written (or overwritten) outside of the
-  target directory.
+    Due to improper path santization, archives containing relative file
+    paths can cause files to be written (or overwritten) outside of the
+    target directory.
 cves:
   - CVE-2020-7668
 symbols:
   - TzArchive.syncFiles
   - TzArchive.ExtractToFunc
 links:
-  commit: https://github.com/unknwon/cae/commit/07971c00a1bfd9dc171c3ad0bfab5b67c2287e11
-  context:
-    - https://snyk.io/research/zip-slip-vulnerability
+    commit: https://github.com/unknwon/cae/commit/07971c00a1bfd9dc171c3ad0bfab5b67c2287e11
+    context:
+      - https://snyk.io/research/zip-slip-vulnerability

reports/GO-2020-0042.yaml

@@ -3,14 +3,14 @@ package: github.com/sassoftware/go-rpmutils/cpio
 versions:
   - fixed: v0.1.0
 description: |
-  Due to improper path santization, RPMs containing relative file
-  paths can cause files to be written (or overwritten) outside of the
-  target directory.
+    Due to improper path santization, RPMs containing relative file
+    paths can cause files to be written (or overwritten) outside of the
+    target directory.
 cves:
   - CVE-2020-7667
 symbols:
   - Extract
 links:
-  commit: https://github.com/sassoftware/go-rpmutils/commit/a64058cf21b8aada501bba923c9aab66fb6febf0
-  context:
-    - https://snyk.io/research/zip-slip-vulnerability
+    commit: https://github.com/sassoftware/go-rpmutils/commit/a64058cf21b8aada501bba923c9aab66fb6febf0
+    context:
+      - https://snyk.io/research/zip-slip-vulnerability

reports/GO-2020-0043.yaml

@@ -3,10 +3,10 @@ package: github.com/mholt/caddy/caddyhttp/httpserver
 versions:
   - fixed: v0.10.13
 description: |
-  Due to improper TLS verification when serving traffic for multiple
-  SNIs, an attacker may bypass TLS client authentication by indicating
-  an SNI during the TLS handshake that is different from the name in
-  the HTTP Host header.
+    Due to improper TLS verification when serving traffic for multiple
+    SNIs, an attacker may bypass TLS client authentication by indicating
+    an SNI during the TLS handshake that is different from the name in
+    the HTTP Host header.
 cves:
   - CVE-2018-21246
 symbols:
@@ -14,7 +14,7 @@ symbols:
   - Server.serveHTTP
   - assertConfigsCompatible
 links:
-  pr: https://github.com/caddyserver/caddy/pull/2099
-  commit: https://github.com/caddyserver/caddy/commit/4d9ee000c8d2cbcdd8284007c1e0f2da7bc3c7c3
-  context:
-    - https://bugs.gentoo.org/715214
+    pr: https://github.com/caddyserver/caddy/pull/2099
+    commit: https://github.com/caddyserver/caddy/commit/4d9ee000c8d2cbcdd8284007c1e0f2da7bc3c7c3
+    context:
+      - https://bugs.gentoo.org/715214

reports/GO-2020-0045.yaml

@@ -2,14 +2,14 @@ module: github.com/dinever/golf
 versions:
   - fixed: v0.3.0
 description: |
-  CSRF tokens are generated using math/rand, which is not a cryptographically secure
-  rander number generation, making predicting their values relatively trivial and
-  allowing an attacker to bypass CSRF protections which relatively few requests.
-credit: "@elithrar"
+    CSRF tokens are generated using math/rand, which is not a cryptographically secure
+    rander number generation, making predicting their values relatively trivial and
+    allowing an attacker to bypass CSRF protections which relatively few requests.
+credit: '@elithrar'
 symbols:
   - randomBytes
 links:
-  pr: https://github.com/dinever/golf/pull/24
-  commit: https://github.com/dinever/golf/commit/3776f338be48b5bc5e8cf9faff7851fc52a3f1fe
-  context:
-    - https://github.com/dinever/golf/issues/20
+    pr: https://github.com/dinever/golf/pull/24
+    commit: https://github.com/dinever/golf/commit/3776f338be48b5bc5e8cf9faff7851fc52a3f1fe
+    context:
+      - https://github.com/dinever/golf/issues/20

reports/GO-2020-0047.yaml

@@ -1,12 +1,12 @@
 module: github.com/RobotsAndPencils/go-saml
 description: |
-  XML Digital Signatures generated and validated using this package use
-  SHA-1, which may allow an attacker to craft inputs which cause hash
-  collisions depending on their control over the input.
+    XML Digital Signatures generated and validated using this package use
+    SHA-1, which may allow an attacker to craft inputs which cause hash
+    collisions depending on their control over the input.
 symbols:
   - AuthnRequest.Validate
   - NewAuthnRequest
   - NewSignedResponse
 links:
-  context:
-    - https://github.com/RobotsAndPencils/go-saml/pull/38
+    context:
+      - https://github.com/RobotsAndPencils/go-saml/pull/38

reports/GO-2020-0048.yaml

@@ -2,16 +2,16 @@ module: github.com/antchfx/xmlquery
 versions:
   - fixed: v1.3.1
 description: |
-  LoadURL does not check the Content-Type of loaded resources,
-  which can cause a panic due to nil pointer deference if the loaded
-  resource is not XML. If user supplied URLs are loaded, this may be
-  used as a denial of service vector.
+    LoadURL does not check the Content-Type of loaded resources,
+    which can cause a panic due to nil pointer deference if the loaded
+    resource is not XML. If user supplied URLs are loaded, this may be
+    used as a denial of service vector.
 cves:
   - CVE-2020-25614
-credit: "@dwisiswant0"
+credit: '@dwisiswant0'
 symbols:
   - LoadURL
 links:
-  commit: https://github.com/antchfx/xmlquery/commit/5648b2f39e8d5d3fc903c45a4f1274829df71821
-  context:
-    - https://github.com/antchfx/xmlquery/issues/39
+    commit: https://github.com/antchfx/xmlquery/commit/5648b2f39e8d5d3fc903c45a4f1274829df71821
+    context:
+      - https://github.com/antchfx/xmlquery/issues/39

reports/GO-2020-0049.yaml

@@ -2,13 +2,13 @@ module: github.com/justinas/nosurf
 versions:
   - fixed: v1.1.1
 description: |
-  Due to improper validation of caller input, validation is silently disabled
-  if the provided expected token is malformed, causing any user supplied token
-  to be considered valid.
-credit: "@aeneasr"
+    Due to improper validation of caller input, validation is silently disabled
+    if the provided expected token is malformed, causing any user supplied token
+    to be considered valid.
+credit: '@aeneasr'
 symbols:
   - VerifyToken
   - verifyToken
 links:
-  pr: https://github.com/justinas/nosurf/pull/60
-  commit: https://github.com/justinas/nosurf/commit/4d86df7a4affa1fa50ab39fb09aac56c3ce9c314
+    pr: https://github.com/justinas/nosurf/pull/60
+    commit: https://github.com/justinas/nosurf/commit/4d86df7a4affa1fa50ab39fb09aac56c3ce9c314

reports/GO-2020-0050.yaml

@@ -2,15 +2,15 @@ module: github.com/russellhaering/goxmldsig
 versions:
   - fixed: v1.1.0
 description: |
-  Due to the behavior of encoding/xml, a crafted XML document may cause
-  XML Digital Signature validation to be entirely bypassed, causing an
-  unsigned document to appear signed.
+    Due to the behavior of encoding/xml, a crafted XML document may cause
+    XML Digital Signature validation to be entirely bypassed, causing an
+    unsigned document to appear signed.
 cves:
   - CVE-2020-15216
-credit: "@jupenur"
+credit: '@jupenur'
 symbols:
   - ValidationContext.findSignature
 links:
-  commit: https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64
-  context:
-    - https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
+    commit: https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64
+    context:
+      - https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7

reports/GO-2021-0051.yaml

@@ -2,14 +2,14 @@ module: github.com/labstack/echo/v4
 versions:
   - fixed: v4.1.18-0.20201215153152-4422e3b66b9f
 description: |
-  Due to improper sanitization of user input on Windows, the static file handler
-  allows for directory traversal, allowing an attacker to read files outside of
-  the target directory that the server has permission to read.
-credit: "@little-cui (Apache ServiceComb)"
+    Due to improper sanitization of user input on Windows, the static file handler
+    allows for directory traversal, allowing an attacker to read files outside of
+    the target directory that the server has permission to read.
+credit: '@little-cui (Apache ServiceComb)'
 symbols:
   - common.static
 os:
   - windows
 links:
-  pr: https://github.com/labstack/echo/pull/1718
-  commit: https://github.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaa
+    pr: https://github.com/labstack/echo/pull/1718
+    commit: https://github.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaa

reports/GO-2021-0052.yaml

@@ -1,17 +1,17 @@
 module: github.com/gin-gonic/gin
-description: |
-  Due to improper HTTP header santization, a malicious user can spoof their
-  source IP address by setting the X-Forwarded-For header. This may allow
-  a user to bypass IP based restrictions, or obfuscate their true source.
-cves:
-  - CVE-2020-28483
-credit: "@sorenh"
-symbols:
-  - Context.ClientIP
 versions:
   - fixed: v1.6.3-0.20210406033725-bfc8ca285eb4
+description: |
+    Due to improper HTTP header santization, a malicious user can spoof their
+    source IP address by setting the X-Forwarded-For header. This may allow
+    a user to bypass IP based restrictions, or obfuscate their true source.
+cves:
+  - CVE-2020-28483
+credit: '@sorenh'
+symbols:
+  - Context.ClientIP
 links:
-  commit: https://github.com/gin-gonic/gin/commit/bfc8ca285eb46dad60e037d57c545cd260636711
-  pr: https://github.com/gin-gonic/gin/pull/2632
-  context:
-    - https://github.com/gin-gonic/gin/pull/2474
+    pr: https://github.com/gin-gonic/gin/pull/2632
+    commit: https://github.com/gin-gonic/gin/commit/bfc8ca285eb46dad60e037d57c545cd260636711
+    context:
+      - https://github.com/gin-gonic/gin/pull/2474

reports/GO-2021-0053.yaml

@@ -2,10 +2,10 @@ module: github.com/gogo/protobuf
 versions:
   - fixed: v1.3.2
 description: |
-  Due to improper bounds checking, maliciously crafted input to generated
-  Unmarshal methods can cause an out-of-bounds panic. If parsing messages
-  from untrusted parties, this may be used as a denial of service vector.
+    Due to improper bounds checking, maliciously crafted input to generated
+    Unmarshal methods can cause an out-of-bounds panic. If parsing messages
+    from untrusted parties, this may be used as a denial of service vector.
 cves:
   - CVE-2021-3121
 links:
-  commit: https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc
+    commit: https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc

reports/GO-2021-0054.yaml

@@ -2,15 +2,15 @@ module: github.com/tidwall/gjson
 versions:
   - fixed: v1.6.6
 description: |
-  Due to improper bounds checking, maliciously crafted JSON objects
-  can cause an out-of-bounds panic. If parsing user input, this may
-  be used as a denial of service vector.
+    Due to improper bounds checking, maliciously crafted JSON objects
+    can cause an out-of-bounds panic. If parsing user input, this may
+    be used as a denial of service vector.
 cves:
   - CVE-2020-36067
-credit: "@toptotu"
+credit: '@toptotu'
 symbols:
   - unwrap
 links:
-  commit: https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b
-  context:
-    - https://github.com/tidwall/gjson/issues/196
+    commit: https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b
+    context:
+      - https://github.com/tidwall/gjson/issues/196

reports/GO-2021-0056.yaml

@@ -3,15 +3,15 @@ package: github.com/dexidp/dex/connector/saml
 versions:
   - fixed: v0.0.0-20201214082111-324b1c886b40
 description: |
-  Due to the behavior of encoding/xml, a crafted XML document may cause
-  XML Digital Signature validation to be entirely bypassed, causing an
-  unsigned document to appear signed.
+    Due to the behavior of encoding/xml, a crafted XML document may cause
+    XML Digital Signature validation to be entirely bypassed, causing an
+    unsigned document to appear signed.
 cves:
   - CVE-2020-15216
 credit: Juho Nurminen (Mattermost)
 symbols:
   - provider.HandlePOST
 links:
-  commit: https://github.com/dexidp/dex/commit/324b1c886b407594196113a3dbddebe38eecd4e8
-  context:
-    - https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5
+    commit: https://github.com/dexidp/dex/commit/324b1c886b407594196113a3dbddebe38eecd4e8
+    context:
+      - https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5

reports/GO-2021-0057.yaml

@@ -2,16 +2,16 @@ module: github.com/buger/jsonparser
 versions:
   - fixed: v1.1.1
 description: |
-  Due to improper bounds checking, maliciously crafted JSON objects
-  can cause an out-of-bounds panic. If parsing user input, this may
-  be used as a denial of service vector.
+    Due to improper bounds checking, maliciously crafted JSON objects
+    can cause an out-of-bounds panic. If parsing user input, this may
+    be used as a denial of service vector.
 cves:
   - CVE-2020-35381
-credit: "@toptotu"
+credit: '@toptotu'
 symbols:
   - searchKeys
 links:
-  pr: https://github.com/buger/jsonparser/pull/221
-  commit: https://github.com/buger/jsonparser/commit/df3ea76ece10095374fd1c9a22a4fb85a44efc42
-  context:
-    - https://github.com/buger/jsonparser/issues/219
+    pr: https://github.com/buger/jsonparser/pull/221
+    commit: https://github.com/buger/jsonparser/commit/df3ea76ece10095374fd1c9a22a4fb85a44efc42
+    context:
+      - https://github.com/buger/jsonparser/issues/219

reports/GO-2021-0058.yaml

@@ -11,9 +11,9 @@ additional_packages:
 versions:
   - fixed: v0.4.3
 description: |
-  Due to the behavior of encoding/xml, a crafted XML document may cause
-  XML Digital Signature validation to be entirely bypassed, causing an
-  unsigned document to appear signed.
+    Due to the behavior of encoding/xml, a crafted XML document may cause
+    XML Digital Signature validation to be entirely bypassed, causing an
+    unsigned document to appear signed.
 cves:
   - CVE-2020-27846
 symbols:
@@ -22,6 +22,6 @@ symbols:
   - ServiceProvider.ValidateLogoutResponseForm
   - ServiceProvider.ValidateLogoutResponseRedirect
 links:
-  commit: https://github.com/crewjam/saml/commit/da4f1a0612c0a8dd0452cf8b3c7a6518f6b4d053
-  context:
-    - https://github.com/crewjam/saml/security/advisories/GHSA-4hq8-gmxx-h6w9
+    commit: https://github.com/crewjam/saml/commit/da4f1a0612c0a8dd0452cf8b3c7a6518f6b4d053
+    context:
+      - https://github.com/crewjam/saml/security/advisories/GHSA-4hq8-gmxx-h6w9

reports/GO-2021-0059.yaml

@@ -2,15 +2,15 @@ module: github.com/tidwall/gjson
 versions:
   - fixed: v1.6.4
 description: |
-  Due to improper bounds checking, maliciously crafted JSON objects
-  can cause an out-of-bounds panic. If parsing user input, this may
-  be used as a denial of service vector.
+    Due to improper bounds checking, maliciously crafted JSON objects
+    can cause an out-of-bounds panic. If parsing user input, this may
+    be used as a denial of service vector.
 cves:
   - CVE-2020-35380
-credit: "@toptotu"
+credit: '@toptotu'
 symbols:
   - sqaush
 links:
-  commit: https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc
-  context:
-    - https://github.com/tidwall/gjson/issues/192
+    commit: https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc
+    context:
+      - https://github.com/tidwall/gjson/issues/192

reports/GO-2021-0060.yaml

@@ -2,15 +2,15 @@ module: github.com/russellhaering/gosaml2
 versions:
   - fixed: v0.6.0
 description: |
-  Due to the behavior of encoding/xml, a crafted XML document may cause
-  XML Digital Signature validation to be entirely bypassed, causing an
-  unsigned document to appear signed.
+    Due to the behavior of encoding/xml, a crafted XML document may cause
+    XML Digital Signature validation to be entirely bypassed, causing an
+    unsigned document to appear signed.
 cves:
   - CVE-2020-29509
 credit: Juho Nurminen
 symbols:
   - parseResponse
 links:
-  commit: https://github.com/russellhaering/gosaml2/commit/42606dafba60c58c458f14f75c4c230459672ab9
-  context:
-    - https://github.com/russellhaering/gosaml2/security/advisories/GHSA-xhqq-x44f-9fgg
+    commit: https://github.com/russellhaering/gosaml2/commit/42606dafba60c58c458f14f75c4c230459672ab9
+    context:
+      - https://github.com/russellhaering/gosaml2/security/advisories/GHSA-xhqq-x44f-9fgg

reports/GO-2021-0061.yaml

@@ -1,19 +1,17 @@
 module: gopkg.in/yaml.v2
 additional_packages:
-  # all of the incompatible versions of github.com/go-yaml/yaml
-  # are affected
   - module: github.com/go-yaml/yaml
     symbols:
       - decoder.unmarshal
 versions:
   - fixed: v2.2.3
 description: |
-  Due to unbounded alias chasing, a maliciously crafted YAML file
-  can cause the system to consume significant system resources. If
-  parsing user input, this may be used as a denial of service vector.
-credit: "@simonferquel"
+    Due to unbounded alias chasing, a maliciously crafted YAML file
+    can cause the system to consume significant system resources. If
+    parsing user input, this may be used as a denial of service vector.
+credit: '@simonferquel'
 symbols:
   - decoder.unmarshal
 links:
-  pr: https://github.com/go-yaml/yaml/pull/375
-  commit: https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241
+    pr: https://github.com/go-yaml/yaml/pull/375
+    commit: https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241

reports/GO-2021-0063.yaml

@@ -3,14 +3,14 @@ package: github.com/ethereum/go-ethereum/les
 versions:
   - fixed: v1.9.25
 description: |
-  Due to a nil pointer dereference, a malicously crafted RPC message
-  can cause a panic. If handling RPC messages from untrusted clients,
-  this may be used as a denial of service vector.
+    Due to a nil pointer dereference, a malicously crafted RPC message
+    can cause a panic. If handling RPC messages from untrusted clients,
+    this may be used as a denial of service vector.
 cves:
   - CVE-2020-26264
-credit: "@zsfelfoldi"
+credit: '@zsfelfoldi'
 symbols:
   - serverHandler.handleMsg
 links:
-  pr: https://github.com/ethereum/go-ethereum/pull/21896
-  commit: https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46
+    pr: https://github.com/ethereum/go-ethereum/pull/21896
+    commit: https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46

reports/GO-2021-0064.yaml

@@ -10,15 +10,15 @@ additional_packages:
 versions:
   - fixed: v0.20.0-alpha.2
 description: |
-  Authorization tokens may be inappropriately logged if the verbosity
-  level is set to a debug level.
+    Authorization tokens may be inappropriately logged if the verbosity
+    level is set to a debug level.
 cves:
   - CVE-2020-8565
-credit: "@sfowl"
+credit: '@sfowl'
 symbols:
   - requestInfo.toCurl
 links:
-  pr: https://github.com/kubernetes/kubernetes/pull/95316
-  commit: https://github.com/kubernetes/kubernetes/commit/e99df0e5a75eb6e86123b56d53e9b7ca0fd00419
-  context:
-    - https://github.com/kubernetes/kubernetes/issues/95623
+    pr: https://github.com/kubernetes/kubernetes/pull/95316
+    commit: https://github.com/kubernetes/kubernetes/commit/e99df0e5a75eb6e86123b56d53e9b7ca0fd00419
+    context:
+      - https://github.com/kubernetes/kubernetes/issues/95623

reports/GO-2021-0065.yaml

@@ -10,14 +10,14 @@ additional_packages:
 versions:
   - fixed: v0.17.0
 description: |
-  Authorization tokens may be inappropriately logged if the verbosity
-  level is set to a debug level.
+    Authorization tokens may be inappropriately logged if the verbosity
+    level is set to a debug level.
 cves:
   - CVE-2019-11250
 symbols:
   - debuggingRoundTripper.RoundTrip
 links:
-  pr: https://github.com/kubernetes/kubernetes/pull/81330
-  commit: https://github.com/kubernetes/kubernetes/commit/4441f1d9c3e94d9a3d93b4f184a591cab02a5245
-  context:
-    - https://github.com/kubernetes/kubernetes/issues/81114
+    pr: https://github.com/kubernetes/kubernetes/pull/81330
+    commit: https://github.com/kubernetes/kubernetes/commit/4441f1d9c3e94d9a3d93b4f184a591cab02a5245
+    context:
+      - https://github.com/kubernetes/kubernetes/issues/81114

reports/GO-2021-0066.yaml

@@ -3,16 +3,16 @@ package: k8s.io/kubernetes/pkg/credentialprovider
 versions:
   - fixed: v1.20.0-alpha.1
 description: |
-  Attempting to read a malformed .dockercfg may cause secrets to be
-  inappropriately logged.
+    Attempting to read a malformed .dockercfg may cause secrets to be
+    inappropriately logged.
 cves:
   - CVE-2020-8564
-credit: "@sfowl"
+credit: '@sfowl'
 symbols:
   - readDockerConfigFileFromBytes
   - readDockerConfigJSONFileFromBytes
 links:
-  pr: https://github.com/kubernetes/kubernetes/pull/94712
-  commit: https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634
-  context:
-    - https://github.com/kubernetes/kubernetes/issues/95622
+    pr: https://github.com/kubernetes/kubernetes/pull/94712
+    commit: https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634
+    context:
+      - https://github.com/kubernetes/kubernetes/issues/95622

reports/GO-2021-0067.yaml

@@ -4,16 +4,16 @@ versions:
   - introduced: go1.16
     fixed: go1.16.1
 description: |
-  Using Reader.Open on an archive containing a file with a path
-  prefixed by "../" will cause a panic due to a stack overflow.
-  If parsing user supplied archives, this may be used as a
-  denial of service vector.
+    Using Reader.Open on an archive containing a file with a path
+    prefixed by "../" will cause a panic due to a stack overflow.
+    If parsing user supplied archives, this may be used as a
+    denial of service vector.
 cves:
   - CVE-2021-27919
 symbols:
   - toValidName
 links:
-  pr: https://go-review.googlesource.com/c/go/+/300489
-  commit: https://go.googlesource.com/go/+/cd3b4ca9f20fd14187ed4cdfdee1a02ea87e5cd8
-  context:
-    - https://go.dev/issue/44916
+    pr: https://go-review.googlesource.com/c/go/+/300489
+    commit: https://go.googlesource.com/go/+/cd3b4ca9f20fd14187ed4cdfdee1a02ea87e5cd8
+    context:
+      - https://go.dev/issue/44916

reports/GO-2021-0068.yaml

@@ -5,18 +5,18 @@ versions:
   - fixed: go1.14.14
   - fixed: go1.15.7
 description: |
-  The go command may execute arbitrary code at build time when using cgo on Windows.
-  This can be triggered by running go get on a malicious module, or any other time
-  the code is built.
+    The go command may execute arbitrary code at build time when using cgo on Windows.
+    This can be triggered by running go get on a malicious module, or any other time
+    the code is built.
 cves:
   - CVE-2021-3115
 credit: RyotaK
 os:
   - windows
 links:
-  pr: https://go.dev/cl/284783
-  commit: https://go.googlesource.com/go/+/953d1feca9b21af075ad5fc8a3dad096d3ccc3a0
-  context:
-    - https://go.dev/issue/43783
-    - https://go.dev/cl/284780
-    - https://go.googlesource.com/go/+/46e2e2e9d99925bbf724b12693c6d3e27a95d6a0
+    pr: https://go.dev/cl/284783
+    commit: https://go.googlesource.com/go/+/953d1feca9b21af075ad5fc8a3dad096d3ccc3a0
+    context:
+      - https://go.dev/issue/43783
+      - https://go.dev/cl/284780
+      - https://go.googlesource.com/go/+/46e2e2e9d99925bbf724b12693c6d3e27a95d6a0

reports/GO-2021-0069.yaml

@@ -6,14 +6,14 @@ versions:
   - introduced: go1.15
     fixed: go1.15.5
 description: |
-  A number of math/big.Int methods can panic when provided large inputs due
-  to a flawed division method.
+    A number of math/big.Int methods can panic when provided large inputs due
+    to a flawed division method.
 cves:
   - CVE-2020-28362
 symbols:
   - nat.divRecursiveStep
 links:
-  pr: https://go-review.googlesource.com/c/go/+/269657
-  commit: https://go.googlesource.com/go/+/1e1fa5903b760c6714ba17e50bf850b01f49135c
-  context:
-    - https://go.dev/issue/42552
+    pr: https://go-review.googlesource.com/c/go/+/269657
+    commit: https://go.googlesource.com/go/+/1e1fa5903b760c6714ba17e50bf850b01f49135c
+    context:
+      - https://go.dev/issue/42552

reports/GO-2021-0070.yaml

@@ -3,19 +3,19 @@ package: github.com/opencontainers/runc/libcontainer/user
 versions:
   - fixed: v0.1.0
 description: |
-  GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will
-  improperly interpret numeric UIDs as usernames. If the method is used without
-  verifying that usernames are formatted as expected, it may allow a user to
-  gain unexpected privileges.
+    GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will
+    improperly interpret numeric UIDs as usernames. If the method is used without
+    verifying that usernames are formatted as expected, it may allow a user to
+    gain unexpected privileges.
 cves:
   - CVE-2016-3697
 symbols:
   - GetExecUser
 links:
-  pr: https://github.com/opencontainers/runc/pull/708
-  commit: https://github.com/opencontainers/runc/commit/69af385de62ea68e2e608335cffbb0f4aa3db091
-  context:
-    - https://github.com/docker/docker/issues/21436
-    - http://rhn.redhat.com/errata/RHSA-2016-1034.html
-    - http://rhn.redhat.com/errata/RHSA-2016-2634.html
-    - https://security.gentoo.org/glsa/201612-28
+    pr: https://github.com/opencontainers/runc/pull/708
+    commit: https://github.com/opencontainers/runc/commit/69af385de62ea68e2e608335cffbb0f4aa3db091
+    context:
+      - https://github.com/docker/docker/issues/21436
+      - http://rhn.redhat.com/errata/RHSA-2016-1034.html
+      - http://rhn.redhat.com/errata/RHSA-2016-2634.html
+      - https://security.gentoo.org/glsa/201612-28

reports/GO-2021-0071.yaml

@@ -3,17 +3,17 @@ package: github.com/lxc/lxd/shared
 versions:
   - fixed: v0.0.0-20151004155856-19c6961cc101
 description: |
-  A race between chown and chmod operations during a container
-  filesystem shift may allow a user who can modify the filesystem to
-  chmod an arbitrary path of their choice, rather than the expected
-  path.
+    A race between chown and chmod operations during a container
+    filesystem shift may allow a user who can modify the filesystem to
+    chmod an arbitrary path of their choice, rather than the expected
+    path.
 cves:
   - CVE-2015-1340
 credit: Seth Arnold
 symbols:
   - IdmapSet.doUidshiftIntoContainer
 links:
-  pr: https://github.com/lxc/lxd/pull/1189
-  commit: https://github.com/lxc/lxd/commit/19c6961cc1012c8a529f20807328a9357f5034f4
-  context:
-    - https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1502270
+    pr: https://github.com/lxc/lxd/pull/1189
+    commit: https://github.com/lxc/lxd/commit/19c6961cc1012c8a529f20807328a9357f5034f4
+    context:
+      - https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1502270

reports/GO-2021-0072.yaml

@@ -10,16 +10,16 @@ additional_packages:
 versions:
   - fixed: v2.7.0-rc.0+incompatible
 description: |
-  Various storage methods do not impose limits on how much content is accepted
-  from user requests, allowing a malicious user to force the caller to allocate
-  an arbitrary amount of memory.
+    Various storage methods do not impose limits on how much content is accepted
+    from user requests, allowing a malicious user to force the caller to allocate
+    an arbitrary amount of memory.
 cves:
   - CVE-2017-11468
 symbols:
   - copyFullPayload
 links:
-  pr: https://github.com/distribution/distribution/pull/2340
-  commit: https://github.com/distribution/distribution/commit/91c507a39abfce14b5c8541cf284330e22208c0f
-  context:
-    - https://access.redhat.com/errata/RHSA-2017:2603
-    - http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00047.html
+    pr: https://github.com/distribution/distribution/pull/2340
+    commit: https://github.com/distribution/distribution/commit/91c507a39abfce14b5c8541cf284330e22208c0f
+    context:
+      - https://access.redhat.com/errata/RHSA-2017:2603
+      - http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00047.html

reports/GO-2021-0073.yaml

@@ -3,17 +3,17 @@ package: github.com/git-lfs/git-lfs/lfsapi
 versions:
   - fixed: v2.1.1-0.20170519163204-f913f5f9c7c6+incompatible
 description: |
-  Arbitrary command execution can be triggered by improperly
-  sanitized SSH URLs in LFS configuration files. This can be
-  triggered by cloning a malicious repository.
+    Arbitrary command execution can be triggered by improperly
+    sanitized SSH URLs in LFS configuration files. This can be
+    triggered by cloning a malicious repository.
 cves:
   - CVE-2017-17831
 symbols:
   - sshGetLFSExeAndArgs
 links:
-  pr: https://github.com/git-lfs/git-lfs/pull/2241
-  commit: https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19
-  context:
-    - http://blog.recurity-labs.com/2017-08-10/scm-vulns
-    - https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html
-    - http://www.securityfocus.com/bid/102926
+    pr: https://github.com/git-lfs/git-lfs/pull/2241
+    commit: https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19
+    context:
+      - http://blog.recurity-labs.com/2017-08-10/scm-vulns
+      - https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html
+      - http://www.securityfocus.com/bid/102926

reports/GO-2021-0075.yaml

@@ -3,14 +3,14 @@ package: github.com/ethereum/go-ethereum/les
 versions:
   - fixed: v1.8.11
 description: |
-  Due to improper argument validation in RPC messages, a maliciously crafted
-  message can cause a panic, leading to denial of service.
+    Due to improper argument validation in RPC messages, a maliciously crafted
+    message can cause a panic, leading to denial of service.
 cves:
   - CVE-2018-12018
 symbols:
   - protocolManager.handleMsg
 links:
-  pr: https://github.com/ethereum/go-ethereum/pull/16891
-  commit: https://github.com/ethereum/go-ethereum/commit/a5237a27eaf81946a3edb4fafe13ed6359d119e4
-  context:
-    - https://peckshield.com/2018/06/27/EPoD/
+    pr: https://github.com/ethereum/go-ethereum/pull/16891
+    commit: https://github.com/ethereum/go-ethereum/commit/a5237a27eaf81946a3edb4fafe13ed6359d119e4
+    context:
+      - https://peckshield.com/2018/06/27/EPoD/

reports/GO-2021-0076.yaml

@@ -2,13 +2,13 @@ module: github.com/evanphx/json-patch
 versions:
   - fixed: v0.5.2
 description: |
-  A malicious JSON patch can cause a panic due to an out-of-bounds
-  write attempt. This can be used as a denial of service vector if
-  exposed to arbitrary user input.
+    A malicious JSON patch can cause a panic due to an out-of-bounds
+    write attempt. This can be used as a denial of service vector if
+    exposed to arbitrary user input.
 cves:
   - CVE-2018-14632
 symbols:
   - partialArray.add
 links:
-  pr: https://github.com/evanphx/json-patch/pull/57
-  commit: https://github.com/evanphx/json-patch/commit/4c9aadca8f89e349c999f04e28199e96e81aba03
+    pr: https://github.com/evanphx/json-patch/pull/57
+    commit: https://github.com/evanphx/json-patch/commit/4c9aadca8f89e349c999f04e28199e96e81aba03

reports/GO-2021-0077.yaml

@@ -3,14 +3,14 @@ package: go.etcd.io/etcd/auth
 versions:
   - fixed: v0.5.0-alpha.5.0.20190108173120-83c051b701d3
 description: |
-  A user can use a valid client certificate that contains a CommonName that matches a
-  valid RBAC username to authenticate themselves as that user, despite lacking the
-  required credentials. This may allow authentication bypass, but requires a certificate
-  that is issued by a CA trusted by the server.
+    A user can use a valid client certificate that contains a CommonName that matches a
+    valid RBAC username to authenticate themselves as that user, despite lacking the
+    required credentials. This may allow authentication bypass, but requires a certificate
+    that is issued by a CA trusted by the server.
 cves:
   - CVE-2018-16886
 symbols:
   - authStore.AuthInfoFromTLS
 links:
-  pr: https://github.com/etcd-io/etcd/pull/10366
-  commit: https://github.com/etcd-io/etcd/commit/bf9d0d8291dc71ecbfb2690612954e1a298154b2
+    pr: https://github.com/etcd-io/etcd/pull/10366
+    commit: https://github.com/etcd-io/etcd/commit/bf9d0d8291dc71ecbfb2690612954e1a298154b2

reports/GO-2021-0078.yaml

@@ -3,9 +3,9 @@ package: golang.org/x/net/html
 versions:
   - fixed: v0.0.0-20180816102801-aaf60122140d
 description: |
-  The HTML parser does not properly handle "in frameset" insertion mode, and can be made
-  to panic when operating on malformed HTML that contains <template> tags. If operating
-  on user input, this may be a vector for a denial of service attack.
+    The HTML parser does not properly handle "in frameset" insertion mode, and can be made
+    to panic when operating on malformed HTML that contains <template> tags. If operating
+    on user input, this may be a vector for a denial of service attack.
 cves:
   - CVE-2018-17075
 credit: Kunpei Sakai
@@ -13,9 +13,9 @@ symbols:
   - inBodyIM
   - inFramesetIM
 links:
-  pr: https://go-review.googlesource.com/123776
-  commit: https://go.googlesource.com/net/+/aaf60122140d3fcf75376d319f0554393160eb50
-  context:
-    - https://go.dev/issue/27016
-    - https://bugs.chromium.org/p/chromium/issues/detail?id=829668
-    - https://go-review.googlesource.com/c/net/+/94838/9/html/parse.go#1906
+    pr: https://go-review.googlesource.com/123776
+    commit: https://go.googlesource.com/net/+/aaf60122140d3fcf75376d319f0554393160eb50
+    context:
+      - https://go.dev/issue/27016
+      - https://bugs.chromium.org/p/chromium/issues/detail?id=829668
+      - https://go-review.googlesource.com/c/net/+/94838/9/html/parse.go#1906

reports/GO-2021-0079.yaml

@@ -3,15 +3,15 @@ package: github.com/bytom/bytom/p2p/discover
 versions:
   - fixed: v1.0.4-0.20180831054840-1ac3c8ac4f2b
 description: |
-  A malformed query can cause an out-of-bounds panic due to improper
-  validation of arguments. If processing queries from untrusted
-  parties, this may be used as a vector for denial of service
-  attacks.
+    A malformed query can cause an out-of-bounds panic due to improper
+    validation of arguments. If processing queries from untrusted
+    parties, this may be used as a vector for denial of service
+    attacks.
 cves:
   - CVE-2018-18206
-credit: "@yahtoo"
+credit: '@yahtoo'
 symbols:
   - Network.checkTopicRegister
 links:
-  pr: https://github.com/Bytom/bytom/pull/1307
-  commit: https://github.com/Bytom/bytom/commit/1ac3c8ac4f2b1e1df9675228290bda6b9586ba42
+    pr: https://github.com/Bytom/bytom/pull/1307
+    commit: https://github.com/Bytom/bytom/commit/1ac3c8ac4f2b1e1df9675228290bda6b9586ba42

reports/GO-2021-0081.yaml

@@ -3,16 +3,16 @@ package: github.com/containers/image/docker
 versions:
   - fixed: v2.0.2-0.20190802080134-634605d06e73+incompatible
 description: |
-  The HTTP client used to connect to the container registry authorization
-  service explicitly disables TLS verification, allowing an attacker that
-  is able to MITM the connection to steal credentials.
+    The HTTP client used to connect to the container registry authorization
+    service explicitly disables TLS verification, allowing an attacker that
+    is able to MITM the connection to steal credentials.
 cves:
   - CVE-2019-10214
 symbols:
   - dockerClient.getBearerToken
 links:
-  pr: https://github.com/containers/image/pull/669
-  commit: https://github.com/containers/image/commit/634605d06e738aec8332bcfd69162e7509ac7aaf
-  context:
-    - https://github.com/containers/image/issues/654
-    - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10214
+    pr: https://github.com/containers/image/pull/669
+    commit: https://github.com/containers/image/commit/634605d06e738aec8332bcfd69162e7509ac7aaf
+    context:
+      - https://github.com/containers/image/issues/654
+      - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10214

reports/GO-2021-0082.yaml

@@ -3,14 +3,14 @@ package: github.com/facebook/fbthrift/thrift/lib/go/thrift
 versions:
   - fixed: v0.31.1-0.20200311080807-483ed864d69f
 description: |
-  Thirft Servers preallocate memory for the declared size of messages before
-  checking the actual size of the message. This allows a malicious user to
-  send messages that declare that they are significantly larger than they
-  actually are, allowing them to force the server to allocate significant
-  amounts of memory. This can be used as a denial of service vector.
+    Thirft Servers preallocate memory for the declared size of messages before
+    checking the actual size of the message. This allows a malicious user to
+    send messages that declare that they are significantly larger than they
+    actually are, allowing them to force the server to allocate significant
+    amounts of memory. This can be used as a denial of service vector.
 cves:
   - CVE-2019-11939
 links:
-  commit: https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757
-  context:
-    - https://www.facebook.com/security/advisories/cve-2019-11939
+    commit: https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757
+    context:
+      - https://www.facebook.com/security/advisories/cve-2019-11939

reports/GO-2021-0083.yaml

@@ -3,14 +3,14 @@ package: github.com/hybridgroup/gobot/platforms/mqtt
 versions:
   - fixed: v1.12.1-0.20190521122906-c1aa4f867846
 description: |
-  TLS certificate verification is skipped when connecting to a MQTT server.
-  This allows an attacker who can MITM the connection to read, or forge,
-  messages passed between the client and server.
+    TLS certificate verification is skipped when connecting to a MQTT server.
+    This allows an attacker who can MITM the connection to read, or forge,
+    messages passed between the client and server.
 cves:
   - CVE-2019-12496
 symbols:
   - Adaptor.newTLSConfig
 links:
-  commit: https://github.com/hybridgroup/gobot/commit/c1aa4f867846da4669ecf3bc3318bd96b7ee6f3f
-  context:
-    - https://github.com/hybridgroup/gobot/releases/tag/v1.13.0
+    commit: https://github.com/hybridgroup/gobot/commit/c1aa4f867846da4669ecf3bc3318bd96b7ee6f3f
+    context:
+      - https://github.com/hybridgroup/gobot/releases/tag/v1.13.0

reports/GO-2021-0084.yaml

@@ -3,16 +3,16 @@ package: github.com/astaxie/beego/session
 versions:
   - fixed: v1.12.2-0.20200613154013-bac2b31afecc
 description: |
-  Session data is stored using permissive permissions, allowing local users
-  with filesystem access to read arbitrary data.
+    Session data is stored using permissive permissions, allowing local users
+    with filesystem access to read arbitrary data.
 cves:
   - CVE-2019-16354
-credit: "@nicowaisman"
+credit: '@nicowaisman'
 symbols:
   - FileProvider.SessionRead
   - FileProvider.SessionRegenerate
 links:
-  pr: https://github.com/beego/beego/pull/3975
-  commit: https://github.com/beego/beego/commit/bac2b31afecc65d9a89f9e473b8006c5edc0c8d1
-  context:
-    - https://github.com/beego/beego/issues/3763
+    pr: https://github.com/beego/beego/pull/3975
+    commit: https://github.com/beego/beego/commit/bac2b31afecc65d9a89f9e473b8006c5edc0c8d1
+    context:
+      - https://github.com/beego/beego/issues/3763

reports/GO-2021-0085.yaml

@@ -8,13 +8,13 @@ additional_packages:
 versions:
   - fixed: v1.0.0-rc8.0.20190930145003-cad42f6e0932
 description: |
-  AppArmor restrictions may be bypassed due to improper validation of mount
-  targets, allowing a malicious image to mount volumes over e.g. /proc.
+    AppArmor restrictions may be bypassed due to improper validation of mount
+    targets, allowing a malicious image to mount volumes over e.g. /proc.
 cves:
   - CVE-2019-16884
 credit: Leopold Schabel
 links:
-  pr: https://github.com/opencontainers/runc/pull/2130
-  commit: https://github.com/opencontainers/runc/commit/cad42f6e0932db0ce08c3a3d9e89e6063ec283e4
-  context:
-    - https://github.com/opencontainers/runc/issues/2128
+    pr: https://github.com/opencontainers/runc/pull/2130
+    commit: https://github.com/opencontainers/runc/commit/cad42f6e0932db0ce08c3a3d9e89e6063ec283e4
+    context:
+      - https://github.com/opencontainers/runc/issues/2128

reports/GO-2021-0086.yaml

@@ -3,11 +3,11 @@ package: github.com/documize/community/domain/section/markdown
 versions:
   - fixed: v1.76.3-0.20191119114751-a4384210d4d0
 description: |
-  HTML content in markdown is not santized during rendering, possibly allowing
-  XSS if used to render untrusted user input.
+    HTML content in markdown is not santized during rendering, possibly allowing
+    XSS if used to render untrusted user input.
 cves:
   - CVE-2019-19619
 symbols:
   - Provider.Render
 links:
-  commit: https://github.com/documize/community/commit/a4384210d4d0d6b18e6fdb7e155de96d4a1cf9f3
+    commit: https://github.com/documize/community/commit/a4384210d4d0d6b18e6fdb7e155de96d4a1cf9f3

reports/GO-2021-0087.yaml

@@ -3,16 +3,16 @@ package: github.com/opencontainers/runc/libcontainer
 versions:
   - fixed: v1.0.0-rc9.0.20200122160610-2fc03cc11c77
 description: |
-  A race while mounting volumes allows a possible symlink-exchange
-  attack, allowing a user whom can start multiple containers with
-  custom volume mount configurations to escape the container.
+    A race while mounting volumes allows a possible symlink-exchange
+    attack, allowing a user whom can start multiple containers with
+    custom volume mount configurations to escape the container.
 cves:
   - CVE-2019-19921
 credit: Leopold Schabel
 symbols:
   - mountToRootfs
 links:
-  pr: https://github.com/opencontainers/runc/pull/2207
-  commit: https://github.com/opencontainers/runc/commit/2fc03cc11c775b7a8b2e48d7ee447cb9bef32ad0
-  context:
-    - https://github.com/opencontainers/runc/issues/2197
+    pr: https://github.com/opencontainers/runc/pull/2207
+    commit: https://github.com/opencontainers/runc/commit/2fc03cc11c775b7a8b2e48d7ee447cb9bef32ad0
+    context:
+      - https://github.com/opencontainers/runc/issues/2197

reports/GO-2021-0088.yaml

@@ -3,15 +3,15 @@ package: github.com/facebook/fbthrift/thrift/lib/go/thrift
 versions:
   - fixed: v0.31.1-0.20190225164308-c461c1bd1a3e
 description: |
-  Skip ignores unknown fields, rather than failing. A malicious user can craft small
-  messages with unknown fields which can take significant resources to parse. If a
-  server accepts messages from an untrusted user, it may be used as a denial of service
-  vector.
+    Skip ignores unknown fields, rather than failing. A malicious user can craft small
+    messages with unknown fields which can take significant resources to parse. If a
+    server accepts messages from an untrusted user, it may be used as a denial of service
+    vector.
 cves:
   - CVE-2019-3564
 symbols:
   - Skip
 links:
-  commit: https://github.com/facebook/fbthrift/commit/c461c1bd1a3e130b181aa9c854da3030cd4b5156
-  context:
-    - https://www.facebook.com/security/advisories/cve-2019-3564
+    commit: https://github.com/facebook/fbthrift/commit/c461c1bd1a3e130b181aa9c854da3030cd4b5156
+    context:
+      - https://www.facebook.com/security/advisories/cve-2019-3564

reports/GO-2021-0089.yaml

@@ -2,16 +2,16 @@ module: github.com/buger/jsonparser
 versions:
   - fixed: v0.0.0-20200321185410-91ac96899e49
 description: |
-  Parsing malformed JSON which contain opening brackets, but not closing brackets,
-  leads to an infinite loop. If operating on untrusted user input this can be
-  used as a denial of service vector.
+    Parsing malformed JSON which contain opening brackets, but not closing brackets,
+    leads to an infinite loop. If operating on untrusted user input this can be
+    used as a denial of service vector.
 cves:
   - CVE-2020-10675
 credit: Cong Wang
 symbols:
   - findKeyStart
 links:
-  pr: https://github.com/buger/jsonparser/pull/192
-  commit: https://github.com/buger/jsonparser/commit/91ac96899e492584984ded0c8f9a08f10b473717
-  context:
-    - https://github.com/buger/jsonparser/issues/188
+    pr: https://github.com/buger/jsonparser/pull/192
+    commit: https://github.com/buger/jsonparser/commit/91ac96899e492584984ded0c8f9a08f10b473717
+    context:
+      - https://github.com/buger/jsonparser/issues/188

reports/GO-2021-0090.yaml

@@ -4,16 +4,16 @@ versions:
   - introduced: v0.33.0
     fixed: v0.34.0-dev1.0.20200702134149-480b995a3172
 description: |
-  Proposed commits may contain signatures for blocks not contained within the commit. Instead of skipping
-  these signatures, they cause failure during verification. A malicious proposer can use this to force
-  consensus failures.
+    Proposed commits may contain signatures for blocks not contained within the commit. Instead of skipping
+    these signatures, they cause failure during verification. A malicious proposer can use this to force
+    consensus failures.
 cves:
   - CVE-2020-15091
 credit: Neeraj Murarka
 symbols:
   - VoteSet.MakeCommit
 links:
-  pr: https://github.com/tendermint/tendermint/pull/5426
-  commit: https://github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340
-  context:
-    - https://github.com/tendermint/tendermint/issues/4926
+    pr: https://github.com/tendermint/tendermint/pull/5426
+    commit: https://github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340
+    context:
+      - https://github.com/tendermint/tendermint/issues/4926

reports/GO-2021-0091.yaml

@@ -2,16 +2,16 @@ module: github.com/gofiber/fiber
 versions:
   - fixed: v1.12.6-0.20200710202935-a8ad5454363f
 description: |
-  Due to improper input validation when uploading a file, a malicious user may
-  force the server to return arbitrary HTTP headers when the uploaded
-  file is downloaded.
+    Due to improper input validation when uploading a file, a malicious user may
+    force the server to return arbitrary HTTP headers when the uploaded
+    file is downloaded.
 cves:
   - CVE-2020-15111
 credit: Hasibul Hasan and Abdullah Shaleh
 symbols:
   - Ctx.Attachment
 links:
-  pr: github.com/gofiber/fiber/pull/579
-  commit: https://github.com/gofiber/fiber/commit/a8ad5454363f627c3f9469c56c5faaf1b943f06a
-  context:
-    - https://github.com/gofiber/fiber/security/advisories/GHSA-9cx9-x2gp-9qvh
+    pr: github.com/gofiber/fiber/pull/579
+    commit: https://github.com/gofiber/fiber/commit/a8ad5454363f627c3f9469c56c5faaf1b943f06a
+    context:
+      - https://github.com/gofiber/fiber/security/advisories/GHSA-9cx9-x2gp-9qvh

reports/GO-2021-0092.yaml

@@ -2,13 +2,13 @@ module: github.com/ory/fosite
 versions:
   - fixed: v0.31.0
 description: |
-  Uniqueness of JWT IDs (jti) are not checked, allowing the JWT to be
-  replayed.
+    Uniqueness of JWT IDs (jti) are not checked, allowing the JWT to be
+    replayed.
 cves:
   - CVE-2020-15222
 symbols:
   - Fosite.AuthenticateClient
 links:
-  commit: https://github.com/ory/fosite/commit/0c9e0f6d654913ad57c507dd9a36631e1858a3e9
-  context:
-    - https://github.com/ory/fosite/security/advisories/GHSA-v3q9-2p3m-7g43
+    commit: https://github.com/ory/fosite/commit/0c9e0f6d654913ad57c507dd9a36631e1858a3e9
+    context:
+      - https://github.com/ory/fosite/security/advisories/GHSA-v3q9-2p3m-7g43

reports/GO-2021-0094.yaml

@@ -2,18 +2,18 @@ module: github.com/hashicorp/go-slug
 versions:
   - fixed: v0.5.0
 description: |
-  Protections against directory traversal during archive extraction can be
-  bypassed by chaining multiple symbolic links within the archive. This allows
-  a malicious attacker to cause files to be created outside of the target
-  directory. Additionally if the attacker is able to read extracted files
-  they may create symbolic links to arbitrary files on the system which the
-  unpacker has permissions to read.
+    Protections against directory traversal during archive extraction can be
+    bypassed by chaining multiple symbolic links within the archive. This allows
+    a malicious attacker to cause files to be created outside of the target
+    directory. Additionally if the attacker is able to read extracted files
+    they may create symbolic links to arbitrary files on the system which the
+    unpacker has permissions to read.
 cves:
   - CVE-2020-29529
 symbols:
   - Unpack
 links:
-  pr: https://github.com/hashicorp/go-slug/pull/12
-  commit: https://github.com/hashicorp/go-slug/commit/28cafc59c8da6126a3ae94dfa84181df4073454f
-  context:
-    - https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug
+    pr: https://github.com/hashicorp/go-slug/pull/12
+    commit: https://github.com/hashicorp/go-slug/commit/28cafc59c8da6126a3ae94dfa84181df4073454f
+    context:
+      - https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug

reports/GO-2021-0095.yaml

@@ -3,16 +3,16 @@ package: github.com/google/go-tpm/tpm
 versions:
   - fixed: v0.3.0
 description: |
-  Due to repeated usage of a XOR key an attacker that can eavesdrop on the TPM 1.2 transport
-  is able to calculate usageAuth for keys created using CreateWrapKey, despite it being encrypted,
-  allowing them to use the created key.
+    Due to repeated usage of a XOR key an attacker that can eavesdrop on the TPM 1.2 transport
+    is able to calculate usageAuth for keys created using CreateWrapKey, despite it being encrypted,
+    allowing them to use the created key.
 cves:
   - CVE-2020-8918
 credit: Chris Fenner
 symbols:
   - CreateWrapKey
 links:
-  pr: https://github.com/google/go-tpm/pull/195
-  commit: https://github.com/google/go-tpm/commit/d7806cce857a1a020190c03348e5361725d8f141
-  context:
-    - https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw
+    pr: https://github.com/google/go-tpm/pull/195
+    commit: https://github.com/google/go-tpm/commit/d7806cce857a1a020190c03348e5361725d8f141
+    context:
+      - https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw

reports/GO-2021-0096.yaml

@@ -2,11 +2,11 @@ module: github.com/proglottis/gpgme
 versions:
   - fixed: v0.1.1
 description: |
-  Due to improper setting of finalizers, memory passed to C may be freed before it is used,
-  leading to crashes due to memory corruption or possible code execution.
+    Due to improper setting of finalizers, memory passed to C may be freed before it is used,
+    leading to crashes due to memory corruption or possible code execution.
 cves:
   - CVE-2020-8945
 credit: Ulrich Obergfell
 links:
-  pr: https://github.com/proglottis/gpgme/pull/23
-  commit: https://github.com/proglottis/gpgme/commit/92153bcb59bd2f511e502262c46c7bd660e21733
+    pr: https://github.com/proglottis/gpgme/pull/23
+    commit: https://github.com/proglottis/gpgme/commit/92153bcb59bd2f511e502262c46c7bd660e21733

reports/GO-2021-0097.yaml

@@ -2,23 +2,23 @@ module: github.com/dhowden/tag
 versions:
   - fixed: v0.0.0-20201120070457-d52dcb253c63
 description: |
-  Due to improper bounds checking, a number of methods can trigger a panic due to attempted
-  out-of-bounds reads. If the package is used to parse user supplied input, this may be
-  used as a vector for a denial of service attack.
+    Due to improper bounds checking, a number of methods can trigger a panic due to attempted
+    out-of-bounds reads. If the package is used to parse user supplied input, this may be
+    used as a vector for a denial of service attack.
 cves:
   - CVE-2020-29242
   - CVE-2020-29243
   - CVE-2020-29244
   - CVE-2020-29245
-credit: "@Jayl1n"
+credit: '@Jayl1n'
 symbols:
   - readPICFrame
   - readAPICFrame
   - readTextWithDescrFrame
   - readAtomData
 links:
-  commit: https://github.com/dhowden/tag/commit/d52dcb253c63a153632bfee5f269dd411dcd8e96
-  context:
-    - https://github.com/dhowden/tag/commit/a92213460e4838490ce3066ef11dc823cdc1740e
-    - https://github.com/dhowden/tag/commit/4b595ed4fac79f467594aa92f8953f90f817116e
-    - https://github.com/dhowden/tag/commit/6b18201aa5c5535511802ddfb4e4117686b4866d
+    commit: https://github.com/dhowden/tag/commit/d52dcb253c63a153632bfee5f269dd411dcd8e96
+    context:
+      - https://github.com/dhowden/tag/commit/a92213460e4838490ce3066ef11dc823cdc1740e
+      - https://github.com/dhowden/tag/commit/4b595ed4fac79f467594aa92f8953f90f817116e
+      - https://github.com/dhowden/tag/commit/6b18201aa5c5535511802ddfb4e4117686b4866d

reports/GO-2021-0098.yaml

@@ -23,16 +23,16 @@ additional_packages:
 versions:
   - fixed: v1.5.1-0.20210113180018-fc664697ed2c
 description: |
-  Due to the standard library behavior of exec.LookPath on Windows a number of methods may
-  result in arbitrary code execution when cloning or operating on untrusted Git repositories.
+    Due to the standard library behavior of exec.LookPath on Windows a number of methods may
+    result in arbitrary code execution when cloning or operating on untrusted Git repositories.
 cves:
   - CVE-2021-21237
-credit: "@Ry0taK"
+credit: '@Ry0taK'
 symbols:
   - PipeCommand
 os:
   - windows
 links:
-  commit: https://github.com/git-lfs/git-lfs/commit/fc664697ed2c2081ee9633010de0a7f9debea72a
-  context:
-    - https://github.com/git-lfs/git-lfs/security/advisories/GHSA-cx3w-xqmc-84g5
+    commit: https://github.com/git-lfs/git-lfs/commit/fc664697ed2c2081ee9633010de0a7f9debea72a
+    context:
+      - https://github.com/git-lfs/git-lfs/security/advisories/GHSA-cx3w-xqmc-84g5

reports/GO-2021-0099.yaml

@@ -3,15 +3,15 @@ package: github.com/deislabs/oras/pkg/content
 versions:
   - fixed: v0.9.0
 description: |
-  Due to improper path validation, using the github.com/deislabs/oras/pkg/content.FileStore
-  content store may result in directory traversal during archive extraction, allowing a
-  malicious archive to write paths to arbitrary paths that the process can write to.
+    Due to improper path validation, using the github.com/deislabs/oras/pkg/content.FileStore
+    content store may result in directory traversal during archive extraction, allowing a
+    malicious archive to write paths to arbitrary paths that the process can write to.
 cves:
   - CVE-2021-21272
 credit: Chris Smowton
 symbols:
   - extractTarDirectory
 links:
-  commit: https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e
-  context:
-    - https://github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx
+    commit: https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e
+    context:
+      - https://github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx

reports/GO-2021-0100.yaml

@@ -3,18 +3,18 @@ package: github.com/containers/storage/pkg/archive
 versions:
   - fixed: v1.28.1
 description: |
-  Due to a goroutine deadlock, using github.com/containers/storage/pkg/archive.DecompressStream
-  on a xz archive returns a reader which will hang indefinitely when Close is called. An attacker
-  can use this to cause denial of service if they are able to cause the caller to attempt to
-  decompress an archive they control.
+    Due to a goroutine deadlock, using github.com/containers/storage/pkg/archive.DecompressStream
+    on a xz archive returns a reader which will hang indefinitely when Close is called. An attacker
+    can use this to cause denial of service if they are able to cause the caller to attempt to
+    decompress an archive they control.
 cves:
   - CVE-2021-20291
 credit: Aviv Sasson (Palo Alto Networks)
 symbols:
   - cmdStream
 links:
-  commit: https://github.com/containers/storage/commit/306fcabc964470e4b3b87a43a8f6b7d698209ee1
-  pr: https://github.com/containers/storage/pull/860
-  context:
-    - https://github.com/advisories/GHSA-7qw8-847f-pggm
-    - https://bugzilla.redhat.com/show_bug.cgi?id=1939485
+    pr: https://github.com/containers/storage/pull/860
+    commit: https://github.com/containers/storage/commit/306fcabc964470e4b3b87a43a8f6b7d698209ee1
+    context:
+      - https://github.com/advisories/GHSA-7qw8-847f-pggm
+      - https://bugzilla.redhat.com/show_bug.cgi?id=1939485

reports/GO-2021-0101.yaml

@@ -4,14 +4,14 @@ versions:
   - introduced: v0.0.0-20151001171628-53dd39833a08
   - fixed: v0.13.0
 description: |
-  Due to an improper bounds check, parsing maliciously crafted messages can cause panics. If
-  this package is used to parse untrusted input, this may be used as a vector for a denial of
-  service attack.
+    Due to an improper bounds check, parsing maliciously crafted messages can cause panics. If
+    this package is used to parse untrusted input, this may be used as a vector for a denial of
+    service attack.
 cves:
   - CVE-2019-0210
 symbols:
   - TSimpleJSONProtocol.safePeekContains
 links:
-  commit: https://github.com/apache/thrift/commit/264a3f318ed3e9e51573f67f963c8509786bcec2
-  context:
-    - https://github.com/advisories/GHSA-jq7p-26h5-w78r
+    commit: https://github.com/apache/thrift/commit/264a3f318ed3e9e51573f67f963c8509786bcec2
+    context:
+      - https://github.com/advisories/GHSA-jq7p-26h5-w78r

reports/GO-2021-0102.yaml

@@ -10,15 +10,15 @@ additional_packages:
 versions:
   - fixed: v0.0.0-20191101214924-b1b5c44e050f
 description: |
-  Due to improper input validation, a maliciously crafted input can cause a panic, due to incorrect
-  nonce size. If this package is used to decrypt user supplied messages without checking the size of
-  supplied nonces, this may be used as a vector for a denial of service attack.
+    Due to improper input validation, a maliciously crafted input can cause a panic, due to incorrect
+    nonce size. If this package is used to decrypt user supplied messages without checking the size of
+    supplied nonces, this may be used as a vector for a denial of service attack.
 cves:
   - CVE-2019-11289
 symbols:
   - AesGCM.Decrypt
 links:
-  commit: https://github.com/cloudfoundry/gorouter/commit/b1b5c44e050f73b399b379ca63a42a2c5780a83f
-  context:
-    - https://github.com/advisories/GHSA-5796-p3m6-9qj4
-    - https://www.cloudfoundry.org/blog/cve-2019-11289/
+    commit: https://github.com/cloudfoundry/gorouter/commit/b1b5c44e050f73b399b379ca63a42a2c5780a83f
+    context:
+      - https://github.com/advisories/GHSA-5796-p3m6-9qj4
+      - https://www.cloudfoundry.org/blog/cve-2019-11289/

reports/GO-2021-0103.yaml

@@ -3,16 +3,16 @@ versions:
   - introduced: v0.1.0
   - fixed: v1.1.1
 description: |
-  Due to improper bounds checking, certain mathmatical operations can cause a panic via an
-  out of bounds read. If this package is used to process untrusted user inputs, this may be used
-  as a vector for a denial of service attack.
+    Due to improper bounds checking, certain mathmatical operations can cause a panic via an
+    out of bounds read. If this package is used to process untrusted user inputs, this may be used
+    as a vector for a denial of service attack.
 cves:
   - CVE-2020-26242
 credit: Dima Stebaev
 symbols:
   - udivrem
 links:
-  commit: https://github.com/holiman/uint256/commit/6785da6e3eea403260a5760029e722aa4ff1716d
-  pr: https://github.com/holiman/uint256/pull/80
-  context:
-    - https://github.com/ethereum/go-ethereum/security/advisories/GHSA-jm5c-rv3w-w83m
+    pr: https://github.com/holiman/uint256/pull/80
+    commit: https://github.com/holiman/uint256/commit/6785da6e3eea403260a5760029e722aa4ff1716d
+    context:
+      - https://github.com/ethereum/go-ethereum/security/advisories/GHSA-jm5c-rv3w-w83m

reports/GO-2021-0104.yaml

@@ -2,18 +2,18 @@ module: github.com/pion/webrtc/v3
 versions:
   - fixed: v3.0.15
 description: |
-  Due to improper error handling, DTLS connections were not killed when certificate verification
-  failed, causing users who did not check the connection state to continue to use the connection.
-  This could allow allow an attacker which holds the ICE password, but not a valid certificate,
-  to bypass this restriction.
+    Due to improper error handling, DTLS connections were not killed when certificate verification
+    failed, causing users who did not check the connection state to continue to use the connection.
+    This could allow allow an attacker which holds the ICE password, but not a valid certificate,
+    to bypass this restriction.
 cves:
   - CVE-2021-28681
 credit: Gaukas Wang (@Gaukas)
 symbols:
   - DTLSTransport.Start
 links:
-  commit: https://github.com/pion/webrtc/commit/545613dcdeb5dedb01cce94175f40bcbe045df2e
-  pr: https://github.com/pion/webrtc/pull/1709
-  context:
-    - https://github.com/pion/webrtc/issues/1708
-    - https://github.com/advisories/GHSA-74xm-qj29-cq8p
+    pr: https://github.com/pion/webrtc/pull/1709
+    commit: https://github.com/pion/webrtc/commit/545613dcdeb5dedb01cce94175f40bcbe045df2e
+    context:
+      - https://github.com/pion/webrtc/issues/1708
+      - https://github.com/advisories/GHSA-74xm-qj29-cq8p

reports/GO-2021-0105.yaml

@@ -4,15 +4,15 @@ versions:
   - introduced: v1.9.4
   - fixed: v1.9.20
 description: |
-  Due to an incorrect state calculation, a specific set of transactions could cause a consensus disagreement,
-  causing users of this package to reject a canonical chain.
+    Due to an incorrect state calculation, a specific set of transactions could cause a consensus disagreement,
+    causing users of this package to reject a canonical chain.
 cves:
   - CVE-2020-26265
 credit: John Youngseok Yang (Software Platform Lab)
 symbols:
   - StateDB.createObject
 links:
-  commit: https://github.com/ethereum/go-ethereum/commit/87c0ba92136a75db0ab2aba1046d4a9860375d6a
-  pr: https://github.com/ethereum/go-ethereum/pull/21080
-  context:
-    - https://github.com/advisories/GHSA-xw37-57qp-9mm4
+    pr: https://github.com/ethereum/go-ethereum/pull/21080
+    commit: https://github.com/ethereum/go-ethereum/commit/87c0ba92136a75db0ab2aba1046d4a9860375d6a
+    context:
+      - https://github.com/advisories/GHSA-xw37-57qp-9mm4

reports/GO-2021-0106.yaml

@@ -2,12 +2,12 @@ module: github.com/whyrusleeping/tar-utils
 versions:
   - fixed: v0.0.0-20201201191210-20a61371de5b
 description: |
-  Due to improper path santization, archives containing relative file
-  paths can cause files to be written (or overwritten) outside of the
-  target directory.
+    Due to improper path santization, archives containing relative file
+    paths can cause files to be written (or overwritten) outside of the
+    target directory.
 symbols:
   - Extractor.outputPath
 links:
-  commit: https://github.com/whyrusleeping/tar-utils/commit/20a61371de5b51380bbdb0c7935b30b0625ac227
-  context:
-    - https://snyk.io/research/zip-slip-vulnerability
+    commit: https://github.com/whyrusleeping/tar-utils/commit/20a61371de5b51380bbdb0c7935b30b0625ac227
+    context:
+      - https://snyk.io/research/zip-slip-vulnerability

reports/GO-2021-0107.yaml

@@ -2,12 +2,12 @@ module: github.com/ecnepsnai/web
 versions:
   - fixed: v1.5.2
 description: |
-  Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a
-  nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or
-  authentication bypass.
+    Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a
+    nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or
+    authentication bypass.
 symbols:
   - Server.socketHandler
 links:
-  commit: https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002f
-  context:
-    - https://github.com/advisories/GHSA-5gjg-jgh4-gppm
+    commit: https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002f
+    context:
+      - https://github.com/advisories/GHSA-5gjg-jgh4-gppm

reports/GO-2021-0108.yaml

@@ -2,16 +2,16 @@ module: github.com/gofiber/fiber
 versions:
   - fixed: v1.12.6
 description: |
-  Due to improper input sanitization, a maliciously constructed filename could cause a file
-  download to use an attacker controlled filename, as well as injecting additional headers
-  into an HTTP response.
+    Due to improper input sanitization, a maliciously constructed filename could cause a file
+    download to use an attacker controlled filename, as well as injecting additional headers
+    into an HTTP response.
 cves:
   - CVE-2020-15111
 credit: Hasibul Hasan and Abdullah Shaleh
 symbols:
   - Ctx.Attachment
 links:
-  commit: https://github.com/gofiber/fiber/commit/f698b5d5066cfe594102ae252cd58a1fe57cf56f
-  pr: https://github.com/gofiber/fiber/pull/579
-  context:
-    - https://github.com/advisories/GHSA-9cx9-x2gp-9qvh
+    pr: https://github.com/gofiber/fiber/pull/579
+    commit: https://github.com/gofiber/fiber/commit/f698b5d5066cfe594102ae252cd58a1fe57cf56f
+    context:
+      - https://github.com/advisories/GHSA-9cx9-x2gp-9qvh