x/vulndb: add Github issue form for external vulndb reports

Also deletes old markdown version. Change-Id: I90ff87b57722bdd37d1844c7ca6f43a1e2952d62 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/418594 Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Tatiana Bradley <tatiana@golang.org>
2022-07-08 17:41:44 -04:00 · 2022-07-08 17:41:44 -04:00 · a0a7497be9
--- a/.github/ISSUE_TEMPLATE/new_third_party_vuln.yml
+++ b/.github/ISSUE_TEMPLATE/new_third_party_vuln.yml
@ -0,0 +1,127 @@
+# Copyright 2021 The Go Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+name: Tell us about a public vulnerability in the Go Ecosystem
+description: |
+  Report an existing, public vulnerability in a publicly importable package in the Go ecosystem that is not yet in our database.
+title: "x/vulndb: potential Go vuln in <package>"
+labels: "Needs Triage,Direct External Report"
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to file a vulnerability report!
+
+        Use this form only for PUBLIC vulnerabilities in publicly importable Go packages not maintained by the Go Team (i.e., anything outside the Go standard library, Go toolchain, and golang.org modules).
+
+        ❗ To report undisclosed Go vulnerabilities, please follow our [security policy](https://go.dev/security/policy) instead.
+
+        For questions or concerns, do not hesitate to reach out to us directly at security@golang.org.
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: A description of the vulnerability.
+    validations:
+      required: true
+  - type: textarea
+    id: affected
+    attributes:
+      label: Affected Modules, Packages, Versions and Symbols
+      description: |
+        The Go modules, packages, versions, and symbols this vulnerability affects.
+
+        Package versions should be in semver format, and should indicate when the vulnerability was introduced and when it was fixed, if known.
+
+        Symbols are functions, methods or structs that may trigger this vulnerability when used.
+      value: |
+        Module: github.com/example/module
+        Package: github.com/example/module/package
+        Versions:
+          - Introduced: 1.2.0
+          - Fixed: 1.2.4
+        Symbols:
+          - aFunction
+          - SomeType.AMethod
+
+        Module: github.com/example/module
+        Package: github.com/example/module/v2/package
+        Versions:
+          - Fixed: 2.4.5
+        Symbols:
+          - anotherFunction
+      render: shell
+    validations:
+      required: true
+  - type: dropdown
+    id: has-cve
+    attributes:
+      label: Does this vulnerability already have an associated CVE ID?
+      description: |
+        A CVE ID is a unique identifier for a vulnerability (see https://cve.mitre.org).
+        The Go Security team will assign a CVE ID for the vulnerability if it does not already have one.
+      multiple: false
+      options:
+      - "Yes"
+      - "No"
+      - "I'm not sure"
+    validations:
+      required: true
+  - type: input
+    id: cve
+    attributes:
+      label: CVE ID
+      description: If you selected "Yes" in the previous question, please include the CVE ID below.
+      placeholder: CVE-20XX-NNNN
+    validations:
+      required: false
+  - type: input
+    id: credit
+    attributes:
+      label: Credit
+      description: |
+        [Optional] The name of the person or organization that discovered or fixed this vulnerability.
+  - type: input
+    id: cwe
+    attributes:
+      label: CWE ID
+      description: |
+        [Optional] The CWE ID that best describes the class of vulnerability.
+        See https://cwe.mitre.org/data/definitions/699.html for a list of common types.
+  - type: input
+    id: pr
+    attributes:
+      label: Pull Request
+      description: |
+        The pull request(s) that fixed this vulnerability, if known.
+      placeholder: https://github.com/example/pull/123
+    validations:
+      required: false
+  - type: input
+    id: commit
+    attributes:
+      label: Commit
+      description: |
+        The commit(s) that fixed this vulnerability, if known.
+      placeholder: https://github.com/example/commit/abcdef
+    validations:
+      required: false
+  - type: textarea
+    id: links
+    attributes:
+      label: References
+      description: Links to more information about the vulnerability (e.g., advisories, reports, issue tracker entries, etc).
+      placeholder: |
+        - https://github.com/example/issues/123
+        - https://github.com/advisories/GHSA-abcd-efgh-ijkl
+    validations:
+      required: false
+  - type: textarea
+    id: more
+    attributes:
+      label: Additional information
+      description: |
+        Anything else you'd like us to know about this vulnerability?
+    validations:
+      required: false
--- a/.github/ISSUE_TEMPLATE/new_vuln.md
+++ b/.github/ISSUE_TEMPLATE/new_vuln.md
@ -1,24 +0,0 @@
---
-name: Add a new Go vulnerability to the database
-about: Report a vulnerability that should be added to th Go vulnerability database.
-title: "x/vulndb: potential Go vuln in <package>: <CVE>"
---
-
-```
-module:
-package:
-versions:
-  - introduced:
-  - fixed:
-description:
-cves:
-  -
-credit:
-symbols:
-  -
-links:
-  pr:
-  commit:
-  context:
-    -
-```
--- a/.github/ISSUE_TEMPLATE/suggest_edit.yaml
+++ b/.github/ISSUE_TEMPLATE/suggest_edit.yaml
@ -1,3 +1,7 @@
+# Copyright 2021 The Go Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
 name: Suggest an edit to an existing report
 title: "x/vulndb: suggestion regarding <GO-XXXX-YYYY>"
 description: Let us know about missing or incorrect information in a vulndb report.