data: update reports for OSV schema changes

Change-Id: I381c0225514627719d103395580f3b2d8d8efc2d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/424899 Reviewed-by: Julie Qiu <julieqiu@google.com>
2022-08-18 15:09:12 -07:00 · 2022-08-18 15:09:12 -07:00 · b5cb765df4
--- a/data/reports/GO-2020-0001.yaml
+++ b/data/reports/GO-2020-0001.yaml
@ -1,9 +1,11 @@
-packages:
+modules:
  - module: github.com/gin-gonic/gin
    symbols:
      - defaultLogFormatter
    versions:
      - fixed: 1.6.0
    packages:
      - package: github.com/gin-gonic/gin
        symbols:
          - defaultLogFormatter
 description: |
    The default Formatter for the Logger middleware (LoggerConfig.Formatter),
    which is included in the Default engine, allows attackers to inject arbitrary
@ -15,7 +17,7 @@ links:
    commit: https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d
 cve_metadata:
    id: CVE-2020-36567
-    cwe: "CWE-117 Improper Output Neutralization for Logs"
+    cwe: CWE-117 Improper Output Neutralization for Logs
    description: |
        Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0
        allows remote attackers to inject arbitrary log lines.
--- a/data/reports/GO-2020-0002.yaml
+++ b/data/reports/GO-2020-0002.yaml
@ -1,7 +1,9 @@
-packages:
+modules:
  - module: github.com/proglottis/gpgme
    versions:
      - fixed: 0.1.1
    packages:
      - package: github.com/proglottis/gpgme
 description: |
    The Data, Context, or Key finalizers might run during or before GPGME
    operations. This will release the C structures that are still in use, leading
--- a/data/reports/GO-2020-0003.yaml
+++ b/data/reports/GO-2020-0003.yaml
@ -1,7 +1,9 @@
-packages:
+modules:
  - module: github.com/revel/revel
    versions:
      - fixed: 1.0.0
    packages:
      - package: github.com/revel/revel
 description: |
    An attacker can cause an application that accepts slice parameters
    (https://revel.github.io/manual/parameters.html#slices) to allocate large
--- a/data/reports/GO-2020-0004.yaml
+++ b/data/reports/GO-2020-0004.yaml
@ -1,15 +1,17 @@
-packages:
+modules:
  - module: github.com/nanobox-io/golang-nanoauth
    symbols:
      - Auth.ServerHTTP
      - Auth.ListenAndServeTLS
      - Auth.ListenAndServe
    derived_symbols:
      - ListenAndServe
      - ListenAndServeTLS
    versions:
      - introduced: 0.0.0-20160722212129-ac0cc4484ad4
        fixed: 0.0.0-20200131131040-063a3fb69896
    packages:
      - package: github.com/nanobox-io/golang-nanoauth
        symbols:
          - Auth.ServerHTTP
          - Auth.ListenAndServeTLS
          - Auth.ListenAndServe
        derived_symbols:
          - ListenAndServe
          - ListenAndServeTLS
 description: |
    If any of the ListenAndServe functions are called with an empty token,
    token authentication is disabled globally for all listeners.
--- a/data/reports/GO-2020-0005.yaml
+++ b/data/reports/GO-2020-0005.yaml
@ -1,11 +1,12 @@
-packages:
+modules:
  - module: go.etcd.io/etcd
    package: go.etcd.io/etcd/wal
    symbols:
      - WAL.ReadAll
      - decoder.decodeRecord
    versions:
      - fixed: 0.5.0-alpha.5.0.20200423152442-f4b650b51dc4
    packages:
      - package: go.etcd.io/etcd/wal
        symbols:
          - WAL.ReadAll
          - decoder.decodeRecord
 description: |
    Malformed WALs can be constructed such that WAL.ReadAll can cause attempted
    out of bounds reads, or creation of arbitrarily sized slices, which may be used as
--- a/data/reports/GO-2020-0006.yaml
+++ b/data/reports/GO-2020-0006.yaml
@ -1,15 +1,17 @@
-packages:
+modules:
  - module: github.com/miekg/dns
    symbols:
      - Server.serveTCP
    derived_symbols:
      - ActivateAndServe
      - ListenAndServe
      - ListenAndServeTLS
      - Server.ActivateAndServe
      - Server.ListenAndServe
    versions:
      - fixed: 1.0.4-0.20180125103619-43913f2f4fbd
    packages:
      - package: github.com/miekg/dns
        symbols:
          - Server.serveTCP
        derived_symbols:
          - ActivateAndServe
          - ListenAndServe
          - ListenAndServeTLS
          - Server.ActivateAndServe
          - Server.ListenAndServe
 description: |
    An attacker may prevent TCP connections to a Server by opening
    a connection and leaving it idle, until the connection is closed by
--- a/data/reports/GO-2020-0007.yaml
+++ b/data/reports/GO-2020-0007.yaml
@ -1,14 +1,16 @@
-packages:
+modules:
  - module: github.com/seccomp/libseccomp-golang
    symbols:
      - ScmpFilter.addRuleGeneric
    derived_symbols:
      - ScmpFilter.AddRule
      - ScmpFilter.AddRuleConditional
      - ScmpFilter.AddRuleConditionalExact
      - ScmpFilter.AddRuleExact
    versions:
      - fixed: 0.9.1-0.20170424173420-06e7a29f36a3
    packages:
      - package: github.com/seccomp/libseccomp-golang
        symbols:
          - ScmpFilter.addRuleGeneric
        derived_symbols:
          - ScmpFilter.AddRule
          - ScmpFilter.AddRuleConditional
          - ScmpFilter.AddRuleConditionalExact
          - ScmpFilter.AddRuleExact
 description: |
    Filters containing rules with multiple syscall arguments are improperly
    constructed, such that all arguments are required to match rather than
--- a/data/reports/GO-2020-0008.yaml
+++ b/data/reports/GO-2020-0008.yaml
@ -1,15 +1,17 @@
-packages:
+modules:
  - module: github.com/miekg/dns
    symbols:
      - id
    derived_symbols:
      - Msg.SetAxfr
      - Msg.SetIxfr
      - Msg.SetNotify
      - Msg.SetQuestion
      - Msg.SetUpdate
    versions:
      - fixed: 1.1.25-0.20191211073109-8ebf2e419df7
    packages:
      - package: github.com/miekg/dns
        symbols:
          - id
        derived_symbols:
          - Msg.SetAxfr
          - Msg.SetIxfr
          - Msg.SetNotify
          - Msg.SetQuestion
          - Msg.SetUpdate
 description: |
    DNS message transaction IDs are generated using math/rand which
    makes them relatively predictable. This reduces the complexity
--- a/data/reports/GO-2020-0009.yaml
+++ b/data/reports/GO-2020-0009.yaml
@ -1,16 +1,41 @@
-packages:
+modules:
  - module: github.com/square/go-jose
    package: github.com/square/go-jose/cipher
    symbols:
      - cbcAEAD.computeAuthTag
    versions:
      - fixed: 0.0.0-20160903044734-789a4c4bd4c1
  - module: github.com/square/go-jose
    versions:
      - fixed: 0.0.0-20160903044734-789a4c4bd4c1
-    symbols:
+    packages:
-      - JsonWebEncryption.Decrypt
+      - package: github.com/square/go-jose/cipher
-      - JsonWebEncryption.DecryptMulti
+        goarch:
          - "386"
          - arm
          - armbe
          - amd64p32
          - mips
          - mipsle
          - mips64p32
          - mips64p32le
          - ppc
          - riscv
          - s390
          - sparc
        symbols:
          - cbcAEAD.computeAuthTag
      - package: github.com/square/go-jose
        goarch:
          - "386"
          - arm
          - armbe
          - amd64p32
          - mips
          - mipsle
          - mips64p32
          - mips64p32le
          - ppc
          - riscv
          - s390
          - sparc
        symbols:
          - JsonWebEncryption.Decrypt
          - JsonWebEncryption.DecryptMulti
 description: |
    On 32-bit platforms an attacker can manipulate a ciphertext encrypted with AES-CBC
    with HMAC such that they can control how large the input buffer is when computing
@ -22,6 +47,10 @@ cves:
 ghsas:
  - GHSA-3fx4-7f69-5mmg
 credit: Quan Nguyen from Google's Information Security Engineering Team
 links:
    commit: https://github.com/square/go-jose/commit/789a4c4bd4c118f7564954f441b29c153ccd6a96
    context:
      - https://www.openwall.com/lists/oss-security/2016/11/03/1
 arch:
  - "386"
  - arm
@ -35,7 +64,3 @@ arch:
  - riscv
  - s390
  - sparc
 links:
    commit: https://github.com/square/go-jose/commit/789a4c4bd4c118f7564954f441b29c153ccd6a96
    context:
      - https://www.openwall.com/lists/oss-security/2016/11/03/1
--- a/data/reports/GO-2020-0010.yaml
+++ b/data/reports/GO-2020-0010.yaml
@ -1,17 +1,16 @@
-packages:
+modules:
  - module: github.com/square/go-jose
    package: github.com/square/go-jose/cipher
    symbols:
      - DeriveECDHES
      - ecDecrypterSigner.decryptKey
      - rawJsonWebKey.ecPublicKey
    versions:
      - fixed: 0.0.0-20160831185616-c7581939a365
  - module: github.com/square/go-jose
    versions:
      - fixed: 0.0.0-20160831185616-c7581939a365
-    symbols:
+    packages:
-      - JsonWebEncryption.Decrypt
+      - package: github.com/square/go-jose/cipher
        symbols:
          - DeriveECDHES
          - ecDecrypterSigner.decryptKey
          - rawJsonWebKey.ecPublicKey
      - package: github.com/square/go-jose
        symbols:
          - JsonWebEncryption.Decrypt
 description: |
    When using ECDH-ES an attacker can mount an invalid curve attack during
    decryption as the supplied public key is not checked to be on the same
--- a/data/reports/GO-2020-0011.yaml
+++ b/data/reports/GO-2020-0011.yaml
@ -1,10 +1,12 @@
-packages:
+modules:
  - module: github.com/square/go-jose
    symbols:
      - JsonWebEncryption.Decrypt
      - JsonWebSignature.Verify
    versions:
      - fixed: 0.0.0-20160922232413-2c5656adca99
    packages:
      - package: github.com/square/go-jose
        symbols:
          - JsonWebEncryption.Decrypt
          - JsonWebSignature.Verify
 description: |
    When decrypting JsonWebEncryption objects with multiple recipients
    or JsonWebSignature objects with multiple signatures the Decrypt
--- a/data/reports/GO-2020-0012.yaml
+++ b/data/reports/GO-2020-0012.yaml
@ -1,14 +1,15 @@
-packages:
+modules:
  - module: golang.org/x/crypto
    package: golang.org/x/crypto/ssh
    symbols:
      - parseED25519
      - ed25519PublicKey.Verify
      - parseSKEd25519
      - skEd25519PublicKey.Verify
      - NewPublicKey
    versions:
      - fixed: 0.0.0-20200220183623-bac4c82f6975
    packages:
      - package: golang.org/x/crypto/ssh
        symbols:
          - parseED25519
          - ed25519PublicKey.Verify
          - parseSKEd25519
          - skEd25519PublicKey.Verify
          - NewPublicKey
 description: |
    An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public
    key, such that the library will panic when trying to verify a signature
--- a/data/reports/GO-2020-0013.yaml
+++ b/data/reports/GO-2020-0013.yaml
@ -1,10 +1,11 @@
-packages:
+modules:
  - module: golang.org/x/crypto
    package: golang.org/x/crypto/ssh
    symbols:
      - NewClientConn
    versions:
      - fixed: 0.0.0-20170330155735-e4e2799dd7aa
    packages:
      - package: golang.org/x/crypto/ssh
        symbols:
          - NewClientConn
 description: |
    By default host key verification is disabled which allows for
    man-in-the-middle attacks against SSH clients if
--- a/data/reports/GO-2020-0014.yaml
+++ b/data/reports/GO-2020-0014.yaml
@ -1,11 +1,12 @@
-packages:
+modules:
  - module: golang.org/x/net
    package: golang.org/x/net/html
    symbols:
      - inSelectIM
      - inSelectInTableIM
    versions:
      - fixed: 0.0.0-20190125091013-d26f9f9a57f3
    packages:
      - package: golang.org/x/net/html
        symbols:
          - inSelectIM
          - inSelectInTableIM
 description: |
    html.Parse does not properly handle "select" tags, which can lead
    to an infinite loop. If parsing user supplied input, this may be used
--- a/data/reports/GO-2020-0015.yaml
+++ b/data/reports/GO-2020-0015.yaml
@ -1,18 +1,16 @@
-packages:
+modules:
  - module: golang.org/x/text
    package: golang.org/x/text/encoding/unicode
    symbols:
      - utf16Decoder.Transform
    derived_symbols:
      - bomOverride.Transform
    versions:
      - fixed: 0.3.3
  - module: golang.org/x/text
    package: golang.org/x/text/transform
    symbols:
      - Transform
    versions:
      - fixed: 0.3.3
    packages:
      - package: golang.org/x/text/encoding/unicode
        symbols:
          - utf16Decoder.Transform
        derived_symbols:
          - bomOverride.Transform
      - package: golang.org/x/text/transform
        symbols:
          - Transform
 description: |
    An attacker could provide a single byte to a UTF16 decoder instantiated with
    UseBOM or ExpectBOM to trigger an infinite loop if the String function on
--- a/data/reports/GO-2020-0016.yaml
+++ b/data/reports/GO-2020-0016.yaml
@ -1,13 +1,15 @@
-packages:
+modules:
  - module: github.com/ulikunitz/xz
    symbols:
      - readUvarint
    derived_symbols:
      - Reader.Read
      - blockHeader.UnmarshalBinary
      - streamReader.Read
    versions:
      - fixed: 0.5.8
    packages:
      - package: github.com/ulikunitz/xz
        symbols:
          - readUvarint
        derived_symbols:
          - Reader.Read
          - blockHeader.UnmarshalBinary
          - streamReader.Read
 description: |
    An attacker can construct a series of bytes such that calling
    Reader.Read on the bytes could cause an infinite loop. If
--- a/data/reports/GO-2020-0017.yaml
+++ b/data/reports/GO-2020-0017.yaml
@ -1,14 +1,18 @@
-packages:
+modules:
  - module: github.com/dgrijalva/jwt-go
    symbols:
      - MapClaims.VerifyAudience
    versions:
      - introduced: 0.0.0-20150717181359-44718f8a89b0
    packages:
      - package: github.com/dgrijalva/jwt-go
        symbols:
          - MapClaims.VerifyAudience
  - module: github.com/dgrijalva/jwt-go/v4
    symbols:
      - MapClaims.VerifyAudience
    versions:
      - fixed: 4.0.0-preview1
    packages:
      - package: github.com/dgrijalva/jwt-go/v4
        symbols:
          - MapClaims.VerifyAudience
 description: |
    If a JWT contains an audience claim with an array of strings, rather
    than a single string, and MapClaims.VerifyAudience is called with
--- a/data/reports/GO-2020-0018.yaml
+++ b/data/reports/GO-2020-0018.yaml
@ -1,17 +1,19 @@
-packages:
+modules:
  - module: github.com/satori/go.uuid
    symbols:
      - NewV1
      - NewV4
      - rfc4122Generator.getClockSequence
      - rfc4122Generator.getHardwareAddr
    derived_symbols:
      - NewV2
      - rfc4122Generator.NewV1
      - rfc4122Generator.NewV2
    versions:
      - fixed: 1.2.1-0.20181016170032-d91630c85102
    vulnerable_at: 1.2.1-0.20180103161547-0ef6afb2f6cd
    packages:
      - package: github.com/satori/go.uuid
        symbols:
          - NewV1
          - NewV4
          - rfc4122Generator.getClockSequence
          - rfc4122Generator.getHardwareAddr
        derived_symbols:
          - NewV2
          - rfc4122Generator.NewV1
          - rfc4122Generator.NewV2
 description: |
    UUIDs generated using NewV1 and NewV4 may not read the expected
    number of random bytes. These UUIDs may contain a significantly smaller
--- a/data/reports/GO-2020-0019.yaml
+++ b/data/reports/GO-2020-0019.yaml
@ -1,31 +1,33 @@
-packages:
+modules:
  - module: github.com/gorilla/websocket
    symbols:
      - Conn.advanceFrame
      - messageReader.Read
    derived_symbols:
      - Conn.Close
      - Conn.NextReader
      - Conn.ReadJSON
      - Conn.ReadMessage
      - Conn.WriteJSON
      - Conn.WritePreparedMessage
      - Dialer.Dial
      - Dialer.DialContext
      - NewClient
      - NewPreparedMessage
      - ReadJSON
      - Subprotocols
      - Upgrade
      - Upgrader.Upgrade
      - WriteJSON
      - httpProxyDialer.Dial
      - netDialerFunc.Dial
      - proxy_direct.Dial
      - proxy_envOnce.Get
      - proxy_socks5.Dial
    versions:
      - fixed: 1.4.1
    packages:
      - package: github.com/gorilla/websocket
        symbols:
          - Conn.advanceFrame
          - messageReader.Read
        derived_symbols:
          - Conn.Close
          - Conn.NextReader
          - Conn.ReadJSON
          - Conn.ReadMessage
          - Conn.WriteJSON
          - Conn.WritePreparedMessage
          - Dialer.Dial
          - Dialer.DialContext
          - NewClient
          - NewPreparedMessage
          - ReadJSON
          - Subprotocols
          - Upgrade
          - Upgrader.Upgrade
          - WriteJSON
          - httpProxyDialer.Dial
          - netDialerFunc.Dial
          - proxy_direct.Dial
          - proxy_envOnce.Get
          - proxy_socks5.Dial
 description: |
    An attacker can craft malicious WebSocket frames that cause an integer
    overflow in a variable which tracks the number of bytes remaining. This
--- a/data/reports/GO-2020-0020.yaml
+++ b/data/reports/GO-2020-0020.yaml
@ -1,18 +1,20 @@
-packages:
+modules:
  - module: github.com/gorilla/handlers
    symbols:
      - cors.ServeHTTP
    versions:
      - fixed: 1.3.0
    packages:
      - package: github.com/gorilla/handlers
        symbols:
          - cors.ServeHTTP
 description: |
    Usage of the CORS handler may apply improper CORS headers, allowing
    the requester to explicitly control the value of the Access-Control-Allow-Origin
    header, which bypasses the expected behavior of the Same Origin Policy.
 published: 2021-04-14T20:04:52Z
 credit: Evan J Johnson
 cve_metadata:
    id: CVE-2017-20146
    cwe: "CWE 284: Improper Access Control"
 links:
    pr: https://github.com/gorilla/handlers/pull/116
    commit: https://github.com/gorilla/handlers/commit/90663712d74cb411cbef281bc1e08c19d1a76145
 cve_metadata:
    id: CVE-2017-20146
    cwe: 'CWE 284: Improper Access Control'
--- a/data/reports/GO-2020-0021.yaml
+++ b/data/reports/GO-2020-0021.yaml
@ -1,11 +1,13 @@
-packages:
+modules:
  - module: github.com/gogits/gogs
    symbols:
      - GetIssues
      - SearchRepositoryByName
      - SearchUserByName
    versions:
      - fixed: 0.5.8
    packages:
      - package: github.com/gogits/gogs
        symbols:
          - GetIssues
          - SearchRepositoryByName
          - SearchUserByName
 description: |
    Due to improper santization of user input, a number of methods are
    vulnerable to SQL injection if used with user input that has not
--- a/data/reports/GO-2020-0022.yaml
+++ b/data/reports/GO-2020-0022.yaml
@ -1,19 +1,21 @@
-packages:
+modules:
  - module: github.com/cloudflare/golz4
    symbols:
      - Uncompress
    versions:
      - fixed: 0.0.0-20140711154735-199f5f787806
    packages:
      - package: github.com/cloudflare/golz4
        symbols:
          - Uncompress
 description: |
    LZ4 bindings use a deprecated C API that is vulnerable to
    memory corruption, which could lead to arbitrary code execution
    if called with untrusted user input.
 published: 2021-04-14T20:04:52Z
 credit: Yann Collet
 cve_metadata:
    id: CVE-2014-125026
    cwe: "CWE 94: Improper Control of Generation of Code ('Code Injection')"
 links:
    commit: https://github.com/cloudflare/golz4/commit/199f5f7878062ca17a98e079f2dbe1205e2ed898
    context:
      - https://github.com/cloudflare/golz4/issues/5
 cve_metadata:
    id: CVE-2014-125026
    cwe: 'CWE 94: Improper Control of Generation of Code (''Code Injection'')'
--- a/data/reports/GO-2020-0023.yaml
+++ b/data/reports/GO-2020-0023.yaml
@ -1,19 +1,21 @@
-packages:
+modules:
  - module: github.com/robbert229/jwt
    symbols:
      - Algorithm.validateSignature
    versions:
      - fixed: 0.0.0-20170426191122-ca1404ee6e83
    packages:
      - package: github.com/robbert229/jwt
        symbols:
          - Algorithm.validateSignature
 description: |
    Token validation methods are susceptible to a timing side-channel
    during HMAC comparison. With a large enough number of requests
    over a low latency connection, an attacker may use this to determine
    the expected HMAC.
 published: 2021-04-14T20:04:52Z
 cve_metadata:
    id: CVE-2015-10004
    cwe: "CWE 208: Information Exposure Through Timing Discrepancy"
 links:
    commit: https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654
    context:
      - https://github.com/robbert229/jwt/issues/12
 cve_metadata:
    id: CVE-2015-10004
    cwe: 'CWE 208: Information Exposure Through Timing Discrepancy'
--- a/data/reports/GO-2020-0024.yaml
+++ b/data/reports/GO-2020-0024.yaml
@ -1,25 +1,27 @@
-packages:
+modules:
  - module: github.com/btcsuite/go-socks
    package: github.com/btcsuite/go-socks/socks
    symbols:
      - proxiedConn.LocalAddr
      - proxiedConn.RemoteAddr
    versions:
      - fixed: 0.0.0-20130808000456-233bccbb1abe
    packages:
      - package: github.com/btcsuite/go-socks/socks
        symbols:
          - proxiedConn.LocalAddr
          - proxiedConn.RemoteAddr
  - module: github.com/btcsuitereleases/go-socks
    package: github.com/btcsuitereleases/go-socks/socks
    symbols:
      - proxiedConn.LocalAddr
      - proxiedConn.RemoteAddr
    versions:
      - fixed: 0.0.0-20130808000456-233bccbb1abe
    packages:
      - package: github.com/btcsuitereleases/go-socks/socks
        symbols:
          - proxiedConn.LocalAddr
          - proxiedConn.RemoteAddr
 description: |
    The RemoteAddr and LocalAddr methods on the returned net.Conn may
    call themselves, leading to an infinite loop which will crash the
    program due to a stack overflow.
 published: 2021-04-14T20:04:52Z
 cve_metadata:
    id: CVE-2013-10005
    cwe: "CWE 400: Uncontrolled Resource Consumption"
 links:
    commit: https://github.com/btcsuite/go-socks/commit/233bccbb1abe02f05750f7ace66f5bffdb13defc
 cve_metadata:
    id: CVE-2013-10005
    cwe: 'CWE 400: Uncontrolled Resource Consumption'
--- a/data/reports/GO-2020-0025.yaml
+++ b/data/reports/GO-2020-0025.yaml
@ -1,25 +1,29 @@
-packages:
+modules:
  - module: github.com/cloudfoundry/archiver
    symbols:
      - tgzExtractor.Extract
      - zipExtractor.Extract
    versions:
      - fixed: 0.0.0-20180523222229-09b5706aa936
    packages:
      - package: github.com/cloudfoundry/archiver
        symbols:
          - tgzExtractor.Extract
          - zipExtractor.Extract
  - module: code.cloudfoundry.org/archiver
    symbols:
      - tgzExtractor.Extract
      - zipExtractor.Extract
    versions:
      - fixed: 0.0.0-20180523222229-09b5706aa936
    packages:
      - package: code.cloudfoundry.org/archiver
        symbols:
          - tgzExtractor.Extract
          - zipExtractor.Extract
 description: |
    Due to improper path santization, archives containing relative file
    paths can cause files to be written (or overwritten) outside of the
    target directory.
 published: 2021-04-14T20:04:52Z
 cve_metadata:
    id: CVE-2018-25046
    cwe: 'CWE 29: Path Traversal: "\..\filename"'
 links:
    commit: https://github.com/cloudfoundry/archiver/commit/09b5706aa9367972c09144a450bb4523049ee840
    context:
      - https://snyk.io/research/zip-slip-vulnerability
 cve_metadata:
    id: CVE-2018-25046
    cwe: 'CWE 29: Path Traversal: "\..\filename"'
--- a/data/reports/GO-2020-0026.yaml
+++ b/data/reports/GO-2020-0026.yaml
@ -1,15 +1,16 @@
-packages:
+modules:
  - module: github.com/openshift/source-to-image
    package: github.com/openshift/source-to-image/pkg/tar
    symbols:
      - stiTar.ExtractTarStreamFromTarReader
      - stiTar.extractLink
      - New
    derived_symbols:
      - stiTar.ExtractTarStream
      - stiTar.ExtractTarStreamWithLogging
    versions:
      - fixed: 1.1.10-0.20180427153919-f5cbcbc5cc6f
    packages:
      - package: github.com/openshift/source-to-image/pkg/tar
        symbols:
          - stiTar.ExtractTarStreamFromTarReader
          - stiTar.extractLink
          - New
        derived_symbols:
          - stiTar.ExtractTarStream
          - stiTar.ExtractTarStreamWithLogging
 description: |
    Due to improper path santization, archives containing relative file
    paths can cause files to be written (or overwritten) outside of the
--- a/data/reports/GO-2020-0027.yaml
+++ b/data/reports/GO-2020-0027.yaml
@ -1,18 +1,16 @@
-packages:
+modules:
  - module: github.com/google/fscrypt
    package: github.com/google/fscrypt/pam
    symbols:
      - NewHandle
      - SetProcessPrivileges
      - Handle.StopAsPamUser
    versions:
      - fixed: 0.2.4
  - module: github.com/google/fscrypt
    package: github.com/google/fscrypt/security
    symbols:
      - UserKeyringID
    versions:
      - fixed: 0.2.4
    packages:
      - package: github.com/google/fscrypt/pam
        symbols:
          - NewHandle
          - SetProcessPrivileges
          - Handle.StopAsPamUser
      - package: github.com/google/fscrypt/security
        symbols:
          - UserKeyringID
 description: |
    After dropping and then elevating process privileges euid, guid, and groups
    are not properly restored to their original values, allowing an unprivileged
--- a/data/reports/GO-2020-0028.yaml
+++ b/data/reports/GO-2020-0028.yaml
@ -1,12 +1,14 @@
-packages:
+modules:
  - module: github.com/miekg/dns
    symbols:
      - setTA
    derived_symbols:
      - ParseZone
      - ReadRR
    versions:
      - fixed: 1.0.10
    packages:
      - package: github.com/miekg/dns
        symbols:
          - setTA
        derived_symbols:
          - ParseZone
          - ReadRR
 description: |
    Due to a nil pointer dereference, parsing a malformed zone file
    containing TA records may cause a panic. If parsing user supplied
--- a/data/reports/GO-2020-0029.yaml
+++ b/data/reports/GO-2020-0029.yaml
@ -1,17 +1,19 @@
-packages:
+modules:
  - module: github.com/gin-gonic/gin
    symbols:
      - Context.ClientIP
    versions:
      - fixed: 0.0.0-20141229113116-0099840c98ae
    packages:
      - package: github.com/gin-gonic/gin
        symbols:
          - Context.ClientIP
 description: |
    Due to improper HTTP header santization, a malicious user can spoof their
    source IP address by setting the X-Forwarded-For header. This may allow
    a user to bypass IP based restrictions, or obfuscate their true source.
 published: 2021-04-14T20:04:52Z
 credit: '@nl5887'
 cves:
  - CVE-2020-28483
 credit: '@nl5887'
 links:
    pr: https://github.com/gin-gonic/gin/pull/182
    commit: https://github.com/gin-gonic/gin/commit/0099840c98ae1473c5ff0f18bc93a8e13ceed829
--- a/data/reports/GO-2020-0031.yaml
+++ b/data/reports/GO-2020-0031.yaml
@ -1,7 +1,9 @@
-packages:
+modules:
  - module: github.com/proglottis/gpgme
    versions:
      - fixed: 0.1.1
    packages:
      - package: github.com/proglottis/gpgme
 description: |
    Due to improper setting of finalizers, memory passed to C may be freed before it is used,
    leading to crashes due to memory corruption or possible code execution.
--- a/data/reports/GO-2020-0032.yaml
+++ b/data/reports/GO-2020-0032.yaml
@ -1,19 +1,25 @@
-packages:
+modules:
  - module: github.com/goadesign/goa
    symbols:
      - Controller.FileHandler
    versions:
      - fixed: 1.4.3
    packages:
      - package: github.com/goadesign/goa
        symbols:
          - Controller.FileHandler
  - module: goa.design/goa
    symbols:
      - Controller.FileHandler
    versions:
      - fixed: 1.4.3
    packages:
      - package: goa.design/goa
        symbols:
          - Controller.FileHandler
  - module: goa.design/goa/v3
    symbols:
      - Controller.FileHandler
    versions:
      - fixed: 3.0.9
    packages:
      - package: goa.design/goa/v3
        symbols:
          - Controller.FileHandler
 description: |
    Due to improper santization of user input, Controller.FileHandler allows
    for directory traversal, allowing an attacker to read files outside of
@ -25,7 +31,8 @@ links:
    commit: https://github.com/goadesign/goa/commit/70b5a199d0f813d74423993832c424e1fc73fb39
 cve_metadata:
    id: CVE-2019-25073
-    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory('Path Traversal')"
+    cwe: 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory(''Path
        Traversal'')'
    description: |
        Improper path santiziation in github.com/goadesign/goa before v3.0.9, v2.0.10, or
        v1.4.3 allow remote attackers to read files outside of the intended directory.
--- a/data/reports/GO-2020-0033.yaml
+++ b/data/reports/GO-2020-0033.yaml
@ -1,24 +1,26 @@
-packages:
+modules:
  - module: aahframe.work
    symbols:
      - HTTPEngine.Handle
    derived_symbols:
      - Application.Run
      - Application.ServeHTTP
      - Application.Start
    versions:
      - fixed: 0.12.4
    packages:
      - package: aahframe.work
        symbols:
          - HTTPEngine.Handle
        derived_symbols:
          - Application.Run
          - Application.ServeHTTP
          - Application.Start
 description: |
    Due to improper santization of user input, HTTPEngine.Handle allows
    for directory traversal, allowing an attacker to read files outside of
    the target directory that the server has permission to read.
 published: 2021-04-14T20:04:52Z
 credit: '@snyff'
 cve_metadata:
    id: CVE-2020-36559
    cwe: "CWE 23: Relative Path Traversal"
 links:
    pr: https://github.com/go-aah/aah/pull/267
    commit: https://github.com/go-aah/aah/commit/881dc9f71d1f7a4e8a9a39df9c5c081d3a2da1ec
    context:
      - https://github.com/go-aah/aah/issues/266
 cve_metadata:
    id: CVE-2020-36559
    cwe: 'CWE 23: Relative Path Traversal'
--- a/data/reports/GO-2020-0034.yaml
+++ b/data/reports/GO-2020-0034.yaml
@ -1,19 +1,21 @@
-packages:
+modules:
  - module: github.com/artdarek/go-unzip
    symbols:
      - Unzip.Extract
    versions:
      - fixed: 1.0.0
    packages:
      - package: github.com/artdarek/go-unzip
        symbols:
          - Unzip.Extract
 description: |
    Due to improper path santization, archives containing relative file
    paths can cause files to be written (or overwritten) outside of the
    target directory.
 published: 2021-04-14T20:04:52Z
 cve_metadata:
    id: CVE-2020-36560
    cwe: 'CWE 29: Path Traversal: "\..\filename"'
 links:
    pr: https://github.com/artdarek/go-unzip/pull/2
    commit: https://github.com/artdarek/go-unzip/commit/4975cbe0a719dc50b12da8585f1f207c82f7dfe0
    context:
      - https://snyk.io/research/zip-slip-vulnerability
 cve_metadata:
    id: CVE-2020-36560
    cwe: 'CWE 29: Path Traversal: "\..\filename"'
--- a/data/reports/GO-2020-0035.yaml
+++ b/data/reports/GO-2020-0035.yaml
@ -1,19 +1,21 @@
-packages:
+modules:
  - module: github.com/yi-ge/unzip
    symbols:
      - Unzip.Extract
    versions:
      - fixed: 1.0.3-0.20200308084313-2adbaa4891b9
    packages:
      - package: github.com/yi-ge/unzip
        symbols:
          - Unzip.Extract
 description: |
    Due to improper path santization, archives containing relative file
    paths can cause files to be written (or overwritten) outside of the
    target directory.
 published: 2021-04-14T20:04:52Z
 cve_metadata:
    id: CVE-2020-36561
    cwe: 'CWE 29: Path Traversal: "\..\filename"'
 links:
    pr: https://github.com/yi-ge/unzip/pull/1
    commit: https://github.com/yi-ge/unzip/commit/2adbaa4891b9690853ef10216189189f5ad7dc73
    context:
      - https://snyk.io/research/zip-slip-vulnerability
 cve_metadata:
    id: CVE-2020-36561
    cwe: 'CWE 29: Path Traversal: "\..\filename"'
--- a/data/reports/GO-2020-0036.yaml
+++ b/data/reports/GO-2020-0036.yaml
@ -1,20 +1,24 @@
-packages:
+modules:
  - module: gopkg.in/yaml.v2
    symbols:
      - yaml_parser_fetch_more_tokens
    derived_symbols:
      - Decoder.Decode
      - Unmarshal
      - UnmarshalStrict
    versions:
      - fixed: 2.2.8
    packages:
      - package: gopkg.in/yaml.v2
        symbols:
          - yaml_parser_fetch_more_tokens
        derived_symbols:
          - Decoder.Decode
          - Unmarshal
          - UnmarshalStrict
  - module: github.com/go-yaml/yaml
-    symbols:
+    packages:
-      - yaml_parser_fetch_more_tokens
+      - package: github.com/go-yaml/yaml
-    derived_symbols:
+        symbols:
-      - Decoder.Decode
+          - yaml_parser_fetch_more_tokens
-      - Unmarshal
+        derived_symbols:
-      - UnmarshalStrict
+          - Decoder.Decode
          - Unmarshal
          - UnmarshalStrict
 description: |
    Due to unbounded aliasing, a crafted YAML file can cause consumption
    of significant system resources. If parsing user supplied input, this
--- a/data/reports/GO-2020-0037.yaml
+++ b/data/reports/GO-2020-0037.yaml
@ -1,10 +1,11 @@
-packages:
+modules:
  - module: github.com/tendermint/tendermint
    package: github.com/tendermint/tendermint/rpc/client
    symbols:
      - makeHTTPClient
    versions:
      - fixed: 0.31.1
    packages:
      - package: github.com/tendermint/tendermint/rpc/client
        symbols:
          - makeHTTPClient
 description: |
    Due to support of Gzip compression in request bodies, as well
    as a lack of limiting response body sizes, a malicious server
@ -12,9 +13,9 @@ description: |
    resources, which may be used as a denial of service vector.
 published: 2021-04-14T20:04:52Z
 credit: '@guagualvcha'
 cve_metadata:
    id: CVE-2019-25072
    cwe: "CWE-400: Uncontrolled Resource Consumption"
 links:
    pr: https://github.com/tendermint/tendermint/pull/3430
    commit: https://github.com/tendermint/tendermint/commit/03085c2da23b179c4a51f59a03cb40aa4e85a613
 cve_metadata:
    id: CVE-2019-25072
    cwe: 'CWE-400: Uncontrolled Resource Consumption'
--- a/data/reports/GO-2020-0038.yaml
+++ b/data/reports/GO-2020-0038.yaml
@ -1,15 +1,17 @@
-packages:
+modules:
  - module: github.com/pion/dtls
    symbols:
      - Conn.handleIncomingPacket
    derived_symbols:
      - Client
      - Dial
      - Listener.Accept
      - Resume
      - Server
    versions:
      - fixed: 1.5.2
    packages:
      - package: github.com/pion/dtls
        symbols:
          - Conn.handleIncomingPacket
        derived_symbols:
          - Client
          - Dial
          - Listener.Accept
          - Resume
          - Server
 description: |
    Due to improper verification of packets, unencrypted packets containing
    application data are accepted after the initial handshake. This allows
--- a/data/reports/GO-2020-0039.yaml
+++ b/data/reports/GO-2020-0039.yaml
@ -1,15 +1,17 @@
-packages:
+modules:
  - module: gopkg.in/macaron.v1
    symbols:
      - staticHandler
    derived_symbols:
      - Context.Next
      - LoggerInvoker.Invoke
      - Macaron.Run
      - Macaron.ServeHTTP
      - Router.ServeHTTP
    versions:
      - fixed: 1.3.7
    packages:
      - package: gopkg.in/macaron.v1
        symbols:
          - staticHandler
        derived_symbols:
          - Context.Next
          - LoggerInvoker.Invoke
          - Macaron.Run
          - Macaron.ServeHTTP
          - Router.ServeHTTP
 description: |
    Due to improper request santization, a specifically crafted URL
    can cause the static file handler to redirect to an attacker chosen
--- a/data/reports/GO-2020-0040.yaml
+++ b/data/reports/GO-2020-0040.yaml
@ -1,13 +1,15 @@
-packages:
+modules:
  - module: github.com/shiyanhui/dht
    packages:
      - package: github.com/shiyanhui/dht
 description: |
    Due to unchecked type assertions, maliciously crafted messages can
    cause panics, which may be used as a denial of service vector.
 published: 2021-04-14T20:04:52Z
 credit: '@hMihaiDavid'
 cve_metadata:
    id: CVE-2020-36562
    cwe: "CWE-400: Uncontrolled Resource Consumption"
 links:
    context:
      - https://github.com/shiyanhui/dht/issues/57
 cve_metadata:
    id: CVE-2020-36562
    cwe: 'CWE-400: Uncontrolled Resource Consumption'
--- a/data/reports/GO-2020-0041.yaml
+++ b/data/reports/GO-2020-0041.yaml
@ -1,36 +1,34 @@
-packages:
+modules:
  - module: github.com/unknwon/cae
    package: github.com/unknwon/cae/tz
    symbols:
      - TzArchive.syncFiles
      - TzArchive.ExtractToFunc
    derived_symbols:
      - Create
      - ExtractTo
      - Open
      - OpenFile
      - TzArchive.Close
      - TzArchive.ExtractTo
      - TzArchive.Flush
      - TzArchive.Open
    versions:
      - fixed: 1.0.1
  - module: github.com/unknwon/cae
    package: github.com/unknwon/cae/zip
    symbols:
      - ZipArchive.Open
      - ZipArchive.ExtractToFunc
    derived_symbols:
      - Create
      - ExtractTo
      - ExtractToFunc
      - Open
      - OpenFile
      - ZipArchive.Close
      - ZipArchive.ExtractTo
      - ZipArchive.Flush
    versions:
      - fixed: 1.0.1
    packages:
      - package: github.com/unknwon/cae/tz
        symbols:
          - TzArchive.syncFiles
          - TzArchive.ExtractToFunc
        derived_symbols:
          - Create
          - ExtractTo
          - Open
          - OpenFile
          - TzArchive.Close
          - TzArchive.ExtractTo
          - TzArchive.Flush
          - TzArchive.Open
      - package: github.com/unknwon/cae/zip
        symbols:
          - ZipArchive.Open
          - ZipArchive.ExtractToFunc
        derived_symbols:
          - Create
          - ExtractTo
          - ExtractToFunc
          - Open
          - OpenFile
          - ZipArchive.Close
          - ZipArchive.ExtractTo
          - ZipArchive.Flush
 description: |
    Due to improper path santization, archives containing relative file
    paths can cause files to be written (or overwritten) outside of the
--- a/data/reports/GO-2020-0042.yaml
+++ b/data/reports/GO-2020-0042.yaml
@ -1,10 +1,11 @@
-packages:
+modules:
  - module: github.com/sassoftware/go-rpmutils
    package: github.com/sassoftware/go-rpmutils/cpio
    symbols:
      - Extract
    versions:
      - fixed: 0.1.0
    packages:
      - package: github.com/sassoftware/go-rpmutils/cpio
        symbols:
          - Extract
 description: |
    Due to improper path santization, RPMs containing relative file
    paths can cause files to be written (or overwritten) outside of the
--- a/data/reports/GO-2020-0043.yaml
+++ b/data/reports/GO-2020-0043.yaml
@ -1,12 +1,13 @@
-packages:
+modules:
  - module: github.com/mholt/caddy
    package: github.com/mholt/caddy/caddyhttp/httpserver
    symbols:
      - httpContext.MakeServers
      - Server.serveHTTP
      - assertConfigsCompatible
    versions:
      - fixed: 0.10.13
    packages:
      - package: github.com/mholt/caddy/caddyhttp/httpserver
        symbols:
          - httpContext.MakeServers
          - Server.serveHTTP
          - assertConfigsCompatible
 description: |
    Due to improper TLS verification when serving traffic for multiple
    SNIs, an attacker may bypass TLS client authentication by indicating
--- a/data/reports/GO-2020-0045.yaml
+++ b/data/reports/GO-2020-0045.yaml
@ -1,23 +1,25 @@
-packages:
+modules:
  - module: github.com/dinever/golf
    symbols:
      - randomBytes
    derived_symbols:
      - Context.Render
      - Context.RenderFromString
    versions:
      - fixed: 0.3.0
    packages:
      - package: github.com/dinever/golf
        symbols:
          - randomBytes
        derived_symbols:
          - Context.Render
          - Context.RenderFromString
 description: |
    CSRF tokens are generated using math/rand, which is not a cryptographically secure
    rander number generation, making predicting their values relatively trivial and
    allowing an attacker to bypass CSRF protections which relatively few requests.
 published: 2021-04-14T20:04:52Z
 credit: '@elithrar'
 cve_metadata:
    id: CVE-2016-15005
    cwe: "CWE 338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"
 links:
    pr: https://github.com/dinever/golf/pull/24
    commit: https://github.com/dinever/golf/commit/3776f338be48b5bc5e8cf9faff7851fc52a3f1fe
    context:
      - https://github.com/dinever/golf/issues/20
 cve_metadata:
    id: CVE-2016-15005
    cwe: 'CWE 338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)'
--- a/data/reports/GO-2020-0046.yaml
+++ b/data/reports/GO-2020-0046.yaml
@ -1,17 +1,21 @@
-packages:
+modules:
  - module: github.com/russellhaering/goxmldsig
    symbols:
      - ValidationContext.validateSignature
    versions:
      - fixed: 1.1.0
    packages:
      - package: github.com/russellhaering/goxmldsig
        symbols:
          - ValidationContext.validateSignature
  - module: github.com/russellhaering/gosaml2
    symbols:
      - SAMLServiceProvider.validateAssertionSignatures
    derived_symbols:
      - SAMLServiceProvider.RetrieveAssertionInfo
      - SAMLServiceProvider.ValidateEncodedResponse
    versions:
      - fixed: 0.6.0
    packages:
      - package: github.com/russellhaering/gosaml2
        symbols:
          - SAMLServiceProvider.validateAssertionSignatures
        derived_symbols:
          - SAMLServiceProvider.RetrieveAssertionInfo
          - SAMLServiceProvider.ValidateEncodedResponse
 description: |
    Due to a nil pointer dereference, a malformed XML Digital Signature
    can cause a panic during validation. If user supplied signatures are
--- a/data/reports/GO-2020-0047.yaml
+++ b/data/reports/GO-2020-0047.yaml
@ -1,17 +1,19 @@
-packages:
+modules:
  - module: github.com/RobotsAndPencils/go-saml
-    symbols:
+    packages:
-      - AuthnRequest.Validate
+      - package: github.com/RobotsAndPencils/go-saml
-      - NewAuthnRequest
+        symbols:
-      - NewSignedResponse
+          - AuthnRequest.Validate
          - NewAuthnRequest
          - NewSignedResponse
 description: |
    XML Digital Signatures generated and validated using this package use
    SHA-1, which may allow an attacker to craft inputs which cause hash
    collisions depending on their control over the input.
 published: 2021-04-14T20:04:52Z
 cve_metadata:
    id: CVE-2020-36563
    cwe: "CWE 328: Use of Weak Hash"
 links:
    context:
      - https://github.com/RobotsAndPencils/go-saml/pull/38
 cve_metadata:
    id: CVE-2020-36563
    cwe: 'CWE 328: Use of Weak Hash'
--- a/data/reports/GO-2020-0048.yaml
+++ b/data/reports/GO-2020-0048.yaml
@ -1,9 +1,11 @@
-packages:
+modules:
  - module: github.com/antchfx/xmlquery
    symbols:
      - LoadURL
    versions:
      - fixed: 1.3.1
    packages:
      - package: github.com/antchfx/xmlquery
        symbols:
          - LoadURL
 description: |
    LoadURL does not check the Content-Type of loaded resources,
    which can cause a panic due to nil pointer deference if the loaded
--- a/data/reports/GO-2020-0049.yaml
+++ b/data/reports/GO-2020-0049.yaml
@ -1,21 +1,23 @@
-packages:
+modules:
  - module: github.com/justinas/nosurf
    symbols:
      - VerifyToken
      - verifyToken
    derived_symbols:
      - CSRFHandler.ServeHTTP
    versions:
      - fixed: 1.1.1
    packages:
      - package: github.com/justinas/nosurf
        symbols:
          - VerifyToken
          - verifyToken
        derived_symbols:
          - CSRFHandler.ServeHTTP
 description: |
    Due to improper validation of caller input, validation is silently disabled
    if the provided expected token is malformed, causing any user supplied token
    to be considered valid.
 published: 2021-04-14T20:04:52Z
 credit: '@aeneasr'
 cve_metadata:
    id: CVE-2020-36564
    cwe: "CWE 345: Insufficient Verification of Data Authenticity"
 links:
    pr: https://github.com/justinas/nosurf/pull/60
    commit: https://github.com/justinas/nosurf/commit/4d86df7a4affa1fa50ab39fb09aac56c3ce9c314
 cve_metadata:
    id: CVE-2020-36564
    cwe: 'CWE 345: Insufficient Verification of Data Authenticity'
--- a/data/reports/GO-2020-0050.yaml
+++ b/data/reports/GO-2020-0050.yaml
@ -1,12 +1,14 @@
-packages:
+modules:
  - module: github.com/russellhaering/goxmldsig
    symbols:
      - ValidationContext.findSignature
    derived_symbols:
      - ValidationContext.Validate
    versions:
      - fixed: 1.1.0
    vulnerable_at: 0.0.0-20200902171629-2e1fbc2c5593
    packages:
      - package: github.com/russellhaering/goxmldsig
        symbols:
          - ValidationContext.findSignature
        derived_symbols:
          - ValidationContext.Validate
 description: |
    Due to the behavior of encoding/xml, a crafted XML document may cause
    XML Digital Signature validation to be entirely bypassed, causing an
--- a/data/reports/GO-2021-0051.yaml
+++ b/data/reports/GO-2021-0051.yaml
@ -1,20 +1,25 @@
-packages:
+modules:
  - module: github.com/labstack/echo/v4
    symbols:
      - common.static
    versions:
      - fixed: 4.1.18-0.20201215153152-4422e3b66b9f
    packages:
      - package: github.com/labstack/echo/v4
        goos:
          - windows
        symbols:
          - common.static
 description: |
    Due to improper sanitization of user input on Windows, the static file handler
    allows for directory traversal, allowing an attacker to read files outside of
    the target directory that the server has permission to read.
 published: 2021-04-14T20:04:52Z
 credit: '@little-cui (Apache ServiceComb)'
 cve_metadata:
    id: CVE-2020-36565
    cwe: "CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
 os:
  - windows
 links:
    pr: https://github.com/labstack/echo/pull/1718
    commit: https://github.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaa
 cve_metadata:
    id: CVE-2020-36565
    cwe: 'CWE 22: Improper Limitation of a Pathname to a Restricted Directory (''Path
        Traversal'')'
 os:
  - windows
--- a/data/reports/GO-2021-0052.yaml
+++ b/data/reports/GO-2021-0052.yaml
@ -1,9 +1,11 @@
-packages:
+modules:
  - module: github.com/gin-gonic/gin
    symbols:
      - Context.ClientIP
    versions:
      - fixed: 1.6.3-0.20210406033725-bfc8ca285eb4
    packages:
      - package: github.com/gin-gonic/gin
        symbols:
          - Context.ClientIP
 description: |
    Due to improper HTTP header santization, a malicious user can spoof their
    source IP address by setting the X-Forwarded-For header. This may allow
--- a/data/reports/GO-2021-0053.yaml
+++ b/data/reports/GO-2021-0053.yaml
@ -1,7 +1,9 @@
-packages:
+modules:
  - module: github.com/gogo/protobuf
    versions:
      - fixed: 1.3.2
    packages:
      - package: github.com/gogo/protobuf
 description: |
    Due to improper bounds checking, maliciously crafted input to generated
    Unmarshal methods can cause an out-of-bounds panic. If parsing messages
--- a/data/reports/GO-2021-0054.yaml
+++ b/data/reports/GO-2021-0054.yaml
@ -1,11 +1,13 @@
-packages:
+modules:
  - module: github.com/tidwall/gjson
    symbols:
      - unwrap
    derived_symbols:
      - Result.ForEach
    versions:
      - fixed: 1.6.6
    packages:
      - package: github.com/tidwall/gjson
        symbols:
          - unwrap
        derived_symbols:
          - Result.ForEach
 description: |
    Due to improper bounds checking, maliciously crafted JSON objects
    can cause an out-of-bounds panic. If parsing user input, this may
--- a/data/reports/GO-2021-0057.yaml
+++ b/data/reports/GO-2021-0057.yaml
@ -1,30 +1,32 @@
-packages:
+modules:
  - module: github.com/buger/jsonparser
    symbols:
      - searchKeys
    derived_symbols:
      - ArrayEach
      - Delete
      - EachKey
      - FuzzDelete
      - FuzzEachKey
      - FuzzGetBoolean
      - FuzzGetFloat
      - FuzzGetInt
      - FuzzGetString
      - FuzzGetUnsafeString
      - FuzzObjectEach
      - FuzzSet
      - Get
      - GetBoolean
      - GetFloat
      - GetInt
      - GetString
      - GetUnsafeString
      - ObjectEach
      - Set
    versions:
      - fixed: 1.1.1
    packages:
      - package: github.com/buger/jsonparser
        symbols:
          - searchKeys
        derived_symbols:
          - ArrayEach
          - Delete
          - EachKey
          - FuzzDelete
          - FuzzEachKey
          - FuzzGetBoolean
          - FuzzGetFloat
          - FuzzGetInt
          - FuzzGetString
          - FuzzGetUnsafeString
          - FuzzObjectEach
          - FuzzSet
          - Get
          - GetBoolean
          - GetFloat
          - GetInt
          - GetString
          - GetUnsafeString
          - ObjectEach
          - Set
 description: |
    Due to improper bounds checking, maliciously crafted JSON objects
    can cause an out-of-bounds panic. If parsing user input, this may
--- a/data/reports/GO-2021-0058.yaml
+++ b/data/reports/GO-2021-0058.yaml
@ -1,24 +1,20 @@
-packages:
+modules:
  - module: github.com/crewjam/saml
    symbols:
      - IdpAuthnRequest.Validate
      - ServiceProvider.ParseXMLResponse
      - ServiceProvider.ValidateLogoutResponseForm
      - ServiceProvider.ValidateLogoutResponseRedirect
    derived_symbols:
      - IdentityProvider.ServeSSO
      - ServiceProvider.ParseResponse
      - ServiceProvider.ValidateLogoutResponseRequest
    versions:
      - fixed: 0.4.3
  - module: github.com/crewjam/saml
    package: github.com/crewjam/saml/samlidp
    versions:
      - fixed: 0.4.3
  - module: github.com/crewjam/saml
    package: github.com/crewjam/saml/samlsp
    versions:
      - fixed: 0.4.3
    packages:
      - package: github.com/crewjam/saml
        symbols:
          - IdpAuthnRequest.Validate
          - ServiceProvider.ParseXMLResponse
          - ServiceProvider.ValidateLogoutResponseForm
          - ServiceProvider.ValidateLogoutResponseRedirect
        derived_symbols:
          - IdentityProvider.ServeSSO
          - ServiceProvider.ParseResponse
          - ServiceProvider.ValidateLogoutResponseRequest
      - package: github.com/crewjam/saml/samlidp
      - package: github.com/crewjam/saml/samlsp
 description: |
    Due to the behavior of encoding/xml, a crafted XML document may cause
    XML Digital Signature validation to be entirely bypassed, causing an
--- a/data/reports/GO-2021-0059.yaml
+++ b/data/reports/GO-2021-0059.yaml
@ -1,9 +1,11 @@
-packages:
+modules:
  - module: github.com/tidwall/gjson
    symbols:
      - sqaush
    versions:
      - fixed: 1.6.4
    packages:
      - package: github.com/tidwall/gjson
        symbols:
          - sqaush
 description: |
    Due to improper bounds checking, maliciously crafted JSON objects
    can cause an out-of-bounds panic. If parsing user input, this may
--- a/data/reports/GO-2021-0060.yaml
+++ b/data/reports/GO-2021-0060.yaml
@ -1,14 +1,16 @@
-packages:
+modules:
  - module: github.com/russellhaering/gosaml2
    symbols:
      - parseResponse
    derived_symbols:
      - SAMLServiceProvider.RetrieveAssertionInfo
      - SAMLServiceProvider.ValidateEncodedLogoutRequestPOST
      - SAMLServiceProvider.ValidateEncodedLogoutResponsePOST
      - SAMLServiceProvider.ValidateEncodedResponse
    versions:
      - fixed: 0.6.0
    packages:
      - package: github.com/russellhaering/gosaml2
        symbols:
          - parseResponse
        derived_symbols:
          - SAMLServiceProvider.RetrieveAssertionInfo
          - SAMLServiceProvider.ValidateEncodedLogoutRequestPOST
          - SAMLServiceProvider.ValidateEncodedLogoutResponsePOST
          - SAMLServiceProvider.ValidateEncodedResponse
 description: |
    Due to the behavior of encoding/xml, a crafted XML document may cause
    XML Digital Signature validation to be entirely bypassed, causing an
--- a/data/reports/GO-2021-0061.yaml
+++ b/data/reports/GO-2021-0061.yaml
@ -1,29 +1,33 @@
-packages:
+modules:
  - module: gopkg.in/yaml.v2
    symbols:
      - decoder.unmarshal
    derived_symbols:
      - Decoder.Decode
      - Unmarshal
      - UnmarshalStrict
    versions:
      - fixed: 2.2.3
    packages:
      - package: gopkg.in/yaml.v2
        symbols:
          - decoder.unmarshal
        derived_symbols:
          - Decoder.Decode
          - Unmarshal
          - UnmarshalStrict
  - module: github.com/go-yaml/yaml
-    symbols:
+    packages:
-      - decoder.unmarshal
+      - package: github.com/go-yaml/yaml
-    derived_symbols:
+        symbols:
-      - Decoder.Decode
+          - decoder.unmarshal
-      - Unmarshal
+        derived_symbols:
-      - UnmarshalStrict
+          - Decoder.Decode
          - Unmarshal
          - UnmarshalStrict
 description: |
    Due to unbounded alias chasing, a maliciously crafted YAML file
    can cause the system to consume significant system resources. If
    parsing user input, this may be used as a denial of service vector.
 cve_metadata:
    id: CVE-2021-4235
    cwe: "CWE 400: Uncontrolled Resource Consumption"
 published: 2021-04-14T20:04:52Z
 credit: '@simonferquel'
 links:
    pr: https://github.com/go-yaml/yaml/pull/375
    commit: https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241
 cve_metadata:
    id: CVE-2021-4235
    cwe: 'CWE 400: Uncontrolled Resource Consumption'
--- a/data/reports/GO-2021-0063.yaml
+++ b/data/reports/GO-2021-0063.yaml
@ -1,12 +1,13 @@
-packages:
+modules:
  - module: github.com/ethereum/go-ethereum
    package: github.com/ethereum/go-ethereum/les
    symbols:
      - serverHandler.handleMsg
    derived_symbols:
      - PrivateLightServerAPI.Benchmark
    versions:
      - fixed: 1.9.25
    packages:
      - package: github.com/ethereum/go-ethereum/les
        symbols:
          - serverHandler.handleMsg
        derived_symbols:
          - PrivateLightServerAPI.Benchmark
 description: |
    Due to a nil pointer dereference, a malicously crafted RPC message
    can cause a panic. If handling RPC messages from untrusted clients,
--- a/data/reports/GO-2021-0064.yaml
+++ b/data/reports/GO-2021-0064.yaml
@ -1,16 +1,18 @@
-packages:
+modules:
  - module: k8s.io/client-go
    package: k8s.io/client-go/transport
    symbols:
      - requestInfo.toCurl
    versions:
      - fixed: 0.20.0-alpha.2
    packages:
      - package: k8s.io/client-go/transport
        symbols:
          - requestInfo.toCurl
  - module: k8s.io/kubernetes
    package: k8s.io/kubernetes/staging/src/k8s.io/client-go/transport
    symbols:
      - requestInfo.toCurl
    versions:
      - fixed: 1.20.0-alpha.2
    packages:
      - package: k8s.io/kubernetes/staging/src/k8s.io/client-go/transport
        symbols:
          - requestInfo.toCurl
 description: |
    Authorization tokens may be inappropriately logged if the verbosity
    level is set to a debug level.
--- a/data/reports/GO-2021-0065.yaml
+++ b/data/reports/GO-2021-0065.yaml
@ -1,16 +1,18 @@
-packages:
+modules:
  - module: k8s.io/client-go
    package: k8s.io/client-go/transport
    symbols:
      - debuggingRoundTripper.RoundTrip
    versions:
      - fixed: 0.17.0
    packages:
      - package: k8s.io/client-go/transport
        symbols:
          - debuggingRoundTripper.RoundTrip
  - module: k8s.io/kubernetes
    package: k8s.io/kubernetes/staging/src/k8s.io/client-go/transport
    symbols:
      - debuggingRoundTripper.RoundTrip
    versions:
      - fixed: 1.16.0-beta.1
    packages:
      - package: k8s.io/kubernetes/staging/src/k8s.io/client-go/transport
        symbols:
          - debuggingRoundTripper.RoundTrip
 description: |
    Authorization tokens may be inappropriately logged if the verbosity
    level is set to a debug level.
--- a/data/reports/GO-2021-0066.yaml
+++ b/data/reports/GO-2021-0066.yaml
@ -1,11 +1,12 @@
-packages:
+modules:
  - module: k8s.io/kubernetes
    package: k8s.io/kubernetes/pkg/credentialprovider
    symbols:
      - readDockerConfigFileFromBytes
      - readDockerConfigJSONFileFromBytes
    versions:
      - fixed: 1.20.0-alpha.1
    packages:
      - package: k8s.io/kubernetes/pkg/credentialprovider
        symbols:
          - readDockerConfigFileFromBytes
          - readDockerConfigJSONFileFromBytes
 description: |
    Attempting to read a malformed .dockercfg may cause secrets to be
    inappropriately logged.
--- a/data/reports/GO-2021-0067.yaml
+++ b/data/reports/GO-2021-0067.yaml
@ -1,11 +1,12 @@
-packages:
+modules:
  - module: std
    package: archive/zip
    symbols:
      - toValidName
    versions:
      - introduced: 1.16.0
        fixed: 1.16.1
    packages:
      - package: archive/zip
        symbols:
          - toValidName
 description: |
    Using Reader.Open on an archive containing a file with a path
    prefixed by "../" will cause a panic due to a stack overflow.
--- a/data/reports/GO-2021-0068.yaml
+++ b/data/reports/GO-2021-0068.yaml
@ -1,11 +1,14 @@
 do_not_export: true
-packages:
+modules:
  - module: std
    package: cmd/go
    versions:
      - fixed: 1.14.14
      - introduced: 1.15.0
        fixed: 1.15.7
    packages:
      - package: cmd/go
        goos:
          - windows
 description: |
    The go command may execute arbitrary code at build time when using cgo on Windows.
    This can be triggered by running go get on a malicious module, or any other time
@ -14,8 +17,6 @@ published: 2021-04-14T20:04:52Z
 cves:
  - CVE-2021-3115
 credit: RyotaK
 os:
  - windows
 links:
    pr: https://go.dev/cl/284783
    commit: https://go.googlesource.com/go/+/953d1feca9b21af075ad5fc8a3dad096d3ccc3a0
@ -24,3 +25,5 @@ links:
      - https://groups.google.com/g/golang-announce/c/mperVMGa98w/m/yo5W5wnvAAAJ
      - https://go.dev/cl/284780
      - https://go.googlesource.com/go/+/46e2e2e9d99925bbf724b12693c6d3e27a95d6a0
 os:
  - windows
--- a/data/reports/GO-2021-0069.yaml
+++ b/data/reports/GO-2021-0069.yaml
@ -1,13 +1,14 @@
-packages:
+modules:
  - module: std
    package: math/big
    symbols:
      - nat.divRecursiveStep
    versions:
      - introduced: 1.14.0
        fixed: 1.14.12
      - introduced: 1.15.0
        fixed: 1.15.5
    packages:
      - package: math/big
        symbols:
          - nat.divRecursiveStep
 description: |
    A number of math/big.Int methods can panic when provided large inputs due
    to a flawed division method.
--- a/data/reports/GO-2021-0070.yaml
+++ b/data/reports/GO-2021-0070.yaml
@ -1,12 +1,13 @@
-packages:
+modules:
  - module: github.com/opencontainers/runc
    package: github.com/opencontainers/runc/libcontainer/user
    symbols:
      - GetExecUser
    derived_symbols:
      - GetExecUserPath
    versions:
      - fixed: 0.1.0
    packages:
      - package: github.com/opencontainers/runc/libcontainer/user
        symbols:
          - GetExecUser
        derived_symbols:
          - GetExecUserPath
 description: |
    GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will
    improperly interpret numeric UIDs as usernames. If the method is used without
--- a/data/reports/GO-2021-0071.yaml
+++ b/data/reports/GO-2021-0071.yaml
@ -1,10 +1,11 @@
-packages:
+modules:
  - module: github.com/lxc/lxd
    package: github.com/lxc/lxd/shared
    symbols:
      - IdmapSet.doUidshiftIntoContainer
    versions:
      - fixed: 0.0.0-20151004155856-19c6961cc101
    packages:
      - package: github.com/lxc/lxd/shared
        symbols:
          - IdmapSet.doUidshiftIntoContainer
 description: |
    A race between chown and chmod operations during a container
    filesystem shift may allow a user who can modify the filesystem to
--- a/data/reports/GO-2021-0072.yaml
+++ b/data/reports/GO-2021-0072.yaml
@ -1,32 +1,30 @@
-packages:
+modules:
  - module: github.com/docker/distribution
    package: github.com/docker/distribution/registry/handlers
    symbols:
      - copyFullPayload
    derived_symbols:
      - blobUploadHandler.PatchBlobData
      - blobUploadHandler.PutBlobUploadComplete
      - imageManifestHandler.GetImageManifest
      - imageManifestHandler.PutImageManifest
    versions:
      - fixed: 2.7.0-rc.0+incompatible
  - module: github.com/docker/distribution
    package: github.com/docker/distribution/registry/storage
    symbols:
      - blobStore.Get
    derived_symbols:
      - PurgeUploads
      - Walk
      - blobStore.Enumerate
      - blobStore.Get
      - linkedBlobStore.Enumerate
      - linkedBlobStore.Get
      - manifestStore.Enumerate
      - manifestStore.Get
      - registry.Enumerate
      - registry.Repositories
    versions:
      - fixed: 2.7.0-rc.0+incompatible
    packages:
      - package: github.com/docker/distribution/registry/handlers
        symbols:
          - copyFullPayload
        derived_symbols:
          - blobUploadHandler.PatchBlobData
          - blobUploadHandler.PutBlobUploadComplete
          - imageManifestHandler.GetImageManifest
          - imageManifestHandler.PutImageManifest
      - package: github.com/docker/distribution/registry/storage
        symbols:
          - blobStore.Get
        derived_symbols:
          - PurgeUploads
          - Walk
          - blobStore.Enumerate
          - blobStore.Get
          - linkedBlobStore.Enumerate
          - linkedBlobStore.Get
          - manifestStore.Enumerate
          - manifestStore.Get
          - registry.Enumerate
          - registry.Repositories
 description: |
    Various storage methods do not impose limits on how much content is accepted
    from user requests, allowing a malicious user to force the caller to allocate
--- a/data/reports/GO-2021-0073.yaml
+++ b/data/reports/GO-2021-0073.yaml
@ -1,10 +1,11 @@
-packages:
+modules:
  - module: github.com/git-lfs/git-lfs
    package: github.com/git-lfs/git-lfs/lfsapi
    symbols:
      - sshGetLFSExeAndArgs
    versions:
      - fixed: 2.1.1-0.20170519163204-f913f5f9c7c6+incompatible
    packages:
      - package: github.com/git-lfs/git-lfs/lfsapi
        symbols:
          - sshGetLFSExeAndArgs
 description: |
    Arbitrary command execution can be triggered by improperly
    sanitized SSH URLs in LFS configuration files. This can be
--- a/data/reports/GO-2021-0075.yaml
+++ b/data/reports/GO-2021-0075.yaml
@ -1,10 +1,11 @@
-packages:
+modules:
  - module: github.com/ethereum/go-ethereum
    package: github.com/ethereum/go-ethereum/les
    symbols:
      - protocolManager.handleMsg
    versions:
      - fixed: 1.8.11
    packages:
      - package: github.com/ethereum/go-ethereum/les
        symbols:
          - protocolManager.handleMsg
 description: |
    Due to improper argument validation in RPC messages, a maliciously crafted
    message can cause a panic, leading to denial of service.
--- a/data/reports/GO-2021-0076.yaml
+++ b/data/reports/GO-2021-0076.yaml
@ -1,9 +1,11 @@
-packages:
+modules:
  - module: github.com/evanphx/json-patch
    symbols:
      - partialArray.add
    versions:
      - fixed: 0.5.2
    packages:
      - package: github.com/evanphx/json-patch
        symbols:
          - partialArray.add
 description: |
    A malicious JSON patch can cause a panic due to an out-of-bounds
    write attempt. This can be used as a denial of service vector if
--- a/data/reports/GO-2021-0077.yaml
+++ b/data/reports/GO-2021-0077.yaml
@ -1,10 +1,11 @@
-packages:
+modules:
  - module: go.etcd.io/etcd
    package: go.etcd.io/etcd/auth
    symbols:
      - authStore.AuthInfoFromTLS
    versions:
      - fixed: 0.5.0-alpha.5.0.20190108173120-83c051b701d3
    packages:
      - package: go.etcd.io/etcd/auth
        symbols:
          - authStore.AuthInfoFromTLS
 description: |
    A user can use a valid client certificate that contains a CommonName that matches a
    valid RBAC username to authenticate themselves as that user, despite lacking the
--- a/data/reports/GO-2021-0078.yaml
+++ b/data/reports/GO-2021-0078.yaml
@ -1,11 +1,12 @@
-packages:
+modules:
  - module: golang.org/x/net
    package: golang.org/x/net/html
    symbols:
      - inBodyIM
      - inFramesetIM
    versions:
      - fixed: 0.0.0-20180816102801-aaf60122140d
    packages:
      - package: golang.org/x/net/html
        symbols:
          - inBodyIM
          - inFramesetIM
 description: |
    The HTML parser does not properly handle "in frameset" insertion mode, and can be made
    to panic when operating on malformed HTML that contains <template> tags. If operating
--- a/data/reports/GO-2021-0079.yaml
+++ b/data/reports/GO-2021-0079.yaml
@ -1,10 +1,11 @@
-packages:
+modules:
  - module: github.com/bytom/bytom
    package: github.com/bytom/bytom/p2p/discover
    symbols:
      - Network.checkTopicRegister
    versions:
      - fixed: 1.0.4-0.20180831054840-1ac3c8ac4f2b
    packages:
      - package: github.com/bytom/bytom/p2p/discover
        symbols:
          - Network.checkTopicRegister
 description: |
    A malformed query can cause an out-of-bounds panic due to improper
    validation of arguments. If processing queries from untrusted
--- a/data/reports/GO-2021-0081.yaml
+++ b/data/reports/GO-2021-0081.yaml
@ -1,10 +1,11 @@
-packages:
+modules:
  - module: github.com/containers/image
    package: github.com/containers/image/docker
    symbols:
      - dockerClient.getBearerToken
    versions:
      - fixed: 2.0.2-0.20190802080134-634605d06e73+incompatible
    packages:
      - package: github.com/containers/image/docker
        symbols:
          - dockerClient.getBearerToken
 description: |
    The HTTP client used to connect to the container registry authorization
    service explicitly disables TLS verification, allowing an attacker that
--- a/data/reports/GO-2021-0082.yaml
+++ b/data/reports/GO-2021-0082.yaml
@ -1,8 +1,9 @@
-packages:
+modules:
  - module: github.com/facebook/fbthrift
    package: github.com/facebook/fbthrift/thrift/lib/go/thrift
    versions:
      - fixed: 0.31.1-0.20200311080807-483ed864d69f
    packages:
      - package: github.com/facebook/fbthrift/thrift/lib/go/thrift
 description: |
    Thirft Servers preallocate memory for the declared size of messages before
    checking the actual size of the message. This allows a malicious user to
--- a/data/reports/GO-2021-0083.yaml
+++ b/data/reports/GO-2021-0083.yaml
@ -1,10 +1,11 @@
-packages:
+modules:
  - module: github.com/hybridgroup/gobot
    package: github.com/hybridgroup/gobot/platforms/mqtt
    symbols:
      - Adaptor.newTLSConfig
    versions:
      - fixed: 1.12.1-0.20190521122906-c1aa4f867846
    packages:
      - package: github.com/hybridgroup/gobot/platforms/mqtt
        symbols:
          - Adaptor.newTLSConfig
 description: |
    TLS certificate verification is skipped when connecting to a MQTT server.
    This allows an attacker who can MITM the connection to read, or forge,
--- a/data/reports/GO-2021-0084.yaml
+++ b/data/reports/GO-2021-0084.yaml
@ -1,11 +1,12 @@
-packages:
+modules:
  - module: github.com/astaxie/beego
    package: github.com/astaxie/beego/session
    symbols:
      - FileProvider.SessionRead
      - FileProvider.SessionRegenerate
    versions:
      - fixed: 1.12.2-0.20200613154013-bac2b31afecc
    packages:
      - package: github.com/astaxie/beego/session
        symbols:
          - FileProvider.SessionRead
          - FileProvider.SessionRegenerate
 description: |
    Session data is stored using permissive permissions, allowing local users
    with filesystem access to read arbitrary data.
--- a/data/reports/GO-2021-0085.yaml
+++ b/data/reports/GO-2021-0085.yaml
@ -1,12 +1,14 @@
-packages:
+modules:
  - module: github.com/opencontainers/runc
    package: github.com/opencontainers/runc/libcontainer
    versions:
      - fixed: 1.0.0-rc8.0.20190930145003-cad42f6e0932
    packages:
      - package: github.com/opencontainers/runc/libcontainer
  - module: github.com/opencontainers/selinux
    package: github.com/opencontainers/selinux/go-selinux
    versions:
      - fixed: 1.3.1-0.20190929122143-5215b1806f52
    packages:
      - package: github.com/opencontainers/selinux/go-selinux
 description: |
    AppArmor restrictions may be bypassed due to improper validation of mount
    targets, allowing a malicious image to mount volumes over e.g. /proc.
--- a/data/reports/GO-2021-0086.yaml
+++ b/data/reports/GO-2021-0086.yaml
@ -1,10 +1,11 @@
-packages:
+modules:
  - module: github.com/documize/community
    package: github.com/documize/community/domain/section/markdown
    symbols:
      - Provider.Render
    versions:
      - fixed: 1.76.3-0.20191119114751-a4384210d4d0
    packages:
      - package: github.com/documize/community/domain/section/markdown
        symbols:
          - Provider.Render
 description: |
    HTML content in markdown is not santized during rendering, possibly allowing
    XSS if used to render untrusted user input.
--- a/data/reports/GO-2021-0087.yaml
+++ b/data/reports/GO-2021-0087.yaml
@ -1,10 +1,11 @@
-packages:
+modules:
  - module: github.com/opencontainers/runc
    package: github.com/opencontainers/runc/libcontainer
    symbols:
      - mountToRootfs
    versions:
      - fixed: 1.0.0-rc9.0.20200122160610-2fc03cc11c77
    packages:
      - package: github.com/opencontainers/runc/libcontainer
        symbols:
          - mountToRootfs
 description: |
    A race while mounting volumes allows a possible symlink-exchange
    attack, allowing a user whom can start multiple containers with
--- a/data/reports/GO-2021-0088.yaml
+++ b/data/reports/GO-2021-0088.yaml
@ -1,10 +1,11 @@
-packages:
+modules:
  - module: github.com/facebook/fbthrift
    package: github.com/facebook/fbthrift/thrift/lib/go/thrift
    symbols:
      - Skip
    versions:
      - fixed: 0.31.1-0.20190225164308-c461c1bd1a3e
    packages:
      - package: github.com/facebook/fbthrift/thrift/lib/go/thrift
        symbols:
          - Skip
 description: |
    Skip ignores unknown fields, rather than failing. A malicious user can craft small
    messages with unknown fields which can take significant resources to parse. If a
--- a/data/reports/GO-2021-0089.yaml
+++ b/data/reports/GO-2021-0089.yaml
@ -1,9 +1,11 @@
-packages:
+modules:
  - module: github.com/buger/jsonparser
    symbols:
      - findKeyStart
    versions:
      - fixed: 0.0.0-20200321185410-91ac96899e49
    packages:
      - package: github.com/buger/jsonparser
        symbols:
          - findKeyStart
 description: |
    Parsing malformed JSON which contain opening brackets, but not closing brackets,
    leads to an infinite loop. If operating on untrusted user input this can be
--- a/data/reports/GO-2021-0090.yaml
+++ b/data/reports/GO-2021-0090.yaml
@ -1,13 +1,14 @@
-packages:
+modules:
  - module: github.com/tendermint/tendermint
    package: github.com/tendermint/tendermint/types
    symbols:
      - VoteSet.MakeCommit
    derived_symbols:
      - MakeCommit
    versions:
      - introduced: 0.33.0
        fixed: 0.34.0-dev1.0.20200702134149-480b995a3172
    packages:
      - package: github.com/tendermint/tendermint/types
        symbols:
          - VoteSet.MakeCommit
        derived_symbols:
          - MakeCommit
 description: |
    Proposed commits may contain signatures for blocks not contained
    within the commit. Instead of skipping these signatures, they
--- a/data/reports/GO-2021-0091.yaml
+++ b/data/reports/GO-2021-0091.yaml
@ -1,9 +1,11 @@
-packages:
+modules:
  - module: github.com/gofiber/fiber
    symbols:
      - Ctx.Attachment
    versions:
      - fixed: 1.12.6-0.20200710202935-a8ad5454363f
    packages:
      - package: github.com/gofiber/fiber
        symbols:
          - Ctx.Attachment
 description: |
    Due to improper input validation when uploading a file, a malicious user may
    force the server to return arbitrary HTTP headers when the uploaded
--- a/data/reports/GO-2021-0092.yaml
+++ b/data/reports/GO-2021-0092.yaml
@ -1,12 +1,14 @@
-packages:
+modules:
  - module: github.com/ory/fosite
    symbols:
      - Fosite.AuthenticateClient
    derived_symbols:
      - Fosite.NewAccessRequest
      - Fosite.NewRevocationRequest
    versions:
      - fixed: 0.31.0
    packages:
      - package: github.com/ory/fosite
        symbols:
          - Fosite.AuthenticateClient
        derived_symbols:
          - Fosite.NewAccessRequest
          - Fosite.NewRevocationRequest
 description: |
    Uniqueness of JWT IDs (jti) are not checked, allowing the JWT to be
    replayed.
--- a/data/reports/GO-2021-0094.yaml
+++ b/data/reports/GO-2021-0094.yaml
@ -1,9 +1,11 @@
-packages:
+modules:
  - module: github.com/hashicorp/go-slug
    symbols:
      - Unpack
    versions:
      - fixed: 0.5.0
    packages:
      - package: github.com/hashicorp/go-slug
        symbols:
          - Unpack
 description: |
    Protections against directory traversal during archive extraction can be
    bypassed by chaining multiple symbolic links within the archive. This allows
--- a/data/reports/GO-2021-0095.yaml
+++ b/data/reports/GO-2021-0095.yaml
@ -1,10 +1,11 @@
-packages:
+modules:
  - module: github.com/google/go-tpm
    package: github.com/google/go-tpm/tpm
    symbols:
      - CreateWrapKey
    versions:
      - fixed: 0.3.0
    packages:
      - package: github.com/google/go-tpm/tpm
        symbols:
          - CreateWrapKey
 description: |
    Due to repeated usage of a XOR key an attacker that can eavesdrop on the TPM 1.2 transport
    is able to calculate usageAuth for keys created using CreateWrapKey, despite it being encrypted,
--- a/data/reports/GO-2021-0096.yaml
+++ b/data/reports/GO-2021-0096.yaml
@ -1,7 +1,9 @@
-packages:
+modules:
  - module: github.com/proglottis/gpgme
    versions:
      - fixed: 0.1.1
    packages:
      - package: github.com/proglottis/gpgme
 description: |
    Due to improper setting of finalizers, memory passed to C may be freed before it is used,
    leading to crashes due to memory corruption or possible code execution.
--- a/data/reports/GO-2021-0097.yaml
+++ b/data/reports/GO-2021-0097.yaml
@ -1,12 +1,14 @@
-packages:
+modules:
  - module: github.com/dhowden/tag
    symbols:
      - readPICFrame
      - readAPICFrame
      - readTextWithDescrFrame
      - readAtomData
    versions:
      - fixed: 0.0.0-20201120070457-d52dcb253c63
    packages:
      - package: github.com/dhowden/tag
        symbols:
          - readPICFrame
          - readAPICFrame
          - readTextWithDescrFrame
          - readAtomData
 description: |
    Due to improper bounds checking, a number of methods can trigger a panic due to attempted
    out-of-bounds reads. If the package is used to parse user supplied input, this may be
--- a/data/reports/GO-2021-0098.yaml
+++ b/data/reports/GO-2021-0098.yaml
@ -1,29 +1,29 @@
-packages:
+modules:
  - module: github.com/git-lfs/git-lfs
    package: github.com/git-lfs/git-lfs/commands
    symbols:
      - PipeCommand
    versions:
      - fixed: 1.5.1-0.20210113180018-fc664697ed2c
  - module: github.com/git-lfs/git-lfs
    package: github.com/git-lfs/git-lfs/creds
    symbols:
      - AskPassCredentialHelper.getFromProgram
      - commandCredentialHelper.Approve
    versions:
      - fixed: 1.5.1-0.20210113180018-fc664697ed2c
  - module: github.com/git-lfs/git-lfs
    package: github.com/git-lfs/git-lfs/lfs
    symbols:
      - pipeExtensions
    versions:
      - fixed: 1.5.1-0.20210113180018-fc664697ed2c
  - module: github.com/git-lfs/git-lfs
    package: github.com/git-lfs/git-lfs/lfshttp
    symbols:
      - sshAuthClient.Resolve
    versions:
      - fixed: 1.5.1-0.20210113180018-fc664697ed2c
    packages:
      - package: github.com/git-lfs/git-lfs/commands
        goos:
          - windows
        symbols:
          - PipeCommand
      - package: github.com/git-lfs/git-lfs/creds
        goos:
          - windows
        symbols:
          - AskPassCredentialHelper.getFromProgram
          - commandCredentialHelper.Approve
      - package: github.com/git-lfs/git-lfs/lfs
        goos:
          - windows
        symbols:
          - pipeExtensions
      - package: github.com/git-lfs/git-lfs/lfshttp
        goos:
          - windows
        symbols:
          - sshAuthClient.Resolve
 description: |
    Due to the standard library behavior of exec.LookPath on Windows a number of methods may
    result in arbitrary code execution when cloning or operating on untrusted Git repositories.
@ -33,9 +33,9 @@ cves:
 ghsas:
  - GHSA-cx3w-xqmc-84g5
 credit: '@Ry0taK'
 os:
  - windows
 links:
    commit: https://github.com/git-lfs/git-lfs/commit/fc664697ed2c2081ee9633010de0a7f9debea72a
    context:
      - https://github.com/git-lfs/git-lfs/security/advisories/GHSA-cx3w-xqmc-84g5
 os:
  - windows
--- a/data/reports/GO-2021-0099.yaml
+++ b/data/reports/GO-2021-0099.yaml
@ -1,12 +1,13 @@
-packages:
+modules:
  - module: github.com/deislabs/oras
    package: github.com/deislabs/oras/pkg/content
    symbols:
      - extractTarDirectory
    derived_symbols:
      - fileWriter.Commit
    versions:
      - fixed: 0.9.0
    packages:
      - package: github.com/deislabs/oras/pkg/content
        symbols:
          - extractTarDirectory
        derived_symbols:
          - fileWriter.Commit
 description: |
    Due to improper path validation, using the github.com/deislabs/oras/pkg/content.FileStore
    content store may result in directory traversal during archive extraction, allowing a
--- a/data/reports/GO-2021-0100.yaml
+++ b/data/reports/GO-2021-0100.yaml
@ -1,24 +1,25 @@
-packages:
+modules:
  - module: github.com/containers/storage
    package: github.com/containers/storage/pkg/archive
    symbols:
      - cmdStream
    derived_symbols:
      - ApplyLayer
      - ApplyUncompressedLayer
      - Archiver.CopyFileWithTar
      - Archiver.CopyWithTar
      - Archiver.TarUntar
      - Archiver.UntarPath
      - CopyResource
      - CopyTo
      - DecompressStream
      - IsArchivePath
      - Untar
      - UntarPath
      - UntarUncompressed
    versions:
      - fixed: 1.28.1
    packages:
      - package: github.com/containers/storage/pkg/archive
        symbols:
          - cmdStream
        derived_symbols:
          - ApplyLayer
          - ApplyUncompressedLayer
          - Archiver.CopyFileWithTar
          - Archiver.CopyWithTar
          - Archiver.TarUntar
          - Archiver.UntarPath
          - CopyResource
          - CopyTo
          - DecompressStream
          - IsArchivePath
          - Untar
          - UntarPath
          - UntarUncompressed
 description: |
    Due to a goroutine deadlock, using github.com/containers/storage/pkg/archive.DecompressStream
    on a xz archive returns a reader which will hang indefinitely when Close is called. An attacker
--- a/data/reports/GO-2021-0101.yaml
+++ b/data/reports/GO-2021-0101.yaml
@ -1,58 +1,59 @@
-packages:
+modules:
  - module: github.com/apache/thrift
    package: github.com/apache/thrift/lib/go/thrift
    symbols:
      - TSimpleJSONProtocol.safePeekContains
    derived_symbols:
      - Skip
      - SkipDefaultDepth
      - TJSONProtocol.ParseElemListBegin
      - TJSONProtocol.ReadBool
      - TJSONProtocol.ReadByte
      - TJSONProtocol.ReadDouble
      - TJSONProtocol.ReadFieldBegin
      - TJSONProtocol.ReadFieldEnd
      - TJSONProtocol.ReadI16
      - TJSONProtocol.ReadI32
      - TJSONProtocol.ReadI64
      - TJSONProtocol.ReadListBegin
      - TJSONProtocol.ReadListEnd
      - TJSONProtocol.ReadMapBegin
      - TJSONProtocol.ReadMapEnd
      - TJSONProtocol.ReadMessageBegin
      - TJSONProtocol.ReadMessageEnd
      - TJSONProtocol.ReadSetBegin
      - TJSONProtocol.ReadSetEnd
      - TJSONProtocol.ReadStructBegin
      - TJSONProtocol.ReadStructEnd
      - TSimpleJSONProtocol.ParseElemListBegin
      - TSimpleJSONProtocol.ParseF64
      - TSimpleJSONProtocol.ParseI64
      - TSimpleJSONProtocol.ParseListBegin
      - TSimpleJSONProtocol.ParseListEnd
      - TSimpleJSONProtocol.ParseObjectEnd
      - TSimpleJSONProtocol.ParseObjectStart
      - TSimpleJSONProtocol.ReadByte
      - TSimpleJSONProtocol.ReadDouble
      - TSimpleJSONProtocol.ReadI16
      - TSimpleJSONProtocol.ReadI32
      - TSimpleJSONProtocol.ReadI64
      - TSimpleJSONProtocol.ReadListBegin
      - TSimpleJSONProtocol.ReadListEnd
      - TSimpleJSONProtocol.ReadMapBegin
      - TSimpleJSONProtocol.ReadMapEnd
      - TSimpleJSONProtocol.ReadMessageBegin
      - TSimpleJSONProtocol.ReadMessageEnd
      - TSimpleJSONProtocol.ReadSetBegin
      - TSimpleJSONProtocol.ReadSetEnd
      - TSimpleJSONProtocol.ReadStructBegin
      - TSimpleJSONProtocol.ReadStructEnd
      - TStandardClient.Call
      - TStandardClient.Recv
      - tApplicationException.Read
    versions:
      - introduced: 0.0.0-20151001171628-53dd39833a08
      - fixed: 0.13.0
    packages:
      - package: github.com/apache/thrift/lib/go/thrift
        symbols:
          - TSimpleJSONProtocol.safePeekContains
        derived_symbols:
          - Skip
          - SkipDefaultDepth
          - TJSONProtocol.ParseElemListBegin
          - TJSONProtocol.ReadBool
          - TJSONProtocol.ReadByte
          - TJSONProtocol.ReadDouble
          - TJSONProtocol.ReadFieldBegin
          - TJSONProtocol.ReadFieldEnd
          - TJSONProtocol.ReadI16
          - TJSONProtocol.ReadI32
          - TJSONProtocol.ReadI64
          - TJSONProtocol.ReadListBegin
          - TJSONProtocol.ReadListEnd
          - TJSONProtocol.ReadMapBegin
          - TJSONProtocol.ReadMapEnd
          - TJSONProtocol.ReadMessageBegin
          - TJSONProtocol.ReadMessageEnd
          - TJSONProtocol.ReadSetBegin
          - TJSONProtocol.ReadSetEnd
          - TJSONProtocol.ReadStructBegin
          - TJSONProtocol.ReadStructEnd
          - TSimpleJSONProtocol.ParseElemListBegin
          - TSimpleJSONProtocol.ParseF64
          - TSimpleJSONProtocol.ParseI64
          - TSimpleJSONProtocol.ParseListBegin
          - TSimpleJSONProtocol.ParseListEnd
          - TSimpleJSONProtocol.ParseObjectEnd
          - TSimpleJSONProtocol.ParseObjectStart
          - TSimpleJSONProtocol.ReadByte
          - TSimpleJSONProtocol.ReadDouble
          - TSimpleJSONProtocol.ReadI16
          - TSimpleJSONProtocol.ReadI32
          - TSimpleJSONProtocol.ReadI64
          - TSimpleJSONProtocol.ReadListBegin
          - TSimpleJSONProtocol.ReadListEnd
          - TSimpleJSONProtocol.ReadMapBegin
          - TSimpleJSONProtocol.ReadMapEnd
          - TSimpleJSONProtocol.ReadMessageBegin
          - TSimpleJSONProtocol.ReadMessageEnd
          - TSimpleJSONProtocol.ReadSetBegin
          - TSimpleJSONProtocol.ReadSetEnd
          - TSimpleJSONProtocol.ReadStructBegin
          - TSimpleJSONProtocol.ReadStructEnd
          - TStandardClient.Call
          - TStandardClient.Recv
          - tApplicationException.Read
 description: |
    Due to an improper bounds check, parsing maliciously crafted messages can cause panics. If
    this package is used to parse untrusted input, this may be used as a vector for a denial of
--- a/data/reports/GO-2021-0102.yaml
+++ b/data/reports/GO-2021-0102.yaml
@ -1,16 +1,18 @@
-packages:
+modules:
  - module: code.cloudfoundry.org/gorouter
    package: code.cloudfoundry.org/gorouter/common/secure
    symbols:
      - AesGCM.Decrypt
    versions:
      - fixed: 0.0.0-20191101214924-b1b5c44e050f
    packages:
      - package: code.cloudfoundry.org/gorouter/common/secure
        symbols:
          - AesGCM.Decrypt
  - module: github.com/cloudfoundry/gorouter
    package: github.com/cloudfoundry/gorouter/common/secure
    symbols:
      - AesGCM.Decrypt
    versions:
      - fixed: 0.0.0-20191101214924-b1b5c44e050f
    packages:
      - package: github.com/cloudfoundry/gorouter/common/secure
        symbols:
          - AesGCM.Decrypt
 description: |
    Due to improper input validation, a maliciously crafted input can cause a panic, due to incorrect
    nonce size. If this package is used to decrypt user supplied messages without checking the size of
--- a/data/reports/GO-2021-0103.yaml
+++ b/data/reports/GO-2021-0103.yaml
@ -1,17 +1,19 @@
-packages:
+modules:
  - module: github.com/holiman/uint256
    symbols:
      - udivrem
    derived_symbols:
      - Int.AddMod
      - Int.Div
      - Int.Mod
      - Int.MulMod
      - Int.SDiv
      - Int.SMod
    versions:
      - introduced: 0.1.0
      - fixed: 1.1.1
    packages:
      - package: github.com/holiman/uint256
        symbols:
          - udivrem
        derived_symbols:
          - Int.AddMod
          - Int.Div
          - Int.Mod
          - Int.MulMod
          - Int.SDiv
          - Int.SMod
 description: |
    Due to improper bounds checking, certain mathmatical operations can cause a panic via an
    out of bounds read. If this package is used to process untrusted user inputs, this may be used
--- a/data/reports/GO-2021-0104.yaml
+++ b/data/reports/GO-2021-0104.yaml
@ -1,18 +1,20 @@
-packages:
+modules:
  - module: github.com/pion/webrtc/v3
    symbols:
      - DTLSTransport.Start
    derived_symbols:
      - PeerConnection.AddTrack
      - PeerConnection.AddTransceiverFromTrack
      - PeerConnection.CreateDataChannel
      - PeerConnection.RemoveTrack
      - PeerConnection.SetLocalDescription
      - PeerConnection.SetRemoteDescription
      - operations.Done
      - operations.Enqueue
    versions:
      - fixed: 3.0.15
    packages:
      - package: github.com/pion/webrtc/v3
        symbols:
          - DTLSTransport.Start
        derived_symbols:
          - PeerConnection.AddTrack
          - PeerConnection.AddTransceiverFromTrack
          - PeerConnection.CreateDataChannel
          - PeerConnection.RemoveTrack
          - PeerConnection.SetLocalDescription
          - PeerConnection.SetRemoteDescription
          - operations.Done
          - operations.Enqueue
 description: |
    Due to improper error handling, DTLS connections were not killed when certificate verification
    failed, causing users who did not check the connection state to continue to use the connection.
--- a/data/reports/GO-2021-0105.yaml
+++ b/data/reports/GO-2021-0105.yaml
@ -1,11 +1,12 @@
-packages:
+modules:
  - module: github.com/ethereum/go-ethereum
    package: github.com/ethereum/go-ethereum/core
    symbols:
      - StateDB.createObject
    versions:
      - introduced: 1.9.4
      - fixed: 1.9.20
    packages:
      - package: github.com/ethereum/go-ethereum/core
        symbols:
          - StateDB.createObject
 description: |
    Due to an incorrect state calculation, a specific set of
    transactions could cause a consensus disagreement,
--- a/data/reports/GO-2021-0106.yaml
+++ b/data/reports/GO-2021-0106.yaml
@ -1,18 +1,21 @@
-packages:
+modules:
  - module: github.com/whyrusleeping/tar-utils
    symbols:
      - Extractor.outputPath
    versions:
      - fixed: 0.0.0-20201201191210-20a61371de5b
    packages:
      - package: github.com/whyrusleeping/tar-utils
        symbols:
          - Extractor.outputPath
 description: |
    Due to improper path santization, archives containing relative file
    paths can cause files to be written (or overwritten) outside of the
    target directory.
 published: 2021-07-28T18:08:05Z
 cve_metadata:
    id: CVE-2020-36566
    cwe: "CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
 links:
    commit: https://github.com/whyrusleeping/tar-utils/commit/20a61371de5b51380bbdb0c7935b30b0625ac227
    context:
      - https://snyk.io/research/zip-slip-vulnerability
 cve_metadata:
    id: CVE-2020-36566
    cwe: 'CWE 22: Improper Limitation of a Pathname to a Restricted Directory (''Path
        Traversal'')'
--- a/data/reports/GO-2021-0107.yaml
+++ b/data/reports/GO-2021-0107.yaml
@ -1,20 +1,22 @@
-packages:
+modules:
  - module: github.com/ecnepsnai/web
    symbols:
      - Server.socketHandler
    derived_symbols:
      - Server.Socket
    versions:
      - fixed: 1.5.2
    packages:
      - package: github.com/ecnepsnai/web
        symbols:
          - Server.socketHandler
        derived_symbols:
          - Server.Socket
 description: |
    Web Sockets do not execute any AuthenticateMethod methods which may be set,leading to a
    nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or
    authentication bypass.
 published: 2021-07-28T18:08:05Z
 cve_metadata:
    id: CVE-2021-4236
    cwe: 'CWE-400: Uncontrolled Resource Consumption'
 ghsas:
  - GHSA-5gjg-jgh4-gppm
 links:
    commit: https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002f
 cve_metadata:
    id: CVE-2021-4236
    cwe: 'CWE-400: Uncontrolled Resource Consumption'
--- a/data/reports/GO-2021-0108.yaml
+++ b/data/reports/GO-2021-0108.yaml
@ -1,9 +1,11 @@
-packages:
+modules:
  - module: github.com/gofiber/fiber
    symbols:
      - Ctx.Attachment
    versions:
      - fixed: 1.12.6
    packages:
      - package: github.com/gofiber/fiber
        symbols:
          - Ctx.Attachment
 description: |
    Due to improper input sanitization, a maliciously constructed filename could cause a file
    download to use an attacker controlled filename, as well as injecting additional headers
--- a/Показать больше
+++ b/Показать больше