Add new excluded reason, WITHDRAWN, which indicates
that a report was withdrawn before we got a chance
to publish it in vulndb.
This allows us to keep better track of withdrawn reports
(as opposed to completely omitting them from our
records).
Change-Id: I7209edc88e903787b0c79556177af8f34fed8a4e
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607818
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Remove the "possible duplicate" label and instead
label all suspected duplicates as "duplicate" and
post a comment of the form "Duplicate of #NNN" to
the issue.
Update the instructions for the triager.
This is OK because the duplicate-finding check is
almost always correct.
Change-Id: I9d036f3a0490564000a13d783353608cde39880a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606236
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Re-arrange the docs so that reference-style info about triage
is in triage.md, and add a new page vulnreport.md.
Update the descriptions of the triage states in triage.md.
Change-Id: I75c5fe555a3cbcb0eedcec58fe811f5b5caef0b6
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/600236
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Command vulnreport create now decides whether to generate a REVIEWED
or UNREVIEWED report based on the issue's labels.
This can be overridden with flag "-status=<REVIEW_STATUS>". The "unreviewed"
flag is removed.
Change-Id: I8f8b808c6f9bbcaeb0dc176fb6cb875b8f9ccee4
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/587976
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Adds the beginnings of a guide that can be used as a
reference for the current vulndb triager, in combination
with the older triage guide.
The goal is to document new features / processes
so we can get started with experimenting with them
without needing to overhaul the whole guide before we
have worked out the final process.
Change-Id: Iad8256414fda78ebbdbfc44776a46786cbbb034c
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/587975
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
This is a previously-excluded binary report used
to demonstrate the usage of the new "non_go_versions" field.
Aliases: CVE-2024-23319, GHSA-4fp6-574p-fc35
For golang/vulndb#2539
Change-Id: I06fa51de3e32d78bdc53bf8262e84d92e5af2d95
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/568058
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
A non-Go version range can be used to specify versions used by
module maintainers that do not conform to Go's module
version conventions (https://go.dev/doc/modules/version-numbers).
For now, these versions are not published in OSV. In the future,
they will likely be published in an ecosystem_specific field
and used for display purposes.
Change-Id: I3fcd13a832fd91bce3dfaccd56e63a06e95410b3
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/568057
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Say that we should write a report if the NIST page says "awaiting analysis".
Change-Id: Ieabecd3743b6495c679650e950a466f5846aec70
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/555895
Run-TryBot: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Add a new YAML field, "notes", which can be used to add notes to a report
to, e.g., document why certain decisions were made. These notes are only
stored in the YAML files, and not published to OSV or CVE records.
Change-Id: I3e9a328d4b61595b393ab3d1747870c13736dd0a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/503875
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Updates triage.md to better match current state of triaging.
Change-Id: Ide8ead20b6af380f3f2d9121ff78b372a6953643
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/503039
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Update docs to match current reality of the YAML format.
Change-Id: Ie5e23b1af1b7c53037feb47eae08b2cddb753999
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/503037
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
- triage.md: Mention that you must be at repo root to run some
vulnreport commands, and fix a heading level.
- format.md: document vulnerable_at, and add some more information
about credit.
Change-Id: I3194b70fbc8ff15cf4a8b9b938b27a1034862b43
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/475918
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
If you run `vulnreport create-excluded` on master, you'll get a new commit
on master. You need to be on another branch.
Change-Id: I10abad871a04f5e54f96bec40828529d631e8b71
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/475916
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Adds more details for how to add a new report to triage.md.
Added details come from friction from onboarding.
Change-Id: I92f7064e65da021429cae9dbe664b48e47f4a74e
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/447075
Run-TryBot: Tim King <taking@google.com>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
The toolchain binaries (cmd/...) are in module "cmd" (according to
go/src/cmd/go.mod), but we've been putting "std" as the module in
reports. Fix the reports. Put in a lint check to prevent backsliding.
Our ecosystem-specific OSV spec states that toolchain binaries
get a path of "toolchain", so convert "cmd" to "toolchain" at
generation time.
Put toolchain reports in toolchain.json for consistency.
Change-Id: I8513438496d2c84846483febd874710cdbf67dea
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/425005
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Julie Qiu <julieqiu@google.com>
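The module-path rule in the commit above (toolchain binaries under cmd/ belong to module "cmd", and "cmd" is published as "toolchain" in OSV) is small enough to show as a lint plus a generation-time mapping. The following is an added example, not code from x/vulndb; the `Affected` struct and function names are this example's own, and the only facts it encodes are the ones the commit message states.

```go
package main

import (
	"fmt"
	"strings"
)

// Affected is the slice of a report this check looks at: the module a set
// of package paths is recorded under. The field names are this example's
// own, not the report schema.
type Affected struct {
	Module   string
	Packages []string
}

// isToolchainPackage reports whether a package path lives in the "cmd"
// module (go/src/cmd/go.mod), i.e. it is "cmd" itself or under "cmd/".
func isToolchainPackage(pkg string) bool {
	return pkg == "cmd" || strings.HasPrefix(pkg, "cmd/")
}

// LintStdModule returns one problem per package whose recorded module
// disagrees with where it actually lives: toolchain binaries filed under
// "std", or non-toolchain packages filed under "cmd". This is the
// "prevent backsliding" check from the commit message.
func LintStdModule(a Affected) []string {
	var problems []string
	for _, pkg := range a.Packages {
		switch {
		case a.Module == "std" && isToolchainPackage(pkg):
			problems = append(problems, fmt.Sprintf("%s is in module cmd, not std", pkg))
		case a.Module == "cmd" && !isToolchainPackage(pkg):
			problems = append(problems, fmt.Sprintf("%s is not in module cmd", pkg))
		}
	}
	return problems
}

// OSVModulePath maps a report's module to the path published in OSV:
// "cmd" is published as "toolchain"; every other module path is unchanged.
func OSVModulePath(module string) string {
	if module == "cmd" {
		return "toolchain"
	}
	return module
}

func main() {
	// Constructed samples: one mis-filed toolchain package, one correct.
	samples := []Affected{
		{Module: "std", Packages: []string{"cmd/go", "net/http"}},
		{Module: "cmd", Packages: []string{"cmd/go/internal/get"}},
	}
	for _, a := range samples {
		fmt.Printf("module %s -> osv path %s, lint: %v\n",
			a.Module, OSVModulePath(a.Module), LintStdModule(a))
	}
}
```

The lint runs on the YAML as written (module "cmd"), and the rename to "toolchain" happens only when the OSV entry is generated, so the two concerns stay separate: reports record the real module, OSV gets the ecosystem-specific path.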
The move of reports from reports/ to data/reports broke lookups of
the publication date from the git history. Set the publication
date for all existing reports based on the history from the old
location.
Change-Id: I7a4dd9121894d037c689db7398311b234bdf270b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/424377
Reviewed-by: Julie Qiu <julieqiu@google.com>
Add support for recording the reason no report exists for a CVE or GHSA.
Excluded reports are placed in the excluded/ directory, and follow the
same format as normal reports except:
- Excluded reports have an "excluded" field indicating why the
report has been excluded.
- Excluded reports must have at least one associated CVE or GHSA.
- Excluded reports need have no other fields set.
Change-Id: I4b346567bd2b0ac08c78a9bc5ae26f721a8c3147
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/422638
Reviewed-by: Julie Qiu <julieqiu@google.com>
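The three rules for an excluded report given in the commit above (an "excluded" reason, at least one CVE or GHSA, no other fields), together with the WITHDRAWN reason introduced at the top of this page, make a compact validation check. Below is an added example, not x/vulndb's own lint code: it assumes the aliases live under keys named `cves` and `ghsas` and that reasons are bare uppercase identifiers, and its YAML reader handles only the flat "key: value" and "key:" followed by "- item" subset these reports need. Only WITHDRAWN is on the allowlist because it is the only reason this page names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ExcludedReport holds the fields an excluded report is allowed to carry:
// the exclusion reason and at least one CVE or GHSA alias. Any other
// top-level key is collected so the check can reject it. The alias key
// names "cves" and "ghsas" are an assumption of this example.
type ExcludedReport struct {
	Excluded string
	CVEs     []string
	GHSAs    []string
	Other    []string
}

// excludedReasons is the allowlist of reasons. Only WITHDRAWN is named on
// this page; a real check would list the project's other reasons here.
var excludedReasons = map[string]bool{"WITHDRAWN": true}

var (
	cveRe  = regexp.MustCompile(`^CVE-\d{4}-\d{4,}$`)
	ghsaRe = regexp.MustCompile(`^GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}$`)
)

// ParseExcluded reads the flat YAML subset an excluded report needs. It is
// a toy reader for this example, not a general YAML parser.
func ParseExcluded(src string) (*ExcludedReport, error) {
	r := &ExcludedReport{}
	list := "" // list key currently being filled, if any
	for i, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if strings.HasPrefix(line, "- ") {
			item := strings.TrimSpace(line[2:])
			switch list {
			case "cves":
				r.CVEs = append(r.CVEs, item)
			case "ghsas":
				r.GHSAs = append(r.GHSAs, item)
			default:
				return nil, fmt.Errorf("line %d: list item outside cves/ghsas", i+1)
			}
			continue
		}
		key, val, ok := strings.Cut(line, ":")
		if !ok {
			return nil, fmt.Errorf("line %d: expected key: value", i+1)
		}
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		list = ""
		switch key {
		case "excluded":
			r.Excluded = val
		case "cves", "ghsas":
			list = key
		default:
			r.Other = append(r.Other, key)
		}
	}
	return r, nil
}

// Validate applies the rules from the commit message: a known excluded
// reason, at least one well-formed CVE or GHSA, and no other fields.
func Validate(r *ExcludedReport) []string {
	var errs []string
	switch {
	case r.Excluded == "":
		errs = append(errs, `missing "excluded" reason`)
	case !excludedReasons[r.Excluded]:
		errs = append(errs, fmt.Sprintf("unknown excluded reason %q", r.Excluded))
	}
	if len(r.CVEs)+len(r.GHSAs) == 0 {
		errs = append(errs, "excluded report needs at least one CVE or GHSA")
	}
	for _, id := range r.CVEs {
		if !cveRe.MatchString(id) {
			errs = append(errs, "malformed CVE id "+id)
		}
	}
	for _, id := range r.GHSAs {
		if !ghsaRe.MatchString(id) {
			errs = append(errs, "malformed GHSA id "+id)
		}
	}
	if len(r.Other) > 0 {
		errs = append(errs, "excluded report must not set: "+strings.Join(r.Other, ", "))
	}
	return errs
}

// CheckExcludedReport parses and validates one report; a parse failure is
// returned as a single error string.
func CheckExcludedReport(src string) []string {
	r, err := ParseExcluded(src)
	if err != nil {
		return []string{err.Error()}
	}
	return Validate(r)
}

// Constructed sample inputs; the alias IDs are the ones quoted on this page.
const goodReport = `excluded: WITHDRAWN
cves:
  - CVE-2024-23319
ghsas:
  - GHSA-4fp6-574p-fc35
`

const badReport = `excluded: SOMETHING_ELSE
summary: a report that should have been excluded
`

func main() {
	for _, src := range []string{goodReport, badReport} {
		fmt.Println("errors:", CheckExcludedReport(src))
	}
}
```

The second sample fails all three rules at once (unknown reason, no alias, a stray "summary" key), which is the shape of mistake the "no other fields" rule exists to catch: a partially filled normal report accidentally saved under excluded/.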
All Go standard library reports to x/vulndb should follow the same
format, which is now documented in triage.md.
Change-Id: Idce3501cd7c26e1d2a02dd8e74c8a89a3144c123
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/389534
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Julie Qiu <julie@golang.org>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Documentation for the vulndb reports now reflects refactored Package and
adds documentation for GHSA IDs.
Additionally reformats document for readability, adds more examples, and
makes wording more consistent throughout.
Change-Id: I64798238ac3f1476c64691bdbcefa15d8de8e375
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/406254
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julie@golang.org>
A doc folder is created for documentation about x/vulndb and format.md
is moved to that directory.
Change-Id: Ibb9c946cdae8b0cc5626eb47a1272de1783d5ad7
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/373500
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>