It is not always clear which major version is best to list in the summary,
so just pick the base module if we are automatically creating the summary.
(For REVIEWED reports, the triager can pick the best major version).
Change-Id: Ifee6380136f59e9a67ef31734b0e00986340fe6d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/600478
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
If a CVE version range doesn't specify a default status,
but specifies that the given range is "affected", assume
the intended default is "unaffected".
Change-Id: I03f2d1edea60dde1a759d5078a48ee459f28b4bf
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/600477
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
When converting a CVE v5 record to a Report, use the module
proxy to determine if a given package candidate exists
(rather than a heuristic like whether it has a slash or not).
This gives more accurate package results.
Change-Id: I33c923b3cd8a0a91a1297aba3d1ded35f363befd
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/600476
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
The create algorithm has diverged somewhat for UNREVIEWED
and REVIEWED reports (for example, UNREVIEWED reports don't have
packages or descriptions), so add test outputs for REVIEWED reports
too.
Change-Id: I2dac20a957b6dd9e7d23841800580523eb8a5ffc
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/600555
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Re-arrange the docs so that reference-style info about triage
is in triage.md, and add a new page vulnreport.md.
Update the descriptions of the triage states in triage.md.
Change-Id: I75c5fe555a3cbcb0eedcec58fe811f5b5caef0b6
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/600236
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Add a test case for which our automation ought to do a better
job: it should be able to identify the v8 version of the module
(as it is present in the CVE), and also correctly pull out the
version ranges.
Change-Id: Ie74132e57897d8f7d6afa33ae5ce74f787dae451
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/599635
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Fix a bug in which the "likely duplicate" label was applied
to all issues that have duplicates on the tracker. (For example,
if #1 and #2 both refer to GHSA-xxxx-yyyy-zzzz, only one of
these should be marked as a duplicate).
This also revealed some bugs in the fake in-memory implementation
of the GHSA API, which are now fixed.
Change-Id: Ifd98befdf3e23f1fc95df38533107de9c921b195
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/599456
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Add a simple check for package existence in vulnreport fix, which
pings pkg.go.dev to determine if a package exists.
This is more likely to succeed (and faster) than the package/symbol
check which downloads the whole package. We now skip this symbol-check
when there are no symbols listed.
There are still some cases in which this fails incorrectly (e.g. if pkgsite
for some reason couldn't cache the given package/version), so the check
can be bypassed.
Change-Id: I922eae0dec9a376210f0f0fd1d70a67da934ffaa
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/599180
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Before writing YAML/OSV/CVE files, check if their contents would
be modified. The main benefit of this is that we now only print
out the written filename if its contents change, which is helpful
for determining the impact of batch operations.
Change-Id: Ieae133a1697d98b99cb40dda56826a5c46f40487
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/599179
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Unify the display of xrefs in the worker and in vulnreport xref.
Call out duplicate aliases more prominently, as they indicate a problem,
whereas module xrefs are informational.
Change-Id: I3898ab1709bb3bfd6aefcfa4aef236af5f270fa7
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/599176
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
The algorithm that determines priority for a report
relies on the affected modules. Sometimes not all affected
modules are known at the outset (e.g., because they are
fixed during report creation).
Ensure that we don't accidentally create UNREVIEWED reports
which are high priority by re-checking the priority of a report
after creating it. As an extra safeguard, also do this check in
the TestLintReports function which acts as a presubmit check.
This involves some refactoring of the priority algorithm. The only
change to the fundamental behavior is that an override list
now exists, where we can add modules that should always have a
certain priority regardless of what the priority algorithm would
say.
Also, the xref command now additionally prints out the priority decision
for a report.
Change-Id: Ia3301022678d7392fb3deb059f9a248dcb153ecc
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/598415
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Very minor tweaks:
- Remove (c) pseudosymbol.
- Remove "All Rights Reserved."
- Change "Google Inc." (no longer exists) to "Google LLC".
[git-generate]
echo '
,s/\(c\) //
,s/ All rights reserved.//
,s/Google Inc./Google LLC/
w
q
' | sam -d LICENSE
Change-Id: I1b38c9645228a4669ff017ff995d2b8518afb55b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/598531
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Auto-Submit: Russ Cox <rsc@golang.org>
Adds a command that makes it easier to withdraw an
existing report.
Usage:
$ vulnreport -reason="..." withdraw NNN
Change-Id: Iabe6c1a4b0d0ce15692bb6be743876a790dec437
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595996
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
This was a backup option in case osv.dev did not have the GHSA yet;
this is no longer needed now that we're pulling directly from GitHub.
Change-Id: Ib5a1b9752eac1efe2a91ef0403771d5575180402
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/597755
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Fetch GHSA OSV from github.com/github/advisory-database instead
of osv.dev, as osv.dev sometimes makes edits to the OSV or has
an older version of it.
Unfortunately this requires making two HTTP requests: the first to
determine the published year/month of the GHSA from api.github.com,
and the second to pull the OSV from the GHSA database git repo. There
is no way (that I am aware of) to make a direct API call to get GHSAs
in OSV format.
Change-Id: I8bfd580b1e8ee38f9bc6b8afb08415e0de1a3040
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/597735
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
In the inspect command, display stats on the number of
withdrawn and unreviewed reports in the corpus.
Change-Id: I724a4f2bc00dbe279c2b20ecd9da5fcd961c029c
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/596181
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
For first-party reports where we have assigned our own CVE,
auto-populate "cve_metadata" instead of "cves".
Change-Id: Ifa23ece087f03a294e07ba4fba4267a0de890431
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/596179
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
For unreviewed reports with "non_go_versions", add an explanation
that the versions list may not match external advisories to the
"details" section of the OSV.
In the future, this should probably be part of the pkgsite UI, or embedded
in a structured OSV field, instead of placed in the OSV details, but it is
causing enough confusion that it seems worth it to clarify this sooner rather
than later.
Change-Id: Id1409182f7fdef37c0a781d6e2ba06b1fc57c080
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/596182
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
- data/reports/GO-2024-2965.yaml
Fixes golang/vulndb#2965
Change-Id: Ie7d4aa18bd5f26132a0af9cc8a377645984f15e6
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/596495
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Tim King <taking@google.com>
- data/excluded/GO-2024-2960.yaml
Fixes golang/vulndb#2960
Change-Id: I233033892ec64baa67d3876b6e78b21058761c57
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595965
Reviewed-by: Tim King <taking@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>