This report is a low-impact vulnerability that is causing too many
false positives. Withdraw it for now to mitigate impact.
Updates golang/vulndb#2527
Updates golang/vulndb#2952
Change-Id: Iffad648eecbbda67e49a962592a33df9232f5fbb
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595995
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

Move removal of description and packages (for UNREVIEWED reports)
to report.New so that these actions can be tested more easily.
Change-Id: Ie533f3ef5642f0866c91c28010482eec1d844739
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595275
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

A number of improvements to automatic version handling, including:
- Split version lists by major version rather than failing if they
  are inconsistent
- Assume all previous major versions (that exist) are affected
- Put "non-Go" and "unsupported" version lists in their corresponding
  major version (if it exists)
- Improve the guessVulnerableAt algorithm by adding consistency checks
Change-Id: I9737dbd7d21848570b8e469804628c0e0a3b0a89
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/594899
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

Don't spellcheck testdata/ files or the file containing known
misspellings.
Change-Id: Id9b7ff1050a091901904722fc6bdc7bb595b4574
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595384
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

For now, use a hard-coded list of words we've seen spelled
incorrectly.
Change-Id: I48ac311eb87214463d5c20a685dbfcb96a96df0a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595315
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

Instead of storing version ranges as structs with paired
Introduced/Fixed versions, follow the OSV convention of
considering each version as its own object with an associated
type.
This simplifies operations such as sorting and merging version
lists, making it easier for us to improve automation.
The only effect on the user (vulndb maintainer) is that the
YAML syntax is now:

    - introduced: xxx
    - fixed: xxx

instead of

    - introduced: xxx
      fixed: xxx

As a convenience, however, the old format is still accepted for
writing reports. (However, it will be automatically converted to the
new format when vulnreport fix is run).
A follow-up CL will make this change for all existing YAML reports.
This will NOT affect the published OSV files.
Change-Id: I91c524b311be5230db5d382f77de4a8e0cd1dda7
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/593820
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

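As an added illustration of the data-model change this commit describes (example code written here, not vulndb's own), the Go snippet below converts the old paired Introduced/Fixed ranges into OSV-style per-version events, sorts them, and merges ranges that are contiguous. The type and function names are assumed, and versions are assumed to be plain x.y.z with no pre-release tag.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Assumed shapes for this example, not vulndb's own types (old paired form vs. OSV-style events).
type LegacyRange struct{ Introduced, Fixed string }
type VersionEvent struct{ Type, Version string }

// sortKey zero-pads numeric parts so "v1.9.0" < "v1.10.0" as strings; assumes x.y.z, no pre-release.
func sortKey(v string) string {
	parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
	for i, p := range parts {
		n, _ := strconv.Atoi(p)
		parts[i] = fmt.Sprintf("%08d", n)
	}
	return strings.Join(parts, ".")
}

// ToEvents flattens paired ranges into one version-sorted list; at equal versions "fixed" sorts first.
func ToEvents(ranges []LegacyRange) []VersionEvent {
	var evs []VersionEvent
	for _, r := range ranges {
		evs = append(evs, VersionEvent{"introduced", r.Introduced})
		if r.Fixed != "" { // no fixed version: still vulnerable
			evs = append(evs, VersionEvent{"fixed", r.Fixed})
		}
	}
	sort.SliceStable(evs, func(i, j int) bool {
		ki, kj := sortKey(evs[i].Version), sortKey(evs[j].Version)
		return ki < kj || (ki == kj && evs[i].Type == "fixed" && evs[j].Type == "introduced")
	})
	return evs
}

// MergeEvents drops "fixed: X" directly followed by "introduced: X": the module was never unaffected at X.
func MergeEvents(evs []VersionEvent) (out []VersionEvent) {
	for i := 0; i < len(evs); i++ {
		if i+1 < len(evs) && evs[i].Type == "fixed" && evs[i+1].Type == "introduced" && sortKey(evs[i].Version) == sortKey(evs[i+1].Version) {
			i++ // skip both events
			continue
		}
		out = append(out, evs[i])
	}
	return out
}
```

With the constructed input {1.2.0, 1.3.0}, {1.0.0, 1.2.0}, {2.0.0, open} the result is the three events introduced 1.0.0, fixed 1.3.0, introduced 2.0.0, which is the list the new YAML form writes one item per line.
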
Fix a bug in which an advisory link was sometimes not added.
This bug occurred because, if an existing link containing the source
alias was found (regardless of whether the link was marked as an
advisory), no advisory was added.
Change-Id: I21357453d6610f9ecd58da44feb8020a8cfa1444
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/593819
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

There is an unknown bug causing unmarshal for OSV Severity field
to not work.
We don't use this field, so to work around this issue for now,
simply ignore the Severity field.
To do this, the dependency on osv-scanner was removed and the
relevant files were copied and modified as needed.
Change-Id: I956ea5d2c9c19f2992e6a1c9b723cea35f5e92d6
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/593817
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

Record the reason a report was previously excluded when
unexcluding it. This will allow us to take this info into account
when deciding the priority of new reports.
Change-Id: I6ad08f28ca7f9bec78280f30db35b0b6546085db
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592776
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

1) For commit, allow the user to specify a batch size with -batch=X
2) For fix, allow the user to skip all non-lint checks with -skip-checks
Change-Id: I1a42e793cecae6f3086c613e63f410e664f4cce8
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592758
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

When using the existing corpus to prioritize new vulnerabilities,
treat unreviewed unexcluded reports the same as likely-binary excluded
reports.
Change-Id: Id803d05ecd33b4486086acac8ff124977b3725ef
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592777
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

Previously, vulnreport triage only considered a subset of open
issues (namely, the ones being processed by the command) when
looking for duplicates. This meant that the command only worked
properly when operating on all open issues.
The command now considers all open issues when looking for duplicates.
Change-Id: Iefe17a46503e50bccdd7dc43561999aa1fae4db0
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592757
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

Command vulnreport review converts an unreviewed report
to a reviewed one, regenerating the report from the latest
version of the source and leaving TODOs as appropriate.
Change-Id: Ifc2bf85b00e5495852af6bd5086b6dc402cbebb2
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592775
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

Adds a command that allows the user (authenticated as a CNA) to
"reject" a CVE that will never be published.
This is intended for CVEs that were reserved but will never be assigned
to a vulnerability because, e.g., the year is not current.
Change-Id: Id60a0e5417d43e791ada898ff83bcef2563c2322
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592435
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

Issues labeled OUT_OF_SCOPE should not get a report at all,
so skip them in "vulnreport create".
Change-Id: Ic7051c1ca96e1836653f4f5fc5633a771ccec805
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592455
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

Adds a test framework that allows tests to inject fake/mock
dependencies into the vulnreport commands and record the expected
output of commands.
Some subcommand tests are left as TODOs, as they require additional
fake/mock dependencies that haven't been implemented yet.
Change-Id: I25f6085f2297e5b9d916f0927c1111ac2b49bef8
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/590038
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

The module scanning functionality is no longer used, so remove it.
Change-Id: Iade894e3f0bb3efa55b3a75082896a1070bdc326
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/588760
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

Where possible, unify Firestore operations so that there
are not separate functions for adding/updating/fetching
a record based on its type (CVE/GHSA). The intended operation
is inferred by given ID(s).
Change-Id: Ic82e3ab4c9d519c3101f95444bc0ad306fa2a14e
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/588759
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

Rename CVERecord->CVE4Record and GHSARecord->LegacyGHSARecord.
Both of these need to be updated to support CVE JSON 5 and
GHSA OSV record formats, respectively, so this change makes
it more clear where the old formats are being relied on.
Change-Id: Ib339f0addbc16c37ed03383d64e7cdb30165f366
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/588758
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

Refactor worker code so that the body of issues created from
CVEs and GHSAs has the same basic structure.
Change-Id: Icf082de5642fbb2c13bbb0478916afed52548585
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/586139
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>