Change-Id: I866e9c55973f7a2a921a0cc762a593dbbb16b29d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/469101
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Tim King <taking@google.com>
Run-TryBot: Tim King <taking@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
Fixes two issues with vulnreport's handling of reports in
the standard library:
- No longer overwrites package name with "std"
- No longer populates "cves" field if cve_metadata is present
(cve_metadata indicates we assigned the CVE)
Change-Id: I75892fe2464d54fb9e3e6d077518e5e602103c1b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/468895
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Tim King <taking@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Streamline module/package inference for the standard library, and
add assumption that stdlib or x/ repos have CVEs assigned by the Go
CNA (this isn't the case for some older CVEs, but this will capture
the most common case).
Change-Id: I236f8b2fff0e71611ebdb8c1be32f8ed3673e483
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/467859
Reviewed-by: Tim King <taking@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Avoid adding a TODO for reference types already present in a generated
report.
Change-Id: Ief6e83de23fddd12090c0db4507bce92bfcc2841
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/467857
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Tim King <taking@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Improve "ReferenceType" inference for URLs by allowing more possibilities
and requiring leading and trailing slashes (to reduce false positives).
Change-Id: Ibee7689f88a277aed2776684e45cae7a3d06ec5a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/467856
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Tim King <taking@google.com>
"skip_fix" is not needed in most cases, so remove the automatic TODO
for it in "vulnreport create".
Change-Id: Id18328e54c061cb3d80413a9f4d68b3f9efe102e
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/467858
Reviewed-by: Tim King <taking@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
This allows us to re-use the addGHSA function. Note this does slightly
change the behavior of vulnreport create, as the added GHSAs are not
taken into account when initially creating the report. This does not
matter much with the current implementation, as we arbitrarily choose
one alias to create the report based on.
Change-Id: Ia99eac8aaec603f5fd44f7b9d017957f8147fe06
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/467295
Reviewed-by: Tim King <taking@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: David Chase <drchase@google.com>
Change the default behavior of vulnreport fix to pull in all GHSAs
for existing CVEs (this can be turned off via the flag "skip-ghsa").
Also change the behavior to append to the list of GHSAs instead of
overwriting it.
Change-Id: I1bd8363b4868121b8630e988eee4ed598f995c6d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/466575
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Tim King <taking@google.com>
The current list of packages is mentioned in the ghsa, but 1) fix
mentions only unmarshal package and 2) even the ghsa description
explicitly mentions a file in the unmarshal package (this file is where
fix happens to be placed).
The current CL lists only unmarshal package and adds two symbols
mentioned in the fix. Note that there are no derived symbols since
the only symbol derived in theory is Generate itself, which already
appears in the set of initial symbols.
Updates golang/vulndb#53
Change-Id: I0a71c86de032b7334c8cb71b4cacb947e0a70d2d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/466996
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Pull warnings related to stdlib version into one place and call a new function, IsStdLib, instead of storing a bool "std".
Change-Id: Icbbe5381d0ccd78178ba0eecb8be53a23f06d5f9
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/466663
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Tim King <taking@google.com>
Pull all the functionality into one loop over the modules.
The only behavior change is that we no longer skip a whole report if it contains the "std" module (because some reports contain both "std" and "x/" repos).
Change-Id: Id95f1844d25e672bb11cdcedeea4af5ffe113be5
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/466662
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Tim King <taking@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
v1 does not contain a fix. Our YAML format does not support directly indicating that v2 onwards is fixed, so for now users will need to read the description of the vuln to determine that the fix is to migrate to v2.
Aliases: CVE-2022-31053, GHSA-75rw-34q6-72cr
Updates golang/vulndb#564
Change-Id: I2e39f363ebfbe7387a5bff4535af02f4d3b24d99
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/466659
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Tim King <taking@google.com>
Vulnreport fix now checks packages (e.g., whether a package exists)
even if there are no symbols to check (unless skip_fix is set).
Change-Id: I09935c1f778ed0e08eeb411111177f328d026513
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/466657
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tim King <taking@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Listed package was a module, not a package
Aliases: CVE-2021-3121, GHSA-c3h9-896r-86jm
Updates golang/vulndb#53
Change-Id: Iea87cda17b8b2885331fc5872c700525e37af72b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/466658
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Tim King <taking@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
These GHSAs were found by a modification of the behavior of vulnreport
fix.
Change-Id: I72415e876d84d30f81896108421d5bf998018c4f
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/466576
Reviewed-by: Tim King <taking@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>