Blergh, all incompatible versions of github.com/go-yaml/yaml are vulnerable,
so add it back with an empty versions list.

Change-Id: I881192ea57e4be02fb534d7a1f2951a004c7e648
Reviewed-on: https://team-review.git.corp.google.com/c/golang/vulndb/+/1055920
Reviewed-by: Roland Shoemaker <bracewell@google.com>

Results of testing new CVE triaging tooling. Also adds a file which
tracks which CVEs have been triaged. Still need to add all of the
false positives, but would like to fine tune the triage tooling first
to hopefully cut down the number of them.

Change-Id: I7591b10f5abc5e73b6a3291beeaedca0032ad02f
Reviewed-on: https://team-review.git.corp.google.com/c/golang/vulndb/+/1053804
Reviewed-by: Roland Shoemaker <bracewell@google.com>

fsCache is the only cache implementation available. In order to be
integrated in goaudit, it needs to be made publicly accessible as
go audit and cache do not live in the same repo. fsCache will be made
private again once go audit and client live in the same space in the
near future.

Change-Id: I4dd86f407ce83f2162e8a1921f86643bbefdd456
Reviewed-on: https://team-review.git.corp.google.com/c/golang/vulndb/+/1033548
Reviewed-by: Roland Shoemaker <bracewell@google.com>

Check the proxy to determine valid versions and canonical module
import paths. This should prevent rogue database entries that
do not cleanly apply to real go.mod files.

Change-Id: Iea1b531fe5bed7a0825102c6ac877a515f24c0f5
Reviewed-on: https://team-review.git.corp.google.com/c/golang/vulndb/+/1032616
Reviewed-by: Roland Shoemaker <bracewell@google.com>

github.com/dgrijalva/jwt-go is not a module per se. Hence, its pkg
versions require +incompatible annotation. Also, corresponding pkgs do
not have /vX suffixes.

Change-Id: I434b1a6af7ecd22b161d344a2ffe115fa9b883e9
Reviewed-on: https://team-review.git.corp.google.com/c/golang/vulndb/+/1027982
Reviewed-by: Roland Shoemaker <bracewell@google.com>

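The path and version rule behind the two `+incompatible` commit messages above (github.com/go-yaml/yaml and github.com/dgrijalva/jwt-go), as an added Go example that is not code from the vulndb repository. `CheckEntry` is a hypothetical helper and the version strings are constructed samples; the check is syntactic only, so whether a module and version actually exist still has to be confirmed against the proxy.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

var (
	// Trailing major-version suffix on a module path, e.g. "/v2".
	majorSuffix = regexp.MustCompile(`/v([0-9]+)$`)
	// vMAJOR.MINOR.PATCH with optional pre-release and build metadata.
	semver = regexp.MustCompile(`^v([0-9]+)\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$`)
)

// CheckEntry (hypothetical helper) returns an error when a module path and
// version cannot appear together in a go.mod file. It is a syntactic check
// only; gopkg.in-style ".vN" paths are out of scope.
func CheckEntry(modPath, version string) error {
	m := semver.FindStringSubmatch(version)
	if m == nil {
		return fmt.Errorf("%q is not a semantic version", version)
	}
	major, _ := strconv.Atoi(m[1])
	incompatible := m[3] == "+incompatible"
	if s := majorSuffix.FindStringSubmatch(modPath); s != nil {
		pathMajor, _ := strconv.Atoi(s[1])
		switch {
		case pathMajor < 2:
			return fmt.Errorf("%s: /v%d suffix is not allowed", modPath, pathMajor)
		case incompatible:
			return fmt.Errorf("%s: +incompatible cannot be used with a /vN path", modPath)
		case major != pathMajor:
			return fmt.Errorf("%s: path wants v%d, version is v%d", modPath, pathMajor, major)
		}
		return nil
	}
	// No suffix: v2+ versions must carry +incompatible, and only they may.
	if (major >= 2) != incompatible {
		return fmt.Errorf("%s@%s: +incompatible must be present exactly for v2+", modPath, version)
	}
	return nil
}

func main() {
	// Constructed sample versions for the module named in the commit message.
	fmt.Println(CheckEntry("github.com/dgrijalva/jwt-go", "v3.2.0"))
	fmt.Println(CheckEntry("github.com/dgrijalva/jwt-go", "v3.2.0+incompatible"))
}
```
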
Some vulnerabilities, such as GO-2020-0002.toml, do not have CVE
metadata. Accessing CVEMetadata.ID without checking if CVEMetadata is
nil can lead to a nil dereference.

Change-Id: I06a24a7d80a0e8be768af198a1b6254f15de98d3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/vulndb/+/1026682
Reviewed-by: Roland Shoemaker <bracewell@google.com>