Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Include module names #1

Closed
knqyf263 opened this issue Apr 26, 2021 · 5 comments · May be fixed by #2
Closed

Include module names #1

knqyf263 opened this issue Apr 26, 2021 · 5 comments · May be fixed by #2

Comments

@knqyf263
Copy link
Contributor

Hi, thank you for the great database!

Looks like the current JSON API is missing module names. For example, the following YAML file includes the module name as well as the package name.

module: github.com/bytom/bytom
package: github.com/bytom/bytom/p2p/discover

vulndb/reports/GO-2021-0079.yaml

Line 1 in e0c00fa

module: github.com/bytom/bytom

On the other hand, the API doesn't include it.

$ curl https://storage.googleapis.com/go-vulndb/github.com/bytom/bytom/p2p/discover.json | jq .

[
  {
    "ID": "GO-2021-0079",
    "Published": "2021-04-14T12:00:00Z",
    "Modified": "2021-04-14T12:00:00Z",
    "Withdrawn": null,
    "Aliases": [
      "CVE-2018-18206"
    ],
    "Package": {
      "Name": "github.com/bytom/bytom/p2p/discover",
      "Ecosystem": "go"
    },
    "Details": "A malformed query can cause an out-of-bounds panic due to improper\nvalidation of arguments. If processing queries from untrusted\nparties, this may be used as a vector for denial of service\nattacks.\n",
    "Affects": {
      "Ranges": [
        {
          "Type": 2,
          "Introduced": "",
          "Fixed": "v1.0.4-0.20180831054840-1ac3c8ac4f2b"
        }
      ]
    },
    "References": [
      {
        "Type": "code review",
        "URL": "https://github.com/Bytom/bytom/pull/1307"
      },
      {
        "Type": "fix",
        "URL": "https://github.com/Bytom/bytom/commit/1ac3c8ac4f2b1e1df9675228290bda6b9586ba42"
      }
    ],
    "Extra": {
      "Go": {
        "Symbols": [
          "Network.checkTopicRegister"
        ],
        "URL": "https://go.googlesource.com/vulndb/+/refs/heads/main/reports/GO-2021-0079.toml"
      }
    }
  }
]

Is it possible to include it?
@knqyf263 knqyf263 mentioned this issue Apr 28, 2021
Open
@josieang
Copy link
Contributor

josieang commented May 3, 2021

On another note, it seems that "github.com/bytom/bytom/p2p/discover" in the Package.Name field is just a directory, it's not a package or a module. Is the plan to allow vulnerabilities to be associated with directories?

@vearutop
Copy link

Maybe the idea is to check parent "directory" of a package until there is a module match or there is no parent.

@zpavlinovic
Copy link
Contributor

Design of vulnerabilities is coupled with the vulnerability db layout. So the module info is not available in the json file per se, but it can be read from the relative path at which the json file is located in the db.

For instance, given db located at $DBPATH, the module path for json file

$DBPATH/github.com/some/module/foo.json

is github.com/some/module/foo.

@knqyf263 knqyf263 mentioned this issue Sep 4, 2021
Closed
@julieqiu julieqiu mentioned this issue Dec 6, 2021
Closed
@julieqiu
Copy link
Member

julieqiu commented Dec 6, 2021
edited
Loading

Moved to the Go issue tracker: golang/go#50006.

The x/vulndb issue tracker is currently only meant for use by the Go security team for tracking CVEs that should be included in the Go vulnerability database.

@julieqiu julieqiu closed this as completed Dec 6, 2021
@GoVulnBot GoVulnBot mentioned this issue Dec 30, 2022
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/460416 mentions this issue: data/reports: add GHSA to GO-2020-0001.yaml

gopherbot pushed a commit that referenced this issue Jan 3, 2023
@neild
data/reports: add GHSA to GO-2020-0001.yaml
16a8c71 
Aliases: CVE-2020-36567, GHSA-6vm3-jj99-7229

Updates #1
Fixes #1209

Change-Id: I6d09a050d6a3d137de3dfff0b86e6320d226c0f6
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/460416
Run-TryBot: Damien Neil <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Zvonimir Pavlinovic <[email protected]>
@golang golang deleted a comment from ulfatufo Jan 4, 2023
@GoVulnBot GoVulnBot mentioned this issue May 4, 2023
Closed
@GoVulnBot GoVulnBot mentioned this issue May 12, 2023
Closed
gopherbot pushed a commit that referenced this issue Jul 22, 2024
@tatianab
cmd/vulnreport: fix bug in duplicate-finding for triage
6a3e504 
Fix a bug in which the "likely duplicate" label was applied
to all issues that have duplicates on the tracker. (For example,
if #1 and #2 both refer to GHSA-xxxx-yyyy-zzzz, only one of
these should be marked as a duplicate).

This also revealed some bugs in the fake in-memory implementation
of the GHSA API, which are now fixed.

Change-Id: Ifd98befdf3e23f1fc95df38533107de9c921b195
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/599456
Reviewed-by: Damien Neil <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add module knqyf263/vulndb
6 participants
@zpavlinovic @vearutop @knqyf263 @julieqiu @gopherbot @josieang