| field | value | date |
|---|---|---|
| commit | c3361ccf1ca7c1360bb26c7513dd185f93a829d1 | |
| author | Zvonimir Pavlinovic <zpavlinovic@google.com> | Wed Sep 22 10:56:17 2021 -0700 |
| committer | Zvonimir Pavlinovic <zpavlinovic@google.com> | Fri Oct 08 18:33:37 2021 +0000 |
| tree | 735290ba51dcbeb7b144d44677ee3302a2633f1e | |
| parent | 5cb4fee858ee0745099079eea6fad206f604f86d | |
vulndb/internal/audit: filter affected fields in vulnerabilities

Filtering of vulnerabilities did not filter affected fields. This can lead to false positives. For instance, filtering would deem a vulnerability applicable to the current user code if a single affected field applies to it. Other affected fields would be kept too even though they might not apply to the code. If the code uses packages and symbols related to these non-applicable affected fields, audit will report them. The most prominent example of this is the YAML vulnerability.

This CL filters affected fields as well.

Change-Id: I92a521a7eeadf12376a3c42f4fe69769ee1c3637
Reviewed-on: https://go-review.googlesource.com/c/exp/+/351454
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Julie Qiu <julie@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Trust: Julie Qiu <julie@golang.org>
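The false positive the commit message describes is easiest to see side by side. The Go below is an added illustration, not code from this commit or from vulndb: the `Affected`, `Vuln`, `applies`, `audit` names and the `lessThan` version comparison are simplified stand-ins, and the YAML advisory, module versions and call sites are constructed sample data. `filterOld` keeps a whole vulnerability once any affected entry applies; `filterNew` keeps only the applicable entries, so the audit step no longer reports calls into a module the build already has at a fixed version.

```go
package main

import "fmt"

// Affected and Vuln are hypothetical, simplified stand-ins for vulndb's
// types: an affected entry names a module, the version that fixes the issue,
// and the vulnerable symbols in that module.
type Affected struct {
	Module  string
	FixedIn string
	Symbols []string
}

type Vuln struct {
	ID       string
	Affected []Affected
}

// lessThan compares "vX.Y.Z" strings numerically; a constructed simplification
// of semantic version comparison that is sufficient for the sample data.
func lessThan(v, fix string) bool {
	var a, b [3]int
	fmt.Sscanf(v, "v%d.%d.%d", &a[0], &a[1], &a[2])
	fmt.Sscanf(fix, "v%d.%d.%d", &b[0], &b[1], &b[2])
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// applies reports whether an affected entry matches the user's build: the
// module must be required at a version below the fix.
func applies(a Affected, modules map[string]string) bool {
	v, ok := modules[a.Module]
	return ok && lessThan(v, a.FixedIn)
}

// filterOld models the bug the commit message describes: a vulnerability is
// kept with all of its affected entries as soon as a single entry applies.
func filterOld(vulns []Vuln, modules map[string]string) []Vuln {
	var out []Vuln
	for _, v := range vulns {
		for _, a := range v.Affected {
			if applies(a, modules) {
				out = append(out, v)
				break
			}
		}
	}
	return out
}

// filterNew also filters the affected entries, keeping only the applicable
// ones; a vulnerability with no applicable entry is dropped.
func filterNew(vulns []Vuln, modules map[string]string) []Vuln {
	var out []Vuln
	for _, v := range vulns {
		var kept []Affected
		for _, a := range v.Affected {
			if applies(a, modules) {
				kept = append(kept, a)
			}
		}
		if len(kept) > 0 {
			out = append(out, Vuln{ID: v.ID, Affected: kept})
		}
	}
	return out
}

// audit reports every call in the user's code to a symbol of a surviving
// affected entry as "module.Symbol"; this is where non-applicable entries
// turn into false positives. Order follows the input slices.
func audit(vulns []Vuln, calls map[string]bool) []string {
	var findings []string
	for _, v := range vulns {
		for _, a := range v.Affected {
			for _, s := range a.Symbols {
				if key := a.Module + "." + s; calls[key] {
					findings = append(findings, key)
				}
			}
		}
	}
	return findings
}

// Constructed sample, not a real report: one advisory covering two major
// versions of a YAML module; the build uses v2 at a fixed version and v3 at a
// vulnerable one, and calls Unmarshal from both.
var (
	sampleVulns = []Vuln{{ID: "EXAMPLE-0001", Affected: []Affected{
		{Module: "example.com/yaml/v2", FixedIn: "v2.2.8", Symbols: []string{"Unmarshal"}},
		{Module: "example.com/yaml/v3", FixedIn: "v3.0.1", Symbols: []string{"Unmarshal"}},
	}}}
	sampleModules = map[string]string{"example.com/yaml/v2": "v2.4.0", "example.com/yaml/v3": "v3.0.0"}
	sampleCalls   = map[string]bool{"example.com/yaml/v2.Unmarshal": true, "example.com/yaml/v3.Unmarshal": true}
)
```

Running `audit` over `filterOld(sampleVulns, sampleModules)` reports both `Unmarshal` calls, although the v2 module is already at a fixed version; over `filterNew` it reports only the v3 call. A build with only the patched v2 module yields no vulnerability at all under the new filter.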
This subrepository holds experimental and deprecated (in the old directory) packages.

The idea for this subrepository originated as the pkg/exp directory of the main repository, but its presence there made it unavailable to users of the binary downloads of the Go installation. The subrepository has therefore been created to make it possible to go get these packages.
Warning: Packages here are experimental and unreliable. Some may one day be promoted to the main repository or other subrepository, or they may be modified arbitrarily or even disappear altogether.
In short, code in this subrepository is not subject to the Go 1 compatibility promise. (No subrepo is, but the promise is even more likely to be violated by go.exp than the others.)
Caveat emptor.