vulndb/internal/audit: filter affected fields in vulnerabilities

Filtering of vulnerabilities did not filter affected fields. This can
lead to false positives. For instance, filtering would deem a
vulnerability applicable to the current user code if a single affected
field applies to it. Other affected fields would be kept too even though
they might not apply to the code. If the code uses packages and symbols
related to these non-applicable affected fields, audit will report them.
The most prominent example of this is YAML vulnerability. This CL
filters affected fields as well.

Change-Id: I92a521a7eeadf12376a3c42f4fe69769ee1c3637
Run-TryBot: Zvonimir Pavlinovic <>
TryBot-Result: Go Bot <>
Reviewed-by: Julie Qiu <>
Reviewed-by: Roland Shoemaker <>
Trust: Julie Qiu <>
2 files changed
tree: 735290ba51dcbeb7b144d44677ee3302a2633f1e
  1. apidiff/
  2. cmd/
  3. ebnf/
  4. ebnflint/
  5. errors/
  6. event/
  7. fsnotify/
  8. inotify/
  9. internal/
  10. io/
  11. jsonrpc2/
  12. mmap/
  13. rand/
  14. shiny/
  15. shootout/
  16. sumdb/
  17. utf8string/
  18. vulndb/
  19. winfsnotify/
  20. .gitattributes
  21. .gitignore
  23. codereview.cfg
  26. go.mod
  27. go.sum



This subrepository holds experimental and deprecated (in the old directory) packages.

The idea for this subrepository originated as the pkg/exp directory of the main repository, but its presence there made it unavailable to users of the binary downloads of the Go installation. The subrepository has therefore been created to make it possible to go get these packages.

Warning: Packages here are experimental and unreliable. Some may one day be promoted to the main repository or other subrepository, or they may be modified arbitrarily or even disappear altogether.

In short, code in this subrepository is not subject to the Go 1 compatibility promise. (No subrepo is, but the promise is even more likely to be violated by go.exp than the others.)

Caveat emptor.