| commit | d14ac60d7feb04789d10f8b5dd283a6d6a030bdf | |
|---|---|---|
| author | Hana (Hyang-Ah) Kim <hyangah@gmail.com> | Thu Oct 20 20:38:29 2022 -0400 |
| committer | Hyang-Ah Hana Kim <hyangah@gmail.com> | Fri Oct 21 17:36:15 2022 +0000 |
| tree | 5cd97d1d6621cad36ea9864004bc81b17e71af23 | |
| parent | 1067db0d0dda44ee75d06fd1802666efdd173898 | |
internal/vulns: handle osv.Entry with multiple modules correctly

VulnsForPackage returns all vulnerabilities affecting a package in a module version, but when the package param is empty, this is supposed to return all vulnerabilities affecting "any" package in a module version. Pkgsite uses this mode when computing the vulnerability affecting a module (for the version tab).

An osv.Entry may carry information about a vulnerability that affects multiple modules. For example, GO-2022-0229 affects a package in Go standard library (stdlib module) and a package in golang.org/x/crypto module.

Unfortunately, VulnsForPackage did not check the module name equality -- the module name info was added to VulnDB osv.Entry much later after this code was written. When VulnsForPackage was used to retrieve vulns for a given package, it wasn't an issue because the package name equality check would prevent picking a wrong osv.Affected entry. However, when it was used to retrieve vulns for a module, this bug caused it to select a vulnerability only based on the range info and behave incorrectly when multiple modules with different version ranges exist.

This change adds the missing check on module name equality. Also, it makes TestVulnsForPackage a table-driven test and adds the case where osv.Entry carries packages from different modules.

Fixes golang/go#56357

Change-Id: I58c7a21d543e510030e1ebddec907ebbd303f70f
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/444679
Reviewed-by: Jamal Carvalho <jamal@golang.org>
Run-TryBot: Hyang-Ah Hana Kim <hyangah@gmail.com>
TryBot-Result: kokoro <noreply+kokoro@google.com>
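The failure mode the commit message describes, reproduced as an added example (this is not pkgsite's own code and not the real `internal/vulns` implementation): a single entry that lists two modules with different version ranges, queried in the "any package in the module" mode. The `Range`, `Affected` and `Entry` types, the `parseSemver`/`less` version comparison, the package names `crypto/pkga` and `golang.org/x/crypto/pkgb`, and the version ranges are all assumptions constructed for the demo; the real `osv` types carry more fields and pkgsite compares versions with `golang.org/x/mod/semver`. The `checkModule` flag exists only so the pre-fix and post-fix behaviour can be run side by side.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Simplified stand-ins for osv.Entry / osv.Affected (assumption: the real
// golang.org/x/vuln types carry more fields; only what the lookup needs is here).
type Range struct {
	Introduced string // inclusive lower bound; "" means from the first version
	Fixed      string // exclusive upper bound; "" means no fixed version yet
}

type Affected struct {
	Module   string   // module path, e.g. "stdlib" or "golang.org/x/crypto"
	Packages []string // import paths inside that module
	Ranges   []Range
}

type Entry struct {
	ID       string
	Affected []Affected
}

// parseSemver turns "vMAJOR.MINOR.PATCH[-pre][+build]" into three integers;
// pre-release and build suffixes are ignored in this simplified comparison.
func parseSemver(v string) [3]int {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for i, part := range strings.SplitN(v, ".", 3) {
		out[i], _ = strconv.Atoi(part)
	}
	return out
}

// less reports whether version a is older than version b.
func less(a, b string) bool {
	pa, pb := parseSemver(a), parseSemver(b)
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// inRanges reports whether version falls inside any [Introduced, Fixed) interval.
func inRanges(version string, ranges []Range) bool {
	for _, r := range ranges {
		if r.Introduced != "" && less(version, r.Introduced) {
			continue
		}
		if r.Fixed != "" && !less(version, r.Fixed) {
			continue
		}
		return true
	}
	return false
}

func containsString(ss []string, s string) bool {
	for _, x := range ss {
		if x == s {
			return true
		}
	}
	return false
}

// vulnsForPackage returns the IDs of entries affecting pkg at the given module
// version; an empty pkg means "any package in the module" (the mode pkgsite uses
// for a module's version tab). checkModule toggles the module-path comparison so
// the pre-fix behaviour described in the commit can be reproduced.
func vulnsForPackage(entries []Entry, module, pkg, version string, checkModule bool) []string {
	var ids []string
	for _, e := range entries {
		for _, a := range e.Affected {
			if checkModule && a.Module != module {
				continue // the equality check the commit adds
			}
			if pkg != "" && !containsString(a.Packages, pkg) {
				continue // package-name check that masked the bug in per-package mode
			}
			if inRanges(version, a.Ranges) {
				ids = append(ids, e.ID)
				break // one matching osv.Affected per entry is enough
			}
		}
	}
	return ids
}

// Constructed entry modelled on the commit's description of GO-2022-0229: one
// vulnerability affecting a stdlib package and a golang.org/x/crypto package with
// different version ranges. Package names and ranges are made up for the demo.
var sampleEntries = []Entry{{
	ID: "GO-2022-0229",
	Affected: []Affected{
		{Module: "stdlib", Packages: []string{"crypto/pkga"},
			Ranges: []Range{{Introduced: "v1.0.0", Fixed: "v1.17.5"}}},
		{Module: "golang.org/x/crypto", Packages: []string{"golang.org/x/crypto/pkgb"},
			Ranges: []Range{{Introduced: "v0.0.0"}}}, // open-ended: no fix in this sample
	},
}}

func main() {
	// stdlib v1.17.5 is past the stdlib fix, so the module is clean with the check...
	fmt.Println("with module check:   ", vulnsForPackage(sampleEntries, "stdlib", "", "v1.17.5", true))
	// ...but without it the open-ended x/crypto range matches and the module is flagged.
	fmt.Println("without module check:", vulnsForPackage(sampleEntries, "stdlib", "", "v1.17.5", false))
}
```

The per-package query (`pkg != ""`) gives the same answer with or without the module check, which is why the bug only surfaced when pkgsite asked for all vulnerabilities of a module: with an empty package name the only remaining filter was the version range, and the range of an unrelated module in the same entry was enough to produce a false positive.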
Pkg.go.dev is a website for discovering and evaluating Go packages and modules.
You can check it out at https://pkg.go.dev.
Pkgsite requires Go 1.19 to run. The last commit that works with Go 1.18 is 9ffe8b928e4fbd3ff7dcf984254629a47f8b6e63. The last commit that works with Go 1.17 is 4d836c6a652cde92f433967680dfd6171a91ec12.
If you want to report a bug or have a feature suggestion, please first check the known issues to see if your issue is already being discussed. If an issue does not already exist, feel free to file an issue.
For answers to frequently asked questions, see pkg.go.dev/about.
You can also chat with us on the #pkgsite Slack channel on the Gophers Slack.
We would love your help!
Our canonical Git repository is located at go.googlesource.com/pkgsite. There is a mirror of the repository at github.com/golang/pkgsite.
To contribute, please read our contributing guide.
Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.