internal/vulns: handle osv.Entry with multiple modules correctly

VulnsForPackage returns all vulnerabilities affecting a package
in a module version, but when the package param is empty, this
is supposed to return all vulnerabilities affecting "any" package
in a module version. Pkgsite uses this mode when computing the
vulnerability affecting a module (for the version tab).

An osv.Entry may carry information about a vulnerability that
affects multiple modules. For example, GO-2022-0229 affects
a package in Go standard library (stdlib module) and a package
in golang.org/x/crypto module.

Unfortunately, VulnsForPackage did not check the module name
equality -- the module name info was added to VulnDB osv.Entry
much later after this code was written. When VulnsForPackage
was used to retrieve vulns for a given package, it wasn't an
issue because the package name equality check would prevent
picking a wrong osv.Affected entry. However, when it was used
to retrieve vulns for a module, this bug caused it to select
a vulnerability only based on the range info and behave incorrectly
when multiple modules with different version ranges exist.

This change adds the missing check on module name equality.
Also, it makes TestVulnsForPackage a table-driven test
and adds the case where osv.Entry carries packages from different
modules.

Fixes golang/go#56357

Change-Id: I58c7a21d543e510030e1ebddec907ebbd303f70f
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/444679
Reviewed-by: Jamal Carvalho <jamal@golang.org>
Run-TryBot: Hyang-Ah Hana Kim <hyangah@gmail.com>
TryBot-Result: kokoro <noreply+kokoro@google.com>
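The matching logic the commit message describes, as an added Go example that is not pkgsite's own code: a simplified model of an OSV entry whose Affected blocks span two modules with different fixed versions, and a lookup that can run with or without the module-path comparison so the pre-fix and post-fix behaviour can be compared. The types, the advisory ID "GO-EXAMPLE-0001", the package paths and the version ranges are all constructed for illustration; they are not the real osv package types or the real data of GO-2022-0229.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Minimal stand-ins for the OSV shapes this example needs (constructed here;
// not the real osv.Entry / osv.Affected types).
type RangeEvent struct{ Introduced, Fixed string } // exactly one field is set
type Range struct{ Events []RangeEvent }          // SEMVER range, events ascending
type Affected struct {
	Module   string   // module path, e.g. "stdlib" or "golang.org/x/crypto"
	Packages []string // import paths of the affected packages in that module
	Ranges   []Range
}
type Entry struct {
	ID       string
	Affected []Affected
}

// parseVersion turns "v1.17.7" into {1,17,7}; a pre-release/build suffix is ignored.
func parseVersion(v string) [3]int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		out[i], _ = strconv.Atoi(p)
	}
	return out
}

// compareVersions returns -1, 0 or 1; OSV's "0" (affected from the first
// version) sorts below every real version.
func compareVersions(a, b string) int {
	switch {
	case a == "0" && b == "0":
		return 0
	case a == "0":
		return -1
	case b == "0":
		return 1
	}
	pa, pb := parseVersion(a), parseVersion(b)
	for i := range pa {
		if pa[i] < pb[i] {
			return -1
		}
		if pa[i] > pb[i] {
			return 1
		}
	}
	return 0
}

// affectsVersion walks each range's ordered events: an "introduced" at or
// below version opens the affected window, a "fixed" at or below it closes it.
func affectsVersion(a Affected, version string) bool {
	for _, r := range a.Ranges {
		inRange := false
		for _, e := range r.Events {
			if e.Introduced != "" && compareVersions(version, e.Introduced) >= 0 {
				inRange = true
			}
			if e.Fixed != "" && compareVersions(version, e.Fixed) >= 0 {
				inRange = false
			}
		}
		if inRange {
			return true
		}
	}
	return false
}

func hasPackage(a Affected, pkgPath string) bool {
	for _, p := range a.Packages {
		if p == pkgPath {
			return true
		}
	}
	return false
}

// vulnIDs returns the IDs of entries with an Affected block matching
// modulePath at version and, when pkgPath is non-empty, also pkgPath.
// checkModule=false reproduces the behaviour before the fix: only the version
// range (and the package name, if given) is consulted.
func vulnIDs(entries []Entry, modulePath, version, pkgPath string, checkModule bool) []string {
	var ids []string
	for _, e := range entries {
		for _, a := range e.Affected {
			if checkModule && a.Module != modulePath {
				continue
			}
			if pkgPath != "" && !hasPackage(a, pkgPath) {
				continue
			}
			if affectsVersion(a, version) {
				ids = append(ids, e.ID)
				break
			}
		}
	}
	return ids
}

// sampleEntries is a constructed advisory spanning two modules with different
// fixed versions, the situation the commit message describes.
var sampleEntries = []Entry{{
	ID: "GO-EXAMPLE-0001",
	Affected: []Affected{
		{Module: "stdlib", Packages: []string{"crypto/elliptic"},
			Ranges: []Range{{Events: []RangeEvent{{Introduced: "0"}, {Fixed: "v1.17.7"}}}}},
		{Module: "golang.org/x/crypto", Packages: []string{"golang.org/x/crypto/somepkg"},
			Ranges: []Range{{Events: []RangeEvent{{Introduced: "0"}, {Fixed: "v0.5.0"}}}}},
	},
}}

func main() {
	// golang.org/x/crypto v0.6.0 is past its fix, but without the module check
	// the stdlib range (0 <= v0.6.0 < v1.17.7) matches and the module is
	// wrongly reported as vulnerable.
	fmt.Println("without module check:", vulnIDs(sampleEntries, "golang.org/x/crypto", "v0.6.0", "", false))
	fmt.Println("with module check:   ", vulnIDs(sampleEntries, "golang.org/x/crypto", "v0.6.0", "", true))
}
```

The package-name comparison hides the bug in per-package lookups because an import path belongs to exactly one module; the module-level lookup (empty package path) has only the version range to go on, which is why the module path has to be compared as well.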
5 files changed
tree: 5cd97d1d6621cad36ea9864004bc81b17e71af23
README.md

Pkg.go.dev

A site for discovering Go packages

Pkg.go.dev is a website for discovering and evaluating Go packages and modules.

You can check it out at https://pkg.go.dev.

Requirements

Pkgsite requires Go 1.19 to run. The last commit that works with Go 1.18 is 9ffe8b928e4fbd3ff7dcf984254629a47f8b6e63. The last commit that works with Go 1.17 is 4d836c6a652cde92f433967680dfd6171a91ec12.

Issues

If you want to report a bug or have a feature suggestion, please first check the known issues to see if your issue is already being discussed. If an issue does not already exist, feel free to file an issue.

For answers to frequently asked questions, see pkg.go.dev/about.

You can also chat with us on the #pkgsite Slack channel on the Gophers Slack.

Contributing

We would love your help!

Our canonical Git repository is located at go.googlesource.com/pkgsite. There is a mirror of the repository at github.com/golang/pkgsite.

To contribute, please read our contributing guide.

License

Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.