Google Git
Sign in
go / vuln / 0396c4c102e274da19a8eb032d2b84198d1709c9^! / .
commit0396c4c102e274da19a8eb032d2b84198d1709c9[log] [tgz]
authorJulie Qiu <julie@golang.org>Wed Mar 23 16:46:59 2022 -0400
committerJulie Qiu <julie@golang.org>Wed Mar 23 21:17:57 2022 +0000
tree8854b0f5dc857d7035419ab9b7d2122739ae4261
parente77e5878722729461d17191b83aca1e0562bd89b [diff]
doc: split README.md contents to vulndb.md

The README.md is modified to reflect that govulncheck and the vulncheck
API now live in this repository.

Information about the vulnerability database protocol is moved to
doc/vulndb.md.

Change-Id: Id85ddb1523a8ad8894542635981a37b446a9bb2e
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/395275
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>

diff --git a/README.md b/README.md
index 8a89c2b..2ae14e8 100644
--- a/README.md
+++ b/README.md

@@ -1,47 +1,15 @@
-# Go Vulnerability Database
+# Go Vulnerability Management
 
 [![Go Reference](https://pkg.go.dev/badge/golang.org/x/vuln.svg)](https://pkg.go.dev/golang.org/x/vuln)
 
-This repository contains code for hosting the Go Vulnerability Database. The
-actual reports can be found at [x/vulndb](https://go.googlesource.com/vulndb).
+This repository contains the following:
 
-Neither the code, nor the data, nor the existence of this repository is to be
-considered stable. See the
-[Draft Design](https://golang.org/design/draft-vulndb) for details on this
-project.
+- Package client: a client for interacting with the Go vulnerability database
+- Package vulncheck: an API for detecting vulnerabilities in Go packages
+- Command govulncheck: a CLI for detecting vulnerabilities in Go packages
 
-## Accessing the database
-
-The Go vulnerability database is rooted at
-`https://storage.googleapis.com/go-vulndb` and provides data as JSON. We
-recommend using
-[client.Client](https://pkg.go.dev/golang.org/x/vuln/client#Client) to read
-data from the Go vulnerability database.
-
-Do not rely on the contents of the x/vulndb repository. The YAML files in that
-repository are maintained using an internal format that is subject to change
-without warning.
-
-The endpoints the table below are supported. For each path:
-
-- $base is the path portion of a Go vulnerability database URL (`https://storage.googleapis.com/go-vulndb`).
-- $module is a module path
-- $vuln is a Go vulnerabilitiy ID (for example, `GO-2021-1234`)
-
-| Path                | Description                                                                                                                               |
-| ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
-| $base/index.json    | List of module paths in the database mapped to its last modified timestamp ([link](https://storage.googleapis.com/go-vulndb/index.json)). |
-| $base/$module.json  | List of vulnerability entries for that module ([example](https://storage.googleapis.com/go-vulndb/golang.org/x/crypto.json)).             |
-| $base/ID/index.json | List of all the vulnerability entries in the database                                                                                     |
-| $base/ID/$vuln.json | An individual Go vulnerability report                                                                                                     |
-
-Note that these paths and format are provisional and likely to change until an
-approved proposal.
-
-## Packages
-
-Some of these packages can probably be coalesced, but for now are easier to work
-on in a more segmented fashion.
+The code in this repository is under active development and not to be
+considered stable.
 
 ## License
 

diff --git a/doc/vulndb.md b/doc/vulndb.md
new file mode 100644
index 0000000..ff3d976
--- /dev/null
+++ b/doc/vulndb.md

@@ -0,0 +1,29 @@
+# Go Vulnerability Database
+
+## Accessing the database
+
+The Go vulnerability database is rooted at
+`https://storage.googleapis.com/go-vulndb` and provides data as JSON. We
+recommend using
+[client.Client](https://pkg.go.dev/golang.org/x/vuln/client#Client) to read
+data from the Go vulnerability database.
+
+Do not rely on the contents of the x/vulndb repository. The YAML files in that
+repository are maintained using an internal format that is subject to change
+without warning.
+
+The endpoints the table below are supported. For each path:
+
+- $base is the path portion of a Go vulnerability database URL (`https://storage.googleapis.com/go-vulndb`).
+- $module is a module path
+- $vuln is a Go vulnerabilitiy ID (for example, `GO-2021-1234`)
+
+| Path                | Description                                                                                                                               |
+| ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
+| $base/index.json    | List of module paths in the database mapped to its last modified timestamp ([link](https://storage.googleapis.com/go-vulndb/index.json)). |
+| $base/$module.json  | List of vulnerability entries for that module ([example](https://storage.googleapis.com/go-vulndb/golang.org/x/crypto.json)).             |
+| $base/ID/index.json | List of all the vulnerability entries in the database                                                                                     |
+| $base/ID/$vuln.json | An individual Go vulnerability report                                                                                                     |
+
+Note that these paths and format are provisional and likely to change until an
+approved proposal.