commit | 41b1fc70d0a6d78d8e64b014f85c81345cbc35d3 | [log] [tgz] |
---|---|---|
author | Zvonimir Pavlinovic <zpavlinovic@google.com> | Tue Sep 13 17:28:50 2022 -0700 |
committer | Zvonimir Pavlinovic <zpavlinovic@google.com> | Mon Sep 19 15:53:16 2022 +0000 |
tree | c71f98d013bc119ffd114ba89db7d99c054c49bc | |
parent | 485fff3f2c84d78d2c259d17fbf0d8bb3625ea0b [diff] |
vulncheck: filter affected related but different modules

Consider a report that has vulnerability info for two modules, m1 and m2. An example is GO-2022-0969.yaml. If m1 appears in the program, a vuln client can load vulnerability info for m1 that can also contain info on the related module m2. The vuln client in this repository is an example of this behavior.

This can create problems. If both m1 and m2 are imported by the program at versions at which the vulnerabilities are present, this can result in incorrectly computed latest fix: computing a latest fix for m1 would also consider latest fix for m2.

The current solution is to filter out affected data for m2 from info on vulns of m1. This is simple and should not affect correctness: if m2 is used by the current program, the same vulnerability report will be loaded for m2. This is what vuln client of this repo does.

Change-Id: I752bb96d0b01751c68052f85d8e192bbde37312e
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/430684
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
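As an added illustration of the problem the commit message describes (example code, not code from the x/vuln repository): with simplified OSV-like types and a constructed two-module entry, computing the latest fix over the unfiltered entry picks up m2's fixed version, while filtering to the queried module first yields m1's own fix. The type shapes, module paths and versions are assumptions.

```go
package main

import "fmt"

// Minimal OSV-like shapes, constructed for this example; the real osv
// package nests the module path under "package" and carries more fields.
type Affected struct {
	Module string
	Fixed  []string // "fixed" versions from the affected block's range events
}
type Entry struct{ Affected []Affected }

// filterAffected keeps only the affected blocks for modPath, so a later
// fix computation never sees fixed versions that belong to a related module.
func filterAffected(e Entry, modPath string) Entry {
	var out Entry
	for _, a := range e.Affected {
		if a.Module == modPath {
			out.Affected = append(out.Affected, a)
		}
	}
	return out
}

// less orders "vMAJOR.MINOR.PATCH" strings; a stand-in for semver.Compare.
func less(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// latestFix returns the highest fixed version across all affected blocks.
func latestFix(e Entry) string {
	latest := ""
	for _, a := range e.Affected {
		for _, f := range a.Fixed {
			if latest == "" || less(latest, f) {
				latest = f
			}
		}
	}
	return latest
}

// report is a constructed two-module entry of the kind the commit describes.
var report = Entry{Affected: []Affected{
	{Module: "example.com/m1", Fixed: []string{"v1.2.0"}},
	{Module: "example.com/m2", Fixed: []string{"v3.0.0"}},
}}
```

Without the filter, latestFix(report) reports m2's v3.0.0 as the fix for m1; after filterAffected(report, "example.com/m1") it reports v1.2.0.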
This repository contains packages for accessing and analyzing data from the Go Vulnerability Database. It contains the following:
Check out https://go.dev/security/vuln for more information about the Go vulnerability management system.
The privacy policy for govulncheck can be found at https://vuln.go.dev/privacy.
Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.
Database entries available at https://vuln.go.dev are distributed under the terms of the CC-BY 4.0 license.