vulncheck: filter affected related but different modules

Consider a report that has vulnerability info for two modules, m1 and
m2. An example is GO-2022-0969.yaml. If m1 appears in the program, a
vuln client can load vulnerability info for m1 that can also contain
info on the related module m2. The vuln client in this repository is an
example of this behavior.

This can create problems. If both m1 and m2 are imported by the program
at versions at which the vulnerabilities are present, this can result in
an incorrectly computed latest fix: computing the latest fix for m1 would
also consider the latest fix for m2.

The current solution is to filter out affected data for m2 from info on
vulns of m1. This is simple and should not affect correctness: if m2 is
used by the current program, the same vulnerability report will be
loaded for m2. This is what the vuln client of this repo does.

Change-Id: I752bb96d0b01751c68052f85d8e192bbde37312e
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/430684
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
10 files changed
tree: c71f98d013bc119ffd114ba89db7d99c054c49bc
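As an added illustration (not code from the vuln repository or this change), a simplified version of the filtering described in the commit message: a constructed report carries fixes for two modules, and computing the latest fix over the unfiltered data lets m2's fix leak into m1's result. The `Affected`, `filterAffected` and `latestFix` names, the `example.com` module paths and the version numbers are assumptions.

```go
package main

import "fmt"

// Simplified shape of one OSV affected[] block, constructed for this example
// (not the osv package's own types).
type Affected struct {
	Module string   // affected[].package.name
	Fixed  []string // "fixed" versions from affected[].ranges[].events
}
// filterAffected keeps only blocks for module, dropping data on related
// but different modules that share the same report.
func filterAffected(aff []Affected, module string) []Affected {
	var out []Affected
	for _, a := range aff {
		if a.Module == module {
			out = append(out, a)
		}
	}
	return out
}
// less compares "vMAJOR.MINOR.PATCH" strings numerically.
func less(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	return x[0] < y[0] || x[0] == y[0] && (x[1] < y[1] || x[1] == y[1] && x[2] < y[2])
}

// latestFix returns the highest fixed version across every block it is given.
func latestFix(aff []Affected) string {
	var fix string
	for _, a := range aff {
		for _, f := range a.Fixed {
			if fix == "" || less(fix, f) {
				fix = f
			}
		}
	}
	return fix
}

// sample is a constructed report covering two modules, as GO-2022-0969 does.
var sample = []Affected{
	{Module: "example.com/m1", Fixed: []string{"v1.4.2"}},
	{Module: "example.com/m2", Fixed: []string{"v2.0.1"}},
}

func main() {
	fmt.Println(latestFix(sample), latestFix(filterAffected(sample, "example.com/m1"))) // v2.0.1 v1.4.2
}
```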
README.md

Go Vulnerability Management


This repository contains packages for accessing and analyzing data from the Go Vulnerability Database. It contains the following:

  • Package client: a client for interacting with the Go vulnerability database
  • Package vulncheck: an API for detecting vulnerabilities in Go packages
  • Command govulncheck: a CLI for detecting vulnerabilities in Go packages

Check out https://go.dev/security/vuln for more information about the Go vulnerability management system.

Privacy Policy

The privacy policy for govulncheck can be found at https://vuln.go.dev/privacy.

License

Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Database entries available at https://vuln.go.dev are distributed under the terms of the CC-BY 4.0 license.