Google Git
Sign in
go / vuln / cc4c4f602ae125268e41741fa9829e554cacf230^! / .
commitcc4c4f602ae125268e41741fa9829e554cacf230[log] [tgz]
authorJulie Qiu <julie@golang.org>Wed May 25 10:03:03 2022 -0400
committerJulie Qiu <julieqiu@google.com>Wed May 25 14:20:57 2022 +0000
treefb0417d6a1f556a9bca842cfbecb49cc184320de
parentb36e3c1fa06a9eb6c8f6b0b4029d1d5a6f8f785e [diff]
osv: document EcosystemSpecific

Change-Id: I48b93b0bf9afb10045d0de0da7095946fef563aa
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/408315
Run-TryBot: Julie Qiu <julie@golang.org>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Hyang-Ah Hana Kim <hyangah@gmail.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

diff --git a/osv/json.go b/osv/json.go
index 8964220..2289a13 100644
--- a/osv/json.go
+++ b/osv/json.go

@@ -3,7 +3,7 @@
 // license that can be found in the LICENSE file.
 
 // Package osv implements the OSV shared vulnerability
-// format, as defined by https://github.com/ossf/osv-schema.
+// format, as defined by https://ossf.github.io/osv-schema.
 //
 // As this package is intended for use with the Go vulnerability
 // database, only the subset of features which are used by that
@@ -119,10 +119,33 @@
 	URL string `json:"url"`
 }
 
+// EcosystemSpecific contains additional information about the vulnerability
+// for the Go ecosystem.
 type EcosystemSpecific struct {
+	// Symbols is the collection of functions and methods names affected by
+	// this vulnerability. Methods are listed as <recv>.<method>.
+	//
+	// If included, only programs which use these symbols will be marked as
+	// vulnerable. If omitted, any program which imports this module will be
+	// marked vulnerable.
+	//
+	// These should be the symbols initially detected or identified in the CVE
+	// or other source.
 	Symbols []string `json:"symbols,omitempty"`
-	GOOS    []string `json:"goos,omitempty"`
-	GOARCH  []string `json:"goarch,omitempty"`
+
+	// GOOS is the execution operating system where the symbols appear, if
+	// known.
+	//
+	// At the moment, this information is not provided by the Go
+	// vulnerability database.
+	GOOS []string `json:"goos,omitempty"`
+
+	// GOARCH specifies the execution architecture where the symbols appear, if
+	// known.
+	//
+	// At the moment, this information is not provided by the Go
+	// vulnerability database.
+	GOARCH []string `json:"goarch,omitempty"`
 }
 
 // Entry represents a OSV style JSON vulnerability database