data/reports: apply vulnreport fix to populate SkipFix
Adding todos for SkipFix fields where needed.
Change-Id: I224e8f9b1cc7a02136c3f9608296dc4378f65cc9
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/464017
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tim King <taking@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
diff --git a/data/reports/GO-2020-0007.yaml b/data/reports/GO-2020-0007.yaml
index 0432f45..255194d 100644
--- a/data/reports/GO-2020-0007.yaml
+++ b/data/reports/GO-2020-0007.yaml
@@ -11,6 +11,7 @@
- ScmpFilter.AddRuleConditional
- ScmpFilter.AddRuleConditionalExact
- ScmpFilter.AddRuleExact
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Filters containing rules with multiple syscall arguments are improperly
constructed, such that all arguments are required to match rather than
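Review bot: the skip_fix value added after ScmpFilter.AddRuleExact is a placeholder ('TODO: fill this out ...'), not a reason, so once merged this report looks the same as one whose skip has been reviewed and justified. Because the same string is applied across the whole change, consider a check that rejects skip_fix values beginning with 'TODO:', or put a tracking issue reference in the value, so the outstanding entries can be found and closed out.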
diff --git a/data/reports/GO-2020-0017.yaml b/data/reports/GO-2020-0017.yaml
index b7d248e..8ab4d84 100644
--- a/data/reports/GO-2020-0017.yaml
+++ b/data/reports/GO-2020-0017.yaml
@@ -14,6 +14,7 @@
- package: github.com/dgrijalva/jwt-go/v4
symbols:
- MapClaims.VerifyAudience
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
If a JWT contains an audience claim with an array of strings, rather
than a single string, and MapClaims.VerifyAudience is called with
diff --git a/data/reports/GO-2020-0021.yaml b/data/reports/GO-2020-0021.yaml
index d7adf4a..4e52e8d 100644
--- a/data/reports/GO-2020-0021.yaml
+++ b/data/reports/GO-2020-0021.yaml
@@ -8,6 +8,7 @@
- GetIssues
- SearchRepositoryByName
- SearchUserByName
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Due to improper santization of user input, a number of methods are
vulnerable to SQL injection if used with user input that has not
diff --git a/data/reports/GO-2020-0027.yaml b/data/reports/GO-2020-0027.yaml
index 8cb2e1f..0df8eca 100644
--- a/data/reports/GO-2020-0027.yaml
+++ b/data/reports/GO-2020-0027.yaml
@@ -8,9 +8,11 @@
- NewHandle
- SetProcessPrivileges
- Handle.StopAsPamUser
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
- package: github.com/google/fscrypt/security
symbols:
- UserKeyringID
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
After dropping and then elevating process privileges euid, guid, and groups
are not properly restored to their original values, allowing an unprivileged
diff --git a/data/reports/GO-2020-0032.yaml b/data/reports/GO-2020-0032.yaml
index 823b8ea..bef8dab 100644
--- a/data/reports/GO-2020-0032.yaml
+++ b/data/reports/GO-2020-0032.yaml
@@ -6,6 +6,7 @@
- package: github.com/goadesign/goa
symbols:
- Controller.FileHandler
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
- module: goa.design/goa
versions:
- fixed: 1.4.3
@@ -13,6 +14,7 @@
- package: goa.design/goa
symbols:
- Controller.FileHandler
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
- module: goa.design/goa/v3
versions:
- fixed: 3.0.9
@@ -20,6 +22,7 @@
- package: goa.design/goa/v3
symbols:
- Controller.FileHandler
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Due to improper santization of user input, Controller.FileHandler allows
for directory traversal, allowing an attacker to read files outside of
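Review bot: this is the third identical placeholder in this file for the same symbol, Controller.FileHandler, under github.com/goadesign/goa, goa.design/goa and goa.design/goa/v3. Resolve the three together so the entries end up with the same skip_fix reason or the same vulnerable_at treatment and do not drift apart.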
diff --git a/data/reports/GO-2020-0039.yaml b/data/reports/GO-2020-0039.yaml
index 7401d78..8efb959 100644
--- a/data/reports/GO-2020-0039.yaml
+++ b/data/reports/GO-2020-0039.yaml
@@ -12,6 +12,7 @@
- Macaron.Run
- Macaron.ServeHTTP
- Router.ServeHTTP
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Due to improper request santization, a specifically crafted URL
can cause the static file handler to redirect to an attacker chosen
diff --git a/data/reports/GO-2020-0043.yaml b/data/reports/GO-2020-0043.yaml
index a1e25e6..382fc4f 100644
--- a/data/reports/GO-2020-0043.yaml
+++ b/data/reports/GO-2020-0043.yaml
@@ -8,6 +8,7 @@
- httpContext.MakeServers
- Server.serveHTTP
- assertConfigsCompatible
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Due to improper TLS verification when serving traffic for multiple
SNIs, an attacker may bypass TLS client authentication by indicating
diff --git a/data/reports/GO-2021-0064.yaml b/data/reports/GO-2021-0064.yaml
index ce2549f..27cc799 100644
--- a/data/reports/GO-2021-0064.yaml
+++ b/data/reports/GO-2021-0064.yaml
@@ -20,6 +20,7 @@
- package: k8s.io/kubernetes/staging/src/k8s.io/client-go/transport
symbols:
- requestInfo.toCurl
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Authorization tokens may be inappropriately logged if the verbosity
level is set to a debug level.
diff --git a/data/reports/GO-2021-0065.yaml b/data/reports/GO-2021-0065.yaml
index 4448bb4..578e1d5 100644
--- a/data/reports/GO-2021-0065.yaml
+++ b/data/reports/GO-2021-0065.yaml
@@ -19,6 +19,7 @@
- package: k8s.io/kubernetes/staging/src/k8s.io/client-go/transport
symbols:
- debuggingRoundTripper.RoundTrip
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Authorization tokens may be inappropriately logged if the verbosity
level is set to a debug level.
diff --git a/data/reports/GO-2021-0066.yaml b/data/reports/GO-2021-0066.yaml
index f42e189..f8ae00b 100644
--- a/data/reports/GO-2021-0066.yaml
+++ b/data/reports/GO-2021-0066.yaml
@@ -7,6 +7,7 @@
symbols:
- readDockerConfigFileFromBytes
- readDockerConfigJSONFileFromBytes
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Attempting to read a malformed .dockercfg may cause secrets to be
inappropriately logged.
diff --git a/data/reports/GO-2021-0067.yaml b/data/reports/GO-2021-0067.yaml
index 3726162..1859b6c 100644
--- a/data/reports/GO-2021-0067.yaml
+++ b/data/reports/GO-2021-0067.yaml
@@ -7,6 +7,7 @@
- package: archive/zip
symbols:
- toValidName
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Using Reader.Open on an archive containing a file with a path
prefixed by "../" will cause a panic due to a stack overflow.
diff --git a/data/reports/GO-2021-0068.yaml b/data/reports/GO-2021-0068.yaml
index 49a4c14..b648368 100644
--- a/data/reports/GO-2021-0068.yaml
+++ b/data/reports/GO-2021-0068.yaml
@@ -9,6 +9,7 @@
- package: cmd/go
goos:
- windows
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
The go command may execute arbitrary code at build time when using cgo on Windows.
This can be triggered by running go get on a malicious module, or any other time
diff --git a/data/reports/GO-2021-0069.yaml b/data/reports/GO-2021-0069.yaml
index 4cd1543..9eb71e5 100644
--- a/data/reports/GO-2021-0069.yaml
+++ b/data/reports/GO-2021-0069.yaml
@@ -9,6 +9,7 @@
- package: math/big
symbols:
- nat.divRecursiveStep
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
A number of math/big.Int methods can panic when provided large inputs due
to a flawed division method.
diff --git a/data/reports/GO-2021-0071.yaml b/data/reports/GO-2021-0071.yaml
index ff464ca..87de487 100644
--- a/data/reports/GO-2021-0071.yaml
+++ b/data/reports/GO-2021-0071.yaml
@@ -6,6 +6,7 @@
- package: github.com/lxc/lxd/shared
symbols:
- IdmapSet.doUidshiftIntoContainer
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
A race between chown and chmod operations during a container
filesystem shift may allow a user who can modify the filesystem to
diff --git a/data/reports/GO-2021-0075.yaml b/data/reports/GO-2021-0075.yaml
index 2cefa1d..10179f4 100644
--- a/data/reports/GO-2021-0075.yaml
+++ b/data/reports/GO-2021-0075.yaml
@@ -6,6 +6,7 @@
- package: github.com/ethereum/go-ethereum/les
symbols:
- ProtocolManager.handleMsg
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Due to improper argument validation in RPC messages, a maliciously crafted
message can cause a panic, leading to denial of service.
diff --git a/data/reports/GO-2021-0079.yaml b/data/reports/GO-2021-0079.yaml
index 7e3da5e..9bbb2f9 100644
--- a/data/reports/GO-2021-0079.yaml
+++ b/data/reports/GO-2021-0079.yaml
@@ -6,6 +6,7 @@
- package: github.com/bytom/bytom/p2p/discover
symbols:
- Network.checkTopicRegister
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
A malformed query can cause an out-of-bounds panic due to improper
validation of arguments. If processing queries from untrusted
diff --git a/data/reports/GO-2021-0086.yaml b/data/reports/GO-2021-0086.yaml
index 18fbbd4..8c18b0a 100644
--- a/data/reports/GO-2021-0086.yaml
+++ b/data/reports/GO-2021-0086.yaml
@@ -6,6 +6,7 @@
- package: github.com/documize/community/domain/section/markdown
symbols:
- Provider.Render
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
HTML content in markdown is not santized during rendering, possibly allowing
XSS if used to render untrusted user input.
diff --git a/data/reports/GO-2021-0087.yaml b/data/reports/GO-2021-0087.yaml
index 3cf7640..326e01b 100644
--- a/data/reports/GO-2021-0087.yaml
+++ b/data/reports/GO-2021-0087.yaml
@@ -6,6 +6,7 @@
- package: github.com/opencontainers/runc/libcontainer
symbols:
- mountToRootfs
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
A race while mounting volumes allows a possible symlink-exchange
attack, allowing a user whom can start multiple containers with
diff --git a/data/reports/GO-2021-0088.yaml b/data/reports/GO-2021-0088.yaml
index d492c55..c02b124 100644
--- a/data/reports/GO-2021-0088.yaml
+++ b/data/reports/GO-2021-0088.yaml
@@ -6,6 +6,7 @@
- package: github.com/facebook/fbthrift/thrift/lib/go/thrift
symbols:
- Skip
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Skip ignores unknown fields, rather than failing. A malicious user can craft small
messages with unknown fields which can take significant resources to parse. If a
diff --git a/data/reports/GO-2021-0090.yaml b/data/reports/GO-2021-0090.yaml
index a2c4a76..f627157 100644
--- a/data/reports/GO-2021-0090.yaml
+++ b/data/reports/GO-2021-0090.yaml
@@ -9,6 +9,7 @@
- VoteSet.MakeCommit
derived_symbols:
- MakeCommit
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Proposed commits may contain signatures for blocks not contained
within the commit. Instead of skipping these signatures, they
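Review bot: this package already carries a derived_symbols list (MakeCommit) directly above the new skip_fix line, so the placeholder's alternative of setting vulnerable_at to derive symbols does not obviously apply here. Either replace the TODO with the actual reason the fix is skipped, or confirm that the existing derived_symbols are meant to be regenerated.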
diff --git a/data/reports/GO-2021-0094.yaml b/data/reports/GO-2021-0094.yaml
index 21f5855..cbb6ba9 100644
--- a/data/reports/GO-2021-0094.yaml
+++ b/data/reports/GO-2021-0094.yaml
@@ -6,6 +6,7 @@
- package: github.com/hashicorp/go-slug
symbols:
- Unpack
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Protections against directory traversal during archive extraction can be
bypassed by chaining multiple symbolic links within the archive. This allows
diff --git a/data/reports/GO-2021-0095.yaml b/data/reports/GO-2021-0095.yaml
index 3415dc6..ad0d2e1 100644
--- a/data/reports/GO-2021-0095.yaml
+++ b/data/reports/GO-2021-0095.yaml
@@ -6,6 +6,7 @@
- package: github.com/google/go-tpm/tpm
symbols:
- CreateWrapKey
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Due to repeated usage of a XOR key an attacker that can eavesdrop on the TPM 1.2 transport
is able to calculate usageAuth for keys created using CreateWrapKey, despite it being encrypted,
diff --git a/data/reports/GO-2021-0096.yaml b/data/reports/GO-2021-0096.yaml
index 1d9331f..f607827 100644
--- a/data/reports/GO-2021-0096.yaml
+++ b/data/reports/GO-2021-0096.yaml
@@ -4,6 +4,7 @@
- fixed: 0.1.1
packages:
- package: github.com/proglottis/gpgme
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Due to improper setting of finalizers, memory passed to C may be freed before it is used,
leading to crashes due to memory corruption or possible code execution.
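Review bot: the skip_fix line is added to github.com/proglottis/gpgme, which lists no symbols in this hunk, so the placeholder's "set vulnerable_at to derive symbols" alternative has nothing to derive from. If the intent is that the package is affected as a whole, say so in skip_fix instead of leaving the generic TODO.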
diff --git a/data/reports/GO-2021-0097.yaml b/data/reports/GO-2021-0097.yaml
index 5fa28e4..1677581 100644
--- a/data/reports/GO-2021-0097.yaml
+++ b/data/reports/GO-2021-0097.yaml
@@ -9,6 +9,7 @@
- readAPICFrame
- readTextWithDescrFrame
- readAtomData
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Due to improper bounds checking, a number of methods can trigger a panic due to attempted
out-of-bounds reads. If the package is used to parse user supplied input, this may be
diff --git a/data/reports/GO-2021-0098.yaml b/data/reports/GO-2021-0098.yaml
index 938c163..82e4adf 100644
--- a/data/reports/GO-2021-0098.yaml
+++ b/data/reports/GO-2021-0098.yaml
@@ -8,22 +8,26 @@
- windows
symbols:
- PipeCommand
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
- package: github.com/git-lfs/git-lfs/creds
goos:
- windows
symbols:
- AskPassCredentialHelper.getFromProgram
- commandCredentialHelper.Approve
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
- package: github.com/git-lfs/git-lfs/lfs
goos:
- windows
symbols:
- pipeExtensions
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
- package: github.com/git-lfs/git-lfs/lfshttp
goos:
- windows
symbols:
- sshAuthClient.Resolve
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Due to the standard library behavior of exec.LookPath on Windows a number of methods may
result in arbitrary code execution when cloning or operating on untrusted Git repositories.
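Review bot: all four packages touched in this hunk are limited to goos: windows and each receives the same placeholder. If the platform restriction is the reason the fix is skipped, write that into skip_fix for each package now; otherwise note what differs between them so the four TODOs are not resolved inconsistently later.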
diff --git a/data/reports/GO-2021-0099.yaml b/data/reports/GO-2021-0099.yaml
index f0d824c..c294f2c 100644
--- a/data/reports/GO-2021-0099.yaml
+++ b/data/reports/GO-2021-0099.yaml
@@ -8,6 +8,7 @@
- extractTarDirectory
derived_symbols:
- fileWriter.Commit
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Due to improper path validation, using the github.com/deislabs/oras/pkg/content.FileStore
content store may result in directory traversal during archive extraction, allowing a
diff --git a/data/reports/GO-2021-0100.yaml b/data/reports/GO-2021-0100.yaml
index 80aa05c..24341b8 100644
--- a/data/reports/GO-2021-0100.yaml
+++ b/data/reports/GO-2021-0100.yaml
@@ -20,6 +20,7 @@
- Untar
- UntarPath
- UntarUncompressed
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Due to a goroutine deadlock, using github.com/containers/storage/pkg/archive.DecompressStream
on a xz archive returns a reader which will hang indefinitely when Close is called. An attacker
diff --git a/data/reports/GO-2021-0101.yaml b/data/reports/GO-2021-0101.yaml
index a93fed3..01c7b02 100644
--- a/data/reports/GO-2021-0101.yaml
+++ b/data/reports/GO-2021-0101.yaml
@@ -54,6 +54,7 @@
- TStandardClient.Call
- TStandardClient.Recv
- tApplicationException.Read
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Due to an improper bounds check, parsing maliciously crafted messages can cause panics. If
this package is used to parse untrusted input, this may be used as a vector for a denial of
diff --git a/data/reports/GO-2021-0102.yaml b/data/reports/GO-2021-0102.yaml
index 7dcc58b..e4a820c 100644
--- a/data/reports/GO-2021-0102.yaml
+++ b/data/reports/GO-2021-0102.yaml
@@ -6,6 +6,7 @@
- package: code.cloudfoundry.org/gorouter/common/secure
symbols:
- AesGCM.Decrypt
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
- module: github.com/cloudfoundry/gorouter
versions:
- fixed: 0.0.0-20191101214924-b1b5c44e050f
@@ -13,6 +14,7 @@
- package: github.com/cloudfoundry/gorouter/common/secure
symbols:
- AesGCM.Decrypt
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Due to improper input validation, a maliciously crafted input can cause a panic, due to incorrect
nonce size. If this package is used to decrypt user supplied messages without checking the size of
diff --git a/data/reports/GO-2021-0103.yaml b/data/reports/GO-2021-0103.yaml
index 1fdaa4d..135a165 100644
--- a/data/reports/GO-2021-0103.yaml
+++ b/data/reports/GO-2021-0103.yaml
@@ -14,6 +14,7 @@
- Int.MulMod
- Int.SDiv
- Int.SMod
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Due to improper bounds checking, certain mathmatical operations can cause a panic via an
out of bounds read. If this package is used to process untrusted user inputs, this may be used
diff --git a/data/reports/GO-2021-0104.yaml b/data/reports/GO-2021-0104.yaml
index 86072d1..2570488 100644
--- a/data/reports/GO-2021-0104.yaml
+++ b/data/reports/GO-2021-0104.yaml
@@ -15,6 +15,7 @@
- PeerConnection.SetRemoteDescription
- operations.Done
- operations.Enqueue
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Due to improper error handling, DTLS connections were not killed when certificate verification
failed, causing users who did not check the connection state to continue to use the connection.
diff --git a/data/reports/GO-2021-0105.yaml b/data/reports/GO-2021-0105.yaml
index 369743d..3b52efc 100644
--- a/data/reports/GO-2021-0105.yaml
+++ b/data/reports/GO-2021-0105.yaml
@@ -7,6 +7,7 @@
- package: github.com/ethereum/go-ethereum/core
symbols:
- StateDB.createObject
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Due to an incorrect state calculation, a specific set of
transactions could cause a consensus disagreement,
diff --git a/data/reports/GO-2021-0106.yaml b/data/reports/GO-2021-0106.yaml
index 93000a9..0120027 100644
--- a/data/reports/GO-2021-0106.yaml
+++ b/data/reports/GO-2021-0106.yaml
@@ -6,6 +6,7 @@
- package: github.com/whyrusleeping/tar-utils
symbols:
- Extractor.outputPath
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Due to improper path santization, archives containing relative file
paths can cause files to be written (or overwritten) outside of the
diff --git a/data/reports/GO-2021-0108.yaml b/data/reports/GO-2021-0108.yaml
index bbed588..ecad293 100644
--- a/data/reports/GO-2021-0108.yaml
+++ b/data/reports/GO-2021-0108.yaml
@@ -6,6 +6,7 @@
- package: github.com/gofiber/fiber
symbols:
- Ctx.Attachment
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Due to improper input sanitization, a maliciously constructed filename
could cause a file download to use an attacker controlled filename, as well
diff --git a/data/reports/GO-2021-0110.yaml b/data/reports/GO-2021-0110.yaml
index db8d5c8..ca08573 100644
--- a/data/reports/GO-2021-0110.yaml
+++ b/data/reports/GO-2021-0110.yaml
@@ -9,6 +9,7 @@
derived_symbols:
- Fosite.NewAccessRequest
- Fosite.NewRevocationRequest
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Uniqueness of JWT IDs (jti) are not checked, allowing the JWT to be
replayed.
diff --git a/data/reports/GO-2021-0154.yaml b/data/reports/GO-2021-0154.yaml
index 1b31a0b..8da0c65 100644
--- a/data/reports/GO-2021-0154.yaml
+++ b/data/reports/GO-2021-0154.yaml
@@ -8,6 +8,7 @@
symbols:
- checkForResumption
- decryptTicket
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle
attackers to spoof clients via unspecified vectors.
diff --git a/data/reports/GO-2021-0159.yaml b/data/reports/GO-2021-0159.yaml
index 53b962d..811b355 100644
--- a/data/reports/GO-2021-0159.yaml
+++ b/data/reports/GO-2021-0159.yaml
@@ -14,6 +14,7 @@
- readTransfer
- transferWriter.shouldSendContentLength
- validHeaderFieldByte
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
HTTP headers were not properly parsed, which allows remote attackers to
conduct HTTP request smuggling attacks via a request that contains
diff --git a/data/reports/GO-2021-0160.yaml b/data/reports/GO-2021-0160.yaml
index 548b7e5..4688f78 100644
--- a/data/reports/GO-2021-0160.yaml
+++ b/data/reports/GO-2021-0160.yaml
@@ -8,6 +8,7 @@
symbols:
- nat.expNNMontgomery
- nat.montgomery
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Int.Exp Montgomery mishandled carry propagation and produced an incorrect
output, which makes it easier for attackers to obtain private RSA keys via
diff --git a/data/reports/GO-2021-0163.yaml b/data/reports/GO-2021-0163.yaml
index 8b6c7b5..20326db 100644
--- a/data/reports/GO-2021-0163.yaml
+++ b/data/reports/GO-2021-0163.yaml
@@ -8,6 +8,7 @@
- package: syscall
symbols:
- LoadLibrary
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Untrusted search path vulnerability on Windows related to LoadLibrary allows
local users to gain privileges via a malicious DLL in the current working
diff --git a/data/reports/GO-2021-0172.yaml b/data/reports/GO-2021-0172.yaml
index 72e12ef..4727ffa 100644
--- a/data/reports/GO-2021-0172.yaml
+++ b/data/reports/GO-2021-0172.yaml
@@ -8,6 +8,7 @@
- package: mime/multipart
symbols:
- Reader.readForm
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
When parsing large multipart/form-data, an attacker can
cause a HTTP server to open a large number of file
diff --git a/data/reports/GO-2021-0178.yaml b/data/reports/GO-2021-0178.yaml
index 7e275b5..30ed87d 100644
--- a/data/reports/GO-2021-0178.yaml
+++ b/data/reports/GO-2021-0178.yaml
@@ -9,6 +9,7 @@
- package: net/smtp
symbols:
- plainAuth.Start
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
SMTP clients using net/smtp can use the PLAIN authentication scheme on
network connections not secured with TLS, exposing passwords to
diff --git a/data/reports/GO-2021-0223.yaml b/data/reports/GO-2021-0223.yaml
index b41867a..53e6433 100644
--- a/data/reports/GO-2021-0223.yaml
+++ b/data/reports/GO-2021-0223.yaml
@@ -10,6 +10,7 @@
- windows
symbols:
- Certificate.systemVerify
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
On Windows, if VerifyOptions.Roots is nil, Certificate.Verify
does not check the EKU requirements specified in VerifyOptions.KeyUsages.
diff --git a/data/reports/GO-2021-0224.yaml b/data/reports/GO-2021-0224.yaml
index 0d5f5a7..c6a2f93 100644
--- a/data/reports/GO-2021-0224.yaml
+++ b/data/reports/GO-2021-0224.yaml
@@ -8,6 +8,7 @@
- package: net/http
symbols:
- expectContinueReader.Read
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
HTTP servers where the Handler concurrently reads the request
body and writes a response can encounter a data race and crash.
diff --git a/data/reports/GO-2021-0226.yaml b/data/reports/GO-2021-0226.yaml
index 192e549..13f1420 100644
--- a/data/reports/GO-2021-0226.yaml
+++ b/data/reports/GO-2021-0226.yaml
@@ -10,11 +10,13 @@
- response.Write
- response.WriteHeader
- response.writeCGIHeader
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
- package: net/http/fcgi
symbols:
- response.Write
- response.WriteHeader
- response.writeCGIHeader
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
When a Handler does not explicitly set the Content-Type header, the the
package would default to “text/html”, which could cause a Cross-Site Scripting
diff --git a/data/reports/GO-2021-0227.yaml b/data/reports/GO-2021-0227.yaml
index 45c2140..a2d77bd 100644
--- a/data/reports/GO-2021-0227.yaml
+++ b/data/reports/GO-2021-0227.yaml
@@ -6,6 +6,7 @@
- package: golang.org/x/crypto/ssh
symbols:
- connection.serverAuthenticate
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Clients can cause a panic in SSH servers. An attacker can craft
an authentication request message for the “gssapi-with-mic” method
diff --git a/data/reports/GO-2021-0234.yaml b/data/reports/GO-2021-0234.yaml
index 3a3b46f..669414c 100644
--- a/data/reports/GO-2021-0234.yaml
+++ b/data/reports/GO-2021-0234.yaml
@@ -8,6 +8,7 @@
- package: encoding/xml
symbols:
- Decoder.Token
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
The Decode, DecodeElement, and Skip methods of an xml.Decoder
provided by xml.NewTokenDecoder may enter an infinite loop when
diff --git a/data/reports/GO-2021-0235.yaml b/data/reports/GO-2021-0235.yaml
index aee6918..91e33ff 100644
--- a/data/reports/GO-2021-0235.yaml
+++ b/data/reports/GO-2021-0235.yaml
@@ -8,6 +8,7 @@
- package: crypto/elliptic
symbols:
- p224Contract
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
The P224() Curve implementation can in rare circumstances generate
incorrect outputs, including returning invalid points from
diff --git a/data/reports/GO-2021-0239.yaml b/data/reports/GO-2021-0239.yaml
index 70d8f6d..ed61fb8 100644
--- a/data/reports/GO-2021-0239.yaml
+++ b/data/reports/GO-2021-0239.yaml
@@ -12,6 +12,7 @@
- Resolver.LookupMX
- Resolver.LookupNS
- Resolver.LookupSRV
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr
functions and their respective methods on the Resolver type may
diff --git a/data/reports/GO-2021-0240.yaml b/data/reports/GO-2021-0240.yaml
index 1df7db0..1ba106e 100644
--- a/data/reports/GO-2021-0240.yaml
+++ b/data/reports/GO-2021-0240.yaml
@@ -8,6 +8,7 @@
- package: archive/zip
symbols:
- Reader.init
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
NewReader and OpenReader can cause a panic or an unrecoverable
fatal error when reading an archive that claims to contain a large
diff --git a/data/reports/GO-2021-0241.yaml b/data/reports/GO-2021-0241.yaml
index a2a2955..ad605a6 100644
--- a/data/reports/GO-2021-0241.yaml
+++ b/data/reports/GO-2021-0241.yaml
@@ -8,6 +8,7 @@
- package: net/http/httputil
symbols:
- ReverseProxy.ServeHTTP
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
ReverseProxy can be made to forward certain hop-by-hop headers,
including Connection. If the target of the ReverseProxy is
diff --git a/data/reports/GO-2021-0242.yaml b/data/reports/GO-2021-0242.yaml
index 8b0e007..afd596f 100644
--- a/data/reports/GO-2021-0242.yaml
+++ b/data/reports/GO-2021-0242.yaml
@@ -8,6 +8,7 @@
- package: math/big
symbols:
- Rat.SetString
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Rat.SetString and Rat.UnmarshalText may cause a panic or an
unrecoverable fatal error if passed inputs with very large
diff --git a/data/reports/GO-2021-0243.yaml b/data/reports/GO-2021-0243.yaml
index 6f5725c..18c08a0 100644
--- a/data/reports/GO-2021-0243.yaml
+++ b/data/reports/GO-2021-0243.yaml
@@ -8,6 +8,7 @@
- package: crypto/tls
symbols:
- rsaKeyAgreement.generateClientKeyExchange
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
crypto/tls clients can panic when provided a certificate of the
wrong type for the negotiated parameters. net/http clients
diff --git a/data/reports/GO-2021-0245.yaml b/data/reports/GO-2021-0245.yaml
index 9109180..ad6fb18 100644
--- a/data/reports/GO-2021-0245.yaml
+++ b/data/reports/GO-2021-0245.yaml
@@ -8,6 +8,7 @@
- package: net/http/httputil
symbols:
- ReverseProxy.ServeHTTP
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
ReverseProxy can panic after encountering a problem copying
a proxied response body.
diff --git a/data/reports/GO-2021-0263.yaml b/data/reports/GO-2021-0263.yaml
index a205406..5e8cc60 100644
--- a/data/reports/GO-2021-0263.yaml
+++ b/data/reports/GO-2021-0263.yaml
@@ -8,6 +8,7 @@
- package: debug/macho
symbols:
- NewFile
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Calling File.ImportedSymbols on a loaded file which contains an invalid
dynamic symbol table command can cause a panic, in particular if the encoded
diff --git a/data/reports/GO-2021-0264.yaml b/data/reports/GO-2021-0264.yaml
index 08f832b..a79c2b7 100644
--- a/data/reports/GO-2021-0264.yaml
+++ b/data/reports/GO-2021-0264.yaml
@@ -9,6 +9,7 @@
symbols:
- split
- Reader.Open
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Previously, opening a zip with (*Reader).Open could result in a panic if the
zip contained a file whose name was exclusively made up of slash characters or
diff --git a/data/reports/GO-2021-0317.yaml b/data/reports/GO-2021-0317.yaml
index be042b6..d5d1bad 100644
--- a/data/reports/GO-2021-0317.yaml
+++ b/data/reports/GO-2021-0317.yaml
@@ -8,6 +8,7 @@
- package: math/big
symbols:
- Rat.SetString
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Rat.SetString had an overflow issue that can lead to uncontrolled memory consumption.
published: 2022-05-23T22:15:42Z
diff --git a/data/reports/GO-2021-0319.yaml b/data/reports/GO-2021-0319.yaml
index 75945b9..7d3a61e 100644
--- a/data/reports/GO-2021-0319.yaml
+++ b/data/reports/GO-2021-0319.yaml
@@ -10,6 +10,7 @@
- CurveParams.IsOnCurve
- p384PointFromAffine
- p521PointFromAffine
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Some big.Int values that are not valid field elements (negative or overflowing)
might cause Curve.IsOnCurve to incorrectly return true. Operating on those values
diff --git a/data/reports/GO-2021-0347.yaml b/data/reports/GO-2021-0347.yaml
index d6feda4..942e689 100644
--- a/data/reports/GO-2021-0347.yaml
+++ b/data/reports/GO-2021-0347.yaml
@@ -8,6 +8,7 @@
- package: regexp
symbols:
- regexp.Compile
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
On 64-bit platforms, an extremely deeply nested expression can
cause regexp.Compile to cause goroutine stack exhaustion, forcing
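Review bot: the symbol just above the new skip_fix line is written as regexp.Compile inside package regexp, while other standard-library reports in this change list unqualified names (for example Verify under crypto/dsa). If the package-qualified name is why this entry needs skip_fix, correcting the symbol to Compile and setting vulnerable_at would be preferable to a TODO.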
diff --git a/data/reports/GO-2022-0166.yaml b/data/reports/GO-2022-0166.yaml
index 62f79fe..044a7b3 100644
--- a/data/reports/GO-2022-0166.yaml
+++ b/data/reports/GO-2022-0166.yaml
@@ -8,6 +8,7 @@
- package: crypto/dsa
symbols:
- Verify
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
The Verify function in crypto/dsa passed certain parameters unchecked to
the underlying big integer library, possibly leading to extremely
diff --git a/data/reports/GO-2022-0171.yaml b/data/reports/GO-2022-0171.yaml
index bc492e5..4ff69b8 100644
--- a/data/reports/GO-2022-0171.yaml
+++ b/data/reports/GO-2022-0171.yaml
@@ -11,6 +11,7 @@
symbols:
- FetchPEMRoots
- execSecurityRoots
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
On Darwin, user's trust preferences for root certificates were not honored.
If the user had a root certificate loaded in their Keychain that was
diff --git a/data/reports/GO-2022-0212.yaml b/data/reports/GO-2022-0212.yaml
index 4bab00c..b1c2ae6 100644
--- a/data/reports/GO-2022-0212.yaml
+++ b/data/reports/GO-2022-0212.yaml
@@ -8,6 +8,7 @@
- package: net/textproto
symbols:
- Reader.ReadMimeHeader
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
net/http (through net/textproto) used to accept and normalize invalid
HTTP/1.1 headers with a space before the colon, in violation of RFC 7230.
diff --git a/data/reports/GO-2022-0213.yaml b/data/reports/GO-2022-0213.yaml
index 643ccbd..1cdd75b 100644
--- a/data/reports/GO-2022-0213.yaml
+++ b/data/reports/GO-2022-0213.yaml
@@ -8,6 +8,7 @@
- package: crypto/dsa
symbols:
- Verify
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Invalid DSA public keys can cause a panic in dsa.Verify. In particular,
using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a
diff --git a/data/reports/GO-2022-0217.yaml b/data/reports/GO-2022-0217.yaml
index 114ddfd..aff57a2 100644
--- a/data/reports/GO-2022-0217.yaml
+++ b/data/reports/GO-2022-0217.yaml
@@ -8,6 +8,7 @@
- package: crypto/elliptic
symbols:
- curve.doubleJacobian
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
A DoS vulnerability in the crypto/elliptic implementations of the P-521 and
P-384 elliptic curves may let an attacker craft inputs that consume
diff --git a/data/reports/GO-2022-0220.yaml b/data/reports/GO-2022-0220.yaml
index 0e57321..784e44f 100644
--- a/data/reports/GO-2022-0220.yaml
+++ b/data/reports/GO-2022-0220.yaml
@@ -12,11 +12,13 @@
- loadOptionalSyscalls
- osinit
- syscall_loadsystemlibrary
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
- package: syscall
goos:
- windows
symbols:
- LoadDLL
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Go on Windows misused certain LoadLibrary functionality, leading to DLL
injection.
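Review bot: both added `skip_fix` lines carry the same generic TODO although the two entries differ: the first lists unexported symbols (`loadOptionalSyscalls`, `osinit`, `syscall_loadsystemlibrary`) and the second is `LoadDLL` restricted to `goos: windows`. If the reason symbols cannot be derived is the Windows-only constraint, write that as the `skip_fix` text now rather than leaving a TODO, and give each entry its own reason if they differ.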
diff --git a/data/reports/GO-2022-0247.yaml b/data/reports/GO-2022-0247.yaml
index b94b8fa..3bbb55a 100644
--- a/data/reports/GO-2022-0247.yaml
+++ b/data/reports/GO-2022-0247.yaml
@@ -12,6 +12,7 @@
- wasm
symbols:
- Link.address
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
- package: misc/wasm
goos:
- js
@@ -19,6 +20,7 @@
- wasm
symbols:
- run
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js,
passing very large arguments can cause portions of the module to be
diff --git a/data/reports/GO-2022-0273.yaml b/data/reports/GO-2022-0273.yaml
index ff17001..c78788c 100644
--- a/data/reports/GO-2022-0273.yaml
+++ b/data/reports/GO-2022-0273.yaml
@@ -9,6 +9,7 @@
symbols:
- NewReader
- OpenReader
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
The NewReader and OpenReader functions in archive/zip can cause a panic or
an unrecoverable fatal error when reading an archive that claims to contain
diff --git a/data/reports/GO-2022-0289.yaml b/data/reports/GO-2022-0289.yaml
index 23a900f..2b5f792 100644
--- a/data/reports/GO-2022-0289.yaml
+++ b/data/reports/GO-2022-0289.yaml
@@ -8,6 +8,7 @@
- package: syscall
symbols:
- ForkExec
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
When a Go program running on a Unix system is out of file descriptors and
calls syscall.ForkExec (including indirectly by using the os/exec package),
diff --git a/data/reports/GO-2022-0477.yaml b/data/reports/GO-2022-0477.yaml
index fe781d4..b3281d5 100644
--- a/data/reports/GO-2022-0477.yaml
+++ b/data/reports/GO-2022-0477.yaml
@@ -10,6 +10,7 @@
- windows
symbols:
- Read
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
On Windows, rand.Read will hang indefinitely if passed a buffer larger than
1 << 32 - 1 bytes.
diff --git a/data/reports/GO-2022-0536.yaml b/data/reports/GO-2022-0536.yaml
index eca3500..3993e21 100644
--- a/data/reports/GO-2022-0536.yaml
+++ b/data/reports/GO-2022-0536.yaml
@@ -20,6 +20,7 @@
- serverConn.serve
- serverConn.writeFrame
- serverConn.scheduleFrameWrite
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Some HTTP/2 implementations are vulnerable to a reset flood, potentially
leading to a denial of service.
diff --git a/data/reports/GO-2022-0569.yaml b/data/reports/GO-2022-0569.yaml
index f8ef10b..41b699f 100644
--- a/data/reports/GO-2022-0569.yaml
+++ b/data/reports/GO-2022-0569.yaml
@@ -6,6 +6,7 @@
- package: github.com/beego/beego
symbols:
- Tree.Match
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
- module: github.com/beego/beego/v2
versions:
- introduced: 2.0.0
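Review bot: only the `github.com/beego/beego` package gets a `skip_fix` here. This is the file's single hunk, so the `github.com/beego/beego/v2` module that begins in the trailing context is left untouched, unlike GO-2022-0586, where both the v1 and v2 go-getter entries receive one. Please confirm the v2 package entry does not need the same treatment; GO-2022-0572 has the same shape and needs the same check.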
diff --git a/data/reports/GO-2022-0572.yaml b/data/reports/GO-2022-0572.yaml
index 5d61fdf..30b474e 100644
--- a/data/reports/GO-2022-0572.yaml
+++ b/data/reports/GO-2022-0572.yaml
@@ -4,6 +4,7 @@
- package: github.com/beego/beego
symbols:
- Tree.Match
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
- module: github.com/beego/beego/v2
versions:
- introduced: 2.0.0
diff --git a/data/reports/GO-2022-0586.yaml b/data/reports/GO-2022-0586.yaml
index 9911a9d..228973a 100644
--- a/data/reports/GO-2022-0586.yaml
+++ b/data/reports/GO-2022-0586.yaml
@@ -5,12 +5,14 @@
fixed: 1.6.1
packages:
- package: github.com/hashicorp/go-getter
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
- module: github.com/hashicorp/go-getter/v2
versions:
- introduced: 2.0.2
fixed: 2.1.0
packages:
- package: github.com/hashicorp/go-getter/v2
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Malicious HTTP responses can cause a number of misbehaviors,
including overwriting local files, resource exhaustion, and panics.
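Review bot: neither go-getter package entry has a `symbols` list, so the placeholder's alternative of setting `vulnerable_at` "to derive symbols" appears to have nothing to start from in this report. Decide first whether the report is meant to be package-level or whether symbols are missing: the description names three distinct misbehaviors (overwriting local files, resource exhaustion, panics), and the `skip_fix` text should say which case applies instead of the generic TODO.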
diff --git a/data/reports/GO-2022-0701.yaml b/data/reports/GO-2022-0701.yaml
index 5be5dea..fd02c2e 100644
--- a/data/reports/GO-2022-0701.yaml
+++ b/data/reports/GO-2022-0701.yaml
@@ -6,22 +6,28 @@
- package: k8s.io/kubernetes/pkg/api/rest
symbols:
- BeforeCreate
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
- package: k8s.io/kubernetes/pkg/registry/generic/etcd
symbols:
- NamespaceKeyFunc
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
- package: k8s.io/kubernetes/pkg/storage
symbols:
- NamespaceKeyFunc
- NoNamespaceKeyFunc
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
- package: k8s.io/kubernetes/pkg/registry/namespace/etcd
symbols:
- NewREST
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
- package: k8s.io/kubernetes/pkg/registry/node/etcd
symbols:
- NewREST
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
- package: k8s.io/kubernetes/pkg/registry/persistentvolume/etcd
symbols:
- NewREST
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
Crafted object type names can cause directory traversal in Kubernetes.
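Review bot: this hunk adds six identical TODO placeholders to one report, three of them on sibling registry packages that list only `NewREST`, and `NamespaceKeyFunc` appears under both `pkg/registry/generic/etcd` and `pkg/storage`. Resolve the six entries as a unit, with one reason written per distinct cause, so the report does not end up with a mix of filled-in and TODO entries for what the one-line description presents as a single directory traversal issue.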
diff --git a/data/reports/GO-2022-1175.yaml b/data/reports/GO-2022-1175.yaml
index a808bd7..d89fd53 100644
--- a/data/reports/GO-2022-1175.yaml
+++ b/data/reports/GO-2022-1175.yaml
@@ -10,6 +10,7 @@
symbols:
- validateAlertmanagerConfig
- validateGlobalConfig
+ skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
description: |
A malicious actor could remotely read local files by submitting to the
Alertmanager Set Configuration API maliciously crafted inputs. Only users