Handling Go Vulnerability Reports

This document explains how we handle vulnerability issue triage in the x/vulndb issue tracker.

Reports

All vulnerabilities in the Go vulnerability database are currently stored as a YAML file in the reports/ directory.

Each vulnerability is given an ID with the format GO-YYYY-NNNN.

The YYYY component corresponds to the year in which the vulnerability was published.
The NNNN component is a unique ID for that vulnerability, which is generated using the GitHub issue ID for that vulnerability.

For a detailed explanation of the report format, see doc/format.md.

Issue States

Any issue must be in one of the following states. Maintainers of the Go vulndb move issues from one state to another. The intent behind these explicit states is to describe the (minimum) next steps required to bring the issue to resolution.

Issues are intended to move between these states:

                                    +-------------+
                                    |             |   via CL
                      +------------>| NeedsReport +----------+
                      |             |             |          |
                      |             +-------------+          |
            +---------+--------+                             v
            |                  |                           Closed
 New   ---->|NeedsInvestigation|
            |    (optional)    |    +------------+           ^
            +----------+-------+    |            |           |
                       |            | NotGoVuln  +-----------+
                       +----------->|            |
                                    +------------+

New

The issue has been filed by the vulndb worker
The issue will have the title: x/vulndb: potential Go vuln in <module/package>: <CVE ID>
To transition from this state, someone must:
- Label the issue as NotGoVuln, and close the issue.
- Label the issue as NeedsReport, and make a CL
- Label the issue as NeedsInvestigation, and CC people who might be best to investigate the issue and provide further context.

Needs Investigation

The issue has the label NeedsInvestigation
This state is used by the triager when it is not clear to them how to proceed. Otherwise, an issue can move straight from New to one of the other states.
Someone (CC-ed) must examine the issue and confirm whether or not it is a Go vuln

Needs Report

The issue has been confirmed to be a Go vulnerability, an a report needs to be added to the vulndb for this CVE.
The issue has the label NeedsReport

Not Go Vuln

The issue has been confirmed to not be a Go vulnerability.
The issue is resolved and can be closed.
The NotGoVuln label should be applied at the time the issue is closed for tracking purposes (such as data on how to improve the automatic triager).

Adding a new report

If an issue is labeled with NeedsReport and is not assigned to anyone, you can add a new report to the database by following these steps:

Assign the issue to yourself.
Clone the x/vulndb repository: git clone https://go.googlesource.com/vulndb
Run go run ./cmd/vulnreport create <GitHub issue number>. (Note: You will need a GitHub access token).
Run go run ./cmd/vulnreport fix <report file> to add derived symbols to the report. You should first create an empty module and go get the vulnerable module at an unfixed version:
```
mkdir /tmp/mymod
cd /tmp/mymod
go mod init
go get github.com/my/mod@<version-before-fixed>
go run <path to /cmd/vulnreport> fix
```
Edit the template accordingly, and mail a CL with this commit message format:

x/vulndb: add <GO Vuln ID> for <CVE ID>

<description>

Fixes golang/vulndb#<GitHub Issue #>

vulnreport will download the github.com/CVEProject/cvelist repository and create a YAML report template for the CVE at the specified GitHub issue number.

Updating a report

Occasionally, we will receive new information about a Go vulnerability and want to update the existing report.

In that case, reopen the issue for the report to discuss the change, rather than create a new issue.