# Copyright 2021 The Go Authors. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.

name: Tell us about a public vulnerability in the Go Ecosystem
description: |
  Report an existing, public vulnerability in a publicly importable package in the Go ecosystem that is not yet in our database.
title: "x/vulndb: potential Go vuln in <package>"
labels: "Needs Triage,Direct External Report"
body:
  - type: markdown
    attributes:
      value: |
        Thanks for taking the time to file a vulnerability report!

        Use this form only for PUBLIC vulnerabilities in publicly importable Go packages not maintained by the Go Team (i.e., anything outside the Go standard library, Go toolchain, and golang.org modules).

        ❗ To report undisclosed Go vulnerabilities, please follow our [security policy](https://go.dev/security/policy) instead.

        For questions or concerns, do not hesitate to reach out to us directly at security@golang.org.
  - type: textarea
    id: description
    attributes:
      label: Description
      description: A description of the vulnerability.
    validations:
      required: true
  - type: textarea
    id: affected
    attributes:
      label: Affected Modules, Packages, Versions and Symbols
      description: |
        The Go modules, packages, versions, and symbols this vulnerability affects.

        Package versions should be in semver format, and should indicate when the vulnerability was introduced and when it was fixed, if known.

        Symbols are functions, methods or structs that may trigger this vulnerability when used.
      value: |
        Module: github.com/example/module
        Package: github.com/example/module/package
        Versions:
          - Introduced: 1.2.0
          - Fixed: 1.2.4
        Symbols:
          - aFunction
          - SomeType.AMethod

        Module: github.com/example/module
        Package: github.com/example/module/v2/package
        Versions:
          - Fixed: 2.4.5
        Symbols:
          - anotherFunction
      render: shell
    validations:
      required: true
  - type: dropdown
    id: has-cve
    attributes:
      label: Does this vulnerability already have an associated CVE ID?
      description: |
        A CVE ID is a unique identifier for a vulnerability (see https://cve.mitre.org).
        The Go Security team will assign a CVE ID for the vulnerability if it does not already have one.
      multiple: false
      options:
        - "Yes"
        - "No"
        - "I'm not sure"
    validations:
      required: true
  - type: input
    id: cve
    attributes:
      label: CVE ID
      description: If you selected "Yes" in the previous question, please include the CVE ID below.
      placeholder: CVE-20XX-NNNN
    validations:
      required: false
  - type: input
    id: credit
    attributes:
      label: Credit
      description: |
        [Optional] The name of the person or organization that discovered or fixed this vulnerability.
  - type: input
    id: cwe
    attributes:
      label: CWE ID
      description: |
        [Optional] The CWE ID that best describes the class of vulnerability.
        See https://cwe.mitre.org/data/definitions/699.html for a list of common types.
  - type: input
    id: pr
    attributes:
      label: Pull Request
      description: |
        The pull request(s) that fixed this vulnerability, if known.
      placeholder: https://github.com/example/pull/123
    validations:
      required: false
  - type: input
    id: commit
    attributes:
      label: Commit
      description: |
        The commit(s) that fixed this vulnerability, if known.
      placeholder: https://github.com/example/commit/abcdef
    validations:
      required: false
  - type: textarea
    id: links
    attributes:
      label: References
      description: Links to more information about the vulnerability (e.g., advisories, reports, issue tracker entries, etc).
      placeholder: |
        - https://github.com/example/issues/123
        - https://github.com/advisories/GHSA-abcd-efgh-ijkl
    validations:
      required: false
  - type: textarea
    id: more
    attributes:
      label: Additional information
      description: |
        Anything else you'd like us to know about this vulnerability?
    validations:
      required: false