internal/report: refine lint checks for stdlib links

Permit the commit link for a standard library report to reference
any repo, allowing us to record a link to the
original fix for packages vendored into the stdlib.

Make the commit field optional. The pr and commit fields are
for informational purposes. It's sufficient to link to the
Gerrit CL; anyone who wants the specific commit can easily
get to it from there.

Improve fix while I'm in here to drop the redundant package
when package==module. (Lint checks for it, fix can fix it.)

Change-Id: I68473c674b82535da52a793b57343bd48fd5acf4
Reviewed-by: Jonathan Amsterdam <>
Run-TryBot: Damien Neil <>
TryBot-Result: Gopher Robot <>
2 files changed
tree: 414e0a384854152ab0d59495ebd42dd4e5106b3f

The Go Vulnerability Database

This repository contains the reports for the Go Vulnerability Database.

If you are interested in accessing data from the Go Vulnerability Database, see x/vuln for information. This repository is only used for adding new vulnerabilities.

Reporting a vulnerability

We are not accepting new vulnerability reports at this time. We will update this once we are ready to receive reports.


Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Database entries are distributed under the terms of the CC-BY 4.0 license. See x/vuln for information on how to access these entries.