all: use the proxy for report linting

Check the proxy to determine valid versions and canonical module
import paths. This should prevent rogue database entries that
do not cleanly apply to real go.mod files.

Change-Id: Iea1b531fe5bed7a0825102c6ac877a515f24c0f5
Reviewed-on: https://team-review.git.corp.google.com/c/golang/vulndb/+/1032616
Reviewed-by: Roland Shoemaker <bracewell@google.com>
diff --git a/osv/json.go b/osv/json.go
index d9fa66e..acf5eb5 100644
--- a/osv/json.go
+++ b/osv/json.go
@@ -118,10 +118,14 @@
 }
 
 func Generate(id string, url string, r report.Report) []Entry {
+	importPath := r.Module
+	if r.Package != "" {
+		importPath = r.Package
+	}
 	entry := Entry{
 		ID: id,
 		Package: Package{
-			Name:      r.Package,
+			Name:      importPath,
 			Ecosystem: GoEcosystem,
 		},
 		Summary:      "", // TODO: think if we want to populate this in reports
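Review bot: The importPath selection at lines 18–21 (fall back to r.Module when r.Package is empty) duplicates the same Module/Package choice that report.Lint makes in this change, so the two can drift apart; a single `func (r *Report) ImportPath() string` on the report type, used by both Generate and Lint, would keep one definition. The updated TestGenerate only covers an additional package with an explicit Package, so a case with Package empty (Name must come out as the module path) is worth adding. Generate's body continues outside the hunk.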
diff --git a/osv/json_test.go b/osv/json_test.go
index 650964f..18cd2bf 100644
--- a/osv/json_test.go
+++ b/osv/json_test.go
@@ -10,14 +10,16 @@
 
 func TestGenerate(t *testing.T) {
 	r := report.Report{
-		Package: "example.com/vulnerable/v2",
+		Module: "example.com/vulnerable/v2",
 		AdditionalPackages: []struct {
+			Module   string
 			Package  string
 			Symbols  []string
 			Versions []report.VersionRange
 		}{
 			{
-				Package: "example.com/vulnerable",
+				Module:  "vanity.host/vulnerable",
+				Package: "vanity.host/vulnerable/package",
 				Symbols: []string{"b", "A.b"},
 				Versions: []report.VersionRange{
 					{Fixed: "v2.1.1"},
@@ -93,7 +95,7 @@
 
 			ID: "GO-1991-0001",
 			Package: Package{
-				Name:      "example.com/vulnerable",
+				Name:      "vanity.host/vulnerable/package",
 				Ecosystem: "go",
 			},
 			Details:  "It's a real bad one, I'll tell you that",
diff --git a/report/lint.go b/report/lint.go
new file mode 100644
index 0000000..9e86ee8
--- /dev/null
+++ b/report/lint.go
@@ -0,0 +1,206 @@
+package report
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"regexp"
+	"strings"
+
+	"golang.org/x/mod/modfile"
+	"golang.org/x/mod/module"
+	"golang.org/x/mod/semver"
+)
+
+// TODO: getting things from the proxy should all be cached so we
+// aren't re-requesting the same stuff over and over.
+
+const proxyURL = "https://proxy.golang.org"
+
+func getModVersions(module string) (map[string]bool, error) {
+	resp, err := http.Get(fmt.Sprintf("%s/%s/@v/list", proxyURL, module))
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	b, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	versions := map[string]bool{}
+	for _, v := range strings.Split(string(b), "\n") {
+		versions[v] = true
+	}
+	return versions, nil
+}
+
+func getCanonicalModName(module string, version string) (string, error) {
+	resp, err := http.Get(fmt.Sprintf("%s/%s/@v/%s.mod", proxyURL, module, version))
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+	b, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+	m, err := modfile.ParseLax("go.mod", b, nil)
+	if err != nil {
+		return "", err
+	}
+	if m.Module == nil {
+		return "", fmt.Errorf("unable to retrieve module information for %s", module)
+	}
+	return m.Module.Mod.Path, nil
+}
+
+var pseudoVersionRE = regexp.MustCompile(`^v[0-9]+\.(0\.0-|\d+\.\d+-([^+]*\.)?0\.)\d{14}-[A-Za-z0-9]+(\+[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$`)
+
+// isPseudoVersion reports whether v is a pseudo-version.
+// NOTE: this is taken from cmd/go/internal/modfetch/pseudo.go but
+// uses regexp instead of the internal lazyregex package.
+func isPseudoVersion(v string) bool {
+	return strings.Count(v, "-") >= 2 && semver.IsValid(v) && pseudoVersionRE.MatchString(v)
+}
+
+func versionExists(version string, versions map[string]bool) error {
+	// TODO: for now, just skip pseudo-versions. at some point we should verify that
+	// it is a likely pseudo-version, i.e. one that could feasibly exist given the
+	// actual versions that we know about.
+	//
+	// pseudo-version check should take into account the canonical import path
+	// probably? (I think cmd/go/internal/modfetch/coderepo.go has something like
+	// this, check the error containing "has post-%v module path")
+	if isPseudoVersion(version) {
+		return nil
+	}
+	if !versions[version] {
+		return fmt.Errorf("proxy unaware of version")
+	}
+	return nil
+}
+
+func checkModVersions(path string, vr []VersionRange) error {
+	realVersions, err := getModVersions(path)
+	if err != nil {
+		return fmt.Errorf("unable to retrieve module versions from proxy: %s", err)
+	}
+	checkVersion := func(version string) error {
+		if !semver.IsValid(version) {
+			return errors.New("invalid module semver")
+		}
+		if err := module.Check(path, version); err != nil {
+			return err
+		}
+		if err := versionExists(version, realVersions); err != nil {
+			return err
+		}
+		canonicalPath, err := getCanonicalModName(path, version)
+		if err != nil {
+			return err
+		}
+		if canonicalPath != path {
+			return fmt.Errorf("invalid module path at version (canonical path is %s)", canonicalPath)
+		}
+		return nil
+	}
+	for _, version := range vr {
+		if version.Introduced != "" {
+			if err := checkVersion(version.Introduced); err != nil {
+				return fmt.Errorf("bad version.introduced %q: %s", version.Introduced, err)
+			}
+		}
+		if version.Fixed != "" {
+			if err := checkVersion(version.Fixed); err != nil {
+				return fmt.Errorf("bad version.fixed %q: %s", version.Fixed, err)
+			}
+		}
+	}
+	return nil
+}
+
+var cveRegex = regexp.MustCompile(`^CVE-\d{4}-\d{4,}$`)
+
+func (vuln *Report) Lint() error {
+	var importPath string
+	if !vuln.Stdlib {
+		if vuln.Module == "" {
+			return errors.New("missing module")
+		}
+		if vuln.Package == vuln.Module {
+			return errors.New("package is redundant and can be removed")
+		}
+		if vuln.Package != "" && !strings.HasPrefix(vuln.Package, vuln.Module) {
+			return errors.New("module must be a prefix of package")
+		}
+		if vuln.Package == "" {
+			importPath = vuln.Module
+		} else {
+			importPath = vuln.Package
+		}
+		if err := checkModVersions(vuln.Module, vuln.Versions); err != nil {
+			return err
+		}
+
+		if err := module.CheckImportPath(importPath); err != nil {
+			return err
+		}
+	} else if vuln.Package == "" {
+		return errors.New("missing package")
+	}
+
+	for _, additionalPackage := range vuln.AdditionalPackages {
+		var additionalImportPath string
+		if additionalPackage.Module == "" {
+			return errors.New("missing additional_package.module")
+		}
+		if additionalPackage.Package == additionalPackage.Module {
+			return errors.New("package is redundant and can be removed")
+		}
+		if additionalPackage.Package != "" && !strings.HasPrefix(additionalPackage.Package, additionalPackage.Module) {
+			return errors.New("additional_package.module must be a prefix of additional_package.package")
+		}
+		if additionalPackage.Package == "" {
+			additionalImportPath = additionalPackage.Module
+		} else {
+			additionalImportPath = additionalPackage.Package
+		}
+		if err := module.CheckImportPath(additionalImportPath); err != nil {
+			return err
+		}
+		if !vuln.Stdlib {
+			if err := checkModVersions(additionalPackage.Module, additionalPackage.Versions); err != nil {
+				return err
+			}
+		}
+	}
+
+	if vuln.Description == "" {
+		return errors.New("missing description")
+	}
+
+	sevs := map[string]bool{
+		"low":      true,
+		"medium":   true,
+		"high":     true,
+		"critical": true,
+	}
+	// Could also just default to medium if not provided?
+	// Need to document what the default case is and what factors lower
+	// or raise the sev
+	if vuln.Severity != "" && !sevs[vuln.Severity] {
+		return fmt.Errorf("unknown severity %q", vuln.Severity)
+	}
+
+	if vuln.CVE != "" && vuln.CVEMetadata != nil && vuln.CVEMetadata.ID != "" {
+		// TODO: may just want to use one of these? :shrug:
+		return errors.New("only one of cve and cve_metadata.id should be present")
+	}
+
+	if vuln.CVE != "" && !cveRegex.MatchString(vuln.CVE) {
+		return fmt.Errorf("malformed CVE number: %s", vuln.CVE)
+	}
+
+	return nil
+}
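Review bot: Neither proxy helper checks `resp.StatusCode`, so when the proxy answers 404/410 the error body is treated as data — getModVersions (lines 89–102) records each line of that text as a known version, and getCanonicalModName (lines 106–118) surfaces a modfile parse error instead of "module not found". The requests also send the path unescaped, whereas the proxy protocol expects `module.EscapePath` output (and `module.EscapeVersion` for the `.mod` fetch), so a path with uppercase letters such as github.com/RobotsAndPencils/go-saml in this same change would likely not resolve; that call cannot even be written today because the parameter named `module` shadows the `golang.org/x/mod/module` import in both helpers, so rename it to `modPath`. Separately, the prefix checks at lines 201 and 228 accept `example.com/foo` as the module of `example.com/foobar`; `strings.HasPrefix(vuln.Package, vuln.Module+"/")` (and the same for additionalPackage) closes that. Finally, `http.Get` uses a client with no timeout, and the `%s` wrapping of errors at lines 154, 178 and 183 should be `%w` so callers can `errors.Is`/`errors.As` through them. The rewritten getModVersions below shows the shape; getCanonicalModName needs the same escaping and status check.
```go
var proxyClient = &http.Client{Timeout: 30 * time.Second} // requires importing "time"

func getModVersions(modPath string) (map[string]bool, error) {
	escaped, err := module.EscapePath(modPath)
	if err != nil {
		return nil, err
	}
	resp, err := proxyClient.Get(fmt.Sprintf("%s/%s/@v/list", proxyURL, escaped))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("proxy returned %s for %s", resp.Status, modPath)
	}
	// … unchanged: read the body and build the versions map …
}
```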
diff --git a/report/report.go b/report/report.go
index 8839cd8..aa39392 100644
--- a/report/report.go
+++ b/report/report.go
@@ -1,20 +1,12 @@
 package report
 
-import (
-	"errors"
-	"fmt"
-	"regexp"
-
-	"golang.org/x/mod/module"
-	"golang.org/x/mod/semver"
-)
-
 type VersionRange struct {
 	Introduced string
 	Fixed      string
 }
 
 type Report struct {
+	Module  string
 	Package string
 	// TODO: could also be GoToolchain, but we might want
 	// this for other things?
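Review bot: The new exported field `Module` on Report (line 296), and `AdditionalPackages.Module` in the next hunk, carry no doc comment, and the rules the new Lint enforces — Module required unless Stdlib is set, Package empty when it equals Module and otherwise under Module — are stated nowhere a report author would look. Proposed: `// Module is the module path containing the vulnerable code; required unless Stdlib is set.` above Module, and `// Package is the import path of the vulnerable package within Module. Leave it empty when it equals Module.` above Package, with the same two comments on the AdditionalPackages struct.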
@@ -29,6 +21,7 @@
 	// additional packages for some cases, but it's too heavy
 	// for most
 	AdditionalPackages []struct {
+		Module   string
 		Package  string
 		Symbols  []string
 		Versions []VersionRange
@@ -52,67 +45,3 @@
 		Description string
 	} `toml:"cve_metadata"`
 }
-
-var cveRegex = regexp.MustCompile(`^CVE-\d{4}-\d{4,}$`)
-
-func (vuln *Report) Lint() error {
-	if vuln.Package == "" {
-		return errors.New("missing package")
-	}
-	if err := module.CheckImportPath(vuln.Package); err != nil {
-		return err
-	}
-
-	for _, additionalPackage := range vuln.AdditionalPackages {
-		if err := module.CheckImportPath(additionalPackage.Package); err != nil {
-			return err
-		}
-	}
-
-	for _, version := range vuln.Versions {
-		if version.Introduced != "" {
-			if !semver.IsValid(version.Introduced) {
-				return fmt.Errorf("bad version.introduced")
-			}
-			if err := module.Check(vuln.Package, version.Introduced); err != nil {
-				return err
-			}
-		}
-		if version.Fixed != "" {
-			if !semver.IsValid(version.Fixed) {
-				return fmt.Errorf("bad version.fixed")
-			}
-			if err := module.Check(vuln.Package, version.Fixed); err != nil {
-				return err
-			}
-		}
-	}
-
-	if vuln.Description == "" {
-		return errors.New("missing description")
-	}
-
-	sevs := map[string]bool{
-		"low":      true,
-		"medium":   true,
-		"high":     true,
-		"critical": true,
-	}
-	// Could also just default to medium if not provided?
-	// Need to document what the default case is and what factors lower
-	// or raise the sev
-	if vuln.Severity != "" && !sevs[vuln.Severity] {
-		return fmt.Errorf("unknown severity %q", vuln.Severity)
-	}
-
-	if vuln.CVE != "" && vuln.CVEMetadata != nil && vuln.CVEMetadata.ID != "" {
-		// TODO: may just want to use one of these? :shrug:
-		return errors.New("only one of cve and cve_metadata.id should be present")
-	}
-
-	if vuln.CVE != "" && !cveRegex.MatchString(vuln.CVE) {
-		return fmt.Errorf("malformed CVE number: %s", vuln.CVE)
-	}
-
-	return nil
-}
diff --git a/reports/GO-2020-0001.toml b/reports/GO-2020-0001.toml
index 1885cb1..5b79643 100644
--- a/reports/GO-2020-0001.toml
+++ b/reports/GO-2020-0001.toml
@@ -1,4 +1,4 @@
-package = "github.com/gin-gonic/gin"
+module = "github.com/gin-gonic/gin"
 
 description = """
 The default [`Formatter`][LoggerConfig.Formatter] for the [`Logger`][] middleware
@@ -21,7 +21,7 @@
 commit = "https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d"
 
 [cve_metadata]
-id = "CVE-XXX"
+id = "CVE-XXXX-0001"
 description = """
 Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0
 allows remote attackers to inject arbitary log lines.
diff --git a/reports/GO-2020-0002.toml b/reports/GO-2020-0002.toml
index 3623002..645013e 100644
--- a/reports/GO-2020-0002.toml
+++ b/reports/GO-2020-0002.toml
@@ -1,4 +1,4 @@
-package = "github.com/proglottis/gpgme"
+module = "github.com/proglottis/gpgme"
 
 cve = "CVE-2020-8945"
 
diff --git a/reports/GO-2020-0003.toml b/reports/GO-2020-0003.toml
index 81ddcc1..ac8f71a 100644
--- a/reports/GO-2020-0003.toml
+++ b/reports/GO-2020-0003.toml
@@ -1,4 +1,4 @@
-package = "github.com/revel/revel"
+module = "github.com/revel/revel"
 
 description = """
 If the application accepts
diff --git a/reports/GO-2020-0004.toml b/reports/GO-2020-0004.toml
index 54a1992..09d38e3 100644
--- a/reports/GO-2020-0004.toml
+++ b/reports/GO-2020-0004.toml
@@ -1,4 +1,4 @@
-package = "github.com/nanobox-io/golang-nanoauth"
+module = "github.com/nanobox-io/golang-nanoauth"
 
 description = """
 If any of the `ListenAndServe` functions are called with an empty token,
diff --git a/reports/GO-2020-0005.toml b/reports/GO-2020-0005.toml
index bcdf9db..b17b4a6 100644
--- a/reports/GO-2020-0005.toml
+++ b/reports/GO-2020-0005.toml
@@ -1,4 +1,5 @@
-package = "github.com/etcd-io/etcd/wal"
+module = "go.etcd.io/etcd"
+package = "go.etcd.io/etcd/wal"
 
 description = """
 Malformed WALs can be constructed such that [`WAL.ReadAll`][] can cause attempted
diff --git a/reports/GO-2020-0006.toml b/reports/GO-2020-0006.toml
index cf12ce4..0d8c3a9 100644
--- a/reports/GO-2020-0006.toml
+++ b/reports/GO-2020-0006.toml
@@ -1,4 +1,4 @@
-package = "github.com/miekg/dns"
+module = "github.com/miekg/dns"
 
 description = """
 An attacker may prevent TCP connections to a [`Server`][] by opening
diff --git a/reports/GO-2020-0007.toml b/reports/GO-2020-0007.toml
index d44c60d..6ea9ec4 100644
--- a/reports/GO-2020-0007.toml
+++ b/reports/GO-2020-0007.toml
@@ -1,4 +1,4 @@
-package = "github.com/seccomp/libseccomp-golang"
+module = "github.com/seccomp/libseccomp-golang"
 
 description = """
 Filters containing rules with multiple syscall arguments are improperly
diff --git a/reports/GO-2020-0008.toml b/reports/GO-2020-0008.toml
index 0e23a88..2c9c0e0 100644
--- a/reports/GO-2020-0008.toml
+++ b/reports/GO-2020-0008.toml
@@ -1,4 +1,4 @@
-package = "github.com/miekg/dns"
+module = "github.com/miekg/dns"
 
 description = """
 DNS message transaction IDs are generated using [`math/rand`] which
diff --git a/reports/GO-2020-0009.toml b/reports/GO-2020-0009.toml
index dd55cb5..6d82d8c 100644
--- a/reports/GO-2020-0009.toml
+++ b/reports/GO-2020-0009.toml
@@ -1,3 +1,4 @@
+module = "github.com/square/go-jose"
 package = "github.com/square/go-jose/cipher"
 
 arch = [
@@ -32,7 +33,7 @@
 fixed = "v0.0.0-20160903044734-789a4c4bd4c1"
 
 [[additional_packages]]
-package = "github.com/square/go-jose"
+module = "github.com/square/go-jose"
 symbols = ["JsonWebEncryption.Decrypt", "JsonWebEncryption.DecryptMulti"]
 
 [links]
diff --git a/reports/GO-2020-0010.toml b/reports/GO-2020-0010.toml
index 2659efa..8ffc970 100644
--- a/reports/GO-2020-0010.toml
+++ b/reports/GO-2020-0010.toml
@@ -1,3 +1,4 @@
+module = "github.com/square/go-jose"
 package = "github.com/square/go-jose/cipher"
 
 description = """
@@ -16,7 +17,7 @@
 fixed = "v0.0.0-20160831185616-c7581939a365"
 
 [[additional_packages]]
-package = "github.com/square/go-jose"
+module = "github.com/square/go-jose"
 symbols = ["JsonWebEncryption.Decrypt"]
 
 [links]
diff --git a/reports/GO-2020-0011.toml b/reports/GO-2020-0011.toml
index 81ec824..8638953 100644
--- a/reports/GO-2020-0011.toml
+++ b/reports/GO-2020-0011.toml
@@ -1,4 +1,4 @@
-package = "github.com/square/go-jose"
+module = "github.com/square/go-jose"
 
 description = """
 When decrypting JsonWebEncryption objects with multiple recipients
diff --git a/reports/GO-2020-0012.toml b/reports/GO-2020-0012.toml
index 8ba1186..49c706f 100644
--- a/reports/GO-2020-0012.toml
+++ b/reports/GO-2020-0012.toml
@@ -1,3 +1,4 @@
+module = "golang.org/x/crypto"
 package = "golang.org/x/crypto/ssh"
 
 description = """
diff --git a/reports/GO-2020-0013.toml b/reports/GO-2020-0013.toml
index 2e85d72..b3741d4 100644
--- a/reports/GO-2020-0013.toml
+++ b/reports/GO-2020-0013.toml
@@ -1,3 +1,4 @@
+module = "golang.org/x/crypto"
 package = "golang.org/x/crypto/ssh"
 
 description = """
diff --git a/reports/GO-2020-0014.toml b/reports/GO-2020-0014.toml
index f07863c..89f4c78 100644
--- a/reports/GO-2020-0014.toml
+++ b/reports/GO-2020-0014.toml
@@ -1,3 +1,4 @@
+module = "golang.org/x/net"
 package = "golang.org/x/net/html"
 
 description = """
diff --git a/reports/GO-2020-0015.toml b/reports/GO-2020-0015.toml
index 24136bf..bf0170e 100644
--- a/reports/GO-2020-0015.toml
+++ b/reports/GO-2020-0015.toml
@@ -1,3 +1,4 @@
+module = "golang.org/x/text"
 package = "golang.org/x/text/encoding/unicode"
 
 description = """
@@ -19,6 +20,7 @@
 fixed = "v0.3.3"
 
 [[additional_packages]]
+module = "golang.org/x/text"
 package = "golang.org/x/text/transform"
 symbols = ["Transform"]
 
diff --git a/reports/GO-2020-0016.toml b/reports/GO-2020-0016.toml
index 487e91d..177c9ef 100644
--- a/reports/GO-2020-0016.toml
+++ b/reports/GO-2020-0016.toml
@@ -1,4 +1,4 @@
-package = "github.com/ulikunitz/xz"
+module = "github.com/ulikunitz/xz"
 
 description = """
 An attacker can construct a series of bytes such that calling
diff --git a/reports/GO-2020-0017.toml b/reports/GO-2020-0017.toml
index 66e5753..9010066 100644
--- a/reports/GO-2020-0017.toml
+++ b/reports/GO-2020-0017.toml
@@ -1,4 +1,4 @@
-package = "github.com/dgrijalva/jwt-go"
+module = "github.com/dgrijalva/jwt-go"
 
 description = """
 If a JWT contains an audience claim with an array of strings, rather
@@ -15,13 +15,12 @@
 
 [[versions]]
 introduced = "v0.0.0-20150717181359-44718f8a89b0"
-fixed = "v4.0.0-20190408214815-ec0a89a131e+incompatible"
 
 [[additional_packages]]
-package = "github.com/dgrijalva/jwt-go/v4"
+module = "github.com/dgrijalva/jwt-go/v4"
 symbols = ["MapClaims.VerifyAudience"]
 [[additional_packages.versions]]
-fixed = "v4.0.0-20190408214815-ec0a89a131e3"
+fixed = "v4.0.0-preview1"
 
 [links]
 commit = "https://github.com/dgrijalva/jwt-go/commit/ec0a89a131e3e8567adcb21254a5cd20a70ea4ab"
diff --git a/reports/GO-2020-0018.toml b/reports/GO-2020-0018.toml
index 871f02f..510d8d5 100644
--- a/reports/GO-2020-0018.toml
+++ b/reports/GO-2020-0018.toml
@@ -1,4 +1,5 @@
-package = "github.com/satori/go.uuid"
+module = "github.com/satori/go.uuid"
+
 
 description = """
 UUIDs generated using [`NewV1`] and [`NewV4`] may not read the expected
diff --git a/reports/GO-2020-0019.toml b/reports/GO-2020-0019.toml
index 7b7dfc1..bf92f87 100644
--- a/reports/GO-2020-0019.toml
+++ b/reports/GO-2020-0019.toml
@@ -1,4 +1,4 @@
-package = "github.com/gorilla/websocket"
+module = "github.com/gorilla/websocket"
 
 description = """
 An attacker can craft malicious WebSocket frames that cause an integer
diff --git a/reports/GO-2020-0020.toml b/reports/GO-2020-0020.toml
index dc6c2e1..eac3e21 100644
--- a/reports/GO-2020-0020.toml
+++ b/reports/GO-2020-0020.toml
@@ -1,4 +1,4 @@
-package = "github.com/gorilla/handlers"
+module = "github.com/gorilla/handlers"
 
 description = """
 Usage of the [`CORS`] handler may apply improper CORS headers, allowing
@@ -15,4 +15,11 @@
 
 [links]
 pr = "https://github.com/gorilla/handlers/pull/116"
-commit = "https://github.com/gorilla/handlers/commit/90663712d74cb411cbef281bc1e08c19d1a76145"
\ No newline at end of file
+commit = "https://github.com/gorilla/handlers/commit/90663712d74cb411cbef281bc1e08c19d1a76145"
+
+[cve_metadata]
+id = "CVE-XXXX-0005"
+description = """
+
+"""
+cwe = ""
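Review bot: The new `[cve_metadata]` stanza at lines 631–636 lands with an empty `description` and an empty `cwe`, and `Report.Lint` in this change only validates the top-level description and the presence of `cve_metadata.id`, so this placeholder passes linting silently. Either fill the fields before landing or have Lint reject an empty `cve_metadata.description` whenever the stanza is present.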
diff --git a/reports/GO-2020-0021.toml b/reports/GO-2020-0021.toml
index 064a8b0..e6c148b 100644
--- a/reports/GO-2020-0021.toml
+++ b/reports/GO-2020-0021.toml
@@ -1,4 +1,4 @@
-package = "github.com/gogits/gogs"
+module = "github.com/gogits/gogs"
 
 description = """
 Multiple methods are vulnerable to SQL injection attacks as unsanitized
@@ -12,7 +12,6 @@
 symbols = ["GetIssues", "SearchRepositoryByName", "SearchUserByName"]
 
 [[versions]]
-introduced = "v0.3.1-9-g49dc57e"
 fixed = "v0.5.8"
 
 [links]
diff --git a/reports/GO-2020-0022.toml b/reports/GO-2020-0022.toml
index 3a9b4e8..ea5fa71 100644
--- a/reports/GO-2020-0022.toml
+++ b/reports/GO-2020-0022.toml
@@ -1,4 +1,4 @@
-package = "github.com/cloudflare/golz4"
+module = "github.com/cloudflare/golz4"
 
 description = """
 LZ4 bindings used a deprecated C API that is vulnerable to
diff --git a/reports/GO-2020-0023.toml b/reports/GO-2020-0023.toml
index feaee24..b1d637a 100644
--- a/reports/GO-2020-0023.toml
+++ b/reports/GO-2020-0023.toml
@@ -1,4 +1,4 @@
-package = "github.com/robbert229/jwt"
+module = "github.com/robbert229/jwt"
 
 description = """
 [`Validate`] used non-constant time string comparison to
diff --git a/reports/GO-2020-0024.toml b/reports/GO-2020-0024.toml
index 91e4649..14d244a 100644
--- a/reports/GO-2020-0024.toml
+++ b/reports/GO-2020-0024.toml
@@ -1,3 +1,4 @@
+module = "github.com/btcsuite/go-socks"
 package = "github.com/btcsuite/go-socks/socks"
 
 description = """
@@ -11,6 +12,7 @@
 fixed = "v0.0.0-20130808000456-233bccbb1abe"
 
 [[additional_packages]]
+module = "github.com/btcsuitereleases/go-socks"
 package = "github.com/btcsuitereleases/go-socks/socks"
 symbols = ["proxiedConn.LocalAddr", "proxiedConn.RemoteAddr"]
 [[additional_packages.versions]]
diff --git a/reports/GO-2020-0025.toml b/reports/GO-2020-0025.toml
index 12c1415..cd0bb4f 100644
--- a/reports/GO-2020-0025.toml
+++ b/reports/GO-2020-0025.toml
@@ -1,4 +1,4 @@
-package = "github.com/cloudfoundry/archiver"
+module = "github.com/cloudfoundry/archiver"
 
 description = """
 Malicious Zip and Tar archives can be crafted that contain relative
@@ -12,7 +12,7 @@
 fixed = "v0.0.0-20180523222229-09b5706aa936"
 
 [[additional_packages]]
-package = "code.cloudfoundry.org/archiver"
+module = "code.cloudfoundry.org/archiver"
 symbols = ["tgzExtractor.Extract", "zipExtractor.Extract"]
 [[versions]]
 fixed = "v0.0.0-20180523222229-09b5706aa936"
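Review bot: The `[[versions]]` header at line 709, directly under the rewritten `[[additional_packages]]` stanza, appends to the report's top-level versions array rather than to the additional package's (the other reports in this change use `[[additional_packages.versions]]` for that, e.g. GO-2020-0017), so `code.cloudfoundry.org/archiver` ends up with no version range and `checkModVersions` has nothing to verify for it. The header is pre-existing, but since the stanza is being edited it is worth changing to `[[additional_packages.versions]]` in the same pass.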
diff --git a/reports/GO-2020-0026.toml b/reports/GO-2020-0026.toml
index 3ff9545..8734566 100644
--- a/reports/GO-2020-0026.toml
+++ b/reports/GO-2020-0026.toml
@@ -1,3 +1,4 @@
+module = "github.com/openshift/source-to-image"
 package = "github.com/openshift/source-to-image/pkg/tar"
 
 description = """
diff --git a/reports/GO-2020-0027.toml b/reports/GO-2020-0027.toml
index 1d06e60..d10fdfa 100644
--- a/reports/GO-2020-0027.toml
+++ b/reports/GO-2020-0027.toml
@@ -1,3 +1,4 @@
+module = "github.com/google/fscrypt"
 package = "github.com/google/fscrypt/pam"
 
 description = """
@@ -14,6 +15,7 @@
 fixed = "v0.2.4"
 
 [[additional_packages]]
+module = "github.com/google/fscrypt"
 package = "github.com/google/fscrypt/security"
 symbols = ["UserKeyringID"]
 
diff --git a/reports/GO-2020-0028.toml b/reports/GO-2020-0028.toml
index 48d80ed..c7ef35e 100644
--- a/reports/GO-2020-0028.toml
+++ b/reports/GO-2020-0028.toml
@@ -1,4 +1,4 @@
-package = "github.com/miekg/dns"
+module = "github.com/miekg/dns"
 
 description = """
 An attacker can craft a malicious DNS zone file which will cause
diff --git a/reports/GO-2020-0029.toml b/reports/GO-2020-0029.toml
index df02fab..096eb2d 100644
--- a/reports/GO-2020-0029.toml
+++ b/reports/GO-2020-0029.toml
@@ -1,4 +1,4 @@
-package = "github.com/gin-gonic/gin"
+module = "github.com/gin-gonic/gin"
 
 description = """
 An attacker can spoof their source IP address by setting the X-Forwarded-For
@@ -10,7 +10,7 @@
 symbols = ["Context.ClientIP"]
 
 [[versions]]
-fixed = "v0.5.0"
+fixed = "v0.0.0-20141229113116-0099840c98ae"
 
 [links]
 commit = "https://github.com/gin-gonic/gin/commit/0099840c98ae1473c5ff0f18bc93a8e13ceed829"
\ No newline at end of file
diff --git a/reports/GO-2020-0030.toml b/reports/GO-2020-0030.toml
index ece344f..4a6f391 100644
--- a/reports/GO-2020-0030.toml
+++ b/reports/GO-2020-0030.toml
@@ -1,4 +1,4 @@
-package = "github.com/go-gorm/gorm"
+module = "gorm.io/gorm"
 
 description = """
 Multiple methods are vulnerable to blind SQL injection attacks
@@ -12,10 +12,6 @@
 [[versions]]
 fixed = "v0.2.0"
 
-[[additional_packages]]
-package = "github.com/jinzhu/gorm"
-symbols = ["Scope.buildCondition"]
-
 [links]
 commit = "https://github.com/go-gorm/gorm/commit/836fb2c19d84dac7b0272958dfb9af7cf0d0ade4"
 context = ["https://github.com/go-gorm/gorm/issues/2517"]
\ No newline at end of file
diff --git a/reports/GO-2020-0031.toml b/reports/GO-2020-0031.toml
index fede0ad..0c3a8bb 100644
--- a/reports/GO-2020-0031.toml
+++ b/reports/GO-2020-0031.toml
@@ -1,4 +1,4 @@
-package = "github.com/proglottis/gpgme"
+module = "github.com/proglottis/gpgme"
 
 description = """
 The C bindings for the GPGME contain a number of use-after-free issues
diff --git a/reports/GO-2020-0032.toml b/reports/GO-2020-0032.toml
index 5d141ee..2728a8c 100644
--- a/reports/GO-2020-0032.toml
+++ b/reports/GO-2020-0032.toml
@@ -1,4 +1,4 @@
-package = "github.com/goadesign/goa"
+module = "github.com/goadesign/goa"
 
 description = """
 [`Controller.FileHandler`] allows for directory traversal attacks due
@@ -13,13 +13,13 @@
 fixed = "v1.4.3"
 
 [[additional_packages]]
-package = "github.com/goadesign/goa/v2"
+module = "goa.design/goa"
 symbols = ["Controller.FileHandler"]
 [[additional_packages.versions]]
-fixed = "v2.0.10"
+fixed = "v1.4.3"
 
 [[additional_packages]]
-package = "github.com/goadesign/goa/v3"
+module = "goa.design/goa/v3"
 symbols = ["Controller.FileHandler"]
 [[additional_packages.versions]]
 fixed = "v3.0.9"
diff --git a/reports/GO-2020-0033.toml b/reports/GO-2020-0033.toml
index a55e0a0..ed52790 100644
--- a/reports/GO-2020-0033.toml
+++ b/reports/GO-2020-0033.toml
@@ -1,4 +1,4 @@
-package = "github.com/go-aah/aah"
+module = "aahframe.work"
 
 description = """
 [`HTTPEngine.Handle`] allows for directory traversal attacks due
diff --git a/reports/GO-2020-0034.toml b/reports/GO-2020-0034.toml
index c110c7b..87647bf 100644
--- a/reports/GO-2020-0034.toml
+++ b/reports/GO-2020-0034.toml
@@ -1,4 +1,4 @@
-package = "github.com/artdarek/go-unzip"
+module = "github.com/artdarek/go-unzip"
 
 description = """
 Malicious Zip archives can be crafted that contain relative file paths,
diff --git a/reports/GO-2020-0035.toml b/reports/GO-2020-0035.toml
index 34ee60c..2691849 100644
--- a/reports/GO-2020-0035.toml
+++ b/reports/GO-2020-0035.toml
@@ -1,4 +1,4 @@
-package = "github.com/yi-ge/unzip"
+module = "github.com/yi-ge/unzip"
 
 description = """
 Malicious Zip archives can be crafted that contain relative file paths,
diff --git a/reports/GO-2020-0036.toml b/reports/GO-2020-0036.toml
index a13c6c0..01c1861 100644
--- a/reports/GO-2020-0036.toml
+++ b/reports/GO-2020-0036.toml
@@ -1,4 +1,4 @@
-package = "gopkg.in/yaml.v2"
+module = "gopkg.in/yaml.v2"
 
 description = """
 An attacker can craft malicious YAML which will consume significant
@@ -12,12 +12,6 @@
 [[versions]]
 fixed = "v2.2.8"
 
-[[additional_packages]]
-package = "github.com/go-yaml/yaml"
-symbols = ["yaml_parser_fetch_more_tokens"]
-[[additional_packages.versions]]
-fixed = "v2.2.8"
-
 [links]
 commit = "https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48"
 pr = "https://github.com/go-yaml/yaml/pull/555"
diff --git a/reports/GO-2020-0037.toml b/reports/GO-2020-0037.toml
index 64e1280..657c7d4 100644
--- a/reports/GO-2020-0037.toml
+++ b/reports/GO-2020-0037.toml
@@ -1,3 +1,4 @@
+module = "github.com/tendermint/tendermint"
 package = "github.com/tendermint/tendermint/rpc/client"
 
 description = """
diff --git a/reports/GO-2020-0038.toml b/reports/GO-2020-0038.toml
index c1e58ca..f2e86c8 100644
--- a/reports/GO-2020-0038.toml
+++ b/reports/GO-2020-0038.toml
@@ -1,4 +1,4 @@
-package = "github.com/pion/dtls"
+module = "github.com/pion/dtls"
 
 description = """
 An attacker can craft records that allow the processing of arbitrary
diff --git a/reports/GO-2020-0039.toml b/reports/GO-2020-0039.toml
index 9f4fb9a..00beb88 100644
--- a/reports/GO-2020-0039.toml
+++ b/reports/GO-2020-0039.toml
@@ -1,4 +1,4 @@
-package = "github.com/go-macaron/macaron"
+module = "gopkg.in/macaron.v1"
 
 description = """
 An attacker can craft a malicious URL which will cause the server
@@ -14,12 +14,6 @@
 [[versions]]
 fixed = "v1.3.7"
 
-[[additional_packages]]
-package = "gopkg.in/macaron.v1"
-symbols = ["staticHandler"]
-[[additional_packages.versions]]
-fixed = "v1.3.7"
-
 [links]
 commit = "https://github.com/go-macaron/macaron/commit/addc7461c3a90a040e79aa75bfd245107a210245"
 pr = "https://github.com/go-macaron/macaron/pull/199"
diff --git a/reports/GO-2020-0040.toml b/reports/GO-2020-0040.toml
index 8580311..0e4e0b6 100644
--- a/reports/GO-2020-0040.toml
+++ b/reports/GO-2020-0040.toml
@@ -1,4 +1,4 @@
-package = "github.com/shiyanhui/dht"
+module = "github.com/shiyanhui/dht"
 
 description = """
 A malicious peer can craft messages which will cause panics due to
diff --git a/reports/GO-2020-0041.toml b/reports/GO-2020-0041.toml
index 2a02d72..a4b5a28 100644
--- a/reports/GO-2020-0041.toml
+++ b/reports/GO-2020-0041.toml
@@ -1,3 +1,4 @@
+module = "github.com/unknwon/cae"
 package = "github.com/unknwon/cae/tz"
 
 description = """
@@ -14,6 +15,7 @@
 fixed = "v1.0.1"
 
 [[additional_packages]]
+module = "github.com/unknwon/cae"
 package = "github.com/unknwon/cae/zip"
 symbols = ["ZipArchive.Open", "ZipArchive.ExtractToFunc"]
 [[additional_packages.versions]]
diff --git a/reports/GO-2020-0042.toml b/reports/GO-2020-0042.toml
index 88c9269..4e1149c 100644
--- a/reports/GO-2020-0042.toml
+++ b/reports/GO-2020-0042.toml
@@ -1,3 +1,4 @@
+module = "github.com/sassoftware/go-rpmutils"
 package = "github.com/sassoftware/go-rpmutils/cpio"
 
 description = """
diff --git a/reports/GO-2020-0043.toml b/reports/GO-2020-0043.toml
index d3c312c..dcebbc9 100644
--- a/reports/GO-2020-0043.toml
+++ b/reports/GO-2020-0043.toml
@@ -1,3 +1,4 @@
+module = "github.com/mholt/caddy"
 package = "github.com/mholt/caddy/caddyhttp/httpserver"
 
 description = """
@@ -14,12 +15,6 @@
 [[versions]]
 fixed = "v0.10.13"
 
-[[additional_packages]]
-package = "github.com/mholt/caddy/caddyhttp/httpserver"
-symbols = ["httpContext.MakeServers", "Server.serveHTTP", "assertConfigsCompatible"]
-[[additional_packages.versions]]
-fixed = "v0.10.13"
-
 [links]
 commit = "https://github.com/caddyserver/caddy/commit/4d9ee000c8d2cbcdd8284007c1e0f2da7bc3c7c3"
 pr = "https://github.com/caddyserver/caddy/pull/2099"
diff --git a/reports/GO-2020-0044.toml b/reports/GO-2020-0044.toml
index f4f4747..2245a3f 100644
--- a/reports/GO-2020-0044.toml
+++ b/reports/GO-2020-0044.toml
@@ -1,4 +1,5 @@
-package = "github.com/beego/beego/session"
+module = "github.com/astaxie/beego"
+package = "github.com/astaxie/beego/session"
 
 description = """
 An attacker can craft a malicious URL which lead to XSS due to
diff --git a/reports/GO-2020-0045.toml b/reports/GO-2020-0045.toml
index e7a2e6e..a59341b 100644
--- a/reports/GO-2020-0045.toml
+++ b/reports/GO-2020-0045.toml
@@ -1,4 +1,4 @@
-package = "github.com/dinever/golf"
+module = "github.com/dinever/golf"
 
 description = """
 CSRF tokens are generated using math/rand, making predicting their values
diff --git a/reports/GO-2020-0046.toml b/reports/GO-2020-0046.toml
index 9783732..d49ebb9 100644
--- a/reports/GO-2020-0046.toml
+++ b/reports/GO-2020-0046.toml
@@ -1,4 +1,4 @@
-package = "github.com/russellhaering/goxmldsig"
+module = "github.com/russellhaering/goxmldsig"
 
 description = """
 An attacker can craft a malformed XML Digital Signature which when
@@ -15,7 +15,7 @@
 fixed = "v1.1.0"
 
 [[additional_packages]]
-package = "github.com/russellhaering/gosaml2"
+module = "github.com/russellhaering/gosaml2"
 symbols = ["SAMLServiceProvider.validateAssertionSignatures"]
 [[additional_packages.versions]]
 fixed = "v0.6.0"
diff --git a/reports/GO-2020-0047.toml b/reports/GO-2020-0047.toml
index ac6adbe..2bb9d41 100644
--- a/reports/GO-2020-0047.toml
+++ b/reports/GO-2020-0047.toml
@@ -1,4 +1,4 @@
-package = "github.com/RobotsAndPencils/go-saml"
+module = "github.com/RobotsAndPencils/go-saml"
 
 description = """
 XML Digital Signatures generated and validated using this package use
diff --git a/reports/GO-2020-0048.toml b/reports/GO-2020-0048.toml
index b6a9834..c043f23 100644
--- a/reports/GO-2020-0048.toml
+++ b/reports/GO-2020-0048.toml
@@ -1,4 +1,4 @@
-package = "github.com/antchfx/xmlquery"
+module = "github.com/antchfx/xmlquery"
 
 description = """
 [`LoadURL`] does not check the Content-Type of loaded resources,
diff --git a/reports/GO-2020-0049.toml b/reports/GO-2020-0049.toml
index 93d877b..4c34816 100644
--- a/reports/GO-2020-0049.toml
+++ b/reports/GO-2020-0049.toml
@@ -1,4 +1,4 @@
-package = "github.com/justinas/nosurf"
+module = "github.com/justinas/nosurf"
 
 description = """
 [`VerifyToken`] can be bypassed if the expected token contains malformed Base64.
diff --git a/reports/GO-2020-0050.toml b/reports/GO-2020-0050.toml
index ce396a0..ed17357 100644
--- a/reports/GO-2020-0050.toml
+++ b/reports/GO-2020-0050.toml
@@ -1,4 +1,4 @@
-package = "github.com/russellhaering/goxmldsig"
+module = "github.com/russellhaering/goxmldsig"
 
 description = """
 An attacker can craft an XML file which will cause signature verification
diff --git a/reports/GO-2021-0051.toml b/reports/GO-2021-0051.toml
index 65f36b9..813cbb9 100644
--- a/reports/GO-2021-0051.toml
+++ b/reports/GO-2021-0051.toml
@@ -1,4 +1,4 @@
-package = "github.com/labstack/echo/v4"
+module = "github.com/labstack/echo/v4"
 
 description = """
 On Windows the static route handler does not properly santize the
diff --git a/reports/GO-2021-0052.toml b/reports/GO-2021-0052.toml
index a40528c..36e56f8 100644
--- a/reports/GO-2021-0052.toml
+++ b/reports/GO-2021-0052.toml
@@ -1,4 +1,4 @@
-package = "github.com/gin-gonic/gin"
+module = "github.com/gin-gonic/gin"
 
 description = """
 When used without an internet facing proxy, an adversary can spoof
diff --git a/reports/GO-2021-0053.toml b/reports/GO-2021-0053.toml
index 0e9038f..0afeafd 100644
--- a/reports/GO-2021-0053.toml
+++ b/reports/GO-2021-0053.toml
@@ -1,4 +1,4 @@
-package = "github.com/gogo/protobuf"
+module = "github.com/gogo/protobuf"
 
 description = """
 Generated Unmarshal methods do not include proper index bounds validation,
diff --git a/reports/GO-2021-0054.toml b/reports/GO-2021-0054.toml
index 666ab5a..c43c1b2 100644
--- a/reports/GO-2021-0054.toml
+++ b/reports/GO-2021-0054.toml
@@ -1,4 +1,4 @@
-package = "github.com/tidwall/gjson"
+module = "github.com/tidwall/gjson"
 
 description = """
 Maliciously crafted JSON messages can cause an out-of-bounds panic.
diff --git a/reports/GO-2021-0055.toml b/reports/GO-2021-0055.toml
deleted file mode 100644
index 5eecc81..0000000
--- a/reports/GO-2021-0055.toml
+++ /dev/null
@@ -1,19 +0,0 @@
-package = "github.com/dexidp/dex/connector/saml/v2"
-
-description = """
-An XML message can be maliciously crafted such that signature
-verification is bypassed.
-"""
-
-cve = "CVE-2020-15216"
-
-credit = "Juho Nurminen (Mattermost)"
-
-symbols = ["provider.HandlePOST"]
-
-[[versions]]
-fixed = "v2.27.0"
-
-[links]
-commit = "https://github.com/dexidp/dex/commit/324b1c886b407594196113a3dbddebe38eecd4e8"
-context = ["https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5"]
\ No newline at end of file
diff --git a/reports/GO-2021-0056.toml b/reports/GO-2021-0056.toml
index 6eef503..19192df 100644
--- a/reports/GO-2021-0056.toml
+++ b/reports/GO-2021-0056.toml
@@ -1,4 +1,4 @@
-package = "github.com/russellhaering/goxmldsig"
+module = "github.com/russellhaering/goxmldsig"
 
 description = """
 An XML message can be maliciously crafted such that signature
diff --git a/reports/GO-2021-0057.toml b/reports/GO-2021-0057.toml
index 8621e7d..65f0dd4 100644
--- a/reports/GO-2021-0057.toml
+++ b/reports/GO-2021-0057.toml
@@ -1,4 +1,4 @@
-package = "github.com/buger/jsonparser"
+module = "github.com/buger/jsonparser"
 
 description = """
 Malicious input can cause an out-of-bounds panic.
diff --git a/reports/GO-2021-0058.toml b/reports/GO-2021-0058.toml
index cf32623..fe1a648 100644
--- a/reports/GO-2021-0058.toml
+++ b/reports/GO-2021-0058.toml
@@ -1,4 +1,4 @@
-package = "github.com/crewjam/saml"
+module = "github.com/crewjam/saml"
 
 description = """
 An XML message can be maliciously crafted such that signature
@@ -20,12 +20,14 @@
 fixed = "v0.4.3"
 
 [[additional_packages]]
+module = "github.com/crewjam/saml"
 package = "github.com/crewjam/saml/samlidp"
 smybols = ["getSPMetadata"]
 [[additional_packages.versions]]
 fixed = "v0.4.3"
 
 [[additional_packages]]
+module = "github.com/crewjam/saml"
 package = "github.com/crewjam/saml/samlsp"
 smybols = ["ParseMetadata"]
 [[additional_packages.versions]]
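Review bot: The `smybols` key on the line following each added `module = "github.com/crewjam/saml"` line (both `[[additional_packages]]` tables in this hunk) is a misspelling of `symbols`, so these two entries effectively carry no symbol list, and the report linter this commit introduces presumably accepts the file as is. If the linter decodes reports with a tolerant TOML decoder, a misspelled key is silently dropped rather than rejected, which turns a typo into a missing vulnerable-symbol filter for the entry. The entries should read `symbols = ["getSPMetadata"]` and `symbols = ["ParseMetadata"]`, and it would be worth having the linter fail on unrecognised keys (strict decoding) so this class of mistake cannot land again.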
diff --git a/reports/GO-2021-0059.toml b/reports/GO-2021-0059.toml
index cdd9707..9a76db8 100644
--- a/reports/GO-2021-0059.toml
+++ b/reports/GO-2021-0059.toml
@@ -1,4 +1,4 @@
-package = "github.com/tidwall/gjson"
+module = "github.com/tidwall/gjson"
 
 description = """
 Maliciously crafted JSON messages can cause an out-of-bounds panic.
diff --git a/reports/GO-2021-0060.toml b/reports/GO-2021-0060.toml
index 15bb121..1c3f9a2 100644
--- a/reports/GO-2021-0060.toml
+++ b/reports/GO-2021-0060.toml
@@ -1,4 +1,4 @@
-package = "github.com/russellhaering/gosaml2"
+module = "github.com/russellhaering/gosaml2"
 
 description = """
 An XML message can be maliciously crafted such that signature
diff --git a/reports/GO-2021-0061.toml b/reports/GO-2021-0061.toml
index 9fb3059..5f8c518 100644
--- a/reports/GO-2021-0061.toml
+++ b/reports/GO-2021-0061.toml
@@ -1,4 +1,4 @@
-package = "gopkg.in/yaml.v2"
+module = "gopkg.in/yaml.v2"
 
 description = """
 A maliciously crafted input can cause resource exhaustion due to
@@ -12,12 +12,6 @@
 [[versions]]
 fixed = "v2.2.3"
 
-[[additional_packages]]
-package = "github.com/go-yaml/yaml"
-symbols = ["decoder.unmarshal"]
-[[additional_packages.versions]]
-fixed = "v2.2.3"
-
 [links]
 commit = "https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241"
 pr = "https://github.com/go-yaml/yaml/pull/375"
\ No newline at end of file
diff --git a/reports/GO-2021-0062.toml b/reports/GO-2021-0062.toml
index 1cc20c8..0901cd4 100644
--- a/reports/GO-2021-0062.toml
+++ b/reports/GO-2021-0062.toml
@@ -1,3 +1,4 @@
+module = "k8s.io/apiextensions-apiserver"
 package = "k8s.io/apiextensions-apiserver/pkg/apiserver"
 
 description = """
@@ -13,6 +14,7 @@
 fixed = "v0.17.0"
 
 [[additional_packages]]
+module = "k8s.io/kubernetes"
 package = "k8s.io/kubernetes/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver"
 symbols = ["NewCustomResourceDefinitionHandler"]
 [[additional_packages.versions]]
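Review bot: The `package` path under the added `module = "k8s.io/kubernetes"` line, `k8s.io/kubernetes/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver`, does not appear to be an importable package of that module: the staging directories in that repository carry their own go.mod (here declaring module k8s.io/apiextensions-apiserver), so the path lies in a nested module and cannot resolve as a package of k8s.io/kubernetes. If the proxy-based lint only validates the module path and checks that the package path has the module path as a prefix, this entry passes the lint while still not matching any real go.mod/build list; the same applies to the `k8s.io/kubernetes/staging/src/k8s.io/client-go/transport` entries in GO-2021-0064 and GO-2021-0065. Consider dropping these entries in favour of the primary module/package tables (the canonical import paths), or extending the lint to confirm that the package directory exists in the module zip served by the proxy rather than relying on a prefix match.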
diff --git a/reports/GO-2021-0063.toml b/reports/GO-2021-0063.toml
index b8db91f..15e9e71 100644
--- a/reports/GO-2021-0063.toml
+++ b/reports/GO-2021-0063.toml
@@ -1,3 +1,4 @@
+module = "github.com/ethereum/go-ethereum"
 package = "github.com/ethereum/go-ethereum/les"
 
 description = """
diff --git a/reports/GO-2021-0064.toml b/reports/GO-2021-0064.toml
index 14d3a86..a15bb2f 100644
--- a/reports/GO-2021-0064.toml
+++ b/reports/GO-2021-0064.toml
@@ -1,3 +1,4 @@
+module = "k8s.io/client-go"
 package = "k8s.io/client-go/transport"
 
 description = """
@@ -15,6 +16,7 @@
 fixed = "v0.20.0-alpha.2"
 
 [[additional_packages]]
+module = "k8s.io/kubernetes"
 package = "k8s.io/kubernetes/staging/src/k8s.io/client-go/transport"
 symbols = ["requestInfo.toCurl"]
 [[additional_packages.versions]]
diff --git a/reports/GO-2021-0065.toml b/reports/GO-2021-0065.toml
index 1708a5d..007e78b 100644
--- a/reports/GO-2021-0065.toml
+++ b/reports/GO-2021-0065.toml
@@ -1,3 +1,4 @@
+module = "k8s.io/client-go"
 package = "k8s.io/client-go/transport"
 
 description = """
@@ -13,6 +14,7 @@
 fixed = "v0.17.0"
 
 [[additional_packages]]
+module = "k8s.io/kubernetes"
 package = "k8s.io/kubernetes/staging/src/k8s.io/client-go/transport"
 symbols = ["debuggingRoundTripper.RoundTrip"]
 [[additional_packages.versions]]
diff --git a/reports/GO-2021-0066.toml b/reports/GO-2021-0066.toml
index 5e4a330..d31c7d8 100644
--- a/reports/GO-2021-0066.toml
+++ b/reports/GO-2021-0066.toml
@@ -1,3 +1,4 @@
+module = "k8s.io/kubernetes"
 package = "k8s.io/kubernetes/pkg/credentialprovider"
 
 description = """