commit 3a03dfb4c3c0b2ae22c25164278cf34de084f4e1
author Tatiana Bradley <tatianabradley@google.com> Fri Jan 13 16:22:48 2023 -0500
committer Gopher Robot <gobot@golang.org> Sat Jan 14 00:31:00 2023 +0000
tree 2379d0a4a95f08d6fbdc9528b59a00ef90594962
parent 4c0ad27b355592306e8d3c79af319021b627c28b

data/reports: fix GO-2020-0037.yaml

Add vulnerable_at and fix package name

Aliases: CVE-2019-25072, GHSA-3fm3-m23v-5r46

Updates golang/vulndb#37

Change-Id: I15428732073abd411b33ba6c5bb145d7a385dbac
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/462136
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Auto-Submit: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>

data/cve/v5/GO-2020-0037.json

diff --git a/data/cve/v5/GO-2020-0037.json b/data/cve/v5/GO-2020-0037.json
index 7c1d9a1..e5da18c 100644
--- a/data/cve/v5/GO-2020-0037.json
+++ b/data/cve/v5/GO-2020-0037.json
@@ -18,9 +18,9 @@
       "affected": [
         {
           "vendor": "github.com/tendermint/tendermint",
-          "product": "github.com/tendermint/tendermint/rpc/client",
+          "product": "github.com/tendermint/tendermint/rpc/lib/client",
           "collectionURL": "https://pkg.go.dev",
-          "packageName": "github.com/tendermint/tendermint/rpc/client",
+          "packageName": "github.com/tendermint/tendermint/rpc/lib/client",
           "versions": [
             {
               "version": "0",
@@ -32,6 +32,12 @@
           "programRoutines": [
             {
               "name": "makeHTTPClient"
+            },
+            {
+              "name": "NewJSONRPCClient"
+            },
+            {
+              "name": "NewURIClient"
             }
           ],
           "defaultStatus": "unaffected"

data/osv/GO-2020-0037.json

diff --git a/data/osv/GO-2020-0037.json b/data/osv/GO-2020-0037.json
index b72d063..8f50bb2 100644
--- a/data/osv/GO-2020-0037.json
+++ b/data/osv/GO-2020-0037.json
@@ -32,8 +32,10 @@
       "ecosystem_specific": {
         "imports": [
           {
-            "path": "github.com/tendermint/tendermint/rpc/client",
+            "path": "github.com/tendermint/tendermint/rpc/lib/client",
             "symbols": [
+              "NewJSONRPCClient",
+              "NewURIClient",
               "makeHTTPClient"
             ]
           }

data/reports/GO-2020-0037.yaml

diff --git a/data/reports/GO-2020-0037.yaml b/data/reports/GO-2020-0037.yaml
index 35e18a8..a8731c3 100644
--- a/data/reports/GO-2020-0037.yaml
+++ b/data/reports/GO-2020-0037.yaml
@@ -2,10 +2,14 @@
   - module: github.com/tendermint/tendermint
     versions:
       - fixed: 0.31.1
+    vulnerable_at: 0.31.0
     packages:
-      - package: github.com/tendermint/tendermint/rpc/client
+      - package: github.com/tendermint/tendermint/rpc/lib/client
         symbols:
           - makeHTTPClient
+        derived_symbols:
+          - NewJSONRPCClient
+          - NewURIClient
 description: |
     Due to support of Gzip compression in request bodies, as well
     as a lack of limiting response body sizes, a malicious server