data/reports: fix GO-2020-0037.yaml
Add vulnerable_at and fix package name
Aliases: CVE-2019-25072, GHSA-3fm3-m23v-5r46
Updates golang/vulndb#37
Change-Id: I15428732073abd411b33ba6c5bb145d7a385dbac
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/462136
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Auto-Submit: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/data/cve/v5/GO-2020-0037.json b/data/cve/v5/GO-2020-0037.json
index 7c1d9a1..e5da18c 100644
--- a/data/cve/v5/GO-2020-0037.json
+++ b/data/cve/v5/GO-2020-0037.json
@@ -18,9 +18,9 @@
"affected": [
{
"vendor": "github.com/tendermint/tendermint",
- "product": "github.com/tendermint/tendermint/rpc/client",
+ "product": "github.com/tendermint/tendermint/rpc/lib/client",
"collectionURL": "https://pkg.go.dev",
- "packageName": "github.com/tendermint/tendermint/rpc/client",
+ "packageName": "github.com/tendermint/tendermint/rpc/lib/client",
"versions": [
{
"version": "0",
@@ -32,6 +32,12 @@
"programRoutines": [
{
"name": "makeHTTPClient"
+ },
+ {
+ "name": "NewJSONRPCClient"
+ },
+ {
+ "name": "NewURIClient"
}
],
"defaultStatus": "unaffected"
diff --git a/data/osv/GO-2020-0037.json b/data/osv/GO-2020-0037.json
index b72d063..8f50bb2 100644
--- a/data/osv/GO-2020-0037.json
+++ b/data/osv/GO-2020-0037.json
@@ -32,8 +32,10 @@
"ecosystem_specific": {
"imports": [
{
- "path": "github.com/tendermint/tendermint/rpc/client",
+ "path": "github.com/tendermint/tendermint/rpc/lib/client",
"symbols": [
+ "NewJSONRPCClient",
+ "NewURIClient",
"makeHTTPClient"
]
}
diff --git a/data/reports/GO-2020-0037.yaml b/data/reports/GO-2020-0037.yaml
index 35e18a8..a8731c3 100644
--- a/data/reports/GO-2020-0037.yaml
+++ b/data/reports/GO-2020-0037.yaml
@@ -2,10 +2,14 @@
- module: github.com/tendermint/tendermint
versions:
- fixed: 0.31.1
+ vulnerable_at: 0.31.0
packages:
- - package: github.com/tendermint/tendermint/rpc/client
+ - package: github.com/tendermint/tendermint/rpc/lib/client
symbols:
- makeHTTPClient
+ derived_symbols:
+ - NewJSONRPCClient
+ - NewURIClient
description: |
Due to support of Gzip compression in request bodies, as well
as a lack of limiting response body sizes, a malicious server
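Review bot: The added `vulnerable_at: 0.31.0` ties symbol verification to one release, while the range above it has only `fixed: 0.31.1` and no `introduced`, so every earlier release is reported as affected under the corrected path `rpc/lib/client`. If that package, or the constructors `NewJSONRPCClient` and `NewURIClient`, had a different path or name in older releases, symbol-level scanning could miss importers pinned to them; nothing in the diff shows whether this was checked. I would add an `introduced:` bound once the first affected release is known, or record the limit beside the version, e.g. `# symbols verified at 0.31.0 only; earlier package layout not checked`. The `description` block continues past the end of this hunk.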