data/reports: review 2 reports
- data/reports/GO-2025-3262.yaml
- data/reports/GO-2025-3510.yaml
Updates golang/vulndb#3262
Fixes golang/vulndb#3739
Updates golang/vulndb#3510
Fixes golang/vulndb#3738
Change-Id: I3ff188a711ef0c7b009bb7ffcd8aaa66b969c6c9
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/680957
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/data/osv/GO-2024-3262.json b/data/osv/GO-2024-3262.json
index b53a1de..92343c5 100644
--- a/data/osv/GO-2024-3262.json
+++ b/data/osv/GO-2024-3262.json
@@ -21,6 +21,9 @@
"events": [
{
"introduced": "0"
+ },
+ {
+ "fixed": "1.9.2"
}
]
}
@@ -34,10 +37,6 @@
"url": "https://github.com/advisories/GHSA-2w5v-x29g-jw7j"
},
{
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10975"
- },
- {
"type": "FIX",
"url": "https://github.com/hashicorp/nomad/commit/30849c518e16647a4f698e5f5cc82bef2bf40e4d"
},
@@ -48,6 +47,6 @@
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-3262",
- "review_status": "UNREVIEWED"
+ "review_status": "REVIEWED"
}
}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3510.json b/data/osv/GO-2025-3510.json
index 195c1f8..000920c 100644
--- a/data/osv/GO-2025-3510.json
+++ b/data/osv/GO-2025-3510.json
@@ -7,8 +7,8 @@
"CVE-2025-1296",
"GHSA-c3q9-q986-vrwh"
],
- "summary": "Nomad is vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs in github.com/hashicorp/nomad",
- "details": "Nomad is vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs in github.com/hashicorp/nomad",
+ "summary": "Unintentional exposure of the workload identity token and client secret in logs in github.com/hashicorp/nomad",
+ "details": "Unintentional exposure of the workload identity token and client secret in logs in github.com/hashicorp/nomad",
"affected": [
{
"package": {
@@ -21,6 +21,9 @@
"events": [
{
"introduced": "0"
+ },
+ {
+ "fixed": "1.9.7"
}
]
}
@@ -34,10 +37,6 @@
"url": "https://github.com/advisories/GHSA-c3q9-q986-vrwh"
},
{
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1296"
- },
- {
"type": "FIX",
"url": "https://github.com/hashicorp/nomad/commit/dc482bf9058faf7a192486eb52caa1d42646f6b3"
},
@@ -48,6 +47,6 @@
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2025-3510",
- "review_status": "UNREVIEWED"
+ "review_status": "REVIEWED"
}
}
\ No newline at end of file
diff --git a/data/reports/GO-2024-3262.yaml b/data/reports/GO-2024-3262.yaml
index a0f201a..423117e 100644
--- a/data/reports/GO-2024-3262.yaml
+++ b/data/reports/GO-2024-3262.yaml
@@ -1,20 +1,21 @@
id: GO-2024-3262
modules:
- module: github.com/hashicorp/nomad
- unsupported_versions:
- - last_affected: 1.9.1
- vulnerable_at: 1.9.2
-summary: Hashicorp Nomad Incorrect Authorization vulnerability in github.com/hashicorp/nomad
+ versions:
+ - fixed: 1.9.2
+ vulnerable_at: 1.9.1
+summary: |-
+ Hashicorp Nomad Incorrect Authorization vulnerability in
+ github.com/hashicorp/nomad
cves:
- CVE-2024-10975
ghsas:
- GHSA-2w5v-x29g-jw7j
references:
- advisory: https://github.com/advisories/GHSA-2w5v-x29g-jw7j
- - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-10975
- fix: https://github.com/hashicorp/nomad/commit/30849c518e16647a4f698e5f5cc82bef2bf40e4d
- web: https://discuss.hashicorp.com/t/hcsec-2024-27-nomad-vulnerable-to-cross-namespace-volume-creation-abusing-csi-write-permission
source:
id: GHSA-2w5v-x29g-jw7j
created: 2024-11-08T12:15:08.376448-05:00
-review_status: UNREVIEWED
+review_status: REVIEWED
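Review bot: The summary is still the generic advisory title, `Hashicorp Nomad Incorrect Authorization vulnerability in github.com/hashicorp/nomad`, even though the report is now marked REVIEWED; the only change to it is the re-wrap into a `|-` block. The `web` reference in this hunk describes the issue as cross-namespace volume creation abusing CSI write permission. A summary such as `Cross-namespace volume creation via CSI write permission in github.com/hashicorp/nomad` would tell operators which permission grants to audit, and would match the product-name-free style this commit applies to GO-2025-3510. Separately, the commit message lists `data/reports/GO-2025-3262.yaml`, while the file changed here is `data/reports/GO-2024-3262.yaml`.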
diff --git a/data/reports/GO-2025-3510.yaml b/data/reports/GO-2025-3510.yaml
index dccdba5..21a0e00 100644
--- a/data/reports/GO-2025-3510.yaml
+++ b/data/reports/GO-2025-3510.yaml
@@ -1,22 +1,21 @@
id: GO-2025-3510
modules:
- module: github.com/hashicorp/nomad
- unsupported_versions:
- - last_affected: 1.9.6
- vulnerable_at: 1.9.7
+ versions:
+ - fixed: 1.9.7
+ vulnerable_at: 1.9.6
summary: |-
- Nomad is vulnerable to unintentional exposure of the workload identity token and
- client secret token in audit logs in github.com/hashicorp/nomad
+ Unintentional exposure of the workload identity token and client secret in logs
+ in github.com/hashicorp/nomad
cves:
- CVE-2025-1296
ghsas:
- GHSA-c3q9-q986-vrwh
references:
- advisory: https://github.com/advisories/GHSA-c3q9-q986-vrwh
- - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-1296
- fix: https://github.com/hashicorp/nomad/commit/dc482bf9058faf7a192486eb52caa1d42646f6b3
- web: https://discuss.hashicorp.com/t/hcsec-2025-04-nomad-exposes-sensitive-workload-identity-and-client-secret-token-in-audit-logs/73737
source:
id: GHSA-c3q9-q986-vrwh
created: 2025-03-12T13:11:55.821545-04:00
-review_status: UNREVIEWED
+review_status: REVIEWED
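Review bot: The rewritten summary drops "audit" and says only "in logs", but the `web` reference in this hunk is titled "...client-secret-token-in-audit-logs". Keeping the qualifier, e.g. `Exposure of workload identity token and client secret token in audit logs in github.com/hashicorp/nomad`, tells responders which log sink to restrict and scrub. The report also gains no `description`, so the `details` field in data/osv/GO-2025-3510.json is a word-for-word copy of the summary. If the upstream advisory supports it, a short `description` could say that tokens already written to those logs should be treated as exposed and rotated after upgrading to 1.9.7.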