commit | 5b3cf6b6950d92c359117d458c81b57f998118ca | |
---|---|---|
author | Julie Qiu <julie@golang.org> | Mon Dec 20 16:26:47 2021 -0500 |
committer | Julie Qiu <julie@golang.org> | Mon Dec 20 22:08:22 2021 +0000 |
tree | f06704489a48d1b54c2f96d7f44ebaf789f78d24 | |
parent | 604036612d810cc25b26ff77e49cce7f67b03cd2 | |

cmd,internal: add tools and worker code

golang.org/x/vuln/srv is moved to this repository.

Originally, the motivation for creating x/vuln was to split the YAML reports and Go code into two separate repositories. However, this resulted in a few issues:

1. The structure of the YAML reports is tightly coupled with the structs in internal/report, and changing one without the other would result in errors when linting the reports.
2. The vlint package itself needed to be exported, even though the only consumer was the test in x/vulndb.
3. The deploy/build.yaml script depends on cmd/gendb@latest, so updating that command could easily break the script (for example, submitting CL 373004 without changing the reference in deploy/build.yaml).

Additionally, the original location of this code was x/vuln, which contained two types of packages. (1) Packages meant for consumption by other clients (for example, x/vuln/client), and (2) Internal packages that were only meant for use to spin up the worker. The internal packages resulted in many dependencies since they pulled in GCP, which we don't want clients of the vulncheck library to have to pull in.

This problem was originally solved by creating a nested module inside x/vuln, but a nicer separation that would also solve the issues above is the following:

* x/vuln: contains Go code meant to be imported by others
* x/vulndb: contains internal code only used to maintain the vulndb

For golang/go#50247

Change-Id: I74a7b7f9b8fc5b0ad48a45fc3156f93c08aa9955

Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/373495

Trust: Julie Qiu <julie@golang.org>

Reviewed-by: Jonathan Amsterdam <jba@google.com>

This repository contains the reports for the Go Vulnerability Database.
If you are interested in accessing data from the Go Vulnerability Database, see x/vuln for information. This repository is only used for adding new vulnerabilities.
We are not accepting new vulnerability reports at this time. We will update this README.md once we are ready to receive reports.
Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.
Database entries are distributed under the terms of the CC-BY 4.0 license. See x/vuln for information on how to access these entries.