Google Git
Sign in
go / vulndb / 5f89dfe2565b766a01b526fd3c649ca3b4cd3eeb^! / .
commit5f89dfe2565b766a01b526fd3c649ca3b4cd3eeb[log] [tgz]
authorJonathan Amsterdam <jba@google.com>Mon Mar 13 11:46:24 2023 -0400
committerJonathan Amsterdam <jba@google.com>Mon Mar 13 17:17:09 2023 +0000
tree38e7d87a5ca44adf3cf124fbc76195cdb1c955fe
parentf8d13cbc56c43209e5293524d575687cffcf4aec [diff]
doc: additions

- triage.md: Mention that you must be at repo root to run some
  vulnreport commands, and fix a heading level.

- format.md: document vulnerable_at, and add some more information
  about credit.

Change-Id: I3194b70fbc8ff15cf4a8b9b938b27a1034862b43
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/475918
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

diff --git a/doc/format.md b/doc/format.md
index c7efc45..4b40003 100644
--- a/doc/format.md
+++ b/doc/format.md

@@ -128,6 +128,11 @@
 If this field is omitted, it is assumed that every version since the
 `introduced` version is vulnerable.
 
+## `vulnerable_at`
+
+The version (see above for format) at which the vulnerable symbols
+were obtained. Ideally, this is the version just prior to the fix.
+
 ## `description`
 
 type `string`
@@ -188,8 +193,10 @@
 golang.org/x, etc.). Use the text from the golang-announce email
 when available.
 
-For third-party reports, if `vulnreport create` finds CVE or GHSA metadata,
-use that. Otherwise, it's okay to leave this blank.
+For third-party reports, if `vulnreport create` finds CVE or GHSA metadata, use
+that. Also, look for a "Credits" heading on the GHSA report linked from the
+GitHub issue. Otherwise, it's okay to leave this blank.
+
 
 ## `references`
 

diff --git a/doc/triage.md b/doc/triage.md
index 635df28..e8955de 100644
--- a/doc/triage.md
+++ b/doc/triage.md

@@ -96,14 +96,15 @@
 
 ### If the report is labeled `NeedsReport`
 
-1. Run `vulnreport create <GitHub issue number>`.
+1. From the repo root, run `vulnreport create <GitHub issue number>`.
    vulnreport will create a YAML report template for the CVE or GHSA at the
    specified GitHub issue number. This command works for both regular reports
    and excluded reports. It also accepts multiple Github issue numbers (space
    separated), and Github issue ranges (e.g., `1000-1010`).
 2. Edit the report file template.
-3. Run `vulnreport commit [<report file> | <Github issue number>]`. This will
-   lint the report, add exported symbols, convert the YAML to OSV, and commit
+3. From the repo root, run `vulnreport commit [<report file> | <Github issue number>]`.
+   (Example: `vulnreport commit 1623`.)
+   This will lint the report, add exported symbols, convert the YAML to OSV, and commit
    the new files with a standard commit message. Commits are to the local git
    repository. The `vulnreport commit` command also accepts multiple
    space-separated files/issue numbers, and will create a separate commit for
@@ -154,7 +155,7 @@
 
 5. Mail the commit.
 
-### Standard Library Reports
+## Standard Library Reports
 
 When adding a vulnerability report about the standard library, ensure that the
 references section follows this format: