doc: additions
- triage.md: Mention that you must be at repo root to run some
vulnreport commands, and fix a heading level.
- format.md: document vulnerable_at, and add some more information
about credit.
Change-Id: I3194b70fbc8ff15cf4a8b9b938b27a1034862b43
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/475918
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/doc/format.md b/doc/format.md
index c7efc45..4b40003 100644
--- a/doc/format.md
+++ b/doc/format.md
@@ -128,6 +128,11 @@
If this field is omitted, it is assumed that every version since the
`introduced` version is vulnerable.
+## `vulnerable_at`
+
+The version (see above for format) at which the vulnerable symbols
+were obtained. Ideally, this is the version just prior to the fix.
+
## `description`
type `string`
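Review bot: the new `## vulnerable_at` section is missing the `type` line that the neighbouring field sections carry (`## description` is immediately followed by "type `string`"); since the field holds a version it should say so explicitly rather than only via "(see above for format)", e.g. "type `string`" plus a reference to the version format used by `introduced`/`fixed`. It should also state whether the field is optional, which fields like the one above it do ("If this field is omitted, ..."), and what the consumer of the field does with it, since "the version at which the vulnerable symbols were obtained" does not tell a report author whether `vulnreport` reads it when it adds exported symbols.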
@@ -188,8 +193,10 @@
golang.org/x, etc.). Use the text from the golang-announce email
when available.
-For third-party reports, if `vulnreport create` finds CVE or GHSA metadata,
-use that. Otherwise, it's okay to leave this blank.
+For third-party reports, if `vulnreport create` finds CVE or GHSA metadata, use
+that. Also, look for a "Credits" heading on the GHSA report linked from the
+GitHub issue. Otherwise, it's okay to leave this blank.
+
## `references`
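Review bot: with the inserted "Credits" sentence, the closing "Otherwise, it's okay to leave this blank." now reads as applying only to the GHSA "Credits" heading rather than to both sources; reword so the fallback is clearly the last resort, e.g. "If neither source names anyone, it's okay to leave this blank." It would also help to say where the GHSA link is found on the issue (the issue body, presumably, but the text does not say) and whether the `vulnreport create` metadata or the GHSA "Credits" heading takes precedence when both are present and disagree.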
diff --git a/doc/triage.md b/doc/triage.md
index 635df28..e8955de 100644
--- a/doc/triage.md
+++ b/doc/triage.md
@@ -96,14 +96,15 @@
### If the report is labeled `NeedsReport`
-1. Run `vulnreport create <GitHub issue number>`.
+1. From the repo root, run `vulnreport create <GitHub issue number>`.
vulnreport will create a YAML report template for the CVE or GHSA at the
specified GitHub issue number. This command works for both regular reports
and excluded reports. It also accepts multiple Github issue numbers (space
separated), and Github issue ranges (e.g., `1000-1010`).
2. Edit the report file template.
-3. Run `vulnreport commit [<report file> | <Github issue number>]`. This will
- lint the report, add exported symbols, convert the YAML to OSV, and commit
+3. From the repo root, run `vulnreport commit [<report file> | <Github issue number>]`.
+ (Example: `vulnreport commit 1623`.)
+ This will lint the report, add exported symbols, convert the YAML to OSV, and commit
the new files with a standard commit message. Commits are to the local git
repository. The `vulnreport commit` command also accepts multiple
space-separated files/issue numbers, and will create a separate commit for
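Review bot: prefixing steps 1 and 3 individually with "From the repo root" is fragile; if the constraint applies to `vulnreport` generally (the commit message says "some vulnreport commands"), state it once above the list or in the step that introduces `vulnreport`, and say which commands it applies to, so a future step that adds another `vulnreport` invocation does not silently omit it. Minor: the rewrapped line `3. From the repo root, run \`vulnreport commit [<report file> | <Github issue number>]\`.` runs well past the width the rest of the file wraps at, and this hunk mixes "GitHub" (step 1 text) with "Github" (steps 1 and 3); since these lines are being touched anyway, normalising to "GitHub" would be cheap.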
@@ -154,7 +155,7 @@
5. Mail the commit.
-### Standard Library Reports
+## Standard Library Reports
When adding a vulnerability report about the standard library, ensure that the
references section follows this format:
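Review bot: promoting `### Standard Library Reports` to `##` pulls it out of the section it was nested under (the numbered procedure ending at "5. Mail the commit." is the last visible context); check that any `###` headings that follow it in triage.md are meant to become subsections of the new `##` section, and that the table of contents or anchor links, if the doc has any, still point at the right level. The hunk gives no sibling `##` heading for comparison, so the intended outline is not verifiable from this diff alone.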