| # Copyright 2021 The Go Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style |
| # license that can be found in the LICENSE file. |
| |
| name: Tell us about a public vulnerability in the Go ecosystem |
| description: | |
| Report an existing, public vulnerability in a publicly importable package in the Go ecosystem that is not yet in our database. |
| title: "x/vulndb: potential Go vuln in <package>" |
| labels: ["Needs Triage","Direct External Report"] |
| body: |
| - type: markdown |
| attributes: |
| value: | |
| Thanks for taking the time to help us maintain the Go vulnerability |
| database! |
| |
| Filling out this form creates a **public** issue on the x/vulndb issue tracker containing all the details you report. |
| |
| This issue tracker is used solely to track the work of adding/updating the Go vulnerability database, not to track the work of fixing or mitigating vulnerabilities. |
| |
| It is intended only for PUBLIC vulnerabilities in publicly importable Go packages not maintained by the Go Team (i.e., anything outside the Go standard library, Go toolchain, and golang.org modules). |
| |
| ❗ Please report new issues directly to project maintainers following their security policy **before** creating an issue here. |
| |
| ❗ To report undisclosed Go standard library or toolchain vulnerabilities, please follow our [security policy](https://go.dev/security/policy) instead. |
| |
| For questions or concerns, do not hesitate to reach out to us directly at security@golang.org. |
| - type: checkboxes |
| attributes: |
| label: Acknowledgement |
| options: |
| - label: The maintainer(s) of the affected project have already been made aware of this vulnerability. |
| required: true |
| - type: textarea |
| id: description |
| attributes: |
| label: Description |
| description: A description of the vulnerability. |
| validations: |
| required: true |
| - type: textarea |
| id: affected |
| attributes: |
| label: Affected Modules, Packages, Versions and Symbols |
| description: | |
| The Go modules, packages, versions, and symbols this vulnerability affects. |
| |
| Package versions should be in semver format, and should indicate when the vulnerability was introduced and when it was fixed, if known. If there are multiple fixed (or introduced) versions for the same package, list them all. |
| |
| Symbols are functions, methods or structs that may trigger this vulnerability when used. |
| value: | |
| Module: github.com/example/module |
| Package: github.com/example/module/package |
| Versions: |
| - Introduced: 1.2.0 |
| - Fixed: 1.2.4 |
| Symbols: |
| - aFunction |
| - SomeType.AMethod |
| |
| Module: github.com/example/module/v2 |
| Package: github.com/example/module/v2/package |
| Versions: |
| - Fixed: 2.4.5 |
| Symbols: |
| - anotherFunction |
| render: shell |
| validations: |
| required: true |
| - type: input |
| id: cve |
| attributes: |
| label: CVE/GHSA ID |
| description: List any CVE or GHSA IDs already associated with this vulnerability. |
| placeholder: CVE-20XX-NNNN, GHSA-xxxx-yyyy-zzzz |
| validations: |
| required: false |
| - type: input |
| id: pr |
| attributes: |
| label: Fix Commit or Pull Request |
| description: | |
| The pull request(s) or commit(s) that fixed this vulnerability, if known. |
| placeholder: https://github.com/example/pull/123 |
| validations: |
| required: false |
| - type: textarea |
| id: links |
| attributes: |
| label: References |
| description: Links to more information about the vulnerability (e.g., advisories, reports, issue tracker entries, etc). |
| placeholder: | |
| - https://github.com/example/issues/123 |
| - https://github.com/advisories/GHSA-abcd-efgh-ijkl |
| validations: |
| required: false |
| - type: textarea |
| id: more |
| attributes: |
| label: Additional information |
| description: | |
| Anything else you'd like us to know about this vulnerability? |
| validations: |
| required: false |
