| commit | a33350d7c9eade154432599fd35e3e539afc1641 | |
|---|---|---|
| author | Tatiana Bradley <tatianabradley@google.com> | Mon Nov 27 15:29:15 2023 -0500 |
| committer | Tatiana Bradley <tatianabradley@google.com> | Mon Nov 27 21:15:22 2023 +0000 |
| tree | 2a924003e4cbcfc22b46190f3c79bfa5d55bb047 | |
| parent | edf27d220c6e9607478c3e3402a10dd0b4838e01 | |
internal/report: fix bug in CVE5 generation

Fixes a bug in which incorrect version ranges were sometimes generated when converting reports to CVE5. The bug happens when operating on a report with no fixed version.

The problem is that the CVE JSON 5.0 format only allows version ranges of the form "versions X to Y are affected", "versions X to Y are NOT affected" or "version X is affected". It does not directly allow the statement "version X and above are affected" - this must be expressed as "version 0 through X are unaffected, all others are affected". This change allows that to be expressed.

This bug became clear when we published GO-2023-2328. The CVE for that report is also re-generated as a part of this change.

Change-Id: I0c61168581d65b13850d3a763a3300c04594b84c
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/545295
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
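The constraint the commit message describes, shown as an added example that is not vulndb's own code: a hypothetical converter from report-style (introduced, fixed) ranges to the CVE JSON 5.0 `versions` array, which flips `defaultStatus` to "affected" and lists only the unaffected gaps from version 0 when a range has no fixed version. The `Range` input type, the `toCVE5` and `entry` names, and the assumption that input ranges are sorted and non-overlapping are mine; only the JSON keys come from the CVE 5.0 format.

```go
package main

// Range is a constructed stand-in for a report version range ("" Introduced means 0).
type Range struct{ Introduced, Fixed string }

// VersionRange mirrors one element of the CVE JSON 5.0 "versions" array.
type VersionRange struct {
	Version     string `json:"version"`
	LessThan    string `json:"lessThan,omitempty"`
	Status      string `json:"status"`
	VersionType string `json:"versionType"`
}

// Affected mirrors the CVE 5.0 "affected" fields that carry version data.
type Affected struct {
	DefaultStatus string         `json:"defaultStatus"`
	Versions      []VersionRange `json:"versions,omitempty"`
}

func entry(version, lessThan, status string) VersionRange {
	return VersionRange{Version: version, LessThan: lessThan, Status: status, VersionType: "semver"}
}

// toCVE5 assumes ranges are sorted ascending and non-overlapping, so an open-ended
// range (no Fixed) can only be the last one. If every range has a Fixed version,
// each is emitted as "affected" under defaultStatus "unaffected". Otherwise CVE 5.0
// has no "X and above" form, so the default flips to "affected" and only the
// unaffected gaps, starting at version 0, are listed.
func toCVE5(ranges []Range) Affected {
	a := Affected{DefaultStatus: "unaffected"}
	if n := len(ranges); n > 0 && ranges[n-1].Fixed == "" {
		a.DefaultStatus = "affected"
	}
	prevFixed := "0" // lower bound of the current unaffected gap
	for _, r := range ranges {
		intro := r.Introduced
		if intro == "" {
			intro = "0"
		}
		if a.DefaultStatus == "unaffected" {
			a.Versions = append(a.Versions, entry(intro, r.Fixed, "affected"))
			continue
		}
		if intro != prevFixed { // versions in [prevFixed, intro) are not affected
			a.Versions = append(a.Versions, entry(prevFixed, intro, "unaffected"))
		}
		prevFixed = r.Fixed // "" only for the open-ended last range
	}
	return a
}
```

For a report that is "affected from 1.1.0 onward", `toCVE5([]Range{{Introduced: "1.1.0"}})` yields `defaultStatus: "affected"` with a single unaffected range `[0, 1.1.0)`, which is the encoding the commit message calls for.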
This repository contains the infrastructure and internal reports to create the Go Vulnerability Database.
Check out https://go.dev/security/vuln for more information about the Go vulnerability management system.
Click here to report a public vulnerability in the Go ecosystem, or give feedback about the project.
The privacy policy for govulncheck can be found at https://vuln.go.dev/privacy.
Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.
Database entries are distributed under the terms of the CC-BY-4.0 license. See go.dev/security/vuln/database for information on how to access these entries.