internal/report: fix bug in CVE5 generation

Fixes a bug in which incorrect version ranges were sometimes generated
when converting reports to CVE5. The bug happens when operating on a report
with no fixed version.

The problem is that the CVE JSON 5.0 format only allows version ranges
of the form "versions X to Y are affected", "versions X to Y are NOT affected"
or "version X is affected".

It does not directly allow the statement "version X and above are affected" - this must be expressed as "version 0 through X are unaffected, all others are affected". This change allows that to be expressed.

This bug became clear when we published GO-2023-2328. The CVE for that report
is also re-generated as a part of this change.

Change-Id: I0c61168581d65b13850d3a763a3300c04594b84c
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/545295
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
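The encoding the message describes, as an added Go example that is not part of this change or of vulndb's own code: the VersionRange type, the "semver" versionType and the sorted, non-overlapping input are assumptions, while the struct tags follow the affected[].versions[] field names of the CVE JSON 5.0 schema.

```go
package main

// VersionRange is a constructed stand-in for a vulndb report range; empty Fixed means "Introduced and later are affected".
type VersionRange struct{ Introduced, Fixed string }

// CVE5Version mirrors one affected[].versions[] entry of the CVE JSON 5.0
// schema; CVE5Affected holds the two affected[] fields the encoding touches.
type CVE5Version struct {
	Version     string `json:"version"`
	Status      string `json:"status"`
	VersionType string `json:"versionType"`
	LessThan    string `json:"lessThan"`
}
type CVE5Affected struct {
	DefaultStatus string        `json:"defaultStatus"`
	Versions      []CVE5Version `json:"versions"`
}

// ToCVE5 expects ranges sorted by Introduced and non-overlapping. If every range
// has a Fixed it lists "Introduced to Fixed is affected"; otherwise, because the
// schema cannot say "X and above are affected", it lists only the unaffected gaps.
func ToCVE5(ranges []VersionRange) CVE5Affected {
	mk := func(from, to, status string) CVE5Version {
		return CVE5Version{Version: from, Status: status, VersionType: "semver", LessThan: to}
	}
	rs := append([]VersionRange(nil), ranges...) // copy; empty Introduced means 0
	open := false
	for i := range rs {
		if rs[i].Introduced == "" {
			rs[i].Introduced = "0"
		}
		open = open || rs[i].Fixed == ""
	}
	out := CVE5Affected{DefaultStatus: "unaffected"}
	if !open {
		for _, r := range rs {
			out.Versions = append(out.Versions, mk(r.Introduced, r.Fixed, "affected"))
		}
		return out
	}
	out.DefaultStatus = "affected" // everything outside the listed gaps is affected
	gapStart := "0"                // unaffected versions run from here up to the next Introduced
	for _, r := range rs {
		if gapStart != "" && r.Introduced != gapStart {
			out.Versions = append(out.Versions, mk(gapStart, r.Introduced, "unaffected"))
		}
		gapStart = r.Fixed // "" after an open range: nothing unaffected follows
	}
	return out
}
```

For a report introduced at v1.2.0 with no fix, the result is defaultStatus "affected" with a single unaffected entry from "0" up to (not including) "1.2.0", which is the form the message says the schema requires.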
3 files changed
tree: 2a924003e4cbcfc22b46190f3c79bfa5d55bb047
README.md

The Go Vulnerability Database

This repository contains the infrastructure and internal reports to create the Go Vulnerability Database.

Check out https://go.dev/security/vuln for more information about the Go vulnerability management system.

Reporting a vulnerability or feedback

Click here to report a public vulnerability in the Go ecosystem, or give feedback about the project.

Privacy Policy

The privacy policy for govulncheck can be found at https://vuln.go.dev/privacy.

License

Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Database entries are distributed under the terms of the CC-BY-4.0 license. See go.dev/security/vuln/database for information on how to access these entries.