Google Git
Sign in
go / vulndb / 77ae2d0758476056c59f90d5dde6f9ce839750ab / . / .github / ISSUE_TEMPLATE / new_third_party_vuln.yml
blob: 6dd37147d291c5fc7afba2bcc6f2b853f79fd1c1 [file] [log] [blame]
# Copyright 2021 The Go Authors. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
name: Tell us about a public vulnerability in the Go ecosystem
description: |
Report an existing, public vulnerability in a publicly importable package in the Go ecosystem that is not yet in our database.
title: "x/vulndb: potential Go vuln in <package>"
labels: ["Needs Triage","Direct External Report"]
body:
- type: markdown
attributes:
value: |
Thanks for taking the time to file a vulnerability report!
This form creates a public issue on our issue tracker containing all the details you report. It is intended for PUBLIC vulnerabilities in publicly importable Go packages not maintained by the Go Team (i.e., anything outside the Go standard library, Go toolchain, and golang.org modules).
❗ To report undisclosed Go vulnerabilities, please follow our [security policy](https://go.dev/security/policy) instead.
For questions or concerns, do not hesitate to reach out to us directly at security@golang.org.
- type: textarea
id: description
attributes:
label: Description
description: A description of the vulnerability.
validations:
required: true
- type: textarea
id: affected
attributes:
label: Affected Modules, Packages, Versions and Symbols
description: |
The Go modules, packages, versions, and symbols this vulnerability affects.
Package versions should be in semver format, and should indicate when the vulnerability was introduced and when it was fixed, if known. If there are multiple fixed (or introduced) versions for the same package, list them all.
Symbols are functions, methods or structs that may trigger this vulnerability when used.
value: |
Module: github.com/example/module
Package: github.com/example/module/package
Versions:
- Introduced: 1.2.0
- Fixed: 1.2.4
Symbols:
- aFunction
- SomeType.AMethod
Module: github.com/example/module/v2
Package: github.com/example/module/v2/package
Versions:
- Fixed: 2.4.5
Symbols:
- anotherFunction
render: shell
validations:
required: true
- type: dropdown
id: has-cve
attributes:
label: Does this vulnerability already have an associated CVE ID?
description: |
A CVE ID is a unique identifier for a vulnerability (see https://cve.mitre.org).
The Go Security team will assign a CVE ID for the vulnerability if it does not already have one.
multiple: false
options:
- "Yes"
- "No"
- "I'm not sure"
validations:
required: true
- type: input
id: cve
attributes:
label: CVE ID
description: If you selected "Yes" in the previous question, please include the CVE ID below.
placeholder: CVE-20XX-NNNN
validations:
required: false
- type: input
id: credit
attributes:
label: Credit
description: |
[Optional] The name of the person or organization that discovered or fixed this vulnerability.
- type: input
id: cwe
attributes:
label: CWE ID
description: |
[Optional] The CWE ID that best describes the class of vulnerability.
See https://cwe.mitre.org/data/definitions/699.html for a list of common types.
- type: input
id: pr
attributes:
label: Pull Request
description: |
The pull request(s) that fixed this vulnerability, if known.
placeholder: https://github.com/example/pull/123
validations:
required: false
- type: input
id: commit
attributes:
label: Commit
description: |
The commit(s) that fixed this vulnerability, if known.
placeholder: https://github.com/example/commit/abcdef
validations:
required: false
- type: textarea
id: links
attributes:
label: References
description: Links to more information about the vulnerability (e.g., advisories, reports, issue tracker entries, etc).
placeholder: |
- https://github.com/example/issues/123
- https://github.com/advisories/GHSA-abcd-efgh-ijkl
validations:
required: false
- type: textarea
id: more
attributes:
label: Additional information
description: |
Anything else you'd like us to know about this vulnerability?
validations:
required: false