This document explains how we handle vulnerability issue triage in the x/vulndb issue tracker.
All vulnerabilities in the Go vulnerability database are currently stored as a YAML file in the data/reports or data/excluded directory.
Each vulnerability is given an ID with the format GO-YYYY-NNNN.
For a detailed explanation of the report format, see doc/format.md.
Any issue must be in one of the following states. Maintainers of the Go vulndb move issues from one state to another. The intent behind these explicit states is to describe the (minimum) next steps required to bring the issue to resolution.
Issues are intended to move between these states:
+-------------+ | | via CL +-------------->| NeedsReport +----------+ | | | | | +-------------+ | +---------+----------+ v | | Closed NeedsTriage -->| NeedsInvestigation | | (optional) | +------------+ ^ +----------+---------+ | | | | | excluded: | | | | REASON | +---------+ +--------------->| | via CL +------------+
The issue has been filed by the vulndb worker
The issue will have the title:
x/vulndb: potential Go vuln in <module/package>: <CVE ID and or GHSA ID>
To transition from this state, someone must:
excluded: REASON, and make a CL
NeedsReport, and make a CL
NeedsInvestigation, and CC people who might be best to investigate the issue and provide further context.
excluded: REASONwhere REASON is one of the possible excluded reasons.
If an issue is labeled with
excluded: REASON, you can add a new report to the database by following these steps:
Make sure the issue is assigned to you.
Clone the x/vulndb repository:
git clone https://go.googlesource.com/vulndb
go install ./cmd/vulnreport to install the vulnreport tool.
You will need a GitHub access token with scope
repo: public_repo (follow instructions for “personal access token (classic)”).
Store the token in a file, e.g.,
~/.github-token, and run:
export VULN_GITHUB_ACCESS_TOKEN=`cat ~/.github-token` (you can also store this command in a
~/.bashrc file or similar).
vulnreport create <GitHub issue number>. vulnreport will create a YAML report template for the CVE or GHSA at the specified GitHub issue number. This command works for both regular reports and excluded reports. It also accepts multiple Github issue numbers (space separated), and Github issue ranges (e.g.,
vulnreport commit [<report file> | <GitHub issue number>]. (Example:
vulnreport commit 1623.) This will lint the report, add exported symbols, convert the YAML to OSV, and commit the new files with a standard commit message. Commits are to the local git repository. The
vulnreport commitcommand also accepts multiple space-separated files/issue numbers, and will create a separate commit for each report.
vulnreport fix <GitHub issue number>before re-mailing to update the OSV and perform other useful actions.
vulnreport create-excluded. vulnreport will batch create YAML reports for all issues with the
excluded: REASONlabel. If there is an error creating any given report, the skipped issue number will be printed to stdout and that issue will have to be created manually with
vulnreport create <Github issue number>. (see steps 2-4 above for more information). Additionally,
create-excludedwill automatically create a single commit for all successful reports.
Sometimes an issue describes a vulnerability that we already have a report for. The worker doesn't (yet) detect this automatically, so it is a good idea to grep the
/data directory of this repo for the module path and read the report to see if the vulns are the same.
If the issue is indeed a duplicate:
Apply the label
duplicate to the issue.
Find the duplicate issue (say it is #NNN) in the issue tracker, and on the current issue, write the comment “Duplicate of #NNN”. (No period after the number.)
Find the corresponding report yaml file (say GO-YYYY-NNNN.yaml) in
data/reports, and add the duplicate IDs to the
ghsas section, as appropriate. (If the duplicate IDs are already present, close the GH issue.)
vulnreport -up commit NNN to update generated files and create a commit. Edit the generated commit message so that it includes the words “add aliases”.
Mail the commit.
When adding a vulnerability report about the standard library, ensure that the references section follows this format:
references: - report: https://go.dev/issue/<#> - fix: https://go.dev/cl/<#> - web: https://groups.google.com/g/golang-announce/c/<XXX>/<YYY>
You can find these links in the golang-announce@ email for the security release fixing this vulnerability.
Report: The Github issue will be listed in the golang-announce@ email.
Fix: The PR will be a go.dev/cl/<#> link, found as a gopherbot comment on the issue for the vulnerability.
Web: The golang-announce email link.
Occasionally, we will receive new information about a Go vulnerability and want to update the existing report.
In that case, reopen the issue for the report to discuss the change, rather than create a new issue.
This section describes frequent issues that come up when triaging vulndb reports.
vulnreport fix fails with an error message like
/firstname.lastname@example.org/foo.go:1:2: could not import C (no metadata for C)
a frequent cause is the local machine missing
C library headers causing typechecking of cgo packages to fail. The easiest workaround is to use a machine with the development headers installed or to install them.
Commonly missing packages include: