commit | b6297cc869ac107977d2b45c7b1155d70c10e359 | [log] [tgz] |
---|---|---|
author | Damien Neil <dneil@google.com> | Tue May 10 15:41:21 2022 -0700 |
committer | Damien Neil <dneil@google.com> | Wed Jun 15 18:24:57 2022 +0000 |
tree | 6dabb95c879b11c5dc722d5679d7edbf3441adfa | |
parent | 8889080d6d39a6d93804592f3f7228b12f009a51 [diff] |
cmd/vulnreport: automatically fetch modules in symbol checks

The "vulnreport fix" command loads affected modules to add exported symbols. (Eventually, this command should also validate that the listed symbols exist in the module, but it doesn't do that right now.)

Running fix requires some manual effort on the user's part. From the triage documentation:

    mkdir /tmp/mymod
    cd /tmp/mymod
    go mod init
    go get github.com/my/mod@<version-before-fixed>
    go run <path to /cmd/vulnreport> fix

Automate this.

Determining the "version-before-fixed" programmatically is difficult. Rather than trying to do so, add a "vulnerable_at" field to reports which specifies a known-vulnerable version to use. Placing this in the report also makes whatever work fix does more reproducible, since we have an audit trail of what version was used.

Change-Id: Ie76d582a1f5192597f411b60eb407c2c014a9d35
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/412395
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
This repository contains the reports for the Go Vulnerability Database.
If you are interested in accessing data from the Go Vulnerability Database, see x/vuln for information. This repository is only used for adding new vulnerabilities.
We are not accepting new vulnerability reports at this time. We will update this README.md once we are ready to receive reports.
Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.
Database entries are distributed under the terms of the CC-BY 4.0 license. See x/vuln for information on how to access these entries.