Google Git
Sign in
go / vulndb / b6297cc869ac107977d2b45c7b1155d70c10e359
commitb6297cc869ac107977d2b45c7b1155d70c10e359[log] [tgz]
authorDamien Neil <dneil@google.com>Tue May 10 15:41:21 2022 -0700
committerDamien Neil <dneil@google.com>Wed Jun 15 18:24:57 2022 +0000
tree6dabb95c879b11c5dc722d5679d7edbf3441adfa
parent8889080d6d39a6d93804592f3f7228b12f009a51 [diff]
cmd/vulnreport: automatically fetch modules in symbol checks

The "vulnreport fix" command loads affected modules to add exported
symbols. (Eventually, this command should also validate the listed
symbols exist in the module, but it doesn't do that right now.)

Running fix requires some manual effort on the user's part.
From the triage documentation:

  mkdir /tmp/mymod
  cd /tmp/mymod
  go mod init
  go get github.com/my/mod@<version-before-fixed>
  go run <path to /cmd/vulnreport> fix

Automate this.

Detemining the "version-before-fixed" is programmatically is difficult.
Rather than trying to do so, add a "vulnerable_at" field to reports
which specifies a known-vulnerable version to use. Placing this in
the report also makes whatever work fix does more reproducable, since
we have an audit trail of what version was used.

Change-Id: Ie76d582a1f5192597f411b60eb407c2c014a9d35
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/412395
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
4 files changed
tree: 6dabb95c879b11c5dc722d5679d7edbf3441adfa
  1. .github/
  2. cmd/
  3. deploy/
  4. devtools/
  5. doc/
  6. internal/
  7. reports/
  8. terraform/
  9. webconfig/
  10. .gitignore
  11. all_test.go
  12. AUTHORS
  13. checks.bash
  14. CONTRIBUTING.md
  15. CONTRIBUTORS
  16. go.mod
  17. go.sum
  18. LICENSE
  19. PATENTS
  20. README.md
  21. tools_test.go
README.md

The Go Vulnerability Database

This repository contains the reports for the Go Vulnerability Database.

If you are interested accessing data from the Go Vulnerability Database, see x/vuln for information. This repository is only used for adding new vulnerabilities.

Reporting a vulnerability

We are not accepting new vulnerability reports at this time. We will update this README.md once we are ready to receive reports.

License

Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Database entries are distributed under the terms of the CC-BY 4.0 license. See x/vuln for information on how to access these entries.