all: switch from toml to yaml
Change-Id: I9fb36a246d0d532e44a28903998b9750cf794a85
Reviewed-on: https://team-review.git.corp.google.com/c/golang/vulndb/+/1055925
Reviewed-by: Roland Shoemaker <bracewell@google.com>
diff --git a/cmd/gendb/main.go b/cmd/gendb/main.go
index 5c02064..9eff053 100644
--- a/cmd/gendb/main.go
+++ b/cmd/gendb/main.go
@@ -14,9 +14,9 @@
"reflect"
"strings"
- "github.com/BurntSushi/toml"
"golang.org/x/vulndb/osv"
"golang.org/x/vulndb/report"
+ "gopkg.in/yaml.v2"
)
func fail(why string) {
@@ -52,7 +52,7 @@
jsonVulns := map[string][]osv.Entry{}
for _, f := range tomlFiles {
- if !strings.HasSuffix(f.Name(), ".toml") {
+ if !strings.HasSuffix(f.Name(), ".yaml") {
continue
}
content, err := ioutil.ReadFile(filepath.Join(*tomlDir, f.Name()))
@@ -60,7 +60,7 @@
fail(fmt.Sprintf("can't read %q: %s", f.Name(), err))
}
var vuln report.Report
- err = toml.Unmarshal(content, &vuln)
+ err = yaml.Unmarshal(content, &vuln)
if err != nil {
fail(fmt.Sprintf("unable to unmarshal %q: %s", f.Name(), err))
}
diff --git a/cmd/genhtml/main.go b/cmd/genhtml/main.go
index 6fac8cf..c078b3b 100644
--- a/cmd/genhtml/main.go
+++ b/cmd/genhtml/main.go
@@ -14,8 +14,8 @@
"sort"
"strings"
- "github.com/BurntSushi/toml"
"golang.org/x/vulndb/report"
+ "gopkg.in/yaml.v2"
)
var indexTemplate = template.Must(template.New("index").Parse(`<html>
@@ -194,7 +194,7 @@
fail(fmt.Sprintf("can't read %q: %s", f.Name(), err))
}
var vuln report.Report
- err = toml.Unmarshal(content, &vuln)
+ err = yaml.Unmarshal(content, &vuln)
if err != nil {
fail(fmt.Sprintf("unable to unmarshal %q: %s", f.Name(), err))
}
diff --git a/cmd/linter/main.go b/cmd/linter/main.go
index 9982c0b..15130bc 100644
--- a/cmd/linter/main.go
+++ b/cmd/linter/main.go
@@ -10,8 +10,7 @@
"os"
"golang.org/x/vulndb/report"
-
- "github.com/BurntSushi/toml"
+ "gopkg.in/yaml.v2"
)
func main() {
@@ -27,7 +26,7 @@
}
var vuln report.Report
- err = toml.Unmarshal(content, &vuln)
+ err = yaml.Unmarshal(content, &vuln)
if err != nil {
fmt.Fprintf(os.Stderr, "unable to parse %q: %s\n", os.Args[1], err)
os.Exit(1)
diff --git a/cmd/report2cve/main.go b/cmd/report2cve/main.go
index 7ae09e4..66b8f18 100644
--- a/cmd/report2cve/main.go
+++ b/cmd/report2cve/main.go
@@ -11,8 +11,8 @@
"os"
"strings"
- "github.com/BurntSushi/toml"
"golang.org/x/vulndb/report"
+ "gopkg.in/yaml.v2"
)
// Affects
@@ -224,7 +224,7 @@
}
var r report.Report
- if err = toml.Unmarshal(b, &r); err != nil {
+ if err = yaml.Unmarshal(b, &r); err != nil {
fmt.Fprintf(os.Stderr, "failed to parse %q: %s\n", reportPath, err)
os.Exit(1)
}
diff --git a/go.mod b/go.mod
index f068a01..277ce16 100644
--- a/go.mod
+++ b/go.mod
@@ -6,4 +6,5 @@
github.com/BurntSushi/toml v0.3.1
github.com/google/go-cmp v0.5.4
golang.org/x/mod v0.4.1
+ gopkg.in/yaml.v2 v2.4.0
)
diff --git a/go.sum b/go.sum
index 5269ef6..da7aa5a 100644
--- a/go.sum
+++ b/go.sum
@@ -17,3 +17,7 @@
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
diff --git a/report/report.go b/report/report.go
index e8217fd..57cd733 100644
--- a/report/report.go
+++ b/report/report.go
@@ -7,49 +7,49 @@
import "time"
type VersionRange struct {
- Introduced string
- Fixed string
+ Introduced string `yaml:",omitempty"`
+ Fixed string `yaml:",omitempty"`
}
type Report struct {
- Module string
- Package string
+ Module string `yaml:",omitempty"`
+ Package string `yaml:",omitempty"`
// TODO: could also be GoToolchain, but we might want
// this for other things?
//
// could we also automate this by just looking for
// things prefixed with cmd/go?
- DoNotExport bool `json:"do_not_export"`
+ DoNotExport bool `yaml:"do_not_export,omitempty"`
// TODO: how does this interact with Versions etc?
- Stdlib bool `json:"stdlib"`
+ Stdlib bool `yaml:",omitempty"`
// TODO: the most common usage of additional package should
// really be replaced with 'aliases', we'll still need
// additional packages for some cases, but it's too heavy
// for most
AdditionalPackages []struct {
- Module string
- Package string
- Symbols []string
- Versions []VersionRange
- } `toml:"additional_packages"`
- Versions []VersionRange
- Description string
- Published time.Time
- LastModified *time.Time `toml:"last_modified"`
- Withdrawn *time.Time
- CVE string
- Credit string
- Symbols []string
- OS []string
- Arch []string
+ Module string `yaml:",omitempty"`
+ Package string `yaml:",omitempty"`
+ Symbols []string `yaml:",omitempty"`
+ Versions []VersionRange `yaml:",omitempty"`
+ } `yaml:"additional_packages,omitempty"`
+ Versions []VersionRange `yaml:",omitempty"`
+ Description string `yaml:",omitempty"`
+ Published time.Time `yaml:",omitempty"`
+ LastModified *time.Time `yaml:"last_modified,omitempty"`
+ Withdrawn *time.Time `yaml:",omitempty"`
+ CVE string `yaml:",omitempty"`
+ Credit string `yaml:",omitempty"`
+ Symbols []string `yaml:",omitempty"`
+ OS []string `yaml:",omitempty"`
+ Arch []string `yaml:",omitempty"`
Links struct {
- PR string
- Commit string
- Context []string
- }
+ PR string `yaml:",omitempty"`
+ Commit string `yaml:",omitempty"`
+ Context []string `yaml:",omitempty"`
+ } `yaml:",omitempty"`
CVEMetadata *struct {
- ID string
- CWE string
- Description string
- } `toml:"cve_metadata"`
+ ID string `yaml:",omitempty"`
+ CWE string `yaml:",omitempty"`
+ Description string `yaml:",omitempty"`
+ } `yaml:"cve_metadata,omitempty"`
}
diff --git a/reports/GO-2020-0001.toml b/reports/GO-2020-0001.toml
deleted file mode 100644
index a8a692a..0000000
--- a/reports/GO-2020-0001.toml
+++ /dev/null
@@ -1,31 +0,0 @@
-module = "github.com/gin-gonic/gin"
-
-description = """
-The default [`Formatter`][LoggerConfig.Formatter] for the [`Logger`][] middleware
-(included in the [`Default`][] engine) allows attackers to inject arbitrary log
-entries by manipulating the request path.
-"""
-
-credit = "@thinkerou <thinkerou@gmail.com>"
-
-# Better static analysis: LoggerWithConfig called with nil conf.Formatter.
-# Test symbol inclusion by making a gin handler without Default or Logger.
-symbols = ["defaultLogFormatter"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-# v1.5.1 doesn't exist? not sure how `go mod` is picking this pseudoversion
-fixed = "v1.6.0"
-
-[links]
-pr = "https://github.com/gin-gonic/gin/pull/2237"
-commit = "https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d"
-
-[cve_metadata]
-id = "CVE-9999-0001"
-description = """
-Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0
-allows remote attackers to inject arbitary log lines.
-"""
-cwe = "CWE-20: Improper Input Validation"
diff --git a/reports/GO-2020-0001.yaml b/reports/GO-2020-0001.yaml
new file mode 100644
index 0000000..24a47d0
--- /dev/null
+++ b/reports/GO-2020-0001.yaml
@@ -0,0 +1,20 @@
+module: github.com/gin-gonic/gin
+versions:
+- fixed: v1.6.0
+description: |
+ The default [`Formatter`][LoggerConfig.Formatter] for the [`Logger`][] middleware
+ (included in the [`Default`][] engine) allows attackers to inject arbitrary log
+ entries by manipulating the request path.
+published: 2021-04-14T12:00:00Z
+credit: '@thinkerou <thinkerou@gmail.com>'
+symbols:
+- defaultLogFormatter
+links:
+ pr: https://github.com/gin-gonic/gin/pull/2237
+ commit: https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d
+cve_metadata:
+ id: CVE-9999-0001
+ cwe: 'CWE-20: Improper Input Validation'
+ description: |
+ Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0
+ allows remote attackers to inject arbitary log lines.
diff --git a/reports/GO-2020-0002.toml b/reports/GO-2020-0002.toml
deleted file mode 100644
index 2742265..0000000
--- a/reports/GO-2020-0002.toml
+++ /dev/null
@@ -1,20 +0,0 @@
-module = "github.com/proglottis/gpgme"
-
-cve = "CVE-2020-8945"
-
-description = """
-The [`Data`][], [`Context`][], or [`Key`][] finalizers might run during or
-before GPGME operations, releasing the C structures as they are still in use,
-leading to crashes and potentially code execution through a use-after-free.
-"""
-
-credit = "Ulrich Obergfell <uobergfe@redhat.com>"
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.1.1"
-
-[links]
-pr = "https://github.com/proglottis/gpgme/pull/23"
-commit = "https://github.com/proglottis/gpgme/commit/92153bcb59bd2f511e502262c46c7bd660e21733"
diff --git a/reports/GO-2020-0002.yaml b/reports/GO-2020-0002.yaml
new file mode 100644
index 0000000..74641dc
--- /dev/null
+++ b/reports/GO-2020-0002.yaml
@@ -0,0 +1,13 @@
+module: github.com/proglottis/gpgme
+versions:
+- fixed: v0.1.1
+description: |
+ The [`Data`][], [`Context`][], or [`Key`][] finalizers might run during or
+ before GPGME operations, releasing the C structures as they are still in use,
+ leading to crashes and potentially code execution through a use-after-free.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-8945
+credit: Ulrich Obergfell <uobergfe@redhat.com>
+links:
+ pr: https://github.com/proglottis/gpgme/pull/23
+ commit: https://github.com/proglottis/gpgme/commit/92153bcb59bd2f511e502262c46c7bd660e21733
diff --git a/reports/GO-2020-0003.toml b/reports/GO-2020-0003.toml
deleted file mode 100644
index c60d881..0000000
--- a/reports/GO-2020-0003.toml
+++ /dev/null
@@ -1,28 +0,0 @@
-module = "github.com/revel/revel"
-
-description = """
-If the application accepts
-[slice parameters](https://revel.github.io/manual/parameters.html#slices), an
-attacker can cause the application to allocate large amounts of memory and
-crash by manipulating the request query.
-"""
-
-credit = "@SYM01"
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.0.0"
-
-[links]
-commit = "https://github.com/revel/revel/commit/d160ecb72207824005b19778594cbdc272e8a605"
-pr = "https://github.com/revel/revel/pull/1427"
-context = ["https://github.com/revel/revel/issues/1424"]
-
-[cve_metadata]
-id = "CVE-9999-0002"
-description = """
-Unsanitized input in the query parser in github.com/revel/revel before v1.0.0
-allows remote attackers to cause resource exhaustion via memory allocation.
-"""
-cwe = "CWE-400: Uncontrolled Resource Consumption"
\ No newline at end of file
diff --git a/reports/GO-2020-0003.yaml b/reports/GO-2020-0003.yaml
new file mode 100644
index 0000000..08db0bb
--- /dev/null
+++ b/reports/GO-2020-0003.yaml
@@ -0,0 +1,21 @@
+module: github.com/revel/revel
+versions:
+- fixed: v1.0.0
+description: |
+ If the application accepts
+ [slice parameters](https://revel.github.io/manual/parameters.html#slices), an
+ attacker can cause the application to allocate large amounts of memory and
+ crash by manipulating the request query.
+published: 2021-04-14T12:00:00Z
+credit: '@SYM01'
+links:
+ pr: https://github.com/revel/revel/pull/1427
+ commit: https://github.com/revel/revel/commit/d160ecb72207824005b19778594cbdc272e8a605
+ context:
+ - https://github.com/revel/revel/issues/1424
+cve_metadata:
+ id: CVE-9999-0002
+ cwe: 'CWE-400: Uncontrolled Resource Consumption'
+ description: |
+ Unsanitized input in the query parser in github.com/revel/revel before v1.0.0
+ allows remote attackers to cause resource exhaustion via memory allocation.
diff --git a/reports/GO-2020-0004.toml b/reports/GO-2020-0004.toml
deleted file mode 100644
index 34f0509..0000000
--- a/reports/GO-2020-0004.toml
+++ /dev/null
@@ -1,33 +0,0 @@
-module = "github.com/nanobox-io/golang-nanoauth"
-
-description = """
-If any of the `ListenAndServe` functions are called with an empty token,
-token authentication is disabled globally for all listeners.
-
-Also, a minor timing side channel was present allowing attackers with
-very low latency and able to make a lot of requests to potentially
-recover the token.
-"""
-
-credit = "@bouk"
-
-symbols = ["Auth.ServerHTTP", "Auth.ListenAndServeTLS", "Auth.ListenAndServe"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-introduced = "v0.0.0-20160722212129-ac0cc4484ad4"
-fixed = "v0.0.0-20200131131040-063a3fb69896"
-
-[links]
-pr = "https://github.com/nanobox-io/golang-nanoauth/pull/5"
-commit = "https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3"
-
-[cve_metadata]
-id = "CVE-9999-0003"
-description = """
-Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between
-v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe
-is called with an empty token.
-"""
-cwe = "CWE-305: Authentication Bypass by Primary Weakness"
\ No newline at end of file
diff --git a/reports/GO-2020-0004.yaml b/reports/GO-2020-0004.yaml
new file mode 100644
index 0000000..2779510
--- /dev/null
+++ b/reports/GO-2020-0004.yaml
@@ -0,0 +1,27 @@
+module: github.com/nanobox-io/golang-nanoauth
+versions:
+- introduced: v0.0.0-20160722212129-ac0cc4484ad4
+ fixed: v0.0.0-20200131131040-063a3fb69896
+description: |
+ If any of the `ListenAndServe` functions are called with an empty token,
+ token authentication is disabled globally for all listeners.
+
+ Also, a minor timing side channel was present allowing attackers with
+ very low latency and able to make a lot of requests to potentially
+ recover the token.
+published: 2021-04-14T12:00:00Z
+credit: '@bouk'
+symbols:
+- Auth.ServerHTTP
+- Auth.ListenAndServeTLS
+- Auth.ListenAndServe
+links:
+ pr: https://github.com/nanobox-io/golang-nanoauth/pull/5
+ commit: https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3
+cve_metadata:
+ id: CVE-9999-0003
+ cwe: 'CWE-305: Authentication Bypass by Primary Weakness'
+ description: |
+ Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between
+ v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe
+ is called with an empty token.
diff --git a/reports/GO-2020-0005.toml b/reports/GO-2020-0005.toml
deleted file mode 100644
index 3500b5a..0000000
--- a/reports/GO-2020-0005.toml
+++ /dev/null
@@ -1,24 +0,0 @@
-module = "go.etcd.io/etcd"
-package = "go.etcd.io/etcd/wal"
-
-description = """
-Malformed WALs can be constructed such that [`WAL.ReadAll`][] can cause attempted
-out of bounds reads, or creation of arbitarily sized slices, which may be used as
-a DoS vector.
-"""
-
-cve = "CVE-2020-15106"
-
-credit = "Trail of Bits"
-
-symbols = ["WAL.ReadAll", "decoder.decodeRecord"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.5.0-alpha.5.0.20200423152442-f4b650b51dc4"
-
-[links]
-pr = "https://github.com/etcd-io/etcd/pull/11793"
-commit = "https://github.com/etcd-io/etcd/commit/f4b650b51dc4a53a8700700dc12e1242ac56ba07"
-context = ["https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf"]
\ No newline at end of file
diff --git a/reports/GO-2020-0005.yaml b/reports/GO-2020-0005.yaml
new file mode 100644
index 0000000..693f201
--- /dev/null
+++ b/reports/GO-2020-0005.yaml
@@ -0,0 +1,19 @@
+module: go.etcd.io/etcd
+package: go.etcd.io/etcd/wal
+versions:
+- fixed: v0.5.0-alpha.5.0.20200423152442-f4b650b51dc4
+description: |
+ Malformed WALs can be constructed such that [`WAL.ReadAll`][] can cause attempted
+ out of bounds reads, or creation of arbitarily sized slices, which may be used as
+ a DoS vector.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-15106
+credit: Trail of Bits
+symbols:
+- WAL.ReadAll
+- decoder.decodeRecord
+links:
+ pr: https://github.com/etcd-io/etcd/pull/11793
+ commit: https://github.com/etcd-io/etcd/commit/f4b650b51dc4a53a8700700dc12e1242ac56ba07
+ context:
+ - https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf
diff --git a/reports/GO-2020-0006.toml b/reports/GO-2020-0006.toml
deleted file mode 100644
index 033c873..0000000
--- a/reports/GO-2020-0006.toml
+++ /dev/null
@@ -1,22 +0,0 @@
-module = "github.com/miekg/dns"
-
-description = """
-An attacker may prevent TCP connections to a [`Server`][] by opening
-a connection and leaving it idle, until the connection is closed by
-the server no other connections will be accepted.
-"""
-
-cve = "CVE-2017-15133"
-
-credit = "Pedro Sampaio"
-
-symbols = ["Server.serveTCP"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.0.4-0.20180125103619-43913f2f4fbd"
-
-[links]
-pr = "https://github.com/miekg/dns/pull/631"
-commit = "https://github.com/miekg/dns/commit/43913f2f4fbd7dcff930b8a809e709591e4dd79e"
diff --git a/reports/GO-2020-0006.yaml b/reports/GO-2020-0006.yaml
new file mode 100644
index 0000000..11aa4e0
--- /dev/null
+++ b/reports/GO-2020-0006.yaml
@@ -0,0 +1,15 @@
+module: github.com/miekg/dns
+versions:
+- fixed: v1.0.4-0.20180125103619-43913f2f4fbd
+description: |
+ An attacker may prevent TCP connections to a [`Server`][] by opening
+ a connection and leaving it idle, until the connection is closed by
+ the server no other connections will be accepted.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2017-15133
+credit: Pedro Sampaio
+symbols:
+- Server.serveTCP
+links:
+ pr: https://github.com/miekg/dns/pull/631
+ commit: https://github.com/miekg/dns/commit/43913f2f4fbd7dcff930b8a809e709591e4dd79e
diff --git a/reports/GO-2020-0007.toml b/reports/GO-2020-0007.toml
deleted file mode 100644
index c512cfe..0000000
--- a/reports/GO-2020-0007.toml
+++ /dev/null
@@ -1,23 +0,0 @@
-module = "github.com/seccomp/libseccomp-golang"
-
-description = """
-Filters containing rules with multiple syscall arguments are improperly
-constructed, such that all arguments are required to match rather than
-any of the arguments (AND is used rather than OR). These filters can be
-bypassed by only specifying a subset of the arguments due to this
-behavior.
-"""
-
-cve = "CVE-2017-18367"
-
-credit = "@ihac"
-
-symbols = ["ScmpFilter.addRuleGeneric"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.9.1-0.20170424173420-06e7a29f36a3"
-
-[links]
-commit = "https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e"
\ No newline at end of file
diff --git a/reports/GO-2020-0007.yaml b/reports/GO-2020-0007.yaml
new file mode 100644
index 0000000..44cd982
--- /dev/null
+++ b/reports/GO-2020-0007.yaml
@@ -0,0 +1,16 @@
+module: github.com/seccomp/libseccomp-golang
+versions:
+- fixed: v0.9.1-0.20170424173420-06e7a29f36a3
+description: |
+ Filters containing rules with multiple syscall arguments are improperly
+ constructed, such that all arguments are required to match rather than
+ any of the arguments (AND is used rather than OR). These filters can be
+ bypassed by only specifying a subset of the arguments due to this
+ behavior.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2017-18367
+credit: '@ihac'
+symbols:
+- ScmpFilter.addRuleGeneric
+links:
+ commit: https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e
diff --git a/reports/GO-2020-0008.toml b/reports/GO-2020-0008.toml
deleted file mode 100644
index 2af3801..0000000
--- a/reports/GO-2020-0008.toml
+++ /dev/null
@@ -1,24 +0,0 @@
-module = "github.com/miekg/dns"
-
-description = """
-DNS message transaction IDs are generated using [`math/rand`] which
-makes them relatively predictable. This reduces the complexity
-of response spoofing attacks against DNS clients.
-"""
-
-cve = "CVE-2019-19794"
-
-symbols = ["id"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.1.25-0.20191211073109-8ebf2e419df7"
-
-[links]
-pr = "https://github.com/miekg/dns/pull/1044"
-commit = "https://github.com/miekg/dns/commit/8ebf2e419df7857ac8919baa05248789a8ffbf33"
-context = [
- "https://github.com/miekg/dns/issues/1037",
- "https://github.com/miekg/dns/issues/1043"
-]
\ No newline at end of file
diff --git a/reports/GO-2020-0008.yaml b/reports/GO-2020-0008.yaml
new file mode 100644
index 0000000..f2000b3
--- /dev/null
+++ b/reports/GO-2020-0008.yaml
@@ -0,0 +1,17 @@
+module: github.com/miekg/dns
+versions:
+- fixed: v1.1.25-0.20191211073109-8ebf2e419df7
+description: |
+ DNS message transaction IDs are generated using [`math/rand`] which
+ makes them relatively predictable. This reduces the complexity
+ of response spoofing attacks against DNS clients.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2019-19794
+symbols:
+- id
+links:
+ pr: https://github.com/miekg/dns/pull/1044
+ commit: https://github.com/miekg/dns/commit/8ebf2e419df7857ac8919baa05248789a8ffbf33
+ context:
+ - https://github.com/miekg/dns/issues/1037
+ - https://github.com/miekg/dns/issues/1043
diff --git a/reports/GO-2020-0009.toml b/reports/GO-2020-0009.toml
deleted file mode 100644
index 1134475..0000000
--- a/reports/GO-2020-0009.toml
+++ /dev/null
@@ -1,43 +0,0 @@
-module = "github.com/square/go-jose"
-package = "github.com/square/go-jose/cipher"
-
-arch = [
- "386",
- "arm",
- "armbe",
- "amd64p32",
- "mips",
- "mipsle",
- "mips64p32",
- "mips64p32le",
- "ppc",
- "riscv",
- "s390",
- "sparc"
-]
-
-description = """
-On 32-bit platforms an attacker can manipulate a ciphertext encrypted with AES-CBC
-with HMAC such that they can control how large the input buffer is when computing
-the HMAC authentication tag. This can can allow a manipulated ciphertext to be
-verified as authentic, opening the door for padding oracle attacks.
-"""
-
-cve = "CVE-2016-9123"
-
-credit = "Quan Nguyen from Google's Information Security Engineering Team"
-
-symbols = ["cbcAEAD.computeAuthTag"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.0.0-20160903044734-789a4c4bd4c1"
-
-[[additional_packages]]
-module = "github.com/square/go-jose"
-symbols = ["JsonWebEncryption.Decrypt", "JsonWebEncryption.DecryptMulti"]
-
-[links]
-commit = "https://github.com/square/go-jose/commit/789a4c4bd4c118f7564954f441b29c153ccd6a96"
-context = ["https://www.openwall.com/lists/oss-security/2016/11/03/1"]
\ No newline at end of file
diff --git a/reports/GO-2020-0009.yaml b/reports/GO-2020-0009.yaml
new file mode 100644
index 0000000..9e8fa99
--- /dev/null
+++ b/reports/GO-2020-0009.yaml
@@ -0,0 +1,36 @@
+module: github.com/square/go-jose
+package: github.com/square/go-jose/cipher
+additional_packages:
+- module: github.com/square/go-jose
+ symbols:
+ - JsonWebEncryption.Decrypt
+ - JsonWebEncryption.DecryptMulti
+versions:
+- fixed: v0.0.0-20160903044734-789a4c4bd4c1
+description: |
+ On 32-bit platforms an attacker can manipulate a ciphertext encrypted with AES-CBC
+ with HMAC such that they can control how large the input buffer is when computing
+ the HMAC authentication tag. This can can allow a manipulated ciphertext to be
+ verified as authentic, opening the door for padding oracle attacks.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2016-9123
+credit: Quan Nguyen from Google's Information Security Engineering Team
+symbols:
+- cbcAEAD.computeAuthTag
+arch:
+- "386"
+- arm
+- armbe
+- amd64p32
+- mips
+- mipsle
+- mips64p32
+- mips64p32le
+- ppc
+- riscv
+- s390
+- sparc
+links:
+ commit: https://github.com/square/go-jose/commit/789a4c4bd4c118f7564954f441b29c153ccd6a96
+ context:
+ - https://www.openwall.com/lists/oss-security/2016/11/03/1
diff --git a/reports/GO-2020-0010.toml b/reports/GO-2020-0010.toml
deleted file mode 100644
index 176957c..0000000
--- a/reports/GO-2020-0010.toml
+++ /dev/null
@@ -1,27 +0,0 @@
-module = "github.com/square/go-jose"
-package = "github.com/square/go-jose/cipher"
-
-description = """
-When using ECDH-ES an attacker can mount an invalid curve attack during
-decryption as the supplied public key is not checked to be on the same
-curve as the recievers private key.
-"""
-
-cve = "CVE-2016-9121"
-
-credit = "Quan Nguyen from Google's Information Security Engineering Team"
-
-symbols = ["DeriveECDHES", "ecDecrypterSigner.decryptKey", "rawJsonWebKey.ecPublicKey"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.0.0-20160831185616-c7581939a365"
-
-[[additional_packages]]
-module = "github.com/square/go-jose"
-symbols = ["JsonWebEncryption.Decrypt"]
-
-[links]
-commit = "https://github.com/square/go-jose/commit/c7581939a3656bb65e89d64da0a52364a33d2507"
-context = ["https://www.openwall.com/lists/oss-security/2016/11/03/1"]
\ No newline at end of file
diff --git a/reports/GO-2020-0010.yaml b/reports/GO-2020-0010.yaml
new file mode 100644
index 0000000..df3b42f
--- /dev/null
+++ b/reports/GO-2020-0010.yaml
@@ -0,0 +1,23 @@
+module: github.com/square/go-jose
+package: github.com/square/go-jose/cipher
+additional_packages:
+- module: github.com/square/go-jose
+ symbols:
+ - JsonWebEncryption.Decrypt
+versions:
+- fixed: v0.0.0-20160831185616-c7581939a365
+description: |
+ When using ECDH-ES an attacker can mount an invalid curve attack during
+ decryption as the supplied public key is not checked to be on the same
+ curve as the recievers private key.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2016-9121
+credit: Quan Nguyen from Google's Information Security Engineering Team
+symbols:
+- DeriveECDHES
+- ecDecrypterSigner.decryptKey
+- rawJsonWebKey.ecPublicKey
+links:
+ commit: https://github.com/square/go-jose/commit/c7581939a3656bb65e89d64da0a52364a33d2507
+ context:
+ - https://www.openwall.com/lists/oss-security/2016/11/03/1
diff --git a/reports/GO-2020-0011.toml b/reports/GO-2020-0011.toml
deleted file mode 100644
index ccfc9bf..0000000
--- a/reports/GO-2020-0011.toml
+++ /dev/null
@@ -1,24 +0,0 @@
-module = "github.com/square/go-jose"
-
-description = """
-When decrypting JsonWebEncryption objects with multiple recipients
-or JsonWebSignature objects with multiple signatures the Decrypt
-and Verify methods do not indicate which recipient or signature was
-valid. This may lead a caller to rely on protected headers from an
-invalid recipient or signature.
-"""
-
-cve = "CVE-2016-9122"
-
-credit = "Quan Nguyen from Google's Information Security Engineering Team"
-
-symbols = ["JsonWebEncryption.Decrypt", "JsonWebSignature.Verify"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.0.0-20160922232413-2c5656adca99"
-
-[links]
-commit = "https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6"
-context = ["https://www.openwall.com/lists/oss-security/2016/11/03/1"]
\ No newline at end of file
diff --git a/reports/GO-2020-0011.yaml b/reports/GO-2020-0011.yaml
new file mode 100644
index 0000000..3a51c22
--- /dev/null
+++ b/reports/GO-2020-0011.yaml
@@ -0,0 +1,19 @@
+module: github.com/square/go-jose
+versions:
+- fixed: v0.0.0-20160922232413-2c5656adca99
+description: |
+ When decrypting JsonWebEncryption objects with multiple recipients
+ or JsonWebSignature objects with multiple signatures the Decrypt
+ and Verify methods do not indicate which recipient or signature was
+ valid. This may lead a caller to rely on protected headers from an
+ invalid recipient or signature.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2016-9122
+credit: Quan Nguyen from Google's Information Security Engineering Team
+symbols:
+- JsonWebEncryption.Decrypt
+- JsonWebSignature.Verify
+links:
+ commit: https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6
+ context:
+ - https://www.openwall.com/lists/oss-security/2016/11/03/1
diff --git a/reports/GO-2020-0012.toml b/reports/GO-2020-0012.toml
deleted file mode 100644
index bca86d3..0000000
--- a/reports/GO-2020-0012.toml
+++ /dev/null
@@ -1,24 +0,0 @@
-module = "golang.org/x/crypto"
-package = "golang.org/x/crypto/ssh"
-
-description = """
-An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public
-key, such that the library will panic when trying to verify a signature
-with it.
-"""
-
-cve = "CVE-2020-9283"
-
-credit = "Alex Gaynor, Fish in a Barrel"
-
-symbols = ["parseED25519", "ed25519PublicKey.Verify", "parseSKEd25519", "skEd25519PublicKey.Verify", "NewPublicKey"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.0.0-20200220183623-bac4c82f6975"
-
-[links]
-pr = "https://go-review.googlesource.com/c/crypto/+/220357"
-commit = "https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236"
-context = ["https://groups.google.com/g/golang-announce/c/3L45YRc91SY"]
\ No newline at end of file
diff --git a/reports/GO-2020-0012.yaml b/reports/GO-2020-0012.yaml
new file mode 100644
index 0000000..e0f6a07
--- /dev/null
+++ b/reports/GO-2020-0012.yaml
@@ -0,0 +1,22 @@
+module: golang.org/x/crypto
+package: golang.org/x/crypto/ssh
+versions:
+- fixed: v0.0.0-20200220183623-bac4c82f6975
+description: |
+ An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public
+ key, such that the library will panic when trying to verify a signature
+ with it.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-9283
+credit: Alex Gaynor, Fish in a Barrel
+symbols:
+- parseED25519
+- ed25519PublicKey.Verify
+- parseSKEd25519
+- skEd25519PublicKey.Verify
+- NewPublicKey
+links:
+ pr: https://go-review.googlesource.com/c/crypto/+/220357
+ commit: https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236
+ context:
+ - https://groups.google.com/g/golang-announce/c/3L45YRc91SY
diff --git a/reports/GO-2020-0013.toml b/reports/GO-2020-0013.toml
deleted file mode 100644
index 33abc6b..0000000
--- a/reports/GO-2020-0013.toml
+++ /dev/null
@@ -1,27 +0,0 @@
-module = "golang.org/x/crypto"
-package = "golang.org/x/crypto/ssh"
-
-description = """
-By default host key verification is disabled which allows for
-man-in-the-middle attacks against SSH clients if
-[`ClientConfig.HostKeyCallback`] is not set.
-"""
-
-cve = "CVE-2017-3204"
-
-credit = "Phil Pennock"
-
-symbols = ["NewClientConn"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.0.0-20170330155735-e4e2799dd7aa"
-
-[links]
-pr = "https://go-review.googlesource.com/38701"
-commit = "https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991"
-context = [
- "https://github.com/golang/go/issues/19767",
- "https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/"
-]
\ No newline at end of file
diff --git a/reports/GO-2020-0013.yaml b/reports/GO-2020-0013.yaml
new file mode 100644
index 0000000..35f908e
--- /dev/null
+++ b/reports/GO-2020-0013.yaml
@@ -0,0 +1,19 @@
+module: golang.org/x/crypto
+package: golang.org/x/crypto/ssh
+versions:
+- fixed: v0.0.0-20170330155735-e4e2799dd7aa
+description: |
+ By default host key verification is disabled which allows for
+ man-in-the-middle attacks against SSH clients if
+ [`ClientConfig.HostKeyCallback`] is not set.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2017-3204
+credit: Phil Pennock
+symbols:
+- NewClientConn
+links:
+ pr: https://go-review.googlesource.com/38701
+ commit: https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991
+ context:
+ - https://github.com/golang/go/issues/19767
+ - https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/
diff --git a/reports/GO-2020-0014.toml b/reports/GO-2020-0014.toml
deleted file mode 100644
index 2d96722..0000000
--- a/reports/GO-2020-0014.toml
+++ /dev/null
@@ -1,22 +0,0 @@
-module = "golang.org/x/net"
-package = "golang.org/x/net/html"
-
-description = """
-[`html.Parse`] does not properly handle "select" tags, which can lead
-to an infinite loop.
-"""
-cve = "CVE-2018-17846"
-
-credit = "@tr3ee"
-
-symbols = ["inSelectIM", "inSelectInTableIM"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.0.0-20190125091013-d26f9f9a57f3"
-
-[links]
-pr = "https://go-review.googlesource.com/c/137275"
-commit = "https://github.com/golang/net/commit/d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf"
-context = ["https://github.com/golang/go/issues/27842"]
\ No newline at end of file
diff --git a/reports/GO-2020-0014.yaml b/reports/GO-2020-0014.yaml
new file mode 100644
index 0000000..fa06314
--- /dev/null
+++ b/reports/GO-2020-0014.yaml
@@ -0,0 +1,18 @@
+module: golang.org/x/net
+package: golang.org/x/net/html
+versions:
+- fixed: v0.0.0-20190125091013-d26f9f9a57f3
+description: |
+ [`html.Parse`] does not properly handle "select" tags, which can lead
+ to an infinite loop.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2018-17846
+credit: '@tr3ee'
+symbols:
+- inSelectIM
+- inSelectInTableIM
+links:
+ pr: https://go-review.googlesource.com/c/137275
+ commit: https://github.com/golang/net/commit/d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf
+ context:
+ - https://github.com/golang/go/issues/27842
diff --git a/reports/GO-2020-0015.toml b/reports/GO-2020-0015.toml
deleted file mode 100644
index d630e56..0000000
--- a/reports/GO-2020-0015.toml
+++ /dev/null
@@ -1,35 +0,0 @@
-module = "golang.org/x/text"
-package = "golang.org/x/text/encoding/unicode"
-
-description = """
-An attacker could provide a single byte to a [`UTF16`] decoder instantiated with
-[`UseBOM`] or [`ExpectBOM`] to trigger an infinite loop if the [`String`] function on
-the [`Decoder`] is called, or the [`Decoder`] is passed to [`transform.String`].
-"""
-
-cve = "CVE-2020-14040"
-
-# This was reported by two people, once publicly and once
-# to the security team. Perhaps this should be an array
-# to capture multiple reporters?
-credit = "@abacabadabacaba" # also Anton Gyllenberg
-
-symbols = ["utf16Decoder.Transform"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.3.3"
-
-[[additional_packages]]
-module = "golang.org/x/text"
-package = "golang.org/x/text/transform"
-symbols = ["Transform"]
-
-[links]
-pr = "https://go-review.googlesource.com/c/text/+/238238"
-commit = "https://github.com/golang/text/commit/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
-context = [
- "https://github.com/golang/go/issues/39491",
- "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
-]
\ No newline at end of file
diff --git a/reports/GO-2020-0015.yaml b/reports/GO-2020-0015.yaml
new file mode 100644
index 0000000..442621d
--- /dev/null
+++ b/reports/GO-2020-0015.yaml
@@ -0,0 +1,24 @@
+module: golang.org/x/text
+package: golang.org/x/text/encoding/unicode
+additional_packages:
+- module: golang.org/x/text
+ package: golang.org/x/text/transform
+ symbols:
+ - Transform
+versions:
+- fixed: v0.3.3
+description: |
+ An attacker could provide a single byte to a [`UTF16`] decoder instantiated with
+ [`UseBOM`] or [`ExpectBOM`] to trigger an infinite loop if the [`String`] function on
+ the [`Decoder`] is called, or the [`Decoder`] is passed to [`transform.String`].
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-14040
+credit: '@abacabadabacaba and Anton Gyllenberg'
+symbols:
+- utf16Decoder.Transform
+links:
+ pr: https://go-review.googlesource.com/c/text/+/238238
+ commit: https://github.com/golang/text/commit/23ae387dee1f90d29a23c0e87ee0b46038fbed0e
+ context:
+ - https://github.com/golang/go/issues/39491
+ - https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0
diff --git a/reports/GO-2020-0016.toml b/reports/GO-2020-0016.toml
deleted file mode 100644
index 4fd51b6..0000000
--- a/reports/GO-2020-0016.toml
+++ /dev/null
@@ -1,30 +0,0 @@
-module = "github.com/ulikunitz/xz"
-
-description = """
-An attacker can construct a series of bytes such that calling
-[`Reader.Read`] on the bytes could cause an infinite loop.
-"""
-
-credit = "@0xdecaf"
-
-symbols = ["readUvarint"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.5.8"
-
-[links]
-commit = "https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b"
-context = [
- "https://github.com/ulikunitz/xz/issues/35",
- "https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27"
-]
-
-[cve_metadata]
-id = "CVE-9999-0004"
-description = """
-Integer overflow in github.com/ulikunitz/xz before v0.5.8 allows attackers
-to cause denial of service via maliciously crafted input.
-"""
-cwe = "CWE-190: Integer Overflow or Wraparound"
diff --git a/reports/GO-2020-0016.yaml b/reports/GO-2020-0016.yaml
new file mode 100644
index 0000000..bfdbf7d
--- /dev/null
+++ b/reports/GO-2020-0016.yaml
@@ -0,0 +1,21 @@
+module: github.com/ulikunitz/xz
+versions:
+- fixed: v0.5.8
+description: |
+ An attacker can construct a series of bytes such that calling
+ [`Reader.Read`] on the bytes could cause an infinite loop.
+published: 2021-04-14T12:00:00Z
+credit: '@0xdecaf'
+symbols:
+- readUvarint
+links:
+ commit: https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b
+ context:
+ - https://github.com/ulikunitz/xz/issues/35
+ - https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27
+cve_metadata:
+ id: CVE-9999-0004
+ cwe: 'CWE-190: Integer Overflow or Wraparound'
+ description: |
+ Integer overflow in github.com/ulikunitz/xz before v0.5.8 allows attackers
+ to cause denial of service via maliciously crafted input.
diff --git a/reports/GO-2020-0017.toml b/reports/GO-2020-0017.toml
deleted file mode 100644
index 2e91a82..0000000
--- a/reports/GO-2020-0017.toml
+++ /dev/null
@@ -1,29 +0,0 @@
-module = "github.com/dgrijalva/jwt-go"
-
-description = """
-If a JWT contains an audience claim with an array of strings, rather
-than a single string, and `MapClaims.VerifyAudience` is called with
-`req` set to `false` then audience verification will be bypassed,
-allowing an invalid set of audiences to be provided.
-"""
-
-cve = "CVE-2020-26160"
-
-credit = "@christopher-wong"
-
-symbols = ["MapClaims.VerifyAudience"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-introduced = "v0.0.0-20150717181359-44718f8a89b0"
-
-[[additional_packages]]
-module = "github.com/dgrijalva/jwt-go/v4"
-symbols = ["MapClaims.VerifyAudience"]
-[[additional_packages.versions]]
-fixed = "v4.0.0-preview1"
-
-[links]
-commit = "https://github.com/dgrijalva/jwt-go/commit/ec0a89a131e3e8567adcb21254a5cd20a70ea4ab"
-context = ["https://github.com/dgrijalva/jwt-go/issues/422"]
diff --git a/reports/GO-2020-0017.yaml b/reports/GO-2020-0017.yaml
new file mode 100644
index 0000000..fe66790
--- /dev/null
+++ b/reports/GO-2020-0017.yaml
@@ -0,0 +1,23 @@
+module: github.com/dgrijalva/jwt-go
+additional_packages:
+- module: github.com/dgrijalva/jwt-go/v4
+ symbols:
+ - MapClaims.VerifyAudience
+ versions:
+ - fixed: v4.0.0-preview1
+versions:
+- introduced: v0.0.0-20150717181359-44718f8a89b0
+description: |
+ If a JWT contains an audience claim with an array of strings, rather
+ than a single string, and `MapClaims.VerifyAudience` is called with
+ `req` set to `false` then audience verification will be bypassed,
+ allowing an invalid set of audiences to be provided.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-26160
+credit: '@christopher-wong'
+symbols:
+- MapClaims.VerifyAudience
+links:
+ commit: https://github.com/dgrijalva/jwt-go/commit/ec0a89a131e3e8567adcb21254a5cd20a70ea4ab
+ context:
+ - https://github.com/dgrijalva/jwt-go/issues/422
diff --git a/reports/GO-2020-0018.toml b/reports/GO-2020-0018.toml
deleted file mode 100644
index 7c0431b..0000000
--- a/reports/GO-2020-0018.toml
+++ /dev/null
@@ -1,22 +0,0 @@
-module = "github.com/satori/go.uuid"
-
-
-description = """
-UUIDs generated using [`NewV1`] and [`NewV4`] may not read the expected
-number of random bytes. These UUIDs may contain a significantly smaller
-amount of entropy than expected, possibly leading to collisions.
-"""
-
-credit = "@josselin-c"
-
-symbols = ["NewV4", "rfc4122Generator.getClockSequence", "rfc4122Generator.getHardwareAddr"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.2.1-0.20181016170032-d91630c85102"
-
-[links]
-pr = "https://github.com/satori/go.uuid/pull/75"
-commit = "https://github.com/satori/go.uuid/commit/d91630c8510268e75203009fe7daf2b8e1d60c45"
-context = ["https://github.com/satori/go.uuid/issues/73"]
\ No newline at end of file
diff --git a/reports/GO-2020-0018.yaml b/reports/GO-2020-0018.yaml
new file mode 100644
index 0000000..dfe1ebd
--- /dev/null
+++ b/reports/GO-2020-0018.yaml
@@ -0,0 +1,18 @@
+module: github.com/satori/go.uuid
+versions:
+- fixed: v1.2.1-0.20181016170032-d91630c85102
+description: |
+ UUIDs generated using [`NewV1`] and [`NewV4`] may not read the expected
+ number of random bytes. These UUIDs may contain a significantly smaller
+ amount of entropy than expected, possibly leading to collisions.
+published: 2021-04-14T12:00:00Z
+credit: '@josselin-c'
+symbols:
+- NewV4
+- rfc4122Generator.getClockSequence
+- rfc4122Generator.getHardwareAddr
+links:
+ pr: https://github.com/satori/go.uuid/pull/75
+ commit: https://github.com/satori/go.uuid/commit/d91630c8510268e75203009fe7daf2b8e1d60c45
+ context:
+ - https://github.com/satori/go.uuid/issues/73
diff --git a/reports/GO-2020-0019.toml b/reports/GO-2020-0019.toml
deleted file mode 100644
index a72c7ee..0000000
--- a/reports/GO-2020-0019.toml
+++ /dev/null
@@ -1,23 +0,0 @@
-module = "github.com/gorilla/websocket"
-
-description = """
-An attacker can craft malicious WebSocket frames that cause an integer
-overflow in a variable which tracks the number of bytes remaining. This
-can cause the server or client to get stuck attempting to read frames
-in a loop.
-"""
-
-cve = "CVE-2020-27813"
-
-credit = "Max Justicz"
-
-symbols = ["Conn.advanceFrame", "messageReader.Read"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.4.1"
-
-[links]
-pr = "https://github.com/gorilla/websocket/pull/537"
-commit = "https://github.com/gorilla/websocket/commit/5b740c29263eb386f33f265561c8262522f19d37"
\ No newline at end of file
diff --git a/reports/GO-2020-0019.yaml b/reports/GO-2020-0019.yaml
new file mode 100644
index 0000000..1ebdbbf
--- /dev/null
+++ b/reports/GO-2020-0019.yaml
@@ -0,0 +1,17 @@
+module: github.com/gorilla/websocket
+versions:
+- fixed: v1.4.1
+description: |
+ An attacker can craft malicious WebSocket frames that cause an integer
+ overflow in a variable which tracks the number of bytes remaining. This
+ can cause the server or client to get stuck attempting to read frames
+ in a loop.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-27813
+credit: Max Justicz
+symbols:
+- Conn.advanceFrame
+- messageReader.Read
+links:
+ pr: https://github.com/gorilla/websocket/pull/537
+ commit: https://github.com/gorilla/websocket/commit/5b740c29263eb386f33f265561c8262522f19d37
diff --git a/reports/GO-2020-0020.toml b/reports/GO-2020-0020.toml
deleted file mode 100644
index 399ec85..0000000
--- a/reports/GO-2020-0020.toml
+++ /dev/null
@@ -1,27 +0,0 @@
-module = "github.com/gorilla/handlers"
-
-description = """
-Usage of the [`CORS`] handler may apply improper CORS headers, allowing
-the requester to explicitly control the value of the Access-Control-Allow-Origin
-header, which bypasses the expected behavior of the Same Origin Policy.
-"""
-
-credit = "Evan J Johnson"
-
-symbols = ["cors.ServeHTTP"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.3.0"
-
-[links]
-pr = "https://github.com/gorilla/handlers/pull/116"
-commit = "https://github.com/gorilla/handlers/commit/90663712d74cb411cbef281bc1e08c19d1a76145"
-
-[cve_metadata]
-id = "CVE-9999-0005"
-description = """
-
-"""
-cwe = ""
diff --git a/reports/GO-2020-0020.yaml b/reports/GO-2020-0020.yaml
new file mode 100644
index 0000000..53b255f
--- /dev/null
+++ b/reports/GO-2020-0020.yaml
@@ -0,0 +1,18 @@
+module: github.com/gorilla/handlers
+versions:
+- fixed: v1.3.0
+description: |
+ Usage of the [`CORS`] handler may apply improper CORS headers, allowing
+ the requester to explicitly control the value of the Access-Control-Allow-Origin
+ header, which bypasses the expected behavior of the Same Origin Policy.
+published: 2021-04-14T12:00:00Z
+credit: Evan J Johnson
+symbols:
+- cors.ServeHTTP
+links:
+ pr: https://github.com/gorilla/handlers/pull/116
+ commit: https://github.com/gorilla/handlers/commit/90663712d74cb411cbef281bc1e08c19d1a76145
+cve_metadata:
+ id: CVE-9999-0005
+ description: |2+
+
diff --git a/reports/GO-2020-0021.toml b/reports/GO-2020-0021.toml
deleted file mode 100644
index 604b952..0000000
--- a/reports/GO-2020-0021.toml
+++ /dev/null
@@ -1,21 +0,0 @@
-module = "github.com/gogits/gogs"
-
-description = """
-Multiple methods are vulnerable to SQL injection attacks as unsanitized
-user input is used to construct SQL statements.
-"""
-
-cve = "CVE-2014-8681"
-
-credit = "Pascal Turbing and Jiahua (Joe) Chen"
-
-symbols = ["GetIssues", "SearchRepositoryByName", "SearchUserByName"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.5.8"
-
-[links]
-commit = "https://github.com/gogs/gogs/commit/83283bca4cb4e0f4ec48a28af680f0d88db3d2c8"
-context = ["https://seclists.org/fulldisclosure/2014/Nov/31"]
\ No newline at end of file
diff --git a/reports/GO-2020-0021.yaml b/reports/GO-2020-0021.yaml
new file mode 100644
index 0000000..d2fdf00
--- /dev/null
+++ b/reports/GO-2020-0021.yaml
@@ -0,0 +1,17 @@
+module: github.com/gogits/gogs
+versions:
+- fixed: v0.5.8
+description: |
+ Multiple methods are vulnerable to SQL injection attacks as unsanitized
+ user input is used to construct SQL statements.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2014-8681
+credit: Pascal Turbing and Jiahua (Joe) Chen
+symbols:
+- GetIssues
+- SearchRepositoryByName
+- SearchUserByName
+links:
+ commit: https://github.com/gogs/gogs/commit/83283bca4cb4e0f4ec48a28af680f0d88db3d2c8
+ context:
+ - https://seclists.org/fulldisclosure/2014/Nov/31
diff --git a/reports/GO-2020-0022.toml b/reports/GO-2020-0022.toml
deleted file mode 100644
index e05889c..0000000
--- a/reports/GO-2020-0022.toml
+++ /dev/null
@@ -1,20 +0,0 @@
-module = "github.com/cloudflare/golz4"
-
-description = """
-LZ4 bindings used a deprecated C API that is vulnerable to
-memory corruption which could lead to arbitrary code execution
-if successfully exploited.
-"""
-
-credit = "Don A. Bailey"
-
-symbols = ["Uncompress"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.0.0-20140711154735-199f5f787806"
-
-[links]
-commit = "https://github.com/cloudflare/golz4/commit/199f5f7878062ca17a98e079f2dbe1205e2ed898"
-context = ["https://github.com/cloudflare/golz4/issues/5"]
\ No newline at end of file
diff --git a/reports/GO-2020-0022.yaml b/reports/GO-2020-0022.yaml
new file mode 100644
index 0000000..ccf6212
--- /dev/null
+++ b/reports/GO-2020-0022.yaml
@@ -0,0 +1,15 @@
+module: github.com/cloudflare/golz4
+versions:
+- fixed: v0.0.0-20140711154735-199f5f787806
+description: |
+ LZ4 bindings used a deprecated C API that is vulnerable to
+ memory corruption which could lead to arbitrary code execution
+ if successfully exploited.
+published: 2021-04-14T12:00:00Z
+credit: Don A. Bailey
+symbols:
+- Uncompress
+links:
+ commit: https://github.com/cloudflare/golz4/commit/199f5f7878062ca17a98e079f2dbe1205e2ed898
+ context:
+ - https://github.com/cloudflare/golz4/issues/5
diff --git a/reports/GO-2020-0023.toml b/reports/GO-2020-0023.toml
deleted file mode 100644
index a1b3bf9..0000000
--- a/reports/GO-2020-0023.toml
+++ /dev/null
@@ -1,18 +0,0 @@
-module = "github.com/robbert229/jwt"
-
-description = """
-[`Validate`] used non-constant time string comparison to
-compare a provided HMAC against expected HMAC, providing
-a timing side-channel.
-"""
-
-symbols = ["Algorithm.validateSignature"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.0.0-20170426191122-ca1404ee6e83"
-
-[links]
-commit = "https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654"
-context = ["https://github.com/robbert229/jwt/issues/12"]
\ No newline at end of file
diff --git a/reports/GO-2020-0023.yaml b/reports/GO-2020-0023.yaml
new file mode 100644
index 0000000..0f39fc2
--- /dev/null
+++ b/reports/GO-2020-0023.yaml
@@ -0,0 +1,14 @@
+module: github.com/robbert229/jwt
+versions:
+- fixed: v0.0.0-20170426191122-ca1404ee6e83
+description: |
+ [`Validate`] used non-constant time string comparison to
+ compare a provided HMAC against expected HMAC, providing
+ a timing side-channel.
+published: 2021-04-14T12:00:00Z
+symbols:
+- Algorithm.validateSignature
+links:
+ commit: https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654
+ context:
+ - https://github.com/robbert229/jwt/issues/12
diff --git a/reports/GO-2020-0024.toml b/reports/GO-2020-0024.toml
deleted file mode 100644
index 84d30c7..0000000
--- a/reports/GO-2020-0024.toml
+++ /dev/null
@@ -1,24 +0,0 @@
-module = "github.com/btcsuite/go-socks"
-package = "github.com/btcsuite/go-socks/socks"
-
-description = """
-The RemoteAddr and LocalAddr methods on the returned net.Conn may
-call themselves, leading to an infinite loop.
-"""
-
-symbols = ["proxiedConn.LocalAddr", "proxiedConn.RemoteAddr"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.0.0-20130808000456-233bccbb1abe"
-
-[[additional_packages]]
-module = "github.com/btcsuitereleases/go-socks"
-package = "github.com/btcsuitereleases/go-socks/socks"
-symbols = ["proxiedConn.LocalAddr", "proxiedConn.RemoteAddr"]
-[[additional_packages.versions]]
-fixed = "v0.0.0-20130808000456-233bccbb1abe"
-
-[links]
-commit = "https://github.com/btcsuite/go-socks/commit/233bccbb1abe02f05750f7ace66f5bffdb13defc"
\ No newline at end of file
diff --git a/reports/GO-2020-0024.yaml b/reports/GO-2020-0024.yaml
new file mode 100644
index 0000000..a96ebc0
--- /dev/null
+++ b/reports/GO-2020-0024.yaml
@@ -0,0 +1,21 @@
+module: github.com/btcsuite/go-socks
+package: github.com/btcsuite/go-socks/socks
+additional_packages:
+- module: github.com/btcsuitereleases/go-socks
+ package: github.com/btcsuitereleases/go-socks/socks
+ symbols:
+ - proxiedConn.LocalAddr
+ - proxiedConn.RemoteAddr
+ versions:
+ - fixed: v0.0.0-20130808000456-233bccbb1abe
+versions:
+- fixed: v0.0.0-20130808000456-233bccbb1abe
+description: |
+ The RemoteAddr and LocalAddr methods on the returned net.Conn may
+ call themselves, leading to an infinite loop.
+published: 2021-04-14T12:00:00Z
+symbols:
+- proxiedConn.LocalAddr
+- proxiedConn.RemoteAddr
+links:
+ commit: https://github.com/btcsuite/go-socks/commit/233bccbb1abe02f05750f7ace66f5bffdb13defc
diff --git a/reports/GO-2020-0025.toml b/reports/GO-2020-0025.toml
deleted file mode 100644
index 5f60b90..0000000
--- a/reports/GO-2020-0025.toml
+++ /dev/null
@@ -1,24 +0,0 @@
-module = "github.com/cloudfoundry/archiver"
-
-description = """
-Malicious Zip and Tar archives can be crafted that contain relative
-file paths, such that arbitary files outside of the target directory
-may be overwritten.
-"""
-
-symbols = ["tgzExtractor.Extract", "zipExtractor.Extract"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.0.0-20180523222229-09b5706aa936"
-
-[[additional_packages]]
-module = "code.cloudfoundry.org/archiver"
-symbols = ["tgzExtractor.Extract", "zipExtractor.Extract"]
-[[versions]]
-fixed = "v0.0.0-20180523222229-09b5706aa936"
-
-[links]
-commit = "https://github.com/cloudfoundry/archiver/commit/09b5706aa9367972c09144a450bb4523049ee840"
-context = ["https://snyk.io/research/zip-slip-vulnerability"]
\ No newline at end of file
diff --git a/reports/GO-2020-0025.yaml b/reports/GO-2020-0025.yaml
new file mode 100644
index 0000000..44055da
--- /dev/null
+++ b/reports/GO-2020-0025.yaml
@@ -0,0 +1,21 @@
+module: github.com/cloudfoundry/archiver
+additional_packages:
+- module: code.cloudfoundry.org/archiver
+ symbols:
+ - tgzExtractor.Extract
+ - zipExtractor.Extract
+versions:
+- fixed: v0.0.0-20180523222229-09b5706aa936
+- fixed: v0.0.0-20180523222229-09b5706aa936
+description: |
+ Malicious Zip and Tar archives can be crafted that contain relative
+ file paths, such that arbitary files outside of the target directory
+ may be overwritten.
+published: 2021-04-14T12:00:00Z
+symbols:
+- tgzExtractor.Extract
+- zipExtractor.Extract
+links:
+ commit: https://github.com/cloudfoundry/archiver/commit/09b5706aa9367972c09144a450bb4523049ee840
+ context:
+ - https://snyk.io/research/zip-slip-vulnerability
diff --git a/reports/GO-2020-0026.toml b/reports/GO-2020-0026.toml
deleted file mode 100644
index 3fe93a7..0000000
--- a/reports/GO-2020-0026.toml
+++ /dev/null
@@ -1,21 +0,0 @@
-module = "github.com/openshift/source-to-image"
-package = "github.com/openshift/source-to-image/pkg/tar"
-
-description = """
-Malicious Zip and Tar archives can be crafted that contain relative
-file paths, such that arbitary files outside of the target directory
-may be overwritten.
-"""
-
-cve = "CVE-2018-1103"
-
-symbols = ["stiTar.ExtractTarStreamFromTarReader", "stiTar.extractLink", "New"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.1.10-0.20180427153919-f5cbcbc5cc6f"
-
-[links]
-commit = "https://github.com/openshift/source-to-image/commit/f5cbcbc5cc6f8cc2f479a7302443bea407a700cb"
-context = ["https://snyk.io/research/zip-slip-vulnerability"]
\ No newline at end of file
diff --git a/reports/GO-2020-0026.yaml b/reports/GO-2020-0026.yaml
new file mode 100644
index 0000000..05245c4
--- /dev/null
+++ b/reports/GO-2020-0026.yaml
@@ -0,0 +1,18 @@
+module: github.com/openshift/source-to-image
+package: github.com/openshift/source-to-image/pkg/tar
+versions:
+- fixed: v1.1.10-0.20180427153919-f5cbcbc5cc6f
+description: |
+ Malicious Zip and Tar archives can be crafted that contain relative
+ file paths, such that arbitary files outside of the target directory
+ may be overwritten.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2018-1103
+symbols:
+- stiTar.ExtractTarStreamFromTarReader
+- stiTar.extractLink
+- New
+links:
+ commit: https://github.com/openshift/source-to-image/commit/f5cbcbc5cc6f8cc2f479a7302443bea407a700cb
+ context:
+ - https://snyk.io/research/zip-slip-vulnerability
diff --git a/reports/GO-2020-0027.toml b/reports/GO-2020-0027.toml
deleted file mode 100644
index cb3bf00..0000000
--- a/reports/GO-2020-0027.toml
+++ /dev/null
@@ -1,26 +0,0 @@
-module = "github.com/google/fscrypt"
-package = "github.com/google/fscrypt/pam"
-
-description = """
-After dropping and then elevating process privileges euid, guid, and groups
-were not properly restored to their original values, allowing an unprivileged
-user to gain membership in the root group.
-"""
-
-cve = "CVE-2018-6558"
-
-symbols = ["NewHandle", "SetProcessPrivileges", "Handle.StopAsPamUser"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.2.4"
-
-[[additional_packages]]
-module = "github.com/google/fscrypt"
-package = "github.com/google/fscrypt/security"
-symbols = ["UserKeyringID"]
-
-[links]
-commit = "https://github.com/google/fscrypt/commit/3022c1603d968c22f147b4a2c49c4637dd1be91b"
-context = ["https://github.com/google/fscrypt/issues/77"]
\ No newline at end of file
diff --git a/reports/GO-2020-0027.yaml b/reports/GO-2020-0027.yaml
new file mode 100644
index 0000000..2dce8d2
--- /dev/null
+++ b/reports/GO-2020-0027.yaml
@@ -0,0 +1,23 @@
+module: github.com/google/fscrypt
+package: github.com/google/fscrypt/pam
+additional_packages:
+- module: github.com/google/fscrypt
+ package: github.com/google/fscrypt/security
+ symbols:
+ - UserKeyringID
+versions:
+- fixed: v0.2.4
+description: |
+ After dropping and then elevating process privileges euid, guid, and groups
+ were not properly restored to their original values, allowing an unprivileged
+ user to gain membership in the root group.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2018-6558
+symbols:
+- NewHandle
+- SetProcessPrivileges
+- Handle.StopAsPamUser
+links:
+ commit: https://github.com/google/fscrypt/commit/3022c1603d968c22f147b4a2c49c4637dd1be91b
+ context:
+ - https://github.com/google/fscrypt/issues/77
diff --git a/reports/GO-2020-0028.toml b/reports/GO-2020-0028.toml
deleted file mode 100644
index 40ca6fa..0000000
--- a/reports/GO-2020-0028.toml
+++ /dev/null
@@ -1,21 +0,0 @@
-module = "github.com/miekg/dns"
-
-description = """
-An attacker can craft a malicious DNS zone file which will cause
-[`ParseZone`] to panic due to a nil pointer dereference.
-"""
-
-cve = "CVE-2018-17419"
-
-credit = "@tr3ee"
-
-symbols = ["setTA"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.0.10"
-
-[links]
-commit = "https://github.com/miekg/dns/commit/501e858f679edecd4a38a86317ce50271014a80d"
-context = ["https://github.com/miekg/dns/issues/742"]
\ No newline at end of file
diff --git a/reports/GO-2020-0028.yaml b/reports/GO-2020-0028.yaml
new file mode 100644
index 0000000..b53be72
--- /dev/null
+++ b/reports/GO-2020-0028.yaml
@@ -0,0 +1,15 @@
+module: github.com/miekg/dns
+versions:
+- fixed: v1.0.10
+description: |
+ An attacker can craft a malicious DNS zone file which will cause
+ [`ParseZone`] to panic due to a nil pointer dereference.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2018-17419
+credit: '@tr3ee'
+symbols:
+- setTA
+links:
+ commit: https://github.com/miekg/dns/commit/501e858f679edecd4a38a86317ce50271014a80d
+ context:
+ - https://github.com/miekg/dns/issues/742
diff --git a/reports/GO-2020-0029.toml b/reports/GO-2020-0029.toml
deleted file mode 100644
index b832ad2..0000000
--- a/reports/GO-2020-0029.toml
+++ /dev/null
@@ -1,18 +0,0 @@
-module = "github.com/gin-gonic/gin"
-
-description = """
-An attacker can spoof their source IP address by setting the X-Forwarded-For
-HTTP header to an arbitrary value.
-"""
-
-credit = "@nl5887"
-
-symbols = ["Context.ClientIP"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.0.0-20141229113116-0099840c98ae"
-
-[links]
-commit = "https://github.com/gin-gonic/gin/commit/0099840c98ae1473c5ff0f18bc93a8e13ceed829"
\ No newline at end of file
diff --git a/reports/GO-2020-0029.yaml b/reports/GO-2020-0029.yaml
new file mode 100644
index 0000000..47b17d9
--- /dev/null
+++ b/reports/GO-2020-0029.yaml
@@ -0,0 +1,12 @@
+module: github.com/gin-gonic/gin
+versions:
+- fixed: v0.0.0-20141229113116-0099840c98ae
+description: |
+ An attacker can spoof their source IP address by setting the X-Forwarded-For
+ HTTP header to an arbitrary value.
+published: 2021-04-14T12:00:00Z
+credit: '@nl5887'
+symbols:
+- Context.ClientIP
+links:
+ commit: https://github.com/gin-gonic/gin/commit/0099840c98ae1473c5ff0f18bc93a8e13ceed829
diff --git a/reports/GO-2020-0030.toml b/reports/GO-2020-0030.toml
deleted file mode 100644
index 39793eb..0000000
--- a/reports/GO-2020-0030.toml
+++ /dev/null
@@ -1,19 +0,0 @@
-module = "gorm.io/gorm"
-
-description = """
-Multiple methods are vulnerable to blind SQL injection attacks
-due to constructing SQL statements using unsantized user input.
-"""
-
-credit = "@wahyuhadi"
-
-symbols = ["Scope.buildCondition"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.2.0"
-
-[links]
-commit = "https://github.com/go-gorm/gorm/commit/836fb2c19d84dac7b0272958dfb9af7cf0d0ade4"
-context = ["https://github.com/go-gorm/gorm/issues/2517"]
\ No newline at end of file
diff --git a/reports/GO-2020-0030.yaml b/reports/GO-2020-0030.yaml
new file mode 100644
index 0000000..7a1eac8
--- /dev/null
+++ b/reports/GO-2020-0030.yaml
@@ -0,0 +1,14 @@
+module: gorm.io/gorm
+versions:
+- fixed: v0.2.0
+description: |
+ Multiple methods are vulnerable to blind SQL injection attacks
+ due to constructing SQL statements using unsantized user input.
+published: 2021-04-14T12:00:00Z
+credit: '@wahyuhadi'
+symbols:
+- Scope.buildCondition
+links:
+ commit: https://github.com/go-gorm/gorm/commit/836fb2c19d84dac7b0272958dfb9af7cf0d0ade4
+ context:
+ - https://github.com/go-gorm/gorm/issues/2517
diff --git a/reports/GO-2020-0031.toml b/reports/GO-2020-0031.toml
deleted file mode 100644
index c629c7d..0000000
--- a/reports/GO-2020-0031.toml
+++ /dev/null
@@ -1,17 +0,0 @@
-module = "github.com/proglottis/gpgme"
-
-description = """
-The C bindings for the GPGME contain a number of use-after-free issues
-which may lead to memory corruption and possible code execution.
-"""
-
-cve = "CVE-2020-8945"
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.1.1"
-
-[links]
-commit = "https://github.com/proglottis/gpgme/commit/92153bcb59bd2f511e502262c46c7bd660e21733"
-context = ["https://bugzilla.redhat.com/show_bug.cgi?id=1795838"]
\ No newline at end of file
diff --git a/reports/GO-2020-0031.yaml b/reports/GO-2020-0031.yaml
new file mode 100644
index 0000000..cfe5393
--- /dev/null
+++ b/reports/GO-2020-0031.yaml
@@ -0,0 +1,12 @@
+module: github.com/proglottis/gpgme
+versions:
+- fixed: v0.1.1
+description: |
+ The C bindings for the GPGME contain a number of use-after-free issues
+ which may lead to memory corruption and possible code execution.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-8945
+links:
+ commit: https://github.com/proglottis/gpgme/commit/92153bcb59bd2f511e502262c46c7bd660e21733
+ context:
+ - https://bugzilla.redhat.com/show_bug.cgi?id=1795838
diff --git a/reports/GO-2020-0032.toml b/reports/GO-2020-0032.toml
deleted file mode 100644
index e7c4e86..0000000
--- a/reports/GO-2020-0032.toml
+++ /dev/null
@@ -1,39 +0,0 @@
-module = "github.com/goadesign/goa"
-
-description = """
-[`Controller.FileHandler`] allows for directory traversal attacks due
-to usage of unsanitized user input.
-"""
-
-credit = "@christi3k"
-
-symbols = ["Controller.FileHandler"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.4.3"
-
-[[additional_packages]]
-module = "goa.design/goa"
-symbols = ["Controller.FileHandler"]
-[[additional_packages.versions]]
-fixed = "v1.4.3"
-
-[[additional_packages]]
-module = "goa.design/goa/v3"
-symbols = ["Controller.FileHandler"]
-[[additional_packages.versions]]
-fixed = "v3.0.9"
-
-[links]
-commit = "https://github.com/goadesign/goa/commit/70b5a199d0f813d74423993832c424e1fc73fb39"
-pr = "https://github.com/goadesign/goa/pull/2388"
-
-[cve_metadata]
-id = "CVE-9999-0012"
-description = """
-Improper path santiziation in github.com/goadesign/goa before v3.0.9, v2.0.10, or
-v1.4.3 allow remote attackers to read files outside of the intended directory.
-"""
-cwe = "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
diff --git a/reports/GO-2020-0032.yaml b/reports/GO-2020-0032.yaml
new file mode 100644
index 0000000..5c495d4
--- /dev/null
+++ b/reports/GO-2020-0032.yaml
@@ -0,0 +1,31 @@
+module: github.com/goadesign/goa
+additional_packages:
+- module: goa.design/goa
+ symbols:
+ - Controller.FileHandler
+ versions:
+ - fixed: v1.4.3
+- module: goa.design/goa/v3
+ symbols:
+ - Controller.FileHandler
+ versions:
+ - fixed: v3.0.9
+versions:
+- fixed: v1.4.3
+description: |
+ [`Controller.FileHandler`] allows for directory traversal attacks due
+ to usage of unsanitized user input.
+published: 2021-04-14T12:00:00Z
+credit: '@christi3k'
+symbols:
+- Controller.FileHandler
+links:
+ pr: https://github.com/goadesign/goa/pull/2388
+ commit: https://github.com/goadesign/goa/commit/70b5a199d0f813d74423993832c424e1fc73fb39
+cve_metadata:
+ id: CVE-9999-0012
+ cwe: 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path
+ Traversal'')'
+ description: |
+ Improper path santiziation in github.com/goadesign/goa before v3.0.9, v2.0.10, or
+ v1.4.3 allow remote attackers to read files outside of the intended directory.
diff --git a/reports/GO-2020-0033.toml b/reports/GO-2020-0033.toml
deleted file mode 100644
index 691bbc6..0000000
--- a/reports/GO-2020-0033.toml
+++ /dev/null
@@ -1,20 +0,0 @@
-module = "aahframe.work"
-
-description = """
-[`HTTPEngine.Handle`] allows for directory traversal attacks due
-to usage of unsanitized user input.
-"""
-
-credit = "@snyff"
-
-symbols = ["HTTPEngine.Handle"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.12.4"
-
-[links]
-commit = "https://github.com/go-aah/aah/commit/881dc9f71d1f7a4e8a9a39df9c5c081d3a2da1ec"
-pr = "https://github.com/go-aah/aah/pull/267"
-context = ["https://github.com/go-aah/aah/issues/266"]
\ No newline at end of file
diff --git a/reports/GO-2020-0033.yaml b/reports/GO-2020-0033.yaml
new file mode 100644
index 0000000..d6f3003
--- /dev/null
+++ b/reports/GO-2020-0033.yaml
@@ -0,0 +1,15 @@
+module: aahframe.work
+versions:
+- fixed: v0.12.4
+description: |
+ [`HTTPEngine.Handle`] allows for directory traversal attacks due
+ to usage of unsanitized user input.
+published: 2021-04-14T12:00:00Z
+credit: '@snyff'
+symbols:
+- HTTPEngine.Handle
+links:
+ pr: https://github.com/go-aah/aah/pull/267
+ commit: https://github.com/go-aah/aah/commit/881dc9f71d1f7a4e8a9a39df9c5c081d3a2da1ec
+ context:
+ - https://github.com/go-aah/aah/issues/266
diff --git a/reports/GO-2020-0034.toml b/reports/GO-2020-0034.toml
deleted file mode 100644
index e490aab..0000000
--- a/reports/GO-2020-0034.toml
+++ /dev/null
@@ -1,18 +0,0 @@
-module = "github.com/artdarek/go-unzip"
-
-description = """
-Malicious Zip archives can be crafted that contain relative file paths,
-such that arbitary files outside of the target directory may be overwritten.
-"""
-
-symbols = ["Unzip.Extract"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.0.0"
-
-[links]
-commit = "https://github.com/artdarek/go-unzip/commit/4975cbe0a719dc50b12da8585f1f207c82f7dfe0"
-pr = "https://github.com/artdarek/go-unzip/pull/2"
-context = ["https://snyk.io/research/zip-slip-vulnerability"]
\ No newline at end of file
diff --git a/reports/GO-2020-0034.yaml b/reports/GO-2020-0034.yaml
new file mode 100644
index 0000000..5ae296c
--- /dev/null
+++ b/reports/GO-2020-0034.yaml
@@ -0,0 +1,14 @@
+module: github.com/artdarek/go-unzip
+versions:
+- fixed: v1.0.0
+description: |
+ Malicious Zip archives can be crafted that contain relative file paths,
+ such that arbitary files outside of the target directory may be overwritten.
+published: 2021-04-14T12:00:00Z
+symbols:
+- Unzip.Extract
+links:
+ pr: https://github.com/artdarek/go-unzip/pull/2
+ commit: https://github.com/artdarek/go-unzip/commit/4975cbe0a719dc50b12da8585f1f207c82f7dfe0
+ context:
+ - https://snyk.io/research/zip-slip-vulnerability
diff --git a/reports/GO-2020-0035.toml b/reports/GO-2020-0035.toml
deleted file mode 100644
index c104eee..0000000
--- a/reports/GO-2020-0035.toml
+++ /dev/null
@@ -1,18 +0,0 @@
-module = "github.com/yi-ge/unzip"
-
-description = """
-Malicious Zip archives can be crafted that contain relative file paths,
-such that arbitary files outside of the target directory may be overwritten.
-"""
-
-symbols = ["Unzip.Extract"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.0.3-0.20200308084313-2adbaa4891b9"
-
-[links]
-commit = "https://github.com/yi-ge/unzip/commit/2adbaa4891b9690853ef10216189189f5ad7dc73"
-pr = "https://github.com/yi-ge/unzip/pull/1"
-context = ["https://snyk.io/research/zip-slip-vulnerability"]
\ No newline at end of file
diff --git a/reports/GO-2020-0035.yaml b/reports/GO-2020-0035.yaml
new file mode 100644
index 0000000..df80b81
--- /dev/null
+++ b/reports/GO-2020-0035.yaml
@@ -0,0 +1,14 @@
+module: github.com/yi-ge/unzip
+versions:
+- fixed: v1.0.3-0.20200308084313-2adbaa4891b9
+description: |
+ Malicious Zip archives can be crafted that contain relative file paths,
+ such that arbitary files outside of the target directory may be overwritten.
+published: 2021-04-14T12:00:00Z
+symbols:
+- Unzip.Extract
+links:
+ pr: https://github.com/yi-ge/unzip/pull/1
+ commit: https://github.com/yi-ge/unzip/commit/2adbaa4891b9690853ef10216189189f5ad7dc73
+ context:
+ - https://snyk.io/research/zip-slip-vulnerability
diff --git a/reports/GO-2020-0036.toml b/reports/GO-2020-0036.toml
deleted file mode 100644
index 74a04c9..0000000
--- a/reports/GO-2020-0036.toml
+++ /dev/null
@@ -1,25 +0,0 @@
-module = "gopkg.in/yaml.v2"
-
-description = """
-An attacker can craft malicious YAML which will consume significant
-system resources when Unmarshalled.
-"""
-
-cve = "CVE-2019-11254"
-
-symbols = ["yaml_parser_fetch_more_tokens"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v2.2.8"
-
-# all of the incompatible version of github.com/go-yaml/yaml
-# are affected
-[[additional_packages]]
-module = "github.com/go-yaml/yaml"
-
-[links]
-commit = "https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48"
-pr = "https://github.com/go-yaml/yaml/pull/555"
-context = ["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496"]
\ No newline at end of file
diff --git a/reports/GO-2020-0036.yaml b/reports/GO-2020-0036.yaml
new file mode 100644
index 0000000..be61839
--- /dev/null
+++ b/reports/GO-2020-0036.yaml
@@ -0,0 +1,19 @@
+module: gopkg.in/yaml.v2
+additional_packages:
+# all of the incompatible versions of github.com/go-yaml/yaml
+# are affected
+- module: github.com/go-yaml/yaml
+versions:
+- fixed: v2.2.8
+description: |
+ An attacker can craft malicious YAML which will consume significant
+ system resources when Unmarshalled.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2019-11254
+symbols:
+- yaml_parser_fetch_more_tokens
+links:
+ pr: https://github.com/go-yaml/yaml/pull/555
+ commit: https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48
+ context:
+ - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496
diff --git a/reports/GO-2020-0037.toml b/reports/GO-2020-0037.toml
deleted file mode 100644
index 6918a9a..0000000
--- a/reports/GO-2020-0037.toml
+++ /dev/null
@@ -1,20 +0,0 @@
-module = "github.com/tendermint/tendermint"
-package = "github.com/tendermint/tendermint/rpc/client"
-
-description = """
-A malicious server can exploit support for gzip compression to force
-the client to consume significant system resources, leading to crashes.
-"""
-
-credit = "@guagualvcha"
-
-symbols = ["makeHTTPClient"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.31.1"
-
-[links]
-commit = "https://github.com/tendermint/tendermint/commit/03085c2da23b179c4a51f59a03cb40aa4e85a613"
-pr = "https://github.com/tendermint/tendermint/pull/3430"
\ No newline at end of file
diff --git a/reports/GO-2020-0037.yaml b/reports/GO-2020-0037.yaml
new file mode 100644
index 0000000..d9c291e
--- /dev/null
+++ b/reports/GO-2020-0037.yaml
@@ -0,0 +1,13 @@
+module: github.com/tendermint/tendermint
+package: github.com/tendermint/tendermint/rpc/client
+versions:
+- fixed: v0.31.1
+description: "A malicious server can exploit support for gzip compression to force\nthe
+ client to consume significant system resources, leading to crashes. \n"
+published: 2021-04-14T12:00:00Z
+credit: '@guagualvcha'
+symbols:
+- makeHTTPClient
+links:
+ pr: https://github.com/tendermint/tendermint/pull/3430
+ commit: https://github.com/tendermint/tendermint/commit/03085c2da23b179c4a51f59a03cb40aa4e85a613
diff --git a/reports/GO-2020-0038.toml b/reports/GO-2020-0038.toml
deleted file mode 100644
index 09c13a1..0000000
--- a/reports/GO-2020-0038.toml
+++ /dev/null
@@ -1,21 +0,0 @@
-module = "github.com/pion/dtls"
-
-description = """
-An attacker can craft records that allow the processing of arbitrary
-unencrypted application data at any point after the initial handshake
-is completed.
-"""
-
-cve = "CVE-2019-20786"
-
-symbols = ["Conn.handleIncomingPacket"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.5.2"
-
-[links]
-commit = "https://github.com/pion/dtls/commit/fd73a5df2ff0e1fb6ae6a51e2777d7a16cc4f4e0"
-pr = "https://github.com/pion/dtls/pull/128"
-context = ["https://www.usenix.org/system/files/sec20fall_fiterau-brostean_prepub.pdf"]
\ No newline at end of file
diff --git a/reports/GO-2020-0038.yaml b/reports/GO-2020-0038.yaml
new file mode 100644
index 0000000..982e106
--- /dev/null
+++ b/reports/GO-2020-0038.yaml
@@ -0,0 +1,16 @@
+module: github.com/pion/dtls
+versions:
+- fixed: v1.5.2
+description: |
+ An attacker can craft records that allow the processing of arbitrary
+ unencrypted application data at any point after the initial handshake
+ is completed.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2019-20786
+symbols:
+- Conn.handleIncomingPacket
+links:
+ pr: https://github.com/pion/dtls/pull/128
+ commit: https://github.com/pion/dtls/commit/fd73a5df2ff0e1fb6ae6a51e2777d7a16cc4f4e0
+ context:
+ - https://www.usenix.org/system/files/sec20fall_fiterau-brostean_prepub.pdf
diff --git a/reports/GO-2020-0039.toml b/reports/GO-2020-0039.toml
deleted file mode 100644
index d1d1ff7..0000000
--- a/reports/GO-2020-0039.toml
+++ /dev/null
@@ -1,22 +0,0 @@
-module = "gopkg.in/macaron.v1"
-
-description = """
-An attacker can craft a malicious URL which will cause the server
-to redirect a user to a secondary URL.
-"""
-
-cve = "CVE-2020-12666"
-
-credit = "@ev0A"
-
-symbols = ["staticHandler"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.3.7"
-
-[links]
-commit = "https://github.com/go-macaron/macaron/commit/addc7461c3a90a040e79aa75bfd245107a210245"
-pr = "https://github.com/go-macaron/macaron/pull/199"
-context = ["https://github.com/go-macaron/macaron/issues/198"]
\ No newline at end of file
diff --git a/reports/GO-2020-0039.yaml b/reports/GO-2020-0039.yaml
new file mode 100644
index 0000000..7a862b1
--- /dev/null
+++ b/reports/GO-2020-0039.yaml
@@ -0,0 +1,16 @@
+module: gopkg.in/macaron.v1
+versions:
+- fixed: v1.3.7
+description: |
+ An attacker can craft a malicious URL which will cause the server
+ to redirect a user to a secondary URL.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-12666
+credit: '@ev0A'
+symbols:
+- staticHandler
+links:
+ pr: https://github.com/go-macaron/macaron/pull/199
+ commit: https://github.com/go-macaron/macaron/commit/addc7461c3a90a040e79aa75bfd245107a210245
+ context:
+ - https://github.com/go-macaron/macaron/issues/198
diff --git a/reports/GO-2020-0040.toml b/reports/GO-2020-0040.toml
deleted file mode 100644
index 42cdddb..0000000
--- a/reports/GO-2020-0040.toml
+++ /dev/null
@@ -1,13 +0,0 @@
-module = "github.com/shiyanhui/dht"
-
-description = """
-A malicious peer can craft messages which will cause panics due to
-unchecked type assertions.
-"""
-
-credit = "@hMihaiDavid"
-
-published = "2021-04-14T12:00:00Z"
-
-[links]
-context = ["https://github.com/shiyanhui/dht/issues/57"]
\ No newline at end of file
diff --git a/reports/GO-2020-0040.yaml b/reports/GO-2020-0040.yaml
new file mode 100644
index 0000000..479b783
--- /dev/null
+++ b/reports/GO-2020-0040.yaml
@@ -0,0 +1,9 @@
+module: github.com/shiyanhui/dht
+description: |
+ A malicious peer can craft messages which will cause panics due to
+ unchecked type assertions.
+published: 2021-04-14T12:00:00Z
+credit: '@hMihaiDavid'
+links:
+ context:
+ - https://github.com/shiyanhui/dht/issues/57
diff --git a/reports/GO-2020-0041.toml b/reports/GO-2020-0041.toml
deleted file mode 100644
index 6d81b88..0000000
--- a/reports/GO-2020-0041.toml
+++ /dev/null
@@ -1,28 +0,0 @@
-module = "github.com/unknwon/cae"
-package = "github.com/unknwon/cae/tz"
-
-description = """
-Malicious Zip and Tar archives can be crafted that contain relative
-file paths, such that arbitary files outside of the target directory
-may be overwritten.
-"""
-
-cve = "CVE-2020-7668"
-
-symbols = ["TzArchive.syncFiles", "TzArchive.ExtractToFunc"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.0.1"
-
-[[additional_packages]]
-module = "github.com/unknwon/cae"
-package = "github.com/unknwon/cae/zip"
-symbols = ["ZipArchive.Open", "ZipArchive.ExtractToFunc"]
-[[additional_packages.versions]]
-fixed = "v1.0.1"
-
-[links]
-commit = "https://github.com/unknwon/cae/commit/07971c00a1bfd9dc171c3ad0bfab5b67c2287e11"
-context = ["https://snyk.io/research/zip-slip-vulnerability"]
\ No newline at end of file
diff --git a/reports/GO-2020-0041.yaml b/reports/GO-2020-0041.yaml
new file mode 100644
index 0000000..8bfa61a
--- /dev/null
+++ b/reports/GO-2020-0041.yaml
@@ -0,0 +1,25 @@
+module: github.com/unknwon/cae
+package: github.com/unknwon/cae/tz
+additional_packages:
+- module: github.com/unknwon/cae
+ package: github.com/unknwon/cae/zip
+ symbols:
+ - ZipArchive.Open
+ - ZipArchive.ExtractToFunc
+ versions:
+ - fixed: v1.0.1
+versions:
+- fixed: v1.0.1
+description: |
+ Malicious Zip and Tar archives can be crafted that contain relative
+ file paths, such that arbitary files outside of the target directory
+ may be overwritten.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-7668
+symbols:
+- TzArchive.syncFiles
+- TzArchive.ExtractToFunc
+links:
+ commit: https://github.com/unknwon/cae/commit/07971c00a1bfd9dc171c3ad0bfab5b67c2287e11
+ context:
+ - https://snyk.io/research/zip-slip-vulnerability
diff --git a/reports/GO-2020-0042.toml b/reports/GO-2020-0042.toml
deleted file mode 100644
index fa9bc32..0000000
--- a/reports/GO-2020-0042.toml
+++ /dev/null
@@ -1,21 +0,0 @@
-module = "github.com/sassoftware/go-rpmutils"
-package = "github.com/sassoftware/go-rpmutils/cpio"
-
-description = """
-Malicious RPM archives can be crafted that contain relative
-file paths, such that arbitary files outside of the target directory
-may be overwritten.
-"""
-
-cve = "CVE-2020-7667"
-
-symbols = ["Extract"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.1.0"
-
-[links]
-commit = "https://github.com/sassoftware/go-rpmutils/commit/a64058cf21b8aada501bba923c9aab66fb6febf0"
-context = ["https://snyk.io/research/zip-slip-vulnerability"]
\ No newline at end of file
diff --git a/reports/GO-2020-0042.yaml b/reports/GO-2020-0042.yaml
new file mode 100644
index 0000000..acebe80
--- /dev/null
+++ b/reports/GO-2020-0042.yaml
@@ -0,0 +1,16 @@
+module: github.com/sassoftware/go-rpmutils
+package: github.com/sassoftware/go-rpmutils/cpio
+versions:
+- fixed: v0.1.0
+description: |
+ Malicious RPM archives can be crafted that contain relative
+ file paths, such that arbitary files outside of the target directory
+ may be overwritten.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-7667
+symbols:
+- Extract
+links:
+ commit: https://github.com/sassoftware/go-rpmutils/commit/a64058cf21b8aada501bba923c9aab66fb6febf0
+ context:
+ - https://snyk.io/research/zip-slip-vulnerability
diff --git a/reports/GO-2020-0043.toml b/reports/GO-2020-0043.toml
deleted file mode 100644
index eea6cb8..0000000
--- a/reports/GO-2020-0043.toml
+++ /dev/null
@@ -1,23 +0,0 @@
-module = "github.com/mholt/caddy"
-package = "github.com/mholt/caddy/caddyhttp/httpserver"
-
-description = """
-Where the server is listening for multiple SNI names an attacker can
-complete a TLS handshake for a host name that does not require TLS
-client authentication and then send HTTP requests for a host name that
-does require TLS client authentication, thereby bypassing those checks.
-"""
-
-cve = "CVE-2018-21246"
-
-symbols = ["httpContext.MakeServers", "Server.serveHTTP", "assertConfigsCompatible"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.10.13"
-
-[links]
-commit = "https://github.com/caddyserver/caddy/commit/4d9ee000c8d2cbcdd8284007c1e0f2da7bc3c7c3"
-pr = "https://github.com/caddyserver/caddy/pull/2099"
-context = ["https://bugs.gentoo.org/715214"]
\ No newline at end of file
diff --git a/reports/GO-2020-0043.yaml b/reports/GO-2020-0043.yaml
new file mode 100644
index 0000000..84a5467
--- /dev/null
+++ b/reports/GO-2020-0043.yaml
@@ -0,0 +1,20 @@
+module: github.com/mholt/caddy
+package: github.com/mholt/caddy/caddyhttp/httpserver
+versions:
+- fixed: v0.10.13
+description: |
+ Where the server is listening for multiple SNI names an attacker can
+ complete a TLS handshake for a host name that does not require TLS
+ client authentication and then send HTTP requests for a host name that
+ does require TLS client authentication, thereby bypassing those checks.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2018-21246
+symbols:
+- httpContext.MakeServers
+- Server.serveHTTP
+- assertConfigsCompatible
+links:
+ pr: https://github.com/caddyserver/caddy/pull/2099
+ commit: https://github.com/caddyserver/caddy/commit/4d9ee000c8d2cbcdd8284007c1e0f2da7bc3c7c3
+ context:
+ - https://bugs.gentoo.org/715214
diff --git a/reports/GO-2020-0044.toml b/reports/GO-2020-0044.toml
deleted file mode 100644
index 88c44a3..0000000
--- a/reports/GO-2020-0044.toml
+++ /dev/null
@@ -1,19 +0,0 @@
-module = "github.com/astaxie/beego"
-package = "github.com/astaxie/beego/session"
-
-description = """
-An attacker can craft a malicious URL which lead to XSS due to
-usage of unsantized user controlled URL parameters.
-"""
-
-credit = "@Kevil-hui"
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.12.2"
-
-[links]
-commit = "https://github.com/beego/beego/commit/6eeea141d885c16c2a01349d57da62c6379a45a2"
-pr = "https://github.com/beego/beego/pull/4018"
-context = ["https://github.com/beego/beego/issues/3983"]
\ No newline at end of file
diff --git a/reports/GO-2020-0044.yaml b/reports/GO-2020-0044.yaml
new file mode 100644
index 0000000..ec6e0f6
--- /dev/null
+++ b/reports/GO-2020-0044.yaml
@@ -0,0 +1,14 @@
+module: github.com/astaxie/beego
+package: github.com/astaxie/beego/session
+versions:
+- fixed: v1.12.2
+description: |
+ An attacker can craft a malicious URL which lead to XSS due to
+ usage of unsantized user controlled URL parameters.
+published: 2021-04-14T12:00:00Z
+credit: '@Kevil-hui'
+links:
+ pr: https://github.com/beego/beego/pull/4018
+ commit: https://github.com/beego/beego/commit/6eeea141d885c16c2a01349d57da62c6379a45a2
+ context:
+ - https://github.com/beego/beego/issues/3983
diff --git a/reports/GO-2020-0045.toml b/reports/GO-2020-0045.toml
deleted file mode 100644
index f63ba87..0000000
--- a/reports/GO-2020-0045.toml
+++ /dev/null
@@ -1,20 +0,0 @@
-module = "github.com/dinever/golf"
-
-description = """
-CSRF tokens are generated using math/rand, making predicting their values
-relatively trivial.
-"""
-
-credit = "@elithrar"
-
-symbols = ["randomBytes"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.3.0"
-
-[links]
-commit = "https://github.com/dinever/golf/commit/3776f338be48b5bc5e8cf9faff7851fc52a3f1fe"
-pr = "https://github.com/dinever/golf/pull/24"
-context = ["https://github.com/dinever/golf/issues/20"]
\ No newline at end of file
diff --git a/reports/GO-2020-0045.yaml b/reports/GO-2020-0045.yaml
new file mode 100644
index 0000000..5b8d21f
--- /dev/null
+++ b/reports/GO-2020-0045.yaml
@@ -0,0 +1,15 @@
+module: github.com/dinever/golf
+versions:
+- fixed: v0.3.0
+description: |
+ CSRF tokens are generated using math/rand, making predicting their values
+ relatively trivial.
+published: 2021-04-14T12:00:00Z
+credit: '@elithrar'
+symbols:
+- randomBytes
+links:
+ pr: https://github.com/dinever/golf/pull/24
+ commit: https://github.com/dinever/golf/commit/3776f338be48b5bc5e8cf9faff7851fc52a3f1fe
+ context:
+ - https://github.com/dinever/golf/issues/20
diff --git a/reports/GO-2020-0046.toml b/reports/GO-2020-0046.toml
deleted file mode 100644
index d2c6e03..0000000
--- a/reports/GO-2020-0046.toml
+++ /dev/null
@@ -1,26 +0,0 @@
-module = "github.com/russellhaering/goxmldsig"
-
-description = """
-An attacker can craft a malformed XML Digital Signature which when
-validated causes a panic due to nil pointer deference.
-"""
-
-cve = "CVE-2020-7711"
-
-credit = "@stevenjohnstone"
-
-symbols = ["ValidationContext.validateSignature"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.1.0"
-
-[[additional_packages]]
-module = "github.com/russellhaering/gosaml2"
-symbols = ["SAMLServiceProvider.validateAssertionSignatures"]
-[[additional_packages.versions]]
-fixed = "v0.6.0"
-
-[links]
-context = ["https://github.com/russellhaering/goxmldsig/issues/48", "https://github.com/russellhaering/gosaml2/issues/59"]
\ No newline at end of file
diff --git a/reports/GO-2020-0046.yaml b/reports/GO-2020-0046.yaml
new file mode 100644
index 0000000..943e6e2
--- /dev/null
+++ b/reports/GO-2020-0046.yaml
@@ -0,0 +1,21 @@
+module: github.com/russellhaering/goxmldsig
+additional_packages:
+- module: github.com/russellhaering/gosaml2
+ symbols:
+ - SAMLServiceProvider.validateAssertionSignatures
+ versions:
+ - fixed: v0.6.0
+versions:
+- fixed: v1.1.0
+description: |
+ An attacker can craft a malformed XML Digital Signature which when
+ validated causes a panic due to nil pointer deference.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-7711
+credit: '@stevenjohnstone'
+symbols:
+- ValidationContext.validateSignature
+links:
+ context:
+ - https://github.com/russellhaering/goxmldsig/issues/48
+ - https://github.com/russellhaering/gosaml2/issues/59
diff --git a/reports/GO-2020-0047.toml b/reports/GO-2020-0047.toml
deleted file mode 100644
index 7bc59f6..0000000
--- a/reports/GO-2020-0047.toml
+++ /dev/null
@@ -1,14 +0,0 @@
-module = "github.com/RobotsAndPencils/go-saml"
-
-description = """
-XML Digital Signatures generated and validated using this package use
-SHA-1, as such an attacker may be able to craft input which cause
-hash collisions.
-"""
-
-symbols = ["AuthnRequest.Validate", "NewAuthnRequest", "NewSignedResponse"]
-
-published = "2021-04-14T12:00:00Z"
-
-[links]
-context = ["https://github.com/RobotsAndPencils/go-saml/pull/38"]
\ No newline at end of file
diff --git a/reports/GO-2020-0047.yaml b/reports/GO-2020-0047.yaml
new file mode 100644
index 0000000..c624d7d
--- /dev/null
+++ b/reports/GO-2020-0047.yaml
@@ -0,0 +1,13 @@
+module: github.com/RobotsAndPencils/go-saml
+description: |
+ XML Digital Signatures generated and validated using this package use
+ SHA-1, as such an attacker may be able to craft input which cause
+ hash collisions.
+published: 2021-04-14T12:00:00Z
+symbols:
+- AuthnRequest.Validate
+- NewAuthnRequest
+- NewSignedResponse
+links:
+ context:
+ - https://github.com/RobotsAndPencils/go-saml/pull/38
diff --git a/reports/GO-2020-0048.toml b/reports/GO-2020-0048.toml
deleted file mode 100644
index 61c13cf..0000000
--- a/reports/GO-2020-0048.toml
+++ /dev/null
@@ -1,22 +0,0 @@
-module = "github.com/antchfx/xmlquery"
-
-description = """
-[`LoadURL`] does not check the Content-Type of loaded resources,
-which can cause a panic due to nil pointer deference if the loaded
-resource is not XML.
-"""
-
-cve = "CVE-2020-25614"
-
-credit = "@dwisiswant0"
-
-symbols = ["LoadURL"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.3.1"
-
-[links]
-commit = "https://github.com/antchfx/xmlquery/commit/5648b2f39e8d5d3fc903c45a4f1274829df71821"
-context = ["https://github.com/antchfx/xmlquery/issues/39"]
\ No newline at end of file
diff --git a/reports/GO-2020-0048.yaml b/reports/GO-2020-0048.yaml
new file mode 100644
index 0000000..c56e42d
--- /dev/null
+++ b/reports/GO-2020-0048.yaml
@@ -0,0 +1,16 @@
+module: github.com/antchfx/xmlquery
+versions:
+- fixed: v1.3.1
+description: |
+ [`LoadURL`] does not check the Content-Type of loaded resources,
+ which can cause a panic due to nil pointer deference if the loaded
+ resource is not XML.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-25614
+credit: '@dwisiswant0'
+symbols:
+- LoadURL
+links:
+ commit: https://github.com/antchfx/xmlquery/commit/5648b2f39e8d5d3fc903c45a4f1274829df71821
+ context:
+ - https://github.com/antchfx/xmlquery/issues/39
diff --git a/reports/GO-2020-0049.toml b/reports/GO-2020-0049.toml
deleted file mode 100644
index 0abc8f1..0000000
--- a/reports/GO-2020-0049.toml
+++ /dev/null
@@ -1,18 +0,0 @@
-module = "github.com/justinas/nosurf"
-
-description = """
-[`VerifyToken`] can be bypassed if the expected token contains malformed Base64.
-"""
-
-credit = "@aeneasr"
-
-symbols = ["VerifyToken", "verifyToken"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.1.1"
-
-[links]
-commit = "https://github.com/justinas/nosurf/commit/4d86df7a4affa1fa50ab39fb09aac56c3ce9c314"
-pr = "https://github.com/justinas/nosurf/pull/60"
\ No newline at end of file
diff --git a/reports/GO-2020-0049.yaml b/reports/GO-2020-0049.yaml
new file mode 100644
index 0000000..a065153
--- /dev/null
+++ b/reports/GO-2020-0049.yaml
@@ -0,0 +1,13 @@
+module: github.com/justinas/nosurf
+versions:
+- fixed: v1.1.1
+description: |
+ [`VerifyToken`] can be bypassed if the expected token contains malformed Base64.
+published: 2021-04-14T12:00:00Z
+credit: '@aeneasr'
+symbols:
+- VerifyToken
+- verifyToken
+links:
+ pr: https://github.com/justinas/nosurf/pull/60
+ commit: https://github.com/justinas/nosurf/commit/4d86df7a4affa1fa50ab39fb09aac56c3ce9c314
diff --git a/reports/GO-2020-0050.toml b/reports/GO-2020-0050.toml
deleted file mode 100644
index 6bf22be..0000000
--- a/reports/GO-2020-0050.toml
+++ /dev/null
@@ -1,21 +0,0 @@
-module = "github.com/russellhaering/goxmldsig"
-
-description = """
-An attacker can craft an XML file which will cause signature verification
-to be entirely bypassed.
-"""
-
-cve = "CVE-2020-15216"
-
-credit = "@jupenur"
-
-symbols = ["ValidationContext.findSignature"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.1.0"
-
-[links]
-commit = "https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64"
-context = ["https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7"]
diff --git a/reports/GO-2020-0050.yaml b/reports/GO-2020-0050.yaml
new file mode 100644
index 0000000..6689fae
--- /dev/null
+++ b/reports/GO-2020-0050.yaml
@@ -0,0 +1,15 @@
+module: github.com/russellhaering/goxmldsig
+versions:
+- fixed: v1.1.0
+description: |
+ An attacker can craft an XML file which will cause signature verification
+ to be entirely bypassed.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-15216
+credit: '@jupenur'
+symbols:
+- ValidationContext.findSignature
+links:
+ commit: https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64
+ context:
+ - https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
diff --git a/reports/GO-2021-0051.toml b/reports/GO-2021-0051.toml
deleted file mode 100644
index e532c26..0000000
--- a/reports/GO-2021-0051.toml
+++ /dev/null
@@ -1,21 +0,0 @@
-module = "github.com/labstack/echo/v4"
-
-description = """
-On Windows the static route handler does not properly santize the
-request path, allowing for directory traversal.
-"""
-
-credit = "@little-cui (Apache ServiceComb)"
-
-symbols = ["common.static"]
-
-os = ["windows"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v4.1.18-0.20201215153152-4422e3b66b9f"
-
-[links]
-commit = "https://github.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaa"
-pr = "https://github.com/labstack/echo/pull/1718"
\ No newline at end of file
diff --git a/reports/GO-2021-0051.yaml b/reports/GO-2021-0051.yaml
new file mode 100644
index 0000000..79c8515
--- /dev/null
+++ b/reports/GO-2021-0051.yaml
@@ -0,0 +1,15 @@
+module: github.com/labstack/echo/v4
+versions:
+- fixed: v4.1.18-0.20201215153152-4422e3b66b9f
+description: |
+ On Windows the static route handler does not properly santize the
+ request path, allowing for directory traversal.
+published: 2021-04-14T12:00:00Z
+credit: '@little-cui (Apache ServiceComb)'
+symbols:
+- common.static
+os:
+- windows
+links:
+ pr: https://github.com/labstack/echo/pull/1718
+ commit: https://github.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaa
diff --git a/reports/GO-2021-0052.toml b/reports/GO-2021-0052.toml
deleted file mode 100644
index ca3711f..0000000
--- a/reports/GO-2021-0052.toml
+++ /dev/null
@@ -1,18 +0,0 @@
-module = "github.com/gin-gonic/gin"
-
-description = """
-When used without an internet facing proxy, an adversary can spoof
-their IP address by setting the X-Forwarded-For header.
-"""
-
-cve = "CVE-2020-28483"
-
-credit = "@sorenh"
-
-symbols = ["Context.ClientIP"]
-
-published = "2021-04-14T12:00:00Z"
-
-[links]
-pr = "https://github.com/gin-gonic/gin/pull/2632"
-context = ["https://github.com/gin-gonic/gin/pull/2474"]
\ No newline at end of file
diff --git a/reports/GO-2021-0052.yaml b/reports/GO-2021-0052.yaml
new file mode 100644
index 0000000..9e7f9e9
--- /dev/null
+++ b/reports/GO-2021-0052.yaml
@@ -0,0 +1,13 @@
+module: github.com/gin-gonic/gin
+description: |
+ When used without an internet facing proxy, an adversary can spoof
+ their IP address by setting the X-Forwarded-For header.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-28483
+credit: '@sorenh'
+symbols:
+- Context.ClientIP
+links:
+ pr: https://github.com/gin-gonic/gin/pull/2632
+ context:
+ - https://github.com/gin-gonic/gin/pull/2474
diff --git a/reports/GO-2021-0053.toml b/reports/GO-2021-0053.toml
deleted file mode 100644
index 5ca5fe6..0000000
--- a/reports/GO-2021-0053.toml
+++ /dev/null
@@ -1,16 +0,0 @@
-module = "github.com/gogo/protobuf"
-
-description = """
-Generated Unmarshal methods do not include proper index bounds validation,
-allowing a maliciously crafted message to cause an out-of-bounds panic.
-"""
-
-cve = "CVE-2021-3121"
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.3.2"
-
-[links]
-commit = "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc"
\ No newline at end of file
diff --git a/reports/GO-2021-0053.yaml b/reports/GO-2021-0053.yaml
new file mode 100644
index 0000000..d9a106d
--- /dev/null
+++ b/reports/GO-2021-0053.yaml
@@ -0,0 +1,10 @@
+module: github.com/gogo/protobuf
+versions:
+- fixed: v1.3.2
+description: |
+ Generated Unmarshal methods do not include proper index bounds validation,
+ allowing a maliciously crafted message to cause an out-of-bounds panic.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2021-3121
+links:
+ commit: https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc
diff --git a/reports/GO-2021-0054.toml b/reports/GO-2021-0054.toml
deleted file mode 100644
index ea8d93b..0000000
--- a/reports/GO-2021-0054.toml
+++ /dev/null
@@ -1,20 +0,0 @@
-module = "github.com/tidwall/gjson"
-
-description = """
-Maliciously crafted JSON messages can cause an out-of-bounds panic.
-"""
-
-cve = "CVE-2020-36067"
-
-credit = "@toptotu"
-
-symbols = ["unwrap"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.6.6"
-
-[links]
-commit = "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b"
-context = ["https://github.com/tidwall/gjson/issues/196"]
\ No newline at end of file
diff --git a/reports/GO-2021-0054.yaml b/reports/GO-2021-0054.yaml
new file mode 100644
index 0000000..7f8cfed
--- /dev/null
+++ b/reports/GO-2021-0054.yaml
@@ -0,0 +1,14 @@
+module: github.com/tidwall/gjson
+versions:
+- fixed: v1.6.6
+description: |
+ Maliciously crafted JSON messages can cause an out-of-bounds panic.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-36067
+credit: '@toptotu'
+symbols:
+- unwrap
+links:
+ commit: https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b
+ context:
+ - https://github.com/tidwall/gjson/issues/196
diff --git a/reports/GO-2021-0056.toml b/reports/GO-2021-0056.toml
deleted file mode 100644
index df6f317..0000000
--- a/reports/GO-2021-0056.toml
+++ /dev/null
@@ -1,22 +0,0 @@
-module = "github.com/dexidp/dex"
-package = "github.com/dexidp/dex/connector/saml"
-
-description = """
-An XML message can be maliciously crafted such that signature
-verification is bypassed.
-"""
-
-cve = "CVE-2020-15216"
-
-credit = "Juho Nurminen (Mattermost)"
-
-symbols = ["provider.HandlePOST"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.0.0-20201214082111-324b1c886b40"
-
-[links]
-commit = "https://github.com/dexidp/dex/commit/324b1c886b407594196113a3dbddebe38eecd4e8"
-context = ["https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5"]
\ No newline at end of file
diff --git a/reports/GO-2021-0056.yaml b/reports/GO-2021-0056.yaml
new file mode 100644
index 0000000..c8ed3e3
--- /dev/null
+++ b/reports/GO-2021-0056.yaml
@@ -0,0 +1,16 @@
+module: github.com/dexidp/dex
+package: github.com/dexidp/dex/connector/saml
+versions:
+- fixed: v0.0.0-20201214082111-324b1c886b40
+description: |
+ An XML message can be maliciously crafted such that signature
+ verification is bypassed.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-15216
+credit: Juho Nurminen (Mattermost)
+symbols:
+- provider.HandlePOST
+links:
+ commit: https://github.com/dexidp/dex/commit/324b1c886b407594196113a3dbddebe38eecd4e8
+ context:
+ - https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5
diff --git a/reports/GO-2021-0057.toml b/reports/GO-2021-0057.toml
deleted file mode 100644
index 533835f..0000000
--- a/reports/GO-2021-0057.toml
+++ /dev/null
@@ -1,21 +0,0 @@
-module = "github.com/buger/jsonparser"
-
-description = """
-Malicious input can cause an out-of-bounds panic.
-"""
-
-cve = "CVE-2020-35381"
-
-credit = "@toptotu"
-
-symbols = ["searchKeys"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.1.1"
-
-[links]
-commit = "https://github.com/buger/jsonparser/commit/df3ea76ece10095374fd1c9a22a4fb85a44efc42"
-pr = "https://github.com/buger/jsonparser/pull/221"
-context = ["https://github.com/buger/jsonparser/issues/219"]
\ No newline at end of file
diff --git a/reports/GO-2021-0057.yaml b/reports/GO-2021-0057.yaml
new file mode 100644
index 0000000..040e79b
--- /dev/null
+++ b/reports/GO-2021-0057.yaml
@@ -0,0 +1,15 @@
+module: github.com/buger/jsonparser
+versions:
+- fixed: v1.1.1
+description: |
+ Malicious input can cause an out-of-bounds panic.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-35381
+credit: '@toptotu'
+symbols:
+- searchKeys
+links:
+ pr: https://github.com/buger/jsonparser/pull/221
+ commit: https://github.com/buger/jsonparser/commit/df3ea76ece10095374fd1c9a22a4fb85a44efc42
+ context:
+ - https://github.com/buger/jsonparser/issues/219
diff --git a/reports/GO-2021-0058.toml b/reports/GO-2021-0058.toml
deleted file mode 100644
index 4de94f5..0000000
--- a/reports/GO-2021-0058.toml
+++ /dev/null
@@ -1,40 +0,0 @@
-module = "github.com/crewjam/saml"
-
-description = """
-An XML message can be maliciously crafted such that signature
-verification is bypassed.
-"""
-
-cve = "CVE-2020-27846"
-
-credit = ""
-
-symbols = [
- "IdpAuthnRequest.Validate",
- "ServiceProvider.ParseXMLResponse",
- "ServiceProvider.ValidateLogoutResponseForm",
- "ServiceProvider.ValidateLogoutResponseRedirect"
-]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.4.3"
-
-[[additional_packages]]
-module = "github.com/crewjam/saml"
-package = "github.com/crewjam/saml/samlidp"
-smybols = ["getSPMetadata"]
-[[additional_packages.versions]]
-fixed = "v0.4.3"
-
-[[additional_packages]]
-module = "github.com/crewjam/saml"
-package = "github.com/crewjam/saml/samlsp"
-smybols = ["ParseMetadata"]
-[[additional_packages.versions]]
-fixed = "v0.4.3"
-
-[links]
-commit = "https://github.com/crewjam/saml/commit/da4f1a0612c0a8dd0452cf8b3c7a6518f6b4d053"
-context = ["https://github.com/crewjam/saml/security/advisories/GHSA-4hq8-gmxx-h6w9"]
\ No newline at end of file
diff --git a/reports/GO-2021-0058.yaml b/reports/GO-2021-0058.yaml
new file mode 100644
index 0000000..57361a8
--- /dev/null
+++ b/reports/GO-2021-0058.yaml
@@ -0,0 +1,26 @@
+module: github.com/crewjam/saml
+additional_packages:
+- module: github.com/crewjam/saml
+ package: github.com/crewjam/saml/samlidp
+ versions:
+ - fixed: v0.4.3
+- module: github.com/crewjam/saml
+ package: github.com/crewjam/saml/samlsp
+ versions:
+ - fixed: v0.4.3
+versions:
+- fixed: v0.4.3
+description: |
+ An XML message can be maliciously crafted such that signature
+ verification is bypassed.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-27846
+symbols:
+- IdpAuthnRequest.Validate
+- ServiceProvider.ParseXMLResponse
+- ServiceProvider.ValidateLogoutResponseForm
+- ServiceProvider.ValidateLogoutResponseRedirect
+links:
+ commit: https://github.com/crewjam/saml/commit/da4f1a0612c0a8dd0452cf8b3c7a6518f6b4d053
+ context:
+ - https://github.com/crewjam/saml/security/advisories/GHSA-4hq8-gmxx-h6w9
diff --git a/reports/GO-2021-0059.toml b/reports/GO-2021-0059.toml
deleted file mode 100644
index 78f71ca..0000000
--- a/reports/GO-2021-0059.toml
+++ /dev/null
@@ -1,20 +0,0 @@
-module = "github.com/tidwall/gjson"
-
-description = """
-Maliciously crafted JSON messages can cause an out-of-bounds panic.
-"""
-
-cve = "CVE-2020-35380"
-
-credit = "@toptotu"
-
-symbols = ["sqaush"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.6.4"
-
-[links]
-commit = "https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc"
-context = ["https://github.com/tidwall/gjson/issues/192"]
\ No newline at end of file
diff --git a/reports/GO-2021-0059.yaml b/reports/GO-2021-0059.yaml
new file mode 100644
index 0000000..3d56af4
--- /dev/null
+++ b/reports/GO-2021-0059.yaml
@@ -0,0 +1,14 @@
+module: github.com/tidwall/gjson
+versions:
+- fixed: v1.6.4
+description: |
+ Maliciously crafted JSON messages can cause an out-of-bounds panic.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-35380
+credit: '@toptotu'
+symbols:
+- sqaush
+links:
+ commit: https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc
+ context:
+ - https://github.com/tidwall/gjson/issues/192
diff --git a/reports/GO-2021-0060.toml b/reports/GO-2021-0060.toml
deleted file mode 100644
index 2a4481c..0000000
--- a/reports/GO-2021-0060.toml
+++ /dev/null
@@ -1,21 +0,0 @@
-module = "github.com/russellhaering/gosaml2"
-
-description = """
-An XML message can be maliciously crafted such that signature
-verification is bypassed.
-"""
-
-cve = "CVE-2020-29509"
-
-credit = "Juho Nurminen"
-
-symbols = ["parseResponse"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.6.0"
-
-[links]
-commit = "https://github.com/russellhaering/gosaml2/commit/42606dafba60c58c458f14f75c4c230459672ab9"
-context = ["https://github.com/russellhaering/gosaml2/security/advisories/GHSA-xhqq-x44f-9fgg"]
\ No newline at end of file
diff --git a/reports/GO-2021-0060.yaml b/reports/GO-2021-0060.yaml
new file mode 100644
index 0000000..d52a1e3
--- /dev/null
+++ b/reports/GO-2021-0060.yaml
@@ -0,0 +1,15 @@
+module: github.com/russellhaering/gosaml2
+versions:
+- fixed: v0.6.0
+description: |
+ An XML message can be maliciously crafted such that signature
+ verification is bypassed.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-29509
+credit: Juho Nurminen
+symbols:
+- parseResponse
+links:
+ commit: https://github.com/russellhaering/gosaml2/commit/42606dafba60c58c458f14f75c4c230459672ab9
+ context:
+ - https://github.com/russellhaering/gosaml2/security/advisories/GHSA-xhqq-x44f-9fgg
diff --git a/reports/GO-2021-0061.toml b/reports/GO-2021-0061.toml
deleted file mode 100644
index 58ae188..0000000
--- a/reports/GO-2021-0061.toml
+++ /dev/null
@@ -1,24 +0,0 @@
-module = "gopkg.in/yaml.v2"
-
-description = """
-A maliciously crafted input can cause resource exhaustion due to
-alias chasing.
-"""
-
-credit = "@simonferquel"
-
-symbols = ["decoder.unmarshal"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v2.2.3"
-
-# all of the incompatible version of github.com/go-yaml/yaml
-# are affected
-[[additional_packages]]
-module = "github.com/go-yaml/yaml"
-
-[links]
-commit = "https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241"
-pr = "https://github.com/go-yaml/yaml/pull/375"
\ No newline at end of file
diff --git a/reports/GO-2021-0061.yaml b/reports/GO-2021-0061.yaml
new file mode 100644
index 0000000..3d7ee92
--- /dev/null
+++ b/reports/GO-2021-0061.yaml
@@ -0,0 +1,17 @@
+module: gopkg.in/yaml.v2
+additional_packages:
+# all of the incompatible versions of github.com/go-yaml/yaml
+# are affected
+- module: github.com/go-yaml/yaml
+versions:
+- fixed: v2.2.3
+description: |
+ A maliciously crafted input can cause resource exhaustion due to
+ alias chasing.
+published: 2021-04-14T12:00:00Z
+credit: '@simonferquel'
+symbols:
+- decoder.unmarshal
+links:
+ pr: https://github.com/go-yaml/yaml/pull/375
+ commit: https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241
diff --git a/reports/GO-2021-0062.toml b/reports/GO-2021-0062.toml
deleted file mode 100644
index ba24551..0000000
--- a/reports/GO-2021-0062.toml
+++ /dev/null
@@ -1,34 +0,0 @@
-module = "k8s.io/apiextensions-apiserver"
-package = "k8s.io/apiextensions-apiserver/pkg/apiserver"
-
-description = """
-A maliciously crafted YAML or JSON message can cause resource
-exhaustion.
-"""
-
-cve = "CVE-2019-11253"
-
-symbols = ["NewCustomResourceDefinitionHandler"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.17.0"
-
-[[additional_packages]]
-module = "k8s.io/kubernetes"
-package = "k8s.io/kubernetes/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver"
-symbols = ["NewCustomResourceDefinitionHandler"]
-[[additional_packages.versions]]
-fixed = "v1.17.0-alpha.2"
-
-[links]
-commit = "https://github.com/kubernetes/apiextensions-apiserver/commit/9cfd100448d12f999fbf913ae5d4fef2fcd66871"
-pr = "https://github.com/kubernetes/kubernetes/pull/83261"
-context = [
- "https://github.com/kubernetes/kubernetes/issues/83253",
- "https://gist.github.com/bgeesaman/0e0349e94cd22c48bf14d8a9b7d6b8f2"
-]
-
-# This is a really confusing one to classify becuase of how kubernetes
-# does their vendoring stuff.
\ No newline at end of file
diff --git a/reports/GO-2021-0062.yaml b/reports/GO-2021-0062.yaml
new file mode 100644
index 0000000..01755d4
--- /dev/null
+++ b/reports/GO-2021-0062.yaml
@@ -0,0 +1,24 @@
+module: k8s.io/apiextensions-apiserver
+package: k8s.io/apiextensions-apiserver/pkg/apiserver
+additional_packages:
+- module: k8s.io/kubernetes
+ package: k8s.io/kubernetes/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver
+ symbols:
+ - NewCustomResourceDefinitionHandler
+ versions:
+ - fixed: v1.17.0-alpha.2
+versions:
+- fixed: v0.17.0
+description: |
+ A maliciously crafted YAML or JSON message can cause resource
+ exhaustion.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2019-11253
+symbols:
+- NewCustomResourceDefinitionHandler
+links:
+ pr: https://github.com/kubernetes/kubernetes/pull/83261
+ commit: https://github.com/kubernetes/apiextensions-apiserver/commit/9cfd100448d12f999fbf913ae5d4fef2fcd66871
+ context:
+ - https://github.com/kubernetes/kubernetes/issues/83253
+ - https://gist.github.com/bgeesaman/0e0349e94cd22c48bf14d8a9b7d6b8f2
diff --git a/reports/GO-2021-0063.toml b/reports/GO-2021-0063.toml
deleted file mode 100644
index 53679da..0000000
--- a/reports/GO-2021-0063.toml
+++ /dev/null
@@ -1,22 +0,0 @@
-module = "github.com/ethereum/go-ethereum"
-package = "github.com/ethereum/go-ethereum/les"
-
-description = """
-A maliciously crafted RPC message can cause a panic due
-to a nil pointer dereference.
-"""
-
-cve = "CVE-2020-26264"
-
-credit = "@zsfelfoldi"
-
-symbols = ["serverHandler.handleMsg"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.9.25"
-
-[links]
-commit = "https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46"
-pr = "https://github.com/ethereum/go-ethereum/pull/21896"
\ No newline at end of file
diff --git a/reports/GO-2021-0063.yaml b/reports/GO-2021-0063.yaml
new file mode 100644
index 0000000..4a2f051
--- /dev/null
+++ b/reports/GO-2021-0063.yaml
@@ -0,0 +1,15 @@
+module: github.com/ethereum/go-ethereum
+package: github.com/ethereum/go-ethereum/les
+versions:
+- fixed: v1.9.25
+description: |
+ A maliciously crafted RPC message can cause a panic due
+ to a nil pointer dereference.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-26264
+credit: '@zsfelfoldi'
+symbols:
+- serverHandler.handleMsg
+links:
+ pr: https://github.com/ethereum/go-ethereum/pull/21896
+ commit: https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46
diff --git a/reports/GO-2021-0064.toml b/reports/GO-2021-0064.toml
deleted file mode 100644
index 6ca4884..0000000
--- a/reports/GO-2021-0064.toml
+++ /dev/null
@@ -1,33 +0,0 @@
-module = "k8s.io/client-go"
-package = "k8s.io/client-go/transport"
-
-description = """
-Authorization tokens may be inappropriately logged if the verbosity
-level is set to a debug level.
-"""
-
-cve = "CVE-2020-8565"
-
-credit = "@sfowl"
-
-symbols = ["requestInfo.toCurl"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.20.0-alpha.2"
-
-[[additional_packages]]
-module = "k8s.io/kubernetes"
-package = "k8s.io/kubernetes/staging/src/k8s.io/client-go/transport"
-symbols = ["requestInfo.toCurl"]
-[[additional_packages.versions]]
-fixed = "v1.20.0-alpha.2"
-
-[links]
-commit = "https://github.com/kubernetes/kubernetes/commit/e99df0e5a75eb6e86123b56d53e9b7ca0fd00419"
-pr = "https://github.com/kubernetes/kubernetes/pull/95316"
-context = ["https://github.com/kubernetes/kubernetes/issues/95623"]
-
-# This is a really confusing one to classify becuase of how kubernetes
-# does their vendoring stuff.
\ No newline at end of file
diff --git a/reports/GO-2021-0064.yaml b/reports/GO-2021-0064.yaml
new file mode 100644
index 0000000..ea56a61
--- /dev/null
+++ b/reports/GO-2021-0064.yaml
@@ -0,0 +1,24 @@
+module: k8s.io/client-go
+package: k8s.io/client-go/transport
+additional_packages:
+- module: k8s.io/kubernetes
+ package: k8s.io/kubernetes/staging/src/k8s.io/client-go/transport
+ symbols:
+ - requestInfo.toCurl
+ versions:
+ - fixed: v1.20.0-alpha.2
+versions:
+- fixed: v0.20.0-alpha.2
+description: |
+ Authorization tokens may be inappropriately logged if the verbosity
+ level is set to a debug level.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-8565
+credit: '@sfowl'
+symbols:
+- requestInfo.toCurl
+links:
+ pr: https://github.com/kubernetes/kubernetes/pull/95316
+ commit: https://github.com/kubernetes/kubernetes/commit/e99df0e5a75eb6e86123b56d53e9b7ca0fd00419
+ context:
+ - https://github.com/kubernetes/kubernetes/issues/95623
diff --git a/reports/GO-2021-0065.toml b/reports/GO-2021-0065.toml
deleted file mode 100644
index 0099ca9..0000000
--- a/reports/GO-2021-0065.toml
+++ /dev/null
@@ -1,31 +0,0 @@
-module = "k8s.io/client-go"
-package = "k8s.io/client-go/transport"
-
-description = """
-Authorization tokens may be inappropriately logged if the verbosity
-level is set to a debug level.
-"""
-
-cve = "CVE-2019-11250"
-
-symbols = ["debuggingRoundTripper.RoundTrip"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.17.0"
-
-[[additional_packages]]
-module = "k8s.io/kubernetes"
-package = "k8s.io/kubernetes/staging/src/k8s.io/client-go/transport"
-symbols = ["debuggingRoundTripper.RoundTrip"]
-[[additional_packages.versions]]
-fixed = "v1.16.0-beta.1"
-
-[links]
-commit = "https://github.com/kubernetes/kubernetes/commit/4441f1d9c3e94d9a3d93b4f184a591cab02a5245"
-pr = "https://github.com/kubernetes/kubernetes/pull/81330"
-context = ["https://github.com/kubernetes/kubernetes/issues/81114"]
-
-# This is a really confusing one to classify becuase of how kubernetes
-# does their vendoring stuff.
\ No newline at end of file
diff --git a/reports/GO-2021-0065.yaml b/reports/GO-2021-0065.yaml
new file mode 100644
index 0000000..7da1f08
--- /dev/null
+++ b/reports/GO-2021-0065.yaml
@@ -0,0 +1,23 @@
+module: k8s.io/client-go
+package: k8s.io/client-go/transport
+additional_packages:
+- module: k8s.io/kubernetes
+ package: k8s.io/kubernetes/staging/src/k8s.io/client-go/transport
+ symbols:
+ - debuggingRoundTripper.RoundTrip
+ versions:
+ - fixed: v1.16.0-beta.1
+versions:
+- fixed: v0.17.0
+description: |
+ Authorization tokens may be inappropriately logged if the verbosity
+ level is set to a debug level.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2019-11250
+symbols:
+- debuggingRoundTripper.RoundTrip
+links:
+ pr: https://github.com/kubernetes/kubernetes/pull/81330
+ commit: https://github.com/kubernetes/kubernetes/commit/4441f1d9c3e94d9a3d93b4f184a591cab02a5245
+ context:
+ - https://github.com/kubernetes/kubernetes/issues/81114
diff --git a/reports/GO-2021-0066.toml b/reports/GO-2021-0066.toml
deleted file mode 100644
index ef5f965..0000000
--- a/reports/GO-2021-0066.toml
+++ /dev/null
@@ -1,26 +0,0 @@
-module = "k8s.io/kubernetes"
-package = "k8s.io/kubernetes/pkg/credentialprovider"
-
-description = """
-Attempting to read a malformed .dockercfg may cause secrets to be
-inappropriately logged.
-"""
-
-cve = "CVE-2020-8564"
-
-credit = "@sfowl"
-
-symbols = ["readDockerConfigFileFromBytes", "readDockerConfigJSONFileFromBytes"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.20.0-alpha.1"
-
-[links]
-commit = "https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634"
-pr = "https://github.com/kubernetes/kubernetes/pull/94712"
-context = ["https://github.com/kubernetes/kubernetes/issues/95622"]
-
-# This is a really confusing one to classify becuase of how kubernetes
-# does their vendoring stuff.
\ No newline at end of file
diff --git a/reports/GO-2021-0066.yaml b/reports/GO-2021-0066.yaml
new file mode 100644
index 0000000..50c39c1
--- /dev/null
+++ b/reports/GO-2021-0066.yaml
@@ -0,0 +1,18 @@
+module: k8s.io/kubernetes
+package: k8s.io/kubernetes/pkg/credentialprovider
+versions:
+- fixed: v1.20.0-alpha.1
+description: |
+ Attempting to read a malformed .dockercfg may cause secrets to be
+ inappropriately logged.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-8564
+credit: '@sfowl'
+symbols:
+- readDockerConfigFileFromBytes
+- readDockerConfigJSONFileFromBytes
+links:
+ pr: https://github.com/kubernetes/kubernetes/pull/94712
+ commit: https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634
+ context:
+ - https://github.com/kubernetes/kubernetes/issues/95622
diff --git a/reports/GO-2021-0067.toml b/reports/GO-2021-0067.toml
deleted file mode 100644
index fb877e4..0000000
--- a/reports/GO-2021-0067.toml
+++ /dev/null
@@ -1,23 +0,0 @@
-package = "archive/zip"
-
-stdlib = true
-
-description = """
-Using Reader.Open on an archive containing a file with a path
-prefixed by "../" will cause a panic due to a stack overflow.
-"""
-
-cve = "CVE-2021-27919"
-
-symbols = ["toValidName"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-introduced = "go1.16"
-fixed = "go1.16.1"
-
-[links]
-commit = "https://github.com/golang/go/commit/cd3b4ca9f20fd14187ed4cdfdee1a02ea87e5cd8"
-pr = "https://go-review.googlesource.com/c/go/+/300489"
-context = ["https://github.com/golang/go/issues/44916"]
\ No newline at end of file
diff --git a/reports/GO-2021-0067.yaml b/reports/GO-2021-0067.yaml
new file mode 100644
index 0000000..482a530
--- /dev/null
+++ b/reports/GO-2021-0067.yaml
@@ -0,0 +1,17 @@
+package: archive/zip
+stdlib: true
+versions:
+- introduced: go1.16
+ fixed: go1.16.1
+description: |
+ Using Reader.Open on an archive containing a file with a path
+ prefixed by "../" will cause a panic due to a stack overflow.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2021-27919
+symbols:
+- toValidName
+links:
+ pr: https://go-review.googlesource.com/c/go/+/300489
+ commit: https://github.com/golang/go/commit/cd3b4ca9f20fd14187ed4cdfdee1a02ea87e5cd8
+ context:
+ - https://github.com/golang/go/issues/44916
diff --git a/reports/GO-2021-0068.toml b/reports/GO-2021-0068.toml
deleted file mode 100644
index 9b9cfe6..0000000
--- a/reports/GO-2021-0068.toml
+++ /dev/null
@@ -1,33 +0,0 @@
-package = "cmd/go"
-
-stdlib = true
-do_not_export = true
-
-description = """
-The go command may execute arbitrary code at build time when using cgo on Windows.
-This can be triggered by running go get on a malicious module, or any other time
-the code is built.
-"""
-
-os = ["windows"]
-
-cve = "CVE-2021-3115"
-
-credit = "RyotaK"
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "go1.14.14"
-
-[[versions]]
-fixed = "go1.15.7"
-
-[links]
-commit = "https://github.com/golang/go/commit/953d1feca9b21af075ad5fc8a3dad096d3ccc3a0"
-pr = "https://golang.org/cl/284783"
-context = [
- "https://github.com/golang/go/issues/43783",
- "https://golang.org/cl/284780",
- "https://github.com/golang/go/commit/46e2e2e9d99925bbf724b12693c6d3e27a95d6a0"
-]
\ No newline at end of file
diff --git a/reports/GO-2021-0068.yaml b/reports/GO-2021-0068.yaml
new file mode 100644
index 0000000..30385d3
--- /dev/null
+++ b/reports/GO-2021-0068.yaml
@@ -0,0 +1,22 @@
+package: cmd/go
+do_not_export: true
+stdlib: true
+versions:
+- fixed: go1.14.14
+- fixed: go1.15.7
+description: |
+ The go command may execute arbitrary code at build time when using cgo on Windows.
+ This can be triggered by running go get on a malicious module, or any other time
+ the code is built.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2021-3115
+credit: RyotaK
+os:
+- windows
+links:
+ pr: https://golang.org/cl/284783
+ commit: https://github.com/golang/go/commit/953d1feca9b21af075ad5fc8a3dad096d3ccc3a0
+ context:
+ - https://github.com/golang/go/issues/43783
+ - https://golang.org/cl/284780
+ - https://github.com/golang/go/commit/46e2e2e9d99925bbf724b12693c6d3e27a95d6a0
diff --git a/reports/GO-2021-0069.toml b/reports/GO-2021-0069.toml
deleted file mode 100644
index f90dd04..0000000
--- a/reports/GO-2021-0069.toml
+++ /dev/null
@@ -1,27 +0,0 @@
-package = "math/big"
-
-stdlib = true
-
-description = """
-A number of math/big.Int methods can panic when provided large inputs due
-to a flawed division method.
-"""
-
-cve = "CVE-2020-28362"
-
-symbols = ["nat.divRecursiveStep"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-introduced = "go1.14"
-fixed = "go1.14.12"
-
-[[versions]]
-introduced = "go1.15"
-fixed = "go1.15.5"
-
-[links]
-commit = "https://github.com/golang/go/commit/1e1fa5903b760c6714ba17e50bf850b01f49135c"
-pr = "https://go-review.googlesource.com/c/go/+/269657"
-context = ["https://github.com/golang/go/issues/42552"]
\ No newline at end of file
diff --git a/reports/GO-2021-0069.yaml b/reports/GO-2021-0069.yaml
new file mode 100644
index 0000000..88818de
--- /dev/null
+++ b/reports/GO-2021-0069.yaml
@@ -0,0 +1,19 @@
+package: math/big
+stdlib: true
+versions:
+- introduced: go1.14
+ fixed: go1.14.12
+- introduced: go1.15
+ fixed: go1.15.5
+description: |
+ A number of math/big.Int methods can panic when provided large inputs due
+ to a flawed division method.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-28362
+symbols:
+- nat.divRecursiveStep
+links:
+ pr: https://go-review.googlesource.com/c/go/+/269657
+ commit: https://github.com/golang/go/commit/1e1fa5903b760c6714ba17e50bf850b01f49135c
+ context:
+ - https://github.com/golang/go/issues/42552
diff --git a/reports/GO-2021-0070.toml b/reports/GO-2021-0070.toml
deleted file mode 100644
index b54a553..0000000
--- a/reports/GO-2021-0070.toml
+++ /dev/null
@@ -1,28 +0,0 @@
-module = "github.com/opencontainers/runc"
-package = "github.com/opencontainers/runc/libcontainer/user"
-
-description = """
-GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will
-improperly interpred numeric UIDs as usernames. If the method is used without
-verify usernames are formatted as expected, it may allow a user to gain unexpected
-privileges.
-"""
-
-cve = "CVE-2016-3697"
-
-symbols = ["GetExecUser"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.1.0"
-
-[links]
-commit = "https://github.com/opencontainers/runc/commit/69af385de62ea68e2e608335cffbb0f4aa3db091"
-pr = "https://github.com/opencontainers/runc/pull/708"
-context = [
- "https://github.com/docker/docker/issues/21436",
- "http://rhn.redhat.com/errata/RHSA-2016-1034.html",
- "http://rhn.redhat.com/errata/RHSA-2016-2634.html",
- "https://security.gentoo.org/glsa/201612-28"
-]
\ No newline at end of file
diff --git a/reports/GO-2021-0070.yaml b/reports/GO-2021-0070.yaml
new file mode 100644
index 0000000..0b4e1d9
--- /dev/null
+++ b/reports/GO-2021-0070.yaml
@@ -0,0 +1,21 @@
+module: github.com/opencontainers/runc
+package: github.com/opencontainers/runc/libcontainer/user
+versions:
+- fixed: v0.1.0
+description: |
+ GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will
+ improperly interpred numeric UIDs as usernames. If the method is used without
+ verify usernames are formatted as expected, it may allow a user to gain unexpected
+ privileges.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2016-3697
+symbols:
+- GetExecUser
+links:
+ pr: https://github.com/opencontainers/runc/pull/708
+ commit: https://github.com/opencontainers/runc/commit/69af385de62ea68e2e608335cffbb0f4aa3db091
+ context:
+ - https://github.com/docker/docker/issues/21436
+ - http://rhn.redhat.com/errata/RHSA-2016-1034.html
+ - http://rhn.redhat.com/errata/RHSA-2016-2634.html
+ - https://security.gentoo.org/glsa/201612-28
diff --git a/reports/GO-2021-0071.toml b/reports/GO-2021-0071.toml
deleted file mode 100644
index 38551c9..0000000
--- a/reports/GO-2021-0071.toml
+++ /dev/null
@@ -1,24 +0,0 @@
-module = "github.com/lxc/lxd"
-package = "github.com/lxc/lxd/shared"
-
-description = """
-A race between chown and chmod operations during a container filesystem shift
-may allow a user who can modify the filesystem to chmod an arbitary path of
-their choice, rather than the expected path.
-"""
-
-cve = "CVE-2015-1340"
-
-credit = "Seth Arnold"
-
-symbols = ["IdmapSet.doUidshiftIntoContainer"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.0.0-20151004155856-19c6961cc101"
-
-[links]
-commit = "https://github.com/lxc/lxd/commit/19c6961cc1012c8a529f20807328a9357f5034f4"
-pr = "https://github.com/lxc/lxd/pull/1189"
-context = ["https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1502270"]
\ No newline at end of file
diff --git a/reports/GO-2021-0071.yaml b/reports/GO-2021-0071.yaml
new file mode 100644
index 0000000..52705d5
--- /dev/null
+++ b/reports/GO-2021-0071.yaml
@@ -0,0 +1,18 @@
+module: github.com/lxc/lxd
+package: github.com/lxc/lxd/shared
+versions:
+- fixed: v0.0.0-20151004155856-19c6961cc101
+description: |
+ A race between chown and chmod operations during a container filesystem shift
+ may allow a user who can modify the filesystem to chmod an arbitary path of
+ their choice, rather than the expected path.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2015-1340
+credit: Seth Arnold
+symbols:
+- IdmapSet.doUidshiftIntoContainer
+links:
+ pr: https://github.com/lxc/lxd/pull/1189
+ commit: https://github.com/lxc/lxd/commit/19c6961cc1012c8a529f20807328a9357f5034f4
+ context:
+ - https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1502270
diff --git a/reports/GO-2021-0072.toml b/reports/GO-2021-0072.toml
deleted file mode 100644
index 7347115..0000000
--- a/reports/GO-2021-0072.toml
+++ /dev/null
@@ -1,32 +0,0 @@
-module = "github.com/docker/distribution"
-package = "github.com/docker/distribution/registry/handlers"
-
-description = """
-Various storage methods do not impose limits on how much content is accepted
-from user requests, allowing a malicious user to force the caller to allocate
-an arbitary amount of memory.
-"""
-
-cve = "CVE-2017-11468"
-
-symbols = ["copyFullPayload"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v2.7.0-rc.0+incompatible"
-
-[[additional_packages]]
-module = "github.com/docker/distribution"
-package = "github.com/docker/distribution/registry/storage"
-symbols = ["blobStore.Get"]
-[[additional_packages.versions]]
-fixed = "v2.7.0-rc.0+incompatible"
-
-[links]
-commit = "https://github.com/distribution/distribution/commit/91c507a39abfce14b5c8541cf284330e22208c0f"
-pr = "https://github.com/distribution/distribution/pull/2340"
-context = [
- "https://access.redhat.com/errata/RHSA-2017:2603",
- "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00047.html"
-]
\ No newline at end of file
diff --git a/reports/GO-2021-0072.yaml b/reports/GO-2021-0072.yaml
new file mode 100644
index 0000000..054bde5
--- /dev/null
+++ b/reports/GO-2021-0072.yaml
@@ -0,0 +1,25 @@
+module: github.com/docker/distribution
+package: github.com/docker/distribution/registry/handlers
+additional_packages:
+- module: github.com/docker/distribution
+ package: github.com/docker/distribution/registry/storage
+ symbols:
+ - blobStore.Get
+ versions:
+ - fixed: v2.7.0-rc.0+incompatible
+versions:
+- fixed: v2.7.0-rc.0+incompatible
+description: |
+ Various storage methods do not impose limits on how much content is accepted
+ from user requests, allowing a malicious user to force the caller to allocate
+ an arbitary amount of memory.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2017-11468
+symbols:
+- copyFullPayload
+links:
+ pr: https://github.com/distribution/distribution/pull/2340
+ commit: https://github.com/distribution/distribution/commit/91c507a39abfce14b5c8541cf284330e22208c0f
+ context:
+ - https://access.redhat.com/errata/RHSA-2017:2603
+ - http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00047.html
diff --git a/reports/GO-2021-0073.toml b/reports/GO-2021-0073.toml
deleted file mode 100644
index d733e2c..0000000
--- a/reports/GO-2021-0073.toml
+++ /dev/null
@@ -1,26 +0,0 @@
-module = "github.com/git-lfs/git-lfs"
-package = "github.com/git-lfs/git-lfs/lfsapi"
-
-description = """
-Arbitary command execution can be triggered by improperly
-sanitized SSH URLs in LFS configuration files. This can be
-triggered by cloning a malicious repoistory.
-"""
-
-cve = "CVE-2017-17831"
-
-symbols = ["sshGetLFSExeAndArgs"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v2.1.1-0.20170519163204-f913f5f9c7c6+incompatible"
-
-[links]
-commit = "https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19"
-pr = "https://github.com/git-lfs/git-lfs/pull/2241"
-context = [
- "http://blog.recurity-labs.com/2017-08-10/scm-vulns",
- "https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html",
- "http://www.securityfocus.com/bid/102926"
-]
\ No newline at end of file
diff --git a/reports/GO-2021-0073.yaml b/reports/GO-2021-0073.yaml
new file mode 100644
index 0000000..2c2038c
--- /dev/null
+++ b/reports/GO-2021-0073.yaml
@@ -0,0 +1,19 @@
+module: github.com/git-lfs/git-lfs
+package: github.com/git-lfs/git-lfs/lfsapi
+versions:
+- fixed: v2.1.1-0.20170519163204-f913f5f9c7c6+incompatible
+description: |
+ Arbitary command execution can be triggered by improperly
+ sanitized SSH URLs in LFS configuration files. This can be
+ triggered by cloning a malicious repoistory.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2017-17831
+symbols:
+- sshGetLFSExeAndArgs
+links:
+ pr: https://github.com/git-lfs/git-lfs/pull/2241
+ commit: https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19
+ context:
+ - http://blog.recurity-labs.com/2017-08-10/scm-vulns
+ - https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html
+ - http://www.securityfocus.com/bid/102926
diff --git a/reports/GO-2021-0075.toml b/reports/GO-2021-0075.toml
deleted file mode 100644
index 4615ee5..0000000
--- a/reports/GO-2021-0075.toml
+++ /dev/null
@@ -1,21 +0,0 @@
-module = "github.com/ethereum/go-ethereum"
-package = "github.com/ethereum/go-ethereum/les"
-
-description = """
-Due to improper argument validation in RPC messages, a maliciously crafted
-message can cause a panic, leading to denial of service.
-"""
-
-cve = "CVE-2018-12018"
-
-symbols = ["protocolManager.handleMsg"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.8.11"
-
-[links]
-commit = "https://github.com/ethereum/go-ethereum/commit/a5237a27eaf81946a3edb4fafe13ed6359d119e4"
-pr = "https://github.com/ethereum/go-ethereum/pull/16891"
-context = ["https://peckshield.com/2018/06/27/EPoD/"]
\ No newline at end of file
diff --git a/reports/GO-2021-0075.yaml b/reports/GO-2021-0075.yaml
new file mode 100644
index 0000000..1e04f0f
--- /dev/null
+++ b/reports/GO-2021-0075.yaml
@@ -0,0 +1,16 @@
+module: github.com/ethereum/go-ethereum
+package: github.com/ethereum/go-ethereum/les
+versions:
+- fixed: v1.8.11
+description: |
+ Due to improper argument validation in RPC messages, a maliciously crafted
+ message can cause a panic, leading to denial of service.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2018-12018
+symbols:
+- protocolManager.handleMsg
+links:
+ pr: https://github.com/ethereum/go-ethereum/pull/16891
+ commit: https://github.com/ethereum/go-ethereum/commit/a5237a27eaf81946a3edb4fafe13ed6359d119e4
+ context:
+ - https://peckshield.com/2018/06/27/EPoD/
diff --git a/reports/GO-2021-0076.toml b/reports/GO-2021-0076.toml
deleted file mode 100644
index 47450d0..0000000
--- a/reports/GO-2021-0076.toml
+++ /dev/null
@@ -1,20 +0,0 @@
-module = "github.com/evanphx/json-patch"
-
-description = """
-A malicious JSON patch can cause a panic due to an out-of-bounds
-write attempt. This can be used as a denial of service vector if
-exposed to arbitary user input.
-"""
-
-cve = "CVE-2018-14632"
-
-symbols = ["partialArray.add"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.5.2"
-
-[links]
-commit = "https://github.com/evanphx/json-patch/commit/4c9aadca8f89e349c999f04e28199e96e81aba03"
-pr = "https://github.com/evanphx/json-patch/pull/57"
\ No newline at end of file
diff --git a/reports/GO-2021-0076.yaml b/reports/GO-2021-0076.yaml
new file mode 100644
index 0000000..69358ef
--- /dev/null
+++ b/reports/GO-2021-0076.yaml
@@ -0,0 +1,14 @@
+module: github.com/evanphx/json-patch
+versions:
+- fixed: v0.5.2
+description: |
+ A malicious JSON patch can cause a panic due to an out-of-bounds
+ write attempt. This can be used as a denial of service vector if
+ exposed to arbitary user input.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2018-14632
+symbols:
+- partialArray.add
+links:
+ pr: https://github.com/evanphx/json-patch/pull/57
+ commit: https://github.com/evanphx/json-patch/commit/4c9aadca8f89e349c999f04e28199e96e81aba03
diff --git a/reports/GO-2021-0077.toml b/reports/GO-2021-0077.toml
deleted file mode 100644
index 822ec68..0000000
--- a/reports/GO-2021-0077.toml
+++ /dev/null
@@ -1,22 +0,0 @@
-module = "go.etcd.io/etcd"
-package = "go.etcd.io/etcd/auth"
-
-description = """
-A user can use a valid client certificate that contains a CommonName that matches a
-valid RBAC username to authenticate themselves as that user, despite lacking the
-required credentials. This may allow authentication bypass, but requires a certificate
-that is issued by a CA trusted by the server.
-"""
-
-cve = "CVE-2018-16886"
-
-symbols = ["authStore.AuthInfoFromTLS"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.5.0-alpha.5.0.20190108173120-83c051b701d3"
-
-[links]
-commit = "https://github.com/etcd-io/etcd/commit/bf9d0d8291dc71ecbfb2690612954e1a298154b2"
-pr = "https://github.com/etcd-io/etcd/pull/10366"
\ No newline at end of file
diff --git a/reports/GO-2021-0077.yaml b/reports/GO-2021-0077.yaml
new file mode 100644
index 0000000..e2c1702
--- /dev/null
+++ b/reports/GO-2021-0077.yaml
@@ -0,0 +1,16 @@
+module: go.etcd.io/etcd
+package: go.etcd.io/etcd/auth
+versions:
+- fixed: v0.5.0-alpha.5.0.20190108173120-83c051b701d3
+description: |
+ A user can use a valid client certificate that contains a CommonName that matches a
+ valid RBAC username to authenticate themselves as that user, despite lacking the
+ required credentials. This may allow authentication bypass, but requires a certificate
+ that is issued by a CA trusted by the server.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2018-16886
+symbols:
+- authStore.AuthInfoFromTLS
+links:
+ pr: https://github.com/etcd-io/etcd/pull/10366
+ commit: https://github.com/etcd-io/etcd/commit/bf9d0d8291dc71ecbfb2690612954e1a298154b2
diff --git a/reports/GO-2021-0078.toml b/reports/GO-2021-0078.toml
deleted file mode 100644
index 14068a2..0000000
--- a/reports/GO-2021-0078.toml
+++ /dev/null
@@ -1,28 +0,0 @@
-module = "golang.org/x/net"
-package = "golang.org/x/net/html"
-
-description = """
-The HTML parser does not properly handle "in frameset" insertion mode, and can be made
-to panic when operating on malformed HTML that contains <template> tags. If operating
-on user input, this may be a vector for a denial of service attack.
-"""
-
-cve = "CVE-2018-17075"
-
-credit = "Kunpei Sakai"
-
-symbols = ["inBodyIM", "inFramesetIM"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.0.0-20180816102801-aaf60122140d"
-
-[links]
-commit = "https://github.com/golang/net/commit/aaf60122140d3fcf75376d319f0554393160eb50"
-pr = "https://go-review.googlesource.com/123776"
-context = [
- "https://github.com/golang/go/issues/27016",
- "https://bugs.chromium.org/p/chromium/issues/detail?id=829668",
- "https://go-review.googlesource.com/c/net/+/94838/9/html/parse.go#1906"
-]
\ No newline at end of file
diff --git a/reports/GO-2021-0078.yaml b/reports/GO-2021-0078.yaml
new file mode 100644
index 0000000..b74b787
--- /dev/null
+++ b/reports/GO-2021-0078.yaml
@@ -0,0 +1,21 @@
+module: golang.org/x/net
+package: golang.org/x/net/html
+versions:
+- fixed: v0.0.0-20180816102801-aaf60122140d
+description: |
+ The HTML parser does not properly handle "in frameset" insertion mode, and can be made
+ to panic when operating on malformed HTML that contains <template> tags. If operating
+ on user input, this may be a vector for a denial of service attack.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2018-17075
+credit: Kunpei Sakai
+symbols:
+- inBodyIM
+- inFramesetIM
+links:
+ pr: https://go-review.googlesource.com/123776
+ commit: https://github.com/golang/net/commit/aaf60122140d3fcf75376d319f0554393160eb50
+ context:
+ - https://github.com/golang/go/issues/27016
+ - https://bugs.chromium.org/p/chromium/issues/detail?id=829668
+ - https://go-review.googlesource.com/c/net/+/94838/9/html/parse.go#1906
diff --git a/reports/GO-2021-0079.toml b/reports/GO-2021-0079.toml
deleted file mode 100644
index 6ac634b..0000000
--- a/reports/GO-2021-0079.toml
+++ /dev/null
@@ -1,24 +0,0 @@
-module = "github.com/bytom/bytom"
-package = "github.com/bytom/bytom/p2p/discover"
-
-description = """
-A malformed query can cause an out-of-bounds panic due to improper
-validation of arguments. If processing queries from untrusted
-parties, this may be used as a vector for denial of service
-attacks.
-"""
-
-cve = "CVE-2018-18206"
-
-credit = "@yahtoo"
-
-symbols = ["Network.checkTopicRegister"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.0.4-0.20180831054840-1ac3c8ac4f2b"
-
-[links]
-commit = "https://github.com/Bytom/bytom/commit/1ac3c8ac4f2b1e1df9675228290bda6b9586ba42"
-pr = "https://github.com/Bytom/bytom/pull/1307"
\ No newline at end of file
diff --git a/reports/GO-2021-0079.yaml b/reports/GO-2021-0079.yaml
new file mode 100644
index 0000000..2f095dc
--- /dev/null
+++ b/reports/GO-2021-0079.yaml
@@ -0,0 +1,17 @@
+module: github.com/bytom/bytom
+package: github.com/bytom/bytom/p2p/discover
+versions:
+- fixed: v1.0.4-0.20180831054840-1ac3c8ac4f2b
+description: |
+ A malformed query can cause an out-of-bounds panic due to improper
+ validation of arguments. If processing queries from untrusted
+ parties, this may be used as a vector for denial of service
+ attacks.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2018-18206
+credit: '@yahtoo'
+symbols:
+- Network.checkTopicRegister
+links:
+ pr: https://github.com/Bytom/bytom/pull/1307
+ commit: https://github.com/Bytom/bytom/commit/1ac3c8ac4f2b1e1df9675228290bda6b9586ba42
diff --git a/reports/GO-2021-0081.toml b/reports/GO-2021-0081.toml
deleted file mode 100644
index ce0d87b..0000000
--- a/reports/GO-2021-0081.toml
+++ /dev/null
@@ -1,26 +0,0 @@
-module = "github.com/containers/image"
-package = "github.com/containers/image/docker"
-
-description = """
-The HTTP client used to connect to the container registry authorization
-service explicitly disables TLS verification, allowing an attacker that
-is able to MITM the connection to steal credentials.
-"""
-
-cve = "CVE-2019-10214"
-
-symbols = ["dockerClient.getBearerToken"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-introduced = ""
-fixed = "v2.0.2-0.20190802080134-634605d06e73+incompatible"
-
-[links]
-commit = "https://github.com/containers/image/commit/634605d06e738aec8332bcfd69162e7509ac7aaf"
-pr = "https://github.com/containers/image/pull/669"
-context = [
- "https://github.com/containers/image/issues/654",
- "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10214"
-]
\ No newline at end of file
diff --git a/reports/GO-2021-0081.yaml b/reports/GO-2021-0081.yaml
new file mode 100644
index 0000000..d7ebb2e
--- /dev/null
+++ b/reports/GO-2021-0081.yaml
@@ -0,0 +1,18 @@
+module: github.com/containers/image
+package: github.com/containers/image/docker
+versions:
+- fixed: v2.0.2-0.20190802080134-634605d06e73+incompatible
+description: |
+ The HTTP client used to connect to the container registry authorization
+ service explicitly disables TLS verification, allowing an attacker that
+ is able to MITM the connection to steal credentials.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2019-10214
+symbols:
+- dockerClient.getBearerToken
+links:
+ pr: https://github.com/containers/image/pull/669
+ commit: https://github.com/containers/image/commit/634605d06e738aec8332bcfd69162e7509ac7aaf
+ context:
+ - https://github.com/containers/image/issues/654
+ - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10214
diff --git a/reports/GO-2021-0082.toml b/reports/GO-2021-0082.toml
deleted file mode 100644
index 9f72dc2..0000000
--- a/reports/GO-2021-0082.toml
+++ /dev/null
@@ -1,21 +0,0 @@
-module = "github.com/facebook/fbthrift"
-package = "github.com/facebook/fbthrift/thrift/lib/go/thrift"
-
-description = """
-Thirft Servers preallocate memory for the declared size of messages before
-checking the actual size of the message. This allows a malicious user to
-send messages that declare that they are significantly larger than they
-actually are, allowing them to force the server to allocate significant
-amounts of memory. This can be used as a denial of service vector.
-"""
-
-cve = "CVE-2019-11939"
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.31.1-0.20200311080807-483ed864d69f"
-
-[links]
-commit = "https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757"
-context = ["https://www.facebook.com/security/advisories/cve-2019-11939"]
\ No newline at end of file
diff --git a/reports/GO-2021-0082.yaml b/reports/GO-2021-0082.yaml
new file mode 100644
index 0000000..659bf0c
--- /dev/null
+++ b/reports/GO-2021-0082.yaml
@@ -0,0 +1,16 @@
+module: github.com/facebook/fbthrift
+package: github.com/facebook/fbthrift/thrift/lib/go/thrift
+versions:
+- fixed: v0.31.1-0.20200311080807-483ed864d69f
+description: |
+ Thirft Servers preallocate memory for the declared size of messages before
+ checking the actual size of the message. This allows a malicious user to
+ send messages that declare that they are significantly larger than they
+ actually are, allowing them to force the server to allocate significant
+ amounts of memory. This can be used as a denial of service vector.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2019-11939
+links:
+ commit: https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757
+ context:
+ - https://www.facebook.com/security/advisories/cve-2019-11939
diff --git a/reports/GO-2021-0083.toml b/reports/GO-2021-0083.toml
deleted file mode 100644
index cd65f50..0000000
--- a/reports/GO-2021-0083.toml
+++ /dev/null
@@ -1,21 +0,0 @@
-module = "github.com/hybridgroup/gobot"
-package = "github.com/hybridgroup/gobot/platforms/mqtt"
-
-description = """
-TLS certificate verification is skipped when connecting to a MQTT server.
-This allows an attacker who can MITM the connection to read, or forge,
-messages passed between the client and server.
-"""
-
-cve = "CVE-2019-12496"
-
-symbols = ["Adaptor.newTLSConfig"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.12.1-0.20190521122906-c1aa4f867846"
-
-[links]
-commit = "https://github.com/hybridgroup/gobot/commit/c1aa4f867846da4669ecf3bc3318bd96b7ee6f3f"
-context = ["https://github.com/hybridgroup/gobot/releases/tag/v1.13.0"]
\ No newline at end of file
diff --git a/reports/GO-2021-0083.yaml b/reports/GO-2021-0083.yaml
new file mode 100644
index 0000000..486b8f1
--- /dev/null
+++ b/reports/GO-2021-0083.yaml
@@ -0,0 +1,16 @@
+module: github.com/hybridgroup/gobot
+package: github.com/hybridgroup/gobot/platforms/mqtt
+versions:
+- fixed: v1.12.1-0.20190521122906-c1aa4f867846
+description: |
+ TLS certificate verification is skipped when connecting to a MQTT server.
+ This allows an attacker who can MITM the connection to read, or forge,
+ messages passed between the client and server.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2019-12496
+symbols:
+- Adaptor.newTLSConfig
+links:
+ commit: https://github.com/hybridgroup/gobot/commit/c1aa4f867846da4669ecf3bc3318bd96b7ee6f3f
+ context:
+ - https://github.com/hybridgroup/gobot/releases/tag/v1.13.0
diff --git a/reports/GO-2021-0084.toml b/reports/GO-2021-0084.toml
deleted file mode 100644
index f2af68b..0000000
--- a/reports/GO-2021-0084.toml
+++ /dev/null
@@ -1,23 +0,0 @@
-module = "github.com/astaxie/beego"
-package = "github.com/astaxie/beego/session"
-
-description = """
-Session data is stored using permissive permissions, allowing local users
-with filesystem access to read arbitary data.
-"""
-
-cve = "CVE-2019-16354"
-
-credit = "@nicowaisman"
-
-symbols = ["FileProvider.SessionRead", "FileProvider.SessionRegenerate"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.12.2-0.20200613154013-bac2b31afecc"
-
-[links]
-commit = "https://github.com/beego/beego/commit/bac2b31afecc65d9a89f9e473b8006c5edc0c8d1"
-pr = "https://github.com/beego/beego/pull/3975"
-context = ["https://github.com/beego/beego/issues/3763"]
\ No newline at end of file
diff --git a/reports/GO-2021-0084.yaml b/reports/GO-2021-0084.yaml
new file mode 100644
index 0000000..799f6b6
--- /dev/null
+++ b/reports/GO-2021-0084.yaml
@@ -0,0 +1,18 @@
+module: github.com/astaxie/beego
+package: github.com/astaxie/beego/session
+versions:
+- fixed: v1.12.2-0.20200613154013-bac2b31afecc
+description: |
+ Session data is stored using permissive permissions, allowing local users
+ with filesystem access to read arbitary data.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2019-16354
+credit: '@nicowaisman'
+symbols:
+- FileProvider.SessionRead
+- FileProvider.SessionRegenerate
+links:
+ pr: https://github.com/beego/beego/pull/3975
+ commit: https://github.com/beego/beego/commit/bac2b31afecc65d9a89f9e473b8006c5edc0c8d1
+ context:
+ - https://github.com/beego/beego/issues/3763
diff --git a/reports/GO-2021-0085.toml b/reports/GO-2021-0085.toml
deleted file mode 100644
index 9f5fd79..0000000
--- a/reports/GO-2021-0085.toml
+++ /dev/null
@@ -1,27 +0,0 @@
-module = "github.com/opencontainers/runc"
-package = "github.com/opencontainers/runc/libcontainer"
-
-description = """
-AppArmor restrictions may be bypassed due to improper validation of mount
-targets, allowing a malicious image to mount volumes over e.g. /proc.
-"""
-
-cve = "CVE-2019-16884"
-
-credit = "Leopold Schabel"
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.0.0-rc8.0.20190930145003-cad42f6e0932"
-
-[[additional_packages]]
-module = "github.com/opencontainers/selinux"
-package = "github.com/opencontainers/selinux/go-selinux"
-[[additional_packages.versions]]
-fixed = "v1.3.1-0.20190929122143-5215b1806f52"
-
-[links]
-commit = "https://github.com/opencontainers/runc/commit/cad42f6e0932db0ce08c3a3d9e89e6063ec283e4"
-pr = "https://github.com/opencontainers/runc/pull/2130"
-context = ["https://github.com/opencontainers/runc/issues/2128"]
\ No newline at end of file
diff --git a/reports/GO-2021-0085.yaml b/reports/GO-2021-0085.yaml
new file mode 100644
index 0000000..67fb3a3
--- /dev/null
+++ b/reports/GO-2021-0085.yaml
@@ -0,0 +1,20 @@
+module: github.com/opencontainers/runc
+package: github.com/opencontainers/runc/libcontainer
+additional_packages:
+- module: github.com/opencontainers/selinux
+ package: github.com/opencontainers/selinux/go-selinux
+ versions:
+ - fixed: v1.3.1-0.20190929122143-5215b1806f52
+versions:
+- fixed: v1.0.0-rc8.0.20190930145003-cad42f6e0932
+description: |
+ AppArmor restrictions may be bypassed due to improper validation of mount
+ targets, allowing a malicious image to mount volumes over e.g. /proc.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2019-16884
+credit: Leopold Schabel
+links:
+ pr: https://github.com/opencontainers/runc/pull/2130
+ commit: https://github.com/opencontainers/runc/commit/cad42f6e0932db0ce08c3a3d9e89e6063ec283e4
+ context:
+ - https://github.com/opencontainers/runc/issues/2128
diff --git a/reports/GO-2021-0086.toml b/reports/GO-2021-0086.toml
deleted file mode 100644
index 66719fc..0000000
--- a/reports/GO-2021-0086.toml
+++ /dev/null
@@ -1,19 +0,0 @@
-module = "github.com/documize/community"
-package = "github.com/documize/community/domain/section/markdown"
-
-description = """
-HTML content in mardkwon is not santized during rendering, possibly allowing
-XSS if used to render untrusted user input.
-"""
-
-cve = "CVE-2019-19619"
-
-symbols = ["Provider.Render"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.76.3-0.20191119114751-a4384210d4d0"
-
-[links]
-commit = "https://github.com/documize/community/commit/a4384210d4d0d6b18e6fdb7e155de96d4a1cf9f3"
\ No newline at end of file
diff --git a/reports/GO-2021-0086.yaml b/reports/GO-2021-0086.yaml
new file mode 100644
index 0000000..a2a1034
--- /dev/null
+++ b/reports/GO-2021-0086.yaml
@@ -0,0 +1,13 @@
+module: github.com/documize/community
+package: github.com/documize/community/domain/section/markdown
+versions:
+- fixed: v1.76.3-0.20191119114751-a4384210d4d0
+description: |
+ HTML content in mardkwon is not santized during rendering, possibly allowing
+ XSS if used to render untrusted user input.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2019-19619
+symbols:
+- Provider.Render
+links:
+ commit: https://github.com/documize/community/commit/a4384210d4d0d6b18e6fdb7e155de96d4a1cf9f3
diff --git a/reports/GO-2021-0087.toml b/reports/GO-2021-0087.toml
deleted file mode 100644
index 8521585..0000000
--- a/reports/GO-2021-0087.toml
+++ /dev/null
@@ -1,25 +0,0 @@
-module = "github.com/opencontainers/runc"
-package = "github.com/opencontainers/runc/libcontainer"
-
-description = """
-A race while mounting volumes allows a possible symlink-exchange
-attack, allowing a user whom can start multiple containers with
-custom volume mount configurations to escape the container.
-
-"""
-
-cve = "CVE-2019-19921"
-
-credit = "Leopold Schabel"
-
-symbols = ["mountToRootfs"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.0.0-rc9.0.20200122160610-2fc03cc11c77"
-
-[links]
-commit = "https://github.com/opencontainers/runc/commit/2fc03cc11c775b7a8b2e48d7ee447cb9bef32ad0"
-pr = "https://github.com/opencontainers/runc/pull/2207"
-context = ["https://github.com/opencontainers/runc/issues/2197"]
\ No newline at end of file
diff --git a/reports/GO-2021-0087.yaml b/reports/GO-2021-0087.yaml
new file mode 100644
index 0000000..d4cc19b
--- /dev/null
+++ b/reports/GO-2021-0087.yaml
@@ -0,0 +1,19 @@
+module: github.com/opencontainers/runc
+package: github.com/opencontainers/runc/libcontainer
+versions:
+- fixed: v1.0.0-rc9.0.20200122160610-2fc03cc11c77
+description: |+
+ A race while mounting volumes allows a possible symlink-exchange
+ attack, allowing a user whom can start multiple containers with
+ custom volume mount configurations to escape the container.
+
+published: 2021-04-14T12:00:00Z
+cve: CVE-2019-19921
+credit: Leopold Schabel
+symbols:
+- mountToRootfs
+links:
+ pr: https://github.com/opencontainers/runc/pull/2207
+ commit: https://github.com/opencontainers/runc/commit/2fc03cc11c775b7a8b2e48d7ee447cb9bef32ad0
+ context:
+ - https://github.com/opencontainers/runc/issues/2197
diff --git a/reports/GO-2021-0088.toml b/reports/GO-2021-0088.toml
deleted file mode 100644
index bfbcb5f..0000000
--- a/reports/GO-2021-0088.toml
+++ /dev/null
@@ -1,22 +0,0 @@
-module = "github.com/facebook/fbthrift"
-package = "github.com/facebook/fbthrift/thrift/lib/go/thrift"
-
-description = """
-Skip ignores unknown fields, rather than failing. A malicious user can craft small
-messages with unknown fields which can take significant resources to parse. If a
-server accepts messages from an untrusted user, it may be used as a denial of service
-vector.
-"""
-
-cve = "CVE-2019-3564"
-
-symbols = ["Skip"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.31.1-0.20190225164308-c461c1bd1a3e"
-
-[links]
-commit = "https://github.com/facebook/fbthrift/commit/c461c1bd1a3e130b181aa9c854da3030cd4b5156"
-context = ["https://www.facebook.com/security/advisories/cve-2019-3564"]
\ No newline at end of file
diff --git a/reports/GO-2021-0088.yaml b/reports/GO-2021-0088.yaml
new file mode 100644
index 0000000..09fc2ca
--- /dev/null
+++ b/reports/GO-2021-0088.yaml
@@ -0,0 +1,17 @@
+module: github.com/facebook/fbthrift
+package: github.com/facebook/fbthrift/thrift/lib/go/thrift
+versions:
+- fixed: v0.31.1-0.20190225164308-c461c1bd1a3e
+description: |
+ Skip ignores unknown fields, rather than failing. A malicious user can craft small
+ messages with unknown fields which can take significant resources to parse. If a
+ server accepts messages from an untrusted user, it may be used as a denial of service
+ vector.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2019-3564
+symbols:
+- Skip
+links:
+ commit: https://github.com/facebook/fbthrift/commit/c461c1bd1a3e130b181aa9c854da3030cd4b5156
+ context:
+ - https://www.facebook.com/security/advisories/cve-2019-3564
diff --git a/reports/GO-2021-0089.toml b/reports/GO-2021-0089.toml
deleted file mode 100644
index c77e87f..0000000
--- a/reports/GO-2021-0089.toml
+++ /dev/null
@@ -1,23 +0,0 @@
-module = "github.com/buger/jsonparser"
-
-description = """
-Parsing malformed JSON which contain opening brackets, but not closing brackes,
-leads to an infinite loop. If operating on untrusted user input this can be
-used as a denial of service vector.
-"""
-
-cve = "CVE-2020-10675"
-
-credit = "Cong Wang"
-
-symbols = ["findKeyStart"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.0.0-20200321185410-91ac96899e49"
-
-[links]
-commit = "https://github.com/buger/jsonparser/commit/91ac96899e492584984ded0c8f9a08f10b473717"
-pr = "https://github.com/buger/jsonparser/pull/192"
-context = ["https://github.com/buger/jsonparser/issues/188"]
\ No newline at end of file
diff --git a/reports/GO-2021-0089.yaml b/reports/GO-2021-0089.yaml
new file mode 100644
index 0000000..3df8f6c
--- /dev/null
+++ b/reports/GO-2021-0089.yaml
@@ -0,0 +1,17 @@
+module: github.com/buger/jsonparser
+versions:
+- fixed: v0.0.0-20200321185410-91ac96899e49
+description: |
+ Parsing malformed JSON which contain opening brackets, but not closing brackes,
+ leads to an infinite loop. If operating on untrusted user input this can be
+ used as a denial of service vector.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-10675
+credit: Cong Wang
+symbols:
+- findKeyStart
+links:
+ pr: https://github.com/buger/jsonparser/pull/192
+ commit: https://github.com/buger/jsonparser/commit/91ac96899e492584984ded0c8f9a08f10b473717
+ context:
+ - https://github.com/buger/jsonparser/issues/188
diff --git a/reports/GO-2021-0090.toml b/reports/GO-2021-0090.toml
deleted file mode 100644
index 071d6df..0000000
--- a/reports/GO-2021-0090.toml
+++ /dev/null
@@ -1,25 +0,0 @@
-module = "github.com/tendermint/tendermint"
-package = "github.com/tendermint/tendermint/types"
-
-description = """
-Proposed commits may contain signatures for blocks not contained within the commit. Instead of skipping
-these signatures, they cause failure during verification. A malicious proposer can use this to force
-consensus failures.
-"""
-
-cve = "CVE-2020-15091"
-
-credit = "Neeraj Murarka"
-
-symbols = ["VoteSet.MakeCommit"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-introduced = "v0.33.0"
-fixed = "v0.34.0-dev1.0.20200702134149-480b995a3172"
-
-[links]
-commit = "https://github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340"
-pr = "https://github.com/tendermint/tendermint/pull/5426"
-context = ["https://github.com/tendermint/tendermint/issues/4926"]
\ No newline at end of file
diff --git a/reports/GO-2021-0090.yaml b/reports/GO-2021-0090.yaml
new file mode 100644
index 0000000..ac71b09
--- /dev/null
+++ b/reports/GO-2021-0090.yaml
@@ -0,0 +1,19 @@
+module: github.com/tendermint/tendermint
+package: github.com/tendermint/tendermint/types
+versions:
+- introduced: v0.33.0
+ fixed: v0.34.0-dev1.0.20200702134149-480b995a3172
+description: |
+ Proposed commits may contain signatures for blocks not contained within the commit. Instead of skipping
+ these signatures, they cause failure during verification. A malicious proposer can use this to force
+ consensus failures.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-15091
+credit: Neeraj Murarka
+symbols:
+- VoteSet.MakeCommit
+links:
+ pr: https://github.com/tendermint/tendermint/pull/5426
+ commit: https://github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340
+ context:
+ - https://github.com/tendermint/tendermint/issues/4926
diff --git a/reports/GO-2021-0091.toml b/reports/GO-2021-0091.toml
deleted file mode 100644
index fee02b3..0000000
--- a/reports/GO-2021-0091.toml
+++ /dev/null
@@ -1,23 +0,0 @@
-module = "github.com/gofiber/fiber"
-
-description = """
-Due to improper input validation when uploading a file, a malicious user may
-force the server to return arbitary HTTP headers when the uploaded file
-is downloaded.
-"""
-
-cve = "CVE-2020-15111"
-
-credit = "Hasibul Hasan and Abdullah Shaleh"
-
-symbols = ["Ctx.Attachment"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.12.6-0.20200710202935-a8ad5454363f"
-
-[links]
-commit = "https://github.com/gofiber/fiber/commit/a8ad5454363f627c3f9469c56c5faaf1b943f06a"
-pr = "github.com/gofiber/fiber/pull/579"
-context = ["https://github.com/gofiber/fiber/security/advisories/GHSA-9cx9-x2gp-9qvh"]
\ No newline at end of file
diff --git a/reports/GO-2021-0091.yaml b/reports/GO-2021-0091.yaml
new file mode 100644
index 0000000..e23feab
--- /dev/null
+++ b/reports/GO-2021-0091.yaml
@@ -0,0 +1,17 @@
+module: github.com/gofiber/fiber
+versions:
+- fixed: v1.12.6-0.20200710202935-a8ad5454363f
+description: |
+ Due to improper input validation when uploading a file, a malicious user may
+ force the server to return arbitary HTTP headers when the uploaded file
+ is downloaded.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-15111
+credit: Hasibul Hasan and Abdullah Shaleh
+symbols:
+- Ctx.Attachment
+links:
+ pr: github.com/gofiber/fiber/pull/579
+ commit: https://github.com/gofiber/fiber/commit/a8ad5454363f627c3f9469c56c5faaf1b943f06a
+ context:
+ - https://github.com/gofiber/fiber/security/advisories/GHSA-9cx9-x2gp-9qvh
diff --git a/reports/GO-2021-0092.toml b/reports/GO-2021-0092.toml
deleted file mode 100644
index 7a97c6a..0000000
--- a/reports/GO-2021-0092.toml
+++ /dev/null
@@ -1,19 +0,0 @@
-module = "github.com/ory/fosite"
-
-description = """
-Uniqueness of JWT IDs (jti) are not checked, allowing the JWT to be
-replayed.
-"""
-
-cve = "CVE-2020-15222"
-
-symbols = ["Fosite.AuthenticateClient"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.31.0"
-
-[links]
-commit = "https://github.com/ory/fosite/commit/0c9e0f6d654913ad57c507dd9a36631e1858a3e9"
-context = ["https://github.com/ory/fosite/security/advisories/GHSA-v3q9-2p3m-7g43"]
\ No newline at end of file
diff --git a/reports/GO-2021-0092.yaml b/reports/GO-2021-0092.yaml
new file mode 100644
index 0000000..295bede
--- /dev/null
+++ b/reports/GO-2021-0092.yaml
@@ -0,0 +1,14 @@
+module: github.com/ory/fosite
+versions:
+- fixed: v0.31.0
+description: |
+ Uniqueness of JWT IDs (jti) are not checked, allowing the JWT to be
+ replayed.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-15222
+symbols:
+- Fosite.AuthenticateClient
+links:
+ commit: https://github.com/ory/fosite/commit/0c9e0f6d654913ad57c507dd9a36631e1858a3e9
+ context:
+ - https://github.com/ory/fosite/security/advisories/GHSA-v3q9-2p3m-7g43
diff --git a/reports/GO-2021-0094.toml b/reports/GO-2021-0094.toml
deleted file mode 100644
index e969547..0000000
--- a/reports/GO-2021-0094.toml
+++ /dev/null
@@ -1,24 +0,0 @@
-module = "github.com/hashicorp/go-slug"
-
-description = """
-Protections against directory traversal during archive extraction can be
-bypassed by chaining multiple symbolic links within the archive. This allows
-a malicious attacker to cause files to be created outside of the target
-directory. Additionally if the attacker is able to read extracted files
-they may create symbolic links to arbitary files on the system which the
-unpacker has permissions to read.
-"""
-
-cve = "CVE-2020-29529"
-
-symbols = ["Unpack"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.5.0"
-
-[links]
-commit = "https://github.com/hashicorp/go-slug/commit/28cafc59c8da6126a3ae94dfa84181df4073454f"
-pr = "https://github.com/hashicorp/go-slug/pull/12"
-context = ["https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug"]
\ No newline at end of file
diff --git a/reports/GO-2021-0094.yaml b/reports/GO-2021-0094.yaml
new file mode 100644
index 0000000..502b3e1
--- /dev/null
+++ b/reports/GO-2021-0094.yaml
@@ -0,0 +1,19 @@
+module: github.com/hashicorp/go-slug
+versions:
+- fixed: v0.5.0
+description: |
+ Protections against directory traversal during archive extraction can be
+ bypassed by chaining multiple symbolic links within the archive. This allows
+ a malicious attacker to cause files to be created outside of the target
+ directory. Additionally if the attacker is able to read extracted files
+ they may create symbolic links to arbitary files on the system which the
+ unpacker has permissions to read.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-29529
+symbols:
+- Unpack
+links:
+ pr: https://github.com/hashicorp/go-slug/pull/12
+ commit: https://github.com/hashicorp/go-slug/commit/28cafc59c8da6126a3ae94dfa84181df4073454f
+ context:
+ - https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug
diff --git a/reports/GO-2021-0095.toml b/reports/GO-2021-0095.toml
deleted file mode 100644
index 630baca..0000000
--- a/reports/GO-2021-0095.toml
+++ /dev/null
@@ -1,24 +0,0 @@
-module = "github.com/google/go-tpm"
-package = "github.com/google/go-tpm/tpm"
-
-description = """
-Due to repeated usage of a XOR key an attacker that can eavesdrop on the TPM 1.2 transport
-is able to calculate usageAuth for keys created using CreateWrapKey, despite it being encrypted,
-allowing them to use the created key.
-"""
-
-cve = "CVE-2020-8918"
-
-credit = "Chris Fenner"
-
-symbols = ["CreateWrapKey"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.3.0"
-
-[links]
-commit = "https://github.com/google/go-tpm/commit/d7806cce857a1a020190c03348e5361725d8f141"
-pr = "https://github.com/google/go-tpm/pull/195"
-context = ["https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw"]
\ No newline at end of file
diff --git a/reports/GO-2021-0095.yaml b/reports/GO-2021-0095.yaml
new file mode 100644
index 0000000..8747ad8
--- /dev/null
+++ b/reports/GO-2021-0095.yaml
@@ -0,0 +1,18 @@
+module: github.com/google/go-tpm
+package: github.com/google/go-tpm/tpm
+versions:
+- fixed: v0.3.0
+description: |
+ Due to repeated usage of a XOR key an attacker that can eavesdrop on the TPM 1.2 transport
+ is able to calculate usageAuth for keys created using CreateWrapKey, despite it being encrypted,
+ allowing them to use the created key.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-8918
+credit: Chris Fenner
+symbols:
+- CreateWrapKey
+links:
+ pr: https://github.com/google/go-tpm/pull/195
+ commit: https://github.com/google/go-tpm/commit/d7806cce857a1a020190c03348e5361725d8f141
+ context:
+ - https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw
diff --git a/reports/GO-2021-0096.toml b/reports/GO-2021-0096.toml
deleted file mode 100644
index 28a1135..0000000
--- a/reports/GO-2021-0096.toml
+++ /dev/null
@@ -1,19 +0,0 @@
-module = "github.com/proglottis/gpgme"
-
-description = """
-Due to improper setting of finalizers, memory passed to C may be freed before it is used,
-leading to crashes due to memory corruption or possible code execution.
-"""
-
-cve = "CVE-2020-8945"
-
-credit = "Ulrich Obergfell"
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.1.1"
-
-[links]
-commit = "https://github.com/proglottis/gpgme/commit/92153bcb59bd2f511e502262c46c7bd660e21733"
-pr = "https://github.com/proglottis/gpgme/pull/23"
\ No newline at end of file
diff --git a/reports/GO-2021-0096.yaml b/reports/GO-2021-0096.yaml
new file mode 100644
index 0000000..5ea3747
--- /dev/null
+++ b/reports/GO-2021-0096.yaml
@@ -0,0 +1,12 @@
+module: github.com/proglottis/gpgme
+versions:
+- fixed: v0.1.1
+description: |
+ Due to improper setting of finalizers, memory passed to C may be freed before it is used,
+ leading to crashes due to memory corruption or possible code execution.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-8945
+credit: Ulrich Obergfell
+links:
+ pr: https://github.com/proglottis/gpgme/pull/23
+ commit: https://github.com/proglottis/gpgme/commit/92153bcb59bd2f511e502262c46c7bd660e21733
diff --git a/reports/GO-2021-0097.toml b/reports/GO-2021-0097.toml
deleted file mode 100644
index 0c20797..0000000
--- a/reports/GO-2021-0097.toml
+++ /dev/null
@@ -1,31 +0,0 @@
-module = "github.com/dhowden/tag"
-
-description = """
-Due to improper bounds checking a number of methods can trigger a panic due to attempted
-out-of-bounds reads. If the package is used to parse user supplied input this may be
-used as a vector for a denial of service attack.
-"""
-
-cve = "CVE-2020-29242"
-
-credit = "@Jayl1n"
-
-symbols = [
- "readPICFrame",
- "readAPICFrame",
- "readTextWithDescrFrame",
- "readAtomData"
-]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.0.0-20201120070457-d52dcb253c63"
-
-[links]
-commit = "https://github.com/dhowden/tag/commit/d52dcb253c63a153632bfee5f269dd411dcd8e96"
-context = [
- "https://github.com/dhowden/tag/commit/a92213460e4838490ce3066ef11dc823cdc1740e",
- "https://github.com/dhowden/tag/commit/4b595ed4fac79f467594aa92f8953f90f817116e",
- "https://github.com/dhowden/tag/commit/6b18201aa5c5535511802ddfb4e4117686b4866d"
-]
\ No newline at end of file
diff --git a/reports/GO-2021-0097.yaml b/reports/GO-2021-0097.yaml
new file mode 100644
index 0000000..ad91013
--- /dev/null
+++ b/reports/GO-2021-0097.yaml
@@ -0,0 +1,21 @@
+module: github.com/dhowden/tag
+versions:
+- fixed: v0.0.0-20201120070457-d52dcb253c63
+description: |
+ Due to improper bounds checking a number of methods can trigger a panic due to attempted
+ out-of-bounds reads. If the package is used to parse user supplied input this may be
+ used as a vector for a denial of service attack.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2020-29242
+credit: '@Jayl1n'
+symbols:
+- readPICFrame
+- readAPICFrame
+- readTextWithDescrFrame
+- readAtomData
+links:
+ commit: https://github.com/dhowden/tag/commit/d52dcb253c63a153632bfee5f269dd411dcd8e96
+ context:
+ - https://github.com/dhowden/tag/commit/a92213460e4838490ce3066ef11dc823cdc1740e
+ - https://github.com/dhowden/tag/commit/4b595ed4fac79f467594aa92f8953f90f817116e
+ - https://github.com/dhowden/tag/commit/6b18201aa5c5535511802ddfb4e4117686b4866d
diff --git a/reports/GO-2021-0098.toml b/reports/GO-2021-0098.toml
deleted file mode 100644
index 555e007..0000000
--- a/reports/GO-2021-0098.toml
+++ /dev/null
@@ -1,45 +0,0 @@
-module = "github.com/git-lfs/git-lfs"
-package = "github.com/git-lfs/git-lfs/commands"
-
-description = """
-Due to the standard library behavior of exec.LookPath on Windows a number of methods may
-result in arbitary code execution when cloning or operating on untrusted Git repositories.
-"""
-
-os = ["windows"]
-
-cve = "CVE-2021-21237"
-
-credit = "@Ry0taK"
-
-symbols = ["PipeCommand"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v1.5.1-0.20210113180018-fc664697ed2c"
-
-[[additional_packages]]
-module = "github.com/git-lfs/git-lfs"
-package = "github.com/git-lfs/git-lfs/creds"
-symbols = ["AskPassCredentialHelper.getFromProgram", "commandCredentialHelper.Approve"]
-[[additional_packages.versions]]
-fixed = "v1.5.1-0.20210113180018-fc664697ed2c"
-
-[[additional_packages]]
-module = "github.com/git-lfs/git-lfs"
-package = "github.com/git-lfs/git-lfs/lfs"
-symbols = ["pipeExtensions"]
-[[additional_packages.versions]]
-fixed = "v1.5.1-0.20210113180018-fc664697ed2c"
-
-[[additional_packages]]
-module = "github.com/git-lfs/git-lfs"
-package = "github.com/git-lfs/git-lfs/lfshttp"
-symbols = ["sshAuthClient.Resolve"]
-[[additional_packages.versions]]
-fixed = "v1.5.1-0.20210113180018-fc664697ed2c"
-
-[links]
-commit = "https://github.com/git-lfs/git-lfs/commit/fc664697ed2c2081ee9633010de0a7f9debea72a"
-context = ["https://github.com/git-lfs/git-lfs/security/advisories/GHSA-cx3w-xqmc-84g5"]
\ No newline at end of file
diff --git a/reports/GO-2021-0098.yaml b/reports/GO-2021-0098.yaml
new file mode 100644
index 0000000..d621cd4
--- /dev/null
+++ b/reports/GO-2021-0098.yaml
@@ -0,0 +1,38 @@
+module: github.com/git-lfs/git-lfs
+package: github.com/git-lfs/git-lfs/commands
+additional_packages:
+- module: github.com/git-lfs/git-lfs
+ package: github.com/git-lfs/git-lfs/creds
+ symbols:
+ - AskPassCredentialHelper.getFromProgram
+ - commandCredentialHelper.Approve
+ versions:
+ - fixed: v1.5.1-0.20210113180018-fc664697ed2c
+- module: github.com/git-lfs/git-lfs
+ package: github.com/git-lfs/git-lfs/lfs
+ symbols:
+ - pipeExtensions
+ versions:
+ - fixed: v1.5.1-0.20210113180018-fc664697ed2c
+- module: github.com/git-lfs/git-lfs
+ package: github.com/git-lfs/git-lfs/lfshttp
+ symbols:
+ - sshAuthClient.Resolve
+ versions:
+ - fixed: v1.5.1-0.20210113180018-fc664697ed2c
+versions:
+- fixed: v1.5.1-0.20210113180018-fc664697ed2c
+description: |
+ Due to the standard library behavior of exec.LookPath on Windows a number of methods may
+ result in arbitary code execution when cloning or operating on untrusted Git repositories.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2021-21237
+credit: '@Ry0taK'
+symbols:
+- PipeCommand
+os:
+- windows
+links:
+ commit: https://github.com/git-lfs/git-lfs/commit/fc664697ed2c2081ee9633010de0a7f9debea72a
+ context:
+ - https://github.com/git-lfs/git-lfs/security/advisories/GHSA-cx3w-xqmc-84g5
diff --git a/reports/GO-2021-0099.toml b/reports/GO-2021-0099.toml
deleted file mode 100644
index f335cbc..0000000
--- a/reports/GO-2021-0099.toml
+++ /dev/null
@@ -1,23 +0,0 @@
-module = "github.com/deislabs/oras"
-package = "github.com/deislabs/oras/pkg/content"
-
-description = """
-Due to improper path validation, using the github.com/deislabs/oras/pkg/content.FileStore
-content store may result in directory traversal during archive extraction, allowing a
-malicious archive to write paths to arbitary paths that the process can write to.
-"""
-
-cve = "CVE-2021-21272"
-
-credit = "Chris Smowton"
-
-symbols = ["extractTarDirectory"]
-
-published = "2021-04-14T12:00:00Z"
-
-[[versions]]
-fixed = "v0.9.0"
-
-[links]
-commit = "https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e"
-context = ["https://github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx"]
\ No newline at end of file
diff --git a/reports/GO-2021-0099.yaml b/reports/GO-2021-0099.yaml
new file mode 100644
index 0000000..5b98aeb
--- /dev/null
+++ b/reports/GO-2021-0099.yaml
@@ -0,0 +1,17 @@
+module: github.com/deislabs/oras
+package: github.com/deislabs/oras/pkg/content
+versions:
+- fixed: v0.9.0
+description: |
+ Due to improper path validation, using the github.com/deislabs/oras/pkg/content.FileStore
+ content store may result in directory traversal during archive extraction, allowing a
+ malicious archive to write paths to arbitary paths that the process can write to.
+published: 2021-04-14T12:00:00Z
+cve: CVE-2021-21272
+credit: Chris Smowton
+symbols:
+- extractTarDirectory
+links:
+ commit: https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e
+ context:
+ - https://github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx
