The main section of the TOML contains high level information about the vulnerability
package = "github.com/example/module"
required package
contains the import path of the vulnerable module.
description = """ A remote attacker can craft a message which causes a panic via nil pointer dereference if the field [`Config.Parser`] is not initialized. """
required description
contains a textual description of the vulnerability and its impact. This field can contain a subset of markdown markup, used to link to godoc documentation for methods/types in the vulnerable module (and/or other modules).
cve = "CVE-000-000"
optional cve
contains a CVE number for the vulnerability, if one has been assigned.
credit = "A. Reporter"
optional credit
contains credit for the person/organization that discovered/reported the vulnerability.
symbols = ["Parser.Parse"]
optional symbols
contains an array of vulnerable symbols. If included only programs which use these symbols will be marked as vulnerable. If omitted any program which imports this module will be marked vulnerable.
[[versions]]
The versions
sections of the TOML contain information about when the vulnerability was introduced, and when it was fixed. If the vulnerability is fixed in multiple major versions, then the TOML should contain multiple versions
sections. If omitted it is assumed that every version of the module is vulnerable.
introduced = "v0.0.1"
optional introduced
contains the pseudo-version at which the vulnerability was introduced. If this field is omitted it is assumed that every version, from the initial commit, up to the fixed
version is vulnerable.
fixed = "v4.0.0-20190408214815-ec0a89a131e3"
optional fixed
contains the pseudo-version at which the vulnerability was fixed. If this field is omitted it is assumed that every version since the introduced
version is vulnerable.
[[additional_packages]]
The additional_packages
sections of the TOML contain information about additional packages impacted by the vulnerability. These may be other submodules which independently implement the same vulnerability, or alternate module names for the same module.
package = "gopkg.in/vuln-mod"
optional package
contains the import path of the additionally vulnerable module.
symbols = ["Parser.Parse"]
optional symbols
contains an array of vulnerable symbols. If included only programs which use these symbols will be marked as vulnerable. If omitted any program which imports this module will be marked vulnerable.
[[additional_packages.versions]]
The additional_packages.versions
sections contain version ranges for each additional package, following the same semantics as the versions
section.
[links]
The links
section of the TOML contains further information about the vulnerability.
commit = "https://github.com/example/module/commit/abcd"
optional* commit
contains a link to the commit which fixes the vulnerability.
pr = "https://github.com/example/module/pulls/123"
optional pr
contains a link to the PR/CL which fixes the vulnerability.
context = ["https://github.com/example/module/issues/50"]
optional context
contains an array of additional links which provide additional context about the vulnerability, i.e. GitHub issues, vulnerability reports, etc.
package = "github.com/example/module" description = """A description of the vulnerability present in this module. The description can contain newlines, and a limited set of markup. """ cve = "CVE-2021-3185" credit = "John Smith" symbols = ["Type.MethodA", "MethodB"] [[versions]] # The vulnerability is present in all versions up to # version v0.2.0 fixed = "v0.2.0" [[versions]] # The vulnerability is present in all versions since # version v0.2.5 introduced = "v0.2.5 [[additional_packages]] # Major versions must be explicitly specified package = "github.com/example/module/v2" symbols = ["MethodB"] [[additional_packages.versions]] fixed = "v2.5.0" [[additional_packages]] package = "github.com/example/module/v3" symbols = ["MethodB"] [[additional_packages.versions]] introduced = "v3.0.1" [links] commit = "https://github.com/example/module/commit/aabbccdd" pr = "https://github.com/example/module/pull/10" context = [ "https://www.openwall.com/lists/oss-security/2016/11/03/1", "https://github.com/example/module/advisories/1" ]