The Go vulnerability report format is used to generate the JSON files served to the vulnerability database.
This file format is meant for internal use only, and is subject to change without warning. See golang.org/x/vuln for information on the Go Vulnerability database API.
This page documents the internal YAML file format.
## `packages`

type `Package[]`, required

Information on each package affected by the vulnerability.

### `module`

type `string`, required

The module path of the vulnerable module.

### `package`

type `string`, required (if different from `module`)

The import path of the vulnerable package.

### `symbols`

type `string[]`

The symbols affected by this vulnerability.

If included, only programs which use these symbols will be marked as vulnerable. If omitted, any program which imports this module will be marked vulnerable.

These should be the symbols initially detected or identified in the CVE or other source.

### `derived_symbols`

type `string[]`

Derived symbols that are calculated from `symbols`, such as by static analysis tools like govulncheck.

Potentially, the set of derived symbols can differ with the module version. We don't attempt to capture that level of detail. Most of the values of `derived_symbols` as of this writing were obtained from a module version just prior to the version that the report listed as fixed.

### `versions`

type `VersionRange[]`

The version ranges in which the package is vulnerable.

If the vulnerability is fixed in multiple major versions, then there should be a `versions` entry for each major version.

If omitted, it is assumed that every version of the module is vulnerable.

Versions must be SemVer 2.0.0 versions, with no “v” or “go” prefix. Version ranges must not overlap.

#### `introduced`

type `string`

The version at which the vulnerability was introduced.

If this field is omitted, it is assumed that every version from the initial commit up to the fixed version is vulnerable.

#### `fixed`

type `string`

The version at which the vulnerability was fixed.

If this field is omitted, it is assumed that every version since the introduced version is vulnerable.
## `description`

type `string`, required

A textual description of the vulnerability and its impact. Should be wrapped to 80 columns.

## `cves`

type `string[]`

The Common Vulnerabilities and Exposures (CVE) ID(s) for the vulnerability.

## `ghsas`

type `string[]`

The GitHub Security Advisory (GHSA) IDs for the vulnerability.

## `credit`

The name of the person/organization that discovered/reported the vulnerability.

## `links`

type `Links`

Links to further information about the vulnerability.

### `commit`

type `string`

A link to the commit which fixes the vulnerability.

### `pr`

type `string`

A link to the PR/CL which fixes the vulnerability.

### `context`

type `string[]`

Additional links which provide more context about the vulnerability, such as GitHub issues or vulnerability reports.
Example of a report for a third-party module:

```yaml
packages:
  - module: github.com/example/module
    package: github.com/example/module/package
    symbols:
      - Type.MethodA
      - MethodB
    versions:
      # The vulnerability is present in all versions since version v0.2.0.
      - introduced: 0.2.0
        # The vulnerability is present in all versions up to version v0.2.5.
        fixed: 0.2.5
  # Major versions must be explicitly specified.
  - module: github.com/example/module/v2
    symbols:
      - MethodB
    versions:
      - fixed: 2.5.0
  - module: github.com/example/module/v3
    symbols:
      - MethodB
    versions:
      - introduced: 3.0.1
description: |
  A description of the vulnerability present in this module.

  The description can contain newlines, and a limited set of markup.
cves:
  - CVE-2021-3185
ghsas:
  - GHSA-1234-5678-9101
credit:
  - John Smith
links:
  # links is a single mapping (type Links), not a list of mappings.
  commit: https://github.com/example/module/commit/aabbccdd
  pr: https://github.com/example/module/pull/10
  context:
    - https://www.openwall.com/lists/oss-security/2016/11/03/1
    - https://github.com/example/module/advisories/1
```
Example of a report for the standard library (module `std`):

```yaml
packages:
  - module: std
    package: a/package
    symbols:
      - pkg.ASymbol
    versions:
      - introduced: 1.14
        fixed: 1.14.12
      - introduced: 1.15
        fixed: 1.15.5
description: |
  A description.
cves:
  - CVE-2020-12345
links:
  pr: https://go.dev/cl/12345
  commit: https://go.googlesource.com/go/+/12345678
  context:
    - https://go.dev/issue/01010
    - https://groups.google.com/g/golang-announce/c/123456
```
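As an added illustration of the `versions` rules described above (this is example code, not part of the vulndb project), the Go program below encodes the omitted-field semantics of `introduced` and `fixed` and checks whether a given version is affected, using the ranges from the standard library example. The `parse` helper is a simplified comparator assumed for this example: it handles bare `MAJOR.MINOR.PATCH` strings and ignores pre-release tags.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// VersionRange mirrors one `versions` entry; omitted fields follow the format's rules.
type VersionRange struct {
	Introduced string `yaml:"introduced,omitempty"` // empty: vulnerable since the first version
	Fixed      string `yaml:"fixed,omitempty"`      // empty: no fixed version yet
}

// parse splits a bare "MAJOR.MINOR.PATCH" string (no "v" or "go" prefix) into
// three ints; a missing component is 0, so "1.14" equals "1.14.0". Pre-release
// tags are not handled (simplifying assumption of this example).
func parse(v string) (n [3]int) {
	for i, s := range strings.SplitN(v, ".", 3) {
		n[i], _ = strconv.Atoi(s)
	}
	return n
}

// versionLess reports whether version a sorts before version b.
func versionLess(a, b string) bool {
	pa, pb := parse(a), parse(b)
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// Affected applies the format's rules: an omitted `versions` list means every
// version is vulnerable; otherwise v must fall in some half-open [Introduced, Fixed).
func Affected(ranges []VersionRange, v string) bool {
	for _, r := range ranges {
		if (r.Introduced == "" || !versionLess(v, r.Introduced)) &&
			(r.Fixed == "" || versionLess(v, r.Fixed)) {
			return true
		}
	}
	return len(ranges) == 0
}

func main() {
	std := []VersionRange{{"1.14", "1.14.12"}, {"1.15", "1.15.5"}} // the page's std example
	fmt.Println(Affected(std, "1.14.11"), Affected(std, "1.14.12"), Affected(nil, "0.1.0"))
}
```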