cmd/vulnreport: automatically fetch modules in symbol checks

The "vulnreport fix" command loads affected modules to add exported
symbols. (Eventually, this command should also validate the listed
symbols exist in the module, but it doesn't do that right now.)

Running fix requires some manual effort on the user's part.
From the triage documentation:

  mkdir /tmp/mymod
  cd /tmp/mymod
  go mod init
  go get<version-before-fixed>
  go run <path to /cmd/vulnreport> fix

Automate this.

Detemining the "version-before-fixed" is programmatically is difficult.
Rather than trying to do so, add a "vulnerable_at" field to reports
which specifies a known-vulnerable version to use. Placing this in
the report also makes whatever work fix does more reproducable, since
we have an audit trail of what version was used.

Change-Id: Ie76d582a1f5192597f411b60eb407c2c014a9d35
Reviewed-by: Julie Qiu <>
Run-TryBot: Damien Neil <>
TryBot-Result: Gopher Robot <>
4 files changed
tree: 6dabb95c879b11c5dc722d5679d7edbf3441adfa
  1. .github/
  2. cmd/
  3. deploy/
  4. devtools/
  5. doc/
  6. internal/
  7. reports/
  8. terraform/
  9. webconfig/
  10. .gitignore
  11. all_test.go
  13. checks.bash
  16. go.mod
  17. go.sum
  21. tools_test.go

The Go Vulnerability Database

This repository contains the reports for the Go Vulnerability Database.

If you are interested accessing data from the Go Vulnerability Database, see x/vuln for information. This repository is only used for adding new vulnerabilities.

Reporting a vulnerability

We are not accepting new vulnerability reports at this time. We will update this once we are ready to receive reports.


Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Database entries are distributed under the terms of the CC-BY 4.0 license. See x/vuln for information on how to access these entries.