Go Vulnerability Database Quickstart

This document is a quick guide our new (evolving) process for handling vulnerability issue triage in the x/vulndb issue tracker.

Other useful docs:

Quickstart

Triage

  1. Assign any unlabeled, unassigned issues on the tracker to yourself.

  2. If you haven't already, follow the one-time-setup process.

  3. Sync the vulndb repo, re-install vulnreport and switch to a fresh branch, e.g.:

    $ cd vulndb
    $ git sync
    $ go install ./cmd/vulnreport
    $ git checkout -b reports
    
  4. Auto-triage the outstanding issues by running

    $ vulnreport triage
    

    See vulnreport triage for more info and options for this command.

Check for duplicates and not Go code

  1. For all reports marked possible duplicate, determine if the label is correct.
  • If correct: replace the possible duplicate label with the duplicate label, add a comment exactly of the form “Duplicate of #NNN” where #NNN is number of the issue this is a duplicate of, and close the issue.
  • If incorrect: remove the possible duplicate label and ensure the triaged label is present.
  1. For all reports marked possibly not Go, determine if the label is correct by investigating the report to see if the vulnerability affects Go code.

    • If correct: replace the possibly not Go label with the excluded:NOT_GO_CODE label.
    • If incorrect: remove the possibly not Go label and ensure the triaged label is present.

    Once labeled, you can create excluded reports for these using the vulnreport create-excluded command (See triage guide for usage).

Add reports

All remaining open issues marked triaged now need standard reports.

Issues marked triaged (but not high priority or possible duplicate) need an UNREVIEWED report. Issues marked triaged and high priority need a REVIEWED report.

  1. Batch create all reports assigned to you:
  $ vulnreport -user=<github_username> create
  1. Check for UNREVIEWED reports with lint errors, and edit these reports to fix the errors. (Run vulnreport lint NNN to check if the errors are fixed). If there are no errors, do not edit the report.
  2. Batch fix and commit the UNREVIEWED reports:
  $ vulnreport -status=UNREVIEWED -batch=20 commit
  1. For each REVIEWED report: a. Fill in all the TODOs using doc/format.md as a guide. b. Fix the report and add derived files:

    $ vulnreport fix NNN
    

    c. If fix fails, edit the report until it succeeds. d. Commit the report:

    $ vulnreport commit NNN
    
  2. Mail the CLs and add a team member as a reviewer.

One-time setup

  1. Clone the x/vulndb repository: git clone https://go.googlesource.com/vulndb.

  2. Get a GitHub access token with scope repo: public_repo (follow instructions for “personal access token (classic)”).

    Store the token in a file, e.g., ~/.github-token, and run: export VULN_GITHUB_ACCESS_TOKEN=`cat ~/.github-token` (you can also store this command in a ~/.bashrc file or similar).

  3. From the repo root, run go install ./cmd/vulnreport to install the latest version of vulnreport tool.