internal/report: attempt to auto-fix summaries

If there is no module path in a summary,
simply add it to the end, i.e., "<summary> in <module>".

This could result in non-grammatical
phrases so it's meant as a convenience for a human to fix up.

As a last resort, if there is no summary at all, add
the summary '<[alias] | "Vulnerability"> in <module_path>' as a
starting point.

Change-Id: I64810c7c77980654d7973dc605b256e6053c0254
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/576998
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/internal/genericosv/testdata/yaml/GHSA-28r2-q6m8-9hpx.yaml b/internal/genericosv/testdata/yaml/GHSA-28r2-q6m8-9hpx.yaml
index eed2254..e508bf8 100644
--- a/internal/genericosv/testdata/yaml/GHSA-28r2-q6m8-9hpx.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-28r2-q6m8-9hpx.yaml
@@ -19,7 +19,7 @@
       vulnerable_at: 2.0.2
 summary: |-
     HashiCorp go-getter unsafe downloads could lead to asymmetric resource
-    exhaustion
+    exhaustion in github.com/hashicorp/go-getter
 description: |-
     HashiCorp go-getter through 2.0.2 does not safely perform downloads. Asymmetric
     resource exhaustion could occur when go-getter processed malicious HTTP
@@ -39,4 +39,4 @@
     - web: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
     - web: https://github.com/hashicorp/go-getter/releases
 notes:
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/hashicorp/go-getter")'
+    - lint: 'summary: too long (found 115 characters, want <=100)'
diff --git a/internal/genericosv/testdata/yaml/GHSA-3hwm-922r-47hw.yaml b/internal/genericosv/testdata/yaml/GHSA-3hwm-922r-47hw.yaml
index 8d97ded..d0b7fd2 100644
--- a/internal/genericosv/testdata/yaml/GHSA-3hwm-922r-47hw.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-3hwm-922r-47hw.yaml
@@ -3,7 +3,7 @@
     - module: atomys.codes/stud42
       versions:
         - fixed: 0.23.0
-summary: Stud42 vulnerable to denial of service
+summary: Stud42 vulnerable to denial of service in atomys.codes/stud42
 description: |-
     A security vulnerability has been identified in the GraphQL parser used by the
     API of s42.app. An attacker can overload the parser and cause the API pod to
@@ -22,4 +22,3 @@
     - web: https://github.com/42Atomys/stud42/commit/a70bfc72fba721917bf681d72a58093fb9deee17
 notes:
     - lint: 'modules[0] "atomys.codes/stud42": version 0.23.0 does not exist'
-    - lint: 'summary: must contain an affected module or package path (e.g. "atomys.codes/stud42")'
diff --git a/internal/genericosv/testdata/yaml/GHSA-3wq5-3f56-v5xc.yaml b/internal/genericosv/testdata/yaml/GHSA-3wq5-3f56-v5xc.yaml
index c8c1d90..4f901e4 100644
--- a/internal/genericosv/testdata/yaml/GHSA-3wq5-3f56-v5xc.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-3wq5-3f56-v5xc.yaml
@@ -12,7 +12,7 @@
       versions:
         - introduced: 6.3.0
           fixed: 7.1.6
-summary: Mattermost vulnerable to information disclosure
+summary: Mattermost vulnerable to information disclosure in github.com/mattermost/mattermost-server
 description: |-
     Mattermost allows an attacker to request a preview of an existing message when
     creating a new message via the createPost API call, disclosing the contents of
@@ -27,4 +27,3 @@
 notes:
     - lint: 'modules[0] "github.com/mattermost/mattermost-server": 6 versions do not exist: 7.1.0, 7.1.6, 7.7.0, 7.7.2, 7.8.0, 7.8.1'
     - lint: 'modules[1] "github.com/mattermost/mattermost-server/v6": version 7.1.6 does not exist'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/mattermost/mattermost-server")'
diff --git a/internal/genericosv/testdata/yaml/GHSA-54q4-74p3-mgcw.yaml b/internal/genericosv/testdata/yaml/GHSA-54q4-74p3-mgcw.yaml
index de356fe..d3f42e6 100644
--- a/internal/genericosv/testdata/yaml/GHSA-54q4-74p3-mgcw.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-54q4-74p3-mgcw.yaml
@@ -6,7 +6,7 @@
       unsupported_versions:
         - version: 4.0.2
           type: last_affected
-summary: rttys SQL Injection vulnerability
+summary: rttys SQL Injection vulnerability in github.com/zhaojh329/rttys
 description: |-
     SQL Injection vulnerability in rttys versions 4.0.0, 4.0.1, and 4.0.2 in api.go,
     allows attackers to execute arbitrary code.
@@ -21,4 +21,3 @@
     - lint: 'modules[0] "github.com/zhaojh329/rttys": unsupported_versions: found 1 (want none)'
     - lint: 'modules[0] "github.com/zhaojh329/rttys": version 4.0.0 does not exist'
     - lint: 'summary: must begin with a capital letter'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/zhaojh329/rttys")'
diff --git a/internal/genericosv/testdata/yaml/GHSA-5m6c-jp6f-2vcv.yaml b/internal/genericosv/testdata/yaml/GHSA-5m6c-jp6f-2vcv.yaml
index ed6a8a5..594b3fd 100644
--- a/internal/genericosv/testdata/yaml/GHSA-5m6c-jp6f-2vcv.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-5m6c-jp6f-2vcv.yaml
@@ -4,7 +4,7 @@
       versions:
         - introduced: 5.1.1
           fixed: 6.0.0
-summary: Open Redirect in OAuth2 Proxy
+summary: Open Redirect in OAuth2 Proxy in github.com/oauth2-proxy/oauth2-proxy
 description: |-
     ### Impact As users can provide a redirect address for the proxy to send the
     authenticated user to at the end of the authentication flow. This is expected to
@@ -22,4 +22,3 @@
 notes:
     - lint: 'description: possible markdown formatting (found ### )'
     - lint: 'modules[0] "github.com/oauth2-proxy/oauth2-proxy": 2 versions do not exist: 5.1.1, 6.0.0'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/oauth2-proxy/oauth2-proxy")'
diff --git a/internal/genericosv/testdata/yaml/GHSA-627p-rr78-99rj.yaml b/internal/genericosv/testdata/yaml/GHSA-627p-rr78-99rj.yaml
index c4a7237..ff95b78 100644
--- a/internal/genericosv/testdata/yaml/GHSA-627p-rr78-99rj.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-627p-rr78-99rj.yaml
@@ -14,7 +14,7 @@
           fixed: 6.4.1
 summary: |-
     GitLab auth uses full name instead of username as user ID, allowing
-    impersonation
+    impersonation in github.com/concourse/concourse
 description: |-
     ### Impact
 
@@ -70,4 +70,4 @@
     - lint: 'description: possible markdown formatting (found `users`)'
     - lint: 'modules[0] "github.com/concourse/concourse": 4 versions do not exist: 6.3.0, 6.3.1, 6.4.0, 6.4.1'
     - lint: 'modules[1] "github.com/concourse/dex": 4 versions do not exist: 6.3.0, 6.3.1, 6.4.0, 6.4.1'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/concourse/concourse")'
+    - lint: 'summary: too long (found 115 characters, want <=100)'
diff --git a/internal/genericosv/testdata/yaml/GHSA-66p8-j459-rq63.yaml b/internal/genericosv/testdata/yaml/GHSA-66p8-j459-rq63.yaml
index bb19fbe..ce01fa5 100644
--- a/internal/genericosv/testdata/yaml/GHSA-66p8-j459-rq63.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-66p8-j459-rq63.yaml
@@ -8,7 +8,7 @@
       vulnerable_at: 1.11.3
 summary: |-
     Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following resulting in
-    deletion of files and directories on the host system
+    deletion of files and directories on the host system in github.com/pterodactyl/wings
 description: |-
     ### Impact
 
@@ -45,5 +45,4 @@
     - lint: 'description: possible markdown formatting (found ### )'
     - lint: 'description: possible markdown formatting (found [`GHSA-p8r3-83r8-jwj5`](https://github.com/pterodactyl/wings/security/advisories/GHSA-p8r3-83r8-jwj5))'
     - lint: 'description: possible markdown formatting (found `GHSA-p8r3-83r8-jwj5`)'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/pterodactyl/wings")'
-    - lint: 'summary: too long (found 131 characters, want <=100)'
+    - lint: 'summary: too long (found 163 characters, want <=100)'
diff --git a/internal/genericosv/testdata/yaml/GHSA-69v6-xc2j-r2jf.yaml b/internal/genericosv/testdata/yaml/GHSA-69v6-xc2j-r2jf.yaml
index d30c13a..5998d15 100644
--- a/internal/genericosv/testdata/yaml/GHSA-69v6-xc2j-r2jf.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-69v6-xc2j-r2jf.yaml
@@ -10,7 +10,7 @@
         - fixed: 1.19.7
       packages:
         - package: github.com/ethereum/go-ethereum/core/vm
-summary: Shallow copy bug in geth
+summary: Shallow copy bug in geth in github.com/ethereum/go-ethereum
 description: |-
     ### Impact This is a Consensus vulnerability, which can be used to cause a
     chain-split where vulnerable nodes reject the canonical chain.
@@ -44,4 +44,3 @@
     - lint: 'description: possible markdown formatting (found `dataCopy` (at `0x00...04`)'
     - lint: 'modules[1] "github.com/ethereum/go-ethereum": packages[0] "github.com/ethereum/go-ethereum/core/vm": at least one of vulnerable_at and skip_fix must be set'
     - lint: 'modules[1] "github.com/ethereum/go-ethereum": version 1.19.7 does not exist'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/ethereum/go-ethereum")'
diff --git a/internal/genericosv/testdata/yaml/GHSA-6qfg-8799-r575.yaml b/internal/genericosv/testdata/yaml/GHSA-6qfg-8799-r575.yaml
index bd4b88e..6efb3f5 100644
--- a/internal/genericosv/testdata/yaml/GHSA-6qfg-8799-r575.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-6qfg-8799-r575.yaml
@@ -16,7 +16,7 @@
       vulnerable_at: 1.16.0-rc.2
       packages:
         - package: k8s.io/kubernetes/pkg/kubectl/cmd/cp
-summary: Symlink Attack
+summary: Symlink Attack in github.com/kubernetes/kubernetes
 description: |-
     The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to
     1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by tar
@@ -33,5 +33,3 @@
     - report: https://github.com/kubernetes/kubernetes/issues/87773
     - fix: https://github.com/kubernetes/kubernetes/pull/82143
     - web: https://groups.google.com/d/msg/kubernetes-announce/YYtEFdFimZ4/nZnOezZuBgAJ
-notes:
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/kubernetes/kubernetes")'
diff --git a/internal/genericosv/testdata/yaml/GHSA-6rg3-8h8x-5xfv.yaml b/internal/genericosv/testdata/yaml/GHSA-6rg3-8h8x-5xfv.yaml
index 446b239..928da0a 100644
--- a/internal/genericosv/testdata/yaml/GHSA-6rg3-8h8x-5xfv.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-6rg3-8h8x-5xfv.yaml
@@ -7,7 +7,7 @@
       vulnerable_at: 1.2.0
 summary: |-
     Unchecked hostname resolution could allow access to local network resources by
-    users outside the local network
+    users outside the local network in github.com/pterodactyl/wings
 description: |-
     ### Impact A newly implemented route allowing users to download files from
     remote endpoints was not properly verifying the destination hostname for user
@@ -29,5 +29,4 @@
     - advisory: https://github.com/pterodactyl/wings/security/advisories/GHSA-6rg3-8h8x-5xfv
 notes:
     - lint: 'description: possible markdown formatting (found ### )'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/pterodactyl/wings")'
-    - lint: 'summary: too long (found 110 characters, want <=100)'
+    - lint: 'summary: too long (found 142 characters, want <=100)'
diff --git a/internal/genericosv/testdata/yaml/GHSA-7943-82jg-wmw5.yaml b/internal/genericosv/testdata/yaml/GHSA-7943-82jg-wmw5.yaml
index f4c5d07..ff2b99b 100644
--- a/internal/genericosv/testdata/yaml/GHSA-7943-82jg-wmw5.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-7943-82jg-wmw5.yaml
@@ -11,7 +11,7 @@
         - introduced: 2.4.0
           fixed: 2.4.5
       vulnerable_at: 2.4.4
-summary: Argo CD certificate verification is skipped for connections to OIDC providers
+summary: Argo CD certificate verification is skipped for connections to OIDC providers in github.com/argoproj/argo-cd
 description: |-
     ### Impact
 
@@ -131,4 +131,4 @@
     - lint: 'description: possible markdown formatting (found [discussions](https://github.com/argoproj/argo-cd/discussions))'
     - lint: 'description: possible markdown formatting (found `--dex-server`)'
     - lint: 'modules[0] "github.com/argoproj/argo-cd": version 2.2.11 does not exist'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/argoproj/argo-cd")'
+    - lint: 'summary: too long (found 108 characters, want <=100)'
diff --git a/internal/genericosv/testdata/yaml/GHSA-7fxj-fr3v-r9gj.yaml b/internal/genericosv/testdata/yaml/GHSA-7fxj-fr3v-r9gj.yaml
index 9145d7b..394e749 100644
--- a/internal/genericosv/testdata/yaml/GHSA-7fxj-fr3v-r9gj.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-7fxj-fr3v-r9gj.yaml
@@ -8,7 +8,7 @@
           type: last_affected
         - version: 6.4.0-alpha1
           type: last_affected
-summary: TiDB vulnerable to Use of Externally-Controlled Format String
+summary: TiDB vulnerable to Use of Externally-Controlled Format String in github.com/pingcap/tidb
 description: |-
     TiDB server (importer CLI tool) prior to version 6.4.0 & 6.1.3 is vulnerable to
     data source name injection. The database name for generating and inserting data
@@ -26,4 +26,3 @@
 notes:
     - lint: 'modules[0] "github.com/pingcap/tidb": unsupported_versions: found 2 (want none)'
     - lint: 'modules[0] "github.com/pingcap/tidb": version 6.2.0 does not exist'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/pingcap/tidb")'
diff --git a/internal/genericosv/testdata/yaml/GHSA-9689-rx4v-cqgc.yaml b/internal/genericosv/testdata/yaml/GHSA-9689-rx4v-cqgc.yaml
index 6980554..60516e9 100644
--- a/internal/genericosv/testdata/yaml/GHSA-9689-rx4v-cqgc.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-9689-rx4v-cqgc.yaml
@@ -9,7 +9,7 @@
           fixed: 5.8.1
       packages:
         - package: github.com/concourse/concourse/skymarshal/skyserver
-summary: Open Redirect
+summary: Open Redirect in github.com/concourse/concourse
 description: |-
     Pivotal Concourse Release, versions 4.x prior to 4.2.2, login flow allows
     redirects to untrusted websites. A remote unauthenticated attacker could
@@ -27,4 +27,3 @@
 notes:
     - lint: 'modules[0] "github.com/concourse/concourse": 5 versions do not exist: 5.2.8, 5.3.0, 5.5.10, 5.6.0, 5.8.1'
     - lint: 'modules[0] "github.com/concourse/concourse": packages[0] "github.com/concourse/concourse/skymarshal/skyserver": at least one of vulnerable_at and skip_fix must be set'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/concourse/concourse")'
diff --git a/internal/genericosv/testdata/yaml/GHSA-cf7g-cm7q-rq7f.yaml b/internal/genericosv/testdata/yaml/GHSA-cf7g-cm7q-rq7f.yaml
index c437bce..1698df5 100644
--- a/internal/genericosv/testdata/yaml/GHSA-cf7g-cm7q-rq7f.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-cf7g-cm7q-rq7f.yaml
@@ -3,7 +3,7 @@
     - module: github.com/drakkan/sftpgo
       versions:
         - fixed: 2.3.5
-summary: SFTPGo WebClient vulnerable to Cross-site Scripting
+summary: SFTPGo WebClient vulnerable to Cross-site Scripting in github.com/drakkan/sftpgo
 description: |-
     ### Impact Cross-site scripting (XSS) vulnerabilities have been reported to
     affect SFTPGo WebClient. If exploited, this vulnerability allows remote
@@ -20,4 +20,3 @@
 notes:
     - lint: 'description: possible markdown formatting (found ### )'
     - lint: 'modules[0] "github.com/drakkan/sftpgo": version 2.3.5 does not exist'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/drakkan/sftpgo")'
diff --git a/internal/genericosv/testdata/yaml/GHSA-g5gj-9ggf-9vmq.yaml b/internal/genericosv/testdata/yaml/GHSA-g5gj-9ggf-9vmq.yaml
index 48efd1e..ba6591e 100644
--- a/internal/genericosv/testdata/yaml/GHSA-g5gj-9ggf-9vmq.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-g5gj-9ggf-9vmq.yaml
@@ -6,7 +6,7 @@
       vulnerable_at: 1.3.0
       packages:
         - package: github.com/cloudflare/cfrpki/cmd/octorpki
-summary: Infinite certificate chain depth results in OctoRPKI running forever
+summary: Infinite certificate chain depth results in OctoRPKI running forever in github.com/cloudflare/cfrpki
 description: |-
     OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to
     create children in an ad-hoc fashion, thereby making tree traversal never end.
@@ -25,4 +25,3 @@
     - web: https://www.debian.org/security/2022/dsa-5041
 notes:
     - lint: 'description: possible markdown formatting (found ## )'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/cloudflare/cfrpki")'
diff --git a/internal/genericosv/testdata/yaml/GHSA-g9wh-3vrx-r7hg.yaml b/internal/genericosv/testdata/yaml/GHSA-g9wh-3vrx-r7hg.yaml
index 11c7bea..48880bc 100644
--- a/internal/genericosv/testdata/yaml/GHSA-g9wh-3vrx-r7hg.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-g9wh-3vrx-r7hg.yaml
@@ -4,7 +4,7 @@
       versions:
         - fixed: 1.4.0
       vulnerable_at: 1.3.0
-summary: OctoRPKI crashes when processing GZIP bomb returned via malicious repository
+summary: OctoRPKI crashes when processing GZIP bomb returned via malicious repository in github.com/cloudflare/cfrpki
 description: |-
     OctoRPKI tries to load the entire contents of a repository in memory, and in the
     case of a GZIP bomb, unzip it in memory, making it possible to create a
@@ -24,4 +24,4 @@
     - web: https://www.debian.org/security/2022/dsa-5041
 notes:
     - lint: 'description: possible markdown formatting (found ## )'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/cloudflare/cfrpki")'
+    - lint: 'summary: too long (found 108 characters, want <=100)'
diff --git a/internal/genericosv/testdata/yaml/GHSA-hjv9-hm2f-rpcj.yaml b/internal/genericosv/testdata/yaml/GHSA-hjv9-hm2f-rpcj.yaml
index 7b9c46e..9192823 100644
--- a/internal/genericosv/testdata/yaml/GHSA-hjv9-hm2f-rpcj.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-hjv9-hm2f-rpcj.yaml
@@ -8,7 +8,7 @@
           fixed: 9.2.13
         - introduced: 9.3.0
           fixed: 9.3.8
-summary: Grafana vulnerable to Cross-site Scripting
+summary: Grafana vulnerable to Cross-site Scripting in github.com/grafana/grafana
 description: |-
     Grafana is an open-source platform for monitoring and observability. Starting
     with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core
@@ -31,4 +31,3 @@
     - web: https://security.netapp.com/advisory/ntap-20230413-0001/
 notes:
     - lint: 'modules[0] "github.com/grafana/grafana": 6 versions do not exist: 8.1.0, 8.5.21, 9.0.0, 9.2.13, 9.3.0, 9.3.8'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/grafana/grafana")'
diff --git a/internal/genericosv/testdata/yaml/GHSA-hv53-vf5m-8q94.yaml b/internal/genericosv/testdata/yaml/GHSA-hv53-vf5m-8q94.yaml
index 0c505ed..6ad8b7c 100644
--- a/internal/genericosv/testdata/yaml/GHSA-hv53-vf5m-8q94.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-hv53-vf5m-8q94.yaml
@@ -3,7 +3,7 @@
     - module: github.com/personnummer/go
       versions:
         - fixed: 3.0.1
-summary: personnummer/go vulnerable to Improper Input Validation
+summary: personnummer/go vulnerable to Improper Input Validation in github.com/personnummer/go
 description: |-
     This vulnerability was reported to the personnummer team in June 2020. The slow
     response was due to locked ownership of some of the affected packages, which
@@ -57,4 +57,3 @@
     - lint: 'description: possible markdown formatting (found [C#](https://github.com/advisories/GHSA-qv8q-v995-72gr))'
     - lint: 'modules[0] "github.com/personnummer/go": version 3.0.1 does not exist'
     - lint: 'summary: must begin with a capital letter'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/personnummer/go")'
diff --git a/internal/genericosv/testdata/yaml/GHSA-jh36-q97c-9928.yaml b/internal/genericosv/testdata/yaml/GHSA-jh36-q97c-9928.yaml
index 186d7c7..bb52e2a 100644
--- a/internal/genericosv/testdata/yaml/GHSA-jh36-q97c-9928.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-jh36-q97c-9928.yaml
@@ -11,7 +11,7 @@
         - introduced: 1.25.0
           fixed: 1.25.4
       vulnerable_at: 1.25.4-rc.0
-summary: Kubernetes vulnerable to validation bypass
+summary: Kubernetes vulnerable to validation bypass in k8s.io/kubernetes
 description: |-
     Users may have access to secure endpoints in the control plane network.
     Kubernetes clusters are only affected if an untrusted user can modify Node
@@ -31,5 +31,3 @@
     - web: https://github.com/kubernetes/kubernetes/issues/113757
     - web: https://groups.google.com/g/kubernetes-security-announce/c/VyPOxF7CIbA
     - web: https://security.netapp.com/advisory/ntap-20230505-0007/
-notes:
-    - lint: 'summary: must contain an affected module or package path (e.g. "k8s.io/kubernetes")'
diff --git a/internal/genericosv/testdata/yaml/GHSA-jmp2-wc4p-wfh2.yaml b/internal/genericosv/testdata/yaml/GHSA-jmp2-wc4p-wfh2.yaml
index 4a1e781..afe2d09 100644
--- a/internal/genericosv/testdata/yaml/GHSA-jmp2-wc4p-wfh2.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-jmp2-wc4p-wfh2.yaml
@@ -12,7 +12,7 @@
       vulnerable_at: 0.17.0
 summary: |-
     Mutagen list and monitor operations do not neutralize control characters in text
-    controlled by remote endpoints
+    controlled by remote endpoints in github.com/mutagen-io/mutagen
 description: |-
     ### Impact
 
@@ -61,5 +61,4 @@
     - lint: 'description: possible markdown formatting (found ### )'
     - lint: 'description: possible markdown formatting (found [CVE-2003-0069](https://nvd.nist.gov/vuln/detail/CVE-2003-0069))'
     - lint: 'description: possible markdown formatting (found `list`)'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/mutagen-io/mutagen")'
-    - lint: 'summary: too long (found 111 characters, want <=100)'
+    - lint: 'summary: too long (found 144 characters, want <=100)'
diff --git a/internal/genericosv/testdata/yaml/GHSA-pg5p-wwp8-97g8.yaml b/internal/genericosv/testdata/yaml/GHSA-pg5p-wwp8-97g8.yaml
index 0db660c..0f3f8fc 100644
--- a/internal/genericosv/testdata/yaml/GHSA-pg5p-wwp8-97g8.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-pg5p-wwp8-97g8.yaml
@@ -13,7 +13,7 @@
         - version: 1.10.0
           type: last_affected
       vulnerable_at: 1.13.1
-summary: Debug mode leaks confidential data in Cilium
+summary: Debug mode leaks confidential data in Cilium in github.com/cilium/cilium
 description: |-
     ### Impact
 
@@ -64,4 +64,3 @@
     - lint: 'description: possible markdown formatting (found [Slack](https://docs.cilium.io/en/latest/community/community/#slack))'
     - lint: 'modules[0] "github.com/cilium/cilium": unsupported_versions: found 1 (want none)'
     - lint: 'modules[0] "github.com/cilium/cilium": versions: introduced and fixed versions must alternate'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/cilium/cilium")'
diff --git a/internal/genericosv/testdata/yaml/GHSA-pmfr-63c2-jr5c.yaml b/internal/genericosv/testdata/yaml/GHSA-pmfr-63c2-jr5c.yaml
index ee6b5bf..dfded10 100644
--- a/internal/genericosv/testdata/yaml/GHSA-pmfr-63c2-jr5c.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-pmfr-63c2-jr5c.yaml
@@ -4,7 +4,7 @@
       versions:
         - introduced: 3.0.0+incompatible
           fixed: 3.6.0
-summary: Execution Control List (ECL) Is Insecure in Singularity
+summary: Execution Control List (ECL) Is Insecure in Singularity in github.com/sylabs/singularity
 description: |-
     ### Impact
 
@@ -71,4 +71,3 @@
     - lint: 'description: possible markdown formatting (found [Singularity Slack Channel](https://bit.ly/2m0g3lX))'
     - lint: 'description: possible markdown formatting (found `legacyinsecure`)'
     - lint: 'modules[0] "github.com/sylabs/singularity": version 3.6.0 does not exist'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/sylabs/singularity")'
diff --git a/internal/genericosv/testdata/yaml/GHSA-vp35-85q5-9f25.yaml b/internal/genericosv/testdata/yaml/GHSA-vp35-85q5-9f25.yaml
index 84c56a2..88b9026 100644
--- a/internal/genericosv/testdata/yaml/GHSA-vp35-85q5-9f25.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-vp35-85q5-9f25.yaml
@@ -4,7 +4,7 @@
       versions:
         - fixed: 20.10.20+incompatible
       vulnerable_at: 20.10.19+incompatible
-summary: Container build can leak any path on the host into the container
+summary: Container build can leak any path on the host into the container in github.com/moby/moby
 description: |-
     ### Description
 
@@ -112,4 +112,3 @@
     - lint: 'description: possible markdown formatting (found ### )'
     - lint: 'description: possible markdown formatting (found [Open an issue](https://github.com/moby/moby/issues/new))'
     - lint: 'description: possible markdown formatting (found `git+<protocol>://...`)'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/moby/moby")'
diff --git a/internal/genericosv/testdata/yaml/GHSA-w4xh-w33p-4v29.yaml b/internal/genericosv/testdata/yaml/GHSA-w4xh-w33p-4v29.yaml
index 0938489..731914f 100644
--- a/internal/genericosv/testdata/yaml/GHSA-w4xh-w33p-4v29.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-w4xh-w33p-4v29.yaml
@@ -8,7 +8,7 @@
         - fixed: 2.1.1-0.20170519163204-f913f5f9c7c6
       packages:
         - package: github.com/git-lfs/git-lfs/lfsapi
-summary: GitHub Git LFS Improper Input Validation vulnerability
+summary: GitHub Git LFS Improper Input Validation vulnerability in github.com/git-lfs/git-lfs
 description: |-
     GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitrary
     commands via an ssh URL with an initial dash character in the hostname, located
@@ -32,4 +32,3 @@
     - lint: 'modules[0] "github.com/git-lfs/git-lfs": version 2.1.1-0.20170519163204-f913f5f9c7c6 does not exist'
     - lint: 'modules[1] "github.com/git-lfs/git-lfs": packages[0] "github.com/git-lfs/git-lfs/lfsapi": at least one of vulnerable_at and skip_fix must be set'
     - lint: 'modules[1] "github.com/git-lfs/git-lfs": version 2.1.1-0.20170519163204-f913f5f9c7c6 does not exist'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/git-lfs/git-lfs")'
diff --git a/internal/genericosv/testdata/yaml/GHSA-xmg8-99r8-jc2j.yaml b/internal/genericosv/testdata/yaml/GHSA-xmg8-99r8-jc2j.yaml
index b2cf762..495bb23 100644
--- a/internal/genericosv/testdata/yaml/GHSA-xmg8-99r8-jc2j.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-xmg8-99r8-jc2j.yaml
@@ -12,7 +12,7 @@
         - introduced: 2.3.0
           fixed: 2.3.4
       vulnerable_at: 2.3.3
-summary: Login screen allows message spoofing if SSO is enabled
+summary: Login screen allows message spoofing if SSO is enabled in github.com/argoproj/argo-cd
 description: |-
     ### Impact
 
@@ -74,4 +74,3 @@
     - lint: 'description: possible markdown formatting (found ### )'
     - lint: 'description: possible markdown formatting (found [discussions](https://github.com/argoproj/argo-cd/discussions))'
     - lint: 'modules[0] "github.com/argoproj/argo-cd": version 2.1.15 does not exist'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/argoproj/argo-cd")'
diff --git a/internal/genericosv/testdata/yaml/GHSA-xx9w-464f-7h6f.yaml b/internal/genericosv/testdata/yaml/GHSA-xx9w-464f-7h6f.yaml
index a025550..163d8e2 100644
--- a/internal/genericosv/testdata/yaml/GHSA-xx9w-464f-7h6f.yaml
+++ b/internal/genericosv/testdata/yaml/GHSA-xx9w-464f-7h6f.yaml
@@ -8,7 +8,7 @@
           fixed: 2.4.3+incompatible
         - introduced: 2.5.0+incompatible
           fixed: 2.5.2+incompatible
-summary: Harbor fails to validate the user permissions when updating a robot account
+summary: Harbor fails to validate the user permissions when updating a robot account in github.com/goharbor/harbor
 description: |-
     ### Impact Harbor fails to validate the user permissions when updating a robot
     account that belongs to a project that the authenticated user doesn’t have
@@ -44,4 +44,4 @@
 notes:
     - lint: 'description: possible markdown formatting (found ### )'
     - lint: 'modules[0] "github.com/goharbor/harbor": version 1.0.0 does not exist'
-    - lint: 'summary: must contain an affected module or package path (e.g. "github.com/goharbor/harbor")'
+    - lint: 'summary: too long (found 105 characters, want <=100)'
diff --git a/internal/report/fix.go b/internal/report/fix.go
index 2224161..389ee65 100644
--- a/internal/report/fix.go
+++ b/internal/report/fix.go
@@ -35,6 +35,28 @@
 	if r.CVEMetadata != nil {
 		fixLines(&r.CVEMetadata.Description)
 	}
+
+	r.fixSummary()
+}
+
+func (r *Report) fixSummary() {
+	summary := r.Summary.String()
+
+	// If there is no summary, create a basic one.
+	if summary == "" {
+		if aliases := r.Aliases(); len(aliases) != 0 {
+			summary = aliases[0]
+		} else {
+			summary = "Vulnerability"
+		}
+	}
+
+	// Add a path if one exists and is needed.
+	if paths := r.nonStdPaths(); len(paths) > 0 && !containsPath(summary, paths) {
+		summary = fmt.Sprintf("%s in %s", summary, paths[0])
+	}
+
+	r.Summary = Summary(summary)
 }
 
 func (r *Report) FixReferences() {
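Review bot: fixSummary has no doc comment, and nothing in the report records that the summary was machine-edited. In the testdata updated by this same commit the `summary: must contain an affected module or package path` lint disappears once the path is appended, and for GHSA-6qfg-8799-r575 and GHSA-jh36-q97c-9928 the whole `notes:` section goes away, so a draft such as `Symlink Attack in github.com/kubernetes/kubernetes` carries no remaining signal that a human still has to rewrite it before the advisory is published. I would at least state the contract above the function, e.g. `// fixSummary appends the first path from nonStdPaths to a summary that names none (starting from the first alias or "Vulnerability" if empty); the result is a draft for human editing and may be ungrammatical or exceed the lint length limit.`, and consider leaving a marker for the reviewer whenever the summary is changed. `paths[0]` is presumably taken in listing order; in GHSA-6qfg-8799-r575 it yields `github.com/kubernetes/kubernetes` while the visible package is under `k8s.io/kubernetes`, so the appended path may not be the one a reader expects, which is worth confirming. The hunk begins inside the preceding function, whose start is outside it.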
diff --git a/internal/report/fix_test.go b/internal/report/fix_test.go
index 8bde2d9..0ec118c 100644
--- a/internal/report/fix_test.go
+++ b/internal/report/fix_test.go
@@ -49,6 +49,7 @@
 		},
 	}
 	want := Report{
+		Summary: "Vulnerability in golang.org/x/vulndb",
 		Modules: []*Module{
 			{
 				Module: "std",
diff --git a/internal/report/ghsa_test.go b/internal/report/ghsa_test.go
index 4f06bfb..b3032f2 100644
--- a/internal/report/ghsa_test.go
+++ b/internal/report/ghsa_test.go
@@ -53,6 +53,7 @@
 						Package: "golang.org/x/tools/go/packages",
 					}},
 				}},
+				Summary:     "C1 in golang.org/x/tools",
 				Description: "a description",
 				GHSAs:       []string{"G1"},
 				CVEs:        []string{"C1"},
@@ -72,6 +73,7 @@
 						Package: "golang.org/x/tools/go/packages",
 					}},
 				}},
+				Summary:     "C1 in golang.org/x/tools/go/packages",
 				Description: "a description",
 				GHSAs:       []string{"G1"},
 				CVEs:        []string{"C1"},
diff --git a/internal/worker/worker_test.go b/internal/worker/worker_test.go
index 3c56e8a..01acaaf 100644
--- a/internal/worker/worker_test.go
+++ b/internal/worker/worker_test.go
@@ -299,6 +299,7 @@
     - module: a.Module
       packages:
         - package: a.Module
+summary: ID1 in a.Module
 cves:
     - ID1
 
@@ -361,6 +362,7 @@
         - fixed: 1.2.3
       packages:
         - package: aPackage
+summary: G1 in aPackage
 ghsas:
     - G1