This document is a quick guide our new (evolving) process for handling vulnerability issue triage in the x/vulndb issue tracker.
Other useful docs:
Assign any unlabeled, unassigned issues on the tracker to yourself.
If you haven't already, follow the one-time-setup process.
Sync the vulndb repo, re-install vulnreport and switch to a fresh branch, e.g.:
$ cd vulndb $ git sync $ go install ./cmd/vulnreport $ git checkout -b reports
Auto-triage the outstanding issues by running
$ vulnreport triage
See vulnreport triage
for more info and options for this command.
duplicate
, quickly double-check if the label is correct (it usually is).duplicate
label, delete the duplicate comment, and ensure the triaged
label is present.For all reports marked possibly not Go
, determine if the label is correct by investigating the report to see if the vulnerability affects Go code.
possibly not Go
label with the excluded:NOT_GO_CODE
label.possibly not Go
label and ensure the triaged
label is present.Once labeled, you can create excluded reports for these using the vulnreport create-excluded
command (See triage guide for usage).
All remaining open issues marked triaged
now need standard reports.
Issues marked triaged
(but not high priority
or possible duplicate
) need an UNREVIEWED report. Issues marked triaged
and high priority
need a REVIEWED report.
$ vulnreport -user=<github_username> create
vulnreport lint NNN
to check if the errors are fixed). If there are no errors, do not edit the report.$ vulnreport -status=UNREVIEWED -batch=20 commit
For each REVIEWED report: a. Fill in all the TODOs using doc/format.md as a guide. b. Fix the report and add derived files:
$ vulnreport fix NNN
c. If fix
fails, edit the report until it succeeds. d. Commit the report:
$ vulnreport commit NNN
Mail the CLs and add a team member as a reviewer.
Clone the x/vulndb repository: git clone https://go.googlesource.com/vulndb
.
Get a GitHub access token with scope repo: public_repo
(follow instructions for “personal access token (classic)”).
Store the token in a file, e.g., ~/.github-token
, and run: export VULN_GITHUB_ACCESS_TOKEN=`cat ~/.github-token`
(you can also store this command in a ~/.bashrc
file or similar).
From the repo root, run go install ./cmd/vulnreport
to install the latest version of vulnreport tool.