The Go vulnerability report format is used to generate JSON files served the the vulnerability database.
This file format is meant for internal use only, and is subject to change without warning. See golang.org/x/vuln for information on the Go Vulnerability database API.
This document explains data within the internal YAML file format.
required: module
contains the module path of the vulnerable module.
required: package
contains the import path of the vulnerable module.
required: description
contains a textual description of the vulnerability and its impact.
cves
contains all of the CVE numbers for the vulnerability that this report pertains to.
credit
contains credit for the person/organization that discovered/reported the vulnerability.
symbols
contains an array of vulnerable symbols. If included, only programs which use these symbols will be marked as vulnerable. If omitted, any program which imports this module will be marked vulnerable.
The versions
sections of the YAML contain information about when the vulnerability was introduced, and when it was fixed. If the vulnerability is fixed in multiple major versions, then the YAML should contain multiple versions
sections. If omitted, it is assumed that every version of the module is vulnerable.
introduced
contains the version at which the vulnerability was introduced. If this field is omitted it is assumed that every version, from the initial commit, up to the fixed
version is vulnerable.
fixed
contains the version at which the vulnerability was fixed. If this field is omitted it is assumed that every version since the introduced
version is vulnerable.
The additional_packages
sections of the YAML contain information about additional packages impacted by the vulnerability. These may be other submodules which independently implement the same vulnerability, or alternate module names for the same module.
package
contains the import path of the additionally vulnerable module.
symbols
contains an array of vulnerable symbols. If included only programs which use these symbols will be marked as vulnerable. If omitted any program which imports this module will be marked vulnerable.
The additional_packages.versions
sections contain version ranges for each additional package, following the same semantics as the versions
section.
The links
section of the YAML contains further information about the vulnerability.
commit
contains a link to the commit which fixes the vulnerability.
pr
contains a link to the PR/CL which fixes the vulnerability.
context
contains an array of additional links which provide additional context about the vulnerability, i.e. GitHub issues, vulnerability reports, etc.
module: github.com/example/module package: github.com/example/module description: | A description of the vulnerability present in this module. The description can contain newlines, and a limited set of markup. cves: - CVE-2021-3185 credit: - John Smith symbols: - Type.MethodA - MethodB versions: # The vulnerability is present in all versions since version v0.2.0. - introduced: v0.2.0 # The vulnerability is present in all versions up to version v0.2.5. - fixed: v0.2.5. additional_packages: # Major versions must be explicitly specified - module: github.com/example/module/v2 symbols: - MethodB versions: - fixed: v2.5.0 - module: github.com/example/module/v3 symbols: - MethodB versions: - introduced: v3.0.1 links: - commit: https://github.com/example/module/commit/aabbccdd - pr: https://github.com/example/module/pull/10 - context: - https://www.openwall.com/lists/oss-security/2016/11/03/1 - https://github.com/example/module/advisories/1