Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Include module names #1

Closed
knqyf263 opened this issue Apr 26, 2021 · 5 comments · May be fixed by #2
Closed

Include module names #1

knqyf263 opened this issue Apr 26, 2021 · 5 comments · May be fixed by #2

Comments

@knqyf263
Copy link
Contributor

Hi, thank you for the great database!

Looks like the current JSON API is missing module names. For example, the following YAML file includes the module name as well as the package name.

module: github.com/bytom/bytom
package: github.com/bytom/bytom/p2p/discover

module: github.com/bytom/bytom

On the other hand, the API doesn't include it.

$ curl https://storage.googleapis.com/go-vulndb/github.com/bytom/bytom/p2p/discover.json | jq .

[
  {
    "ID": "GO-2021-0079",
    "Published": "2021-04-14T12:00:00Z",
    "Modified": "2021-04-14T12:00:00Z",
    "Withdrawn": null,
    "Aliases": [
      "CVE-2018-18206"
    ],
    "Package": {
      "Name": "github.com/bytom/bytom/p2p/discover",
      "Ecosystem": "go"
    },
    "Details": "A malformed query can cause an out-of-bounds panic due to improper\nvalidation of arguments. If processing queries from untrusted\nparties, this may be used as a vector for denial of service\nattacks.\n",
    "Affects": {
      "Ranges": [
        {
          "Type": 2,
          "Introduced": "",
          "Fixed": "v1.0.4-0.20180831054840-1ac3c8ac4f2b"
        }
      ]
    },
    "References": [
      {
        "Type": "code review",
        "URL": "https://github.com/Bytom/bytom/pull/1307"
      },
      {
        "Type": "fix",
        "URL": "https://github.com/Bytom/bytom/commit/1ac3c8ac4f2b1e1df9675228290bda6b9586ba42"
      }
    ],
    "Extra": {
      "Go": {
        "Symbols": [
          "Network.checkTopicRegister"
        ],
        "URL": "https://go.googlesource.com/vulndb/+/refs/heads/main/reports/GO-2021-0079.toml"
      }
    }
  }
]

Is it possible to include it?

@knqyf263 knqyf263 mentioned this issue Apr 28, 2021
@josieang
Copy link
Contributor

josieang commented May 3, 2021

On another note, it seems that "github.com/bytom/bytom/p2p/discover" in the Package.Name field is just a directory, it's not a package or a module. Is the plan to allow vulnerabilities to be associated with directories?

@vearutop
Copy link

Maybe the idea is to check parent "directory" of a package until there is a module match or there is no parent.

@zpavlinovic
Copy link
Contributor

Design of vulnerabilities is coupled with the vulnerability db layout. So the module info is not available in the json file per se, but it can be read from the relative path at which the json file is located in the db.

For instance, given db located at $DBPATH, the module path for json file

$DBPATH/github.com/some/module/foo.json

is github.com/some/module/foo.

@julieqiu
Copy link
Member

julieqiu commented Dec 6, 2021

Moved to the Go issue tracker: golang/go#50006.

The x/vulndb issue tracker is currently only meant for use by the Go security team for tracking CVEs that should be included in the Go vulnerability database.

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/460416 mentions this issue: data/reports: add GHSA to GO-2020-0001.yaml

gopherbot pushed a commit that referenced this issue Jan 3, 2023
Aliases: CVE-2020-36567, GHSA-6vm3-jj99-7229

Updates #1
Fixes #1209

Change-Id: I6d09a050d6a3d137de3dfff0b86e6320d226c0f6
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/460416
Run-TryBot: Damien Neil <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Zvonimir Pavlinovic <[email protected]>
@golang golang deleted a comment from ulfatufo Jan 4, 2023
gopherbot pushed a commit that referenced this issue Jul 22, 2024
Fix a bug in which the "likely duplicate" label was applied
to all issues that have duplicates on the tracker. (For example,
if #1 and #2 both refer to GHSA-xxxx-yyyy-zzzz, only one of
these should be marked as a duplicate).

This also revealed some bugs in the fake in-memory implementation
of the GHSA API, which are now fixed.

Change-Id: Ifd98befdf3e23f1fc95df38533107de9c921b195
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/599456
Reviewed-by: Damien Neil <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

6 participants