
x/vulndb: include module names #50006

Closed
julieqiu opened this issue Dec 6, 2021 · 1 comment
Labels: FrozenDueToAge, NeedsInvestigation, vulncheck or vulndb

Comments


julieqiu commented Dec 6, 2021

Moved from golang/vulndb#1:


Hi, thank you for the great database!

Looks like the current JSON API is missing module names. For example, the following YAML file includes the module name as well as the package name.

module: github.com/bytom/bytom
package: github.com/bytom/bytom/p2p/discover

https://github.com/golang/vulndb/blob/e0c00fae09e687ec6febda47ae3bc7552fc7b988/reports/GO-2021-0079.yaml#L1

On the other hand, the API doesn't include it.

$ curl https://storage.googleapis.com/go-vulndb/github.com/bytom/bytom/p2p/discover.json | jq .

[
  {
    "ID": "GO-2021-0079",
    "Published": "2021-04-14T12:00:00Z",
    "Modified": "2021-04-14T12:00:00Z",
    "Withdrawn": null,
    "Aliases": [
      "CVE-2018-18206"
    ],
    "Package": {
      "Name": "github.com/bytom/bytom/p2p/discover",
      "Ecosystem": "go"
    },
    "Details": "A malformed query can cause an out-of-bounds panic due to improper\nvalidation of arguments. If processing queries from untrusted\nparties, this may be used as a vector for denial of service\nattacks.\n",
    "Affects": {
      "Ranges": [
        {
          "Type": 2,
          "Introduced": "",
          "Fixed": "v1.0.4-0.20180831054840-1ac3c8ac4f2b"
        }
      ]
    },
    "References": [
      {
        "Type": "code review",
        "URL": "https://github.com/Bytom/bytom/pull/1307"
      },
      {
        "Type": "fix",
        "URL": "https://github.com/Bytom/bytom/commit/1ac3c8ac4f2b1e1df9675228290bda6b9586ba42"
      }
    ],
    "Extra": {
      "Go": {
        "Symbols": [
          "Network.checkTopicRegister"
        ],
        "URL": "https://go.googlesource.com/vulndb/+/refs/heads/main/reports/GO-2021-0079.toml"
      }
    }
  }
]

Is it possible to include it?
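
Added example (not code from the issue or from x/vulndb): a small Go program that decodes the API response quoted above and shows what a consumer is left doing when the entry carries only a package path. The `Entry` struct mirrors the JSON fields shown, trimmed to the ones used here; its `Module` field is an assumption standing in for the field the issue asks for. `ResolveModule` is the workaround: because a Go module path is always a path-prefix of its packages' import paths, a consumer with a build list (for example `go list -m all`) can pick the longest known module that contains the package. The build list in `main` is constructed for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Entry mirrors the go-vulndb JSON response quoted in the issue, trimmed to the
// fields used here. Module is an assumption: it is the field the issue asks
// for, which the response shown does not carry, so it decodes as "".
type Entry struct {
	ID      string   `json:"ID"`
	Aliases []string `json:"Aliases"`
	Module  string   `json:"Module,omitempty"`
	Package struct {
		Name      string `json:"Name"`
		Ecosystem string `json:"Ecosystem"`
	} `json:"Package"`
	Affects struct {
		Ranges []struct {
			Type       int    `json:"Type"`
			Introduced string `json:"Introduced"`
			Fixed      string `json:"Fixed"`
		} `json:"Ranges"`
	} `json:"Affects"`
}

// sampleResponse is the API response quoted in the issue, trimmed to the fields above.
const sampleResponse = `[
  {
    "ID": "GO-2021-0079",
    "Aliases": ["CVE-2018-18206"],
    "Package": {"Name": "github.com/bytom/bytom/p2p/discover", "Ecosystem": "go"},
    "Affects": {"Ranges": [{"Type": 2, "Introduced": "", "Fixed": "v1.0.4-0.20180831054840-1ac3c8ac4f2b"}]}
  }
]`

// ParseEntries decodes one package's go-vulndb response (a JSON array of entries).
func ParseEntries(data []byte) ([]Entry, error) {
	var entries []Entry
	if err := json.Unmarshal(data, &entries); err != nil {
		return nil, err
	}
	return entries, nil
}

// HasModule reports whether the entry names the module that owns the package.
func HasModule(e Entry) bool { return e.Module != "" }

// ResolveModule is the consumer-side workaround when the entry lacks a module:
// choose the longest module path from the build list that is a path-prefix of
// the package import path (matching on "/" boundaries so that
// "github.com/a/b" does not claim "github.com/a/bc/pkg"). Returns "" when no
// known module contains the package.
func ResolveModule(pkg string, knownModules []string) string {
	best := ""
	for _, m := range knownModules {
		if (pkg == m || strings.HasPrefix(pkg, m+"/")) && len(m) > len(best) {
			best = m
		}
	}
	return best
}

func main() {
	entries, err := ParseEntries([]byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	// Constructed build list standing in for `go list -m all` output.
	buildList := []string{"github.com/bytom/bytom", "golang.org/x/crypto"}
	for _, e := range entries {
		if HasModule(e) {
			fmt.Printf("%s: module %s\n", e.ID, e.Module)
			continue
		}
		fmt.Printf("%s: no module in entry; resolved %q -> %q via build list\n",
			e.ID, e.Package.Name, ResolveModule(e.Package.Name, buildList))
	}
}
```

The prefix walk only works when the consumer already has an authoritative module list; an entry that carries the module path directly, as the YAML report does, lets the consumer match it against `go.mod` and `go.sum` without that guesswork, which is the point of the request.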

@gopherbot gopherbot added this to the Unreleased milestone Dec 6, 2021
@toothrot toothrot added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Dec 6, 2021
@gopherbot gopherbot added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Dec 22, 2021
@julieqiu julieqiu changed the title x/vuln: include module names x/vulndb: include module names Jan 5, 2022
@julieqiu julieqiu removed the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Jan 5, 2022
@julieqiu julieqiu added vulncheck or vulndb Issues for the x/vuln or x/vulndb repo and removed vulndb labels Sep 2, 2022
@julieqiu julieqiu modified the milestones: Unreleased, vuln/unplanned Sep 8, 2022
@tatianab commented:

Complete
@tatianab tatianab moved this to Done in Go Security Oct 12, 2022
@golang golang locked and limited conversation to collaborators Oct 12, 2023