Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: check product data for module paths #49461

Open
julieqiu opened this issue Nov 8, 2021 · 2 comments
Open

x/vulndb: check product data for module paths #49461

julieqiu opened this issue Nov 8, 2021 · 2 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Milestone
vuln/unplanned

Comments

@julieqiu
Copy link
Member

julieqiu commented Nov 8, 2021
edited
Loading

For example, https://github.com/CVEProject/cvelist/blob/master/2020/7xxx/CVE-2020-7668.json lists the module path in its product data. It is not listed in the references section.

Also if there is a synk URL, we should check for the term GOLANG.
@julieqiu julieqiu added the x/vuln label Nov 8, 2021
@gopherbot gopherbot added this to the Unreleased milestone Nov 8, 2021
@cagedmantis cagedmantis added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Nov 9, 2021
@gopherbot
Copy link
Contributor

Change https://golang.org/cl/369745 mentions this issue: internal/worker: check product data for module paths

@gopherbot
Copy link
Contributor

Change https://golang.org/cl/369746 mentions this issue: internal/worker: check synk.io URLs for GOLANG

gopherbot pushed a commit to golang/vuln that referenced this issue Dec 14, 2021
@julieqiu
internal/worker: check Go snyk.io URLs in cve triage
8abd10b 
The CVE triage logic now uses snyk.io Go URLs as a heuristics for
determining if a CVE is a Go vulnerability.

For golang/go#49461

Change-Id: I308023bddb744947f53311bbce31340c9dd6886d
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/369746
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
@gopherbot gopherbot added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Dec 22, 2021
@julieqiu julieqiu changed the title x/vuln: check product data for module paths x/vulndb: check product data for module paths Jan 5, 2022
@julieqiu julieqiu removed the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Jan 5, 2022
@julieqiu julieqiu added vulncheck or vulndb Issues for the x/vuln or x/vulndb repo and removed vulndb labels Sep 2, 2022
@julieqiu julieqiu modified the milestones: Unreleased, vuln/unplanned Sep 8, 2022
softdev050 added a commit to softdev050/Golangvuln that referenced this issue Apr 5, 2023
@softdev050
internal/worker: check Go snyk.io URLs in cve triage
5fa89df 
The CVE triage logic now uses snyk.io Go URLs as a heuristics for
determining if a CVE is a Go vulnerability.

For golang/go#49461

Change-Id: I308023bddb744947f53311bbce31340c9dd6886d
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/369746
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
sayjun0505 added a commit to sayjun0505/Golangvuln that referenced this issue Apr 8, 2023
@sayjun0505
internal/worker: check Go snyk.io URLs in cve triage

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode
bbffd4c 
The CVE triage logic now uses snyk.io Go URLs as a heuristics for
determining if a CVE is a Go vulnerability.

For golang/go#49461

Change-Id: I308023bddb744947f53311bbce31340c9dd6886d
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/369746
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
stanislavkononiuk added a commit to stanislavkononiuk/Golangvuln that referenced this issue Jun 26, 2023
@stanislavkononiuk
internal/worker: check Go snyk.io URLs in cve triage
281e98c 
The CVE triage logic now uses snyk.io Go URLs as a heuristics for
determining if a CVE is a Go vulnerability.

For golang/go#49461

Change-Id: I308023bddb744947f53311bbce31340c9dd6886d
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/369746
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Projects
Go Security
Status: No status
Milestone
vuln/unplanned
Development

No branches or pull requests
3 participants
@cagedmantis @julieqiu @gopherbot