Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: import paths do not uniquely identify packages #50005

Open
julieqiu opened this issue Dec 6, 2021 · 0 comments
Open

x/vulndb: import paths do not uniquely identify packages #50005

julieqiu opened this issue Dec 6, 2021 · 0 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Milestone
vuln/unplanned

Comments

@julieqiu
Copy link
Member

julieqiu commented Dec 6, 2021

The DB is constructed assuming that package import paths are unique. But it's possible to have two different packages with the same import path, even at the same version. Example:

https://pkg.go.dev/github.com/hashicorp/vault@v1.0.1/api
https://pkg.go.dev/github.com/hashicorp/vault/api@v1.0.1

Moved from golang/vulndb#5.
@gopherbot gopherbot added this to the Unreleased milestone Dec 6, 2021
@julieqiu julieqiu mentioned this issue Dec 6, 2021
Closed
@toothrot toothrot added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Dec 6, 2021
@gopherbot gopherbot added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Dec 22, 2021
@julieqiu julieqiu changed the title x/vuln: import paths do not uniquely identify packages x/vulndb: import paths do not uniquely identify packages Jan 5, 2022
@julieqiu julieqiu removed the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Jan 5, 2022
@julieqiu julieqiu added vulncheck or vulndb Issues for the x/vuln or x/vulndb repo and removed vulndb labels Sep 2, 2022
@julieqiu julieqiu modified the milestones: Unreleased, vuln/unplanned Sep 8, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Projects
Go Security
Status: No status
Milestone
vuln/unplanned
Development

No branches or pull requests
3 participants
@toothrot @julieqiu @gopherbot