x/vulndb: detect false positives based on imported by count #51944
Labels
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
vulncheck or vulndb
Issues for the x/vuln or x/vulndb repo
Milestone
Comments
mknyszek
added
the
NeedsInvestigation
|
Change https://go.dev/cl/402394 mentions this issue: |
gopherbot
pushed a commit
to golang/vulndb
that referenced
this issue
Apr 26, 2022
The worker now includes a link in the automated issue description to pkg.go.dev/?tab=importedby for the affected module, as a starting point in detecting false positive vulnerability reports. For golang/go#51944 Change-Id: I3caaaba69c07e7a3e24977cf5ea5e92559ce8628 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/402394 Reviewed-by: Julie Qiu <julieqiu@google.com>
julieqiu
added
vulncheck or vulndb
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
One of the common sources of false positive reports is that a vulnerability is found in a Go module but is not importable. We could detect for this by checking the imported by count on pkg.go.dev.
For example, in the case of golang/vulndb#353, https://pkg.go.dev/github.com/go-gitea/gitea?tab=importedby shows 0 importers.
As a starting point, it would be helpful to add a link to pkg.go.dev/?tab=importedby in the automated issue.
The text was updated successfully, but these errors were encountered: