x/vulndb: figure out operations on the last vulnerable version of a package #52837
Assignees
Labels
FrozenDueToAge
NeedsFix
The path to resolution is known, but the work has not been done.
vulncheck or vulndb
Issues for the x/vuln or x/vulndb repo
Milestone
Comments
heschi
added
the
NeedsFix
|
This was done in https://go.dev/cl/412395, by adding an explicit |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Some operations on a vulndb report should be performed on a vulnerable version of a package. For example, if we want to verify that the symbols in
Report.Symbolsexist in the package, we should consult a vulnerable version of the package rather than a fixed one, because those symbols may have been removed as part of the fix.Since checking every vulnerable version will be prohibitively expensive in most cases, we will usually want to pick a single one. A reasonable choice is probably the last vulnerable version.
Given a module path and a list of vulnerable versions from the report, finding the "last vulnerable version" is something that could be automated, but is also surprisingly tricky. Perhaps we should put an explicit known-vulnerable version in the vulndb report for tooling to operate on.
The text was updated successfully, but these errors were encountered: