x/vulndb: forbid overlapping version ranges in reports #52855

Closed
neild opened this issue May 11, 2022 · 1 comment
Labels
FrozenDueToAge vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Milestone

Comments

@neild
Contributor

neild commented May 11, 2022

The OSV spec forbids overlapping semver ranges:

Ranges listed with type SEMVER should not overlap: since SEMVER is a strict linear ordering, it is always possible to simplify to non-overlapping ranges.

Consider the case where a vulnerability was fixed in go1.14.14 and go1.15.7. We should record this as the ranges [0, 1.14.14) and [1.15.0, 1.15.7). Currently, we have reports where this is instead recorded as [0, 1.14.14) and [0, 1.15.7).

We should add a vulnreport lint check, and maybe a fix to derive the starting point for the second range. (Alternatively, we could leave the report as-is and always try to derive the start point when generating OSV, but that seems less clear than being explicit.)
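The lint check and the start-point derivation described above, as an added example that is not part of the original issue and not vulndb's own `internal/report` code. It assumes plain `MAJOR.MINOR.PATCH` version strings (an optional `v` prefix is tolerated, pre-release tags are not handled), an empty `Introduced` meaning OSV's `0`, an empty `Fixed` meaning "not yet fixed", and the derivation rule the issue suggests: after sorting by fix version, a later range that still starts at 0 is assumed to begin at the `X.Y.0` of its fix version's minor series. Anything the fix version cannot disambiguate (two fixes in the same minor series) is left for the lint to flag.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// VersionRange is one OSV-style half-open interval [Introduced, Fixed).
// Empty Introduced means "from version 0"; empty Fixed means "not yet fixed".
type VersionRange struct {
	Introduced string
	Fixed      string
}

// semver is a parsed MAJOR.MINOR.PATCH triple (pre-release tags unsupported; assumption of this example).
type semver [3]int

// parseVersion accepts "1.14.14", "v1.14.14", "0" or "" (the last two mean 0.0.0).
func parseVersion(s string) (semver, error) {
	s = strings.TrimPrefix(s, "v")
	if s == "" || s == "0" {
		return semver{}, nil
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("version %q is not MAJOR.MINOR.PATCH", s)
	}
	var v semver
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return semver{}, fmt.Errorf("version %q has bad component %q", s, p)
		}
		v[i] = n
	}
	return v, nil
}

// compare returns -1, 0 or 1 by lexicographic order of the three components.
func compare(a, b semver) int {
	for i := range a {
		if a[i] < b[i] {
			return -1
		} else if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// interval is a parsed range; unbounded means there is no fix version (hi is +infinity).
type interval struct {
	lo, hi    semver
	unbounded bool
}

func parseRange(r VersionRange) (interval, error) {
	lo, err := parseVersion(r.Introduced)
	if err != nil {
		return interval{}, err
	}
	if r.Fixed == "" {
		return interval{lo: lo, unbounded: true}, nil
	}
	hi, err := parseVersion(r.Fixed)
	if err != nil {
		return interval{}, err
	}
	if compare(lo, hi) >= 0 {
		return interval{}, fmt.Errorf("empty range [%s, %s)", r.Introduced, r.Fixed)
	}
	return interval{lo: lo, hi: hi}, nil
}

// overlaps: half-open [a.lo, a.hi) and [b.lo, b.hi) share a version
// iff a.lo < b.hi && b.lo < a.hi, with an unbounded hi treated as +infinity.
func overlaps(a, b interval) bool {
	aStartsBeforeBEnds := b.unbounded || compare(a.lo, b.hi) < 0
	bStartsBeforeAEnds := a.unbounded || compare(b.lo, a.hi) < 0
	return aStartsBeforeBEnds && bStartsBeforeAEnds
}

// Lint is the vulnreport-style check: it returns an error naming the first
// pair of overlapping ranges (or the first malformed range), or nil.
func Lint(ranges []VersionRange) error {
	parsed := make([]interval, len(ranges))
	for i, r := range ranges {
		iv, err := parseRange(r)
		if err != nil {
			return err
		}
		parsed[i] = iv
	}
	for i := range parsed {
		for j := i + 1; j < len(parsed); j++ {
			if overlaps(parsed[i], parsed[j]) {
				return fmt.Errorf("ranges %+v and %+v overlap", ranges[i], ranges[j])
			}
		}
	}
	return nil
}

// Fix derives a start point for every range after the first that still begins
// at 0: it is assumed to start at X.Y.0 of its fix version's minor series. The
// repaired slice is returned together with the result of re-linting it, so a
// residual overlap (e.g. two fixes in the same minor series) is still reported.
func Fix(ranges []VersionRange) ([]VersionRange, error) {
	type entry struct {
		r  VersionRange
		iv interval
	}
	entries := make([]entry, 0, len(ranges))
	for _, r := range ranges {
		iv, err := parseRange(r)
		if err != nil {
			return nil, err
		}
		entries = append(entries, entry{r, iv})
	}
	// Sort by fix version; an unfixed (unbounded) range sorts last.
	sort.SliceStable(entries, func(i, j int) bool {
		a, b := entries[i].iv, entries[j].iv
		if a.unbounded != b.unbounded {
			return b.unbounded
		}
		return compare(a.hi, b.hi) < 0
	})
	out := make([]VersionRange, len(entries))
	for i, e := range entries {
		r := e.r
		if i > 0 && !e.iv.unbounded && (r.Introduced == "" || r.Introduced == "0") {
			r.Introduced = fmt.Sprintf("%d.%d.0", e.iv.hi[0], e.iv.hi[1])
		}
		out[i] = r
	}
	return out, Lint(out)
}

func main() {
	// Constructed input mirroring the issue: both ranges start at 0.
	bad := []VersionRange{{Fixed: "1.14.14"}, {Fixed: "1.15.7"}}
	fmt.Println("lint:", Lint(bad))
	fixed, err := Fix(bad)
	fmt.Println("fixed:", fixed, "lint after fix:", err)
}
```

Running it reports the overlap for the report as written, then prints `[{ 1.14.14} {1.15.0 1.15.7}]` with a nil lint result. The derivation is deliberately not applied to an unfixed trailing range, since there is no fix version to derive a minor series from; such a range still starting at 0 is surfaced by the lint rather than guessed at.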

@gopherbot gopherbot added this to the Unreleased milestone May 11, 2022
@neild neild self-assigned this May 11, 2022
@neild neild added the vulndb label May 11, 2022
@gopherbot
Contributor

Change https://go.dev/cl/405575 mentions this issue: internal/report: disallow overlapping version ranges

@rsc rsc unassigned neild Jun 22, 2022
@julieqiu julieqiu removed this from Go Security Sep 8, 2022
@julieqiu julieqiu added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Sep 8, 2022
@golang golang locked and limited conversation to collaborators Sep 8, 2023