x/vulndb: refactor links to more closely match OSV #53990


Closed
neild opened this issue Jul 21, 2022 · 1 comment
Labels: FrozenDueToAge; vulncheck or vulndb (Issues for the x/vuln or x/vulndb repo)

Comments

@neild
Contributor

neild commented Jul 21, 2022

Right now, vulndb reports include a Links field:

type Links struct {
  PR      string   `yaml:",omitempty"`
  Commit  string   `yaml:",omitempty"`
  Context []string `yaml:",omitempty"`
}

This has a few problems:

  • It assumes there's at most one PR and one commit associated with a report. This isn't always the case.
  • The PR and Commit fields suggest that we might want links to both a PR and a commit, which isn't really necessary. For a fix to std, for example, the CL is generally the canonical reference for a change and there's no point in linking the commit on go.googlesource.com as well.
  • The "Context" field has less precision than OSV, which has a number of types of reference. (ADVISORY, ARTICLE, FIX, ...)

Let's refactor it.

type ReferenceType string // "ADVISORY", "ARTICLE", etc.

type Reference struct {
  Type ReferenceType
  URL  string
}

type Report struct {
  References []*Reference
}

This aligns with OSV, lets us link to multiple fix CLs, and drops the distinction between "PR" and "commit".

This also gives us the "ADVISORY" type from OSV's references, which we can use for linking to a canonical security advisory for a vulnerability when one exists.

@neild neild added the vulndb label Jul 21, 2022
@neild neild self-assigned this Jul 21, 2022
@gopherbot gopherbot added this to the Unreleased milestone Jul 21, 2022
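The refactor proposed above replaces a fixed PR/Commit/Context triple with a list of typed OSV references. The following Go program is an added example, not code from x/vulndb or the linked CL: it defines both shapes side by side, converts the old Links into References (PR and commit both become FIX entries, so multiple fix CLs are no longer a problem), and validates that every reference carries a type the OSV schema actually defines. The type constants are the OSV reference types; the classifyContext heuristic, the ConvertLinks and Validate functions, and all sample URLs are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// ReferenceType mirrors the OSV "references[].type" enumeration.
type ReferenceType string

// Reference types defined by the OSV schema (https://ossf.github.io/osv-schema/).
const (
	TypeAdvisory   ReferenceType = "ADVISORY"
	TypeArticle    ReferenceType = "ARTICLE"
	TypeDetection  ReferenceType = "DETECTION"
	TypeDiscussion ReferenceType = "DISCUSSION"
	TypeReport     ReferenceType = "REPORT"
	TypeFix        ReferenceType = "FIX"
	TypeIntroduced ReferenceType = "INTRODUCED"
	TypePackage    ReferenceType = "PACKAGE"
	TypeEvidence   ReferenceType = "EVIDENCE"
	TypeWeb        ReferenceType = "WEB"
)

var validTypes = map[ReferenceType]bool{
	TypeAdvisory: true, TypeArticle: true, TypeDetection: true, TypeDiscussion: true,
	TypeReport: true, TypeFix: true, TypeIntroduced: true, TypePackage: true,
	TypeEvidence: true, TypeWeb: true,
}

// Links is the old report shape: at most one PR, one commit, untyped context.
type Links struct {
	PR      string   `yaml:",omitempty"`
	Commit  string   `yaml:",omitempty"`
	Context []string `yaml:",omitempty"`
}

// Reference is the OSV-aligned shape: any number of typed URLs.
type Reference struct {
	Type ReferenceType `yaml:"type"`
	URL  string        `yaml:"url"`
}

// ConvertLinks maps the old Links into References (hypothetical migration helper).
// PR and Commit both become FIX; context URLs are classified by a heuristic.
// Duplicate URLs are dropped so a CL listed as both PR and context appears once.
func ConvertLinks(l Links) []*Reference {
	var refs []*Reference
	seen := map[string]bool{}
	add := func(t ReferenceType, u string) {
		if u == "" || seen[u] {
			return
		}
		seen[u] = true
		refs = append(refs, &Reference{Type: t, URL: u})
	}
	add(TypeFix, l.PR)
	add(TypeFix, l.Commit)
	for _, u := range l.Context {
		add(classifyContext(u), u)
	}
	return refs
}

// classifyContext is an assumed heuristic: GHSA and CVE pages are advisories,
// anything else is a generic WEB reference. A real migration would be reviewed by hand.
func classifyContext(u string) ReferenceType {
	switch {
	case strings.Contains(u, "github.com/advisories/"),
		strings.Contains(u, "/security/advisories/"),
		strings.Contains(u, "cve.mitre.org"),
		strings.Contains(u, "nvd.nist.gov"):
		return TypeAdvisory
	default:
		return TypeWeb
	}
}

// Validate rejects references with an unknown type or an empty URL, which is
// the check a report linter would run before publishing an OSV entry.
func Validate(refs []*Reference) error {
	for i, r := range refs {
		if !validTypes[r.Type] {
			return fmt.Errorf("reference %d: unknown type %q", i, r.Type)
		}
		if r.URL == "" {
			return fmt.Errorf("reference %d: empty URL", i)
		}
	}
	return nil
}

func main() {
	// Constructed sample; the URLs are placeholders, not real CLs or advisories.
	old := Links{
		PR:      "https://go.dev/cl/000000",
		Commit:  "https://go.googlesource.com/go/+/0000000",
		Context: []string{"https://github.com/advisories/GHSA-xxxx-xxxx-xxxx", "https://example.com/writeup"},
	}
	refs := ConvertLinks(old)
	for _, r := range refs {
		fmt.Printf("%-9s %s\n", r.Type, r.URL)
	}
	fmt.Println("valid:", Validate(refs) == nil)
}
```

The point of the typed list is that a consumer (vulncheck, or an OSV importer) can pick out the FIX or ADVISORY entries without guessing from the URL, which the old Context slice could not offer; Validate makes the type set a hard constraint rather than a convention.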
@neild
Contributor Author

neild commented Aug 31, 2022

https://go.dev/cl/426035

@neild neild closed this as completed Aug 31, 2022
@julieqiu julieqiu added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Sep 8, 2022
@golang golang locked and limited conversation to collaborators Sep 8, 2023