x/vulndb: check CVE status to determine which link to include in report #54488

Closed
julieqiu opened this issue Aug 16, 2022 · 2 comments
Labels:
- FrozenDueToAge
- NeedsInvestigation: Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
- vulncheck or vulndb: Issues for the x/vuln or x/vulndb repo

Comments

julieqiu (Member) commented Aug 16, 2022

In general, we include links for nvd.nist.gov over cve.mitre.org in reports.

If a CVE isn't published yet, it might not appear on NIST. In that case, we should use the cve.mitre.org link.

Example: https://vuln.go.dev/ID/GO-2022-0391.json

@gopherbot gopherbot added this to the Unreleased milestone Aug 16, 2022
@gopherbot

Change https://go.dev/cl/424001 mentions this issue: internal/report: add links for CVEMetadata

gopherbot pushed a commit to golang/vulndb that referenced this issue Aug 17, 2022
Links are currently not generated for reports where the CVE is set in
the CVEMetadata section. These are now added, but using cve.mitre.org
links, because the report may be in a RESERVED state and not have a link
on NIST.

In the future, we should check for the report state to determine which
link to include.

For golang/go#54488

Change-Id: I1bd00c9ec42f3ce35fbe9950e36058606853538a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/424001
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Julie Qiu <julieqiu@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
@julieqiu julieqiu self-assigned this Aug 17, 2022
@julieqiu julieqiu added vulncheck or vulndb Issues for the x/vuln or x/vulndb repo and removed vulndb labels Sep 2, 2022
@julieqiu julieqiu modified the milestones: Unreleased, vuln/unplanned Sep 6, 2022
@mknyszek mknyszek added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Sep 8, 2022
@tatianab

This is no longer relevant as we now link to cve.org in all cases.

@golang golang locked and limited conversation to collaborators Jan 23, 2024