
x/vuln/client: pseudo-module paths (stdlib, toolchain) need documentation #55875

Open
hyangah opened this issue Sep 26, 2022 · 4 comments
Labels: Documentation; NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.); vulncheck or vulndb (Issues for the x/vuln or x/vulndb repo)

Comments

hyangah (Contributor) commented Sep 26, 2022

The client API has hidden assumptions about the special module names used to retrieve vulnerabilities in Go standard libraries and tool chains. https://github.com/golang/vuln/blob/cbe0a6944b8b222c8d3af76d422695d0d486627b/client/client.go#L301-L308

They need to be documented.

BTW, I found the use of stdlib and toolchain not very intuitive.

@hyangah hyangah added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Sep 26, 2022
@gopherbot gopherbot added this to the Unreleased milestone Sep 26, 2022
@dmitshur dmitshur added the NeedsFix The path to resolution is known, but the work has not been done. label Sep 26, 2022
dmitshur (Contributor) commented
CC @golang/vulndb.

jba (Contributor) commented Sep 26, 2022

I think this should be an internal detail. How does it leak to users?

@dmitshur dmitshur added NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. and removed NeedsFix The path to resolution is known, but the work has not been done. labels Sep 26, 2022
neild (Contributor) commented Sep 26, 2022

https://go.dev/security/vuln/database documents the meaning of the OSV package field for Go vulnerabilities: The module path, except that the "std" and "cmd" modules use "stdlib" and "toolchain" instead.

I agree that this is confusing.

hyangah (Contributor, Author) commented Sep 26, 2022

@jba In order to use Client.GetByModule or process osv.Package correctly when interacting with vuln.golang.org, users need to understand these.

@neild How about copying/pasting the same into the "Overview" section where "module path" is explained? Currently:

Each vulnerable module is represented by an individual JSON file which contains all of the vulnerabilities in that module. The path for each module file is simply the import path of the module. For example, vulnerabilities in golang.org/x/crypto are contained in the golang.org/x/crypto.json file. The per-module JSON files contain a slice of https://pkg.go.dev/golang.org/x/vuln/osv#Entry.

My personal preference is to have the details necessary for writing code using the API accessible directly from the pkg doc instead of a separate doc.

@julieqiu julieqiu removed the x/vuln label Sep 27, 2022
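The two undocumented assumptions discussed in this thread (the "std"/"cmd" to "stdlib"/"toolchain" renaming, and the one-JSON-file-per-module layout of the database) written out as a small client-side helper. This is an added example, not code from x/vuln; the function names, the rejection of empty or relative paths, and the lack of any path escaping are assumptions made here.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Base URL of the Go vulnerability database named in the thread.
const vulnDBBase = "https://vuln.golang.org"

// dbModulePath maps a Go module path to the module name the database uses.
// Only the two pseudo-modules are renamed: "std" is stored as "stdlib" and
// "cmd" (the Go toolchain) as "toolchain"; every other path is used as-is.
func dbModulePath(modPath string) string {
	switch modPath {
	case "std":
		return "stdlib"
	case "cmd":
		return "toolchain"
	}
	return modPath
}

// goModulePath is the inverse mapping, for turning the module name found in
// an OSV entry back into the module path a Go program works with.
func goModulePath(dbPath string) string {
	switch dbPath {
	case "stdlib":
		return "std"
	case "toolchain":
		return "cmd"
	}
	return dbPath
}

// moduleFileURL builds the per-module JSON file URL: the database keeps all
// vulnerabilities of a module in "<database module name>.json".
// Assumption: plain module paths only; no URL/path escaping is applied.
func moduleFileURL(modPath string) (string, error) {
	db := dbModulePath(modPath)
	if db == "" || strings.HasPrefix(db, "/") || strings.Contains(db, "..") {
		return "", errors.New("invalid module path: " + modPath)
	}
	return vulnDBBase + "/" + db + ".json", nil
}

func main() {
	for _, m := range []string{"std", "cmd", "golang.org/x/crypto"} {
		u, _ := moduleFileURL(m)
		fmt.Printf("%-20s -> %s\n", m, u)
	}
}
```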