x/vuln: add credit field to OSV reports #55956

Closed
julieqiu opened this issue Sep 29, 2022 · 7 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo

Comments

@julieqiu
Member

We currently store the credit field in our YAML reports, but it is not surfaced in the OSV reports.

For example, see https://github.com/golang/vulndb/blob/master/data/reports/GO-2021-0172.yaml#L19 vs https://vuln.go.dev/ID/GO-2021-0172.json.

@julieqiu julieqiu added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Sep 29, 2022
@gopherbot gopherbot added this to the Unreleased milestone Sep 29, 2022
@julieqiu julieqiu added the NeedsFix The path to resolution is known, but the work has not been done. label Sep 29, 2022
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Sep 29, 2022
@aaqaishtyaq

Hey @julieqiu, if no one is assigned to this issue, can I pick this up?

From the first look, it seems I need to add Credit here in osv.Entry and pass Credit during GenerateOSVEntry here.

Anything I missed?

@gopherbot
Contributor

Change https://go.dev/cl/435976 mentions this issue: internal/database: add credit in the osv report

@gopherbot
Contributor

Change https://go.dev/cl/437096 mentions this issue: osv: add credit field

@aaqaishtyaq

Added the CL for the change. Let me know if I missed something.

Thank you!

gopherbot pushed a commit to golang/vuln that referenced this issue Oct 19, 2022

Unverified

This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
credits (array of Credit) for discovering a vulnerability is part of the `yaml`
report, but does not appear in the OSV `json` file.

This change will enable adding `credits` in the OSV report at vulndb.

For golang/go#55956

Change-Id: I9e857c71de46930494cd353493e626511b05de76
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/437096
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
@tatianab

Thanks for your contribution, Aaqa!

@aaqaishtyaq

Thank you @tatianab for helping me throughout the review process.

@productofgrace1

** Yeah attack it was never able to make it in**

softdev050 added a commit to softdev050/Golangvuln that referenced this issue Apr 5, 2023

Verified

This commit was signed with the committer’s verified signature. The key has expired.
Ma27 Maximilian Bosch
sayjun0505 added a commit to sayjun0505/Golangvuln that referenced this issue Apr 8, 2023
stanislavkononiuk added a commit to stanislavkononiuk/Golangvuln that referenced this issue Jun 26, 2023
@golang golang locked and limited conversation to collaborators Oct 25, 2023