x/vulndb: add fix version to reports when it becomes available #56334
Labels: NeedsInvestigation, vulncheck or vulndb
If a vulnerability in a new report still does not have a fix, how do we include the fix information when and if it becomes available?
For std vulnerabilities this seems to be less of a problem, since fixes have to go through the Go team.
For third-party vulnerabilities, the story is less clear. A few options:
- Have a specific suppression tag. This tag would not indicate that we should not report the vulnerability, yet it would serve as a designation for which reports might need more info. We can then automatically and periodically go through such reports and, if they have a link to a GH issue, see if the issue is closed. If so, manually add the fix information.
- Perhaps we can hook into changes to GitHub advisories and, if those changes mention fix info, add that info to the respective report.
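One way to implement the first option described in the post (periodically scanning tagged reports that still lack a fixed version for a linked GitHub issue that has since been closed), as an added example written for this page and not code from x/vulndb or the Go team: the `Report` struct is a simplified stand-in for the real report schema, the `NeedsFix` field stands for the proposed tag, and `SampleReports` and `FakeState` are constructed test data. `GitHubAPIState` shows the real lookup against the GitHub REST issues endpoint for use outside tests.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"regexp"
	"strconv"
)

// Report is a deliberately simplified stand-in for a vulndb report (assumption:
// the real x/vulndb YAML schema has more fields and different names).
type Report struct {
	ID         string   // report identifier, e.g. "GO-EXAMPLE-0001" (constructed)
	Fixed      string   // fixed module version; "" when no fix is known yet
	NeedsFix   bool     // the "needs fix info" tag proposed in the issue text
	References []string // URLs attached to the report
}

// GitHub issue or pull request URL. The issues API also serves pull requests,
// so both path forms are accepted and resolved through the same endpoint.
var ghIssueRE = regexp.MustCompile(`^https://github\.com/([^/]+)/([^/]+)/(?:issues|pull)/(\d+)$`)

// GitHubIssueRef extracts owner, repo and number from a GitHub issue/PR URL.
// Any other URL (advisory page, blog post, commit) yields ok == false.
func GitHubIssueRef(url string) (owner, repo string, number int, ok bool) {
	m := ghIssueRE.FindStringSubmatch(url)
	if m == nil {
		return "", "", 0, false
	}
	n, err := strconv.Atoi(m[3])
	if err != nil {
		return "", "", 0, false
	}
	return m[1], m[2], n, true
}

// IssueState reports whether a GitHub issue is closed. It is a function value
// so the scan can run against a fake in tests and against the API in production.
type IssueState func(owner, repo string, number int) (closed bool, err error)

// FixCandidates returns the IDs of tagged reports that still have no fixed
// version and whose linked upstream GitHub issue has been closed. These are the
// reports a maintainer should revisit to add the fix information by hand.
func FixCandidates(reports []Report, state IssueState) ([]string, error) {
	var out []string
	for _, r := range reports {
		if !r.NeedsFix || r.Fixed != "" {
			continue // not tagged, or already carries a fix
		}
		for _, ref := range r.References {
			owner, repo, n, ok := GitHubIssueRef(ref)
			if !ok {
				continue // not a GitHub issue/PR link
			}
			closed, err := state(owner, repo, n)
			if err != nil {
				return nil, fmt.Errorf("%s: %s: %w", r.ID, ref, err)
			}
			if closed {
				out = append(out, r.ID)
				break // one closed issue is enough to flag the report
			}
		}
	}
	return out, nil
}

// GitHubAPIState queries GET /repos/{owner}/{repo}/issues/{number} on the
// public GitHub REST API and reads its "state" field ("open" or "closed").
// Unauthenticated calls are rate-limited; a real job should send a token.
func GitHubAPIState(owner, repo string, number int) (bool, error) {
	url := fmt.Sprintf("https://api.github.com/repos/%s/%s/issues/%d", owner, repo, number)
	resp, err := http.Get(url)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("GET %s: %s", url, resp.Status)
	}
	var body struct {
		State string `json:"state"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return false, err
	}
	return body.State == "closed", nil
}

// SampleReports is constructed test data, not real vulndb content.
func SampleReports() []Report {
	return []Report{
		{ID: "GO-EXAMPLE-0001", NeedsFix: true, References: []string{"https://github.com/example/mod/issues/42"}},
		{ID: "GO-EXAMPLE-0002", NeedsFix: true, References: []string{"https://example.com/advisory"}},
		{ID: "GO-EXAMPLE-0003", NeedsFix: true, Fixed: "v1.2.3", References: []string{"https://github.com/example/mod/issues/7"}},
		{ID: "GO-EXAMPLE-0004", NeedsFix: true, References: []string{"https://github.com/example/mod/pull/99"}},
	}
}

// FakeState stands in for the GitHub API: issue 42 is closed, everything else open.
func FakeState(owner, repo string, number int) (bool, error) {
	return number == 42, nil
}

func main() {
	ids, err := FixCandidates(SampleReports(), FakeState)
	if err != nil {
		panic(err)
	}
	fmt.Println("reports to revisit for fix info:", ids) // [GO-EXAMPLE-0001]
}
```

The scan only narrows the list; it does not write fix versions itself, matching the post's "manually add the fix information" step. A closed upstream issue may have been closed without a fix, and a closed pull request may have been merged or abandoned, so the final judgement stays with the maintainer.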