Skip to content

x/vulndb: populate "summary" OSV field #56443

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
tatianab opened this issue Oct 26, 2022 · 15 comments
Closed

x/vulndb: populate "summary" OSV field #56443

tatianab opened this issue Oct 26, 2022 · 15 comments
Assignees
@tatianab
Labels
FrozenDueToAge vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Milestone
vuln/unplanned

Comments

@tatianab
Copy link

This would require adding a corresponding notion in YAML (or perhaps pulling the first sentence from the description for the "summary"). Also need to think about how (if) these would be translated to CVE fields
@tatianab tatianab added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Oct 26, 2022
@gopherbot gopherbot added this to the Unreleased milestone Oct 26, 2022
@tatianab tatianab self-assigned this Oct 26, 2022
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Oct 26, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/454556 mentions this issue: osv: support more OSV fields

@hyangah
Copy link
Contributor

hyangah commented Mar 9, 2023
edited
Loading

Lack of "summary" makes the Go vulnerabilities coming from vuln.go.dev look less helpful in osv.dev and also, when using in IDEs or tools that seek for compact presentation.

For example, this is the current osv.dev Go vulnerability screenshot. Compare the advisory coming from GHSA and x/vulndb.
Screenshot 2023-03-09 at 12 21 48 PM

For stdlib module which contains many different unrelated packages, summary can be used to show the package names too (if vulndb continues to report all standard library packages under one stdlib module)
Screenshot 2023-03-09 at 12 26 12 PM

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/475336 mentions this issue: cmd/vulnreport, internal/report: add support for summary field in YAML

gopherbot pushed a commit to golang/vulndb that referenced this issue Mar 10, 2023
@tatianab
cmd/vulnreport, internal/report: add support for summary field in YAML
ed0fd57 
Adds a field, "summary", which corresponds to the OSV "summary" and
CVE "title" field. This field is pulled automatically from GHSAs in
"vulnreport create".

Currently, this field is not required and is not
populated in the OSV/CVE conversion. Introducing it now will make
it easier for us to begin publishing this field later, to reduce
the backfill burden.

For golang/go#56443

Change-Id: Ib93efad656daeac4b13a97d83d46952dbced14b5
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/475336
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
@tatianab tatianab changed the title x/vulndb: consider populating "related" and "summary" OSV fields x/vulndb: populate "summary" OSV fields May 8, 2023
@tatianab tatianab changed the title x/vulndb: populate "summary" OSV fields x/vulndb: populate "summary" OSV field May 8, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/493595 mentions this issue: internal/report, data/reports: require summary field in YAML

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/493635 mentions this issue: data/reports: add summary for some reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/493602 mentions this issue: data/reports: add summary for some reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/493605 mentions this issue: data/reports: add summary to some reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/493918 mentions this issue: data/reports: add summaries for x/ repo vulns

gopherbot pushed a commit to golang/vulndb that referenced this issue May 10, 2023
@tatianab
internal/report, data/reports: require summary field in YAML
7c92a88 
Adds a lint check to require a non-empty summary field in YAML reports,
and backfills summary field for all old reports with a TODO. (This TODO
is OK because the summary field is not yet published to OSV.)

For golang/go#56443

Change-Id: I368d48ceca35ed74a0461550d5386ae7ff85be1a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/493595
Reviewed-by: Tim King <taking@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/494216 mentions this issue: data/reports: add summaries for stdlib vulns

gopherbot pushed a commit to golang/vulndb that referenced this issue May 11, 2023
@tatianab
data/reports: add summaries for x/ repo vulns
00566bd 
For golang/go#56443

Change-Id: I2b007a983da699bdac46408c0cd5ad6506e5ddb2
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/493918
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Tim King <taking@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
gopherbot pushed a commit to golang/vulndb that referenced this issue Jun 5, 2023
@tatianab
data/reports: add summaries for stdlib vulns
b4465ba 
For golang/go#56443

Change-Id: I62d838d34e2f9c47aacaf3ffb7639397a719a23f
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/494216
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/500997 mentions this issue: data/reports: add summaries for third-party reports from 2022

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/500996 mentions this issue: data/reports: add summaries for third-party reports from 2023

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/500998 mentions this issue: data/reports: add summaries for third-party reports from 2021

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/500999 mentions this issue: data/reports: add summaries for third-party reports from 2020

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/501001 mentions this issue: data/reports: add summaries for cmd reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/501203 mentions this issue: internal/{osv,report}, data: publish summaries to OSV

gopherbot pushed a commit to golang/vulndb that referenced this issue Jun 7, 2023
@tatianab
data/reports: add summaries for third-party reports from 2023
765b42d 
For golang/go#56443

Change-Id: I2bc988cba374e1358a745b4a8e3348b338874167
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/500996
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
gopherbot pushed a commit to golang/vulndb that referenced this issue Jun 7, 2023
@tatianab
data/reports: add summaries for third-party reports from 2022
6a3b20c 
For golang/go#56443

Change-Id: I0d78bc5e13f6bf7434d1d4aee4486fbc3baa00e6
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/500997
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
gopherbot pushed a commit to golang/vulndb that referenced this issue Jun 7, 2023
@tatianab
data/reports: add summaries for cmd reports
2ecf392 
For golang/go#56443

Change-Id: Id148f795d411fc573be7cc0b7b3c1005e291cced
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/501001
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
gopherbot pushed a commit to golang/vulndb that referenced this issue Jun 7, 2023
@tatianab
data/reports: add summaries for third-party reports from 2021
30c2219 
For golang/go#56443

Change-Id: I0e5b4a9eb465be3dc53e7d083315ffb909bab73a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/500998
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
gopherbot pushed a commit to golang/vulndb that referenced this issue Jun 7, 2023
@tatianab
data/reports: add summaries for third-party reports from 2020
4d19624 
For golang/go#56443

Change-Id: I4b2b31a3d330c5bc49e6011ef96dca960beabac4
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/500999
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
gopherbot pushed a commit to golang/vulndb that referenced this issue Jun 12, 2023
@tatianab
internal/{osv,report}, data: publish summaries to OSV
4d4a361 
Modify ToOSV to publish the summary from the YAML report to OSV, and
apply this change to each existing OSV report.

For golang/go#56443

Change-Id: Iee78fe75f42fe9a52c6e4023ee9ad8dfa5feba8d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/501203
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
@tatianab tatianab closed this as completed Jul 5, 2023
@golang golang locked and limited conversation to collaborators Jul 4, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@tatianab tatianab

Labels
FrozenDueToAge vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Projects
None yet
Milestone
vuln/unplanned
Development

No branches or pull requests
3 participants
@hyangah @tatianab @gopherbot