
x/vuln: Package files not found for modules containing capital letters #56996


Closed
peterebden opened this issue Nov 30, 2022 · 3 comments
Labels
FrozenDueToAge vulncheck or vulndb Issues for the x/vuln or x/vulndb repo


peterebden commented Nov 30, 2022

What version of Go are you using (go version)?

N/A

Does this issue reproduce at the latest version of golang.org/x/vuln?

Yes

What operating system and processor architecture are you using (go env)?

N/A

What did you do?

Part of our internal vulnerability process occasionally downloads vulnerabilities from the Go vuln DB. At present it fetches the entire set (since it's relatively small and we rarely need to re-download it this hasn't been a problem).

What did you expect to see?

All modules referred to in the index have corresponding module files that are retrievable from the API.

What did you see instead?

The following URLs return 404s:
https://vuln.go.dev/github.com/AndrewBurian/powermux.json
https://vuln.go.dev/github.com/Masterminds/goutils.json
https://vuln.go.dev/github.com/Masterminds/vcs.json
https://vuln.go.dev/github.com/RobotsAndPencils/go-saml.json

It seems to be only those four which are failing (e.g. github.com/antchfx/xmlquery downloads fine).
I surmise there may be a problem involving the module path containing capital letters since these four are the only modules in the index with them.

@peterebden peterebden added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Nov 30, 2022
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Nov 30, 2022
@seankhliao
Member

It uses exclamation encoding for caps in the same way as the GOPROXY protocol, see https://go.dev/ref/mod#goproxy-protocol

Ex: https://vuln.go.dev/github.com/!andrew!burian/powermux.json

@seankhliao seankhliao closed this as not planned Nov 30, 2022
@peterebden
Author

Great, thanks for explaining that!

Would it be possible to update the documentation on https://go.dev/security/vuln/database to mention this? I am happy to send a PR although would appreciate a pointer on where that lives.

@seankhliao
Member

That should be this line:

To avoid various character set issues, the $module element is encoded using module.EncodePath.

@golang golang locked and limited conversation to collaborators Nov 30, 2023
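
The escaping discussed in this thread, as an added example that is not part of the original issue or the Go project's own code. `escapeModulePath` and `moduleURL` are hypothetical helper names, and the URL layout is the one quoted in the issue; production code can call `module.EscapePath` from `golang.org/x/mod/module`, which also validates the path.

```go
package main

import (
	"fmt"
	"strings"
)

// vulnDBBase is the host used in the URLs quoted in this issue.
const vulnDBBase = "https://vuln.go.dev/"

// escapeModulePath applies the GOPROXY "exclamation" escaping: every
// uppercase ASCII letter becomes '!' followed by its lowercase form.
// A literal '!' or a non-ASCII rune is rejected, because the escaped
// form would otherwise be ambiguous on case-insensitive storage.
func escapeModulePath(path string) (string, error) {
	var b strings.Builder
	for _, r := range path {
		switch {
		case r == '!' || r >= 0x80:
			return "", fmt.Errorf("invalid character %q in module path %q", r, path)
		case 'A' <= r && r <= 'Z':
			b.WriteByte('!')
			b.WriteRune(r + 'a' - 'A')
		default:
			b.WriteRune(r)
		}
	}
	return b.String(), nil
}

// moduleURL builds the per-module JSON URL in the layout shown in this issue.
func moduleURL(path string) (string, error) {
	esc, err := escapeModulePath(path)
	if err != nil {
		return "", err
	}
	return vulnDBBase + esc + ".json", nil
}

func main() {
	// Two of the module paths reported as returning 404 in this issue.
	for _, m := range []string{"github.com/AndrewBurian/powermux", "github.com/Masterminds/vcs"} {
		if u, err := moduleURL(m); err == nil {
			fmt.Println(u)
		}
	}
}
```

A client that walks the index and fetches every module file should escape each path this way before building the request, otherwise modules with capital letters are silently missing from the downloaded vulnerability set.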