
x/pkgsite: present the package paths in the vulnerability info shown in the versions tab #60579

Open
hyangah opened this issue Jun 2, 2023 · 2 comments
Labels: pkgsite; vulncheck or vulndb (Issues for the x/vuln or x/vulndb repo)

Comments

@hyangah (Contributor) commented Jun 2, 2023

https://pkg.go.dev/golang.org/x/text?tab=versions

A module may contain multiple packages. When browsing the module's version history,
the versions tab provides vulnerability info. However, it's hard to figure out whether
a vulnerability affects the entire module, or only a certain package.

For example, GO-2022-1059 affects golang.org/x/text/language, but when viewed from
pkg.go.dev/golang.org/x/text?tab=versions it's not obvious that this vulnerability
affects only golang.org/x/text/language.
[Screenshot 2023-06-02 at 12 45 37 PM]

OTOH, if other packages in the module "transitively" depend on golang.org/x/text/language,
I wonder if they are included in the osv entry.

@hyangah hyangah added the pkgsite label Jun 2, 2023
@gopherbot gopherbot added this to the Unreleased milestone Jun 2, 2023
@hyangah hyangah added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Jun 2, 2023
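An added example in Go (not pkgsite's or x/vulndb's own code): it reads the per-module package paths that a Go vulnerability database OSV entry carries under `ecosystem_specific.imports`, which is the information the versions tab would need in order to say "only golang.org/x/text/language" rather than "golang.org/x/text". The sample entry is constructed: only the module/package pairing comes from the issue; the second module and the omitted version ranges are placeholders, and treating an entry with no listed package paths as "whole module" is this example's assumption, not pkgsite's rule.

```go
package main

import (
	"encoding/json"
	"sort"
)

// Subset of the OSV schema the Go vulnerability database fills in. encoding/json
// matches field names case-insensitively, so only ecosystem_specific needs a tag.
type osvEntry struct {
	Affected []struct {
		Package           struct{ Name, Ecosystem string }
		EcosystemSpecific struct {
			Imports []struct{ Path string }
		} `json:"ecosystem_specific"`
	}
}

// Constructed sample shaped like a Go vulndb entry: the module/package pairing is
// taken from the issue; the second module and the omitted version ranges are
// placeholders, not data from the real GO-2022-1059 record.
const sampleOSV = `{
  "id": "GO-2022-1059",
  "affected": [
    {"package": {"name": "golang.org/x/text", "ecosystem": "Go"},
     "ecosystem_specific": {"imports": [{"path": "golang.org/x/text/language"}]}},
    {"package": {"name": "example.com/placeholder/mod", "ecosystem": "Go"}}
  ]
}`

// AffectedPaths maps each affected Go module to the package import paths the entry
// lists for it. A module present with an empty list names no package path at all;
// this example reads that as "whole module affected" (an assumption).
func AffectedPaths(data []byte) (map[string][]string, error) {
	var e osvEntry
	if err := json.Unmarshal(data, &e); err != nil {
		return nil, err
	}
	out := map[string][]string{}
	for _, a := range e.Affected {
		if a.Package.Ecosystem != "Go" {
			continue
		}
		paths := out[a.Package.Name] // merge: one module may have several ranges
		for _, imp := range a.EcosystemSpecific.Imports {
			paths = append(paths, imp.Path)
		}
		sort.Strings(paths)
		out[a.Package.Name] = paths
	}
	return out, nil
}
```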
@findleyr (Contributor)

Hmm, I'm not sure that this matches the scope of the versions tab. Listing packages may be distracting and/or misleading.

Aside: it would be nice if the vulnerability pages defined what it means for a package or symbol to be affected.

@suzmue suzmue modified the milestones: Unreleased, pkgsite/later Jun 29, 2023
