Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: consider allowing cve and cve_metadata in reports #61184

Closed
tatianab opened this issue Jul 5, 2023 · 1 comment
Closed

x/vulndb: consider allowing cve and cve_metadata in reports #61184

tatianab opened this issue Jul 5, 2023 · 1 comment
Assignees
@tatianab
Labels
FrozenDueToAge vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Milestone
vuln/unplanned

Comments

@tatianab
Copy link

tatianab commented Jul 5, 2023

We currently have a lint check that enforces that only one of cve and cve_metadata is populated. This is based on the assumption that if a CVE was already assigned to a vuln, then the Go CNA would not have assigned a CVE. However, it is possible for the Go CNA to assign a CVE and for a third party to later assign an (essentially duplicate) CVE to the same vuln. We haven't yet seen this happen, but if it does we should account for it.
@tatianab tatianab added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Jul 5, 2023
@tatianab tatianab self-assigned this Jul 5, 2023
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Jul 5, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/534239 mentions this issue: internal/report: allow reports to have both cves and cve_metadata

gopherbot pushed a commit to golang/vulndb that referenced this issue Oct 10, 2023
@tatianab
internal/report: allow reports to have both cves and cve_metadata

Unverified

This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
Learn about vigilant mode
d2dd606 
Allow YAML reports to populate both "cves" and "cve_metadata". This is
needed for GO-2023-2102.

For golang/go#61184

Change-Id: I920eb2a0cffc0007cca31a52bd1edfe8ee1dd40d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/534239
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
@golang golang locked and limited conversation to collaborators Nov 26, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@tatianab tatianab

Labels
FrozenDueToAge vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Projects
None yet
Milestone
vuln/unplanned
Development

No branches or pull requests
2 participants
@tatianab @gopherbot