Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: include module names #50006

Closed
julieqiu opened this issue Dec 6, 2021 · 1 comment
Closed

x/vulndb: include module names #50006

julieqiu opened this issue Dec 6, 2021 · 1 comment
Assignees
@tatianab
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Milestone
vuln/unplanned

Comments

@julieqiu
Copy link
Member

julieqiu commented Dec 6, 2021

Moved from golang/vulndb#1:

Hi, thank you for the great database!

Looks like the current JSON API is missing module names. For example, the following YAML file includes the module name as well as the package name.

module: github.com/bytom/bytom
package: github.com/bytom/bytom/p2p/discover

https://github.com/golang/vulndb/blob/e0c00fae09e687ec6febda47ae3bc7552fc7b988/reports/GO-2021-0079.yaml#L1

On the other hand, the API doesn't include it.

$ curl https://storage.googleapis.com/go-vulndb/github.com/bytom/bytom/p2p/discover.json | jq .

[
  {
    "ID": "GO-2021-0079",
    "Published": "2021-04-14T12:00:00Z",
    "Modified": "2021-04-14T12:00:00Z",
    "Withdrawn": null,
    "Aliases": [
      "CVE-2018-18206"
    ],
    "Package": {
      "Name": "github.com/bytom/bytom/p2p/discover",
      "Ecosystem": "go"
    },
    "Details": "A malformed query can cause an out-of-bounds panic due to improper\nvalidation of arguments. If processing queries from untrusted\nparties, this may be used as a vector for denial of service\nattacks.\n",
    "Affects": {
      "Ranges": [
        {
          "Type": 2,
          "Introduced": "",
          "Fixed": "v1.0.4-0.20180831054840-1ac3c8ac4f2b"
        }
      ]
    },
    "References": [
      {
        "Type": "code review",
        "URL": "https://github.com/Bytom/bytom/pull/1307"
      },
      {
        "Type": "fix",
        "URL": "https://github.com/Bytom/bytom/commit/1ac3c8ac4f2b1e1df9675228290bda6b9586ba42"
      }
    ],
    "Extra": {
      "Go": {
        "Symbols": [
          "Network.checkTopicRegister"
        ],
        "URL": "https://go.googlesource.com/vulndb/+/refs/heads/main/reports/GO-2021-0079.toml"
      }
    }
  }
]

Is it possible to include it?
@gopherbot gopherbot added this to the Unreleased milestone Dec 6, 2021
@julieqiu julieqiu mentioned this issue Dec 6, 2021
Closed
@toothrot toothrot added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Dec 6, 2021
@gopherbot gopherbot added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Dec 22, 2021
@julieqiu julieqiu changed the title x/vuln: include module names x/vulndb: include module names Jan 5, 2022
@julieqiu julieqiu removed the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Jan 5, 2022
@julieqiu julieqiu added vulncheck or vulndb Issues for the x/vuln or x/vulndb repo and removed vulndb labels Sep 2, 2022
@julieqiu julieqiu modified the milestones: Unreleased, vuln/unplanned Sep 8, 2022
@tatianab
Copy link

Complete

@golang golang locked and limited conversation to collaborators Oct 12, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@tatianab tatianab

Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Projects
Go Security
Status: Done
Milestone
vuln/unplanned
Development

No branches or pull requests
4 participants
@toothrot @julieqiu @tatianab @gopherbot