From ae474702175d912e46b08ecb71fd48a29fa6b4c2 Mon Sep 17 00:00:00 2001 From: Tatiana Bradley Date: Fri, 17 May 2024 14:06:48 -0400 Subject: [PATCH] _content/doc/security/vuln: document the review_status field for vulns Adds documentation explaining how to interpret the new ecosystem_specific.review_status field. Change-Id: I537c3ab9e205b7a5c840fd4b01197ed152f8ccc1 Reviewed-on: https://go-review.googlesource.com/c/website/+/586495 LUCI-TryBot-Result: Go LUCI Reviewed-by: Damien Neil --- _content/doc/security/vuln/database.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/_content/doc/security/vuln/database.md b/_content/doc/security/vuln/database.md index 88d8b31da9..6b0767f24c 100644 --- a/_content/doc/security/vuln/database.md +++ b/_content/doc/security/vuln/database.md 
@@ -189,11 +189,26 @@ array will have these two fields: - **goos**: a string array with the execution operating system where the symbols appear, if known - **goarch**: a string array with the architecture where the symbols appear, if known -### database_specific.url +### database_specific + +The `database_specific` field contains custom fields specific to the Go vulnerability database. + +#### database_specific.url The `database_specific.url` field is a string representing the fully-qualified URL of the Go vulnerability report, e.g, "https://pkg.go.dev/vuln/GO-2023-1621". +#### database_specific.review_status + +The `database_specific.review_status` field is a string representing the review +status of the vulnerability report. If not present, the report should be +considered `REVIEWED`. The possible values are: + +- `UNREVIEWED`: The report was automatically generated based on another source, such as +a CVE or GHSA. Its data may be limited and has not been verified by the Go team. +- `REVIEWED`: The report originated from the Go team, or was generated based on an external source. +A member of the Go team has reviewed the report, and where appropriate, added additional data. + For information on other fields in the schema, refer to the [OSV spec](https://ossf.github.io/osv-schema). ## Examples
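Review bot: The commit subject and body describe an `ecosystem_specific.review_status` field, but the hunk documents `database_specific.review_status` (the new `#### database_specific.review_status` heading and the sentence below it); one of the two should be corrected so the message matches the field name consumers will actually look up in the OSV entry. The `REVIEWED` bullet could also be tightened: as written, the second sentence ("A member of the Go team has reviewed the report, and where appropriate, added additional data.") reads as if it applied only to the externally sourced case, so something like "In either case, a member of the Go team has reviewed the report..." would remove the ambiguity. Since an absent field is to be treated as `REVIEWED`, it is worth stating how a consumer should handle a value it does not recognize (e.g. not as `REVIEWED`), so that any status added later is not silently treated as reviewed by older tooling. Finally, the pre-existing "e.g," typo in the unchanged `database_specific.url` line could be fixed to "e.g." while this section is being touched.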