x/vulndb: potential Go vuln in go.etcd.io/etcd #5

Closed
jba opened this issue Apr 30, 2021 · 7 comments
jba commented Apr 30, 2021

Now used to track GO-2020-0005.


old description:

The DB is constructed assuming that package import paths are unique. But it's possible to have two different packages with the same import path, even at the same version. Example:

https://pkg.go.dev/github.com/hashicorp/vault@v1.0.1/api
https://pkg.go.dev/github.com/hashicorp/vault/api@v1.0.1

pombredanne commented Jun 4, 2021

@jba what should be the "canonical" form? ... It would be important to get these right in https://github.com/package-url

jba commented Jun 4, 2021

In pkg.go.dev we use the form you see above, where the version attaches to the module path. That is Go-specific, though.
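The ambiguity in the issue description and the pkg.go.dev form jba describes (version attached to the module path) can be shown in a few lines of Go. This is an added example, not code from the x/vulndb project: it assumes a small PackageRef type and a ParsePkgGoDevPath helper that are hypothetical, and uses the two vault paths from the thread as constructed input. Keying a database on the import path alone collapses the two packages into one entry; keying on module path, version and package path keeps them apart.

```go
package main

import (
	"fmt"
	"strings"
)

// PackageRef identifies a package the way pkg.go.dev does: the version
// attaches to the module path, and the package is addressed by its path
// inside that module. (Hypothetical type for this example.)
type PackageRef struct {
	ModulePath string // e.g. github.com/hashicorp/vault
	Version    string // e.g. v1.0.1
	ImportPath string // e.g. github.com/hashicorp/vault/api
}

// ParsePkgGoDevPath parses "module@version" or "module@version/sub/pkg"
// (the pkg.go.dev form from the thread) into a PackageRef.
// Hypothetical helper written for this example.
func ParsePkgGoDevPath(p string) (PackageRef, error) {
	module, rest, ok := strings.Cut(p, "@")
	if !ok || module == "" {
		return PackageRef{}, fmt.Errorf("no module@version in %q", p)
	}
	version, sub, _ := strings.Cut(rest, "/")
	if version == "" {
		return PackageRef{}, fmt.Errorf("empty version in %q", p)
	}
	importPath := module
	if sub != "" {
		importPath = module + "/" + sub
	}
	return PackageRef{ModulePath: module, Version: version, ImportPath: importPath}, nil
}

// Key is an index key that stays unique: module path, version and package
// path together. The import path alone is not unique across modules.
func (r PackageRef) Key() string {
	return r.ModulePath + "@" + r.Version + " " + r.ImportPath
}

// DistinctPackages reports how many distinct entries a set of pkg.go.dev
// paths yields when keyed by import path alone versus by Key().
func DistinctPackages(paths []string) (int, int, error) {
	seenImport := map[string]bool{}
	seenKey := map[string]bool{}
	for _, p := range paths {
		r, err := ParsePkgGoDevPath(p)
		if err != nil {
			return 0, 0, err
		}
		seenImport[r.ImportPath] = true
		seenKey[r.Key()] = true
	}
	return len(seenImport), len(seenKey), nil
}

func main() {
	// Constructed input: the two paths from the issue. They share the import
	// path github.com/hashicorp/vault/api but belong to different modules.
	paths := []string{
		"github.com/hashicorp/vault@v1.0.1/api",
		"github.com/hashicorp/vault/api@v1.0.1",
	}
	for _, p := range paths {
		r, err := ParsePkgGoDevPath(p)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-42s module=%s version=%s import=%s\n",
			p, r.ModulePath, r.Version, r.ImportPath)
	}
	byImport, byKey, _ := DistinctPackages(paths)
	fmt.Printf("distinct by import path: %d, distinct by module@version key: %d\n",
		byImport, byKey)
}
```

The point for a vulnerability database is that an advisory for one module must not be attached to, or hidden by, an unrelated module that happens to contain a package with the same import path; the (module, version, package) triple is what has to be looked up.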

julieqiu commented Dec 6, 2021

Moved to the Go issue tracker: golang/go#50005.

The x/vulndb issue tracker is currently only meant for use by the Go security team for tracking CVEs that should be included in the Go vulnerability database.

julieqiu closed this as completed Dec 6, 2021
gopherbot pushed a commit that referenced this issue Oct 21, 2022
For #5

Change-Id: I2d5ac25521088fc330c09a1881d30b349f962eef
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/444759
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
gopherbot commented:
Change https://go.dev/cl/444759 mentions this issue: data/reports: add aliases and vulnerable_at for GO-2020-0005.yaml

tatianab commented:
Review for appropriate use of alias vs related

tatianab self-assigned this Aug 20, 2024
pombredanne commented:
@tatianab you wrote:

Review for appropriate use of alias vs related

Can you elaborate what you mean?

tatianab commented:
Hi, I took over this issue to track work on GO-2020-0005; the original issue is now tracked in golang/go#50005.

(The comment I made refers to a clarification in the OSV spec of the meaning of alias vs related, ossf/osv-schema#193. It is just a reminder for me to go back and review all our reports that list 2 or more CVEs as an alias.)

5 participants