GithubHelp home page GithubHelp logo

golang / vulndb Goto Github PK

View Code? Open in Web Editor NEW
555.0 38.0 55.0 17.99 MB

[mirror] The Go Vulnerability Database

License: Other

Go 97.29% Shell 1.09% Dockerfile 0.17% CSS 0.08% HCL 0.76% HTML 0.62%

vulndb's Introduction

The Go Vulnerability Database

Go Reference

This repository contains the infrastructure and internal reports to create the Go Vulnerability Database.

Check out https://go.dev/security/vuln for more information about the Go vulnerability management system.

Reporting a vulnerability or feedback

Click here to report a public vulnerability in the Go ecosystem, or give feedback about the project.

Privacy Policy

The privacy policy for govulncheck can be found at https://vuln.go.dev/privacy.

License

Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Database entries are distributed under the terms of the CC-BY-4.0 license. See go.dev/security/vuln/database for information on how to access these entries.

vulndb's People

Contributors

aaqaishtyaq avatar alexandear avatar ariathaker avatar cuishuang avatar dmitshur avatar filosottile avatar gopherbot avatar heschi avatar ianthehat avatar jamalc avatar jba avatar josieang avatar julieqiu avatar knqyf263 avatar neild avatar rolandshoemaker avatar rsc avatar seankhliao avatar tatianab avatar timothy-king avatar vrnvu avatar zpavlinovic avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

doytsujin mewbak knqyf263 j5s chen-keinan digitegal dedsec-9 lightwang123 terrorizer1980 derekhjray josieang deepanjalkumar pombredanne classicvalues egis-ai ekmixon langligelang yjuns silentsoul04 techsd amotmot atlasnq isabella232 gurleenfarrington westonsteimel catandcoder coder-s-cat 1nter5e0 readloud icontee qinsheng99 vrnvu siashish qpc-github weitoming alphamystic sarvex peiqi0 jintaizhe seanpm2001 rashikarl x-oss-byte stephane484 vulnerable-code gitworkflows jmok-veracode-github ethicalsecurity-agency tuananh ivin0022 jefferyq2 platform-pre-prod pavi2912

vulndb's Issues

Add support to severity and cvss metrics in json and report

Hi,
thank you for this amazing project
It looks like severity and CVSS metrics are missing from JSON and report.
example:

---
module: github.com/gin-gonic/gin
versions:
- fixed: v1.6.0
description: |
  The default [`Formatter`][LoggerConfig.Formatter] for the [`Logger`][] middleware
  (included in the [`Default`][] engine) allows attackers to inject arbitrary log
  entries by manipulating the request path.
published: '2021-04-14T12:00:00.000Z'
credit: "@thinkerou <[email protected]>"
symbols:
- defaultLogFormatter
links:
  pr: https://github.com/gin-gonic/gin/pull/2237
  commit: https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d
cve_metadata:
  id: CVE-9999-0001
  cwe: 'CWE-20: Improper Input Validation'
  description: |
    Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0
    allows remote attackers to inject arbitary log lines.
  cvss:
    version: v2
    score: '4.0'
    vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

I have created PR with support for both the severity field on JSON and CVSS data on the report (if exist at that time)
please confirm its satisfied the needs for it and review my PR : 6#

Include module names

Hi, thank you for the great database!

Looks like the current JSON API is missing module names. For example, the following YAML file includes the module name as well as the package name.

module: github.com/bytom/bytom
package: github.com/bytom/bytom/p2p/discover

vulndb/reports/GO-2021-0079.yaml

Line 1 in e0c00fa

module: github.com/bytom/bytom

On the other hand, the API doesn't include it.

$ curl https://storage.googleapis.com/go-vulndb/github.com/bytom/bytom/p2p/discover.json | jq .

[
  {
    "ID": "GO-2021-0079",
    "Published": "2021-04-14T12:00:00Z",
    "Modified": "2021-04-14T12:00:00Z",
    "Withdrawn": null,
    "Aliases": [
      "CVE-2018-18206"
    ],
    "Package": {
      "Name": "github.com/bytom/bytom/p2p/discover",
      "Ecosystem": "go"
    },
    "Details": "A malformed query can cause an out-of-bounds panic due to improper\nvalidation of arguments. If processing queries from untrusted\nparties, this may be used as a vector for denial of service\nattacks.\n",
    "Affects": {
      "Ranges": [
        {
          "Type": 2,
          "Introduced": "",
          "Fixed": "v1.0.4-0.20180831054840-1ac3c8ac4f2b"
        }
      ]
    },
    "References": [
      {
        "Type": "code review",
        "URL": "https://github.com/Bytom/bytom/pull/1307"
      },
      {
        "Type": "fix",
        "URL": "https://github.com/Bytom/bytom/commit/1ac3c8ac4f2b1e1df9675228290bda6b9586ba42"
      }
    ],
    "Extra": {
      "Go": {
        "Symbols": [
          "Network.checkTopicRegister"
        ],
        "URL": "https://go.googlesource.com/vulndb/+/refs/heads/main/reports/GO-2021-0079.toml"
      }
    }
  }
]

Is it possible to include it?

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.