[website] _content/doc/security/vuln: add section on non-Go versions
0 views
Skip to first unread message
Tatiana Bradley (Gerrit)
3:38 PM (6 hours ago) 3:38 PM
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Tatiana Bradley has uploaded the change for review![]( "Open in Gerrit")
Commit message
_content/doc/security/vuln: add section on non-Go versions
Add a section explaining how our tooling handles versions
that are not recognized by the Go module proxy.
Change-Id: Iee0f201c75e04993569ceff52f9808ca9246e997
Change diff
diff --git a/_content/doc/security/vuln/database.md b/_content/doc/security/vuln/database.md
index 6b0767f..64d7558 100644
--- a/_content/doc/security/vuln/database.md
+++ b/_content/doc/security/vuln/database.md
@@ -211,6 +211,26 @@
For information on other fields in the schema, refer to the [OSV spec](https://ossf.github.io/osv-schema).
+## Note on Versions
+
+Our tooling attempts to automatically map modules and versions in
+ource advisories to canonical Go modules and versions, in accordance with
+standard [Go module version numbering](https://go.dev/doc/modules/version-numbers).
+Tools like `govulncheck` only work correctly with standard Go module versions.
+
+In some cases, such as when a Go project uses its own versioning system,
+this mapping can fail.
+
+If the mapping fails, the Go vulnerability database report may conservatively
+list all versions as affected. This is to avoid the false-negatives that
+would occur if we published unrecognized version ranges. (These unrecognized
+versions are still listed in the text description of the report for informational
+purposes.)
+
+If you notice false-positives in `govulncheck` due to this issue, please
+[suggest an edit](https://github.com/golang/vulndb/issues/new?assignees=&labels=Needs+Triage%2CSuggested+Edit&template=suggest_edit.yaml&title=x%2Fvulndb%3A+suggestion+regarding+GO-2024-2965&report=GO-XXXX-YYYY) to the vulnerability report and we
+will review it.
+
## Examples
All vulnerabilities in the Go vulnerability database use the OSV schema
Change information
Files:
- M _content/doc/security/vuln/database.md
Change size: S
Delta: 1 file changed, 20 insertions(+), 0 deletions(-)
Related details
Attention set is empty
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Tatiana Bradley (Gerrit)
3:38 PM (6 hours ago) 3:38 PM
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Attention needed from Tatiana Bradley
Tatiana Bradley uploaded new patchset![]( "Open in Gerrit")
Tatiana Bradley uploaded patch set #2 to this change.
Related details
Attention is currently required from:
- Tatiana Bradley
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Tatiana Bradley (Gerrit)
3:40 PM (6 hours ago) 3:40 PM
to goph...@pubsubhelper.golang.org, Damien Neil, Maceo Thompson, Zvonimir Pavlinovic, Tim King, Roland Shoemaker, Ian Cottrell, Go LUCI, golang-co...@googlegroups.com
Attention needed from Ian Cottrell, Roland Shoemaker, Tatiana Bradley and Tim King
Tatiana Bradley voted Commit-Queue+1![]( "Open in Gerrit")
Attention is currently required from:
- Ian Cottrell
- Roland Shoemaker
- Tatiana Bradley
- Tim King
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Tatiana Bradley (Gerrit)
3:41 PM (6 hours ago) 3:41 PM
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Attention needed from Ian Cottrell, Roland Shoemaker, Tatiana Bradley and Tim King
Tatiana Bradley uploaded new patchset![]( "Open in Gerrit")
Tatiana Bradley uploaded patch set #3 to this change.
Following approvals got outdated and were removed:
- TryBots-Pass: LUCI-TryBot-Result-1 by Go LUCI
Related details
Attention is currently required from:
- Ian Cottrell
- Roland Shoemaker
- Tatiana Bradley
- Tim King
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Tatiana Bradley (Gerrit)
3:42 PM (6 hours ago) 3:42 PM
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Attention needed from Ian Cottrell, Roland Shoemaker, Tatiana Bradley and Tim King
Tatiana Bradley uploaded new patchset![]( "Open in Gerrit")
Tatiana Bradley uploaded patch set #4 to this change.
Related details
Attention is currently required from:
- Ian Cottrell
- Roland Shoemaker
- Tatiana Bradley
- Tim King
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Tim King (Gerrit)
7:09 PM (2 hours ago) 7:09 PM
to Tatiana Bradley, goph...@pubsubhelper.golang.org, Go LUCI, Damien Neil, Maceo Thompson, Zvonimir Pavlinovic, Roland Shoemaker, Ian Cottrell, golang-co...@googlegroups.com
Attention needed from Ian Cottrell, Roland Shoemaker and Tatiana Bradley
Tim King added 8 comments![]( "Open in Gerrit")
File _content/doc/security/vuln/database.md
Line 217, Patchset 4 (Latest):
source advisories to canonical Go modules and versions, in accordance with
standard [Go module version numbering](/doc/modules/version-numbers).Tim King . unresolved
Maybe shorten 'Go module version numbers'.
Line 219, Patchset 4 (Latest):
Tools like `govulncheck` only work correctly with standard Go module versions.Tim King . unresolved
'only work correctly' is a bit strong.
How about 'are designed to work with'?
Line 219, Patchset 4 (Latest):
Tools like `govulncheck` only work correctly with standard Go module versions.Tim King . unresolved
Maybe say a bit of how it is used 'to decide when a module contains a vulnerability or if it does not as it has been fixed'. (That is not a great sentence though. Please edit.)
Line 221, Patchset 4 (Latest):
In some cases, such as when a Go project uses its own versioning system,Tim King . unresolved
uber-nit: 'scheme'
Line 225, Patchset 4 (Latest):
list all versions as affected. This is to avoid the false-negatives thatTim King . unresolved
Suggestion: 'This ensures that tools do not fail to report vulnerabilities due to unrecognized version ranges (e.g. false-negatives). Conservatively listing all versions as affected may cause tools to report a fixed version of a module as containing the vulnerability incorrectly (e.g. a false-positive).'
Line 225, Patchset 4 (Latest):
list all versions as affected. This is to avoid the false-negatives thatTim King . unresolved
'all Go versions as affected'
Line 226, Patchset 4 (Latest):
would occur if we published unrecognized version ranges. (These unrecognized
versions are still listed in the text description of the report for informational
purposes.)Tim King . unresolved
I wouldn't promise this. Maybe drop this sentence?
Line 230, Patchset 4 (Latest):
If you notice false-positives in `govulncheck` due to this issue, pleaseTim King . unresolved
Any FP is enough of a reason to report. Suggestion: 'If you believe that `govulncheck` is incorrectly reporting an issue, please ...'.
Related details
Attention is currently required from:
- Ian Cottrell
- Roland Shoemaker
- Tatiana Bradley
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Reply all
Reply to author
Forward
0 new messages