[vulndb] internal/report,data/osv: add explanation of non-Go versions


Tatiana Bradley (Gerrit)

Jul 2, 2024, 5:23:03 PM
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Tatiana Bradley has uploaded the change for review

Commit message

internal/report,data/osv: add explanation of non-Go versions

For unreviewed reports with "non_go_versions", add an explanation
that the versions list may not match external advisories to the
"details" section of the OSV.

In the future, this should be part of the pkgsite UI instead of
embedded in the OSV directly, but it is causing enough confusion that
it seems worth it to clarify this sooner rather than later.
(As pkgsite changes can take more time to develop and test).

Change-Id: Id1409182f7fdef37c0a781d6e2ba06b1fc57c080

Change diff

diff --git a/data/osv/GO-2024-2428.json b/data/osv/GO-2024-2428.json
index 4cd7509..6d4b284 100644
--- a/data/osv/GO-2024-2428.json
+++ b/data/osv/GO-2024-2428.json
@@ -8,7 +8,7 @@
"GHSA-fp9f-44c2-cw27"
],
"summary": "Ingress-nginx code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation in k8s.io/ingress-nginx",
- "details": "Ingress-nginx code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation in k8s.io/ingress-nginx",
+ "details": "Ingress-nginx code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation in k8s.io/ingress-nginx.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
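Review bot: the appended NOTE asks readers to "suggest an edit to the report with the correct versions" but does not say where such an edit is submitted; since this text is shipped in the OSV "details" field and read outside pkgsite, consider naming the location (the report's edit link or the database's issue tracker) so the sentence is actionable for consumers of the OSV file. The rest of the generated wording is consistent across the hunks in this change, so a wording change only needs to be made once in the generator in internal/report.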
diff --git a/data/osv/GO-2024-2430.json b/data/osv/GO-2024-2430.json
index e26bc05..1751db9 100644
--- a/data/osv/GO-2024-2430.json
+++ b/data/osv/GO-2024-2430.json
@@ -8,7 +8,7 @@
"GHSA-qc6v-g3xw-grmx"
],
"summary": "Authenticated users can crash the CubeFS servers with maliciously crafted requests in github.com/cubefs/cubefs",
- "details": "Authenticated users can crash the CubeFS servers with maliciously crafted requests in github.com/cubefs/cubefs",
+ "details": "Authenticated users can crash the CubeFS servers with maliciously crafted requests in github.com/cubefs/cubefs.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2431.json b/data/osv/GO-2024-2431.json
index 9141359..e38a5c6 100644
--- a/data/osv/GO-2024-2431.json
+++ b/data/osv/GO-2024-2431.json
@@ -8,7 +8,7 @@
"GHSA-4248-p65p-hcrm"
],
"summary": "Insecure random string generator used for sensitive data in github.com/cubefs/cubefs",
- "details": "Insecure random string generator used for sensitive data in github.com/cubefs/cubefs",
+ "details": "Insecure random string generator used for sensitive data in github.com/cubefs/cubefs.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2432.json b/data/osv/GO-2024-2432.json
index 5a563e9..919b243 100644
--- a/data/osv/GO-2024-2432.json
+++ b/data/osv/GO-2024-2432.json
@@ -8,7 +8,7 @@
"GHSA-8579-7p32-f398"
],
"summary": "CubeFS timing attack can leak user passwords in github.com/cubefs/cubefs",
- "details": "CubeFS timing attack can leak user passwords in github.com/cubefs/cubefs",
+ "details": "CubeFS timing attack can leak user passwords in github.com/cubefs/cubefs.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2433.json b/data/osv/GO-2024-2433.json
index a53496d..4c6004a 100644
--- a/data/osv/GO-2024-2433.json
+++ b/data/osv/GO-2024-2433.json
@@ -8,7 +8,7 @@
"GHSA-8h2x-gr2c-c275"
],
"summary": "CubeFS leaks magic secret key when starting Blobstore access service in github.com/cubefs/cubefs",
- "details": "CubeFS leaks magic secret key when starting Blobstore access service in github.com/cubefs/cubefs",
+ "details": "CubeFS leaks magic secret key when starting Blobstore access service in github.com/cubefs/cubefs.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2434.json b/data/osv/GO-2024-2434.json
index a3dfa5e..7974f11 100644
--- a/data/osv/GO-2024-2434.json
+++ b/data/osv/GO-2024-2434.json
@@ -8,7 +8,7 @@
"GHSA-vwch-g97w-hfg2"
],
"summary": "CubeFS leaks users key in logs in github.com/cubefs/cubefs",
- "details": "CubeFS leaks users key in logs in github.com/cubefs/cubefs",
+ "details": "CubeFS leaks users key in logs in github.com/cubefs/cubefs.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2442.json b/data/osv/GO-2024-2442.json
index 29fa0eb..dc2d410 100644
--- a/data/osv/GO-2024-2442.json
+++ b/data/osv/GO-2024-2442.json
@@ -7,7 +7,7 @@
"GHSA-76cc-p55w-63g3"
],
"summary": "Teleport Access List owners can escalate their privileges in github.com/gravitational/teleport",
- "details": "Teleport Access List owners can escalate their privileges in github.com/gravitational/teleport",
+ "details": "Teleport Access List owners can escalate their privileges in github.com/gravitational/teleport.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2444.json b/data/osv/GO-2024-2444.json
index 23766cb..45f5952 100644
--- a/data/osv/GO-2024-2444.json
+++ b/data/osv/GO-2024-2444.json
@@ -8,7 +8,7 @@
"GHSA-9w97-9rqx-8v4j"
],
"summary": "Mattermost allows demoted guests to change group names in github.com/mattermost/mattermost-server",
- "details": "Mattermost allows demoted guests to change group names in github.com/mattermost/mattermost-server",
+ "details": "Mattermost allows demoted guests to change group names in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2445.json b/data/osv/GO-2024-2445.json
index 2af57fe..1c1cea3 100644
--- a/data/osv/GO-2024-2445.json
+++ b/data/osv/GO-2024-2445.json
@@ -7,7 +7,7 @@
"GHSA-c9v7-wmwj-vf6x"
],
"summary": "SFTP is possible on the Proxy server for any user with SFTP access in github.com/gravitational/teleport",
- "details": "SFTP is possible on the Proxy server for any user with SFTP access in github.com/gravitational/teleport",
+ "details": "SFTP is possible on the Proxy server for any user with SFTP access in github.com/gravitational/teleport.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2446.json b/data/osv/GO-2024-2446.json
index 0754220..7f6666d 100644
--- a/data/osv/GO-2024-2446.json
+++ b/data/osv/GO-2024-2446.json
@@ -8,7 +8,7 @@
"GHSA-h3gq-j7p9-x3p4"
],
"summary": "Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server",
- "details": "Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2447.json b/data/osv/GO-2024-2447.json
index d300340..f7b486b 100644
--- a/data/osv/GO-2024-2447.json
+++ b/data/osv/GO-2024-2447.json
@@ -7,7 +7,7 @@
"GHSA-hw4x-mcx5-9q36"
],
"summary": "Teleport Proxy and Teleport Agents: SSRF to arbitrary hosts is possible from low privileged users in github.com/gravitational/teleport",
- "details": "Teleport Proxy and Teleport Agents: SSRF to arbitrary hosts is possible from low privileged users in github.com/gravitational/teleport",
+ "details": "Teleport Proxy and Teleport Agents: SSRF to arbitrary hosts is possible from low privileged users in github.com/gravitational/teleport.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2448.json b/data/osv/GO-2024-2448.json
index 5b6123f..a616fc6 100644
--- a/data/osv/GO-2024-2448.json
+++ b/data/osv/GO-2024-2448.json
@@ -8,7 +8,7 @@
"GHSA-q7rx-w656-fwmv"
],
"summary": "Mattermost notified all users in the channel when using WebSockets to respond individually in github.com/mattermost/mattermost-server",
- "details": "Mattermost notified all users in the channel when using WebSockets to respond individually in github.com/mattermost/mattermost-server",
+ "details": "Mattermost notified all users in the channel when using WebSockets to respond individually in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2449.json b/data/osv/GO-2024-2449.json
index 28218eb..8908c12 100644
--- a/data/osv/GO-2024-2449.json
+++ b/data/osv/GO-2024-2449.json
@@ -7,7 +7,7 @@
"GHSA-vfxf-76hv-v4w4"
],
"summary": "User-provided environment values allow execution on macOS agents in github.com/gravitational/teleport",
- "details": "User-provided environment values allow execution on macOS agents in github.com/gravitational/teleport",
+ "details": "User-provided environment values allow execution on macOS agents in github.com/gravitational/teleport.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2450.json b/data/osv/GO-2024-2450.json
index ab74364..0afa27c 100644
--- a/data/osv/GO-2024-2450.json
+++ b/data/osv/GO-2024-2450.json
@@ -8,7 +8,7 @@
"GHSA-w88v-pjr8-cmv2"
],
"summary": "Mattermost viewing archived public channels permissions vulnerability in github.com/mattermost/mattermost-server",
- "details": "Mattermost viewing archived public channels permissions vulnerability in github.com/mattermost/mattermost-server",
+ "details": "Mattermost viewing archived public channels permissions vulnerability in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2468.json b/data/osv/GO-2024-2468.json
index 54e341c..6ef17c4 100644
--- a/data/osv/GO-2024-2468.json
+++ b/data/osv/GO-2024-2468.json
@@ -8,7 +8,7 @@
"GHSA-cjqf-877p-7m3f"
],
"summary": "snapd Race Condition vulnerability in github.com/snapcore/snapd",
- "details": "snapd Race Condition vulnerability in github.com/snapcore/snapd",
+ "details": "snapd Race Condition vulnerability in github.com/snapcore/snapd.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2476.json b/data/osv/GO-2024-2476.json
index 4ffdd0a..100bb4c 100644
--- a/data/osv/GO-2024-2476.json
+++ b/data/osv/GO-2024-2476.json
@@ -8,7 +8,7 @@
"GHSA-gr79-9v6v-gc9r"
],
"summary": "Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers in github.com/dexidp/dex",
- "details": "Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers in github.com/dexidp/dex",
+ "details": "Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers in github.com/dexidp/dex.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2479.json b/data/osv/GO-2024-2479.json
index b793b7b..1fbc21c 100644
--- a/data/osv/GO-2024-2479.json
+++ b/data/osv/GO-2024-2479.json
@@ -8,7 +8,7 @@
"GHSA-mrx3-gxjx-hjqj"
],
"summary": "Authentik vulnerable to PKCE downgrade attack in goauthentik.io",
- "details": "Authentik vulnerable to PKCE downgrade attack in goauthentik.io",
+ "details": "Authentik vulnerable to PKCE downgrade attack in goauthentik.io.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2480.json b/data/osv/GO-2024-2480.json
index 4665af1..90a4378 100644
--- a/data/osv/GO-2024-2480.json
+++ b/data/osv/GO-2024-2480.json
@@ -8,7 +8,7 @@
"GHSA-qcjq-7f7v-pvc8"
],
"summary": "Nginx-UI vulnerable to authenticated RCE through injecting into the application config via CRLF in github.com/0xJacky/Nginx-UI",
- "details": "Nginx-UI vulnerable to authenticated RCE through injecting into the application config via CRLF in github.com/0xJacky/Nginx-UI",
+ "details": "Nginx-UI vulnerable to authenticated RCE through injecting into the application config via CRLF in github.com/0xJacky/Nginx-UI.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2481.json b/data/osv/GO-2024-2481.json
index ae0da47..c009efa 100644
--- a/data/osv/GO-2024-2481.json
+++ b/data/osv/GO-2024-2481.json
@@ -8,7 +8,7 @@
"GHSA-xvq9-4vpv-227m"
],
"summary": "Nginx-UI vulnerable to arbitrary file write through the Import Certificate feature in github.com/0xJacky/Nginx-UI",
- "details": "Nginx-UI vulnerable to arbitrary file write through the Import Certificate feature in github.com/0xJacky/Nginx-UI",
+ "details": "Nginx-UI vulnerable to arbitrary file write through the Import Certificate feature in github.com/0xJacky/Nginx-UI.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2495.json b/data/osv/GO-2024-2495.json
index 8cd2dbc..b658083 100644
--- a/data/osv/GO-2024-2495.json
+++ b/data/osv/GO-2024-2495.json
@@ -8,7 +8,7 @@
"GHSA-9xc9-xq7w-vpcr"
],
"summary": "Apache ServiceComb Service-Center Server-Side Request Forgery vulnerability in github.com/apache/servicecomb-service-center",
- "details": "Apache ServiceComb Service-Center Server-Side Request Forgery vulnerability in github.com/apache/servicecomb-service-center",
+ "details": "Apache ServiceComb Service-Center Server-Side Request Forgery vulnerability in github.com/apache/servicecomb-service-center.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2496.json b/data/osv/GO-2024-2496.json
index e3e4fd2..b6a530e 100644
--- a/data/osv/GO-2024-2496.json
+++ b/data/osv/GO-2024-2496.json
@@ -8,7 +8,7 @@
"GHSA-r8xp-52mq-rmm8"
],
"summary": "Apache ServiceComb Service-Center Exposure of Sensitive Information to an Unauthorized Actor vulnerability in github.com/apache/servicecomb-service-center",
- "details": "Apache ServiceComb Service-Center Exposure of Sensitive Information to an Unauthorized Actor vulnerability in github.com/apache/servicecomb-service-center",
+ "details": "Apache ServiceComb Service-Center Exposure of Sensitive Information to an Unauthorized Actor vulnerability in github.com/apache/servicecomb-service-center.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2513.json b/data/osv/GO-2024-2513.json
index 4e3eb74..127e4d0 100644
--- a/data/osv/GO-2024-2513.json
+++ b/data/osv/GO-2024-2513.json
@@ -8,7 +8,7 @@
"GHSA-3jq7-8ph8-63xm"
],
"summary": "Grafana information disclosure in github.com/grafana/grafana",
- "details": "Grafana information disclosure in github.com/grafana/grafana",
+ "details": "Grafana information disclosure in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2515.json b/data/osv/GO-2024-2515.json
index 98bd814..12fcb79 100644
--- a/data/osv/GO-2024-2515.json
+++ b/data/osv/GO-2024-2515.json
@@ -8,7 +8,7 @@
"GHSA-7m2x-qhrq-rp8h"
],
"summary": "Grafana XSS via the OpenTSDB datasource in github.com/grafana/grafana",
- "details": "Grafana XSS via the OpenTSDB datasource in github.com/grafana/grafana",
+ "details": "Grafana XSS via the OpenTSDB datasource in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2516.json b/data/osv/GO-2024-2516.json
index 6d55e3e..fd013b6 100644
--- a/data/osv/GO-2024-2516.json
+++ b/data/osv/GO-2024-2516.json
@@ -8,7 +8,7 @@
"GHSA-9hv8-4frf-cprf"
],
"summary": "Grafana XSS via a column style in github.com/grafana/grafana",
- "details": "Grafana XSS via a column style in github.com/grafana/grafana",
+ "details": "Grafana XSS via a column style in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2517.json b/data/osv/GO-2024-2517.json
index f6a930f..7f92616 100644
--- a/data/osv/GO-2024-2517.json
+++ b/data/osv/GO-2024-2517.json
@@ -8,7 +8,7 @@
"GHSA-ccmg-w4xm-p28v"
],
"summary": "Grafana XSS in header column rename in github.com/grafana/grafana",
- "details": "Grafana XSS in header column rename in github.com/grafana/grafana",
+ "details": "Grafana XSS in header column rename in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2519.json b/data/osv/GO-2024-2519.json
index 80bf11c..16956a1 100644
--- a/data/osv/GO-2024-2519.json
+++ b/data/osv/GO-2024-2519.json
@@ -8,7 +8,7 @@
"GHSA-m25m-5778-fm22"
],
"summary": "Grafana world readable configuration files in github.com/grafana/grafana",
- "details": "Grafana world readable configuration files in github.com/grafana/grafana",
+ "details": "Grafana world readable configuration files in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2520.json b/data/osv/GO-2024-2520.json
index 1404cb5..304b16e 100644
--- a/data/osv/GO-2024-2520.json
+++ b/data/osv/GO-2024-2520.json
@@ -8,7 +8,7 @@
"GHSA-mvpr-q6rh-8vrp"
],
"summary": "Grafana XSS via a query alias for the ElasticSearch datasource in github.com/grafana/grafana",
- "details": "Grafana XSS via a query alias for the ElasticSearch datasource in github.com/grafana/grafana",
+ "details": "Grafana XSS via a query alias for the ElasticSearch datasource in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2521.json b/data/osv/GO-2024-2521.json
index d1cfc91..ab959f7 100644
--- a/data/osv/GO-2024-2521.json
+++ b/data/osv/GO-2024-2521.json
@@ -8,7 +8,7 @@
"GHSA-v2cv-wwxq-qq97"
],
"summary": "Moby Docker cp broken with debian containers in github.com/moby/moby",
- "details": "Moby Docker cp broken with debian containers in github.com/moby/moby",
+ "details": "Moby Docker cp broken with debian containers in github.com/moby/moby.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2523.json b/data/osv/GO-2024-2523.json
index 3bf9695..1f8c2b0 100644
--- a/data/osv/GO-2024-2523.json
+++ b/data/osv/GO-2024-2523.json
@@ -8,7 +8,7 @@
"GHSA-xr3x-62qw-vc4w"
],
"summary": "Grafana stored XSS in github.com/grafana/grafana",
- "details": "Grafana stored XSS in github.com/grafana/grafana",
+ "details": "Grafana stored XSS in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2527.json b/data/osv/GO-2024-2527.json
index b974fd6..b70fc68 100644
--- a/data/osv/GO-2024-2527.json
+++ b/data/osv/GO-2024-2527.json
@@ -8,7 +8,7 @@
"GHSA-5x4g-q5rc-36jp"
],
"summary": "WITHDRAWN: Etcd pkg Insecure ciphers are allowed by default in go.etcd.io/etcd/client/pkg/v3",
- "details": "(This report has been withdrawn with reason: \"too many false positives\").",
+ "details": "(This report has been withdrawn with reason: \"too many false positives\"). .\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
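Review bot: the generated text in this hunk ends up as `"too many false positives"). .` because the original details string already ended with a period and the generator unconditionally appends another one before the NOTE; the generator should only add the period when details does not already end in terminal punctuation (the other hunks in this change only look right because their details were bare summaries without a trailing period). Separately, this report is WITHDRAWN, so appending the non-Go-versions caveat to it adds noise to a record consumers are meant to ignore; consider skipping withdrawn reports when adding the note.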
diff --git a/data/osv/GO-2024-2528.json b/data/osv/GO-2024-2528.json
index 852aeca..b1adcf4 100644
--- a/data/osv/GO-2024-2528.json
+++ b/data/osv/GO-2024-2528.json
@@ -7,7 +7,7 @@
"GHSA-j86v-2vjr-fg8f"
],
"summary": "Etcd Gateway TLS endpoint validation only confirms TCP reachability in go.etcd.io/etcd",
- "details": "Etcd Gateway TLS endpoint validation only confirms TCP reachability in go.etcd.io/etcd",
+ "details": "Etcd Gateway TLS endpoint validation only confirms TCP reachability in go.etcd.io/etcd.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2529.json b/data/osv/GO-2024-2529.json
index 60b1961..734ab4d 100644
--- a/data/osv/GO-2024-2529.json
+++ b/data/osv/GO-2024-2529.json
@@ -7,7 +7,7 @@
"GHSA-pm3m-32r3-7mfh"
],
"summary": "Etcd embed auto compaction retention negative value causing a compaction loop or a crash in go.etcd.io/etcd",
- "details": "Etcd embed auto compaction retention negative value causing a compaction loop or a crash in go.etcd.io/etcd",
+ "details": "Etcd embed auto compaction retention negative value causing a compaction loop or a crash in go.etcd.io/etcd.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2530.json b/data/osv/GO-2024-2530.json
index 9ba6fda..dde9729 100644
--- a/data/osv/GO-2024-2530.json
+++ b/data/osv/GO-2024-2530.json
@@ -7,7 +7,7 @@
"GHSA-vjg6-93fv-qv64"
],
"summary": "Etcd auth Inaccurate logging of authentication attempts for users with CN-based auth only in go.etcd.io/etcd",
- "details": "Etcd auth Inaccurate logging of authentication attempts for users with CN-based auth only in go.etcd.io/etcd",
+ "details": "Etcd auth Inaccurate logging of authentication attempts for users with CN-based auth only in go.etcd.io/etcd.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2535.json b/data/osv/GO-2024-2535.json
index a4e071f..50db364 100644
--- a/data/osv/GO-2024-2535.json
+++ b/data/osv/GO-2024-2535.json
@@ -8,7 +8,7 @@
"GHSA-c85r-fwc7-45vc"
],
"summary": "Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core' in github.com/rancher/rancher",
- "details": "Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core' in github.com/rancher/rancher",
+ "details": "Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core' in github.com/rancher/rancher.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2537.json b/data/osv/GO-2024-2537.json
index d754bb6..036cd10 100644
--- a/data/osv/GO-2024-2537.json
+++ b/data/osv/GO-2024-2537.json
@@ -8,7 +8,7 @@
"GHSA-xfj7-qf8w-2gcr"
],
"summary": "Rancher 'Audit Log' leaks sensitive information in github.com/rancher/rancher",
- "details": "Rancher 'Audit Log' leaks sensitive information in github.com/rancher/rancher",
+ "details": "Rancher 'Audit Log' leaks sensitive information in github.com/rancher/rancher.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2540.json b/data/osv/GO-2024-2540.json
index 70a6805..46388fa 100644
--- a/data/osv/GO-2024-2540.json
+++ b/data/osv/GO-2024-2540.json
@@ -8,7 +8,7 @@
"GHSA-qr8f-cjw7-838m"
],
"summary": "Mattermost Jira Plugin does not properly check security levels in github.com/mattermost/mattermost-plugin-jira",
- "details": "Mattermost Jira Plugin does not properly check security levels in github.com/mattermost/mattermost-plugin-jira",
+ "details": "Mattermost Jira Plugin does not properly check security levels in github.com/mattermost/mattermost-plugin-jira.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2541.json b/data/osv/GO-2024-2541.json
index ed3b909..725575f 100644
--- a/data/osv/GO-2024-2541.json
+++ b/data/osv/GO-2024-2541.json
@@ -8,7 +8,7 @@
"GHSA-32h7-7j94-8fc2"
],
"summary": "Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server",
- "details": "Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server",
+ "details": "Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2556.json b/data/osv/GO-2024-2556.json
index a21e345..1aa6701 100644
--- a/data/osv/GO-2024-2556.json
+++ b/data/osv/GO-2024-2556.json
@@ -8,7 +8,7 @@
"GHSA-8r33-q5j5-rh7g"
],
"summary": "APM Server vulnerable to Insertion of Sensitive Information into Log File in github.com/elastic/apm-server",
- "details": "APM Server vulnerable to Insertion of Sensitive Information into Log File in github.com/elastic/apm-server",
+ "details": "APM Server vulnerable to Insertion of Sensitive Information into Log File in github.com/elastic/apm-server.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2566.json b/data/osv/GO-2024-2566.json
index 72f09a5..ea73750 100644
--- a/data/osv/GO-2024-2566.json
+++ b/data/osv/GO-2024-2566.json
@@ -8,7 +8,7 @@
"GHSA-r833-w756-h5p2"
],
"summary": "Mattermost fails to check the required permissions in github.com/mattermost/mattermost-server",
- "details": "Mattermost fails to check the required permissions in github.com/mattermost/mattermost-server",
+ "details": "Mattermost fails to check the required permissions in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2576.json b/data/osv/GO-2024-2576.json
index db598fe..ba7b849 100644
--- a/data/osv/GO-2024-2576.json
+++ b/data/osv/GO-2024-2576.json
@@ -8,7 +8,7 @@
"GHSA-84xv-jfrm-h4gm"
],
"summary": "registry-support: decompress can delete files outside scope via relative paths in github.com/devfile/registry-support/registry-library",
- "details": "registry-support: decompress can delete files outside scope via relative paths in github.com/devfile/registry-support/registry-library",
+ "details": "registry-support: decompress can delete files outside scope via relative paths in github.com/devfile/registry-support/registry-library.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2582.json b/data/osv/GO-2024-2582.json
index 9846f82..6ae963e 100644
--- a/data/osv/GO-2024-2582.json
+++ b/data/osv/GO-2024-2582.json
@@ -8,7 +8,7 @@
"GHSA-q6h8-4j2v-pjg4"
],
"summary": "Minder trusts client-provided mapping from repo name to upstream ID in github.com/stacklok/minder",
- "details": "Minder trusts client-provided mapping from repo name to upstream ID in github.com/stacklok/minder",
+ "details": "Minder trusts client-provided mapping from repo name to upstream ID in github.com/stacklok/minder.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2588.json b/data/osv/GO-2024-2588.json
index f8ba60e..2fc6fd0 100644
--- a/data/osv/GO-2024-2588.json
+++ b/data/osv/GO-2024-2588.json
@@ -8,7 +8,7 @@
"GHSA-3g35-v53r-gpxc"
],
"summary": "Mattermost race condition in github.com/mattermost/mattermost-server",
- "details": "Mattermost race condition in github.com/mattermost/mattermost-server",
+ "details": "Mattermost race condition in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2589.json b/data/osv/GO-2024-2589.json
index 58b0719..6f47345 100644
--- a/data/osv/GO-2024-2589.json
+++ b/data/osv/GO-2024-2589.json
@@ -8,7 +8,7 @@
"GHSA-6mx3-9qfh-77gj"
],
"summary": "Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server",
- "details": "Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server",
+ "details": "Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2590.json b/data/osv/GO-2024-2590.json
index c13ce91..588bf74 100644
--- a/data/osv/GO-2024-2590.json
+++ b/data/osv/GO-2024-2590.json
@@ -8,7 +8,7 @@
"GHSA-7v3v-984v-h74r"
],
"summary": "Mattermost leaks details of AD/LDAP groups of a teams in github.com/mattermost/mattermost-server",
- "details": "Mattermost leaks details of AD/LDAP groups of a teams in github.com/mattermost/mattermost-server",
+ "details": "Mattermost leaks details of AD/LDAP groups of a teams in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2591.json b/data/osv/GO-2024-2591.json
index 58a7148..eb39cbd 100644
--- a/data/osv/GO-2024-2591.json
+++ b/data/osv/GO-2024-2591.json
@@ -8,7 +8,7 @@
"GHSA-fx48-xv6q-6gp3"
],
"summary": "Mattermost post fetching without auditing in compliance export in github.com/mattermost/mattermost-server",
- "details": "Mattermost post fetching without auditing in compliance export in github.com/mattermost/mattermost-server",
+ "details": "Mattermost post fetching without auditing in compliance export in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2592.json b/data/osv/GO-2024-2592.json
index d90a0d4..5f62969 100644
--- a/data/osv/GO-2024-2592.json
+++ b/data/osv/GO-2024-2592.json
@@ -8,7 +8,7 @@
"GHSA-hwjf-4667-gqwx"
],
"summary": "Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server",
- "details": "Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server",
+ "details": "Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2593.json b/data/osv/GO-2024-2593.json
index 4d13e22..1ffa823 100644
--- a/data/osv/GO-2024-2593.json
+++ b/data/osv/GO-2024-2593.json
@@ -8,7 +8,7 @@
"GHSA-pfw6-5rx3-xh3c"
],
"summary": "Mattermost fails to check the \"invite_guest\" permission in github.com/mattermost/mattermost-server",
- "details": "Mattermost fails to check the \"invite_guest\" permission in github.com/mattermost/mattermost-server",
+ "details": "Mattermost fails to check the \"invite_guest\" permission in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2594.json b/data/osv/GO-2024-2594.json
index 2741e35..34ba2cf 100644
--- a/data/osv/GO-2024-2594.json
+++ b/data/osv/GO-2024-2594.json
@@ -8,7 +8,7 @@
"GHSA-vm9m-57jr-4pxh"
],
"summary": "Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server",
- "details": "Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server",
+ "details": "Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2595.json b/data/osv/GO-2024-2595.json
index 5742055..c041f94 100644
--- a/data/osv/GO-2024-2595.json
+++ b/data/osv/GO-2024-2595.json
@@ -8,7 +8,7 @@
"GHSA-xgxj-j98c-59rv"
],
"summary": "Mattermost fails to properly restrict the access of files attached to posts in github.com/mattermost/mattermost-server",
- "details": "Mattermost fails to properly restrict the access of files attached to posts in github.com/mattermost/mattermost-server",
+ "details": "Mattermost fails to properly restrict the access of files attached to posts in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2629.json b/data/osv/GO-2024-2629.json
index f6e420a..d5d7338 100644
--- a/data/osv/GO-2024-2629.json
+++ b/data/osv/GO-2024-2629.json
@@ -8,7 +8,7 @@
"GHSA-5mxf-42f5-j782"
],
"summary": "Grafana's users with permissions to create a data source can CRUD all data sources in github.com/grafana/grafana",
- "details": "Grafana's users with permissions to create a data source can CRUD all data sources in github.com/grafana/grafana",
+ "details": "Grafana's users with permissions to create a data source can CRUD all data sources in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2635.json b/data/osv/GO-2024-2635.json
index b0d7bf8..f978950 100644
--- a/data/osv/GO-2024-2635.json
+++ b/data/osv/GO-2024-2635.json
@@ -8,7 +8,7 @@
"GHSA-r4fm-g65h-cr54"
],
"summary": "Mattermost incorrectly allows access individual posts in github.com/mattermost/mattermost-server",
- "details": "Mattermost incorrectly allows access individual posts in github.com/mattermost/mattermost-server",
+ "details": "Mattermost incorrectly allows access individual posts in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2637.json b/data/osv/GO-2024-2637.json
index c8a59f9..de0073f 100644
--- a/data/osv/GO-2024-2637.json
+++ b/data/osv/GO-2024-2637.json
@@ -8,7 +8,7 @@
"GHSA-mq4x-r2w3-j7mr"
],
"summary": "Account Takeover via Session Fixation in Zitadel [Bypassing MFA] in github.com/zitadel/zitadel",
- "details": "Account Takeover via Session Fixation in Zitadel [Bypassing MFA] in github.com/zitadel/zitadel",
+ "details": "Account Takeover via Session Fixation in Zitadel [Bypassing MFA] in github.com/zitadel/zitadel.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2664.json b/data/osv/GO-2024-2664.json
index 80a229f..01c7703 100644
--- a/data/osv/GO-2024-2664.json
+++ b/data/osv/GO-2024-2664.json
@@ -8,7 +8,7 @@
"GHSA-gp8g-f42f-95q2"
],
"summary": "ZITADEL's actions can overload reserved claims in github.com/zitadel/zitadel",
- "details": "ZITADEL's actions can overload reserved claims in github.com/zitadel/zitadel",
+ "details": "ZITADEL's actions can overload reserved claims in github.com/zitadel/zitadel.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2665.json b/data/osv/GO-2024-2665.json
index 7ea1368..718ed20 100644
--- a/data/osv/GO-2024-2665.json
+++ b/data/osv/GO-2024-2665.json
@@ -8,7 +8,7 @@
"GHSA-hr5w-cwwq-2v4m"
],
"summary": "ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass in github.com/zitadel/zitadel",
- "details": "ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass in github.com/zitadel/zitadel",
+ "details": "ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass in github.com/zitadel/zitadel.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2695.json b/data/osv/GO-2024-2695.json
index 13f71d8..ae27b8d 100644
--- a/data/osv/GO-2024-2695.json
+++ b/data/osv/GO-2024-2695.json
@@ -8,7 +8,7 @@
"GHSA-mcw6-3256-64gg"
],
"summary": "Mattermost Server doesn't limit the number of user preferences in github.com/mattermost/mattermost-server",
- "details": "Mattermost Server doesn't limit the number of user preferences in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Server doesn't limit the number of user preferences in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2696.json b/data/osv/GO-2024-2696.json
index fbef4da..7c4cf46 100644
--- a/data/osv/GO-2024-2696.json
+++ b/data/osv/GO-2024-2696.json
@@ -8,7 +8,7 @@
"GHSA-wp43-vprh-c3w5"
],
"summary": "Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server",
- "details": "Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server",
+ "details": "Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2697.json b/data/osv/GO-2024-2697.json
index ab10280..56b6771 100644
--- a/data/osv/GO-2024-2697.json
+++ b/data/osv/GO-2024-2697.json
@@ -8,7 +8,7 @@
"GHSA-67rv-qpw2-6qrr"
],
"summary": "Grafana: Users outside an organization can delete a snapshot with its key in github.com/grafana/grafana",
- "details": "Grafana: Users outside an organization can delete a snapshot with its key in github.com/grafana/grafana",
+ "details": "Grafana: Users outside an organization can delete a snapshot with its key in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2706.json b/data/osv/GO-2024-2706.json
index f938615..a77d024 100644
--- a/data/osv/GO-2024-2706.json
+++ b/data/osv/GO-2024-2706.json
@@ -8,7 +8,7 @@
"GHSA-w67v-ph4x-f48q"
],
"summary": "Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server",
- "details": "Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2707.json b/data/osv/GO-2024-2707.json
index d96ce81..30db483 100644
--- a/data/osv/GO-2024-2707.json
+++ b/data/osv/GO-2024-2707.json
@@ -8,7 +8,7 @@
"GHSA-xp9j-8p68-9q93"
],
"summary": "Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server",
- "details": "Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2717.json b/data/osv/GO-2024-2717.json
index fabe14f..5bb93d0 100644
--- a/data/osv/GO-2024-2717.json
+++ b/data/osv/GO-2024-2717.json
@@ -8,7 +8,7 @@
"GHSA-wx43-g55g-2jf4"
],
"summary": "LocalAI Command Injection in audioToWav in github.com/go-skynet/LocalAI",
- "details": "LocalAI Command Injection in audioToWav in github.com/go-skynet/LocalAI",
+ "details": "LocalAI Command Injection in audioToWav in github.com/go-skynet/LocalAI.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2734.json b/data/osv/GO-2024-2734.json
index be4eb4d..950a855 100644
--- a/data/osv/GO-2024-2734.json
+++ b/data/osv/GO-2024-2734.json
@@ -8,7 +8,7 @@
"GHSA-6m9h-2pr2-9j8f"
],
"summary": "1Panel's password verification is suspected to have a timing attack vulnerability in github.com/1Panel-dev/1Panel",
- "details": "1Panel's password verification is suspected to have a timing attack vulnerability in github.com/1Panel-dev/1Panel",
+ "details": "1Panel's password verification is suspected to have a timing attack vulnerability in github.com/1Panel-dev/1Panel.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2750.json b/data/osv/GO-2024-2750.json
index 7f73ef9..8b1526a 100644
--- a/data/osv/GO-2024-2750.json
+++ b/data/osv/GO-2024-2750.json
@@ -8,7 +8,7 @@
"GHSA-2v35-wj4r-rcmv"
],
"summary": "Kubernetes Secrets Store CSI Driver plugins arbitrary file write in github.com/Azure/secrets-store-csi-driver-provider-azure",
- "details": "Kubernetes Secrets Store CSI Driver plugins arbitrary file write in github.com/Azure/secrets-store-csi-driver-provider-azure",
+ "details": "Kubernetes Secrets Store CSI Driver plugins arbitrary file write in github.com/Azure/secrets-store-csi-driver-provider-azure.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2760.json b/data/osv/GO-2024-2760.json
index 78d4af7..ae2e5e9 100644
--- a/data/osv/GO-2024-2760.json
+++ b/data/osv/GO-2024-2760.json
@@ -8,7 +8,7 @@
"GHSA-28g7-896h-695v"
],
"summary": "Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication in github.com/rancher/rancher",
- "details": "Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication in github.com/rancher/rancher",
+ "details": "Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication in github.com/rancher/rancher.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2768.json b/data/osv/GO-2024-2768.json
index 01f5122..e9926db 100644
--- a/data/osv/GO-2024-2768.json
+++ b/data/osv/GO-2024-2768.json
@@ -8,7 +8,7 @@
"GHSA-f9xf-jq4j-vqw4"
],
"summary": "Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources in github.com/rancher/rancher",
- "details": "Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources in github.com/rancher/rancher",
+ "details": "Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources in github.com/rancher/rancher.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2771.json b/data/osv/GO-2024-2771.json
index 5a04ca8..4d4a898 100644
--- a/data/osv/GO-2024-2771.json
+++ b/data/osv/GO-2024-2771.json
@@ -8,7 +8,7 @@
"GHSA-gvh9-xgrq-r8hw"
],
"summary": "Rancher's Steve API Component Improper authorization check allows privilege escalation in github.com/rancher/rancher",
- "details": "Rancher's Steve API Component Improper authorization check allows privilege escalation in github.com/rancher/rancher",
+ "details": "Rancher's Steve API Component Improper authorization check allows privilege escalation in github.com/rancher/rancher.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2778.json b/data/osv/GO-2024-2778.json
index bde2160..50ac7e5 100644
--- a/data/osv/GO-2024-2778.json
+++ b/data/osv/GO-2024-2778.json
@@ -8,7 +8,7 @@
"GHSA-pvxj-25m6-7vqr"
],
"summary": "Rancher Privilege escalation vulnerability via malicious \"Connection\" header in github.com/rancher/rancher",
- "details": "Rancher Privilege escalation vulnerability via malicious \"Connection\" header in github.com/rancher/rancher",
+ "details": "Rancher Privilege escalation vulnerability via malicious \"Connection\" header in github.com/rancher/rancher.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2788.json b/data/osv/GO-2024-2788.json
index 749011b..bd84e85 100644
--- a/data/osv/GO-2024-2788.json
+++ b/data/osv/GO-2024-2788.json
@@ -8,7 +8,7 @@
"GHSA-7j7j-66cv-m239"
],
"summary": "ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass in github.com/zitadel/zitadel",
- "details": "ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass in github.com/zitadel/zitadel",
+ "details": "ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass in github.com/zitadel/zitadel.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2801.json b/data/osv/GO-2024-2801.json
index 8971eb5..9c23fc6 100644
--- a/data/osv/GO-2024-2801.json
+++ b/data/osv/GO-2024-2801.json
@@ -8,7 +8,7 @@
"GHSA-6362-gv4m-53ww"
],
"summary": "Calico privilege escalation vulnerability in github.com/projectcalico/calico",
- "details": "Calico privilege escalation vulnerability in github.com/projectcalico/calico",
+ "details": "Calico privilege escalation vulnerability in github.com/projectcalico/calico.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2804.json b/data/osv/GO-2024-2804.json
index e503e19..dc376c5 100644
--- a/data/osv/GO-2024-2804.json
+++ b/data/osv/GO-2024-2804.json
@@ -8,7 +8,7 @@
"GHSA-q5qj-x2h5-3945"
],
"summary": "Zitadel exposing internal database user name and host information in github.com/zitadel/zitadel",
- "details": "Zitadel exposing internal database user name and host information in github.com/zitadel/zitadel",
+ "details": "Zitadel exposing internal database user name and host information in github.com/zitadel/zitadel.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2843.json b/data/osv/GO-2024-2843.json
index 1adc2fa..5447d73 100644
--- a/data/osv/GO-2024-2843.json
+++ b/data/osv/GO-2024-2843.json
@@ -8,7 +8,7 @@
"GHSA-2x6g-h2hg-rq84"
],
"summary": "Grafana Email addresses and usernames can not be trusted in github.com/grafana/grafana",
- "details": "Grafana Email addresses and usernames can not be trusted in github.com/grafana/grafana",
+ "details": "Grafana Email addresses and usernames can not be trusted in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2844.json b/data/osv/GO-2024-2844.json
index a28e3ab..a5c719e 100644
--- a/data/osv/GO-2024-2844.json
+++ b/data/osv/GO-2024-2844.json
@@ -8,7 +8,7 @@
"GHSA-3p62-42x7-gxg5"
],
"summary": "Grafana User enumeration via forget password in github.com/grafana/grafana",
- "details": "Grafana User enumeration via forget password in github.com/grafana/grafana",
+ "details": "Grafana User enumeration via forget password in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2847.json b/data/osv/GO-2024-2847.json
index d1eb575..15f7849 100644
--- a/data/osv/GO-2024-2847.json
+++ b/data/osv/GO-2024-2847.json
@@ -8,7 +8,7 @@
"GHSA-ff5c-938w-8c9q"
],
"summary": "Grafana Escalation from admin to server admin when auth proxy is used in github.com/grafana/grafana",
- "details": "Grafana Escalation from admin to server admin when auth proxy is used in github.com/grafana/grafana",
+ "details": "Grafana Escalation from admin to server admin when auth proxy is used in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2848.json b/data/osv/GO-2024-2848.json
index 8853cff..47962c1 100644
--- a/data/osv/GO-2024-2848.json
+++ b/data/osv/GO-2024-2848.json
@@ -8,7 +8,7 @@
"GHSA-gj7m-853r-289r"
],
"summary": "Grafana when using email as a username can block other users from signing in in github.com/grafana/grafana",
- "details": "Grafana when using email as a username can block other users from signing in in github.com/grafana/grafana",
+ "details": "Grafana when using email as a username can block other users from signing in in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2851.json b/data/osv/GO-2024-2851.json
index 308e529..bd1beb3 100644
--- a/data/osv/GO-2024-2851.json
+++ b/data/osv/GO-2024-2851.json
@@ -8,7 +8,7 @@
"GHSA-jv32-5578-pxjc"
],
"summary": "Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins in github.com/grafana/grafana",
- "details": "Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins in github.com/grafana/grafana",
+ "details": "Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2852.json b/data/osv/GO-2024-2852.json
index 7ce4db9..892c205 100644
--- a/data/osv/GO-2024-2852.json
+++ b/data/osv/GO-2024-2852.json
@@ -8,7 +8,7 @@
"GHSA-mx47-6497-3fv2"
],
"summary": "Grafana account takeover via OAuth vulnerability in github.com/grafana/grafana",
- "details": "Grafana account takeover via OAuth vulnerability in github.com/grafana/grafana",
+ "details": "Grafana account takeover via OAuth vulnerability in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2854.json b/data/osv/GO-2024-2854.json
index efd069d..7624331 100644
--- a/data/osv/GO-2024-2854.json
+++ b/data/osv/GO-2024-2854.json
@@ -8,7 +8,7 @@
"GHSA-p978-56hq-r492"
],
"summary": "Grafana folders admin only permission privilege escalation in github.com/grafana/grafana",
- "details": "Grafana folders admin only permission privilege escalation in github.com/grafana/grafana",
+ "details": "Grafana folders admin only permission privilege escalation in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2855.json b/data/osv/GO-2024-2855.json
index 2354433..0418ed1 100644
--- a/data/osv/GO-2024-2855.json
+++ b/data/osv/GO-2024-2855.json
@@ -8,7 +8,7 @@
"GHSA-rhxj-gh46-jvw8"
],
"summary": "Grafana Plugin signature bypass in github.com/grafana/grafana",
- "details": "Grafana Plugin signature bypass in github.com/grafana/grafana",
+ "details": "Grafana Plugin signature bypass in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2856.json b/data/osv/GO-2024-2856.json
index 8c16ae5..637a815 100644
--- a/data/osv/GO-2024-2856.json
+++ b/data/osv/GO-2024-2856.json
@@ -8,7 +8,7 @@
"GHSA-vqc4-mpj8-jxch"
],
"summary": "Grafana Race condition allowing privilege escalation in github.com/grafana/grafana",
- "details": "Grafana Race condition allowing privilege escalation in github.com/grafana/grafana",
+ "details": "Grafana Race condition allowing privilege escalation in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2857.json b/data/osv/GO-2024-2857.json
index ae875df..e107721 100644
--- a/data/osv/GO-2024-2857.json
+++ b/data/osv/GO-2024-2857.json
@@ -8,7 +8,7 @@
"GHSA-vw7q-p2qg-4m5f"
],
"summary": "Grafana Stored Cross-site Scripting in Unified Alerting in github.com/grafana/grafana",
- "details": "Grafana Stored Cross-site Scripting in Unified Alerting in github.com/grafana/grafana",
+ "details": "Grafana Stored Cross-site Scripting in Unified Alerting in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2858.json b/data/osv/GO-2024-2858.json
index d45627b..44b2d24 100644
--- a/data/osv/GO-2024-2858.json
+++ b/data/osv/GO-2024-2858.json
@@ -8,7 +8,7 @@
"GHSA-x744-mm8v-vpgr"
],
"summary": "Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins in github.com/grafana/grafana",
- "details": "Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins in github.com/grafana/grafana",
+ "details": "Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2867.json b/data/osv/GO-2024-2867.json
index 8144ae6..8f6c49a 100644
--- a/data/osv/GO-2024-2867.json
+++ b/data/osv/GO-2024-2867.json
@@ -8,7 +8,7 @@
"GHSA-4724-7jwc-3fpw"
],
"summary": "Grafana Spoofing originalUrl of snapshots in github.com/grafana/grafana",
- "details": "Grafana Spoofing originalUrl of snapshots in github.com/grafana/grafana",
+ "details": "Grafana Spoofing originalUrl of snapshots in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2921.json b/data/osv/GO-2024-2921.json
index 73a5a02..c2af192 100644
--- a/data/osv/GO-2024-2921.json
+++ b/data/osv/GO-2024-2921.json
@@ -8,7 +8,7 @@
"GHSA-32cj-5wx4-gq8p"
],
"summary": "HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims in github.com/hashicorp/vault",
- "details": "HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims in github.com/hashicorp/vault",
+ "details": "HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims in github.com/hashicorp/vault.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2924.json b/data/osv/GO-2024-2924.json
index 24c4596..129b480 100644
--- a/data/osv/GO-2024-2924.json
+++ b/data/osv/GO-2024-2924.json
@@ -8,7 +8,7 @@
"GHSA-7jp9-vgmq-c8r5"
],
"summary": "AdGuardHome privilege escalation vulnerability in github.com/AdguardTeam/AdGuardHome",
- "details": "AdGuardHome privilege escalation vulnerability in github.com/AdguardTeam/AdGuardHome",
+ "details": "AdGuardHome privilege escalation vulnerability in github.com/AdguardTeam/AdGuardHome.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2929.json b/data/osv/GO-2024-2929.json
index c7d45f3..b1d504f 100644
--- a/data/osv/GO-2024-2929.json
+++ b/data/osv/GO-2024-2929.json
@@ -8,7 +8,7 @@
"GHSA-64jq-m7rq-768h"
],
"summary": "Rancher's External RoleTemplates can lead to privilege escalation in github.com/rancher/rancher",
- "details": "Rancher's External RoleTemplates can lead to privilege escalation in github.com/rancher/rancher",
+ "details": "Rancher's External RoleTemplates can lead to privilege escalation in github.com/rancher/rancher.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2931.json b/data/osv/GO-2024-2931.json
index efae6a0..6e4aefe 100644
--- a/data/osv/GO-2024-2931.json
+++ b/data/osv/GO-2024-2931.json
@@ -8,7 +8,7 @@
"GHSA-9ghh-mmcq-8phc"
],
"summary": "Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider in github.com/rancher/rancher",
- "details": "Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider in github.com/rancher/rancher",
+ "details": "Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider in github.com/rancher/rancher.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2932.json b/data/osv/GO-2024-2932.json
index ce5cbfe..49ed745 100644
--- a/data/osv/GO-2024-2932.json
+++ b/data/osv/GO-2024-2932.json
@@ -8,7 +8,7 @@
"GHSA-q6c7-56cq-g2wm"
],
"summary": "Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec in github.com/rancher/rancher",
- "details": "Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec in github.com/rancher/rancher",
+ "details": "Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec in github.com/rancher/rancher.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/data/osv/GO-2024-2938.json b/data/osv/GO-2024-2938.json
index d55ca64..84d126c 100644
--- a/data/osv/GO-2024-2938.json
+++ b/data/osv/GO-2024-2938.json
@@ -8,7 +8,7 @@
"GHSA-cpcx-r2gq-x893"
],
"summary": "LocalAI path traversal vulnerability in github.com/go-skynet/LocalAI",
- "details": "LocalAI path traversal vulnerability in github.com/go-skynet/LocalAI",
+ "details": "LocalAI path traversal vulnerability in github.com/go-skynet/LocalAI.\n\nNOTE: The source advisory for this report contains one or more versions that are not known to the Go module proxy. This most commonly occurs when a module uses its own versioning scheme.\n\nThis means that the versions list may not match the source report. If this is causing false-positive reports or other issues, please suggest an edit to the report with the correct versions.",
"affected": [
{
"package": {
diff --git a/internal/report/osv.go b/internal/report/osv.go
index b00f8cf..02bc569 100644
--- a/internal/report/osv.go
+++ b/internal/report/osv.go
@@ -31,6 +31,14 @@
SchemaVersion = "1.3.1"
)

+const nonGoExplanation = `NOTE: The source advisory for this report contains
+one or more versions that are not known to the Go module proxy.
+This most commonly occurs when a module uses its own versioning scheme.
+
+This means that the versions list may not match the source report.
+If this is causing false-positive reports or other issues,
+please suggest an edit to the report with the correct versions.`
+
// ToOSV creates an osv.Entry for a report.
// lastModified is the time the report should be considered to have
// been most recently modified.
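Review bot: `nonGoExplanation` ends up in the `details` of every unreviewed report that has non-Go versions, but the constant carries no doc comment saying when it is applied or that it is a stopgap until pkgsite can render this itself, as the commit message explains; a comment above the `const` would tell the next reader it is safe to delete once the pkgsite change lands. The text also asks the reader to "suggest an edit to the report" without saying where to do that; since the OSV consumer (a govulncheck user, say) has none of this context, naming the report location or the contribution path would make the note actionable.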
@@ -47,14 +55,6 @@
withdrawn = &osv.Time{Time: *r.Withdrawn}
}

- // If the report has no description, use the summary for now.
- // TODO(https://go.dev/issues/61201): Remove this once pkgsite and
- // govulncheck can robustly display summaries in place of details.
- details := r.Description
- if details == "" {
- details = Description(r.Summary)
- }
-
entry := osv.Entry{
ID: r.ID,
Published: osv.Time{Time: r.Published},
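Review bot: moving the fallback out of here also changes the conversion path: the removed code built `Description(r.Summary)` and called `.String()` on that, while the replacement later in this file calls `r.Summary.String()` directly. If `Description.String` normalizes text differently from `Summary.String`, the fallback details text changes for every report that has no description; confirm the two produce identical output, or keep the `Description(...)` conversion at the new location.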
@@ -62,7 +62,6 @@
Withdrawn: withdrawn,
Related: r.Related,
Summary: toParagraphs(r.Summary.String()),
- Details: toParagraphs(details.String()),
Credits: credits,
SchemaVersion: SchemaVersion,
DatabaseSpecific: &osv.DatabaseSpecific{
@@ -71,12 +70,16 @@
},
}

+ hasNonGoVersions := false
for _, m := range r.Modules {
affected, err := toAffected(m)
if err != nil {
return osv.Entry{}, err
}
entry.Affected = append(entry.Affected, affected)
+ if len(m.NonGoVersions) != 0 {
+ hasNonGoVersions = true
+ }
}
for _, ref := range r.References {
entry.References = append(entry.References, osv.Reference{
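Review bot: `hasNonGoVersions` is computed by piggybacking on the affected-modules loop but only consumed after the references loop, a dozen lines away; a small method on the report (a hypothetical `r.hasNonGoVersions()`) would keep `ToOSV` easier to follow and could be unit-tested on its own. Worth stating in a comment as well that a module with `NonGoVersions` still contributes its `toAffected` ranges unchanged, so the flag only adds prose and never alters the affected ranges consumers match against.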
@@ -85,6 +88,23 @@
})
}
entry.Aliases = r.Aliases()
+
+ // If the report has no description, use the summary for now.
+ // TODO(https://go.dev/issues/61201): Remove this once pkgsite and
+ // govulncheck can robustly display summaries in place of details.
+ details := r.Description.String()
+ if details == "" {
+ details = r.Summary.String()
+ }
+ // Add an explanation about non-Go versions if applicable.
+ if hasNonGoVersions && !r.IsReviewed() {
+ if !strings.HasSuffix(details, ".") {
+ details = fmt.Sprintf("%s.", details)
+ }
+ details = fmt.Sprintf("%s\n\n%s", details, nonGoExplanation)
+ }
+ entry.Details = toParagraphs(details)
+
return entry, nil
}

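Review bot: the `strings.HasSuffix(details, ".")` check only guards against a trailing period, so a summary ending in `?`, `!`, `)` or a closing backtick gets an extra `.` appended (`...?.`), and an empty `details` (no description and an empty summary) becomes `.` followed by two newlines and the note; check the last rune for any terminal punctuation and skip the period when `details` is empty. The file list for this change contains only `internal/report/osv.go` plus generated JSON, so neither the reviewed/unreviewed branch nor the punctuation handling is covered by a test; a table test in the package's tests with an unreviewed report that has `NonGoVersions` would pin the expected `details`. This hunk also uses `fmt` and `strings` with no import hunk in the diff, so both must already be imported in this file (the later TryBots-Pass result suggests they are).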
Change information

Files:
  • M data/osv/GO-2024-2428.json
  • M data/osv/GO-2024-2430.json
  • M data/osv/GO-2024-2431.json
  • M data/osv/GO-2024-2432.json
  • M data/osv/GO-2024-2433.json
  • M data/osv/GO-2024-2434.json
  • M data/osv/GO-2024-2442.json
  • M data/osv/GO-2024-2444.json
  • M data/osv/GO-2024-2445.json
  • M data/osv/GO-2024-2446.json
  • M data/osv/GO-2024-2447.json
  • M data/osv/GO-2024-2448.json
  • M data/osv/GO-2024-2449.json
  • M data/osv/GO-2024-2450.json
  • M data/osv/GO-2024-2468.json
  • M data/osv/GO-2024-2476.json
  • M data/osv/GO-2024-2479.json
  • M data/osv/GO-2024-2480.json
  • M data/osv/GO-2024-2481.json
  • M data/osv/GO-2024-2495.json
  • M data/osv/GO-2024-2496.json
  • M data/osv/GO-2024-2513.json
  • M data/osv/GO-2024-2515.json
  • M data/osv/GO-2024-2516.json
  • M data/osv/GO-2024-2517.json
  • M data/osv/GO-2024-2519.json
  • M data/osv/GO-2024-2520.json
  • M data/osv/GO-2024-2521.json
  • M data/osv/GO-2024-2523.json
  • M data/osv/GO-2024-2527.json
  • M data/osv/GO-2024-2528.json
  • M data/osv/GO-2024-2529.json
  • M data/osv/GO-2024-2530.json
  • M data/osv/GO-2024-2535.json
  • M data/osv/GO-2024-2537.json
  • M data/osv/GO-2024-2540.json
  • M data/osv/GO-2024-2541.json
  • M data/osv/GO-2024-2556.json
  • M data/osv/GO-2024-2566.json
  • M data/osv/GO-2024-2576.json
  • M data/osv/GO-2024-2582.json
  • M data/osv/GO-2024-2588.json
  • M data/osv/GO-2024-2589.json
  • M data/osv/GO-2024-2590.json
  • M data/osv/GO-2024-2591.json
  • M data/osv/GO-2024-2592.json
  • M data/osv/GO-2024-2593.json
  • M data/osv/GO-2024-2594.json
  • M data/osv/GO-2024-2595.json
  • M data/osv/GO-2024-2629.json
  • M data/osv/GO-2024-2635.json
  • M data/osv/GO-2024-2637.json
  • M data/osv/GO-2024-2664.json
  • M data/osv/GO-2024-2665.json
  • M data/osv/GO-2024-2695.json
  • M data/osv/GO-2024-2696.json
  • M data/osv/GO-2024-2697.json
  • M data/osv/GO-2024-2706.json
  • M data/osv/GO-2024-2707.json
  • M data/osv/GO-2024-2717.json
  • M data/osv/GO-2024-2734.json
  • M data/osv/GO-2024-2750.json
  • M data/osv/GO-2024-2760.json
  • M data/osv/GO-2024-2768.json
  • M data/osv/GO-2024-2771.json
  • M data/osv/GO-2024-2778.json
  • M data/osv/GO-2024-2788.json
  • M data/osv/GO-2024-2801.json
  • M data/osv/GO-2024-2804.json
  • M data/osv/GO-2024-2843.json
  • M data/osv/GO-2024-2844.json
  • M data/osv/GO-2024-2847.json
  • M data/osv/GO-2024-2848.json
  • M data/osv/GO-2024-2851.json
  • M data/osv/GO-2024-2852.json
  • M data/osv/GO-2024-2854.json
  • M data/osv/GO-2024-2855.json
  • M data/osv/GO-2024-2856.json
  • M data/osv/GO-2024-2857.json
  • M data/osv/GO-2024-2858.json
  • M data/osv/GO-2024-2867.json
  • M data/osv/GO-2024-2921.json
  • M data/osv/GO-2024-2924.json
  • M data/osv/GO-2024-2929.json
  • M data/osv/GO-2024-2931.json
  • M data/osv/GO-2024-2932.json
  • M data/osv/GO-2024-2938.json
  • M internal/report/osv.go
Change size: M
Delta: 88 files changed, 116 insertions(+), 96 deletions(-)

Related details

Attention set is empty
Submit Requirements:
  • Code-Review: not satisfied
  • LUCI-Pass: not satisfied
  • No-Unresolved-Comments: satisfied
  • Review-Enforcement: not satisfied
  • TryBots-Pass: not satisfied
Gerrit-MessageType: newchange
Gerrit-Project: vulndb
Gerrit-Branch: master
Gerrit-Change-Id: Id1409182f7fdef37c0a781d6e2ba06b1fc57c080
Gerrit-Change-Number: 596182
Gerrit-PatchSet: 1
Gerrit-Owner: Tatiana Bradley <tatiana...@google.com>
Gerrit-Reviewer: Tatiana Bradley <tatiana...@google.com>

Tatiana Bradley (Gerrit)
Jul 2, 2024, 5:25:27 PM
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Attention needed from Tatiana Bradley

Tatiana Bradley uploaded new patchset

Tatiana Bradley uploaded patch set #2 to this change.

Related details

Attention is currently required from:
  • Tatiana Bradley
Submit Requirements:
  • Code-Review: not satisfied
  • LUCI-Pass: not satisfied
  • No-Unresolved-Comments: satisfied
  • Review-Enforcement: not satisfied
  • TryBots-Pass: not satisfied
Gerrit-MessageType: newpatchset
Gerrit-Project: vulndb
Gerrit-Branch: master
Gerrit-Change-Id: Id1409182f7fdef37c0a781d6e2ba06b1fc57c080
Gerrit-Change-Number: 596182
Gerrit-PatchSet: 2
Gerrit-Owner: Tatiana Bradley <tatiana...@google.com>
Gerrit-Reviewer: Tatiana Bradley <tatiana...@google.com>
Gerrit-Attention: Tatiana Bradley <tatiana...@google.com>

Tatiana Bradley (Gerrit)
11:35 AM (10 hours ago)
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Tatiana Bradley uploaded new patchset

Tatiana Bradley uploaded patch set #5 to this change.
Following approvals got outdated and were removed:
  • LUCI-Pass: LUCI-TryBot-Result+1 by Go LUCI
  • TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI

Related details

Attention set is empty
Submit Requirements:
  • Code-Review: not satisfied
  • LUCI-Pass: not satisfied
  • No-Unresolved-Comments: satisfied
  • Review-Enforcement: not satisfied
  • TryBots-Pass: not satisfied
Gerrit-MessageType: newpatchset
Gerrit-Project: vulndb
Gerrit-Branch: master
Gerrit-Change-Id: Id1409182f7fdef37c0a781d6e2ba06b1fc57c080
Gerrit-Change-Number: 596182
Gerrit-PatchSet: 5
Gerrit-Owner: Tatiana Bradley <tatiana...@google.com>
Gerrit-Reviewer: Tatiana Bradley <tatiana...@google.com>

Tatiana Bradley (Gerrit)
3:34 PM (6 hours ago)
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Tatiana Bradley uploaded new patchset

Tatiana Bradley uploaded patch set #8 to this change.
Following approvals got outdated and were removed:
  • LUCI-Pass: LUCI-TryBot-Result+1 by Go LUCI
  • TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI

Related details

Attention set is empty
Submit Requirements:
  • Code-Review: not satisfied
  • LUCI-Pass: not satisfied
  • No-Unresolved-Comments: satisfied
  • Review-Enforcement: not satisfied
  • TryBots-Pass: not satisfied
Gerrit-MessageType: newpatchset
Gerrit-Project: vulndb
Gerrit-Branch: master
Gerrit-Change-Id: Id1409182f7fdef37c0a781d6e2ba06b1fc57c080
Gerrit-Change-Number: 596182
Gerrit-PatchSet: 8

Roland Shoemaker (Gerrit)
4:37 PM (5 hours ago)
to Tatiana Bradley, goph...@pubsubhelper.golang.org, Go LUCI, Damien Neil, Maceo Thompson, Zvonimir Pavlinovic, Ian Cottrell, Tim King, golang-co...@googlegroups.com
Attention needed from Ian Cottrell, Tatiana Bradley and Tim King

Roland Shoemaker voted Code-Review+2


Related details

Attention is currently required from:
  • Ian Cottrell
  • Tatiana Bradley
  • Tim King
Submit Requirements:
  • Code-Review: satisfied
  • No-Unresolved-Comments: satisfied
  • Review-Enforcement: satisfied
  • TryBots-Pass: satisfied
Gerrit-MessageType: comment
Gerrit-Project: vulndb
Gerrit-Branch: master
Gerrit-Change-Id: Id1409182f7fdef37c0a781d6e2ba06b1fc57c080
Gerrit-Change-Number: 596182
Gerrit-PatchSet: 8
Gerrit-Owner: Tatiana Bradley <tatiana...@google.com>
Gerrit-Reviewer: Ian Cottrell <ianco...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-Reviewer: Tatiana Bradley <tatiana...@google.com>
Gerrit-Reviewer: Tim King <tak...@google.com>
Gerrit-CC: Damien Neil <dn...@google.com>
Gerrit-CC: Maceo Thompson <maceot...@google.com>
Gerrit-CC: Zvonimir Pavlinovic <zpavl...@google.com>
Gerrit-Attention: Ian Cottrell <ianco...@google.com>
Gerrit-Attention: Tim King <tak...@google.com>
Gerrit-Attention: Tatiana Bradley <tatiana...@google.com>
Gerrit-Comment-Date: Wed, 03 Jul 2024 20:37:46 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes

Tim King (Gerrit)
7:10 PM (2 hours ago)
to Tatiana Bradley, goph...@pubsubhelper.golang.org, Roland Shoemaker, Go LUCI, Damien Neil, Maceo Thompson, Zvonimir Pavlinovic, Ian Cottrell, golang-co...@googlegroups.com
Attention needed from Ian Cottrell and Tatiana Bradley

Tim King added 1 comment

Patchset-level comments
File-level comment, Patchset 8 (Latest):
Tim King (unresolved)

Should these changes also be in the YAML files?


Related details

Attention is currently required from:
  • Ian Cottrell
  • Tatiana Bradley
Submit Requirements:
  • Code-Review: satisfied
  • No-Unresolved-Comments: not satisfied
  • Review-Enforcement: satisfied
  • TryBots-Pass: satisfied
Gerrit-MessageType: comment
Gerrit-Project: vulndb
Gerrit-Branch: master
Gerrit-Change-Id: Id1409182f7fdef37c0a781d6e2ba06b1fc57c080
Gerrit-Change-Number: 596182
Gerrit-PatchSet: 8
Gerrit-Owner: Tatiana Bradley <tatiana...@google.com>
Gerrit-Reviewer: Ian Cottrell <ianco...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-Reviewer: Tatiana Bradley <tatiana...@google.com>
Gerrit-Reviewer: Tim King <tak...@google.com>
Gerrit-CC: Damien Neil <dn...@google.com>
Gerrit-CC: Maceo Thompson <maceot...@google.com>
Gerrit-CC: Zvonimir Pavlinovic <zpavl...@google.com>
Gerrit-Attention: Ian Cottrell <ianco...@google.com>
Gerrit-Attention: Tatiana Bradley <tatiana...@google.com>
Gerrit-Comment-Date: Wed, 03 Jul 2024 23:10:30 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No