vuln

module
Version: v0.0.0-...-ed6f3d7
Published: Dec 2, 2021 License: BSD-3-Clause

README

Go Vulnerability Database

This repository contains code for hosting the Go Vulnerability Database. The actual reports can be found at x/vulndb.

Neither the code, nor the data, nor the existence of this repository is to be considered stable. See the Draft Design for details on this project.

Accessing the database

The Go vulnerability database is rooted at https://storage.googleapis.com/go-vulndb and provides data as JSON. We recommend using client.Client to read data from the Go vulnerability database.

Do not rely on the contents of the x/vulndb repository. The YAML files in that repository are maintained using an internal format that is subject to change without warning.

The endpoints in the table below are supported. For each path:

  • $base is the path portion of a Go vulnerability database URL (https://storage.googleapis.com/go-vulndb).
  • $module is a module path.
  • $vuln is a Go vulnerability ID (for example, GO-2021-1234).
Path                  Description
$base/index.json      List of module paths in the database, each mapped to its last-modified timestamp.
$base/$module.json    List of vulnerability entries for that module.
$base/ID/index.json   List of all the vulnerability entries in the database.
$base/ID/$vuln.json   An individual Go vulnerability report.

Note that these paths and formats are provisional and likely to change until a proposal is approved.
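As an added example (not code from x/vuln or its client package), the Go program below consumes a $base/$module.json payload offline: it decodes a constructed list of OSV entries and decides whether a given module version is affected by walking each SEMVER range's introduced/fixed events in order, which also covers entries with several disjoint affected ranges. It assumes the affected/ranges/events layout of the OSV schema that the osv package implements; the module path example.com/mod and the version numbers are constructed, and the version comparison is a simplified numeric one that ignores pre-release ordering.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Subset of the OSV schema (github.com/ossf/osv-schema) used here; encoding/json maps the lower-case JSON keys onto these fields case-insensitively.
type Event struct{ Introduced, Fixed string }
type Entry struct{ ID string; Affected []struct{ Package struct{ Name string }; Ranges []struct{ Type string; Events []Event } } }
// parse reads "v?MAJOR.MINOR.PATCH"; a "-prerelease" suffix is dropped, so a pre-release compares equal to its release (a simplification).
func parse(v string) (n [3]int) {
	v = strings.SplitN(strings.TrimPrefix(v, "v"), "-", 2)[0]
	for i, p := range strings.SplitN(v, ".", 3) { n[i], _ = strconv.Atoi(p) }
	return n
}
// cmp is negative, zero or positive as version a is below, equal to or above b.
func cmp(a, b string) int {
	x, y := parse(a), parse(b)
	for i := range x { if x[i] != y[i] { return x[i] - y[i] } }
	return 0
}
// vulnerable walks each SEMVER range's sorted events: the version is affected when it is at or past the latest "introduced" and before the next "fixed".
func vulnerable(e Entry, module, version string) bool {
	for _, a := range e.Affected {
		for _, r := range a.Ranges {
			if a.Package.Name != module || r.Type != "SEMVER" { continue }
			hit := false
			for _, ev := range r.Events {
				if ev.Introduced != "" && cmp(version, ev.Introduced) >= 0 { hit = true }
				if ev.Fixed != "" && cmp(version, ev.Fixed) >= 0 { hit = false }
			}
			if hit { return true }
		}
	}
	return false
}
// load decodes a $base/$module.json payload: a JSON list of OSV entries.
func load(data []byte) (es []Entry) {
	if err := json.Unmarshal(data, &es); err != nil { panic(err) }
	return es
}

// Constructed sample in the per-module JSON shape (not real database content); GO-2021-1234 is the README's example ID format.
const sample = `[{"id":"GO-2021-1234","affected":[{"package":{"name":"example.com/mod"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.2.0"},{"introduced":"1.3.0"},{"fixed":"1.3.5"}]}]}]}]`
func main() {
	for _, e := range load([]byte(sample)) { fmt.Println(e.ID, vulnerable(e, "example.com/mod", "v1.3.2")) } // GO-2021-1234 true
}
```

Versions at or past a "fixed" event are reported as not affected until a later "introduced" event re-opens the range, which is why 1.2.0 is clean while 1.3.2 is flagged.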

Packages

Some of these packages can probably be coalesced, but for now are easier to work on in a more segmented fashion.

  • osv provides a package for generating OSV-style JSON vulnerability entries from a report.Report
  • client contains a client for accessing HTTP/fs based vulnerability databases, as well as a minimal caching implementation
  • cmd/dbdiff provides a tool for comparing two different versions of the vulnerability database
  • cmd/gendb provides a tool for converting YAML reports into a JSON database
  • cmd/linter provides a tool for linting individual reports
  • cmd/report2cve provides a tool for converting YAML reports into JSON CVEs

License

Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Database entries available at https://storage.googleapis.com/go-vulndb/ are distributed under the terms of the CC-BY 4.0 license.

Directories

Path                   Synopsis
client                 Package client provides an interface for accessing vulnerability databases, via either HTTP or local filesystem access.
cmd
cmd/cvetriage          Command cvetriage is used to manage the processing and triaging of CVE data from the github.com/CVEProject/cvelist git repository.
cmd/worker             Command worker runs the vuln worker server.
osv                    Package osv implements the OSV shared vulnerability format, as defined by https://github.com/ossf/osv-schema.
vlint                  Package vlint contains functionality for linting reports in x/vulndb.
internal               Package internal contains functionality for x/vuln.
internal/cveschema     Package cveschema contains the schema for a CVE, as derived from https://github.com/CVEProject/automation-working-group/tree/master/cve_json_schema.
internal/derrors       Package derrors defines internal error values to categorize the different types of error semantics supported by x/vuln.
internal/gitrepo       Package gitrepo provides operations on git repos.
internal/report        Package report contains functionality for parsing and linting YAML reports in reports/.
internal/worker/log    Package log implements event handlers for logging.
internal/worker/store  Package store supports permanent data storage for the vuln worker.