Go Vulnerability Database
This repository contains code for hosting the Go Vulnerability Database. The actual reports can be found at x/vulndb.
Neither the code, nor the data, nor the existence of this repository is to be considered stable. See the Draft Design for details on this project.
Accessing the database
The Go vulnerability database is rooted at https://storage.googleapis.com/go-vulndb and provides data as JSON. We recommend using client.Client to read data from the Go vulnerability database.
Do not rely on the contents of the x/vulndb repository. The YAML files in that repository are maintained using an internal format that is subject to change without warning.
The endpoints in the table below are supported. For each path:
- $base is the path portion of a Go vulnerability database URL (
- $module is a module path
- $vuln is a Go vulnerability ID (for example,
|Path|Description|
|---|---|
|$base/index.json|List of module paths in the database, each mapped to its last-modified timestamp.|
|$base/$module.json|List of vulnerability entries for that module.|
|$base/ID/index.json|List of all the vulnerability entries in the database.|
|$base/ID/$vuln.json|An individual Go vulnerability report.|
Note that these paths and formats are provisional and likely to change until a proposal is approved.
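As an added illustration of the endpoint layout above (not code from x/vulndb's own client package), this minimal Go snippet resolves the $base/$module.json and $base/ID/$vuln.json paths, decodes index.json as a module-to-timestamp map, and uses the last-modified stamp to decide whether a cached copy of a module's entries must be refetched. The sample index, the helper names and the verbatim use of the module path in the URL are this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"path"
	"time"
)

// Constructed sample of $base/index.json: module path -> last-modified time.
const sampleIndex = `{"golang.org/x/crypto": "2021-04-14T20:04:52Z"}`

// dbIndex mirrors the shape of $base/index.json.
type dbIndex map[string]time.Time

// entryURL joins a relative database path onto $base (trailing slash or not).
func entryURL(base, rel string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	u.Path = path.Join(u.Path, rel)
	return u.String(), nil
}

// moduleURL resolves $base/$module.json and vulnURL $base/ID/$vuln.json. The
// module path is used verbatim (assumption: the page describes no escaping).
func moduleURL(base, module string) (string, error) { return entryURL(base, module+".json") }
func vulnURL(base, id string) (string, error)       { return entryURL(base, "ID/"+id+".json") }

// parseIndex decodes index.json; timestamps are expected in RFC 3339 form.
func parseIndex(data []byte) (dbIndex, error) {
	var idx dbIndex
	err := json.Unmarshal(data, &idx)
	return idx, err
}

// needsRefresh reports whether a copy of $module.json cached at cachedAt is older
// than the index's stamp for module. Absent modules have no entries to fetch.
func needsRefresh(idx dbIndex, module string, cachedAt time.Time) bool {
	mod, ok := idx[module]
	return ok && mod.After(cachedAt)
}

func main() {
	idx, _ := parseIndex([]byte(sampleIndex))
	u, _ := moduleURL("https://storage.googleapis.com/go-vulndb", "golang.org/x/crypto")
	fmt.Println(u, needsRefresh(idx, "golang.org/x/crypto", time.Time{}))
}
```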
Some of these packages can probably be coalesced, but for now are easier to work on in a more segmented fashion.
- osv provides a package for generating OSV-style JSON vulnerability entries from a
- client contains a client for accessing HTTP/fs based vulnerability databases, as well as a minimal caching implementation
- cmd/dbdiff provides a tool for comparing two different versions of the vulnerability database
- cmd/gendb provides a tool for converting YAML reports into the JSON database
- cmd/linter provides a tool for linting individual reports
- cmd/report2cve provides a tool for converting YAML reports into JSON CVEs
Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.
Package client provides an interface for accessing vulnerability databases, via either HTTP or local filesystem access.
Command cvetriage is used to manage the processing and triaging of CVE data from the github.com/CVEProject/cvelist git repository.
Command worker runs the vuln worker server.
Package osv implements the OSV shared vulnerability format, as defined by https://github.com/ossf/osv-schema.
Package vlint contains functionality for linting reports in x/vulndb.
Package internal contains functionality for x/vuln.
Package cveschema contains the schema for a CVE, as derived from https://github.com/CVEProject/automation-working-group/tree/master/cve_json_schema.
Package derrors defines internal error values to categorize the different types of error semantics supported by x/vuln.
Package gitrepo provides operations on git repos.
Package report contains functionality for parsing and linting YAML reports in reports/.
Package log implements event handlers for logging.
Package store supports permanent data storage for the vuln worker.