Collect Go vulnerabilities from golang/vulndb #749

Open
pombredanne opened this issue May 23, 2022 · 3 comments

Comments

@pombredanne
Member

See https://github.com/golang/vulndb/blob/master/reports/
This is a follow up from #466

@TG1999 TG1999 added this to the v34.0.0 milestone Jan 13, 2023
@pombredanne
Member Author

There are some issues wrt. Go, which is why we did not enable imports from the various data sources that provide Go vulnerability data.

Problem

Go is problematic as when we scan there is no universal way to find where a Go package name ends and where a subpath starts. Hence creating a PURL is difficult because it may need access to the whole set of known packages to find what the namespace/name of a package is.

Context

Go vulnerabilities provide two types of vulnerabilities:

  1. For Go system or "builtin" packages, there is a path and a Go SDK/runtime version and no package name
    For instance https://pkg.go.dev/vuln/GO-2023-2185

  2. For other packages, there is a package name and separately a file path(s?) and symbols
    For instance https://pkg.go.dev/vuln/GO-2023-2115

Some other data sources may conflate the package and paths, like in GitLab where we have a package with and without "subpath" for the same vulnerability:

Solution

For VulnerableCode, let's use the Go way for Go: we will not use a path in a PURL namespace/name, nor in a subpath.

Since at scan time ScanCode and other tools may have a PURL with full paths instead, we will need to be smart about this in our API and UI code and have some special processing for Go.

In the future, we may need to evolve refinements of the PURL spec to always include paths in the name, or never include them, as today with subpath.

@pombredanne
Member Author

Note that in the future we will need to store paths and symbols to support reachability #1313

@TG1999
Contributor

TG1999 commented Nov 28, 2023

For example:

  • This is a go package - github.com/go-jose/go-jose/v3

  • This is a purl - "pkg:golang/github.com/go-jose/go-jose/[email protected]"

  • type - "golang"

  • namespace - "github.com/go-jose/go-jose"

  • name - "v3"

  • version - "3.1.0"

keshav-space added a commit that referenced this issue Nov 30, 2023
See this: #749 (comment)

Signed-off-by: Keshav Priyadarshi <[email protected]>
keshav-space added a commit that referenced this issue Nov 30, 2023
See this: #749 (comment)

Signed-off-by: Keshav Priyadarshi <[email protected]>
keshav-space added a commit that referenced this issue Dec 21, 2023
See this: #749 (comment)

Signed-off-by: Keshav Priyadarshi <[email protected]>
@TG1999 TG1999 removed this from the v34.0.0 milestone Jan 30, 2024