Zakaria/LearnGO
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

whatcanGOwrong

Browse Source
This commit is contained in:
dadgam3er
2024-09-19 21:38:24 -04:00
commit d0ae4d841d
17908 changed files with 4096831 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/client.go
+347
View File
@@ -0,0 +1,347 @@
// Copyright 2023 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Package client provides an interface for accessing vulnerability
// databases, via either HTTP or local filesystem access.
//
// The protocol is described at https://go.dev/security/vuln/database.
package client
import (
"bytes"
"context"
"encoding/json"
"errors"
"fmt"
"net/http"
"net/url"
"os"
"path/filepath"
"sort"
"strings"
"time"
"golang.org/x/sync/errgroup"
"golang.org/x/vuln/internal/derrors"
"golang.org/x/vuln/internal/osv"
isem "golang.org/x/vuln/internal/semver"
"golang.org/x/vuln/internal/web"
)
// A Client for reading vulnerability databases.
type Client struct {
source
}
type Options struct {
HTTPClient *http.Client
}
// NewClient returns a client that reads the vulnerability database
// in source (an "http" or "file" prefixed URL).
//
// It supports databases following the API described
// in https://go.dev/security/vuln/database#api.
func NewClient(source string, opts *Options) (_ *Client, err error) {
source = strings.TrimRight(source, "/")
uri, err := url.Parse(source)
if err != nil {
return nil, err
}
switch uri.Scheme {
case "http", "https":
return newHTTPClient(uri, opts)
case "file":
return newLocalClient(uri)
default:
return nil, fmt.Errorf("source %q has unsupported scheme", uri)
}
}
var errUnknownSchema = errors.New("unrecognized vulndb format; see https://go.dev/security/vuln/database#api for accepted schema")
func newHTTPClient(uri *url.URL, opts *Options) (*Client, error) {
source := uri.String()
// v1 returns true if the source likely follows the V1 schema.
v1 := func() bool {
return source == "https://vuln.go.dev" ||
endpointExistsHTTP(source, "index/modules.json.gz")
}
if v1() {
return &Client{source: newHTTPSource(uri.String(), opts)}, nil
}
return nil, errUnknownSchema
}
func endpointExistsHTTP(source, endpoint string) bool {
r, err := http.Head(source + "/" + endpoint)
return err == nil && r.StatusCode == http.StatusOK
}
func newLocalClient(uri *url.URL) (*Client, error) {
dir, err := toDir(uri)
if err != nil {
return nil, err
}
// Check if the DB likely follows the v1 schema by
// looking for the "index/modules.json" endpoint.
if endpointExistsDir(dir, modulesEndpoint+".json") {
return &Client{source: newLocalSource(dir)}, nil
}
// If the DB doesn't follow the v1 schema,
// attempt to intepret it as a flat list of OSV files.
// This is currently a "hidden" feature, so don't output the
// specific error if this fails.
src, err := newHybridSource(dir)
if err != nil {
return nil, errUnknownSchema
}
return &Client{source: src}, nil
}
func toDir(uri *url.URL) (string, error) {
dir, err := web.URLToFilePath(uri)
if err != nil {
return "", err
}
fi, err := os.Stat(dir)
if err != nil {
return "", err
}
if !fi.IsDir() {
return "", fmt.Errorf("%s is not a directory", dir)
}
return dir, nil
}
func endpointExistsDir(dir, endpoint string) bool {
_, err := os.Stat(filepath.Join(dir, endpoint))
return err == nil
}
func NewInMemoryClient(entries []*osv.Entry) (*Client, error) {
s, err := newInMemorySource(entries)
if err != nil {
return nil, err
}
return &Client{source: s}, nil
}
func (c *Client) LastModifiedTime(ctx context.Context) (_ time.Time, err error) {
derrors.Wrap(&err, "LastModifiedTime()")
b, err := c.source.get(ctx, dbEndpoint)
if err != nil {
return time.Time{}, err
}
var dbMeta dbMeta
if err := json.Unmarshal(b, &dbMeta); err != nil {
return time.Time{}, err
}
return dbMeta.Modified, nil
}
type ModuleRequest struct {
// The module path to filter on.
// This must be set (if empty, ByModule errors).
Path string
// (Optional) If set, only return vulnerabilities affected
// at this version.
Version string
}
type ModuleResponse struct {
Path string
Version string
Entries []*osv.Entry
}
// ByModules returns a list of responses
// containing the OSV entries corresponding to each request.
//
// The order of the requests is preserved, and each request has
// a response even if there are no entries (in which case the Entries
// field is nil).
func (c *Client) ByModules(ctx context.Context, reqs []*ModuleRequest) (_ []*ModuleResponse, err error) {
derrors.Wrap(&err, "ByModules(%v)", reqs)
metas, err := c.moduleMetas(ctx, reqs)
if err != nil {
return nil, err
}
resps := make([]*ModuleResponse, len(reqs))
g, gctx := errgroup.WithContext(ctx)
g.SetLimit(10)
for i, req := range reqs {
i, req := i, req
g.Go(func() error {
entries, err := c.byModule(gctx, req, metas[i])
if err != nil {
return err
}
resps[i] = &ModuleResponse{
Path: req.Path,
Version: req.Version,
Entries: entries,
}
return nil
})
}
if err := g.Wait(); err != nil {
return nil, err
}
return resps, nil
}
func (c *Client) moduleMetas(ctx context.Context, reqs []*ModuleRequest) (_ []*moduleMeta, err error) {
b, err := c.source.get(ctx, modulesEndpoint)
if err != nil {
return nil, err
}
dec, err := newStreamDecoder(b)
if err != nil {
return nil, err
}
metas := make([]*moduleMeta, len(reqs))
for dec.More() {
var m moduleMeta
err := dec.Decode(&m)
if err != nil {
return nil, err
}
for i, req := range reqs {
if m.Path == req.Path {
metas[i] = &m
}
}
}
return metas, nil
}
// byModule returns the OSV entries matching the ModuleRequest,
// or (nil, nil) if there are none.
func (c *Client) byModule(ctx context.Context, req *ModuleRequest, m *moduleMeta) (_ []*osv.Entry, err error) {
// This module isn't in the database.
if m == nil {
return nil, nil
}
if req.Path == "" {
return nil, fmt.Errorf("module path must be set")
}
if req.Version != "" && !isem.Valid(req.Version) {
return nil, fmt.Errorf("version %s is not valid semver", req.Version)
}
var ids []string
for _, v := range m.Vulns {
if v.Fixed == "" || isem.Less(req.Version, v.Fixed) {
ids = append(ids, v.ID)
}
}
if len(ids) == 0 {
return nil, nil
}
entries, err := c.byIDs(ctx, ids)
if err != nil {
return nil, err
}
// Filter by version.
if req.Version != "" {
affected := func(e *osv.Entry) bool {
for _, a := range e.Affected {
if a.Module.Path == req.Path && isem.Affects(a.Ranges, req.Version) {
return true
}
}
return false
}
var filtered []*osv.Entry
for _, entry := range entries {
if affected(entry) {
filtered = append(filtered, entry)
}
}
if len(filtered) == 0 {
return nil, nil
}
}
sort.SliceStable(entries, func(i, j int) bool {
return entries[i].ID < entries[j].ID
})
return entries, nil
}
func (c *Client) byIDs(ctx context.Context, ids []string) (_ []*osv.Entry, err error) {
entries := make([]*osv.Entry, len(ids))
g, gctx := errgroup.WithContext(ctx)
g.SetLimit(10)
for i, id := range ids {
i, id := i, id
g.Go(func() error {
e, err := c.byID(gctx, id)
if err != nil {
return err
}
entries[i] = e
return nil
})
}
if err := g.Wait(); err != nil {
return nil, err
}
return entries, nil
}
// byID returns the OSV entry with the given ID,
// or an error if it does not exist / cannot be unmarshaled.
func (c *Client) byID(ctx context.Context, id string) (_ *osv.Entry, err error) {
derrors.Wrap(&err, "byID(%s)", id)
b, err := c.source.get(ctx, entryEndpoint(id))
if err != nil {
return nil, err
}
var entry osv.Entry
if err := json.Unmarshal(b, &entry); err != nil {
return nil, err
}
return &entry, nil
}
// newStreamDecoder returns a decoder that can be used
// to read an array of JSON objects.
func newStreamDecoder(b []byte) (*json.Decoder, error) {
dec := json.NewDecoder(bytes.NewBuffer(b))
// skip open bracket
_, err := dec.Token()
if err != nil {
return nil, err
}
return dec, nil
}
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/client_test.go
+341
View File
@@ -0,0 +1,341 @@
// Copyright 2023 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package client
import (
"context"
"encoding/json"
"errors"
"fmt"
"net/http"
"net/http/httptest"
"os"
"path/filepath"
"testing"
"time"
"github.com/google/go-cmp/cmp"
"golang.org/x/vuln/internal/osv"
"golang.org/x/vuln/internal/web"
)
var (
testLegacyVulndb = filepath.Join("testdata", "vulndb-legacy")
testLegacyVulndbFileURL = localURL(testLegacyVulndb)
testVulndb = filepath.Join("testdata", "vulndb-v1")
testVulndbFileURL = localURL(testVulndb)
testFlatVulndb = filepath.Join("testdata", "vulndb-v1", "ID")
testFlatVulndbFileURL = localURL(testFlatVulndb)
testIDs = []string{
"GO-2021-0159",
"GO-2022-0229",
"GO-2022-0463",
"GO-2022-0569",
"GO-2022-0572",
"GO-2021-0068",
"GO-2022-0475",
"GO-2022-0476",
"GO-2021-0240",
"GO-2021-0264",
"GO-2022-0273",
}
)
func newTestServer(dir string) *httptest.Server {
mux := http.NewServeMux()
mux.Handle("/", http.FileServer(http.Dir(dir)))
return httptest.NewServer(mux)
}
func entries(ids []string) ([]*osv.Entry, error) {
if len(ids) == 0 {
return nil, nil
}
entries := make([]*osv.Entry, len(ids))
for i, id := range ids {
b, err := os.ReadFile(filepath.Join(testVulndb, idDir, id+".json"))
if err != nil {
return nil, err
}
var entry osv.Entry
if err := json.Unmarshal(b, &entry); err != nil {
return nil, err
}
entries[i] = &entry
}
return entries, nil
}
func localURL(dir string) string {
absDir, err := filepath.Abs(dir)
if err != nil {
panic(fmt.Sprintf("failed to read %s: %v", dir, err))
}
u, err := web.URLFromFilePath(absDir)
if err != nil {
panic(fmt.Sprintf("failed to read %s: %v", dir, err))
}
return u.String()
}
func TestNewClient(t *testing.T) {
t.Run("vuln.go.dev", func(t *testing.T) {
src := "https://vuln.go.dev"
c, err := NewClient(src, nil)
if err != nil {
t.Fatal(err)
}
if c == nil {
t.Errorf("NewClient(%s) = nil, want instantiated *Client", src)
}
})
t.Run("http/v1", func(t *testing.T) {
srv := newTestServer(testVulndb)
t.Cleanup(srv.Close)
c, err := NewClient(srv.URL, &Options{HTTPClient: srv.Client()})
if err != nil {
t.Fatal(err)
}
if c == nil {
t.Errorf("NewClient(%s) = nil, want instantiated *Client", srv.URL)
}
})
t.Run("http/legacy", func(t *testing.T) {
srv := newTestServer(testLegacyVulndb)
t.Cleanup(srv.Close)
_, err := NewClient(srv.URL, &Options{HTTPClient: srv.Client()})
if err == nil || !errors.Is(err, errUnknownSchema) {
t.Errorf("NewClient() = %s, want error %s", err, errUnknownSchema)
}
})
t.Run("local/v1", func(t *testing.T) {
src := testVulndbFileURL
c, err := NewClient(src, nil)
if err != nil {
t.Fatal(err)
}
if c == nil {
t.Errorf("NewClient(%s) = nil, want instantiated *Client", src)
}
})
t.Run("local/flat", func(t *testing.T) {
src := testFlatVulndbFileURL
c, err := NewClient(src, nil)
if err != nil {
t.Fatal(err)
}
if c == nil {
t.Errorf("NewClient(%s) = nil, want instantiated *Client", src)
}
})
t.Run("local/legacy", func(t *testing.T) {
src := testLegacyVulndbFileURL
_, err := NewClient(src, nil)
if err == nil || !errors.Is(err, errUnknownSchema) {
t.Errorf("NewClient() = %s, want error %s", err, errUnknownSchema)
}
})
}
func TestLastModifiedTime(t *testing.T) {
test := func(t *testing.T, c *Client) {
got, err := c.LastModifiedTime(context.Background())
if err != nil {
t.Fatal(err)
}
want, err := time.Parse(time.RFC3339, "2023-04-03T15:57:51Z")
if err != nil {
t.Fatal(err)
}
if got != want {
t.Errorf("LastModifiedTime = %s, want %s", got, want)
}
}
testAllClientTypes(t, test)
}
func TestByModules(t *testing.T) {
tcs := []struct {
module *ModuleRequest
wantIDs []string
}{
{
module: &ModuleRequest{
Path: "github.com/beego/beego",
},
wantIDs: []string{"GO-2022-0463", "GO-2022-0569", "GO-2022-0572"},
},
{
module: &ModuleRequest{
Path: "github.com/beego/beego",
// "GO-2022-0463" not affected at this version.
Version: "1.12.10",
},
wantIDs: []string{"GO-2022-0569", "GO-2022-0572"},
},
{
module: &ModuleRequest{
Path: "stdlib",
},
wantIDs: []string{"GO-2021-0159", "GO-2021-0240", "GO-2021-0264", "GO-2022-0229", "GO-2022-0273"},
},
{
module: &ModuleRequest{
Path: "stdlib",
Version: "go1.17",
},
wantIDs: []string{"GO-2021-0264", "GO-2022-0273"},
},
{
module: &ModuleRequest{
Path: "toolchain",
},
wantIDs: []string{"GO-2021-0068", "GO-2022-0475", "GO-2022-0476"},
},
{
module: &ModuleRequest{
Path: "toolchain",
// All vulns affected at this version.
Version: "1.14.13",
},
wantIDs: []string{"GO-2021-0068", "GO-2022-0475", "GO-2022-0476"},
},
{
module: &ModuleRequest{
Path: "golang.org/x/crypto",
},
wantIDs: []string{"GO-2022-0229"},
},
{
module: &ModuleRequest{
Path: "golang.org/x/crypto",
// Vuln was fixed at exactly this version.
Version: "1.13.7",
},
wantIDs: nil,
},
{
module: &ModuleRequest{
Path: "does.not/exist",
},
wantIDs: nil,
},
{
module: &ModuleRequest{
Path: "does.not/exist",
Version: "1.0.0",
},
wantIDs: nil,
},
}
// Test each case as an individual call to ByModules.
for _, tc := range tcs {
t.Run(tc.module.Path+"@"+tc.module.Version, func(t *testing.T) {
test := func(t *testing.T, c *Client) {
got, err := c.ByModules(context.Background(), []*ModuleRequest{tc.module})
if err != nil {
t.Fatal(err)
}
wantEntries, err := entries(tc.wantIDs)
if err != nil {
t.Fatal(err)
}
want := []*ModuleResponse{{
Path: tc.module.Path,
Version: tc.module.Version,
Entries: wantEntries,
}}
if diff := cmp.Diff(want, got); diff != "" {
t.Errorf("ByModule() mismatch (-want +got):\n%s", diff)
}
}
testAllClientTypes(t, test)
})
}
// Now create a single test that makes all the requests
// in a single call to ByModules.
reqs := make([]*ModuleRequest, len(tcs))
want := make([]*ModuleResponse, len(tcs))
for i, tc := range tcs {
reqs[i] = tc.module
wantEntries, err := entries(tc.wantIDs)
if err != nil {
t.Fatal(err)
}
want[i] = &ModuleResponse{
Path: tc.module.Path,
Version: tc.module.Version,
Entries: wantEntries,
}
}
t.Run("all", func(t *testing.T) {
test := func(t *testing.T, c *Client) {
got, err := c.ByModules(context.Background(), reqs)
if err != nil {
t.Fatal(err)
}
if diff := cmp.Diff(want, got); diff != "" {
t.Errorf("ByModules() mismatch (-want +got):\n%s", diff)
}
}
testAllClientTypes(t, test)
})
}
// testAllClientTypes runs a given test for all client types.
func testAllClientTypes(t *testing.T, test func(t *testing.T, c *Client)) {
t.Run("http", func(t *testing.T) {
srv := newTestServer(testVulndb)
t.Cleanup(srv.Close)
hc, err := NewClient(srv.URL, &Options{HTTPClient: srv.Client()})
if err != nil {
t.Fatal(err)
}
test(t, hc)
})
t.Run("local", func(t *testing.T) {
fc, err := NewClient(testVulndbFileURL, nil)
if err != nil {
t.Fatal(err)
}
test(t, fc)
})
t.Run("hybrid", func(t *testing.T) {
fc, err := NewClient(testFlatVulndbFileURL, nil)
if err != nil {
t.Fatal(err)
}
test(t, fc)
})
t.Run("in-memory", func(t *testing.T) {
testEntries, err := entries(testIDs)
if err != nil {
t.Fatal(err)
}
mc, err := NewInMemoryClient(testEntries)
if err != nil {
t.Fatal(err)
}
test(t, mc)
})
}
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/index.go
+120
View File
@@ -0,0 +1,120 @@
// Copyright 2023 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package client
import (
"encoding/json"
"fmt"
"io/fs"
"os"
"path/filepath"
"golang.org/x/vuln/internal/osv"
isem "golang.org/x/vuln/internal/semver"
)
// indexFromDir returns a raw index created from a directory
// containing OSV entries.
// It skips any non-JSON files but errors if any of the JSON files
// cannot be unmarshaled into OSV, or have a filename other than <ID>.json.
func indexFromDir(dir string) (map[string][]byte, error) {
idx := newIndex()
f := os.DirFS(dir)
if err := filepath.WalkDir(dir, func(path string, d fs.DirEntry, err error) error {
fname := d.Name()
ext := filepath.Ext(fname)
switch {
case err != nil:
return err
case d.IsDir():
return nil
case ext != ".json":
return nil
}
b, err := fs.ReadFile(f, d.Name())
if err != nil {
return err
}
var entry osv.Entry
if err := json.Unmarshal(b, &entry); err != nil {
return err
}
if fname != entry.ID+".json" {
return fmt.Errorf("OSV entries must have filename of the form <ID>.json, got %s", fname)
}
idx.add(&entry)
return nil
}); err != nil {
return nil, err
}
return idx.raw()
}
func indexFromEntries(entries []*osv.Entry) (map[string][]byte, error) {
idx := newIndex()
for _, entry := range entries {
idx.add(entry)
}
return idx.raw()
}
type index struct {
db *dbMeta
modules modulesIndex
}
func newIndex() *index {
return &index{
db: &dbMeta{},
modules: make(map[string]*moduleMeta),
}
}
func (i *index) add(entry *osv.Entry) {
// Add to db index.
if entry.Modified.After(i.db.Modified) {
i.db.Modified = entry.Modified
}
// Add to modules index.
for _, affected := range entry.Affected {
modulePath := affected.Module.Path
if _, ok := i.modules[modulePath]; !ok {
i.modules[modulePath] = &moduleMeta{
Path: modulePath,
Vulns: []moduleVuln{},
}
}
module := i.modules[modulePath]
module.Vulns = append(module.Vulns, moduleVuln{
ID: entry.ID,
Modified: entry.Modified,
Fixed: isem.NonSupersededFix(affected.Ranges),
})
}
}
func (i *index) raw() (map[string][]byte, error) {
data := make(map[string][]byte)
b, err := json.Marshal(i.db)
if err != nil {
return nil, err
}
data[dbEndpoint] = b
b, err = json.Marshal(i.modules)
if err != nil {
return nil, err
}
data[modulesEndpoint] = b
return data, nil
}
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/schema.go
+77
View File
@@ -0,0 +1,77 @@
// Copyright 2023 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package client
import (
"encoding/json"
"path"
"sort"
"time"
)
const (
idDir = "ID"
indexDir = "index"
)
var (
dbEndpoint = path.Join(indexDir, "db")
modulesEndpoint = path.Join(indexDir, "modules")
)
func entryEndpoint(id string) string {
return path.Join(idDir, id)
}
// dbMeta contains metadata about the database itself.
type dbMeta struct {
// Modified is the time the database was last modified, calculated
// as the most recent time any single OSV entry was modified.
Modified time.Time `json:"modified"`
}
// moduleMeta contains metadata about a Go module that has one
// or more vulnerabilities in the database.
//
// Found in the "index/modules" endpoint of the vulnerability database.
type moduleMeta struct {
// Path is the module path.
Path string `json:"path"`
// Vulns is a list of vulnerabilities that affect this module.
Vulns []moduleVuln `json:"vulns"`
}
// moduleVuln contains metadata about a vulnerability that affects
// a certain module.
type moduleVuln struct {
// ID is a unique identifier for the vulnerability.
// The Go vulnerability database issues IDs of the form
// GO-<YEAR>-<ENTRYID>.
ID string `json:"id"`
// Modified is the time the vuln was last modified.
Modified time.Time `json:"modified"`
// Fixed is the latest version that introduces a fix for the
// vulnerability, in SemVer 2.0.0 format, with no leading "v" prefix.
Fixed string `json:"fixed,omitempty"`
}
// modulesIndex represents an in-memory modules index.
type modulesIndex map[string]*moduleMeta
func (m modulesIndex) MarshalJSON() ([]byte, error) {
modules := make([]*moduleMeta, 0, len(m))
for _, module := range m {
modules = append(modules, module)
}
sort.SliceStable(modules, func(i, j int) bool {
return modules[i].Path < modules[j].Path
})
for _, module := range modules {
sort.SliceStable(module.Vulns, func(i, j int) bool {
return module.Vulns[i].ID < module.Vulns[j].ID
})
}
return json.Marshal(modules)
}
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/source.go
+150
View File
@@ -0,0 +1,150 @@
// Copyright 2023 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package client
import (
"compress/gzip"
"context"
"encoding/json"
"fmt"
"io"
"io/fs"
"net/http"
"os"
"path/filepath"
"golang.org/x/vuln/internal/derrors"
"golang.org/x/vuln/internal/osv"
)
type source interface {
// get returns the raw, uncompressed bytes at the
// requested endpoint, which should be bare with no file extensions
// (e.g., "index/modules" instead of "index/modules.json.gz").
// It errors if the endpoint cannot be reached or does not exist
// in the expected form.
get(ctx context.Context, endpoint string) ([]byte, error)
}
func newHTTPSource(url string, opts *Options) *httpSource {
c := http.DefaultClient
if opts != nil && opts.HTTPClient != nil {
c = opts.HTTPClient
}
return &httpSource{url: url, c: c}
}
// httpSource reads a vulnerability database from an http(s) source.
type httpSource struct {
url string
c *http.Client
}
func (hs *httpSource) get(ctx context.Context, endpoint string) (_ []byte, err error) {
derrors.Wrap(&err, "get(%s)", endpoint)
method := http.MethodGet
reqURL := fmt.Sprintf("%s/%s", hs.url, endpoint+".json.gz")
req, err := http.NewRequestWithContext(ctx, method, reqURL, nil)
if err != nil {
return nil, err
}
resp, err := hs.c.Do(req)
if err != nil {
return nil, err
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
return nil, fmt.Errorf("HTTP %s %s returned unexpected status: %s", method, reqURL, resp.Status)
}
// Uncompress the result.
r, err := gzip.NewReader(resp.Body)
if err != nil {
return nil, err
}
defer r.Close()
return io.ReadAll(r)
}
func newLocalSource(dir string) *localSource {
return &localSource{fs: os.DirFS(dir)}
}
// localSource reads a vulnerability database from a local file system.
type localSource struct {
fs fs.FS
}
func (ls *localSource) get(ctx context.Context, endpoint string) (_ []byte, err error) {
derrors.Wrap(&err, "get(%s)", endpoint)
return fs.ReadFile(ls.fs, endpoint+".json")
}
func newHybridSource(dir string) (*hybridSource, error) {
index, err := indexFromDir(dir)
if err != nil {
return nil, err
}
return &hybridSource{
index: &inMemorySource{data: index},
osv: &localSource{fs: os.DirFS(dir)},
}, nil
}
// hybridSource reads OSV entries from a local file system, but reads
// indexes from an in-memory map.
type hybridSource struct {
index *inMemorySource
osv *localSource
}
func (hs *hybridSource) get(ctx context.Context, endpoint string) (_ []byte, err error) {
derrors.Wrap(&err, "get(%s)", endpoint)
dir, file := filepath.Split(endpoint)
if filepath.Dir(dir) == indexDir {
return hs.index.get(ctx, endpoint)
}
return hs.osv.get(ctx, file)
}
// newInMemorySource creates a new in-memory source from OSV entries.
// Adapted from x/vulndb/internal/database.go.
func newInMemorySource(entries []*osv.Entry) (*inMemorySource, error) {
data, err := indexFromEntries(entries)
if err != nil {
return nil, err
}
for _, entry := range entries {
b, err := json.Marshal(entry)
if err != nil {
return nil, err
}
data[entryEndpoint(entry.ID)] = b
}
return &inMemorySource{data: data}, nil
}
// inMemorySource reads databases from an in-memory map.
// Currently intended for use only in unit tests.
type inMemorySource struct {
data map[string][]byte
}
func (db *inMemorySource) get(ctx context.Context, endpoint string) ([]byte, error) {
b, ok := db.data[endpoint]
if !ok {
return nil, fmt.Errorf("no data found at endpoint %q", endpoint)
}
return b, nil
}
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/source_test.go
+79
View File
@@ -0,0 +1,79 @@
// Copyright 2023 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package client
import (
"context"
"os"
"testing"
)
func TestGet(t *testing.T) {
tcs := []struct {
endpoint string
}{
{
endpoint: "index/db",
},
{
endpoint: "index/modules",
},
{
endpoint: "ID/GO-2021-0068",
},
}
for _, tc := range tcs {
test := func(t *testing.T, s source) {
got, err := s.get(context.Background(), tc.endpoint)
if err != nil {
t.Fatal(err)
}
want, err := os.ReadFile(testVulndb + "/" + tc.endpoint + ".json")
if err != nil {
t.Fatal(err)
}
if string(got) != string(want) {
t.Errorf("get(%s) = %s, want %s", tc.endpoint, got, want)
}
}
testAllSourceTypes(t, test)
}
}
// testAllSourceTypes runs a given test for all source types.
func testAllSourceTypes(t *testing.T, test func(t *testing.T, s source)) {
t.Run("http", func(t *testing.T) {
srv := newTestServer(testVulndb)
hs := newHTTPSource(srv.URL, &Options{HTTPClient: srv.Client()})
test(t, hs)
})
t.Run("local", func(t *testing.T) {
test(t, newLocalSource(testVulndb))
})
t.Run("in-memory", func(t *testing.T) {
testEntries, err := entries(testIDs)
if err != nil {
t.Fatal(err)
}
ms, err := newInMemorySource(testEntries)
if err != nil {
t.Fatal(err)
}
test(t, ms)
})
t.Run("hybrid", func(t *testing.T) {
hs, err := newHybridSource(testFlatVulndb)
if err != nil {
t.Fatal(err)
}
test(t, hs)
})
}
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-legacy/ID/GO-2021-0157.json
Vendored
+1
View File
@@ -0,0 +1 @@
{"id":"GO-2021-0157","published":"2022-01-05T20:00:00Z","modified":"2022-08-29T16:50:59Z","aliases":["CVE-2015-5739"],"details":"The MIME header parser treated spaces and hyphens\nas equivalent, which can permit HTTP request smuggling.\n","affected":[{"package":{"name":"stdlib","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.4.3"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0157"},"ecosystem_specific":{"imports":[{"path":"net/textproto","symbols":["CanonicalMIMEHeaderKey","canonicalMIMEHeaderKey"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/11772"},{"type":"FIX","url":"https://go.googlesource.com/go/+/117ddcb83d7f42d6aa72241240af99ded81118e9"},{"type":"REPORT","url":"https://go.dev/issue/53035"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/iSIyW4lM4hY/m/ADuQR4DiDwAJ"}]}
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-legacy/ID/GO-2021-0159.json
Vendored
+1
View File
@@ -0,0 +1 @@
{"id":"GO-2021-0159","published":"2022-01-05T21:39:14Z","modified":"2022-08-29T16:50:59Z","aliases":["CVE-2015-5739","CVE-2015-5740","CVE-2015-5741"],"details":"HTTP headers were not properly parsed, which allows remote attackers to\nconduct HTTP request smuggling attacks via a request that contains\nContent-Length and Transfer-Encoding header fields.\n","affected":[{"package":{"name":"stdlib","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.4.3"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0159"},"ecosystem_specific":{"imports":[{"path":"net/http","symbols":["CanonicalMIMEHeaderKey","body.readLocked","canonicalMIMEHeaderKey","chunkWriter.writeHeader","fixLength","fixTransferEncoding","readTransfer","transferWriter.shouldSendContentLength","validHeaderFieldByte"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/13148"},{"type":"FIX","url":"https://go.googlesource.com/go/+/26049f6f9171d1190f3bbe05ec304845cfe6399f"},{"type":"FIX","url":"https://go.dev/cl/11772"},{"type":"FIX","url":"https://go.dev/cl/11810"},{"type":"FIX","url":"https://go.dev/cl/12865"},{"type":"FIX","url":"https://go.googlesource.com/go/+/117ddcb83d7f42d6aa72241240af99ded81118e9"},{"type":"FIX","url":"https://go.googlesource.com/go/+/300d9a21583e7cf0149a778a0611e76ff7c6680f"},{"type":"FIX","url":"https://go.googlesource.com/go/+/c2db5f4ccc61ba7df96a747e268a277b802cbb87"},{"type":"REPORT","url":"https://go.dev/issue/12027"},{"type":"REPORT","url":"https://go.dev/issue/11930"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/iSIyW4lM4hY/m/ADuQR4DiDwAJ"}]}
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-legacy/ID/GO-2022-0463.json
Vendored
+293
View File
@@ -0,0 +1,293 @@
{
"id": "GO-2022-0463",
"published": "2022-07-01T20:06:59Z",
"modified": "2022-08-19T22:21:47Z",
"aliases": [
"CVE-2022-31259",
"GHSA-qx32-f6g6-fcfr"
],
"details": "Routes in the beego HTTP router can match unintended patterns.\nThis overly-broad matching may permit an attacker to bypass access\ncontrols.\n\nFor example, the pattern \"/a/b/:name\" can match the URL \"/a.xml/b/\".\nThis may bypass access control applied to the prefix \"/a/\".\n",
"affected": [
{
"package": {
"name": "github.com/beego/beego",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.9"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0463"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/beego/beego",
"symbols": [
"App.Run",
"ControllerRegister.FindPolicy",
"ControllerRegister.FindRouter",
"ControllerRegister.ServeHTTP",
"FilterRouter.ValidRouter",
"InitBeegoBeforeTest",
"Run",
"RunWithMiddleWares",
"TestBeegoInit",
"Tree.Match",
"Tree.match",
"adminApp.Run"
]
}
]
}
},
{
"package": {
"name": "github.com/beego/beego/v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.3"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0463"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/beego/beego/v2/server/web",
"symbols": [
"AddNamespace",
"Any",
"AutoPrefix",
"AutoRouter",
"Compare",
"CompareNot",
"Controller.Bind",
"Controller.BindForm",
"Controller.BindXML",
"Controller.BindYAML",
"Controller.GetSecureCookie",
"Controller.ParseForm",
"Controller.Render",
"Controller.RenderBytes",
"Controller.RenderString",
"Controller.Resp",
"Controller.SaveToFile",
"Controller.ServeFormatted",
"Controller.ServeXML",
"Controller.ServeYAML",
"Controller.SetSecureCookie",
"Controller.Trace",
"Controller.URLFor",
"Controller.XMLResp",
"Controller.XSRFFormHTML",
"Controller.XSRFToken",
"Controller.YamlResp",
"ControllerRegister.Add",
"ControllerRegister.AddAuto",
"ControllerRegister.AddAutoPrefix",
"ControllerRegister.AddMethod",
"ControllerRegister.AddRouterMethod",
"ControllerRegister.Any",
"ControllerRegister.CtrlAny",
"ControllerRegister.CtrlDelete",
"ControllerRegister.CtrlGet",
"ControllerRegister.CtrlHead",
"ControllerRegister.CtrlOptions",
"ControllerRegister.CtrlPatch",
"ControllerRegister.CtrlPost",
"ControllerRegister.CtrlPut",
"ControllerRegister.Delete",
"ControllerRegister.FindPolicy",
"ControllerRegister.FindRouter",
"ControllerRegister.Get",
"ControllerRegister.Handler",
"ControllerRegister.Head",
"ControllerRegister.Include",
"ControllerRegister.Init",
"ControllerRegister.InsertFilter",
"ControllerRegister.Options",
"ControllerRegister.Patch",
"ControllerRegister.Post",
"ControllerRegister.Put",
"ControllerRegister.ServeHTTP",
"ControllerRegister.URLFor",
"CtrlAny",
"CtrlDelete",
"CtrlGet",
"CtrlHead",
"CtrlOptions",
"CtrlPatch",
"CtrlPost",
"CtrlPut",
"Date",
"DateParse",
"Delete",
"Exception",
"ExecuteTemplate",
"ExecuteViewPathTemplate",
"FilterRouter.ValidRouter",
"FlashData.Error",
"FlashData.Notice",
"FlashData.Set",
"FlashData.Store",
"FlashData.Success",
"FlashData.Warning",
"Get",
"GetConfig",
"HTML2str",
"Handler",
"Head",
"Htmlquote",
"Htmlunquote",
"HttpServer.Any",
"HttpServer.AutoPrefix",
"HttpServer.AutoRouter",
"HttpServer.CtrlAny",
"HttpServer.CtrlDelete",
"HttpServer.CtrlGet",
"HttpServer.CtrlHead",
"HttpServer.CtrlOptions",
"HttpServer.CtrlPatch",
"HttpServer.CtrlPost",
"HttpServer.CtrlPut",
"HttpServer.Delete",
"HttpServer.Get",
"HttpServer.Handler",
"HttpServer.Head",
"HttpServer.Include",
"HttpServer.InsertFilter",
"HttpServer.Options",
"HttpServer.Patch",
"HttpServer.Post",
"HttpServer.PrintTree",
"HttpServer.Put",
"HttpServer.RESTRouter",
"HttpServer.Router",
"HttpServer.RouterWithOpts",
"HttpServer.Run",
"Include",
"InitBeegoBeforeTest",
"InsertFilter",
"LoadAppConfig",
"MapGet",
"Namespace.Any",
"Namespace.AutoPrefix",
"Namespace.AutoRouter",
"Namespace.Cond",
"Namespace.CtrlAny",
"Namespace.CtrlDelete",
"Namespace.CtrlGet",
"Namespace.CtrlHead",
"Namespace.CtrlOptions",
"Namespace.CtrlPatch",
"Namespace.CtrlPost",
"Namespace.CtrlPut",
"Namespace.Delete",
"Namespace.Filter",
"Namespace.Get",
"Namespace.Handler",
"Namespace.Head",
"Namespace.Include",
"Namespace.Namespace",
"Namespace.Options",
"Namespace.Patch",
"Namespace.Post",
"Namespace.Put",
"Namespace.Router",
"NewControllerRegister",
"NewControllerRegisterWithCfg",
"NewHttpServerWithCfg",
"NewHttpSever",
"NewNamespace",
"NotNil",
"Options",
"ParseForm",
"Patch",
"Policy",
"Post",
"PrintTree",
"Put",
"RESTRouter",
"ReadFromRequest",
"RenderForm",
"Router",
"RouterWithOpts",
"Run",
"RunWithMiddleWares",
"TestBeegoInit",
"Tree.AddRouter",
"Tree.AddTree",
"Tree.Match",
"Tree.match",
"URLFor",
"URLMap.GetMap",
"URLMap.GetMapData",
"adminApp.Run",
"adminController.AdminIndex",
"adminController.Healthcheck",
"adminController.ListConf",
"adminController.ProfIndex",
"adminController.PrometheusMetrics",
"adminController.QpsIndex",
"adminController.TaskStatus",
"beegoAppConfig.Bool",
"beegoAppConfig.DefaultBool"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/beego/beego/pull/4958"
},
{
"type": "FIX",
"url": "https://github.com/beego/beego/commit/64cf44d725c8cc35d782327d333df9cbeb1bf2dd"
},
{
"type": "WEB",
"url": "https://beego.vip"
},
{
"type": "WEB",
"url": "https://github.com/beego/beego/issues/4946"
},
{
"type": "WEB",
"url": "https://github.com/beego/beego/pull/4954"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31259"
},
{
"type": "WEB",
"url": "https://github.com/advisories/GHSA-qx32-f6g6-fcfr"
}
]
}
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-legacy/ID/GO-2022-0569.json
Vendored
+94
View File
@@ -0,0 +1,94 @@
{
"id": "GO-2022-0569",
"published": "2022-08-23T13:24:17Z",
"modified": "2022-08-23T13:24:17Z",
"aliases": [
"CVE-2022-31836",
"GHSA-95f9-94vc-665h"
],
"details": "The leafInfo.match() function uses path.join()\nto deal with wildcard values which can lead to cross directory risk.\n",
"affected": [
{
"package": {
"name": "github.com/beego/beego",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.11"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0569"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/beego/beego",
"symbols": [
"Tree.Match"
]
}
]
}
},
{
"package": {
"name": "github.com/beego/beego/v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.4"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0569"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/beego/beego/v2/server/web",
"symbols": [
"Tree.Match"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/beego/beego/pull/5025"
},
{
"type": "FIX",
"url": "https://github.com/beego/beego/pull/5025/commits/ea5ae58d40589d249cf577a053e490509de2bf57"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31836"
},
{
"type": "WEB",
"url": "https://github.com/advisories/GHSA-95f9-94vc-665h"
}
]
}
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-legacy/ID/GO-2022-0572.json
Vendored
+91
View File
@@ -0,0 +1,91 @@
{
"id": "GO-2022-0572",
"published": "2022-08-22T17:56:17Z",
"modified": "2022-08-23T19:54:38Z",
"aliases": [
"CVE-2021-30080",
"GHSA-28r6-jm5h-mrgg"
],
"details": "An issue was discovered in the route lookup process in\nbeego which attackers to bypass access control.\n",
"affected": [
{
"package": {
"name": "github.com/beego/beego",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0572"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/beego/beego",
"symbols": [
"Tree.Match"
]
}
]
}
},
{
"package": {
"name": "github.com/beego/beego/v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.3"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0572"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/beego/beego/v2/server/web",
"symbols": [
"Tree.Match"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/beego/beego/pull/4459"
},
{
"type": "FIX",
"url": "https://github.com/beego/beego/commit/d5df5e470d0a8ed291930ae802fd7e6b95226519"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30080"
},
{
"type": "WEB",
"url": "https://github.com/advisories/GHSA-28r6-jm5h-mrgg"
}
]
}
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-legacy/ID/index.json
Vendored
+5
View File
@@ -0,0 +1,5 @@
[
"GO-2022-0463",
"GO-2022-0569",
"GO-2022-0572"
]
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-legacy/aliases.json
Vendored
+1204
View File
File diff suppressed because it is too large Load Diff
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-legacy/github.com/!bee!go/beego.json
Vendored
+480
View File
@@ -0,0 +1,480 @@
[
{
"id": "GO-2022-0463",
"published": "2022-07-01T20:06:59Z",
"modified": "2022-08-19T22:21:47Z",
"aliases": [
"CVE-2022-31259",
"GHSA-qx32-f6g6-fcfr"
],
"details": "Routes in the beego HTTP router can match unintended patterns.\nThis overly-broad matching may permit an attacker to bypass access\ncontrols.\n\nFor example, the pattern \"/a/b/:name\" can match the URL \"/a.xml/b/\".\nThis may bypass access control applied to the prefix \"/a/\".\n",
"affected": [
{
"package": {
"name": "github.com/beego/beego",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.9"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0463"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/beego/beego",
"symbols": [
"App.Run",
"ControllerRegister.FindPolicy",
"ControllerRegister.FindRouter",
"ControllerRegister.ServeHTTP",
"FilterRouter.ValidRouter",
"InitBeegoBeforeTest",
"Run",
"RunWithMiddleWares",
"TestBeegoInit",
"Tree.Match",
"Tree.match",
"adminApp.Run"
]
}
]
}
},
{
"package": {
"name": "github.com/beego/beego/v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.3"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0463"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/beego/beego/v2/server/web",
"symbols": [
"AddNamespace",
"Any",
"AutoPrefix",
"AutoRouter",
"Compare",
"CompareNot",
"Controller.Bind",
"Controller.BindForm",
"Controller.BindXML",
"Controller.BindYAML",
"Controller.GetSecureCookie",
"Controller.ParseForm",
"Controller.Render",
"Controller.RenderBytes",
"Controller.RenderString",
"Controller.Resp",
"Controller.SaveToFile",
"Controller.ServeFormatted",
"Controller.ServeXML",
"Controller.ServeYAML",
"Controller.SetSecureCookie",
"Controller.Trace",
"Controller.URLFor",
"Controller.XMLResp",
"Controller.XSRFFormHTML",
"Controller.XSRFToken",
"Controller.YamlResp",
"ControllerRegister.Add",
"ControllerRegister.AddAuto",
"ControllerRegister.AddAutoPrefix",
"ControllerRegister.AddMethod",
"ControllerRegister.AddRouterMethod",
"ControllerRegister.Any",
"ControllerRegister.CtrlAny",
"ControllerRegister.CtrlDelete",
"ControllerRegister.CtrlGet",
"ControllerRegister.CtrlHead",
"ControllerRegister.CtrlOptions",
"ControllerRegister.CtrlPatch",
"ControllerRegister.CtrlPost",
"ControllerRegister.CtrlPut",
"ControllerRegister.Delete",
"ControllerRegister.FindPolicy",
"ControllerRegister.FindRouter",
"ControllerRegister.Get",
"ControllerRegister.Handler",
"ControllerRegister.Head",
"ControllerRegister.Include",
"ControllerRegister.Init",
"ControllerRegister.InsertFilter",
"ControllerRegister.Options",
"ControllerRegister.Patch",
"ControllerRegister.Post",
"ControllerRegister.Put",
"ControllerRegister.ServeHTTP",
"ControllerRegister.URLFor",
"CtrlAny",
"CtrlDelete",
"CtrlGet",
"CtrlHead",
"CtrlOptions",
"CtrlPatch",
"CtrlPost",
"CtrlPut",
"Date",
"DateParse",
"Delete",
"Exception",
"ExecuteTemplate",
"ExecuteViewPathTemplate",
"FilterRouter.ValidRouter",
"FlashData.Error",
"FlashData.Notice",
"FlashData.Set",
"FlashData.Store",
"FlashData.Success",
"FlashData.Warning",
"Get",
"GetConfig",
"HTML2str",
"Handler",
"Head",
"Htmlquote",
"Htmlunquote",
"HttpServer.Any",
"HttpServer.AutoPrefix",
"HttpServer.AutoRouter",
"HttpServer.CtrlAny",
"HttpServer.CtrlDelete",
"HttpServer.CtrlGet",
"HttpServer.CtrlHead",
"HttpServer.CtrlOptions",
"HttpServer.CtrlPatch",
"HttpServer.CtrlPost",
"HttpServer.CtrlPut",
"HttpServer.Delete",
"HttpServer.Get",
"HttpServer.Handler",
"HttpServer.Head",
"HttpServer.Include",
"HttpServer.InsertFilter",
"HttpServer.Options",
"HttpServer.Patch",
"HttpServer.Post",
"HttpServer.PrintTree",
"HttpServer.Put",
"HttpServer.RESTRouter",
"HttpServer.Router",
"HttpServer.RouterWithOpts",
"HttpServer.Run",
"Include",
"InitBeegoBeforeTest",
"InsertFilter",
"LoadAppConfig",
"MapGet",
"Namespace.Any",
"Namespace.AutoPrefix",
"Namespace.AutoRouter",
"Namespace.Cond",
"Namespace.CtrlAny",
"Namespace.CtrlDelete",
"Namespace.CtrlGet",
"Namespace.CtrlHead",
"Namespace.CtrlOptions",
"Namespace.CtrlPatch",
"Namespace.CtrlPost",
"Namespace.CtrlPut",
"Namespace.Delete",
"Namespace.Filter",
"Namespace.Get",
"Namespace.Handler",
"Namespace.Head",
"Namespace.Include",
"Namespace.Namespace",
"Namespace.Options",
"Namespace.Patch",
"Namespace.Post",
"Namespace.Put",
"Namespace.Router",
"NewControllerRegister",
"NewControllerRegisterWithCfg",
"NewHttpServerWithCfg",
"NewHttpSever",
"NewNamespace",
"NotNil",
"Options",
"ParseForm",
"Patch",
"Policy",
"Post",
"PrintTree",
"Put",
"RESTRouter",
"ReadFromRequest",
"RenderForm",
"Router",
"RouterWithOpts",
"Run",
"RunWithMiddleWares",
"TestBeegoInit",
"Tree.AddRouter",
"Tree.AddTree",
"Tree.Match",
"Tree.match",
"URLFor",
"URLMap.GetMap",
"URLMap.GetMapData",
"adminApp.Run",
"adminController.AdminIndex",
"adminController.Healthcheck",
"adminController.ListConf",
"adminController.ProfIndex",
"adminController.PrometheusMetrics",
"adminController.QpsIndex",
"adminController.TaskStatus",
"beegoAppConfig.Bool",
"beegoAppConfig.DefaultBool"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/beego/beego/pull/4958"
},
{
"type": "FIX",
"url": "https://github.com/beego/beego/commit/64cf44d725c8cc35d782327d333df9cbeb1bf2dd"
},
{
"type": "WEB",
"url": "https://beego.vip"
},
{
"type": "WEB",
"url": "https://github.com/beego/beego/issues/4946"
},
{
"type": "WEB",
"url": "https://github.com/beego/beego/pull/4954"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31259"
},
{
"type": "WEB",
"url": "https://github.com/advisories/GHSA-qx32-f6g6-fcfr"
}
]
},
{
"id": "GO-2022-0569",
"published": "2022-08-23T13:24:17Z",
"modified": "2022-08-23T13:24:17Z",
"aliases": [
"CVE-2022-31836",
"GHSA-95f9-94vc-665h"
],
"details": "The leafInfo.match() function uses path.join()\nto deal with wildcard values which can lead to cross directory risk.\n",
"affected": [
{
"package": {
"name": "github.com/beego/beego",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.11"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0569"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/beego/beego",
"symbols": [
"Tree.Match"
]
}
]
}
},
{
"package": {
"name": "github.com/beego/beego/v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.4"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0569"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/beego/beego/v2/server/web",
"symbols": [
"Tree.Match"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/beego/beego/pull/5025"
},
{
"type": "FIX",
"url": "https://github.com/beego/beego/pull/5025/commits/ea5ae58d40589d249cf577a053e490509de2bf57"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31836"
},
{
"type": "WEB",
"url": "https://github.com/advisories/GHSA-95f9-94vc-665h"
}
]
},
{
"id": "GO-2022-0572",
"published": "2022-08-22T17:56:17Z",
"modified": "2022-08-23T19:54:38Z",
"aliases": [
"CVE-2021-30080",
"GHSA-28r6-jm5h-mrgg"
],
"details": "An issue was discovered in the route lookup process in\nbeego which attackers to bypass access control.\n",
"affected": [
{
"package": {
"name": "github.com/beego/beego",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0572"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/beego/beego",
"symbols": [
"Tree.Match"
]
}
]
}
},
{
"package": {
"name": "github.com/beego/beego/v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.3"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0572"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/beego/beego/v2/server/web",
"symbols": [
"Tree.Match"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/beego/beego/pull/4459"
},
{
"type": "FIX",
"url": "https://github.com/beego/beego/commit/d5df5e470d0a8ed291930ae802fd7e6b95226519"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30080"
},
{
"type": "WEB",
"url": "https://github.com/advisories/GHSA-28r6-jm5h-mrgg"
}
]
}
]
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-legacy/github.com/tidwall/gjson.json
Vendored
+268
View File
@@ -0,0 +1,268 @@
[
{"id": "GO-2021-0054",
"published": "2021-04-14T20:04:52Z",
"modified": "2022-08-19T22:21:47Z",
"aliases": [
"CVE-2020-36067"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0054"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Result.ForEach",
"unwrap"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/196"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36067"
}
]
},
{
"id": "GO-2021-0059",
"published": "2021-04-14T20:04:52Z",
"modified": "2022-08-19T22:21:47Z",
"aliases": [
"CVE-2020-35380",
"GHSA-w942-gw6m-p62c"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.4"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0059"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"sqaush"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/192"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35380"
},
{
"type": "WEB",
"url": "https://github.com/advisories/GHSA-w942-gw6m-p62c"
}
]
},
{
"id": "GO-2021-0265",
"published": "2022-01-14T17:30:24Z",
"modified": "2022-08-19T22:21:47Z",
"aliases": [
"CVE-2020-36066",
"CVE-2021-42836",
"GHSA-ppj4-34rq-v8j9",
"GHSA-wjm3-fq3r-5x46"
],
"details": "GJSON allowed a ReDoS (regular expression denial of service) attack.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.3"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0265"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"match.Match"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/compare/v1.9.2...v1.9.3"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/236"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/237"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36066"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42836"
},
{
"type": "WEB",
"url": "https://github.com/advisories/GHSA-ppj4-34rq-v8j9"
},
{
"type": "WEB",
"url": "https://github.com/advisories/GHSA-wjm3-fq3r-5x46"
}
]
},
{
"id": "GO-2022-0592",
"published": "2022-08-15T18:06:07Z",
"modified": "2022-08-19T22:21:47Z",
"aliases": [
"CVE-2021-42248",
"GHSA-c9gm-7rfj-8w5h"
],
"details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.3"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0592"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Get",
"queryMatches"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/237"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42248"
},
{
"type": "WEB",
"url": "https://github.com/advisories/GHSA-c9gm-7rfj-8w5h"
}
]
}
]
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-legacy/index.json
Vendored
+4
View File
@@ -0,0 +1,4 @@
{
"github.com/BeeGo/beego": "2022-08-23T19:54:38Z",
"github.com/tidwall/gjson": "2022-08-23T19:54:38Z"
}
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/ID/GO-2021-0068.json
Vendored
+1
View File
@@ -0,0 +1 @@
{"schema_version":"1.3.1","id":"GO-2021-0068","modified":"2023-04-03T15:57:51Z","published":"2021-04-14T20:04:52Z","aliases":["CVE-2021-3115"],"details":"The go command may execute arbitrary code at build time when using cgo on Windows. This can be triggered by running go get on a malicious module, or any other time the code is built.","affected":[{"package":{"name":"toolchain","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.14.14"},{"introduced":"1.15.0"},{"fixed":"1.15.7"}]}],"ecosystem_specific":{"imports":[{"path":"cmd/go","goos":["windows"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/284783"},{"type":"FIX","url":"https://go.googlesource.com/go/+/953d1feca9b21af075ad5fc8a3dad096d3ccc3a0"},{"type":"REPORT","url":"https://go.dev/issue/43783"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/mperVMGa98w/m/yo5W5wnvAAAJ"},{"type":"FIX","url":"https://go.dev/cl/284780"},{"type":"FIX","url":"https://go.googlesource.com/go/+/46e2e2e9d99925bbf724b12693c6d3e27a95d6a0"}],"credits":[{"name":"RyotaK"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0068"}}
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/ID/GO-2021-0068.json.gz
Vendored
BIN
View File
Binary file not shown.
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/ID/GO-2021-0159.json
Vendored
+1
View File
@@ -0,0 +1 @@
{"schema_version":"1.3.1","id":"GO-2021-0159","modified":"2023-04-03T15:57:51Z","published":"2022-01-05T21:39:14Z","aliases":["CVE-2015-5739","CVE-2015-5740","CVE-2015-5741"],"details":"HTTP headers were not properly parsed, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.","affected":[{"package":{"name":"stdlib","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.4.3"}]}],"ecosystem_specific":{"imports":[{"path":"net/http","symbols":["CanonicalMIMEHeaderKey","body.readLocked","canonicalMIMEHeaderKey","chunkWriter.writeHeader","fixLength","fixTransferEncoding","readTransfer","transferWriter.shouldSendContentLength","validHeaderFieldByte"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/13148"},{"type":"FIX","url":"https://go.googlesource.com/go/+/26049f6f9171d1190f3bbe05ec304845cfe6399f"},{"type":"FIX","url":"https://go.dev/cl/11772"},{"type":"FIX","url":"https://go.dev/cl/11810"},{"type":"FIX","url":"https://go.dev/cl/12865"},{"type":"FIX","url":"https://go.googlesource.com/go/+/117ddcb83d7f42d6aa72241240af99ded81118e9"},{"type":"FIX","url":"https://go.googlesource.com/go/+/300d9a21583e7cf0149a778a0611e76ff7c6680f"},{"type":"FIX","url":"https://go.googlesource.com/go/+/c2db5f4ccc61ba7df96a747e268a277b802cbb87"},{"type":"REPORT","url":"https://go.dev/issue/12027"},{"type":"REPORT","url":"https://go.dev/issue/11930"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/iSIyW4lM4hY/m/ADuQR4DiDwAJ"}],"credits":[{"name":"Jed Denlea and Régis Leroy"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0159"}}
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/ID/GO-2021-0159.json.gz
Vendored
BIN
View File
Binary file not shown.
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/ID/GO-2021-0240.json
Vendored
+1
View File
@@ -0,0 +1 @@
{"schema_version":"1.3.1","id":"GO-2021-0240","modified":"2023-04-03T15:57:51Z","published":"2022-02-17T17:33:25Z","aliases":["CVE-2021-33196"],"details":"NewReader and OpenReader can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size.","affected":[{"package":{"name":"stdlib","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.15.13"},{"introduced":"1.16.0"},{"fixed":"1.16.5"}]}],"ecosystem_specific":{"imports":[{"path":"archive/zip","symbols":["Reader.init"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/318909"},{"type":"FIX","url":"https://go.googlesource.com/go/+/74242baa4136c7a9132a8ccd9881354442788c8c"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI"},{"type":"REPORT","url":"https://go.dev/issue/46242"}],"credits":[{"name":"the OSS-Fuzz project for discovering this issue and\nEmmanuel Odeke for reporting it\n"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0240"}}
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/ID/GO-2021-0240.json.gz
Vendored
BIN
View File
Binary file not shown.
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/ID/GO-2021-0264.json
Vendored
+1
View File
@@ -0,0 +1 @@
{"schema_version":"1.3.1","id":"GO-2021-0264","modified":"2023-04-03T15:57:51Z","published":"2022-01-13T20:54:43Z","aliases":["CVE-2021-41772"],"details":"Previously, opening a zip with (*Reader).Open could result in a panic if the zip contained a file whose name was exclusively made up of slash characters or \"..\" path elements.\n\nOpen could also panic if passed the empty string directly as an argument.\n\nNow, any files in the zip whose name could not be made valid for fs.FS.Open will be skipped, and no longer added to the fs.FS file list, although they are still accessible through (*Reader).File.\n\nNote that it was already the case that a file could be accessible from (*Reader).Open with a name different from the one in (*Reader).File, as the former is the cleaned name, while the latter is the original one.\n\nFinally, the actual panic site was made robust as a defense-in-depth measure.","affected":[{"package":{"name":"stdlib","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.16.10"},{"introduced":"1.17.0"},{"fixed":"1.17.3"}]}],"ecosystem_specific":{"imports":[{"path":"archive/zip","symbols":["Reader.Open","split"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/349770"},{"type":"FIX","url":"https://go.googlesource.com/go/+/b24687394b55a93449e2be4e6892ead58ea9a10f"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/0fM21h43arc"},{"type":"REPORT","url":"https://go.dev/issue/48085"}],"credits":[{"name":"Colin Arnott, SiteHost and Noah Santschi-Cooney, Sourcegraph Code Intelligence Team"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0264"}}
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/ID/GO-2021-0264.json.gz
Vendored
BIN
View File
Binary file not shown.
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/ID/GO-2022-0229.json
Vendored
+1
View File
@@ -0,0 +1 @@
{"schema_version":"1.3.1","id":"GO-2022-0229","modified":"2023-04-03T15:57:51Z","published":"2022-07-06T18:23:48Z","aliases":["CVE-2020-7919","GHSA-cjjc-xp8v-855w"],"details":"On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic.\n\nThe malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.","affected":[{"package":{"name":"stdlib","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.12.16"},{"introduced":"1.13.0"},{"fixed":"1.13.7"}]}],"ecosystem_specific":{"imports":[{"path":"crypto/x509"}]}},{"package":{"name":"golang.org/x/crypto","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20200124225646-8b5121be2f68"}]}],"ecosystem_specific":{"imports":[{"path":"golang.org/x/crypto/cryptobyte"}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/216680"},{"type":"FIX","url":"https://go.googlesource.com/go/+/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574"},{"type":"FIX","url":"https://go.dev/cl/216677"},{"type":"REPORT","url":"https://go.dev/issue/36837"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/Hsw4mHYc470"}],"credits":[{"name":"Project Wycheproof"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0229"}}
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/ID/GO-2022-0229.json.gz
Vendored
BIN
View File
Binary file not shown.
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/ID/GO-2022-0273.json
Vendored
+1
View File
@@ -0,0 +1 @@
{"schema_version":"1.3.1","id":"GO-2022-0273","modified":"2023-04-03T15:57:51Z","published":"2022-05-18T18:23:31Z","aliases":["CVE-2021-39293"],"details":"The NewReader and OpenReader functions in archive/zip can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size. This is caused by an incomplete fix for CVE-2021-33196.","affected":[{"package":{"name":"stdlib","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.16.8"},{"introduced":"1.17.0"},{"fixed":"1.17.1"}]}],"ecosystem_specific":{"imports":[{"path":"archive/zip","symbols":["NewReader","OpenReader"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/343434"},{"type":"FIX","url":"https://go.googlesource.com/go/+/bacbc33439b124ffd7392c91a5f5d96eca8c0c0b"},{"type":"REPORT","url":"https://go.dev/issue/47801"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/dx9d7IOseHw"}],"credits":[{"name":"OSS-Fuzz Project and Emmanuel Odeke"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0273"}}
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/ID/GO-2022-0273.json.gz
Vendored
BIN
View File
Binary file not shown.
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/ID/GO-2022-0463.json
Vendored
+1
View File
File diff suppressed because one or more lines are too long
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/ID/GO-2022-0463.json.gz
Vendored
BIN
View File
Binary file not shown.
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/ID/GO-2022-0475.json
Vendored
+1
View File
@@ -0,0 +1 @@
{"schema_version":"1.3.1","id":"GO-2022-0475","modified":"2023-04-03T15:57:51Z","published":"2022-07-28T17:24:30Z","aliases":["CVE-2020-28366"],"details":"The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code.\n\nThis can be caused by malicious unquoted symbol name in a linked object file.","affected":[{"package":{"name":"toolchain","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.14.12"},{"introduced":"1.15.0"},{"fixed":"1.15.5"}]}],"ecosystem_specific":{"imports":[{"path":"cmd/go","symbols":["Builder.cgo"]},{"path":"cmd/cgo","symbols":["dynimport"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/269658"},{"type":"FIX","url":"https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292"},{"type":"REPORT","url":"https://go.dev/issue/42559"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM"}],"credits":[{"name":"Chris Brown and Tempus Ex"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0475"}}
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/ID/GO-2022-0475.json.gz
Vendored
BIN
View File
Binary file not shown.
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/ID/GO-2022-0476.json
Vendored
+1
View File
@@ -0,0 +1 @@
{"schema_version":"1.3.1","id":"GO-2022-0476","modified":"2023-04-03T15:57:51Z","published":"2022-07-28T17:24:43Z","aliases":["CVE-2020-28367"],"details":"The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code.\n\nThis can be caused by malicious gcc flags specified via a cgo directive.","affected":[{"package":{"name":"toolchain","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.14.12"},{"introduced":"1.15.0"},{"fixed":"1.15.5"}]}],"ecosystem_specific":{"imports":[{"path":"cmd/go","symbols":["validCompilerFlags"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/267277"},{"type":"FIX","url":"https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561"},{"type":"REPORT","url":"https://go.dev/issue/42556"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM"}],"credits":[{"name":"Imre Rad"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0476"}}
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/ID/GO-2022-0476.json.gz
Vendored
BIN
View File
Binary file not shown.
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/ID/GO-2022-0569.json
Vendored
+1
View File
File diff suppressed because one or more lines are too long
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/ID/GO-2022-0569.json.gz
Vendored
BIN
View File
Binary file not shown.
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/ID/GO-2022-0572.json
Vendored
+1
View File
File diff suppressed because one or more lines are too long
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/ID/GO-2022-0572.json.gz
Vendored
BIN
View File
Binary file not shown.
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/index/db.json
Vendored
+1
View File
@@ -0,0 +1 @@
{"modified":"2023-04-03T15:57:51Z"}
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/index/db.json.gz
Vendored
BIN
View File
Binary file not shown.
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/index/modules.json
Vendored
+1
View File
@@ -0,0 +1 @@
[{"path":"github.com/astaxie/beego","vulns":[{"id":"GO-2022-0463","modified":"2023-04-03T15:57:51Z"},{"id":"GO-2022-0569","modified":"2023-04-03T15:57:51Z"},{"id":"GO-2022-0572","modified":"2023-04-03T15:57:51Z"}]},{"path":"github.com/beego/beego","vulns":[{"id":"GO-2022-0463","modified":"2023-04-03T15:57:51Z","fixed":"1.12.9"},{"id":"GO-2022-0569","modified":"2023-04-03T15:57:51Z","fixed":"1.12.11"},{"id":"GO-2022-0572","modified":"2023-04-03T15:57:51Z"}]},{"path":"github.com/beego/beego/v2","vulns":[{"id":"GO-2022-0463","modified":"2023-04-03T15:57:51Z","fixed":"2.0.3"},{"id":"GO-2022-0569","modified":"2023-04-03T15:57:51Z","fixed":"2.0.4"},{"id":"GO-2022-0572","modified":"2023-04-03T15:57:51Z","fixed":"2.0.3"}]},{"path":"golang.org/x/crypto","vulns":[{"id":"GO-2022-0229","modified":"2023-04-03T15:57:51Z","fixed":"0.0.0-20200124225646-8b5121be2f68"}]},{"path":"stdlib","vulns":[{"id":"GO-2021-0159","modified":"2023-04-03T15:57:51Z","fixed":"1.4.3"},{"id":"GO-2021-0240","modified":"2023-04-03T15:57:51Z","fixed":"1.16.5"},{"id":"GO-2021-0264","modified":"2023-04-03T15:57:51Z","fixed":"1.17.3"},{"id":"GO-2022-0229","modified":"2023-04-03T15:57:51Z","fixed":"1.13.7"},{"id":"GO-2022-0273","modified":"2023-04-03T15:57:51Z","fixed":"1.17.1"}]},{"path":"toolchain","vulns":[{"id":"GO-2021-0068","modified":"2023-04-03T15:57:51Z","fixed":"1.15.7"},{"id":"GO-2022-0475","modified":"2023-04-03T15:57:51Z","fixed":"1.15.5"},{"id":"GO-2022-0476","modified":"2023-04-03T15:57:51Z","fixed":"1.15.5"}]}]
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/index/modules.json.gz
Vendored
BIN
View File
Binary file not shown.
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/index/vulns.json
Vendored
+1
View File
@@ -0,0 +1 @@
[{"id":"GO-2021-0068","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2021-3115"]},{"id":"GO-2021-0159","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2015-5739","CVE-2015-5740","CVE-2015-5741"]},{"id":"GO-2021-0240","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2021-33196"]},{"id":"GO-2021-0264","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2021-41772"]},{"id":"GO-2022-0229","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2020-7919","GHSA-cjjc-xp8v-855w"]},{"id":"GO-2022-0273","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2021-39293"]},{"id":"GO-2022-0463","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2022-31259","GHSA-qx32-f6g6-fcfr"]},{"id":"GO-2022-0475","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2020-28366"]},{"id":"GO-2022-0476","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2020-28367"]},{"id":"GO-2022-0569","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2022-31836","GHSA-95f9-94vc-665h"]},{"id":"GO-2022-0572","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2021-30080","GHSA-28r6-jm5h-mrgg"]}]
go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/client/testdata/vulndb-v1/index/vulns.json.gz
Vendored
BIN
View File
Binary file not shown.