
x/vulndb: detect false positives based on imported by count #51944

Open
julieqiu opened this issue Mar 25, 2022 · 1 comment
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo

Comments

@julieqiu
Member

julieqiu commented Mar 25, 2022

One of the common sources of false positive reports is that a vulnerability is found in a Go module but is not importable. We could detect this by checking the imported-by count on pkg.go.dev.

For example, in the case of golang/vulndb#353, https://pkg.go.dev/github.com/go-gitea/gitea?tab=importedby shows 0 importers.

As a starting point, it would be helpful to add a link to pkg.go.dev/?tab=importedby in the automated issue.
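The heuristic proposed above, as an added Go example (not code from x/vulndb or its worker): it builds the pkg.go.dev importedby link for each affected path, flags paths with zero importers as likely false positives, and renders the hint lines an automated issue could carry. The importer counts are a constructed fixture; a real worker would have to obtain them from pkg.go.dev, which this example does not do.

```go
package main

import (
	"fmt"
	"strings"
)

// ImportedByURL builds the pkg.go.dev "Imported By" link the issue proposes
// adding to automated reports, for a module or package path.
func ImportedByURL(path string) string {
	return "https://pkg.go.dev/" + strings.Trim(path, "/") + "?tab=importedby"
}
// Candidate is one affected path plus the triage hint derived from its importer count.
type Candidate struct {
	Path       string
	URL        string
	Importers  int  // -1 when the count is unknown
	Suspicious bool // true when nothing on pkg.go.dev imports the path
}
// Triage applies the issue's heuristic: zero importers usually means the path is an
// application, not a library, so a report against it is a likely false positive.
// counts holds importer counts read from pkg.go.dev; a missing entry is unknown and never flagged.
func Triage(paths []string, counts map[string]int) []Candidate {
	out := make([]Candidate, 0, len(paths))
	for _, p := range paths {
		n, ok := counts[p]
		if !ok {
			n = -1
		}
		out = append(out, Candidate{Path: p, URL: ImportedByURL(p), Importers: n, Suspicious: n == 0})
	}
	return out
}
// IssueLines renders the hint block an automated issue could carry.
func IssueLines(cands []Candidate) string {
	var b strings.Builder
	for _, c := range cands {
		fmt.Fprintf(&b, "- %s: importers %s\n", c.Path, c.URL)
		if c.Suspicious {
			b.WriteString("  possible false positive: 0 importers on pkg.go.dev\n")
		}
	}
	return b.String()
}

func main() {
	// Constructed fixture: gitea's 0 is the count the issue reports; example.com/lib is made up.
	counts := map[string]int{"github.com/go-gitea/gitea": 0, "example.com/lib": 42}
	fmt.Print(IssueLines(Triage([]string{"github.com/go-gitea/gitea", "example.com/lib"}, counts)))
}
```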

@gopherbot gopherbot added this to the Unreleased milestone Mar 25, 2022
@mknyszek mknyszek added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Mar 25, 2022
@tatianab tatianab self-assigned this Apr 11, 2022
@gopherbot
Contributor

Change https://go.dev/cl/402394 mentions this issue: x/vulndb: add link to importers of a package in new automated issues

gopherbot pushed a commit to golang/vulndb that referenced this issue Apr 26, 2022
The worker now includes a link in the automated issue description to pkg.go.dev/?tab=importedby for the affected module, as a starting point in detecting false positive vulnerability reports.

For golang/go#51944

Change-Id: I3caaaba69c07e7a3e24977cf5ea5e92559ce8628
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/402394
Reviewed-by: Julie Qiu <julieqiu@google.com>
@julieqiu julieqiu added vulncheck or vulndb Issues for the x/vuln or x/vulndb repo and removed vulndb labels Sep 2, 2022
@julieqiu julieqiu modified the milestones: Unreleased, vuln/unplanned Sep 8, 2022
4 participants