x/vulndb: potential Go vuln in go.etcd.io/etcd #5
Comments
@jba what should be the "canonical" form? ... It would be important to get these right in https://github.com/package-url
In pkg.go.dev we use the form you see above, where the version attaches to the module path. That is Go-specific, though.
Moved to the Go issue tracker: golang/go#50005. The x/vulndb issue tracker is currently only meant for use by the Go security team for tracking CVEs that should be included in the Go vulnerability database.
For #5

Change-Id: I2d5ac25521088fc330c09a1881d30b349f962eef
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/444759
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Change https://go.dev/cl/444759 mentions this issue:
Hi, I took over this issue to track work on GO-2020-0005, the original issue is now tracked in golang/go#50005. (The comment I made refers to a clarification in the OSV spec of the meaning of alias vs related ossf/osv-schema#193. It is just a reminder for me to go back and review all our reports that list 2 or more CVEs as an alias).
Now used to track GO-2020-0005.
old description:
The DB is constructed assuming that package import paths are unique. But it's possible to have two different packages with the same import path, even at the same version. Example:
https://pkg.go.dev/github.com/hashicorp/vault@v1.0.1/api
https://pkg.go.dev/github.com/hashicorp/vault/api@v1.0.1
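The collision from the old description, as an added Go example that is not part of the original issue or of the vulndb code: it parses the two pkg.go.dev URLs, where the version attaches to the module path, and groups them by import path and version. `PkgRef`, `ParsePkgGoDev` and `Providers` are hypothetical names introduced for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// PkgRef names a package together with the module that provides it.
type PkgRef struct{ Module, Version, ImportPath string }

// ParsePkgGoDev splits https://pkg.go.dev/<module>@<version>[/<pkg suffix>].
// Hypothetical helper; it handles only this versioned URL form.
func ParsePkgGoDev(url string) (PkgRef, error) {
	rest := strings.TrimPrefix(url, "https://pkg.go.dev/")
	mod, after, _ := strings.Cut(rest, "@")
	ver, suffix, _ := strings.Cut(after, "/")
	if rest == url || mod == "" || ver == "" {
		return PkgRef{}, fmt.Errorf("want pkg.go.dev/<module>@<version>, got %q", url)
	}
	ref := PkgRef{Module: mod, Version: ver, ImportPath: mod}
	if suffix != "" {
		ref.ImportPath = mod + "/" + suffix
	}
	return ref, nil
}

// Providers maps "importPath@version" to the set of modules serving it.
// More than one module under a key means the import path alone is ambiguous.
func Providers(refs []PkgRef) map[string]map[string]bool {
	out := map[string]map[string]bool{}
	for _, r := range refs {
		key := r.ImportPath + "@" + r.Version
		if out[key] == nil {
			out[key] = map[string]bool{}
		}
		out[key][r.Module] = true
	}
	return out
}

func main() {
	// The two URLs from the issue description; both parse, so errors are dropped.
	a, _ := ParsePkgGoDev("https://pkg.go.dev/github.com/hashicorp/vault@v1.0.1/api")
	b, _ := ParsePkgGoDev("https://pkg.go.dev/github.com/hashicorp/vault/api@v1.0.1")
	for key, mods := range Providers([]PkgRef{a, b}) {
		fmt.Println(key, "is served by", len(mods), "module(s)")
	}
}
```

A store keyed on import path and version would merge these two entries; keeping the module path in the key keeps them apart.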