Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: detect false positives based on imported by count #51944

Open
julieqiu opened this issue Mar 25, 2022 · 1 comment
Open

x/vulndb: detect false positives based on imported by count #51944

julieqiu opened this issue Mar 25, 2022 · 1 comment
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Milestone
vuln/unplanned

Comments

@julieqiu
Copy link
Member

julieqiu commented Mar 25, 2022
edited
Loading

One of the common sources of false positive reports is that a vulnerability is found in a Go module but is not importable. We could detect for this by checking the imported by count on pkg.go.dev.

For example, in the case of golang/vulndb#353, https://pkg.go.dev/github.com/go-gitea/gitea?tab=importedby shows 0 importers.

As a starting point, it would be helpful to add a link to pkg.go.dev/?tab=importedby in the automated issue.
@gopherbot gopherbot added this to the Unreleased milestone Mar 25, 2022
@mknyszek mknyszek added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Mar 25, 2022
@tatianab tatianab self-assigned this Apr 11, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/402394 mentions this issue: x/vulndb: add link to importers of a package in new automated issues

gopherbot pushed a commit to golang/vulndb that referenced this issue Apr 26, 2022
x/vulndb: add link to importers of a package in new automated issues
421e78b 
The worker now includes a link in the automated issue description to pkg.go.dev/?tab=importedby for the affected module, as a starting point in detecting false positive vulnerability reports.

For golang/go#51944

Change-Id: I3caaaba69c07e7a3e24977cf5ea5e92559ce8628
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/402394
Reviewed-by: Julie Qiu <[email protected]>
@julieqiu julieqiu added vulncheck or vulndb Issues for the x/vuln or x/vulndb repo and removed vulndb labels Sep 2, 2022
@julieqiu julieqiu modified the milestones: Unreleased, vuln/unplanned Sep 8, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Projects
Go Security
Status: No status
Milestone
vuln/unplanned
Development

No branches or pull requests
4 participants
@mknyszek @julieqiu @tatianab @gopherbot