data/reports: cleanup - run fix to enforce line length

Run fix on all reports to wrap summary line length.

Change-Id: Ie1b70a3d8a549ddbe2703b317ac9591e6f6287ea
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/549239
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Damien Neil <[email protected]>

data/reports/GO-2021-0063.yaml

@@ -10,7 +10,9 @@ modules:
             - serverHandler.handleMsg
           derived_symbols:
             - PrivateLightServerAPI.Benchmark
-summary: Nil pointer dereference via malicious RPC message in github.com/ethereum/go-ethereum
+summary: |-
+    Nil pointer dereference via malicious RPC message in
+    github.com/ethereum/go-ethereum
 description: |-
     Due to a nil pointer dereference, a maliciously crafted RPC message can cause a
     panic. If handling RPC messages from untrusted clients, this may be used as a

data/reports/GO-2021-0064.yaml

@@ -23,7 +23,9 @@ modules:
           symbols:
             - requestInfo.toCurl
           skip_fix: 'TODO: revisit this reason (module does not contain package k8s.io/kubernetes/staging/src/k8s.io/client-go/transport)'
-summary: Unauthorized credential disclosure via debug logs in k8s.io/kubernetes and k8s.io/client-go
+summary: |-
+    Unauthorized credential disclosure via debug logs in k8s.io/kubernetes and
+    k8s.io/client-go
 description: |-
     Authorization tokens may be inappropriately logged if the verbosity level is set
     to a debug level. This is due to an incomplete fix for CVE-2019-11250.

data/reports/GO-2021-0075.yaml

@@ -9,7 +9,9 @@ modules:
           symbols:
             - ProtocolManager.handleMsg
           skip_fix: 'TODO: revisit this reason (cannot find module providing package github.com/hashicorp/golang-lru)'
-summary: Panic due to improper validation of RPC messages in github.com/ethereum/go-ethereum
+summary: |-
+    Panic due to improper validation of RPC messages in
+    github.com/ethereum/go-ethereum
 description: |-
     Due to improper argument validation in RPC messages, a maliciously crafted
     message can cause a panic, leading to denial of service.

data/reports/GO-2021-0082.yaml

@@ -6,7 +6,9 @@ modules:
       vulnerable_at: 0.31.1-0.20200311052902-c8800899625e
       packages:
         - package: github.com/facebook/fbthrift/thrift/lib/go/thrift
-summary: Denial of service via malicious message size declaration in github.com/facebook/fbthrift
+summary: |-
+    Denial of service via malicious message size declaration in
+    github.com/facebook/fbthrift
 description: |-
     Thrift Servers preallocate memory for the declared size of messages before
     checking the actual size of the message. This allows a malicious user to send

data/reports/GO-2022-0463.yaml

@@ -266,7 +266,9 @@ modules:
             - adminController.TaskStatus
             - beegoAppConfig.Bool
             - beegoAppConfig.DefaultBool
-summary: Access control bypass due to broad route matching in github.com/beego/beego and beego/v2
+summary: |-
+    Access control bypass due to broad route matching in github.com/beego/beego and
+    beego/v2
 description: |-
     Routes in the beego HTTP router can match unintended patterns. This overly-broad
     matching may permit an attacker to bypass access controls.

data/reports/GO-2022-0572.yaml

@@ -219,7 +219,9 @@ modules:
             - adminController.TaskStatus
             - beegoAppConfig.Bool
             - beegoAppConfig.DefaultBool
-summary: Access control bypass via incorrect route lookup in github.com/beego/beego and beego/v2
+summary: |-
+    Access control bypass via incorrect route lookup in github.com/beego/beego and
+    beego/v2
 description: |-
     An issue was discovered in the route lookup process in beego which attackers to
     bypass access control.

data/reports/GO-2022-0588.yaml

@@ -13,7 +13,9 @@ modules:
             - Policy.AllowLists
             - Policy.AllowTables
             - UGCPolicy
-summary: Cross-site scripting via leaked style elements in github.com/microcosm-cc/bluemonday
+summary: |-
+    Cross-site scripting via leaked style elements in
+    github.com/microcosm-cc/bluemonday
 description: |-
     The bluemonday HTML sanitizer can leak the contents of a "style" element into
     HTML output, potentially causing XSS vulnerabilities.

data/reports/GO-2022-0762.yaml

@@ -12,7 +12,9 @@ modules:
             - Policy.Sanitize
             - Policy.SanitizeBytes
             - Policy.SanitizeReader
-summary: Cross-site scripting due to incorrect sanitization in github.com/microcosm-cc/bluemonday
+summary: |-
+    Cross-site scripting due to incorrect sanitization in
+    github.com/microcosm-cc/bluemonday
 description: |-
     An XSS injection was possible because the sanitization of the Cyrillic character
     i bypass a protection mechanism against user-inputted HTML elements such as the

data/reports/GO-2022-0979.yaml

@@ -4,7 +4,9 @@ modules:
       vulnerable_at: 1.0.2
       packages:
         - package: github.com/peterzen/goresolver
-summary: Incorrect DNSSEC validation due to unchecked owner names in github.com/peterzen/goresolver
+summary: |-
+    Incorrect DNSSEC validation due to unchecked owner names in
+    github.com/peterzen/goresolver
 description: |-
     DNSSEC validation is not performed correctly. An attacker can cause this package
     to report successful validation for invalid, attacker-controlled records.

data/reports/GO-2022-1026.yaml

@@ -4,7 +4,9 @@ modules:
       vulnerable_at: 1.0.2
       packages:
         - package: github.com/peterzen/goresolver
-summary: Incorrect validation of root DNSSEC public keys in github.com/peterzen/goresolver
+summary: |-
+    Incorrect validation of root DNSSEC public keys in
+    github.com/peterzen/goresolver
 description: |-
     DNSSEC validation is not performed correctly. An attacker can cause this package
     to report successful validation for invalid, attacker-controlled records.

data/reports/GO-2023-1589.yaml

@@ -21,9 +21,9 @@ modules:
           derived_symbols:
             - Document.Validate
 summary: Denial of service from memory exhaustion in github.com/notaryproject/notation-go
-description: |
-    Parsing PKIX distinguished names containing the string "=#" can
-    cause excessive memory consumption.
+description: |-
+    Parsing PKIX distinguished names containing the string "=#" can cause excessive
+    memory consumption.
 cves:
     - CVE-2023-25656
 ghsas:

data/reports/GO-2023-1821.yaml

@@ -10,8 +10,8 @@ description: |-
     to the x/crisis package to halt the chain, the chain does not halt as originally
     intended.
 
-    No patch will be released, as the package is planned to be deprecated
-    and replaced.
+    No patch will be released, as the package is planned to be deprecated and
+    replaced.
 ghsas:
     - GHSA-qfc5-6r3j-jj22
 references:

data/reports/GO-2023-1842.yaml

@@ -9,7 +9,9 @@ modules:
       packages:
         - package: cmd/go
         - package: cmd/cgo
-summary: Improper sanitization of LDFLAGS with embedded spaces in go command with cgo in cmd/go
+summary: |-
+    Improper sanitization of LDFLAGS with embedded spaces in go command with cgo in
+    cmd/go
 description: |-
     The go command may execute arbitrary code at build time when using cgo. This may
     occur when running "go get" on a malicious module, or when running any other

data/reports/GO-2023-1857.yaml

@@ -8,8 +8,7 @@ modules:
             - Parse
             - ParseList
 summary: Panic when parsing ranges with invalid masks in github.com/malfunkt/iprange
-description: |
-    Parsing a range with a mask larger than 32 bits causes a panic.
+description: Parsing a range with a mask larger than 32 bits causes a panic.
 ghsas:
     - GHSA-f99h-w337-mv56
 references:

data/reports/GO-2023-1867.yaml

@@ -9,8 +9,7 @@ modules:
       packages:
         - package: github.com/binance-chain/tss-lib/common
 summary: Replay attacks involving proofs in github.com/bnb-chain/tss-lib
-description: |
-    Replay attacks involving proofs in github.com/bnb-chain/tss-lib.
+description: Replay attacks involving proofs in github.com/bnb-chain/tss-lib.
 cves:
     - CVE-2022-47930
 references:

data/reports/GO-2023-1881.yaml

@@ -4,9 +4,7 @@ modules:
       vulnerable_at: 0.47.3
       packages:
         - package: github.com/cosmos/cosmos-sdk/x/crisis
-summary: |-
-    The x/crisis package does not charge ConstantFee in
-    github.com/cosmos/cosmos-sdk
+summary: The x/crisis package does not charge ConstantFee in github.com/cosmos/cosmos-sdk
 description: |-
     If a transaction is sent to the `x/crisis` module to check an invariant, the
     ConstantFee parameter of the chain is not charged.

data/reports/GO-2023-1882.yaml

@@ -11,13 +11,13 @@ modules:
             - PeerState.MarshalJSON
 summary: Deadlock in github.com/cometbft/cometbft/consensus
 description: |-
-    An internal modification to the way PeerState is serialized to JSON introduced
-    a deadlock when the new function MarshalJSON is called.
+    An internal modification to the way PeerState is serialized to JSON introduced a
+    deadlock when the new function MarshalJSON is called.
 
-    This function can be called in two ways. The first is via logs, by setting
-    the consensus logging module to "debug" level (which should not happen in
-    production), and setting the log output format to JSON. The second is via
-    RPC dump_consensus_state.
+    This function can be called in two ways. The first is via logs, by setting the
+    consensus logging module to "debug" level (which should not happen in
+    production), and setting the log output format to JSON. The second is via RPC
+    dump_consensus_state.
 cves:
     - CVE-2023-34450
 ghsas:

data/reports/GO-2023-1883.yaml

@@ -15,9 +15,9 @@ summary: Denial of service via OOM in github.com/cometbft/cometbft
 description: |-
     A bug in the CometBFT middleware causes the mempool's two data structures to
     fall out of sync. This can lead to duplicate transactions that cannot be
-    removed, even after they are committed in a block. The only way to remove
-    the transaction is to restart the node. This can be exploited by an attacker
-    to bring down a node by repeatedly submitting duplicate transactions.
+    removed, even after they are committed in a block. The only way to remove the
+    transaction is to restart the node. This can be exploited by an attacker to
+    bring down a node by repeatedly submitting duplicate transactions.
 cves:
     - CVE-2023-34451
 ghsas:

data/reports/GO-2023-1904.yaml

@@ -17,8 +17,7 @@ modules:
             - SHA512_256
             - SHA512_256i
 summary: Collision of hash values in github.com/bnb-chain/tss-lib
-description: |
-    Collision of hash values in github.com/bnb-chain/tss-lib.
+description: Collision of hash values in github.com/bnb-chain/tss-lib.
 cves:
     - CVE-2022-47931
 references:

data/reports/GO-2023-2000.yaml

@@ -21,8 +21,8 @@ summary: Large RSA keys can cause high resource usage in github.com/libp2p/go-li
 description: |-
     Large RSA keys can lead to resource exhaustion attacks.
 
-    With fix, the size of RSA keys transmitted during handshakes is
-    restricted to <= 8192 bits.
+    With fix, the size of RSA keys transmitted during handshakes is restricted to <=
+    8192 bits.
 cves:
     - CVE-2023-39533
 ghsas:

data/reports/GO-2023-2017.yaml

@@ -14,8 +14,8 @@ modules:
             - handleUnbatchedGraphQLRequest
 summary: Denial of service vulnerability in github.com/weaviate/weaviate
 description: |-
-    A type conversion issue in Weaviate may allow a remote attack that would
-    cause a denial of service.
+    A type conversion issue in Weaviate may allow a remote attack that would cause a
+    denial of service.
 cves:
     - CVE-2023-38976
 ghsas:

data/reports/GO-2023-2048.yaml

@@ -12,7 +12,9 @@ modules:
             - SecureJoinVFS
           derived_symbols:
             - SecureJoin
-summary: Paths outside of the rootfs could be produced on Windows in github.com/cyphar/filepath-securejoin
+summary: |-
+    Paths outside of the rootfs could be produced on Windows in
+    github.com/cyphar/filepath-securejoin
 description: |-
     Certain rootfs and path combinations result in generated paths that are outside
     of the provided rootfs on Windows.

data/reports/GO-2023-2052.yaml

@@ -10,7 +10,9 @@ modules:
             - Ctx.isLocalHost
           derived_symbols:
             - Ctx.IsFromLocal
-summary: IsFromLocal local address check can be circumvented in github.com/gofiber/fiber/v2
+summary: |-
+    IsFromLocal local address check can be circumvented in
+    github.com/gofiber/fiber/v2
 description: |-
     The Ctx.IsFromLocal function can incorrectly report a request as being sent from
     localhost when the request contains an X-Forwarded-For header containing a

data/reports/GO-2023-2095.yaml

@@ -9,7 +9,7 @@ modules:
       packages:
         - package: cmd/go
 summary: Arbitrary code execution during build via line directives in cmd/go
-description: |
+description: |-
     Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_"
     directives, allowing blocked linker and compiler flags to be passed during
     compilation. This can result in unexpected execution of arbitrary code when

data/reports/GO-2023-2098.yaml

@@ -27,7 +27,9 @@ modules:
         - package: github.com/consensys/gnark/std/math/bits
           symbols:
             - WithNbDigits
-summary: Unsoundness in variable comparison / non-unique binary decomposition in github.com/consensys/gnark
+summary: |-
+    Unsoundness in variable comparison / non-unique binary decomposition in
+    github.com/consensys/gnark
 cves:
     - CVE-2023-44378
 ghsas:

data/reports/GO-2023-2163.yaml

@@ -15,8 +15,8 @@ modules:
             - ckp.SealWithRand
 summary: Curve KeyPairs fail to encrypt in github.com/nats-io/nkeys
 description: |-
-    Curve KeyPairs always use the same (all-zeros) key to encrypt data,
-    and provide no security.
+    Curve KeyPairs always use the same (all-zeros) key to encrypt data, and provide
+    no security.
 cves:
     - CVE-2023-46129
 ghsas:

data/reports/GO-2023-2181.yaml

@@ -17,8 +17,8 @@ modules:
 summary: Denial of service attack from remote registry in github.com/sigstore/cosign
 description: |-
     An attacker who controls a remote registry can return a high number of
-    attestations and/or signatures to cosign. This can cause cosign to enter
-    a long loop resulting in a denial of service, i.e., endless data attack.
+    attestations and/or signatures to cosign. This can cause cosign to enter a long
+    loop resulting in a denial of service, i.e., endless data attack.
 cves:
     - CVE-2023-46737
 ghsas:

data/reports/GO-2023-2186.yaml

@@ -12,12 +12,11 @@ modules:
             - IsLocal
 summary: Incorrect detection of reserved device names on Windows in path/filepath
 description: |-
-    On Windows, The IsLocal function does not correctly detect reserved device
-    names in some cases.
+    On Windows, The IsLocal function does not correctly detect reserved device names
+    in some cases.
 
-    Reserved names followed by spaces, such as "COM1 ", and
-    reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are
-    incorrectly reported as local.
+    Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and
+    "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local.
 
     With fix, IsLocal now correctly reports these names as non-local.
 references:

data/reports/GO-2023-2333.yaml

@@ -10,7 +10,9 @@ modules:
             - commitChecker.commit
             - nbR1CSConstraints
             - nbPLONKConstraints
-summary: Range checker gadget allows wider inputs than allowed in github.com/consensys/gnark
+summary: |-
+    Range checker gadget allows wider inputs than allowed in
+    github.com/consensys/gnark
 ghsas:
     - GHSA-rjjm-x32p-m3f7
 credits:

data/reports/GO-2023-2334.yaml

@@ -20,8 +20,9 @@ modules:
           derived_symbols:
             - JSONWebEncryption.Decrypt
             - JSONWebEncryption.DecryptMulti
-summary: |
-    Denial of service via decryption of malicious PBES2 JWE objects in github.com/go-jose/go-jose/v3
+summary: |-
+    Denial of service via decryption of malicious PBES2 JWE objects in
+    github.com/go-jose/go-jose/v3
 description: |-
     The go-jose package is subject to a "billion hashes attack" causing
     denial-of-service when decrypting JWE inputs. This occurs when an attacker can

data/reports/GO-2023-2379.yaml

@@ -24,9 +24,9 @@ description: |-
     Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2
     iterations needed to derive a CEK wrapping key. Its purpose is to intentionally
     slow down the key derivation function, making password brute-force and
-    dictionary attacks more resource-intensive. However, if an attacker sets the
-    p2c parameter in JWE to a very large number, it can cause excessive
-    computational consumption.
+    dictionary attacks more resource-intensive. However, if an attacker sets the p2c
+    parameter in JWE to a very large number, it can cause excessive computational
+    consumption.
 cves:
     - CVE-2023-49290
 ghsas: