Scan your Go dependencies for known vulnerabilities in OSV.
OSV (Open Source Vulnerabilities) is a vulnerability database and triage infrastructure for open source projects, aimed at helping both open source maintainers and consumers of open source.
go install github.com/naveensrinivasan/stunning-tribble@latest
- Navigate to the folder that contains your go.mod and run:
go list -m -f '{{if not (or .Main)}}{{.Path}}@{{.Version}}_{{.Replace}}{{end}}' all | stunning-tribble
- If there are no issues, it exits without an error (exit code 0).
- If it finds any vulnerability, it prints the vulnerability and exits with code 1.
Running it on every PR that updates go.mod/go.sum catches known OSV issues before they are merged.
Known vulnerabilities can be ignored by passing their IDs on the command line as a comma-separated list. Here the tool ignores GO-2020-0018 and GO-2020-0016.
Example:
go list -m -f '{{if not (or .Main)}}{{.Path}}@{{.Version}}_{{.Replace}}{{end}}' all | stunning-tribble GO-2020-0018,GO-2020-0016
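The whole pipeline above, reimplemented as an added example (this is not the project's own code, and the page does not show how stunning-tribble is implemented): it parses the go list lines from stdin, queries the public OSV API (POST https://api.osv.dev/v1/querybatch), drops the IDs given on the command line and exits 1 on anything left. Assumptions: OSV stores Go versions without the leading v, as in the output further down; a module with a replace directive is looked up as its replacement, and a replace to a local directory is skipped because it has no version to query; the API returns results in query order and caps the number of queries per batch, so a very large module list would have to be chunked.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
)

// Module is one stdin line, {{.Path}}@{{.Version}}_{{.Replace}} (see the sample input above).
type Module struct{ Path, Version string }

// ParseModuleLine returns the module that actually gets built: a replaced module
// is what ships, so the replacement is queried. Directory replaces yield ok=false.
func ParseModuleLine(line string) (m Module, ok bool) {
	// Paths never contain "@" and versions never contain "_" (semver allows only
	// [0-9A-Za-z.+-]), so the first "@" and the first "_" after it split the line.
	path, rest, ok1 := strings.Cut(strings.TrimSpace(line), "@")
	version, replace, ok2 := strings.Cut(rest, "_")
	if !ok1 || !ok2 {
		return Module{}, false
	}
	if replace == "<nil>" {
		return Module{Path: path, Version: version}, true
	}
	if f := strings.Fields(replace); len(f) == 2 {
		return Module{Path: f[0], Version: f[1]}, true
	}
	return Module{}, false // e.g. "./cert": local directory, nothing to look up
}

// QueryBody builds the JSON for POST https://api.osv.dev/v1/querybatch. OSV's
// Go records use versions without the leading "v" (see "fixed" in the output).
func QueryBody(mods []Module) []byte {
	qs := make([]map[string]any, len(mods))
	for i, m := range mods {
		qs[i] = map[string]any{
			"version": strings.TrimPrefix(m.Version, "v"),
			"package": map[string]string{"name": m.Path, "ecosystem": "Go"},
		}
	}
	body, _ := json.Marshal(map[string]any{"queries": qs})
	return body
}

// Evaluate decodes a querybatch response (results[i] belongs to queries[i]) and
// returns one "path@version: ID" line per advisory that is not on the ignore list.
func Evaluate(mods []Module, respJSON io.Reader, ignore map[string]bool) ([]string, error) {
	var resp struct{ Results []struct{ Vulns []struct{ ID string } } }
	if err := json.NewDecoder(respJSON).Decode(&resp); err != nil {
		return nil, err
	}
	if len(resp.Results) != len(mods) {
		return nil, fmt.Errorf("%d results for %d queries", len(resp.Results), len(mods))
	}
	var out []string
	for i, r := range resp.Results {
		for _, v := range r.Vulns {
			if !ignore[v.ID] {
				out = append(out, fmt.Sprintf("%s@%s: %s", mods[i].Path, mods[i].Version, v.ID))
			}
		}
	}
	return out, nil
}

func main() {
	ignore := map[string]bool{} // argv: comma-separated IDs, e.g. GO-2020-0018,GO-2020-0016
	for _, id := range strings.Split(strings.Join(os.Args[1:], ","), ",") {
		ignore[strings.TrimSpace(id)] = true
	}
	var mods []Module
	stdin, _ := io.ReadAll(os.Stdin)
	for _, line := range strings.Split(string(stdin), "\n") {
		if m, ok := ParseModuleLine(line); ok {
			mods = append(mods, m)
		}
	}
	resp, err := http.Post("https://api.osv.dev/v1/querybatch", "application/json", bytes.NewReader(QueryBody(mods)))
	if err != nil {
		fmt.Fprintln(os.Stderr, "osv query failed:", err)
		os.Exit(2)
	}
	defer resp.Body.Close()
	findings, err := Evaluate(mods, resp.Body, ignore)
	if err != nil {
		fmt.Fprintln(os.Stderr, "bad osv response:", err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
	if len(findings) > 0 {
		os.Exit(1) // same contract as the tool: 1 on findings, 0 when clean
	}
}
```

Pipe the same go list command into it, with the ignore list as the first argument. Exit code 2 is reserved for "could not check" (network or malformed response), so a CI job can tell a failed scan apart from a clean one instead of silently passing when the API is unreachable.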
The module list that is piped into the tool comes from this go list command:
go list -m -f '{{if not (or .Main)}}{{.Path}}@{{.Version}}_{{.Replace}}{{end}}' all
Here is an example of the input that is passed on stdin:
cloud.google.com/[email protected]_<nil>
cloud.google.com/go/[email protected]_<nil>
cloud.google.com/go/[email protected]_<nil>
cloud.google.com/go/[email protected]_<nil>
cloud.google.com/go/[email protected]_<nil>
cloud.google.com/go/[email protected]_<nil>
dmitri.shuralyov.com/gpu/[email protected]_<nil>
git.schwanenlied.me/yawning/[email protected]_github.com/Yawning/bsaes v0.0.0-20180720073208-c0276d75487e
github.com/BurntSushi/[email protected]_<nil>
github.com/BurntSushi/[email protected]_<nil>
github.com/NebulousLabs/[email protected]_<nil>
github.com/NebulousLabs/[email protected]_<nil>
github.com/OneOfOne/[email protected]_<nil>
github.com/Yawning/[email protected]_<nil>
github.com/aead/[email protected]_<nil>
github.com/aead/[email protected]_<nil>
github.com/alecthomas/[email protected]_<nil>
github.com/alecthomas/[email protected]_<nil>
github.com/antihax/[email protected]_<nil>
github.com/armon/[email protected]_<nil>
github.com/armon/[email protected]_<nil>
github.com/armon/[email protected]_<nil>
github.com/asaskevich/[email protected]_<nil>
github.com/benbjohnson/[email protected]_<nil>
github.com/beorn7/[email protected]_<nil>
github.com/bgentry/[email protected]_<nil>
github.com/bketelsen/[email protected]_<nil>
github.com/btcsuite/[email protected]_<nil>
github.com/btcsuite/[email protected]_<nil>
github.com/btcsuite/[email protected]_<nil>
github.com/btcsuite/btcutil/[email protected]_<nil>
github.com/btcsuite/[email protected]_<nil>
github.com/btcsuite/btcwallet/wallet/[email protected]_<nil>
github.com/btcsuite/btcwallet/wallet/[email protected]_<nil>
github.com/btcsuite/btcwallet/wallet/[email protected]_<nil>
github.com/btcsuite/btcwallet/[email protected]_<nil>
github.com/btcsuite/btcwallet/[email protected]_<nil>
github.com/btcsuite/[email protected]_<nil>
github.com/btcsuite/[email protected]_<nil>
github.com/btcsuite/[email protected]_<nil>
github.com/btcsuite/[email protected]_<nil>
github.com/btcsuite/[email protected]_<nil>
github.com/btcsuite/[email protected]_<nil>
github.com/census-instrumentation/[email protected]_<nil>
github.com/certifi/[email protected]_<nil>
github.com/cespare/[email protected]_<nil>
github.com/cespare/xxhash/[email protected]_<nil>
github.com/chzyer/[email protected]_<nil>
github.com/chzyer/[email protected]_<nil>
github.com/chzyer/[email protected]_<nil>
github.com/client9/[email protected]_<nil>
github.com/cncf/udpa/[email protected]_<nil>
github.com/cockroachdb/[email protected]_<nil>
github.com/cockroachdb/[email protected]_<nil>
github.com/cockroachdb/[email protected]_<nil>
github.com/coreos/[email protected]_<nil>
github.com/coreos/[email protected]+incompatible_<nil>
github.com/coreos/[email protected]_<nil>
github.com/coreos/[email protected]_<nil>
github.com/coreos/go-systemd/[email protected]_<nil>
github.com/coreos/[email protected]_<nil>
github.com/cpuguy83/go-md2man/[email protected]_<nil>
github.com/creack/[email protected]_<nil>
github.com/davecgh/[email protected]_<nil>
github.com/decred/dcrd/[email protected]_<nil>
github.com/dgrijalva/[email protected]+incompatible_github.com/golang-jwt/jwt v3.2.1+incompatible
github.com/dgryski/[email protected]_<nil>
github.com/dustin/[email protected]_<nil>
github.com/envoyproxy/[email protected]_<nil>
github.com/envoyproxy/[email protected]_<nil>
github.com/fatih/[email protected]_<nil>
github.com/form3tech-oss/[email protected]+incompatible_<nil>
github.com/frankban/[email protected]_<nil>
github.com/fsnotify/[email protected]_<nil>
github.com/getsentry/[email protected]_<nil>
github.com/ghodss/[email protected]_<nil>
github.com/go-errors/[email protected]_<nil>
github.com/go-gl/[email protected]_<nil>
github.com/go-gl/glfw/v3.3/[email protected]_<nil>
github.com/go-kit/[email protected]_<nil>
github.com/go-kit/[email protected]_<nil>
github.com/go-logfmt/[email protected]_<nil>
github.com/go-openapi/[email protected]_<nil>
github.com/go-openapi/[email protected]_<nil>
github.com/go-stack/[email protected]_<nil>
github.com/godbus/dbus/[email protected]_<nil>
github.com/gogo/[email protected]_<nil>
github.com/golang/[email protected]_<nil>
github.com/golang/[email protected]_<nil>
github.com/golang/[email protected]_<nil>
github.com/golang/[email protected]_<nil>
github.com/golang/[email protected]_<nil>
github.com/google/[email protected]_<nil>
github.com/google/[email protected]_<nil>
github.com/google/[email protected]_<nil>
github.com/google/[email protected]+incompatible_<nil>
github.com/google/martian/[email protected]_<nil>
github.com/google/[email protected]_<nil>
github.com/google/[email protected]_<nil>
github.com/google/[email protected]_<nil>
github.com/googleapis/gax-go/[email protected]_<nil>
github.com/gopherjs/[email protected]_<nil>
github.com/gorilla/[email protected]_<nil>
github.com/grpc-ecosystem/[email protected]_<nil>
github.com/grpc-ecosystem/[email protected]_<nil>
github.com/grpc-ecosystem/[email protected]_<nil>
github.com/grpc-ecosystem/grpc-gateway/[email protected]_<nil>
github.com/hashicorp/consul/[email protected]_<nil>
github.com/hashicorp/consul/[email protected]_<nil>
github.com/hashicorp/[email protected]_<nil>
github.com/hashicorp/[email protected]_<nil>
github.com/hashicorp/[email protected]_<nil>
github.com/hashicorp/[email protected]_<nil>
github.com/hashicorp/[email protected]_<nil>
github.com/hashicorp/[email protected]_<nil>
github.com/hashicorp/[email protected]_<nil>
github.com/hashicorp/[email protected]_<nil>
github.com/hashicorp/[email protected]_<nil>
github.com/hashicorp/[email protected]_<nil>
github.com/hashicorp/[email protected]_<nil>
github.com/hashicorp/[email protected]_<nil>
github.com/hashicorp/[email protected]_<nil>
github.com/hashicorp/[email protected]_<nil>
github.com/hashicorp/[email protected]_<nil>
github.com/hashicorp/[email protected]_<nil>
github.com/hpcloud/[email protected]_<nil>
github.com/ianlancetaylor/[email protected]_<nil>
github.com/inconshreveable/[email protected]_<nil>
github.com/jackpal/[email protected]_<nil>
github.com/jackpal/[email protected]_<nil>
github.com/jedib0t/[email protected]+incompatible_<nil>
github.com/jessevdk/[email protected]_<nil>
github.com/jonboulle/[email protected]_<nil>
github.com/jpillora/[email protected]_<nil>
github.com/jrick/[email protected]_<nil>
github.com/json-iterator/[email protected]_<nil>
github.com/jstemmer/[email protected]_<nil>
github.com/jtolds/[email protected]+incompatible_<nil>
github.com/juju/[email protected]_<nil>
github.com/juju/[email protected]_<nil>
github.com/juju/[email protected]_<nil>
github.com/juju/[email protected]_<nil>
github.com/juju/[email protected]_<nil>
github.com/juju/[email protected]_<nil>
github.com/juju/[email protected]_<nil>
github.com/julienschmidt/[email protected]_<nil>
github.com/kisielk/[email protected]_<nil>
github.com/kisielk/[email protected]_<nil>
github.com/kkdai/[email protected]_<nil>
github.com/konsorten/[email protected]_<nil>
github.com/kr/[email protected]_<nil>
github.com/kr/[email protected]_<nil>
github.com/kr/[email protected]_<nil>
github.com/kr/[email protected]_<nil>
github.com/lightninglabs/[email protected]_<nil>
github.com/lightninglabs/[email protected]_<nil>
github.com/lightninglabs/[email protected]_<nil>
github.com/lightningnetwork/[email protected]_<nil>
github.com/lightningnetwork/lnd/[email protected]_./cert
github.com/lightningnetwork/lnd/[email protected]_./clock
github.com/lightningnetwork/lnd/[email protected]_./healthcheck
github.com/lightningnetwork/lnd/[email protected]_./kvdb
github.com/lightningnetwork/lnd/[email protected]_./queue
github.com/lightningnetwork/lnd/[email protected]_./ticker
github.com/ltcsuite/[email protected]_<nil>
github.com/ltcsuite/[email protected]_<nil>
github.com/magiconair/[email protected]_<nil>
github.com/mattn/[email protected]_<nil>
github.com/mattn/[email protected]_<nil>
github.com/mattn/[email protected]_<nil>
github.com/matttproud/[email protected]_<nil>
github.com/miekg/[email protected]_<nil>
github.com/mitchellh/[email protected]_<nil>
github.com/mitchellh/[email protected]_<nil>
github.com/mitchellh/[email protected]_<nil>
github.com/mitchellh/[email protected]_<nil>
github.com/mitchellh/[email protected]_<nil>
github.com/mitchellh/[email protected]_<nil>
github.com/modern-go/[email protected]_<nil>
github.com/modern-go/[email protected]_<nil>
github.com/mwitkow/[email protected]_<nil>
github.com/oklog/[email protected]_<nil>
github.com/onsi/[email protected]_<nil>
github.com/onsi/[email protected]_<nil>
github.com/opentracing/[email protected]_<nil>
github.com/pascaldekloe/[email protected]_<nil>
github.com/pelletier/[email protected]_<nil>
github.com/pkg/[email protected]_<nil>
github.com/pmezard/[email protected]_<nil>
github.com/posener/[email protected]_<nil>
github.com/prometheus/[email protected]_<nil>
github.com/prometheus/[email protected]_<nil>
github.com/prometheus/[email protected]_<nil>
github.com/prometheus/[email protected]_<nil>
github.com/prometheus/[email protected]_<nil>
github.com/rogpeppe/[email protected]_<nil>
github.com/rogpeppe/[email protected]_<nil>
github.com/russross/blackfriday/[email protected]_<nil>
github.com/ryanuber/[email protected]_<nil>
github.com/sean-/[email protected]_<nil>
github.com/shurcooL/[email protected]_<nil>
github.com/sirupsen/[email protected]_<nil>
github.com/smartystreets/[email protected]_<nil>
github.com/smartystreets/[email protected]_<nil>
github.com/soheilhy/[email protected]_<nil>
github.com/spaolacci/[email protected]_<nil>
github.com/spf13/[email protected]_<nil>
github.com/spf13/[email protected]_<nil>
github.com/spf13/[email protected]_<nil>
github.com/spf13/[email protected]_<nil>
github.com/spf13/[email protected]_<nil>
github.com/spf13/[email protected]_<nil>
github.com/stretchr/[email protected]_<nil>
github.com/stretchr/[email protected]_<nil>
github.com/subosito/[email protected]_<nil>
github.com/tidwall/[email protected]_<nil>
github.com/tmc/[email protected]_<nil>
github.com/tv42/[email protected]_<nil>
github.com/urfave/[email protected]_<nil>
github.com/xiang90/[email protected]_<nil>
github.com/yuin/[email protected]_<nil>
go.etcd.io/[email protected]_<nil>
go.etcd.io/etcd/api/[email protected]_<nil>
go.etcd.io/etcd/client/pkg/[email protected]_<nil>
go.etcd.io/etcd/client/[email protected]_<nil>
go.etcd.io/etcd/client/[email protected]_<nil>
go.etcd.io/etcd/pkg/[email protected]_<nil>
go.etcd.io/etcd/raft/[email protected]_<nil>
go.etcd.io/etcd/server/[email protected]_<nil>
go.mongodb.org/[email protected]_<nil>
[email protected]_<nil>
go.opentelemetry.io/[email protected]_<nil>
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/[email protected]_<nil>
go.opentelemetry.io/[email protected]_<nil>
go.opentelemetry.io/otel/exporters/[email protected]_<nil>
go.opentelemetry.io/otel/[email protected]_<nil>
go.opentelemetry.io/otel/[email protected]_<nil>
go.opentelemetry.io/otel/[email protected]_<nil>
go.opentelemetry.io/otel/sdk/export/[email protected]_<nil>
go.opentelemetry.io/otel/sdk/[email protected]_<nil>
go.opentelemetry.io/otel/[email protected]_<nil>
go.opentelemetry.io/proto/[email protected]_<nil>
go.uber.org/[email protected]_<nil>
go.uber.org/[email protected]_<nil>
go.uber.org/[email protected]_<nil>
go.uber.org/[email protected]_<nil>
golang.org/x/[email protected]_<nil>
golang.org/x/[email protected]_<nil>
golang.org/x/[email protected]_<nil>
golang.org/x/[email protected]_<nil>
golang.org/x/[email protected]_<nil>
golang.org/x/[email protected]_<nil>
golang.org/x/[email protected]_<nil>
golang.org/x/[email protected]_<nil>
golang.org/x/[email protected]_<nil>
golang.org/x/[email protected]_<nil>
golang.org/x/[email protected]_<nil>
golang.org/x/[email protected]_<nil>
golang.org/x/[email protected]_<nil>
golang.org/x/[email protected]_<nil>
golang.org/x/[email protected]_<nil>
google.golang.org/[email protected]_<nil>
google.golang.org/[email protected]_<nil>
google.golang.org/[email protected]_<nil>
google.golang.org/[email protected]_<nil>
google.golang.org/[email protected]_<nil>
gopkg.in/alecthomas/[email protected]_<nil>
gopkg.in/[email protected]_<nil>
gopkg.in/[email protected]_<nil>
gopkg.in/[email protected]_<nil>
gopkg.in/[email protected]_<nil>
gopkg.in/[email protected]_<nil>
gopkg.in/[email protected]_<nil>
gopkg.in/[email protected]_<nil>
gopkg.in/[email protected]_<nil>
gopkg.in/natefinch/[email protected]_<nil>
gopkg.in/[email protected]_<nil>
gopkg.in/[email protected]_<nil>
gopkg.in/[email protected]_<nil>
gopkg.in/[email protected]_<nil>
honnef.co/go/[email protected]_<nil>
rsc.io/[email protected]_<nil>
rsc.io/quote/[email protected]_<nil>
rsc.io/[email protected]_<nil>
sigs.k8s.io/[email protected]_<nil>
The tool dumps the OSV JSON result. Here is an example of the output:
{
"osv": [
{
"vulns": [
{
"id": "GO-2021-0089",
"package": {
"name": "github.com/buger/jsonparser",
"ecosystem": "Go"
},
"details": "Parsing malformed JSON which contain opening brackets, but not closing brackes,\nleads to an infinite loop. If operating on untrusted user input this can be\nused as a denial of service vector.\n",
"affects": {
"ranges": [
{
"type": "SEMVER",
"fixed": "0.0.0-20200321185410-91ac96899e49"
}
]
},
"aliases": [
"CVE-2020-10675"
],
"modified": "2021-04-14T12:00:00Z",
"published": "2021-04-14T12:00:00Z",
"ecosystem_specific": {
"symbols": [
"findKeyStart"
]
},
"database_specific": {
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0089.yaml",
"source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json"
},
"references": [
{
"type": "FIX",
"url": "https://github.com/buger/jsonparser/pull/192"
},
{
"type": "FIX",
"url": "https://github.com/buger/jsonparser/commit/91ac96899e492584984ded0c8f9a08f10b473717"
},
{
"type": "WEB",
"url": "https://github.com/buger/jsonparser/issues/188"
}
],
"affected": [
{
"package": {
"name": "github.com/buger/jsonparser",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20200321185410-91ac96899e49"
}
]
}
],
"ecosystem_specific": {
"symbols": [
"findKeyStart"
]
},
"database_specific": {
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0089.yaml",
"source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json"
}
}
]
},
{
"id": "GO-2021-0057",
"package": {
"name": "github.com/buger/jsonparser",
"ecosystem": "Go"
},
"details": "Due to improper bounds checking, maliciously crafted JSON objects\ncan cause an out-of-bounds panic. If parsing user input, this may\nbe used as a denial of service vector.\n",
"affects": {
"ranges": [
{
"type": "SEMVER",
"fixed": "1.1.1"
}
]
},
"aliases": [
"CVE-2020-35381"
],
"modified": "2021-04-14T12:00:00Z",
"published": "2021-04-14T12:00:00Z",
"ecosystem_specific": {
"symbols": [
"searchKeys"
]
},
"database_specific": {
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0057.yaml",
"source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json"
},
"references": [
{
"type": "FIX",
"url": "https://github.com/buger/jsonparser/pull/221"
},
{
"type": "FIX",
"url": "https://github.com/buger/jsonparser/commit/df3ea76ece10095374fd1c9a22a4fb85a44efc42"
},
{
"type": "WEB",
"url": "https://github.com/buger/jsonparser/issues/219"
}
],
"affected": [
{
"package": {
"name": "github.com/buger/jsonparser",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
]
}
],
"ecosystem_specific": {
"symbols": [
"searchKeys"
]
},
"database_specific": {
"source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json",
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0057.yaml"
}
}
]
}
]
},
{
"vulns": [
{
"id": "GO-2020-0017",
"package": {
"name": "github.com/dgrijalva/jwt-go",
"ecosystem": "Go"
},
"details": "If a JWT contains an audience claim with an array of strings, rather\nthan a single string, and `MapClaims.VerifyAudience` is called with\n`req` set to `false`, then audience verification will be bypassed,\nallowing an invalid set of audiences to be provided.\n",
"affects": {
"ranges": [
{
"type": "SEMVER",
"introduced": "0.0.0-20150717181359-44718f8a89b0"
}
]
},
"aliases": [
"CVE-2020-26160"
],
"modified": "2021-04-14T12:00:00Z",
"published": "2021-04-14T12:00:00Z",
"ecosystem_specific": {
"symbols": [
"MapClaims.VerifyAudience"
]
},
"database_specific": {
"source": "https://storage.googleapis.com/go-vulndb/github.com/dgrijalva/jwt-go/v4.json",
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2020-0017.yaml"
},
"references": [
{
"type": "FIX",
"url": "https://github.com/dgrijalva/jwt-go/commit/ec0a89a131e3e8567adcb21254a5cd20a70ea4ab"
},
{
"type": "WEB",
"url": "https://github.com/dgrijalva/jwt-go/issues/422"
}
],
"affected": [
{
"package": {
"name": "github.com/dgrijalva/jwt-go",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0.0.0-20150717181359-44718f8a89b0"
}
]
}
],
"ecosystem_specific": {
"symbols": [
"MapClaims.VerifyAudience"
]
},
"database_specific": {
"source": "https://storage.googleapis.com/go-vulndb/github.com/dgrijalva/jwt-go/v4.json",
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2020-0017.yaml"
}
},
{
"package": {
"name": "github.com/dgrijalva/jwt-go/v4",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.0-preview1"
}
]
}
],
"ecosystem_specific": {
"symbols": [
"MapClaims.VerifyAudience"
]
},
"database_specific": {
"source": "https://storage.googleapis.com/go-vulndb/github.com/dgrijalva/jwt-go/v4.json",
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2020-0017.yaml"
}
}
]
}
]
},
{
"vulns": [
{
"id": "GO-2020-0020",
"package": {
"name": "github.com/gorilla/handlers",
"ecosystem": "Go"
},
"details": "Usage of the [`CORS`] handler may apply improper CORS headers, allowing\nthe requester to explicitly control the value of the Access-Control-Allow-Origin\nheader, which bypasses the expected behavior of the Same Origin Policy.\n",
"affects": {
"ranges": [
{
"type": "SEMVER",
"fixed": "1.3.0"
}
]
},
"modified": "2021-04-14T12:00:00Z",
"published": "2021-04-14T12:00:00Z",
"ecosystem_specific": {
"symbols": [
"cors.ServeHTTP"
]
},
"database_specific": {
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2020-0020.yaml",
"source": "https://storage.googleapis.com/go-vulndb/github.com/gorilla/handlers.json"
},
"references": [
{
"type": "FIX",
"url": "https://github.com/gorilla/handlers/pull/116"
},
{
"type": "FIX",
"url": "https://github.com/gorilla/handlers/commit/90663712d74cb411cbef281bc1e08c19d1a76145"
}
],
"affected": [
{
"package": {
"name": "github.com/gorilla/handlers",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.0"
}
]
}
],
"ecosystem_specific": {
"symbols": [
"cors.ServeHTTP"
]
},
"database_specific": {
"source": "https://storage.googleapis.com/go-vulndb/github.com/gorilla/handlers.json",
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2020-0020.yaml"
}
}
]
}
]
},
{
"vulns": [
{
"id": "GO-2020-0008",
"package": {
"name": "github.com/miekg/dns",
"ecosystem": "Go"
},
"details": "DNS message transaction IDs are generated using [`math/rand`] which\nmakes them relatively predictable. This reduces the complexity\nof response spoofing attacks against DNS clients.\n",
"affects": {
"ranges": [
{
"type": "SEMVER",
"fixed": "1.1.25-0.20191211073109-8ebf2e419df7"
}
]
},
"aliases": [
"CVE-2019-19794"
],
"modified": "2021-04-14T12:00:00Z",
"published": "2021-04-14T12:00:00Z",
"ecosystem_specific": {
"symbols": [
"id"
]
},
"database_specific": {
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2020-0008.yaml",
"source": "https://storage.googleapis.com/go-vulndb/github.com/miekg/dns.json"
},
"references": [
{
"type": "FIX",
"url": "https://github.com/miekg/dns/pull/1044"
},
{
"type": "FIX",
"url": "https://github.com/miekg/dns/commit/8ebf2e419df7857ac8919baa05248789a8ffbf33"
},
{
"type": "WEB",
"url": "https://github.com/miekg/dns/issues/1037"
},
{
"type": "WEB",
"url": "https://github.com/miekg/dns/issues/1043"
}
],
"affected": [
{
"package": {
"name": "github.com/miekg/dns",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.25-0.20191211073109-8ebf2e419df7"
}
]
}
],
"ecosystem_specific": {
"symbols": [
"id"
]
},
"database_specific": {
"source": "https://storage.googleapis.com/go-vulndb/github.com/miekg/dns.json",
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2020-0008.yaml"
}
}
]
}
]
},
{
"vulns": [
{
"id": "GO-2020-0018",
"package": {
"name": "github.com/satori/go.uuid",
"ecosystem": "Go"
},
"details": "UUIDs generated using [`NewV1`] and [`NewV4`] may not read the expected\nnumber of random bytes. These UUIDs may contain a significantly smaller\namount of entropy than expected, possibly leading to collisions.\n",
"affects": {
"ranges": [
{
"type": "SEMVER",
"fixed": "1.2.1-0.20181016170032-d91630c85102"
}
]
},
"modified": "2021-04-14T12:00:00Z",
"published": "2021-04-14T12:00:00Z",
"ecosystem_specific": {
"symbols": [
"NewV4",
"rfc4122Generator.getClockSequence",
"rfc4122Generator.getHardwareAddr"
]
},
"database_specific": {
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2020-0018.yaml",
"source": "https://storage.googleapis.com/go-vulndb/github.com/satori/go.uuid.json"
},
"references": [
{
"type": "FIX",
"url": "https://github.com/satori/go.uuid/pull/75"
},
{
"type": "FIX",
"url": "https://github.com/satori/go.uuid/commit/d91630c8510268e75203009fe7daf2b8e1d60c45"
},
{
"type": "WEB",
"url": "https://github.com/satori/go.uuid/issues/73"
}
],
"affected": [
{
"package": {
"name": "github.com/satori/go.uuid",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.1-0.20181016170032-d91630c85102"
}
]
}
],
"ecosystem_specific": {
"symbols": [
"NewV4",
"rfc4122Generator.getClockSequence",
"rfc4122Generator.getHardwareAddr"
]
},
"database_specific": {
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2020-0018.yaml",
"source": "https://storage.googleapis.com/go-vulndb/github.com/satori/go.uuid.json"
}
}
]
}
]
},
{
"vulns": [
{
"id": "GO-2020-0016",
"package": {
"name": "github.com/ulikunitz/xz",
"ecosystem": "Go"
},
"details": "An attacker can construct a series of bytes such that calling\n[`Reader.Read`] on the bytes could cause an infinite loop. If\nparsing user supplied input, this may be used as a denial of\nservice vector.\n",
"affects": {
"ranges": [
{
"type": "SEMVER",
"fixed": "0.5.8"
}
]
},
"aliases": [
"CVE-2021-29482"
],
"modified": "2021-04-14T12:00:00Z",
"published": "2021-04-14T12:00:00Z",
"ecosystem_specific": {
"symbols": [
"readUvarint"
]
},
"database_specific": {
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2020-0016.yaml",
"source": "https://storage.googleapis.com/go-vulndb/github.com/ulikunitz/xz.json"
},
"references": [
{
"type": "FIX",
"url": "https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b"
},
{
"type": "WEB",
"url": "https://github.com/ulikunitz/xz/issues/35"
},
{
"type": "WEB",
"url": "https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27"
}
],
"affected": [
{
"package": {
"name": "github.com/ulikunitz/xz",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.8"
}
]
}
],
"ecosystem_specific": {
"symbols": [
"readUvarint"
]
},
"database_specific": {
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2020-0016.yaml",
"source": "https://storage.googleapis.com/go-vulndb/github.com/ulikunitz/xz.json"
}
}
]
}
]
},
{
"vulns": [
{
"id": "GO-2020-0036",
"package": {
"name": "gopkg.in/yaml.v2",
"ecosystem": "Go"
},
"details": "Due to unbounded aliasing, a crafted YAML file can cause consumption\nof significant system resources. If parsing user supplied input, this\nmay be used as a denial of service vector.\n",
"affects": {
"ranges": [
{
"type": "SEMVER",
"fixed": "2.2.8"
}
]
},
"aliases": [
"CVE-2019-11254"
],
"modified": "2021-04-14T12:00:00Z",
"published": "2021-04-14T12:00:00Z",
"ecosystem_specific": {
"symbols": [
"yaml_parser_fetch_more_tokens"
]
},
"database_specific": {
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2020-0036.yaml",
"source": "https://storage.googleapis.com/go-vulndb/gopkg.in/yaml.v2.json"
},
"references": [
{
"type": "FIX",
"url": "https://github.com/go-yaml/yaml/pull/555"
},
{
"type": "FIX",
"url": "https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48"
},
{
"type": "WEB",
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496"
}
],
"affected": [
{
"package": {
"name": "gopkg.in/yaml.v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.8"
}
]
}
],
"ecosystem_specific": {
"symbols": [
"yaml_parser_fetch_more_tokens"
]
},
"database_specific": {
"source": "https://storage.googleapis.com/go-vulndb/gopkg.in/yaml.v2.json",
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2020-0036.yaml"
}
},
{
"package": {
"name": "github.com/go-yaml/yaml",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {
"symbols": [
"yaml_parser_fetch_more_tokens"
]
},
"database_specific": {
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2020-0036.yaml",
"source": "https://storage.googleapis.com/go-vulndb/gopkg.in/yaml.v2.json"
}
}
]
},
{
"id": "GO-2021-0061",
"package": {
"name": "gopkg.in/yaml.v2",
"ecosystem": "Go"
},
"details": "Due to unbounded alias chasing, a maliciously crafted YAML file\ncan cause the system to consume significant system resources. If\nparsing user input, this may be used as a denial of service vector.\n",
"affects": {
"ranges": [
{
"type": "SEMVER",
"fixed": "2.2.3"
}
]
},
"modified": "2021-04-14T12:00:00Z",
"published": "2021-04-14T12:00:00Z",
"ecosystem_specific": {
"symbols": [
"decoder.unmarshal"
]
},
"database_specific": {
"source": "https://storage.googleapis.com/go-vulndb/gopkg.in/yaml.v2.json",
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0061.yaml"
},
"references": [
{
"type": "FIX",
"url": "https://github.com/go-yaml/yaml/pull/375"
},
{
"type": "FIX",
"url": "https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241"
}
],
"affected": [
{
"package": {
"name": "gopkg.in/yaml.v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.3"
}
]
}
],
"ecosystem_specific": {
"symbols": [
"decoder.unmarshal"
]
},
"database_specific": {
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0061.yaml",
"source": "https://storage.googleapis.com/go-vulndb/gopkg.in/yaml.v2.json"
}
},
{
"package": {
"name": "github.com/go-yaml/yaml",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {
"symbols": [
"decoder.unmarshal"
]
},
"database_specific": {
"source": "https://storage.googleapis.com/go-vulndb/gopkg.in/yaml.v2.json",
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0061.yaml"
}
}
]
}
]
}
]
}
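Reading that output back, as an added example that is not part of the project: it flattens the JSON above into one line per advisory with its CVE alias and the first version that fixes it for the reported module, which is what you want in a PR comment or for deciding what to bump. It relies only on the fields visible in the output above (encoding/json matches field names case-insensitively, so no struct tags are needed), and the embedded sample is trimmed from that output; an advisory whose range has no fixed event, like GO-2020-0017, is reported as having no fix listed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// vuln mirrors only the fields of one "vulns" entry that are read here.
// encoding/json matches names case-insensitively, so "id" fills ID and so on.
type vuln struct {
	ID       string
	Aliases  []string
	Package  struct{ Name string }
	Affected []struct {
		Package struct{ Name string }
		Ranges  []struct{ Events []struct{ Introduced, Fixed string } }
	}
}

// Row is one line of the summary: the advisory, its CVE alias if any, the
// module it applies to and the first version that fixes it.
type Row struct{ ID, CVE, Package, Fixed string }

// Summarize flattens the tool's JSON into one Row per advisory. Fixed stays
// empty when the module's range has no "fixed" event, which is how the
// database records an advisory without a fixed release (GO-2020-0017 above).
func Summarize(data []byte) ([]Row, error) {
	var report struct{ OSV []struct{ Vulns []vuln } }
	if err := json.Unmarshal(data, &report); err != nil {
		return nil, err
	}
	var rows []Row
	for _, group := range report.OSV {
		for _, v := range group.Vulns {
			row := Row{ID: v.ID, Package: v.Package.Name}
			if len(v.Aliases) > 0 {
				row.CVE = v.Aliases[0]
			}
			for _, a := range v.Affected {
				if a.Package.Name != v.Package.Name {
					continue // the same advisory may also list a renamed or forked module
				}
				for _, rg := range a.Ranges {
					for _, e := range rg.Events {
						if row.Fixed == "" && e.Fixed != "" {
							row.Fixed = e.Fixed
						}
					}
				}
			}
			rows = append(rows, row)
		}
	}
	return rows, nil
}

// sampleReport is two advisories trimmed from the example output above,
// keeping only the fields Summarize reads.
const sampleReport = `{"osv":[
 {"vulns":[{"id":"GO-2021-0057","package":{"name":"github.com/buger/jsonparser","ecosystem":"Go"},
   "aliases":["CVE-2020-35381"],
   "affected":[{"package":{"name":"github.com/buger/jsonparser","ecosystem":"Go"},
     "ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.1.1"}]}]}]}]},
 {"vulns":[{"id":"GO-2020-0017","package":{"name":"github.com/dgrijalva/jwt-go","ecosystem":"Go"},
   "aliases":["CVE-2020-26160"],
   "affected":[{"package":{"name":"github.com/dgrijalva/jwt-go","ecosystem":"Go"},
     "ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-20150717181359-44718f8a89b0"}]}]},
    {"package":{"name":"github.com/dgrijalva/jwt-go/v4","ecosystem":"Go"},
     "ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"4.0.0-preview1"}]}]}]}]}
]}`

// Usage: go run . report.json   (with no argument it summarizes the embedded sample)
func main() {
	data := []byte(sampleReport)
	if len(os.Args) > 1 {
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	rows, err := Summarize(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot parse report:", err)
		os.Exit(2)
	}
	fmt.Printf("%-13s %-15s %-35s %s\n", "ID", "CVE", "MODULE", "FIXED IN")
	for _, r := range rows {
		if r.Fixed == "" {
			r.Fixed = "(no fix listed)"
		}
		fmt.Printf("%-13s %-15s %-35s %s\n", r.ID, r.CVE, r.Package, r.Fixed)
	}
}
```

Redirect the tool's stdout to a file and pass that file as the argument. Only the affected entry whose package matches the advisory's top-level package is consulted for the fix version, so a sibling entry for a different module path (the jwt-go/v4 entry above) does not get reported as a fix for the module you actually depend on.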
This project aims to have as few dependencies as possible, so that it does not itself have to worry about OSV findings in its own dependencies.
GitHub generated the repository name. I am not good at naming things.