
Commit b99b550

internal/report: fix formatting of "non go explanation"
- Only append a v prefix to (plausible) semver versions - Don't add a period until the very end Change-Id: I627774c66efb7b29f8f22fc3b7ae2ed30456d835 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/610808 LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Damien Neil <[email protected]>
1 parent 0c509fd commit b99b550


5 files changed

+16
-13
lines changed


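--- a/data/osv/GO-2024-2450.json
+++ b/data/osv/GO-2024-2450.json
@@ -8,7 +8,7 @@
 "GHSA-w88v-pjr8-cmv2"
 ],
 "summary": "Mattermost viewing archived public channels permissions vulnerability in github.com/mattermost/mattermost-server",
-"details": "Mattermost viewing archived public channels permissions vulnerability in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server before v7.8.10.; github.com/mattermost/mattermost/server/v8 before v8.1.1.",
+"details": "Mattermost viewing archived public channels permissions vulnerability in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server before v7.8.10; github.com/mattermost/mattermost/server/v8 before v8.1.1.",
 "affected": [
 {
 "package": {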

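--- a/data/osv/GO-2024-2750.json
+++ b/data/osv/GO-2024-2750.json
@@ -8,7 +8,7 @@
 "GHSA-2v35-wj4r-rcmv"
 ],
 "summary": "Kubernetes Secrets Store CSI Driver plugins arbitrary file write in github.com/Azure/secrets-store-csi-driver-provider-azure",
-"details": "Kubernetes Secrets Store CSI Driver plugins arbitrary file write in github.com/Azure/secrets-store-csi-driver-provider-azure.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/Azure/secrets-store-csi-driver-provider-azure before v0.0.10.; github.com/hashicorp/vault-csi-provider before v0.0.6.",
+"details": "Kubernetes Secrets Store CSI Driver plugins arbitrary file write in github.com/Azure/secrets-store-csi-driver-provider-azure.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/Azure/secrets-store-csi-driver-provider-azure before v0.0.10; github.com/hashicorp/vault-csi-provider before v0.0.6.",
 "affected": [
 {
 "package": {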

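--- a/data/osv/GO-2024-2924.json
+++ b/data/osv/GO-2024-2924.json
@@ -8,7 +8,7 @@
 "GHSA-7jp9-vgmq-c8r5"
 ],
 "summary": "AdGuardHome privilege escalation vulnerability in github.com/AdguardTeam/AdGuardHome",
-"details": "AdGuardHome privilege escalation vulnerability in github.com/AdguardTeam/AdGuardHome.",
+"details": "AdGuardHome privilege escalation vulnerability in github.com/AdguardTeam/AdGuardHome.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: .",
 "affected": [
 {
 "package": {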

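--- a/data/osv/GO-2024-2979.json
+++ b/data/osv/GO-2024-2979.json
@@ -8,7 +8,7 @@
 "GHSA-55r9-5mx9-qq7r"
 ],
 "summary": "Cache driver GetBlob() allows read access to any blob without access control check in zotregistry.dev/zot",
-"details": "Cache driver GetBlob() allows read access to any blob without access control check in zotregistry.dev/zot.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: zotregistry.dev/zot before v2.1.0.; zotregistry.io/zot before v2.1.0.",
+"details": "Cache driver GetBlob() allows read access to any blob without access control check in zotregistry.dev/zot.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: zotregistry.dev/zot before v2.1.0; zotregistry.io/zot before v2.1.0.",
 "affected": [
 {
 "package": {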

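--- a/internal/report/osv.go
+++ b/internal/report/osv.go
@@ -19,6 +19,7 @@ import (
 "golang.org/x/vulndb/internal/idstr"
 "golang.org/x/vulndb/internal/osv"
 "golang.org/x/vulndb/internal/stdlib"
+"golang.org/x/vulndb/internal/version"
 )
 
 var (
@@ -51,10 +52,10 @@ func (r *Report) nonGoVersionsStr() string {
 var vs []string
 for _, m := range r.Modules {
 if s := m.NonGoVersions.verboseString(); s != "" {
-vs = append(vs, fmt.Sprintf("%s %s.", m.Module, s))
+vs = append(vs, fmt.Sprintf("%s %s", m.Module, s))
 }
 }
-return strings.Join(vs, "; ")
+return strings.Join(vs, "; ") + "."
 }
 
 func (v Versions) verboseString() string {
@@ -94,7 +95,13 @@ func (vs Versions) collectRangePairs() []pair {
 ps []pair
 p pair
 )
-prefix := "v"
+addPrefix := func(s *string) {
+const semverPrefix = "v"
+if *s != "" && version.IsValid(*s) {
+*s = semverPrefix + *s
+}
+}
+
 for _, v := range vs {
 if v.IsIntroduced() {
 // We expected Introduced and Fixed to alternate, but if
@@ -104,15 +111,11 @@ func (vs Versions) collectRangePairs() []pair {
 if p.intro == "0" {
 p.intro = ""
 }
-if p.intro != "" {
-p.intro = prefix + p.intro
-}
+addPrefix(&p.intro)
 }
 if v.IsFixed() {
 p.fixed = v.Version
-if p.fixed != "" {
-p.fixed = prefix + p.fixed
-}
+addPrefix(&p.fixed)
 ps = append(ps, p)
 p = pair{}
 }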
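Review bot: nonGoVersionsStr now returns a bare "." when no module contributes a non-Go version string, because the second hunk appends the period unconditionally after the Join; data/osv/GO-2024-2924.json in this same commit shows the consequence, a NOTE paragraph that ends in `versions are: .`. Presumably the caller uses a non-empty result to decide whether to emit that NOTE at all, so the empty case needs an explicit guard before the join: `if len(vs) == 0 { return "" }`. The function's signature is outside the hunk, so the caller's check cannot be confirmed from here, but an empty list should not produce a lone period in either case. In the addPrefix closure of the third hunk the prefixing now hinges on what version.IsValid accepts for an unprefixed string; a short why-comment there, e.g. `// Prefix only strings that parse as semver; dates, hashes and other non-semver versions are left as-is.`, would record that assumption for the next reader (wording to be confirmed against version.IsValid).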
