data/reports: add skip_fix to some reports
These already had vulnerable_at, but fixed failed.

Change-Id: I4f9b2e570b0642566123b6f2f6ed2b4625a9b9bc
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/465817
Run-TryBot: Tatiana Bradley <[email protected]>
Reviewed-by: Tim King <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
tatianab committed Feb 7, 2023
1 parent 03da7df commit d7fb56a
Showing 5 changed files with 9 additions and 0 deletions.
2 changes: 2 additions & 0 deletions data/reports/GO-2022-0189.yaml
Expand Up @@ -9,6 +9,8 @@ modules:
- package: cmd/go/internal/get
symbols:
- downloadPackage
skip_fix: 'TODO: revisit this reason (cant request explicit version v1.11.2
of standard library package cmd/go/internal/get'
description: |
The "go get" command is vulnerable to remote code execution when executed
with the -u flag and the import path of a malicious Go package, or a
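Review bot: the skip_fix reason added on the two new lines opens a parenthesis after "revisit this reason" that is never closed (the scalar ends at `cmd/go/internal/get'`), unlike the reports later in this change, and "cant" should read "cannot" (a literal apostrophe inside a single-quoted YAML scalar has to be doubled, which is probably why it was dropped). Suggest `skip_fix: "TODO: revisit this reason (cannot request explicit version v1.11.2 of standard library package cmd/go/internal/get)"`.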
2 changes: 2 additions & 0 deletions data/reports/GO-2022-0190.yaml
Expand Up @@ -9,6 +9,8 @@ modules:
- package: cmd/go/internal/get
symbols:
- downloadPackage
skip_fix: 'TODO: revisit this reason (cant request explicit version v1.11.2
of standard library package cmd/go/internal/get'
description: |
The "go get" command is vulnerable to directory traversal when executed
with the import path of a malicious Go package which contains curly brace
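Review bot: same unclosed parenthesis and "cant" as in the GO-2022-0189 hunk; both reports give the identical reason for the same package (cmd/go/internal/get at v1.11.2), so fix the two strings together so they stay word-for-word consistent, e.g. `skip_fix: "TODO: revisit this reason (cannot request explicit version v1.11.2 of standard library package cmd/go/internal/get)"`.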
1 change: 1 addition & 0 deletions data/reports/GO-2022-0318.yaml
Expand Up @@ -10,6 +10,7 @@ modules:
symbols:
- codeRepo.convert
- codeRepo.validatePseudoVersion
skip_fix: "TODO: revisit this reason (cant request explicit version v1.17.6 of standard library package cmd/go/internal/modfetch)"
description: |
Incorrect access control is possible in the go command.
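Review bot: this skip_fix uses a double-quoted scalar while the first two reports in the change use single quotes; pick one quoting style for the new field across all five files, and "cant" should be "cannot" here as well. Since the reason is marked TODO, it would help whoever revisits it to record the actual error text the fix computation produced rather than a paraphrase.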
2 changes: 2 additions & 0 deletions data/reports/GO-2022-0475.yaml
Expand Up @@ -9,9 +9,11 @@ modules:
- package: cmd/go
symbols:
- Builder.cgo
skip_fix: "TODO: revisit this reason (cant request explicit version v1.15.4 of standard library package cmd/go)"
- package: cmd/cgo
symbols:
- dynimport
skip_fix: "TODO: revisit this reason (cant request explicit version v1.15.4 of standard library package cmd/go)"
description: |
The go command may execute arbitrary code at build time when cgo is in use.
This may occur when running go get on a malicious package, or any other
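Review bot: the second skip_fix, under `- package: cmd/cgo`, repeats the cmd/go entry's reason verbatim and says "standard library package cmd/go" even though the entry is for cmd/cgo; if the failure for this entry was for cmd/cgo, the string should say `... of standard library package cmd/cgo)`, otherwise the copy hides which package actually failed.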
2 changes: 2 additions & 0 deletions data/reports/GO-2022-0755.yaml
Expand Up @@ -7,9 +7,11 @@ modules:
- package: github.com/rancher/rancher/server
symbols:
- Start
skip_fix: "TODO: revisit this reason (multiple cannot find module providing package errors)"
- package: github.com/rancher/rancher/pkg/clusterrouter
symbols:
- Router.ServeHTTP
skip_fix: "TODO: revisit this reason (multiple cannot find module providing package errors)"
description: |
Rancher 2 is vulnerable to a Cross-Site Websocket Hijacking
attack that allows an exploiter to gain access to clusters managed by
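Review bot: "multiple cannot find module providing package errors" does not say which packages could not be found, which makes this TODO hard to act on later; quote at least one of the missing package paths from the failing output in the reason. Both entries (github.com/rancher/rancher/server and github.com/rancher/rancher/pkg/clusterrouter) carry identical text, so also confirm the failure was per-package rather than one module-level resolution error copied to both.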

0 comments on commit d7fb56a