x/pkgsite: vuln does not report fix versions correctly #54480
Comments
I believe this is working as intended in CL 411077 but is nonetheless confusing. CC'ing @julieqiu @jba from the Security team. I can understand go1.18.0 - go1.18.5 not being inclusive of go1.18.5 but go1.17.13 and earlier seems incorrect. Should we rework this description or revert to the table configuration?
@jamalc It would be far less ambiguous to use standard notation. For example:
or
Change https://go.dev/cl/427934 mentions this issue:
For golang/go#54480

Change-Id: I81295bfe6f03cf83d38c365195ea783115a0f959
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/427934
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>

Fixed.
https://pkg.go.dev/vuln/GO-2022-0537
This page currently reads as follows:
However, the actual CVE says that it was fixed in 1.17.13 and 1.18.5, so those should not be listed as affected versions.
This is just one example. All the pages under https://pkg.go.dev/vuln that I checked have this mistake.
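Added example, not part of the original thread and not pkgsite's code: a sketch of treating each affected range as a half-open interval, so that a fix version is never reported as affected and the rendered text says so explicitly. The `Range` type, the function names, the output wording and the sample ranges (built from the fix versions 1.17.13 and 1.18.5 quoted above) are assumptions for illustration, and every range is assumed to have a fix version.

```go
package main

import (
	"fmt"
	"strings"
)

// Range is the half-open interval [Introduced, Fixed); Introduced "" means "from the start".
type Range struct{ Introduced, Fixed string }

// less compares dotted versions such as "1.17.13"; "" parses as 0.0.0.
func less(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "%d.%d.%d", &y[0], &y[1], &y[2])
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// Affected reports whether v lies in any range; the fix version itself is excluded.
func Affected(v string, rs []Range) bool {
	for _, r := range rs {
		if !less(v, r.Introduced) && less(v, r.Fixed) {
			return true
		}
	}
	return false
}

// Describe renders the ranges with an explicit exclusive upper bound.
func Describe(rs []Range) string {
	var parts []string
	for _, r := range rs {
		s := "before go" + r.Fixed
		if r.Introduced != "" {
			s = "from go" + r.Introduced + " " + s
		}
		parts = append(parts, s)
	}
	return strings.Join(parts, "; ")
}

func main() {
	rs := []Range{{"", "1.17.13"}, {"1.18.0", "1.18.5"}} // constructed sample ranges
	fmt.Println(Describe(rs), Affected("1.17.13", rs), Affected("1.18.4", rs))
}
```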