x/vuln: Unclear how to request standard-library vulnerabilities be added to DB

[rkennedy]

What did you do?

The release announcement for Go 1.19.1 mentions two vulnerabilities, one in net/http and the other in net/url. They're obviously public, but as far as I can tell, those vulnerabilities are not present in golang/vulndb. They're not specifically excluded, either.

$ git remote -v
origin  https://github.com/golang/vulndb.git (fetch)
origin  https://github.com/golang/vulndb.git (push)
$ git rev-parse HEAD
3859e52b1385c13b76efe662bcf02c80beda4321
$ git grep -i 'CVE-2022-27664|CVE-2022-32190'
$

They are vulnerabilities, though, aren't they? Or is there some nuance to the definition that I've missed?

The form for submitting additional vulnerabilities says it's for public vulnerabilities that are "not maintained by the Go Team." What's the process for adding vulnerabilities to the database that are maintained by the Go Team?

What did you expect to see?

I expected to see the known vulnerabilities accounted for in the database already, or else I expected to see some instructions about how to get Go-Team-managed vulnerabilities into vulndb.

What did you see instead?

I only see instructions about other vulnerabilities

Among the open issues for vulndb, I see ones for vulnerabilities in the standard library (including one for CVE-2022-27664). Does that mean someone misused the submission form, or what?

[seankhliao]

cc @golang/vulndb

[gopherbot]

Change https://go.dev/cl/430356 mentions this issue: .github/ISSUE_TEMPLATE: add template for missing cve/ghsa

[tatianab]

Hi Rob, thanks for the report! These two vulnerabilities should definitely be in the database. We will add them today.

For future reference, there is now a lightweight way to tell us about a missing CVE or GHSA: https://go.dev/s/vulndb-missing-cve

[rkennedy]

That new form looks just right. Thanks for adding it!