data/reports: update 4 REVIEWED reports

nicholashusin · gopherbot · commit d02edb6cf663 · 2025-11-20T14:03:19.000-08:00
- data/reports/GO-2023-2331.yaml - data/reports/GO-2024-2587.yaml - data/reports/GO-2025-3770.yaml - data/reports/GO-2025-4007.yaml Fixes #4016 Fixes #4080 Fixes #4089 Fixes #4092 Fixes #4132 Change-Id: I1053af845eb7fc5fe2f3fc2573c4af283af0a81a Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/721782 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Ethan Lee <ethanalee@google.com> Auto-Submit: Nicholas Husin <nsh@golang.org> Reviewed-by: Nicholas Husin <husin@google.com>
diff --git a/data/cve/v5/GO-2025-4007.json b/data/cve/v5/GO-2025-4007.json
@@ -13,7 +13,7 @@
       "descriptions": [
         {
           "lang": "en",
-          "value": "Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains."
+          "value": "Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains."
         }
       ],
       "affected": [
diff --git a/data/osv/GO-2023-2331.json b/data/osv/GO-2023-2331.json
@@ -20,7 +20,7 @@
           "type": "SEMVER",
           "events": [
             {
-              "introduced": "0"
+              "introduced": "0.37.0"
             },
             {
               "fixed": "0.46.0"
diff --git a/data/osv/GO-2024-2587.json b/data/osv/GO-2024-2587.json
@@ -36,6 +36,19 @@
               "ExecCypherMap"
             ]
           }
+        ],
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "1.1.1"
+              }
+            ]
+          }
         ]
       }
     }
diff --git a/data/osv/GO-2025-3770.json b/data/osv/GO-2025-3770.json
@@ -6,77 +6,9 @@
   "aliases": [
     "GHSA-vrw8-fxc6-2r93"
   ],
-  "summary": "Host Header Injection which Leads to Open Redirect in RedirectSlashes in github.com/go-chi/chi",
-  "details": "Host Header Injection which Leads to Open Redirect in RedirectSlashes in github.com/go-chi/chi",
+  "summary": "Host header injection which leads to open redirect in RedirectSlashes in github.com/go-chi/chi",
+  "details": "Host header injection which leads to open redirect in RedirectSlashes in github.com/go-chi/chi",
   "affected": [
-    {
-      "package": {
-        "name": "github.com/go-chi/chi",
-        "ecosystem": "Go"
-      },
-      "ranges": [
-        {
-          "type": "SEMVER",
-          "events": [
-            {
-              "introduced": "0"
-            }
-          ]
-        }
-      ],
-      "ecosystem_specific": {}
-    },
-    {
-      "package": {
-        "name": "github.com/go-chi/chi/v2",
-        "ecosystem": "Go"
-      },
-      "ranges": [
-        {
-          "type": "SEMVER",
-          "events": [
-            {
-              "introduced": "0"
-            }
-          ]
-        }
-      ],
-      "ecosystem_specific": {}
-    },
-    {
-      "package": {
-        "name": "github.com/go-chi/chi/v3",
-        "ecosystem": "Go"
-      },
-      "ranges": [
-        {
-          "type": "SEMVER",
-          "events": [
-            {
-              "introduced": "0"
-            }
-          ]
-        }
-      ],
-      "ecosystem_specific": {}
-    },
-    {
-      "package": {
-        "name": "github.com/go-chi/chi/v4",
-        "ecosystem": "Go"
-      },
-      "ranges": [
-        {
-          "type": "SEMVER",
-          "events": [
-            {
-              "introduced": "0"
-            }
-          ]
-        }
-      ],
-      "ecosystem_specific": {}
-    },
     {
       "package": {
         "name": "github.com/go-chi/chi/v5",
@@ -87,7 +19,7 @@
           "type": "SEMVER",
           "events": [
             {
-              "introduced": "0"
+              "introduced": "5.2.1"
             },
             {
               "fixed": "5.2.2"
diff --git a/data/osv/GO-2025-4007.json b/data/osv/GO-2025-4007.json
@@ -8,7 +8,7 @@
     "CVE-2025-58187"
   ],
   "summary": "Quadratic complexity when checking name constraints in crypto/x509",
-  "details": "Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate.\n\nThis affects programs which validate arbitrary certificate chains.",
+  "details": "Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate.\n\nThis affects programs which validate arbitrary certificate chains.",
   "affected": [
     {
       "package": {
diff --git a/data/reports/GO-2023-2331.yaml b/data/reports/GO-2023-2331.yaml
@@ -2,6 +2,7 @@ id: GO-2023-2331
 modules:
     - module: go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
       versions:
+        - introduced: 0.37.0
         - fixed: 0.46.0
       vulnerable_at: 0.45.0
       packages:
diff --git a/data/reports/GO-2024-2587.yaml b/data/reports/GO-2024-2587.yaml
@@ -1,6 +1,8 @@
 id: GO-2024-2587
 modules:
     - module: github.com/apache/age/drivers/golang
+      non_go_versions:
+        - fixed: 1.1.1
       vulnerable_at: 0.0.0-20240221054422-3b2b394eb669
       packages:
         - package: github.com/apache/age/drivers/golang/age
diff --git a/data/reports/GO-2025-3770.yaml b/data/reports/GO-2025-3770.yaml
@@ -1,20 +1,13 @@
 id: GO-2025-3770
 modules:
-    - module: github.com/go-chi/chi
-      vulnerable_at: 1.5.5
-    - module: github.com/go-chi/chi/v2
-      vulnerable_at: 2.1.1
-    - module: github.com/go-chi/chi/v3
-      vulnerable_at: 3.3.5
-    - module: github.com/go-chi/chi/v4
-      vulnerable_at: 4.1.3
     - module: github.com/go-chi/chi/v5
       versions:
+        - introduced: 5.2.1
         - fixed: 5.2.2
       vulnerable_at: 5.2.1
 summary: |-
-    Host Header Injection which Leads to Open Redirect in RedirectSlashes
-    in github.com/go-chi/chi
+    Host header injection which leads to open redirect in RedirectSlashes in
+    github.com/go-chi/chi
 ghsas:
     - GHSA-vrw8-fxc6-2r93
 references:
diff --git a/data/reports/GO-2025-4007.yaml b/data/reports/GO-2025-4007.yaml
@@ -46,7 +46,7 @@ modules:
 summary: Quadratic complexity when checking name constraints in crypto/x509
 description: |-
     Due to the design of the name constraint checking algorithm, the processing time
-    of some inputs scals non-linearly with respect to the size of the certificate.
+    of some inputs scale non-linearly with respect to the size of the certificate.
 
     This affects programs which validate arbitrary certificate chains.
 cves:

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@`
`13`	`13`	`"descriptions": [`
`14`	`14`	`{`
`15`	`15`	`"lang": "en",`
`16`		`- "value": "Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains."`
	`16`	`+ "value": "Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains."`
`17`	`17`	`}`
`18`	`18`	`],`
`19`	`19`	`"affected": [`
Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@`
`20`	`20`	`"type": "SEMVER",`
`21`	`21`	`"events": [`
`22`	`22`	`{`
`23`		`- "introduced": "0"`
	`23`	`+ "introduced": "0.37.0"`
`24`	`24`	`},`
`25`	`25`	`{`
`26`	`26`	`"fixed": "0.46.0"`
Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,19 @@`
`36`	`36`	`"ExecCypherMap"`
`37`	`37`	`]`
`38`	`38`	`}`
	`39`	`+ ],`
	`40`	`+ "custom_ranges": [`
	`41`	`+ {`
	`42`	`+ "type": "ECOSYSTEM",`
	`43`	`+ "events": [`
	`44`	`+ {`
	`45`	`+ "introduced": "0"`
	`46`	`+ },`
	`47`	`+ {`
	`48`	`+ "fixed": "1.1.1"`
	`49`	`+ }`
	`50`	`+ ]`
	`51`	`+ }`
`39`	`52`	`]`
`40`	`53`	`}`
`41`	`54`	`}`
Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@`
`8`	`8`	`"CVE-2025-58187"`
`9`	`9`	`],`
`10`	`10`	`"summary": "Quadratic complexity when checking name constraints in crypto/x509",`
`11`		`- "details": "Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate.\n\nThis affects programs which validate arbitrary certificate chains.",`
	`11`	`+ "details": "Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate.\n\nThis affects programs which validate arbitrary certificate chains.",`
`12`	`12`	`"affected": [`
`13`	`13`	`{`
`14`	`14`	`"package": {`