reports: more consistent description tone

Also remove a few improper reports, and format all of the YAML
a bit more nicely.

Change-Id: I1d4d79578228a775489c286991dbe1386e079a66
Reviewed-on: https://team-review.git.corp.google.com/c/golang/vulndb/+/1062398
Reviewed-by: Roland Shoemaker <[email protected]>

Author: rolandshoemaker

osv/json.go

@@ -51,7 +51,7 @@ func (ar AffectsRange) containsSemver(v string) bool {
 }
 
 type Affects struct {
-	Ranges []AffectsRange
+	Ranges []AffectsRange `json:",omitempty"`
 }
 
 func generateAffects(versions []report.VersionRange) Affects {
@@ -106,8 +106,8 @@ type Entry struct {
 	ID         string
 	Published  time.Time
 	Modified   time.Time
-	Withdrawn  *time.Time
-	Aliases    []string `json:",omitempty"`
+	Withdrawn  *time.Time `json:",omitempty"`
+	Aliases    []string   `json:",omitempty"`
 	Package    Package
 	Details    string
 	Affects    Affects

reports/GO-2020-0001.yaml

@@ -1,20 +1,20 @@
 module: github.com/gin-gonic/gin
 versions:
-- fixed: v1.6.0
+  - fixed: v1.6.0
 description: |
   The default [`Formatter`][LoggerConfig.Formatter] for the [`Logger`][] middleware
   (included in the [`Default`][] engine) allows attackers to inject arbitrary log
   entries by manipulating the request path.
 published: 2021-04-14T12:00:00Z
-credit: '@thinkerou <[email protected]>'
+credit: "@thinkerou <[email protected]>"
 symbols:
-- defaultLogFormatter
+  - defaultLogFormatter
 links:
   pr: https://github.com/gin-gonic/gin/pull/2237
   commit: https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d
 cve_metadata:
   id: CVE-9999-0001
-  cwe: 'CWE-20: Improper Input Validation'
+  cwe: "CWE-20: Improper Input Validation"
   description: |
     Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0
     allows remote attackers to inject arbitary log lines.

reports/GO-2020-0002.yaml

@@ -1,6 +1,6 @@
 module: github.com/proglottis/gpgme
 versions:
-- fixed: v0.1.1
+  - fixed: v0.1.1
 description: |
   The [`Data`][], [`Context`][], or [`Key`][] finalizers might run during or
   before GPGME operations, releasing the C structures as they are still in use,

reports/GO-2020-0003.yaml

@@ -1,21 +1,21 @@
 module: github.com/revel/revel
 versions:
-- fixed: v1.0.0
+  - fixed: v1.0.0
 description: |
   If the application accepts
   [slice parameters](https://revel.github.io/manual/parameters.html#slices), an
   attacker can cause the application to allocate large amounts of memory and
   crash by manipulating the request query.
 published: 2021-04-14T12:00:00Z
-credit: '@SYM01'
+credit: "@SYM01"
 links:
   pr: https://github.com/revel/revel/pull/1427
   commit: https://github.com/revel/revel/commit/d160ecb72207824005b19778594cbdc272e8a605
   context:
-  - https://github.com/revel/revel/issues/1424
+    - https://github.com/revel/revel/issues/1424
 cve_metadata:
   id: CVE-9999-0002
-  cwe: 'CWE-400: Uncontrolled Resource Consumption'
+  cwe: "CWE-400: Uncontrolled Resource Consumption"
   description: |
     Unsanitized input in the query parser in github.com/revel/revel before v1.0.0
     allows remote attackers to cause resource exhaustion via memory allocation.

reports/GO-2020-0004.yaml

@@ -1,7 +1,7 @@
 module: github.com/nanobox-io/golang-nanoauth
 versions:
-- introduced: v0.0.0-20160722212129-ac0cc4484ad4
-  fixed: v0.0.0-20200131131040-063a3fb69896
+  - introduced: v0.0.0-20160722212129-ac0cc4484ad4
+    fixed: v0.0.0-20200131131040-063a3fb69896
 description: |
   If any of the `ListenAndServe` functions are called with an empty token,
   token authentication is disabled globally for all listeners.
@@ -10,17 +10,17 @@ description: |
   very low latency and able to make a lot of requests to potentially
   recover the token.
 published: 2021-04-14T12:00:00Z
-credit: '@bouk'
+credit: "@bouk"
 symbols:
-- Auth.ServerHTTP
-- Auth.ListenAndServeTLS
-- Auth.ListenAndServe
+  - Auth.ServerHTTP
+  - Auth.ListenAndServeTLS
+  - Auth.ListenAndServe
 links:
   pr: https://github.com/nanobox-io/golang-nanoauth/pull/5
   commit: https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3
 cve_metadata:
   id: CVE-9999-0003
-  cwe: 'CWE-305: Authentication Bypass by Primary Weakness'
+  cwe: "CWE-305: Authentication Bypass by Primary Weakness"
   description: |
     Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between
     v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe

reports/GO-2020-0005.yaml

@@ -1,7 +1,7 @@
 module: go.etcd.io/etcd
 package: go.etcd.io/etcd/wal
 versions:
-- fixed: v0.5.0-alpha.5.0.20200423152442-f4b650b51dc4
+  - fixed: v0.5.0-alpha.5.0.20200423152442-f4b650b51dc4
 description: |
   Malformed WALs can be constructed such that [`WAL.ReadAll`][] can cause attempted
   out of bounds reads, or creation of arbitarily sized slices, which may be used as
@@ -10,10 +10,10 @@ published: 2021-04-14T12:00:00Z
 cve: CVE-2020-15106
 credit: Trail of Bits
 symbols:
-- WAL.ReadAll
-- decoder.decodeRecord
+  - WAL.ReadAll
+  - decoder.decodeRecord
 links:
   pr: https://github.com/etcd-io/etcd/pull/11793
   commit: https://github.com/etcd-io/etcd/commit/f4b650b51dc4a53a8700700dc12e1242ac56ba07
   context:
-  - https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf
+    - https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf

reports/GO-2020-0006.yaml

@@ -1,6 +1,6 @@
 module: github.com/miekg/dns
 versions:
-- fixed: v1.0.4-0.20180125103619-43913f2f4fbd
+  - fixed: v1.0.4-0.20180125103619-43913f2f4fbd
 description: |
   An attacker may prevent TCP connections to a [`Server`][] by opening
   a connection and leaving it idle, until the connection is closed by
@@ -9,7 +9,7 @@ published: 2021-04-14T12:00:00Z
 cve: CVE-2017-15133
 credit: Pedro Sampaio
 symbols:
-- Server.serveTCP
+  - Server.serveTCP
 links:
   pr: https://github.com/miekg/dns/pull/631
   commit: https://github.com/miekg/dns/commit/43913f2f4fbd7dcff930b8a809e709591e4dd79e

reports/GO-2020-0007.yaml

@@ -1,6 +1,6 @@
 module: github.com/seccomp/libseccomp-golang
 versions:
-- fixed: v0.9.1-0.20170424173420-06e7a29f36a3
+  - fixed: v0.9.1-0.20170424173420-06e7a29f36a3
 description: |
   Filters containing rules with multiple syscall arguments are improperly
   constructed, such that all arguments are required to match rather than
@@ -9,8 +9,8 @@ description: |
   behavior.
 published: 2021-04-14T12:00:00Z
 cve: CVE-2017-18367
-credit: '@ihac'
+credit: "@ihac"
 symbols:
-- ScmpFilter.addRuleGeneric
+  - ScmpFilter.addRuleGeneric
 links:
   commit: https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e

reports/GO-2020-0008.yaml

@@ -1,17 +1,17 @@
 module: github.com/miekg/dns
 versions:
-- fixed: v1.1.25-0.20191211073109-8ebf2e419df7
+  - fixed: v1.1.25-0.20191211073109-8ebf2e419df7
 description: |
   DNS message transaction IDs are generated using [`math/rand`] which
   makes them relatively predictable. This reduces the complexity
   of response spoofing attacks against DNS clients.
 published: 2021-04-14T12:00:00Z
 cve: CVE-2019-19794
 symbols:
-- id
+  - id
 links:
   pr: https://github.com/miekg/dns/pull/1044
   commit: https://github.com/miekg/dns/commit/8ebf2e419df7857ac8919baa05248789a8ffbf33
   context:
-  - https://github.com/miekg/dns/issues/1037
-  - https://github.com/miekg/dns/issues/1043
+    - https://github.com/miekg/dns/issues/1037
+    - https://github.com/miekg/dns/issues/1043

reports/GO-2020-0009.yaml

@@ -1,12 +1,12 @@
 module: github.com/square/go-jose
 package: github.com/square/go-jose/cipher
 additional_packages:
-- module: github.com/square/go-jose
-  symbols:
-  - JsonWebEncryption.Decrypt
-  - JsonWebEncryption.DecryptMulti
+  - module: github.com/square/go-jose
+    symbols:
+      - JsonWebEncryption.Decrypt
+      - JsonWebEncryption.DecryptMulti
 versions:
-- fixed: v0.0.0-20160903044734-789a4c4bd4c1
+  - fixed: v0.0.0-20160903044734-789a4c4bd4c1
 description: |
   On 32-bit platforms an attacker can manipulate a ciphertext encrypted with AES-CBC
   with HMAC such that they can control how large the input buffer is when computing
@@ -16,21 +16,21 @@ published: 2021-04-14T12:00:00Z
 cve: CVE-2016-9123
 credit: Quan Nguyen from Google's Information Security Engineering Team
 symbols:
-- cbcAEAD.computeAuthTag
+  - cbcAEAD.computeAuthTag
 arch:
-- "386"
-- arm
-- armbe
-- amd64p32
-- mips
-- mipsle
-- mips64p32
-- mips64p32le
-- ppc
-- riscv
-- s390
-- sparc
+  - "386"
+  - arm
+  - armbe
+  - amd64p32
+  - mips
+  - mipsle
+  - mips64p32
+  - mips64p32le
+  - ppc
+  - riscv
+  - s390
+  - sparc
 links:
   commit: https://github.com/square/go-jose/commit/789a4c4bd4c118f7564954f441b29c153ccd6a96
   context:
-  - https://www.openwall.com/lists/oss-security/2016/11/03/1
+    - https://www.openwall.com/lists/oss-security/2016/11/03/1

reports/GO-2020-0010.yaml

@@ -1,11 +1,11 @@
 module: github.com/square/go-jose
 package: github.com/square/go-jose/cipher
 additional_packages:
-- module: github.com/square/go-jose
-  symbols:
-  - JsonWebEncryption.Decrypt
+  - module: github.com/square/go-jose
+    symbols:
+      - JsonWebEncryption.Decrypt
 versions:
-- fixed: v0.0.0-20160831185616-c7581939a365
+  - fixed: v0.0.0-20160831185616-c7581939a365
 description: |
   When using ECDH-ES an attacker can mount an invalid curve attack during
   decryption as the supplied public key is not checked to be on the same
@@ -14,10 +14,10 @@ published: 2021-04-14T12:00:00Z
 cve: CVE-2016-9121
 credit: Quan Nguyen from Google's Information Security Engineering Team
 symbols:
-- DeriveECDHES
-- ecDecrypterSigner.decryptKey
-- rawJsonWebKey.ecPublicKey
+  - DeriveECDHES
+  - ecDecrypterSigner.decryptKey
+  - rawJsonWebKey.ecPublicKey
 links:
   commit: https://github.com/square/go-jose/commit/c7581939a3656bb65e89d64da0a52364a33d2507
   context:
-  - https://www.openwall.com/lists/oss-security/2016/11/03/1
+    - https://www.openwall.com/lists/oss-security/2016/11/03/1

reports/GO-2020-0011.yaml

@@ -1,6 +1,6 @@
 module: github.com/square/go-jose
 versions:
-- fixed: v0.0.0-20160922232413-2c5656adca99
+  - fixed: v0.0.0-20160922232413-2c5656adca99
 description: |
   When decrypting JsonWebEncryption objects with multiple recipients
   or JsonWebSignature objects with multiple signatures the Decrypt
@@ -11,9 +11,9 @@ published: 2021-04-14T12:00:00Z
 cve: CVE-2016-9122
 credit: Quan Nguyen from Google's Information Security Engineering Team
 symbols:
-- JsonWebEncryption.Decrypt
-- JsonWebSignature.Verify
+  - JsonWebEncryption.Decrypt
+  - JsonWebSignature.Verify
 links:
   commit: https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6
   context:
-  - https://www.openwall.com/lists/oss-security/2016/11/03/1
+    - https://www.openwall.com/lists/oss-security/2016/11/03/1

reports/GO-2020-0012.yaml

@@ -1,22 +1,23 @@
 module: golang.org/x/crypto
 package: golang.org/x/crypto/ssh
 versions:
-- fixed: v0.0.0-20200220183623-bac4c82f6975
+  - fixed: v0.0.0-20200220183623-bac4c82f6975
 description: |
   An attacker can craft an ssh-ed25519 or [email protected] public
   key, such that the library will panic when trying to verify a signature
-  with it.
+  with it. If verifying signatures using user supplied public keys, this
+  may be used as a denial of service vector.
 published: 2021-04-14T12:00:00Z
 cve: CVE-2020-9283
 credit: Alex Gaynor, Fish in a Barrel
 symbols:
-- parseED25519
-- ed25519PublicKey.Verify
-- parseSKEd25519
-- skEd25519PublicKey.Verify
-- NewPublicKey
+  - parseED25519
+  - ed25519PublicKey.Verify
+  - parseSKEd25519
+  - skEd25519PublicKey.Verify
+  - NewPublicKey
 links:
   pr: https://go-review.googlesource.com/c/crypto/+/220357
   commit: https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236
   context:
-  - https://groups.google.com/g/golang-announce/c/3L45YRc91SY
+    - https://groups.google.com/g/golang-announce/c/3L45YRc91SY

reports/GO-2020-0013.yaml

@@ -1,7 +1,7 @@
 module: golang.org/x/crypto
 package: golang.org/x/crypto/ssh
 versions:
-- fixed: v0.0.0-20170330155735-e4e2799dd7aa
+  - fixed: v0.0.0-20170330155735-e4e2799dd7aa
 description: |
   By default host key verification is disabled which allows for
   man-in-the-middle attacks against SSH clients if
@@ -10,10 +10,10 @@ published: 2021-04-14T12:00:00Z
 cve: CVE-2017-3204
 credit: Phil Pennock
 symbols:
-- NewClientConn
+  - NewClientConn
 links:
   pr: https://go-review.googlesource.com/38701
   commit: https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991
   context:
-  - https://github.com/golang/go/issues/19767
-  - https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/
+    - https://github.com/golang/go/issues/19767
+    - https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/

reports/GO-2020-0014.yaml

@@ -1,18 +1,19 @@
 module: golang.org/x/net
 package: golang.org/x/net/html
 versions:
-- fixed: v0.0.0-20190125091013-d26f9f9a57f3
+  - fixed: v0.0.0-20190125091013-d26f9f9a57f3
 description: |
   [`html.Parse`] does not properly handle "select" tags, which can lead
-  to an infinite loop.
+  to an infinite loop. If parsing user supplied input, this may be used
+  as a denial of service vector.
 published: 2021-04-14T12:00:00Z
 cve: CVE-2018-17846
-credit: '@tr3ee'
+credit: "@tr3ee"
 symbols:
-- inSelectIM
-- inSelectInTableIM
+  - inSelectIM
+  - inSelectInTableIM
 links:
   pr: https://go-review.googlesource.com/c/137275
   commit: https://github.com/golang/net/commit/d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf
   context:
-  - https://github.com/golang/go/issues/27842
+    - https://github.com/golang/go/issues/27842