data/reports: review GO-2024-3140

  - data/reports/GO-2024-3140.yaml

Fixes #3140

Change-Id: Id1a59bbd480201ae29e3a1882dac2262922316d4
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/635218
Reviewed-by: Zvonimir Pavlinovic <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>

Author: tatianab

data/osv/GO-2024-3140.json

@@ -8,7 +8,7 @@
     "GHSA-xxxw-3j6h-q7h6"
   ],
   "summary": "Grafana plugin SDK Information Leakage in github.com/grafana/grafana-plugin-sdk-go",
-  "details": "Grafana plugin SDK Information Leakage in github.com/grafana/grafana-plugin-sdk-go",
+  "details": "The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running \"git remote get-url origin\".\n\nIf credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials.",
   "affected": [
     {
       "package": {
@@ -28,18 +28,39 @@
           ]
         }
       ],
-      "ecosystem_specific": {}
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/grafana/grafana-plugin-sdk-go/build",
+            "symbols": [
+              "Build.Backend",
+              "Build.Darwin",
+              "Build.DarwinARM64",
+              "Build.Debug",
+              "Build.DebugDarwinAMD64",
+              "Build.DebugDarwinARM64",
+              "Build.DebugLinuxAMD64",
+              "Build.DebugLinuxARM64",
+              "Build.DebugWindowsAMD64",
+              "Build.Linux",
+              "Build.LinuxARM",
+              "Build.LinuxARM64",
+              "Build.Windows",
+              "Info.appendFlags",
+              "getBuildBackendCmdInfo",
+              "getBuildInfoFromEnvironment",
+              "getEnvironment"
+            ]
+          }
+        ]
+      }
     }
   ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://github.com/advisories/GHSA-xxxw-3j6h-q7h6"
     },
-    {
-      "type": "ADVISORY",
-      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8986"
-    },
     {
       "type": "FIX",
       "url": "https://github.com/grafana/grafana-plugin-sdk-go/commit/aaa26d1bebaaf6160c37d3f1226a750eab70ca41"
@@ -51,6 +72,6 @@
   ],
   "database_specific": {
     "url": "https://pkg.go.dev/vuln/GO-2024-3140",
-    "review_status": "UNREVIEWED"
+    "review_status": "REVIEWED"
   }
 }

data/reports/GO-2024-3140.yaml

@@ -4,17 +4,47 @@ modules:
       versions:
         - fixed: 0.250.0
       vulnerable_at: 0.249.0
-summary: Grafana plugin SDK Information Leakage in github.com/grafana/grafana-plugin-sdk-go
+      packages:
+        - package: github.com/grafana/grafana-plugin-sdk-go/build
+          symbols:
+            - Info.appendFlags
+            - getEnvironment
+            - getBuildInfoFromEnvironment
+            - getBuildBackendCmdInfo
+          derived_symbols:
+            - Build.Backend
+            - Build.Darwin
+            - Build.DarwinARM64
+            - Build.Debug
+            - Build.DebugDarwinAMD64
+            - Build.DebugDarwinARM64
+            - Build.DebugLinuxAMD64
+            - Build.DebugLinuxARM64
+            - Build.DebugWindowsAMD64
+            - Build.Linux
+            - Build.LinuxARM
+            - Build.LinuxARM64
+            - Build.Windows
+summary: |-
+    Grafana plugin SDK Information Leakage in
+    github.com/grafana/grafana-plugin-sdk-go
+description: |-
+    The grafana plugin SDK bundles build metadata into the binaries it compiles;
+    this metadata includes the repository URI for the plugin being built, as
+    retrieved by running "git remote get-url origin".
+
+    If credentials are included in the repository URI (for instance, to allow for
+    fetching of private dependencies), the final binary will contain the full URI,
+    including said credentials.
 cves:
     - CVE-2024-8986
 ghsas:
     - GHSA-xxxw-3j6h-q7h6
 references:
     - advisory: https://github.com/advisories/GHSA-xxxw-3j6h-q7h6
-    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-8986
     - fix: https://github.com/grafana/grafana-plugin-sdk-go/commit/aaa26d1bebaaf6160c37d3f1226a750eab70ca41
     - web: https://grafana.com/security/security-advisories/cve-2024-8986
 source:
     id: GHSA-xxxw-3j6h-q7h6
-    created: 2024-11-12T11:30:05.469931-05:00
-review_status: NEEDS_REVIEW
+    created: 2024-12-11T14:44:16.467308-05:00
+review_status: REVIEWED