From 5898afdb70fa41129957de03117d6676e2f11659 Mon Sep 17 00:00:00 2001
From: Daniel Budris
Date: Tue, 26 Sep 2023 12:04:52 -0400
Subject: [PATCH] Add additional CVE entries to VEX document (#1176)

* add product identifier section for hash to vex doc
* Update projects/golang/go/VulnerabilityManagement/eks-distro-golang-vex.json
* make json valid for vex
* simplify vex document for testing
* add 1.19 and another 1.18 cve entry to the go vex document
---
 .../eks-distro-golang-vex.json | 66 +++++++++++++++++++
 1 file changed, 66 insertions(+)

diff --git a/projects/golang/go/VulnerabilityManagement/eks-distro-golang-vex.json b/projects/golang/go/VulnerabilityManagement/eks-distro-golang-vex.json
index 0ff0fbf42..f7799efbe 100644
--- a/projects/golang/go/VulnerabilityManagement/eks-distro-golang-vex.json
+++ b/projects/golang/go/VulnerabilityManagement/eks-distro-golang-vex.json
@@ -96,6 +96,72 @@
 "url": "https://nvd.nist.gov/vuln/detail/cve-2022-41723"
 }
 ]
+ },
+ {
+ "cve": "CVE-2022-41724",
+ "notes": [
+ {
+ "category": "description",
+ "text": "Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).",
+ "title": "CVE description"
+ }
+ ],
+ "product_status": {
+ "fixed": [
+ "eks-distro-golang:v1-18-10-eks-8"
+ ]
+ },
+ "references": [
+ {
+ "category": "external",
+ "summary": "NVD - CVE-2022-41724",
+ "url": "https://nvd.nist.gov/vuln/detail/cve-2022-41724"
+ }
+ ]
+ },
+ {
+ "cve": "CVE-2023-39318",
+ "notes": [
+ {
+ "category": "description",
+ "text": "The html/template package does not properly handle HTML-like \"\" comment tokens, nor hashbang \"#!\" comment tokens, in