cmd/go: command to find minimum version with no known CVE #50409
Status: Open

tamalsaha opened this issue Jan 2, 2022 · 1 comment
Labels: GoCommand (cmd/go), NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.)
Milestone: Backlog
Comments

tamalsaha commented Jan 2, 2022

Is it possible to introduce a go mod command/feature that can look at data from deps.dev and automatically use the minimum version that does NOT have a known CVE? With the prevalence of code scanners, we keep getting alerts regarding CVEs. Currently the process to fix such alerts requires a lot of manual work. If go mod can automate some of this, that will be much appreciated. As an example, npm has an npm audit fix command that does similar things for JS projects. Thanks!
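The selection step the request describes, as an added example that is not part of the issue, of cmd/go, or of deps.dev: given a module's published versions and the advisories that affect it, pick the lowest version at or above the current go.mod requirement that no advisory covers. The advisory shape (half-open introduced/fixed ranges) mirrors the OSV "SEMVER" event model that deps.dev and the Go vulnerability database use, but fetching that data is assumed to happen elsewhere; the module versions and the advisory IDs below are constructed for illustration. Because Go's minimal version selection treats the go.mod requirement as a lower bound, the function never proposes a downgrade, which is the main way "minimum version with no known CVE" differs from "any unaffected version".

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Version is a parsed "vMAJOR.MINOR.PATCH". Prerelease and build metadata are
// rejected rather than mis-ordered; a real tool would use golang.org/x/mod/semver.
type Version struct{ Major, Minor, Patch int }

// ParseVersion accepts "v1.2.3", "1.2", or the OSV sentinel "0" (meaning v0.0.0).
func ParseVersion(s string) (Version, error) {
	s = strings.TrimPrefix(s, "v")
	if strings.ContainsAny(s, "-+") {
		return Version{}, fmt.Errorf("prerelease/build metadata not supported: %q", s)
	}
	parts := strings.Split(s, ".")
	if len(parts) > 3 {
		return Version{}, fmt.Errorf("malformed version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil || x < 0 {
			return Version{}, fmt.Errorf("malformed version %q", s)
		}
		n[i] = x
	}
	return Version{n[0], n[1], n[2]}, nil
}

func (v Version) String() string { return fmt.Sprintf("v%d.%d.%d", v.Major, v.Minor, v.Patch) }

// Compare orders versions numerically, field by field.
func (v Version) Compare(o Version) int {
	for _, d := range [][2]int{{v.Major, o.Major}, {v.Minor, o.Minor}, {v.Patch, o.Patch}} {
		if d[0] != d[1] {
			if d[0] < d[1] {
				return -1
			}
			return 1
		}
	}
	return 0
}

// AffectedRange is an OSV-style half-open range [Introduced, Fixed).
// Fixed == "" means no fixed version is known, so everything above Introduced is affected.
type AffectedRange struct{ Introduced, Fixed string }

// Advisory is one vulnerability record; IDs used here are constructed, not real.
type Advisory struct {
	ID     string
	Ranges []AffectedRange
}

// Contains reports whether v falls inside the range.
func (r AffectedRange) Contains(v Version) (bool, error) {
	lo, err := ParseVersion(r.Introduced)
	if err != nil {
		return false, err
	}
	if v.Compare(lo) < 0 {
		return false, nil
	}
	if r.Fixed == "" {
		return true, nil
	}
	hi, err := ParseVersion(r.Fixed)
	if err != nil {
		return false, err
	}
	return v.Compare(hi) < 0, nil
}

// Affecting returns the IDs of advisories that cover version v (empty if none).
func Affecting(v string, advisories []Advisory) ([]string, error) {
	ver, err := ParseVersion(v)
	if err != nil {
		return nil, err
	}
	var ids []string
	for _, a := range advisories {
		for _, r := range a.Ranges {
			in, err := r.Contains(ver)
			if err != nil {
				return nil, fmt.Errorf("%s: %w", a.ID, err)
			}
			if in {
				ids = append(ids, a.ID)
				break
			}
		}
	}
	return ids, nil
}

// MinimumSafeVersion returns the lowest published version that is >= current and
// not covered by any advisory. It never proposes a downgrade: under minimal version
// selection the go.mod requirement is a lower bound for what the build will use.
func MinimumSafeVersion(current string, available []string, advisories []Advisory) (string, error) {
	cur, err := ParseVersion(current)
	if err != nil {
		return "", err
	}
	vs := make([]Version, 0, len(available))
	for _, s := range available {
		v, err := ParseVersion(s)
		if err != nil {
			return "", err
		}
		vs = append(vs, v)
	}
	sort.Slice(vs, func(i, j int) bool { return vs[i].Compare(vs[j]) < 0 })
	for _, v := range vs {
		if v.Compare(cur) < 0 {
			continue
		}
		ids, err := Affecting(v.String(), advisories)
		if err != nil {
			return "", err
		}
		if len(ids) == 0 {
			return v.String(), nil
		}
	}
	return "", errors.New("no published version at or above " + current + " is free of known advisories")
}

func main() {
	// Constructed sample: a fictitious module with two made-up advisories whose
	// fixed ranges overlap, so the first "fixed" version of one is still hit by the other.
	advisories := []Advisory{
		{ID: "CONSTRUCTED-1", Ranges: []AffectedRange{{Introduced: "0", Fixed: "v1.2.1"}}},
		{ID: "CONSTRUCTED-2", Ranges: []AffectedRange{{Introduced: "v1.2.0", Fixed: "v1.3.0"}}},
	}
	available := []string{"v2.0.0", "v1.0.0", "v1.3.0", "v1.1.0", "v1.2.1", "v1.2.0"}
	v, err := MinimumSafeVersion("v1.1.0", available, advisories)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("minimum version with no known advisory:", v)
	ids, _ := Affecting("v1.2.1", advisories)
	fmt.Println("v1.2.1 is still affected by:", ids)
}
```

Note the overlap case in the sample: the first fixed version of one advisory (v1.2.1) is still inside the other's range, so checking one advisory at a time and taking its "fixed" value would pick a still-vulnerable version; the selection has to be made against all advisories together.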

@ianlancetaylor ianlancetaylor changed the title affected/package: go mod cmd/go: command to find minimum version with no known CVE Jan 3, 2022
@ianlancetaylor ianlancetaylor added GoCommand cmd/go NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Jan 3, 2022
@ianlancetaylor ianlancetaylor added this to the Backlog milestone Jan 3, 2022
ianlancetaylor (Contributor) commented Jan 3, 2022

CC @bcmills @matloob

Projects: None yet
Development: No branches or pull requests
2 participants