cmd/go: command to find minimum version with no known CVE #50409

Open
tamalsaha opened this issue Jan 2, 2022 · 1 comment

@tamalsaha tamalsaha commented Jan 2, 2022

Is it possible to introduce a go mod command/feature that can look at data from deps.dev and automatically use the minimum version that does NOT have a known CVE? With the prevalence of code scanners, we keep getting alerts regarding CVEs. Currently the process to fix such alerts requires a lot of manual work. If go mod can automate some of this, that will be much appreciated. As an example, npm has an `npm audit fix` command that does similar things for js projects. Thanks!

@ianlancetaylor ianlancetaylor changed the title from "affected/package: go mod" to "cmd/go: command to find minimum version with no known CVE" Jan 3, 2022
@ianlancetaylor ianlancetaylor added this to the Backlog milestone Jan 3, 2022

@ianlancetaylor ianlancetaylor commented Jan 3, 2022
