x/build: update to golang.org/x/text@v0.3.7+ (GO-2021-0113) #51565
Labels
Milestone
Comments
|
I'm not sure what the policy should be. For this particular case, it's not a problem to update to the latest pgconn and x/text it in x/build, so I'll add NeedsFix for now. |
dmitshur
added
the
NeedsFix
|
Change https://go.dev/cl/391214 mentions this issue: |
gopherbot
pushed a commit
to golang/build
that referenced
this issue
Mar 9, 2022
This upgrades golang.org/x/text to v0.3.7 and suppresses govulncheck's report on GO-2021-0113 For golang/go#51565 Change-Id: I21ec6a3772b455c88a418087b4fbf3cabc1ecc65 Reviewed-on: https://go-review.googlesource.com/c/build/+/391214 Trust: Hyang-Ah Hana Kim <hyangah@gmail.com> Run-TryBot: Hyang-Ah Hana Kim <hyangah@gmail.com> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org>
|
I will close this issue - two followup issues were filed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
govulncheckreports GO-2021-0113 for golang.org/x/build@0a1fb72 (as of 2022/03/09)I don't think this vulnerability is actually affecting this specific code path picked by govulncheck
(The
pgconnmaintainer also said in jackc/pgconn#103 this vulnerability doesn't affect the package.)This vulnerability is not the type of vulnerability that can be analyzed with simple(?) callgraph analysis. We need data analysis to see what's fed into the vulnerable function. But with the lack of options to suppress the report, the easiest path forward is, I think, to update the dependency.
On the other hand, as seen in #51216, the Go security team wants to avoid changes triggered by false positive reports. So, I am not sure what's the Go team's policy in cases like this.
If we decide to update the dependency, now the question is which dependency to upgrade:
cc @golang/security
The text was updated successfully, but these errors were encountered: