x/pkgsite: reports vulnerabilities incorrectly for default branch #57327
Assignees
Labels
FrozenDueToAge
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
pkgsite
vulncheck or vulndb
Issues for the x/vuln or x/vulndb repo
Milestone
Comments
|
Some of these are maybe valid and just have not had a release yet, I am not sure. But there are for sure some really old ones listed too, example: https://pkg.go.dev/vuln/GO-2022-0761 |
findleyr
added
the
NeedsInvestigation
|
I think the solution here is to not show vuln information on stdlib pages at master. These vulns show up because the tag master translates to a psuedoversion (e.g., v0.0.0-20230104211531-bae7d772e800) which is within the vulnerable range according to golang.org/x/vuln/osv.Affects.AffectsSemver. cc @golang/security |
|
Change https://go.dev/cl/460817 mentions this issue: |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
What is the URL of the page with the issue?
https://pkg.go.dev/net/http@master
Screenshot
What did you do?
Go to the link above
What did you expect to see?
Not so many vulnerabilities reported. I believe that most(all?) of these are actually fixed on HEAD. Maybe vulns should only be reported on released versions?
What did you see instead?
A lot of vulnerabilities listed.
The text was updated successfully, but these errors were encountered: