Does this issue reproduce with the latest release?
YES
What operating system and processor architecture are you using (go env)?
x64 windows
What did you do?
Vulnerability scanners show error: CVE-2023-44487, CVE-2023-3978 based on a really old x/net library being referenced in the x/crypto go.mod file. Complete bullshit of course, since the crypto lib itself is not vulnerable to those weaknesses.
It however hinders automatic scanning of open-source projects and obscures real cybersecurity threats (false positive).
golang.org/x/crypto@v0.14.0 › golang.org/x/net@v0.10.0
Fixed in golang.org/x/net@0.17.0
Please update the go.mod file of package x/crypto to x/net to version > 0.17
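The version comparison behind the scanner finding above, as an added example that is not part of the issue or of the Go project's code: it reads the x/net requirement out of a go.mod text and compares it with the fixed release v0.17.0 named in the report. The function names and the sample go.mod are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Module and fixed release as named in the issue.
const netModule, fixedNet = "golang.org/x/net", "v0.17.0"

// sampleGoMod is constructed for this example; only the x/net version comes from the issue.
const sampleGoMod = `module example.com/app
require (
	golang.org/x/net v0.10.0 // indirect
	golang.org/x/sys v0.13.0
)
`

// requiredVersion returns the version a go.mod text requires for module, or "".
// It reads require lines and blocks only; replace and exclude are out of scope.
func requiredVersion(gomod, module string) string {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == module && strings.HasPrefix(f[1], "v") {
			return f[1]
		}
	}
	return ""
}

// below reports whether v is older than fixed. Both must look like vX.Y.Z;
// pre-release and build suffixes are ignored, which is a simplification.
func below(v, fixed string) (bool, error) {
	var n [2][3]int
	for i, s := range []string{v, fixed} {
		if _, err := fmt.Sscanf(s, "v%d.%d.%d", &n[i][0], &n[i][1], &n[i][2]); err != nil {
			return false, fmt.Errorf("bad version %q: %w", s, err)
		}
	}
	for i := range n[0] {
		if n[0][i] != n[1][i] {
			return n[0][i] < n[1][i], nil
		}
	}
	return false, nil
}

func main() {
	old, err := below(requiredVersion(sampleGoMod, netModule), fixedNet)
	fmt.Println(netModule, "below", fixedNet+":", old, err)
}
```

A match here means only that the go.mod names an older x/net; it says nothing about whether the flagged code is reachable from the importing package.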
mauri870 changed the title from "affected/package: x/crypto: old x/net version referenced" to "x/crypto: imports vulnerable x/net" on Oct 29, 2023
This still seems to be an issue. Is there any timeline to fix?
Applications using golang.org/x/crypto are being flagged as a security issue due to crypto using an old version of golang.org/x/net:v0.10.0