CVEs that do not apply to gosu #104
Comments
Dear @tianon, I would like to respectfully ask if there are any plans on life cycling the golang packages in the near future? Thank you.
I try to keep the main development branch up-to-date with newer package versions, but I have no plans to make a new release of
@tianon please make a minor 1.15 release to update the runc to 1.1.2 and make people happy. CVE-wise I'm getting only two that actually bother me a bit: CVE-2022-29162 / CVE-2022-29526
@tianon can you take a look at CVE-2022-30635? Our scanner started to show it lately.
Hi @tianon, Prisma found two new vulnerabilities:
Can you take a look? Thanks!
similar to many of the CVEs that are listed, "does not use
With https://github.com/tianon/gosu/releases/tag/1.15, I've now got https://github.com/tianon/gosu/blob/master/SECURITY.md which makes it clear how to determine whether vulnerabilities apply to a released version/build of
@tianon CVE-2022-32148 is a net/http one, so according to the README this is not affecting. CVE-2022-41716 is an os/exec one - so does it mean it is affecting?
Please run
Thanks. FYI:
All fine - we will use redis 7.0.8 with gosu 1.16 (1.14 is where we had the CVEs), but we will upgrade to be sure.
```console
$ ./gosu-amd64 --version
1.16 (go1.18.2 on linux/amd64; gc)
$ go install golang.org/x/vuln/cmd/govulncheck@latest
go: downloading golang.org/x/vuln v0.0.0-20230331150530-a42f9910daf3
go: downloading golang.org/x/mod v0.9.0
go: downloading golang.org/x/tools v0.7.0
go: downloading golang.org/x/sys v0.6.0
$ govulncheck ./gosu-amd64
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
Using govulncheck@v0.0.0 with
vulnerability data from https://vuln.go.dev (last modified 2023-03-29 14:45:38 +0000 UTC).
Scanning your binary for known vulnerabilities...
No vulnerabilities found.
```
Hi @tianon, thank you for your time and response. Just want to double-check, govulncheck is not showing CVE-2022-32190, so can we mark it as a false positive?
Please read https://github.com/tianon/gosu/blob/6a1967c98c3d1854dd29f32433f1e0c59b244c5f/SECURITY.md again, especially the third paragraph.
@tianon would you add CVE-2023-28642 to this list please? I appreciate your position on CVEs related to go. I've got my SecOps team onboard with using this issue as justification for dismissing/reporting false positives
Unfortunately, no, I will not be updating/maintaining this list. I made a lot of changes to the way I build/release in support of the updated security policy (https://github.com/tianon/gosu/blob/master/SECURITY.md), in which I now treat the results of
Can I just ask if there is something about updating to a new version of golang that poses more effort than updating all of these vulnerability tools? I understand that this project doesn't use the parts of the code that have the CVE at the moment, but I can't help but wonder if it is less effort to just update the go version than it is to ask all of the tools to ignore the warnings for this tool.
NOTE: this list is no longer actively maintained; see #104 (comment):
CVEs that do not apply to builds of `gosu`:

| Component / reason | References |
|---|---|
| `gosu` is not Kubernetes (and does not parse YAML) | #105 |
| `net/http` | docker-library/mongo#529 |
| `encoding/binary` | docker-library/mongo#529 |
| `text/html` or CGI/FCGI | docker-library/mongo#529 |
| `math/big` | docker-library/mongo#529 |
| `cmd/go`, not Go programs | docker-library/mongo#529 |
| `cmd/go`, not Go programs | docker-library/mongo#529 |
| `encoding/xml` | docker-library/mongo#529 |
| `net/http` | docker-library/mongo#529 |
| `golang.org/x/net` | #107 |
| `archive/zip` | #94, docker-library/mongo#529 |
| `net/http/httputil` | docker-library/mongo#529 |
| `math/big` | docker-library/mongo#529 |
| `net/http/httputil` | docker-library/mongo#529 |
| `GOARCH=wasm` | #98, docker-library/mongo#529 |
| `archive/zip` | #94, #97, #101, docker-library/mongo#529 |
| `debug/macho` | #98, docker-library/mongo#529 |
| `archive/zip` | docker-library/mongo#529 |
| `runc` code not used | #100 |
| `net/http` | #98, docker-library/mongo#529 |
| `net/http` | #112 |
| `math/big` | #103 |
| `cmd/go`, not Go programs | #99 |
| `crypto/elliptic` | #99 |
| `encoding/pem` | #108 |
| `regexp` | #107 |
| `golang.org/x/crypto/ssh` | #108 |
| `net/http` | |
| `encoding/xml` | #112 |
| `crypto/elliptic` | #108 |
| `Faccessat` | |
| `GOOS=windows` | #112 |
| `crypto/tls` | #112 |
| `compress/gzip` | #112 |
| `encoding/xml` | #112 |
| `encoding/gob` | |
| `math/big` | |

If you use (or maintain) a security scanner which reports any of these against `gosu`, please report them to the security vendor as false positives. (See also https://snarky.ca/the-social-contract-of-open-source/)