Vulnerable Go packages

To: tech-pkg <tech-pkg%netbsd.org@localhost>
Subject: Vulnerable Go packages
From: Benny Siegert <bsiegert%gmail.com@localhost>
Date: Sun, 22 Dec 2024 20:48:42 +0100

Hi!

There were a few vulnerabilities in basic Go modules recently, so Ithought I would run govulncheck on every Go package in pkgsrc.

For those that don't know, govulncheck is nice because it does staticanalysis to find if the vulnerable bit of code is actually called, andfilters out the entries where it's not. The Go team at Google maintainsthe actual vulnerability DB.


The results are ... not ideal, with 55 vulnerable packages identified.

I put the output at

https://www.netbsd.org/~bsiegert/go-pkg-vulnerabilies/2024-12-22.html

I manually removed the ones which were reported as having novulnerabilities, plus the ones where govulncheck errored out. This canbe improved a bit more in the future, but anyway:

What should we do with this information? Turn it intopkg-vulnerabilities entries?


Would it make sense to run this regularly and report the status?

Fixing these usually means one of the following:

1. Package a newer upstream release.

2. Update the go.mod and go.sum files by running something like "go get-u golang.org/x/net" or whatever the vulnerable module is, record thepatches, update checksums and make sure it still builds.


--
Benny

Follow-Ups:
- Re: Vulnerable Go packages
  - From: Thomas Klausner

Prev by Date: Re: CVS commit: pkgsrc/lang/gcc12
Next by Date: Re: CVS commit: pkgsrc/lang/gcc12
Previous by Thread: pbulk.conf suggestion?
Next by Thread: Re: Vulnerable Go packages
Indexes:

Home | Main Index | Thread Index | Old Index