tech-pkg archive
Re: Vulnerable Go packages
Hi Benny!
On Sun, Dec 22, 2024 at 08:48:42PM +0100, Benny Siegert wrote:
> There were a few vulnerabilities in basic Go modules recently, so I thought
> I would run govulncheck on every Go package in pkgsrc.
>
> For those that don't know, govulncheck is nice because it does static
> analysis to find if the vulnerable bit of code is actually called, and
> filters out the entries where it's not. The Go team at Google maintains the
> actual vulnerability DB.
>
> The results are ... not ideal, with 55 vulnerable packages identified.
>
> I put the output at
>
> https://www.netbsd.org/~bsiegert/go-pkg-vulnerabilies/2024-12-22.html
>
> I manually removed the ones which were reported as having no
> vulnerabilities, plus the ones where govulncheck errored out. This can be
> improved a bit more in the future, but anyway:
Two minor things that would be useful to have in the report:
- an overview listing all packages, so I don't have to scroll through
the long vulnerability list report to see if one I care about is
affected
- the version number of the package that was tested, since this will
hopefully get outdated quickly :)
> What should we do with this information? Turn it into pkg-vulnerabilities
> entries?
That'd be great, yes!
> Would it make sense to run this regularly and report the status?
>
> Fixing these usually means one of the following:
>
> 1. Package a newer upstream release.
> 2. Update the go.mod and go.sum files by running something like "go get -u
> golang.org/x/net" or whatever the vulnerable module is, record the patches,
> update checksums and make sure it still builds.
3. report the problem upstream and let them make a new release, then 1.
(I just did that for restish.)
Thank you!
Thomas
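As an added example (not part of the thread, and not code from pkgsrc or the govulncheck project), here is one way to produce the two things asked for above: a per-package overview with the tested package version, and a detail list restricted to the findings where govulncheck actually found a call path into the vulnerable code. It consumes the `govulncheck -json` stream that a run in each package's work directory would emit; the shape assumed here (one JSON object per line, each carrying one of `config`, `progress`, `osv` or `finding`, with `finding.trace[0]` being the vulnerable frame and carrying a `function` only for symbol-level findings) is my reading of that format and is an assumption. The sample runs, the OSV id `GO-EXAMPLE-0001` and the package names are constructed.

```python
import json

# Constructed sample: govulncheck -json output for two pkgsrc packages, keyed by
# PKGNAME so the version that was tested is part of the report (assumed shape).
SAMPLE_RUNS = {
    "www/restish-0.20.0": """\
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck","db":"https://vuln.go.dev"}}
{"osv":{"id":"GO-EXAMPLE-0001","summary":"Constructed example issue in golang.org/x/net"}}
{"finding":{"osv":"GO-EXAMPLE-0001","fixed_version":"v0.33.0","trace":[{"module":"golang.org/x/net","version":"v0.23.0"}]}}
{"finding":{"osv":"GO-EXAMPLE-0001","fixed_version":"v0.33.0","trace":[{"module":"golang.org/x/net","version":"v0.23.0","package":"golang.org/x/net/http2","function":"serverConn.serve"},{"module":"example.invalid/restish","version":"v0.20.0","package":"main","function":"main"}]}}
""",
    "net/cleanpkg-1.0": """\
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"progress":{"message":"Scanning your code and 12 packages across 3 dependent modules for known vulnerabilities..."}}
""",
}


def parse_stream(text):
    """Split a govulncheck -json stream into OSV summaries and raw findings."""
    osvs, findings = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        msg = json.loads(line)
        if "osv" in msg:
            osvs[msg["osv"]["id"]] = msg["osv"].get("summary", "")
        elif "finding" in msg:
            findings.append(msg["finding"])
    return osvs, findings


def called_findings(findings):
    """Keep only symbol-level findings: trace[0] names a function, meaning
    govulncheck found a call path into the vulnerable code (assumption about
    the JSON shape). Module- and package-level findings are dropped, which is
    the same filtering the text-mode output applies."""
    return [f for f in findings
            if f.get("trace") and f["trace"][0].get("function")]


def summarize(pkgname, text):
    """One row per (OSV id, vulnerable module) actually reached from pkgname."""
    osvs, findings = parse_stream(text)
    rows, seen = [], set()
    for f in called_findings(findings):
        vuln = f["trace"][0]
        key = (f["osv"], vuln["module"])
        if key in seen:
            continue
        seen.add(key)
        rows.append({
            "package": pkgname,
            "osv": f["osv"],
            "summary": osvs.get(f["osv"], ""),
            "module": vuln["module"],
            "version": vuln.get("version", ""),
            "fixed_version": f.get("fixed_version", ""),
        })
    return rows


def overview(runs):
    """Map every scanned package (clean ones included) to its called findings."""
    return {pkg: summarize(pkg, text) for pkg, text in runs.items()}


def render(table):
    """Overview first so affected packages can be spotted without scrolling,
    then the details with the vulnerable module version and the fix version."""
    lines = ["Overview (package: vulnerabilities with a call path)"]
    for pkg in sorted(table):
        lines.append(f"  {pkg}: {len(table[pkg])}")
    lines += ["", "Details"]
    for pkg in sorted(table):
        for r in table[pkg]:
            lines.append(f"  {pkg}  {r['osv']}  {r['module']}@{r['version']}"
                         f"  fixed in {r['fixed_version']}  {r['summary']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(overview(SAMPLE_RUNS)))
```

The `fixed_version` column is what decides between options 1 and 2 from the list above: if the upstream release already pulls in at least that module version, packaging the new release is enough; otherwise the go.mod/go.sum bump is the minimal fix.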