Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/go: command to find minimum version with no known CVE #50409

Open
tamalsaha opened this issue Jan 2, 2022 · 1 comment
Open

cmd/go: command to find minimum version with no known CVE #50409

tamalsaha opened this issue Jan 2, 2022 · 1 comment
Labels
GoCommand cmd/go NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Backlog

Comments

@tamalsaha
Copy link

tamalsaha commented Jan 2, 2022
edited

Is it possible to introduce a go mod command/feature that can look at data from deps.dev and automatically use the minimum version that does NOT have a known CVE. With the prevalence of code scanners, we keep getting alerts regarding CVEs. Currently the process to fix such alerts require a lot of manual work. If go mod can automate some of this, that will be much appreciated. As an example, npm has a npm audit fix command that similar things for js projects. Thanks!
@ianlancetaylor ianlancetaylor changed the title affected/package: go mod cmd/go: command to find minimum version with no known CVE Jan 3, 2022
@ianlancetaylor ianlancetaylor added GoCommand cmd/go NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Jan 3, 2022
@ianlancetaylor ianlancetaylor added this to the Backlog milestone Jan 3, 2022
@ianlancetaylor
Copy link
Contributor

CC @bcmills @matloob

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
GoCommand cmd/go NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
Backlog
Development

No branches or pull requests
2 participants
@tamalsaha @ianlancetaylor