cmd/go: command to find minimum version with no known CVE #50409

Closed
tamalsaha opened this issue Jan 2, 2022 · 2 comments
Labels: GoCommand cmd/go, NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.)
Comments

@tamalsaha commented Jan 2, 2022

Is it possible to introduce a go mod command/feature that can look at data from deps.dev and automatically use the minimum version that does NOT have a known CVE? With the prevalence of code scanners, we keep getting alerts regarding CVEs. Currently the process to fix such alerts requires a lot of manual work. If go mod can automate some of this, that will be much appreciated. As an example, npm has an npm audit fix command that does similar things for JS projects. Thanks!

@ianlancetaylor ianlancetaylor changed the title affected/package: go mod cmd/go: command to find minimum version with no known CVE Jan 3, 2022
@ianlancetaylor ianlancetaylor added GoCommand cmd/go NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Jan 3, 2022
@ianlancetaylor ianlancetaylor added this to the Backlog milestone Jan 3, 2022
@ianlancetaylor (Member) commented:

CC @bcmills @matloob

@seankhliao (Member) commented:

I think if you're already upgrading beyond what your dependencies declare, it's unclear why you'd want minimum version without CVE rather than just upgrading to the latest. Many bugs get fixed without CVEs being filed.

@seankhliao seankhliao closed this as not planned Dec 4, 2024