x/build: update to golang.org/x/text@v0.3.7+ (GO-2021-0113) #51565

Closed
hyangah opened this issue Mar 9, 2022 · 3 comments
Labels: Builders (x/build issues: builders, bots, dashboards), FrozenDueToAge, NeedsFix (the path to resolution is known, but the work has not been done)
Milestone: Unreleased

Comments

@hyangah
Contributor

hyangah commented Mar 9, 2022

govulncheck reports GO-2021-0113 for golang.org/x/build@0a1fb72 (as of 2022/03/09)

$ govulncheck ./...
Findings for vulnerability: GO-2021-0113 (CVE-2021-38561):

Trace:
golang.org/x/text/language.MustParse (/Users/hakim/go/pkg/mod/golang.org/x/text@v0.3.6/cases/map.go:43:41)
golang.org/x/text/cases.init#1(...) (-)
golang.org/x/text/cases.init(...) (-)
golang.org/x/text/secure/precis.init(...) (-)
github.com/jackc/pgconn.init(...) (-)
golang.org/x/build/internal/relui/db.init(...) (-)

I don't think this vulnerability is actually affecting this specific code path picked by govulncheck.
(The pgconn maintainer also said in jackc/pgconn#103 that this vulnerability doesn't affect the package.)

This vulnerability is not the type of vulnerability that can be analyzed with simple(?) callgraph analysis. We need data analysis to see what's fed into the vulnerable function. But with the lack of options to suppress the report, the easiest path forward is, I think, to update the dependency.

On the other hand, as seen in #51216, the Go security team wants to avoid changes triggered by false positive reports. So, I am not sure what's the Go team's policy in cases like this.

If we decide to update the dependency, now the question is which dependency to upgrade:

  • update to golang.org/x/text@v0.3.7 as the GO-2021-0113 page implies.
  • update the direct dependency, too: github.com/jackc/pgconn@v1.11.0

cc @golang/security
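The question raised above is really two checks: which version of golang.org/x/text the build list actually selects, and whether that version is below the advisory's fixed version. The script below is an added example, not code from x/build, govulncheck or the Go security team. It takes the one fact the thread states (GO-2021-0113 is fixed in golang.org/x/text v0.3.7) and applies it to a constructed `go list -m all` style build list; the function names `semver_lt`, `selected_version` and `check_advisory` and the sample versions in `SAMPLE_BUILD_LIST` are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of x/build or govulncheck):
# decide whether the module version selected by the build list is below
# an advisory's fixed version.
set -eu

# Advisory data as stated in the thread: GO-2021-0113 is fixed in x/text v0.3.7.
VULN_MODULE="golang.org/x/text"
VULN_FIXED="v0.3.7"

# Constructed sample in the shape of `go list -m all` output. The versions are
# illustrative and are NOT x/build's real build list.
SAMPLE_BUILD_LIST='golang.org/x/build
github.com/jackc/pgconn v1.10.1
golang.org/x/text v0.3.6
golang.org/x/sys v0.0.0-20220209214540-3681064d5158'

# semver_lt A B: succeed (exit 0) when A < B, comparing major.minor.patch
# numerically. Pre-release and pseudo-version suffixes after the patch
# number are ignored, which is enough for "is it below the fixed release".
semver_lt() {
  awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
    sub(/[-+].*/, "", a); sub(/[-+].*/, "", b)
    na = split(a, x, "."); nb = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      p = (i <= na) ? x[i] + 0 : 0
      q = (i <= nb) ? y[i] + 0 : 0
      if (p < q) exit 0
      if (p > q) exit 1
    }
    exit 1
  }'
}

# selected_version LIST MODULE: print the version LIST selects for MODULE,
# or nothing if the module is not in the build list at all.
selected_version() {
  printf '%s\n' "$1" | awk -v m="$2" '$1 == m && NF >= 2 { print $2; exit }'
}

# check_advisory LIST: print "affected <ver>", "fixed <ver>" or "absent".
check_advisory() {
  v=$(selected_version "$1" "$VULN_MODULE")
  if [ -z "$v" ]; then
    echo absent
    return 0
  fi
  if semver_lt "$v" "$VULN_FIXED"; then
    echo "affected $v"
  else
    echo "fixed $v"
  fi
}

# Run against the constructed sample; a real run would feed `go list -m all`.
check_advisory "$SAMPLE_BUILD_LIST"
```

Against a real module, replace the constructed list with the output of `go list -m all`. The remediation the thread settled on corresponds to `go get github.com/jackc/pgconn@v1.11.0 golang.org/x/text@v0.3.7 && go mod tidy`, followed by rerunning `govulncheck ./...`. Keep in mind what this check does and does not say: govulncheck's finding here is about call-graph reachability, not data flow, so a "fixed" result only means the vulnerable version is no longer selected, while an "affected" result still leaves open whether attacker-controlled input ever reaches the vulnerable function.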

@gopherbot gopherbot added the Builders x/build issues (builders, bots, dashboards) label Mar 9, 2022
@gopherbot gopherbot added this to the Unreleased milestone Mar 9, 2022
@dmitshur
Contributor

dmitshur commented Mar 9, 2022

I'm not sure what the policy should be. For this particular case, it's not a problem to update to the latest pgconn and x/text in x/build, so I'll add NeedsFix for now.
(If we get more reports that are false positives, that might be a good time to think more, but this is the first one I'm seeing.)

@dmitshur dmitshur added the NeedsFix The path to resolution is known, but the work has not been done. label Mar 9, 2022
@gopherbot

Change https://go.dev/cl/391214 mentions this issue: go.mod: update github.com/jackc/pgconn dependency

gopherbot pushed a commit to golang/build that referenced this issue Mar 9, 2022
This upgrades golang.org/x/text to v0.3.7 and
suppresses govulncheck's report on GO-2021-0113

For golang/go#51565

Change-Id: I21ec6a3772b455c88a418087b4fbf3cabc1ecc65
Reviewed-on: https://go-review.googlesource.com/c/build/+/391214
Trust: Hyang-Ah Hana Kim <hyangah@gmail.com>
Run-TryBot: Hyang-Ah Hana Kim <hyangah@gmail.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
@hyangah
Contributor Author

hyangah commented Mar 9, 2022

I will close this issue - two follow-up issues were filed.
And, we updated the github.com/jackc/pgconn dependency, not only x/text dependency.

@hyangah hyangah closed this as completed Mar 9, 2022
@golang golang locked and limited conversation to collaborators Mar 9, 2023