
x/vuln: reports vulnerability for unrelated Go version #55049


Closed
szuecs opened this issue Sep 13, 2022 · 1 comment
Labels: FrozenDueToAge, vulncheck or vulndb (Issues for the x/vuln or x/vulndb repo), x/vuln

Comments

szuecs commented Sep 13, 2022

What version of Go are you using (go version)?

$ go version
go version go1.18.6 linux/amd64

Does this issue reproduce at the latest version of golang.org/x/vuln?

yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN="/usr/local/bin"
GOCACHE="/root/.cache/go-build"
GOENV="/root/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/go/pkg/mod"
GONOPROXY="github.bus.zalan.do"
GONOSUMDB="github.bus.zalan.do"
GOOS="linux"
GOPATH="/go"
GOPRIVATE="github.bus.zalan.do"
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.18.6"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/workspace/go.mod"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2160206033=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I ran govulncheck ./... on https://github.com/zalando/skipper with Go 1.18.6

What did you expect to see?

I want to see only vulnerability reports that are targeted for the running Go version.
URL.JoinPath is a new API available since Go 1.19, so 1.18.6 is not vulnerable.

What did you see instead?

I got

=== Informational ===

The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2022-0988
  JoinPath and URL.JoinPath do not remove ../ path elements appended
  to a relative path. For example, JoinPath("https://go.dev", "../go")
  returns the URL "https://go.dev/../go", despite the JoinPath documentation
  stating that ../ path elements are removed from the result.

  Found in: net/url@go1.18.6
  Fixed in: net/url@go1.19.1
  More info: https://pkg.go.dev/vuln/GO-2022-0988
make: *** [Makefile:153: govulncheck] Error 3
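The report above turns on a version-range question: the finding names net/url@go1.18.6, while the affected API (URL.JoinPath) only exists from Go 1.19 and the fix landed in go1.19.1. The following is an added triage helper, not code from this issue, from x/vuln or from the skipper project. It parses the "Found in:" line of the govulncheck output quoted in the issue and checks the found toolchain version against an introduced/fixed range. The range values are constructed from the statements in the issue text (introduced go1.19, fixed go1.19.1); the vulndb entry for GO-2022-0988 is the authoritative source for the real range.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// goVersion is a parsed Go release tag such as "go1.18.6".
type goVersion struct{ major, minor, patch int }

// parseGoVersion parses "go1.19" or "go1.18.6"; the patch component is
// optional, so go1.19 and go1.19.0 compare equal.
func parseGoVersion(s string) (goVersion, error) {
	tag := strings.TrimPrefix(strings.TrimSpace(s), "go")
	parts := strings.Split(tag, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
		}
		nums[i] = n
	}
	return goVersion{nums[0], nums[1], nums[2]}, nil
}

// less reports whether v sorts before w.
func (v goVersion) less(w goVersion) bool {
	if v.major != w.major {
		return v.major < w.major
	}
	if v.minor != w.minor {
		return v.minor < w.minor
	}
	return v.patch < w.patch
}

// affectedRange is one introduced/fixed pair of a vulnerability report.
// An empty introduced means "affected from the first release"; an empty
// fixed means "no fix released yet".
type affectedRange struct{ introduced, fixed string }

// isAffected reports whether found lies in the half-open interval
// [introduced, fixed), which is how OSV-style ranges are read.
func isAffected(found string, r affectedRange) (bool, error) {
	v, err := parseGoVersion(found)
	if err != nil {
		return false, err
	}
	if r.introduced != "" {
		intro, err := parseGoVersion(r.introduced)
		if err != nil {
			return false, err
		}
		if v.less(intro) {
			return false, nil // predates the API that carries the bug
		}
	}
	if r.fixed != "" {
		fix, err := parseGoVersion(r.fixed)
		if err != nil {
			return false, err
		}
		if !v.less(fix) {
			return false, nil // fix already present in this release
		}
	}
	return true, nil
}

// parseFoundIn extracts package and version from a govulncheck line such as
// "  Found in: net/url@go1.18.6".
func parseFoundIn(line string) (pkg, version string, ok bool) {
	const prefix = "Found in:"
	s := strings.TrimSpace(line)
	if !strings.HasPrefix(s, prefix) {
		return "", "", false
	}
	return strings.Cut(strings.TrimSpace(strings.TrimPrefix(s, prefix)), "@")
}

func main() {
	// Range constructed from the issue text (URL.JoinPath new in Go 1.19,
	// "Fixed in: net/url@go1.19.1"); the vulndb entry is authoritative.
	joinPathRange := affectedRange{introduced: "go1.19", fixed: "go1.19.1"}

	// Constructed input: the "Found in:" line from the issue's govulncheck output.
	_, found, _ := parseFoundIn("  Found in: net/url@go1.18.6")
	for _, v := range []string{found, "go1.19", "go1.19.0", "go1.19.1"} {
		hit, err := isAffected(v, joinPathRange)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-9s affected=%v\n", v, hit)
	}
}
```

Run stand-alone, the program reports go1.18.6 as not affected (it predates the introduced version), go1.19 and go1.19.0 as affected, and go1.19.1 as already fixed, which is the comparison the scanner should have made before emitting the informational finding.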
@szuecs szuecs added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Sep 13, 2022
@gopherbot gopherbot added this to the Unreleased milestone Sep 13, 2022
@zpavlinovic zpavlinovic self-assigned this Sep 13, 2022
@zpavlinovic zpavlinovic modified the milestones: Unreleased, vuln/2022 Sep 13, 2022
@zpavlinovic (Contributor)

Thanks for reporting this! This is a duplicate of #55035, so we'll track the status there and reopen this if needed.

@golang golang locked and limited conversation to collaborators Sep 13, 2023