x/vulndb: govulncheck surfaces function calls with trusted input (e.g., GO-2022-1039) #56099
Comments
I was able to confirm that upgrading to both go1.18.7 and go1.19.2 fixes this.
Hi Yuval, thanks for filing an issue! You're absolutely correct that govulncheck will always surface this vulnerability (unless you update to the latest Go version, as you just did), whether the call is safe or not. This is a tricky problem because there are so many ways that a certain call could be safe or unsafe, some of which are automatically detectable and some of which are not. So, for now, we mark calls as potentially vulnerable and leave it up to humans to decide if the vulnerability applies to their code. I've transferred this issue to the main issue tracker, and the team will discuss this further. We're also open to ideas or suggestions.
As @tatianab pointed out, govulncheck will report this vulnerability whenever it concludes that Would some form of warning suppression help in your case? If so, would that be a code annotation, or a config file you'd be willing to provide to govulncheck, or perhaps something entirely different?
Thanks for the quick reply, both! Yes, warning suppression would be totally fine. I think the easiest from a user's perspective would be an annotation/comment directly in the code.
Thank you for your feedback! This will help us in planning for future iterations of govulncheck.
In case it's helpful (re "we mark calls as potentially vulnerable and leave it up to humans to decide", above): my use case is that I wanted to run One option would be for me to get the results as json (which I know Thanks again!
Report ID: GO-2022-1039
Suggestion/Comment:
The content of the warning is:
My code does indeed call MustCompile, but all of the non-test call sites pass in a literal string to the regex. As such, the call is trusted. If I understand this vulnerability report correctly, it effectively means we can't ever use regexes and get a clean bill of health from govulncheck.
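The distinction the report turns on, a regexp compiled from a literal versus one built from external input, as an added example that is not code from this issue or from the Go project. The size bound and the helper names are assumptions chosen for illustration; what govulncheck reports is unaffected by them, since it flags the call site rather than the pattern's origin.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Trusted call site: the pattern is a compile-time literal, so nothing outside the
// program can influence what regexp/syntax has to parse. This is the shape of call
// the issue describes as trusted even though govulncheck still surfaces it.
var hexID = regexp.MustCompile(`^[0-9a-f]{8}$`)

// maxPatternLen is an assumed bound for patterns that originate outside the program.
const maxPatternLen = 256

var ErrPatternTooLong = errors.New("regexp pattern exceeds configured size limit")

// CompileUntrusted is the counterpart for patterns that are not literals (config
// files, request parameters). It refuses oversized input before the parser sees it
// and returns an error instead of panicking the way MustCompile would.
func CompileUntrusted(pattern string) (*regexp.Regexp, error) {
	if len(pattern) > maxPatternLen {
		return nil, ErrPatternTooLong
	}
	return regexp.Compile(pattern)
}

// IsTrustedHexID applies the literal pattern; only the matched text is external
// here, never the pattern itself, which is the "trusted input" argument above.
func IsTrustedHexID(s string) bool { return hexID.MatchString(s) }

func main() {
	fmt.Println(IsTrustedHexID("deadbeef")) // true

	// Constructed oversized pattern standing in for attacker-controlled input.
	_, err := CompileUntrusted(strings.Repeat("(a|b)", 100))
	fmt.Println(errors.Is(err, ErrPatternTooLong)) // true
}
```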