
x/vuln/cmd/govulncheck: surface a "fixed" version when the fix is in a subsequent major version #56206

Closed
julieqiu opened this issue Oct 13, 2022 · 1 comment
Labels: NeedsFix (The path to resolution is known, but the work has not been done.), UX (Issues that involve UXD/UXR input), vulncheck or vulndb (Issues for the x/vuln or x/vulndb repo)

Comments

@julieqiu (Member)

There are reports with no fixed version in a module, but a fix exists in the next major version. We should find a way to surface this info in govulncheck.

Example (https://vuln.go.dev/ID/GO-2022-0386.json):

```yaml
  - module: github.com/nats-io/jwt
    versions:
      - fixed: 1.2.3-0.20210314221642-a826c77dc9d2
    vulnerable_at: 1.2.2
    packages:
      - package: github.com/nats-io/jwt
        ...
  - module: github.com/nats-io/jwt/v2
    versions:
      - fixed: 2.0.1
    vulnerable_at: 2.0.0
    packages:
      - package: github.com/nats-io/jwt/v2
        ...
```
@julieqiu julieqiu added UX Issues that involve UXD/UXR input vulncheck or vulndb Issues for the x/vuln or x/vulndb repo labels Oct 13, 2022
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Oct 13, 2022
@joedian joedian added the NeedsFix The path to resolution is known, but the work has not been done. label Oct 14, 2022
@zpavlinovic zpavlinovic self-assigned this Sep 27, 2023
@zpavlinovic (Contributor)

Based on offline discussion, we decided to not add this. Suggesting a subsequent major version might introduce a breaking change. Folks should really do their investigation on pkg.go.dev.
