x/vuln: should go.mod dependencies carrying the // indirect suffix be analyzed? #57831

Closed
tarihub opened this issue Jan 16, 2023 · 1 comment
Labels
FrozenDueToAge vulncheck or vulndb Issues for the x/vuln or x/vulndb repo

Comments

@tarihub commented Jan 16, 2023

What version of Go are you using (go version)?

$ go version
go version go1.18 darwin/amd64

Does this issue reproduce at the latest version of golang.org/x/vuln?

yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/tari/Library/Caches/go-build"
GOENV="/Users/tari/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/tari/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/tari/go"
GOPRIVATE=""
GOPROXY="https://goproxy.cn,direct"
GOROOT="/Users/tari/go/go1.18"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/Users/tari/go/go1.18/pkg/tool/darwin_amd64"
GOVCS=""
GOVERSION="go1.18"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/dev/null"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/z4/g_tg5mqn17bd8zrf6n89652h0000gn/T/go-build2022532343=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

go.mod:

module ...

go 1.18

require golang.org/x/text/language v0.3.6 // indirect

Then ran:

$ govulncheck ./...

The result shows golang.org/x/text/language as a vulnerable module.

I think indirect dependencies likely belong to go.sum; govulncheck only scans go.mod and does not scan go.sum.
Maybe it's better not to scan go.mod entries that have the indirect field?

@tarihub tarihub added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Jan 16, 2023
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Jan 16, 2023
@seankhliao (Member) commented Jan 17, 2023

vulncheck checks for reachable code via execution. Indirect dependencies just mean they aren't directly imported by you, but they're still needed.

@seankhliao seankhliao closed this as not planned Jan 17, 2023
@golang golang locked and limited conversation to collaborators Jan 17, 2024
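The reply above is the whole point of the issue: "// indirect" in go.mod is a statement about who imports a module, not about whether its code runs, and govulncheck reports on reachability through the call graph, not on go.mod text. The following is an added example, not code from x/vuln or from this thread. It models that distinction on a constructed call graph: an app calls a direct dependency, which calls into golang.org/x/text/language (indirect in go.mod), while a second indirect module is never called. The module paths, symbol names and the advisory IDs GO-EXAMPLE-0001/0002 are hypothetical, and the call graph is hand-built rather than extracted from real packages.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// CallGraph maps a fully qualified function to the functions it calls.
// govulncheck builds this from the compiled program; here it is constructed.
type CallGraph map[string][]string

// Module describes one require line from go.mod.
type Module struct {
	Path     string
	Indirect bool
}

// Constructed sample (hypothetical names): one direct dependency and two
// indirect ones, exactly as go.mod would list them.
var sampleModules = []Module{
	{Path: "example.com/app", Indirect: false},
	{Path: "example.com/webkit", Indirect: false},   // imported by app
	{Path: "golang.org/x/text", Indirect: true},     // imported only by webkit
	{Path: "example.com/unusedlib", Indirect: true}, // pulled in, never called
}

// Constructed call graph: app.main -> webkit.Negotiate -> x/text/language.Parse.
// unusedlib.Dangerous is present in the module graph but nothing calls it.
var sampleGraph = CallGraph{
	"example.com/app.main":              {"example.com/webkit.Negotiate"},
	"example.com/webkit.Negotiate":      {"golang.org/x/text/language.Parse"},
	"golang.org/x/text/language.Parse":  {},
	"example.com/unusedlib.Dangerous":   {},
}

// Constructed vulnerability database: vulnerable symbol -> advisory ID.
// The IDs are hypothetical placeholders, not real Go vulnerability reports.
var sampleVulnSymbols = map[string]string{
	"golang.org/x/text/language.Parse": "GO-EXAMPLE-0001",
	"example.com/unusedlib.Dangerous":  "GO-EXAMPLE-0002",
}

// moduleOf returns the longest module path that is a prefix of symbol,
// requiring a "/" or "." boundary so example.com/app never matches example.com/appx.
func moduleOf(symbol string, mods []Module) (Module, bool) {
	best, found := Module{}, false
	for _, m := range mods {
		if strings.HasPrefix(symbol, m.Path+"/") || strings.HasPrefix(symbol, m.Path+".") {
			if !found || len(m.Path) > len(best.Path) {
				best, found = m, true
			}
		}
	}
	return best, found
}

// Reachable performs a depth-first walk from entry and returns every symbol reached.
func Reachable(g CallGraph, entry string) map[string]bool {
	seen := map[string]bool{}
	stack := []string{entry}
	for len(stack) > 0 {
		cur := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if seen[cur] {
			continue
		}
		seen[cur] = true
		stack = append(stack, g[cur]...)
	}
	return seen
}

// Finding is one reported vulnerability together with the go.mod provenance
// of the module that provides the vulnerable symbol.
type Finding struct {
	ID       string
	Symbol   string
	Module   string
	Indirect bool
}

// ReportFindings returns the vulnerable symbols reachable from entry, sorted by ID.
// Vulnerable symbols that are never reached are omitted; the Indirect flag is
// carried along only for display and plays no part in the decision.
func ReportFindings(g CallGraph, entry string, vulns map[string]string, mods []Module) []Finding {
	reach := Reachable(g, entry)
	var out []Finding
	for sym, id := range vulns {
		if !reach[sym] {
			continue
		}
		m, _ := moduleOf(sym, mods)
		out = append(out, Finding{ID: id, Symbol: sym, Module: m.Path, Indirect: m.Indirect})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID })
	return out
}

func main() {
	for _, f := range ReportFindings(sampleGraph, "example.com/app.main", sampleVulnSymbols, sampleModules) {
		fmt.Printf("%s: %s reachable (module %s, indirect=%v)\n", f.ID, f.Symbol, f.Module, f.Indirect)
	}
}
```

Run as written, only GO-EXAMPLE-0001 is reported: the x/text symbol is reachable through the direct dependency even though go.mod marks golang.org/x/text as indirect, while the vulnerable symbol in example.com/unusedlib is skipped because no call path leads to it. Filtering on the "// indirect" comment, as the issue proposes, would have hidden the first finding and changed nothing about the second.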