
x/vuln: Govulncheck not detecting known vulnerability in Golang dependencies #58757

Closed
mohammadv184 opened this issue Feb 27, 2023 · 6 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.

Comments

@mohammadv184
Contributor

mohammadv184 commented Feb 27, 2023

What version of Go are you using (go version)?

$ go version
go version go1.20.1 linux/amd64

Does this issue reproduce at the latest version of golang.org/x/vuln?

yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/mohammadv184/.cache/go-build"
GOENV="/home/mohammadv184/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/mohammadv184/go/pkg/mod"
GONOPROXY="PRIVATE_GIT"
GONOSUMDB="PRIVATE_GIT"
GOOS="linux"
GOPATH="/home/mohammadv184/go"
GOPRIVATE="PRIVATE_GIT"
GOPROXY="https://goproxy.io,direct"
GOROOT="/snap/go/10055"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/snap/go/10055/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.20.1"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
GOWORK=""
CGO_CFLAGS="-O2 -g"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-O2 -g"
CGO_FFLAGS="-O2 -g"
CGO_LDFLAGS="-O2 -g"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build4125085153=/tmp/go-build -gno-record-gcc-switches"

What did you do?

1. Use github.com/satori/go.uuid version 1.2.0 in a Golang project.
2. Run Govulncheck on the project using the command `govulncheck ./...`.

What did you expect to see?

Govulncheck should report a warning about the vulnerability in the github.com/satori/go.uuid package.
Vulnerability Details: https://pkg.go.dev/vuln/GO-2022-0244

What did you see instead?

Govulncheck does not report any warnings about the vulnerability in the github.com/satori/go.uuid package.

@mohammadv184 mohammadv184 added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Feb 27, 2023
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Feb 27, 2023
@thanm thanm added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Feb 27, 2023
@seankhliao
Member

How does the project use github.com/satori/go.uuid? If it never generates a UUID, it's not vulnerable.

@seankhliao seankhliao added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Feb 27, 2023
@mohammadv184
Contributor Author

> How does the project use github.com/satori/go.uuid? If it never generates a UUID, it's not vulnerable.

I have used the github.com/satori/go.uuid package in my project and can confirm that it is being used to generate UUIDs. Additionally, I had previously received a warning from Govulncheck about a vulnerability in this package a few months ago.

However, in my recent run of Govulncheck, I did not receive any warnings about this package on the same project. The vulnerability is still present according to the Golang vulnerability database.

@mohammadv184
Contributor Author

Any update about this issue?

@seankhliao
Member

without a real example it's difficult to say what's happening

@seankhliao seankhliao added WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. and removed WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. labels Mar 5, 2023
@mohammadv184
Contributor Author

Here is a simple Go application that generates a UUID using the github.com/satori/go.uuid package:

```go
package main

import (
	"fmt"

	"github.com/satori/go.uuid"
)

func main() {
	id := uuid.NewV4()
	fmt.Printf("Generated UUID: %v\n", id)
}
```

Assuming you have the github.com/satori/go.uuid package installed in your go.mod, you can run this application by navigating to the directory containing this file and executing go run main.go. This should generate a UUID and print it to the console.

If you run Govulncheck on this application, it should detect the vulnerability in github.com/satori/go.uuid version 1.2.0 and produce a warning, but it doesn't.

@seankhliao
Member

1.2.0 is not a vulnerable version

@seankhliao seankhliao closed this as not planned Won't fix, can't repro, duplicate, stale Mar 5, 2023
@golang golang locked and limited conversation to collaborators May 19, 2024
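The two answers in this thread (a module is only reported when the vulnerable symbol is actually reached, and only when the module version falls inside the report's affected range) are the two gates govulncheck applies before printing a finding. The program below is an added illustration of those gates and is not code from the thread, from x/vuln or from the Go vulnerability database: the report ID `GO-0000-EXAMPLE`, the range `v1.3.0` to `v1.4.0` and the two caller sources are constructed placeholders, not the real GO-2022-0244 data, and the single-file `go/ast` scan stands in for govulncheck's whole-program call graph (it also cuts pre-release suffixes off versions rather than ordering them). Running the real tool (`govulncheck ./...`) against the database remains the authoritative check; this only shows why "the module is in go.mod" is not sufficient for a finding.

```go
package main

import (
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// Event mirrors one OSV SEMVER range: Introduced <= version < Fixed is affected; Introduced "0" means "from the first version".
type Event struct{ Introduced, Fixed string }

// Entry is a reduced OSV-style report: module, ranges, and the symbols whose use matters.
type Entry struct {
	ID, Module string
	Ranges     []Event
	Symbols    []string // as a caller writes them, e.g. "uuid.NewV4"
}

// Constructed sample data: ID and range are placeholders, not the real GO-2022-0244 values.
var sampleEntry = Entry{ID: "GO-0000-EXAMPLE", Module: "github.com/satori/go.uuid",
	Ranges: []Event{{Introduced: "v1.3.0", Fixed: "v1.4.0"}}, Symbols: []string{"uuid.NewV4"}}

// Constructed callers: one calls the listed symbol, the other only references the package.
const vulnerableSrc = `package main; import ("fmt"; "github.com/satori/go.uuid"); func main() { fmt.Println(uuid.NewV4()) }`
const safeSrc = `package main; import ("fmt"; "github.com/satori/go.uuid"); func main() { fmt.Println(uuid.Nil) }`

// triple reads MAJOR.MINOR.PATCH from a "v1.2.0"-style version; pre-release and build suffixes (as in pseudo-versions) are cut off.
func triple(v string) (out [3]int) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		out[i], _ = strconv.Atoi(p)
	}
	return out
}

// less reports whether version a sorts before version b.
func less(a, b string) bool {
	x, y := triple(a), triple(b)
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// VersionAffected is the first gate: the version lies inside at least one affected range.
func VersionAffected(version string, ranges []Event) bool {
	for _, r := range ranges {
		afterStart := r.Introduced == "0" || !less(version, r.Introduced)
		beforeFix := r.Fixed == "" || less(version, r.Fixed)
		if afterStart && beforeFix {
			return true
		}
	}
	return false
}

// CalledSymbols collects every "pkg.Func(...)" call in one source file; govulncheck walks a whole-program call graph instead.
func CalledSymbols(src string) (map[string]bool, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "main.go", src, 0)
	if err != nil {
		return nil, err
	}
	calls := map[string]bool{}
	ast.Inspect(f, func(n ast.Node) bool {
		if c, ok := n.(*ast.CallExpr); ok {
			if sel, ok := c.Fun.(*ast.SelectorExpr); ok {
				if pkg, ok := sel.X.(*ast.Ident); ok {
					calls[pkg.Name+"."+sel.Sel.Name] = true
				}
			}
		}
		return true
	})
	return calls, nil
}

// ShouldReport applies both gates: a finding needs an affected version AND a call to a listed symbol.
func ShouldReport(e Entry, version, src string) (bool, string) {
	if !VersionAffected(version, e.Ranges) {
		return false, e.Module + "@" + version + " is outside the affected ranges of " + e.ID
	}
	calls, err := CalledSymbols(src)
	if err != nil {
		return false, "cannot parse source: " + err.Error()
	}
	for _, s := range e.Symbols {
		if calls[s] {
			return true, e.ID + ": " + s + " is called from " + e.Module + "@" + version
		}
	}
	return false, e.Module + "@" + version + " is affected, but no listed symbol is called"
}
```

With the constructed range, `ShouldReport(sampleEntry, "v1.2.0", vulnerableSrc)` is rejected at the version gate (the situation the maintainer describes for 1.2.0), `ShouldReport(sampleEntry, "v1.3.2", safeSrc)` is rejected at the symbol gate (the "never generates a UUID" case), and only `ShouldReport(sampleEntry, "v1.3.2", vulnerableSrc)` yields a finding. When govulncheck goes quiet on a dependency that was reported earlier, the first things to compare are the resolved version in `go list -m all` against the report's ranges and whether the calling code path still exists.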