x/vuln: add support for suppressing vulnerabilities by ID #59507

Open
bentcoder opened this issue Apr 8, 2023 · 2 comments
Labels: FeatureRequest, NeedsInvestigation, vulncheck or vulndb

Comments

@bentcoder

What version of Go are you using (go version)?

$ go version
go version go1.20.2 darwin/amd64

What operating system and processor architecture are you using (go env)?

$ go env
MacOS amd64 darwin

Hi,

Requesting to introduce a config file (ideally) or a flag that allows users to explicitly exclude some vulnerabilities. Maybe until they resolve them, they can be suppressed in CI and so on.

Thanks

Config file

$ govulncheck -config vuln.yaml ./...
# vuln.yaml
vulnerability:
    exclude:
        - GO-2023-1704
        - GO-2023-1705

Flag

$ govulncheck \
    -exclude GO-2023-1704 \
    -exclude GO-2023-1705 \
    ./...
@bentcoder bentcoder added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Apr 8, 2023
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Apr 8, 2023
@seankhliao seankhliao changed the title x/vuln: [feature request] config or flag to exclude set of vulnerabilities x/vuln: config or flag to exclude set of vulnerabilities Apr 8, 2023
@julieqiu julieqiu changed the title x/vuln: config or flag to exclude set of vulnerabilities x/vuln: add support for suppressing vulnerabilities by ID Apr 10, 2023
@dr2chase dr2chase added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Apr 14, 2023
@tianon (Contributor) commented Jun 26, 2023

In my case, I'm wanting this because govulncheck is now reporting GO-2023-1840 (https://pkg.go.dev/vuln/GO-2023-1840) on my binaries, but I've already got my own mitigation code for setuid bits being set, so the vulnerability doesn't really apply (which is the whole reason I love govulncheck - it normally is very good at filtering out things that don't apply, but in this case it really can't know ❤️). 😞 😅

@paveljanda

We would love to support this solution. 👍

In our case, our pipelines are set to fail if govulncheck fails. That being said, not all govulncheck errors are necessarily related to our production code use-cases.

It is kind of an industry standard to allow false positives to be ignored in vulnerability checks, static code analysis tools, etc.

Thx. 👍
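
Until x/vuln grows the config file or flag proposed in this issue, the same effect (silence specific IDs, keep the pipeline failing on everything else, which is the CI gating paveljanda describes) can be had by post-processing the tool's JSON output. The Go program below is an added example written for this page; it is not code from x/vuln or from anyone in this thread. It assumes the line-delimited JSON that govulncheck has emitted since protocol v1.0.0, where each finding line carries the vulnerability ID in finding.osv. The ignore-file format, its until= expiry field, the mandatory reason and the reporting of stale entries are this example's own design, not govulncheck features, and the sample stream and ignore file are constructed (the IDs come from this thread, everything else is invented).

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"sort"
	"strings"
	"time"
)

// ParseSuppressions reads a hypothetical ignore file (this example's own format,
// not a govulncheck feature): one "ID [until=YYYY-MM-DD] # reason" per line. A
// reason is mandatory so every silenced finding is documented in review; the
// returned map holds each ID's expiry (zero time means it never expires).
func ParseSuppressions(text string) (map[string]time.Time, error) {
	sups := map[string]time.Time{}
	for i, raw := range strings.Split(text, "\n") {
		entry, reason, _ := strings.Cut(raw, "#")
		fields := strings.Fields(entry)
		if len(fields) == 0 {
			continue // blank or comment-only line
		}
		if strings.TrimSpace(reason) == "" || len(fields) > 2 {
			return nil, fmt.Errorf("line %d: want \"ID [until=YYYY-MM-DD] # reason\"", i+1)
		}
		var until time.Time
		if len(fields) == 2 {
			t, err := time.Parse("until=2006-01-02", fields[1]) // layout: literal "until=" then a date
			if err != nil {
				return nil, fmt.Errorf("line %d: %w", i+1, err)
			}
			until = t
		}
		sups[fields[0]] = until
	}
	return sups, nil
}

type Result struct{ Remaining, Suppressed, Expired, Unused []string } // Expired IDs are also in Remaining

// Filter applies sups to a govulncheck -json stream as of now. The stream is one
// JSON object per line (protocol v1.0.0+); only lines carrying a "finding"
// object matter, and its "osv" field is the vulnerability ID.
func Filter(stream io.Reader, sups map[string]time.Time, now time.Time) (Result, error) {
	var res Result
	seen := map[string]bool{}
	dec := json.NewDecoder(stream)
	for dec.More() {
		var m struct{ Finding *struct{ OSV string `json:"osv"` } `json:"finding"` }
		if err := dec.Decode(&m); err != nil {
			return res, fmt.Errorf("decoding govulncheck output: %w", err)
		}
		if m.Finding == nil || seen[m.Finding.OSV] {
			continue // config/progress/osv line, or another call path of an ID already counted
		}
		id := m.Finding.OSV
		seen[id] = true
		until, ok := sups[id]
		switch {
		case !ok:
			res.Remaining = append(res.Remaining, id)
		case !until.IsZero() && !now.Before(until): // lapsed: fails again until re-triaged
			res.Expired, res.Remaining = append(res.Expired, id), append(res.Remaining, id)
		default:
			res.Suppressed = append(res.Suppressed, id)
		}
	}
	for id := range sups { // stale entries: report them so the file gets pruned
		if !seen[id] {
			res.Unused = append(res.Unused, id)
		}
	}
	sort.Strings(res.Unused) // map order is random; the other lists keep stream order
	return res, nil
}

// Constructed sample input: the IDs are the ones named in this issue; modules,
// versions and call sites are invented for the example.
const sampleStream = `{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"finding":{"osv":"GO-2023-1840","fixed_version":"v1.20.5","trace":[{"module":"stdlib","version":"v1.20.2","package":"syscall","function":"Setuid"}]}}
{"finding":{"osv":"GO-2023-1704","fixed_version":"v1.2.3","trace":[{"module":"example.com/dep","version":"v1.2.2","package":"example.com/dep/pkg","function":"Do"}]}}
{"finding":{"osv":"GO-2023-1705","fixed_version":"v0.9.0","trace":[{"module":"example.com/other","version":"v0.8.0"}]}}`

const sampleIgnore = `# hypothetical .govulncheckignore: ID [until=YYYY-MM-DD] # reason (required)
GO-2023-1840 until=2099-01-01 # own setuid mitigation in place
GO-2023-1704 until=2023-01-01 # waiting for upstream fix; this suppression has lapsed
GO-2023-1111 # no longer reported: stale entry to prune`

func main() {
	sups, err := ParseSuppressions(sampleIgnore)
	var res Result
	if err == nil { // in CI, feed os.Stdin from `govulncheck -json ./...` instead of the sample
		res, err = Filter(strings.NewReader(sampleStream), sups, time.Now())
	}
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("suppressed=%v expired=%v unused=%v\n", res.Suppressed, res.Expired, res.Unused)
	if len(res.Remaining) > 0 {
		log.Fatalf("unsuppressed findings: %v", res.Remaining) // exit status 1 fails the pipeline
	}
}
```

Wired into a pipeline as `govulncheck -json ./... | go run ./cmd/vulngate` (path hypothetical) with the sample replaced by os.Stdin, the exit status becomes the gate. The design choice worth keeping whatever format x/vuln eventually adopts: a suppression without a reason is rejected, one that has lapsed fails the build again, and one that matches nothing is reported, so the ignore list cannot quietly grow into a permanent blind spot. Note that the filter matches on ID only, so it also hides a later finding of the same ID reached through a new call path; that is the trade-off tianon's case accepts.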

No branches or pull requests

6 participants