Skip to content

x/vuln: Treat fixes in unstable releases as warnings #61729

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
adapptor-kurt opened this issue Aug 3, 2023 · 4 comments
Closed

x/vuln: Treat fixes in unstable releases as warnings #61729

adapptor-kurt opened this issue Aug 3, 2023 · 4 comments
Assignees
@zpavlinovic
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.
Milestone
vuln/unplanned

Comments

@adapptor-kurt
Copy link

What version of Go are you using (go version)?

go version go1.20.6 darwin/arm64

Does this issue reproduce at the latest version of golang.org/x/vuln?

Yes

What did you do?

I am running govulncheck ./... as part of my CI process

What did you expect to see?

govulncheck should tell me whether there is a security vulnerability that I can take an action to fix.

What did you see instead?

govulncheck is causing a failure due to a fix in the unstable release crypto/tls@go1.21rc4. While this is useful to know about, it should be possible to ignore vulnerabilities that are not yet fixed in a stable release.
@adapptor-kurt adapptor-kurt added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Aug 3, 2023
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Aug 3, 2023
@percivalalb
Copy link

There is a stable release which fixes this vulnerability - 1.20.7. I think the confusion is that govulncheck is recommended the wrong version (especially apparent as it is a RC).

Based on the https://vuln.go.dev/ID/GO-2023-1987.json

image

I think the intended behaviour should be:

  • go < 1.19.12 it should recommend 1.19.12
  • 1.20.0 <= go < 1.20.7 it should recommend 1.20.7
  • 1.21.0 <= go < 1.21.0-rc.4 it should recommend 1.21.0-rc.4

It does not seem prudent to recommend an RC unless you are already on an RC.

@dr2chase dr2chase added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Aug 3, 2023
@dr2chase
Copy link
Contributor

dr2chase commented Aug 3, 2023

@golang/vulndb

This was referenced Aug 4, 2023
Closed
Closed
@zpavlinovic zpavlinovic self-assigned this Feb 8, 2024
@zpavlinovic
Copy link
Contributor

I believe this issue is addressed by now. Do you still see it?

@zpavlinovic zpavlinovic added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Feb 9, 2024
@adapptor-kurt
Copy link
Author

@zpavlinovic I'm happy to close this issue if it has been resolved, as I won't be able to reproduce the original issue. Thanks!

@golang golang locked and limited conversation to collaborators Feb 11, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@zpavlinovic zpavlinovic

Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.
Projects
None yet
Milestone
vuln/unplanned
Development

No branches or pull requests
5 participants
@zpavlinovic @dr2chase @percivalalb @gopherbot @adapptor-kurt