x/vuln: recommend stable releases only #61735

Closed
Crystalix007 opened this issue Aug 3, 2023 · 3 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo

Comments

@Crystalix007

Crystalix007 commented Aug 3, 2023

What version of Go are you using (go version)?

$ go version
go version go1.20.6 linux/amd64

Does this issue reproduce at the latest version of golang.org/x/vuln?

Yes.

What operating system and processor architecture are you using (go env)?

$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/kucm/.cache/go-build"
GOENV="/home/kucm/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/kucm/go/pkg/mod"
GONOPROXY="none"
GONOSUMDB="*.netcraft.com"
GOOS="linux"
GOPATH="/home/kucm/go"
GOPRIVATE="*.netcraft.com"
GOPROXY=""
GOROOT="/usr/lib/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.20.6"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
GOWORK=""
CGO_CFLAGS="-O2 -g"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-O2 -g"
CGO_FFLAGS="-O2 -g"
CGO_LDFLAGS="-O2 -g"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3339256111=/tmp/go-build -gno-record-gcc-switches"

What did you do?

$ govulncheck ./...
Using go1.20.6 and govulncheck@v1.0.0 with vulnerability data from https://vuln.go.dev/ (last modified 2023-08-02 20:33:39 +0000 UTC).
Scanning your code and 284 packages across 55 dependent modules for known vulnerabilities...
Vulnerability #1: GO-2023-1987
    Large RSA keys can cause high CPU usage in crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2023-1987
  Standard library
    Found in: crypto/tls@go1.20.6
    Fixed in: crypto/tls@go1.21rc4
    Example traces found:
      --snipped--
Your code is affected by 1 vulnerability from the Go standard library.
Share feedback at https://go.dev/s/govulncheck-feedback.

What did you expect to see?

Fixed in: crypto/tls@go1.20.7

What did you see instead?

Fixed in: crypto/tls@go1.21rc4

Either govulncheck should provide a flag to only recommend stable releases, or the logic should be adjusted so that:

  • for go < 1.19.12, it should suggest 1.19.12
  • for 1.20.0 <= go < 1.20.7, it should suggest 1.20.7
  • for 1.21.0 <= go < 1.21.0-rc.4, it should suggest 1.21.0-rc.4

It doesn't really make sense for the default recommendation to be to use a release candidate, when that is not a stable release yet.
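The selection rule sketched in the report, as an added worked example in Go. This is not govulncheck's own implementation and x/vuln exposes none of these functions; the names GoVersion, ParseGoVersion, Compare and RecommendFix are this example's, and the stableOnly parameter stands in for the hypothetical "stable releases only" flag. It parses the go1.X.Y and go1.XrcN spellings that appear in the output above, orders them the way releases ship (an rc sorts below the final release of its series), and picks the fix in the caller's own minor series, preferring a final release. The fix list go1.19.12, go1.20.7 and go1.21rc4 is taken from the issue text; beta spellings are not handled.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
)

// GoVersion is a parsed toolchain version such as "go1.20.7" or "go1.21rc4".
type GoVersion struct {
	Major, Minor, Patch int
	Pre                 string // "rc4"; empty for a final release (betas not handled)
}

var goVersionRE = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?(rc\d+)?$`)

// ParseGoVersion accepts the spellings seen in govulncheck output and rejects the rest.
func ParseGoVersion(s string) (GoVersion, error) {
	m := goVersionRE.FindStringSubmatch(s)
	if m == nil {
		return GoVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	atoi := func(d string) int { n, _ := strconv.Atoi(d); return n } // "" -> 0, the .0 release
	return GoVersion{atoi(m[1]), atoi(m[2]), atoi(m[3]), m[4]}, nil
}

func (v GoVersion) sameSeries(w GoVersion) bool { return v.Major == w.Major && v.Minor == w.Minor }

func (v GoVersion) String() string {
	if v.Patch == 0 {
		return fmt.Sprintf("go%d.%d%s", v.Major, v.Minor, v.Pre)
	}
	return fmt.Sprintf("go%d.%d.%d%s", v.Major, v.Minor, v.Patch, v.Pre)
}

// rcRank places "rcN" at N and a final release above every rc.
func rcRank(pre string) int {
	if pre == "" {
		return 1 << 30
	}
	n, _ := strconv.Atoi(pre[2:])
	return n
}

// Compare is negative, zero or positive, ordering go1.21rc4 < go1.21 < go1.21.1 (release order).
func (v GoVersion) Compare(w GoVersion) int {
	a := [4]int{v.Major, v.Minor, v.Patch, rcRank(v.Pre)}
	b := [4]int{w.Major, w.Minor, w.Patch, rcRank(w.Pre)}
	for i := range a {
		if a[i] != b[i] {
			return a[i] - b[i]
		}
	}
	return 0
}

// RecommendFix applies the rule proposed in the issue: a fix from the caller's own
// minor series wins, then a final release beats an rc, then the lowest version.
// stableOnly models the hypothetical "stable releases only" flag. ok is false when
// current already has its series' fix, nothing listed is newer, or (stableOnly) only rcs are newer.
func RecommendFix(current GoVersion, fixes []GoVersion, stableOnly bool) (fix GoVersion, ok bool) {
	var cands []GoVersion
	for _, f := range fixes {
		if f.sameSeries(current) && current.Compare(f) >= 0 {
			return GoVersion{}, false
		}
		if f.Compare(current) > 0 && (f.Pre == "" || !stableOnly) {
			cands = append(cands, f)
		}
	}
	if len(cands) == 0 {
		return GoVersion{}, false
	}
	sort.Slice(cands, func(i, j int) bool {
		ci, cj := cands[i], cands[j]
		if si, sj := ci.sameSeries(current), cj.sameSeries(current); si != sj {
			return si
		}
		if (ci.Pre == "") != (cj.Pre == "") {
			return ci.Pre == ""
		}
		return ci.Compare(cj) < 0
	})
	return cands[0], true
}

func main() {
	// Fix versions for GO-2023-1987 as written in the issue text.
	fixes := []GoVersion{{1, 19, 12, ""}, {1, 20, 7, ""}, {1, 21, 0, "rc4"}}
	for _, s := range []string{"go1.19.5", "go1.20.6", "go1.21rc3", "go1.20.7"} {
		cur, err := ParseGoVersion(s)
		if err != nil {
			panic(err)
		}
		if fix, ok := RecommendFix(cur, fixes, false); ok {
			fmt.Printf("%-9s affected, fixed in %s\n", s, fix)
		} else {
			fmt.Printf("%-9s nothing to recommend\n", s)
		}
	}
}
```

For go1.20.6 this yields go1.20.7 rather than go1.21rc4, and for a go1.21rc3 user it still yields go1.21rc4, since that is the only fix in that series. The one design choice worth noting is what stableOnly does for that rc user: here it simply returns ok=false, so a tool adopting such a flag would need to decide whether silence or a clearly marked pre-release recommendation is the safer default for a vulnerable toolchain.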

@Crystalix007 Crystalix007 added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Aug 3, 2023
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Aug 3, 2023
@dr2chase dr2chase added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Aug 3, 2023
@dr2chase
Contributor

dr2chase commented Aug 3, 2023

@golang/vulndb

@elagergren-spideroak

elagergren-spideroak commented Aug 3, 2023

also, (mostly a) dupe of #61735

@seankhliao
Member

Duplicate of #61729

@seankhliao seankhliao marked this as a duplicate of #61729 Aug 4, 2023
@seankhliao seankhliao closed this as not planned Won't fix, can't repro, duplicate, stale Aug 4, 2023
@golang golang locked and limited conversation to collaborators Aug 3, 2024