gosu: CVEs that do not apply to gosu
NOTE: this list is no longer actively maintained; see https://github.com/tianon/gosu/issues/104#issuecomment-1358424738:

> With https://github.com/tianon/gosu/releases/tag/1.15, I've now got https://github.com/tianon/gosu/blob/master/SECURITY.md which makes it clear how to determine whether vulnerabilities apply to a released version/build of `gosu` (TLDR, the answer is now `govulncheck`, which checks for invocations of the actual vulnerable functionality).
CVEs that do not apply to builds of `gosu`:

- CVE-2019-11254: … `gosu` is not Kubernetes (and does not parse YAML) (#105)
- CVE-2020-14039: does not use certificates (docker-library/mongo#529)
- CVE-2020-15586: does not use `net/http` (docker-library/mongo#529)
- CVE-2020-16845: does not use `encoding/binary` (docker-library/mongo#529)
- CVE-2020-24553: does not use `text/html` or CGI/FCGI (docker-library/mongo#529)
- CVE-2020-28362: does not use `math/big` (docker-library/mongo#529)
- CVE-2020-28366: vulnerability in `cmd/go`, not Go programs (docker-library/mongo#529)
- CVE-2020-28367: vulnerability in `cmd/go`, not Go programs (docker-library/mongo#529)
- CVE-2021-27918: does not use `encoding/xml` (docker-library/mongo#529)
- CVE-2021-29923: does not parse IP addresses (#91, docker-library/mongo#529)
- CVE-2021-31525: does not use `net/http` (docker-library/mongo#529)
- CVE-2021-33194: does not use `golang.org/x/net` (#107)
- CVE-2021-33195: does not perform DNS lookups (docker-library/mongo#529)
- CVE-2021-33196: does not use `archive/zip` (#94, docker-library/mongo#529)
- CVE-2021-33197: does not use `net/http/httputil` (docker-library/mongo#529)
- CVE-2021-33198: does not use `math/big` (docker-library/mongo#529)
- CVE-2021-36221: does not use `net/http/httputil` (docker-library/mongo#529)
- CVE-2021-38297: does not (could not?) support `GOARCH=wasm` (#98, docker-library/mongo#529)
- CVE-2021-39293: does not use `archive/zip` (#94, #97, #101, docker-library/mongo#529)
- CVE-2021-41771: does not use `debug/macho` (#98, docker-library/mongo#529)
- CVE-2021-41772: does not use `archive/zip` (docker-library/mongo#529)
- CVE-2021-43784: vulnerable `runc` code not used (#100)
- CVE-2021-44716: does not use `net/http` (#98, docker-library/mongo#529)
- CVE-2022-1705: does not use `net/http` (#112)
- CVE-2022-1962: no deeply nested types (#112)
- CVE-2022-23772: does not use `math/big` (#103)
- CVE-2022-23773: vulnerability in `cmd/go`, not Go programs (#99)
- CVE-2022-23806: does not use `crypto/elliptic` (#99)
- CVE-2022-24675: does not use `encoding/pem` (#108)
- CVE-2022-24769: does not change process capabilities (#115)
- CVE-2022-24921: does not use deeply nested `regexp` (#107)
- CVE-2022-27191: does not use `golang.org/x/crypto/ssh` (#108)
- CVE-2022-27664: does not use `net/http`
- CVE-2022-28131: does not use `encoding/xml` (#112)
- CVE-2022-28327: does not use `crypto/elliptic` (#108)
- CVE-2022-29162: does not change process capabilities (#109)
- CVE-2022-29526: does not use `Faccessat`
- CVE-2022-30580: does not (could not?) support `GOOS=windows` (#112)
- CVE-2022-30629: does not use `crypto/tls` (#112)
- CVE-2022-30630: does not use file globbing (#112)
- CVE-2022-30631: does not use `compress/gzip` (#112)
- CVE-2022-30632: does not use file globbing (#112)
- CVE-2022-30633: does not use `encoding/xml` (#112)
- CVE-2022-30635: does not use `encoding/gob`
- CVE-2022-32189: does not use `math/big`

If you use (or maintain) a security scanner which reports any of these against `gosu`, please report them to the security vendor as false positives.
(See also https://snarky.ca/the-social-contract-of-open-source/)
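Added example, not code from gosu or from this issue: a small Go program that resolves the transitive import graph of a main package with the standard `go/build` package and reports which of the packages named in the list above are linked at all. This is the package-level version of the "does not use `net/http`" argument, and it is coarser than `govulncheck`, which checks whether the vulnerable functions are actually reachable: a package that is absent here rules the CVE out for that build, but a package that is present does not by itself rule it in. The candidate list is hand-copied from the issue, and the `os/exec` self-check used below is only an illustration; both are assumptions of this example.

```go
// Added example (not part of gosu or of this issue): list the packages that a
// Go main package actually links, and report which of the standard-library and
// x/ packages named in the CVE list above are absent from that set.
//
// This is the package-level version of the "does not use net/http" argument.
// govulncheck goes further and checks whether the vulnerable *functions* are
// reachable, so: a package missing here rules the CVE out for this build; a
// package present here does not by itself rule it in.
package main

import (
	"fmt"
	"go/build"
	"os"
	"sort"
)

// Packages named in the "does not use ..." entries of the issue. Assumption for
// the illustration: this list is hand-copied from the issue, not generated.
var namedPackages = []string{
	"archive/zip",
	"compress/gzip",
	"crypto/elliptic",
	"crypto/tls",
	"debug/macho",
	"encoding/binary",
	"encoding/gob",
	"encoding/pem",
	"encoding/xml",
	"math/big",
	"net/http",
	"net/http/httputil",
	"regexp",
	"text/html",
	"golang.org/x/crypto/ssh",
}

// transitiveImports resolves root with go/build (srcDir is the directory a
// relative path such as "." is interpreted from; "" is fine for absolute
// import paths) and returns every import path reachable from it, root
// included. The cgo pseudo-package "C" is skipped: it has no source tree.
func transitiveImports(root, srcDir string) (map[string]bool, error) {
	reached := map[string]bool{} // import paths as go/build reports them
	visited := map[string]bool{} // import strings as written in source
	var visit func(path, fromDir string) error
	visit = func(path, fromDir string) error {
		if path == "C" || visited[path] {
			return nil
		}
		visited[path] = true
		pkg, err := build.Default.Import(path, fromDir, 0)
		if err != nil {
			return fmt.Errorf("resolving %q imported from %s: %w", path, fromDir, err)
		}
		reached[pkg.ImportPath] = true
		if !build.IsLocalImport(path) {
			reached[path] = true // also the name as written, e.g. without a "vendor/" prefix
		}
		// Resolve each import relative to the importing package's directory so
		// that GOROOT/src/vendor and module lookups behave as the go tool would.
		for _, imp := range pkg.Imports {
			if err := visit(imp, pkg.Dir); err != nil {
				return err
			}
		}
		return nil
	}
	if err := visit(root, srcDir); err != nil {
		return nil, err
	}
	return reached, nil
}

// notLinked returns, sorted, the candidates that are absent from reached.
func notLinked(reached map[string]bool, candidates []string) []string {
	var out []string
	for _, c := range candidates {
		if !reached[c] {
			out = append(out, c)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Usage: go run . [import-path-or-dir]
	// Default: the package in the current directory, e.g. a checkout of gosu.
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	cwd, err := os.Getwd()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	reached, err := transitiveImports(root, cwd)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s links %d packages\n", root, len(reached))
	for _, p := range namedPackages {
		state := "NOT linked"
		if reached[p] {
			state = "linked (check function reachability with govulncheck)"
		}
		fmt.Printf("  %-28s %s\n", p, state)
	}
}
```

Run it from a checkout of the package under review (`go run . .`); for a package with a `go.mod`, `go/build` defers to the `go` tool for module resolution, so it must be run where `go list` would also work. The output only says whether a package is reachable in the import graph; for a package that is reachable, `govulncheck` on the same tree (or `govulncheck -mode binary` on the released executable) is the check that tells you whether the vulnerable code is actually called.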
About this issue
- State: closed
- Created 2 years ago
- Comments: 25 (10 by maintainers)
Commits related to this issue
- Update to Go 1.19, Alpine 3.16, runc 1.1.4 — committed to tianon/gosu by tianon 2 years ago
Let me get this straight. You'd rather maintain this growing list of false-positive CVEs and respond to continuing bug reports and requests than release a new incremental version that would clear most if not all of these reports?

Consumers of tools like this generally don't build it from source. They consume released artifacts. The last release doesn't include changes you've merged into `master` in the last 15 months. Those changes include dependency updates and even a new Go version. You've merged the changes; why not release them?

I see your argument elsewhere that until there are "functional changes" you won't release a new version. I can see that reasoning. Following that reasoning, the update to Go 1.19 should justify a new release. There have been a number of changes to the Go compiler and runtime since `gosu 1.14` was built and released. While the gosu code hasn't changed, the build outputs and runtime behavior have. Based on your own comments that should be sufficient reason for a new release.

Can I just ask if there is something about updating to a new version of golang that poses more effort than updating all of these vulnerability tools? I understand that this project doesn't use the parts of the code that have the CVE at the moment, but I can't help but wonder if it is less effort to just update the go version than it is to ask all of the tools to ignore the warnings for this tool.
Thanks.
FYI: all fine, we will use redis 7.0.8 with gosu 1.16 (1.14 was where we had the CVEs), but we will upgrade to be sure.
similar to many of the CVEs that are listed, "does not use `math/big`" / "does not use `net/http`" `encoding/gob`