| ##### |
| # Test of basic govulncheck in source mode |
| $ govulncheck -C ${moddir}/vuln ./... --> FAIL 3 |
| Scanning your code and P packages across M dependent modules for known vulnerabilities... |
| |
| === Symbol Results === |
| |
| Vulnerability #1: GO-2021-0265 |
| A maliciously crafted path can cause Get and other query functions to |
| consume excessive amounts of CPU and time. |
| More info: https://pkg.go.dev/vuln/GO-2021-0265 |
| Module: github.com/tidwall/gjson |
| Found in: github.com/tidwall/gjson@v1.6.5 |
| Fixed in: github.com/tidwall/gjson@v1.9.3 |
| Example traces found: |
| #1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get |
| |
| Vulnerability #2: GO-2021-0113 |
| Due to improper index calculation, an incorrectly formatted language tag can |
| cause Parse to panic via an out of bounds read. If Parse is used to process |
| untrusted user inputs, this may be used as a vector for a denial of service |
| attack. |
| More info: https://pkg.go.dev/vuln/GO-2021-0113 |
| Module: golang.org/x/text |
| Found in: golang.org/x/text@v0.3.0 |
| Fixed in: golang.org/x/text@v0.3.7 |
| Example traces found: |
| #1: .../vuln.go:<l>:<c>: vuln.main calls language.Parse |
| |
| Vulnerability #3: GO-2021-0054 |
| Due to improper bounds checking, maliciously crafted JSON objects can cause |
| an out-of-bounds panic. If parsing user input, this may be used as a denial |
| of service vector. |
| More info: https://pkg.go.dev/vuln/GO-2021-0054 |
| Module: github.com/tidwall/gjson |
| Found in: github.com/tidwall/gjson@v1.6.5 |
| Fixed in: github.com/tidwall/gjson@v1.6.6 |
| Example traces found: |
| #1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach |
| |
| Your code is affected by 3 vulnerabilities from 2 modules. |
| This scan also found 0 vulnerabilities in packages you import and 2 |
| vulnerabilities in modules you require, but your code doesn't appear to call |
| these vulnerabilities. |
| Use '-show verbose' for more details. |
| |
| ##### |
| # Test of basic govulncheck in source mode with expanded traces |
| $ govulncheck -C ${moddir}/vuln -show=traces ./... --> FAIL 3 |
| Scanning your code and P packages across M dependent modules for known vulnerabilities... |
| |
| === Symbol Results === |
| |
| Vulnerability #1: GO-2021-0265 |
| A maliciously crafted path can cause Get and other query functions to |
| consume excessive amounts of CPU and time. |
| More info: https://pkg.go.dev/vuln/GO-2021-0265 |
| Module: github.com/tidwall/gjson |
| Found in: github.com/tidwall/gjson@v1.6.5 |
| Fixed in: github.com/tidwall/gjson@v1.9.3 |
| Example traces found: |
| #1: for function github.com/tidwall/gjson.Result.Get |
| .../vuln.go:<l>:<c>: golang.org/vuln.main |
| .../gjson.go:<l>:<c>: github.com/tidwall/gjson.Result.Get |
| |
| Vulnerability #2: GO-2021-0113 |
| Due to improper index calculation, an incorrectly formatted language tag can |
| cause Parse to panic via an out of bounds read. If Parse is used to process |
| untrusted user inputs, this may be used as a vector for a denial of service |
| attack. |
| More info: https://pkg.go.dev/vuln/GO-2021-0113 |
| Module: golang.org/x/text |
| Found in: golang.org/x/text@v0.3.0 |
| Fixed in: golang.org/x/text@v0.3.7 |
| Example traces found: |
| #1: for function golang.org/x/text/language.Parse |
| .../vuln.go:<l>:<c>: golang.org/vuln.main |
| .../parse.go:<l>:<c>: golang.org/x/text/language.Parse |
| |
| Vulnerability #3: GO-2021-0054 |
| Due to improper bounds checking, maliciously crafted JSON objects can cause |
| an out-of-bounds panic. If parsing user input, this may be used as a denial |
| of service vector. |
| More info: https://pkg.go.dev/vuln/GO-2021-0054 |
| Module: github.com/tidwall/gjson |
| Found in: github.com/tidwall/gjson@v1.6.5 |
| Fixed in: github.com/tidwall/gjson@v1.6.6 |
| Example traces found: |
| #1: for function github.com/tidwall/gjson.Result.ForEach |
| .../vuln.go:<l>:<c>: golang.org/vuln.main |
| .../gjson.go:<l>:<c>: github.com/tidwall/gjson.Result.Get |
| .../gjson.go:<l>:<c>: github.com/tidwall/gjson.Get |
| .../gjson.go:<l>:<c>: github.com/tidwall/gjson.execModifier |
| .../gjson.go:<l>:<c>: github.com/tidwall/gjson.modPretty |
| .../gjson.go:<l>:<c>: github.com/tidwall/gjson.Result.ForEach |
| |
| Your code is affected by 3 vulnerabilities from 2 modules. |
| This scan also found 0 vulnerabilities in packages you import and 2 |
| vulnerabilities in modules you require, but your code doesn't appear to call |
| these vulnerabilities. |
| Use '-show verbose' for more details. |
| |
| ##### |
| # Test of basic govulncheck in source mode with the -show verbose flag |
| $ govulncheck -C ${moddir}/vuln -show verbose ./... --> FAIL 3 |
| Scanning your code and P packages across M dependent modules for known vulnerabilities... |
| |
| === Symbol Results === |
| |
| Vulnerability #1: GO-2021-0265 |
| A maliciously crafted path can cause Get and other query functions to |
| consume excessive amounts of CPU and time. |
| More info: https://pkg.go.dev/vuln/GO-2021-0265 |
| Module: github.com/tidwall/gjson |
| Found in: github.com/tidwall/gjson@v1.6.5 |
| Fixed in: github.com/tidwall/gjson@v1.9.3 |
| Example traces found: |
| #1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get |
| |
| Vulnerability #2: GO-2021-0113 |
| Due to improper index calculation, an incorrectly formatted language tag can |
| cause Parse to panic via an out of bounds read. If Parse is used to process |
| untrusted user inputs, this may be used as a vector for a denial of service |
| attack. |
| More info: https://pkg.go.dev/vuln/GO-2021-0113 |
| Module: golang.org/x/text |
| Found in: golang.org/x/text@v0.3.0 |
| Fixed in: golang.org/x/text@v0.3.7 |
| Example traces found: |
| #1: .../vuln.go:<l>:<c>: vuln.main calls language.Parse |
| |
| Vulnerability #3: GO-2021-0054 |
| Due to improper bounds checking, maliciously crafted JSON objects can cause |
| an out-of-bounds panic. If parsing user input, this may be used as a denial |
| of service vector. |
| More info: https://pkg.go.dev/vuln/GO-2021-0054 |
| Module: github.com/tidwall/gjson |
| Found in: github.com/tidwall/gjson@v1.6.5 |
| Fixed in: github.com/tidwall/gjson@v1.6.6 |
| Example traces found: |
| #1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach |
| |
| === Package Results === |
| |
| No other vulnerabilities found. |
| |
| === Module Results === |
| |
| Vulnerability #1: GO-2022-0969 |
| HTTP/2 server connections can hang forever waiting for a clean shutdown that |
| was preempted by a fatal error. This condition can be exploited by a |
| malicious client to cause a denial of service. |
| More info: https://pkg.go.dev/vuln/GO-2022-0969 |
| Standard library |
| Found in: net/http@go1.18 |
| Fixed in: net/http@go1.18.6 |
| |
| Vulnerability #2: GO-2020-0015 |
| An attacker could provide a single byte to a UTF16 decoder instantiated with |
| UseBOM or ExpectBOM to trigger an infinite loop if the String function on |
| the Decoder is called, or the Decoder is passed to transform.String. If used |
| to parse user supplied input, this may be used as a denial of service |
| vector. |
| More info: https://pkg.go.dev/vuln/GO-2020-0015 |
| Module: golang.org/x/text |
| Found in: golang.org/x/text@v0.3.0 |
| Fixed in: golang.org/x/text@v0.3.3 |
| |
| Your code is affected by 3 vulnerabilities from 2 modules. |
| This scan also found 0 vulnerabilities in packages you import and 2 |
| vulnerabilities in modules you require, but your code doesn't appear to call |
| these vulnerabilities. |