commit | 0d8d4a79d87ebd9e2b8da7c1f9eb89786e75e33e | [log] [tgz] |
---|---|---|
author | Zvonimir Pavlinovic <zpavlinovic@google.com> | Tue Aug 31 16:22:37 2021 -0700 |
committer | Zvonimir Pavlinovic <zpavlinovic@google.com> | Thu Sep 02 22:59:53 2021 +0000 |
tree | 213fe73528770f9ef7fe152a36be1dabb25b9047 | |
parent | bd4e8a33fc32d17070e0402b7186d2fde8ca0c1f [diff] |
vulndb/internal/audit: filter out vulns for modules with "" version

When a module version is unknown (""), the current implementation assumes that any vulnerability version range applies to it. This can lead to false alarms, the most prominent example being when audit is run on a top-level module (which will have "" version) that has known vulnerabilities. This CL makes sure no vulnerabilities apply for a module with an unavailable version.

Fixes golang/go#48079

Change-Id: Idd9f080f9037d105d86311b62de77f29ef4664a2
Reviewed-on: https://go-review.googlesource.com/c/exp/+/346609
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Trust: Zvonimir Pavlinovic <zpavlinovic@google.com>
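The behaviour the commit message describes, as an added illustration that is not the code of golang.org/x/exp or its vulndb package: a range check that treats an unknown module version ("") as matching nothing, shown beside the pre-fix assumption that an unknown version matches every range. The `VersionRange` type (introduced inclusive, fixed exclusive) and the minimal `vMAJOR.MINOR.PATCH` parser are assumptions made for this example; a real checker would use a full semver comparison.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// VersionRange is a hypothetical affected-version interval for this example:
// Introduced is inclusive, Fixed is exclusive, and an empty field means
// "unbounded on that side".
type VersionRange struct {
	Introduced string
	Fixed      string
}

// parseSemver turns "v1.2.3" into [1 2 3]. Pre-release and build suffixes are
// dropped (assumption: compared as their base version). ok is false for
// anything that is not three non-negative integers.
func parseSemver(v string) (parts [3]int, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	fields := strings.Split(v, ".")
	if len(fields) != 3 {
		return parts, false
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 {
			return parts, false
		}
		parts[i] = n
	}
	return parts, true
}

// compareSemver returns -1, 0 or 1 as a is below, equal to or above b.
func compareSemver(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// affected reports whether version lies inside r. An unknown version ("")
// never matches: without a version there is no evidence the module is in the
// affected range, so reporting it would be a false alarm.
func affected(version string, r VersionRange) bool {
	if version == "" {
		return false
	}
	v, ok := parseSemver(version)
	if !ok {
		return false
	}
	if r.Introduced != "" {
		lo, ok := parseSemver(r.Introduced)
		if !ok || compareSemver(v, lo) < 0 {
			return false
		}
	}
	if r.Fixed != "" {
		hi, ok := parseSemver(r.Fixed)
		if !ok || compareSemver(v, hi) >= 0 {
			return false
		}
	}
	return true
}

// affectedBefore models the pre-fix assumption from the commit message:
// an unknown version is treated as matching any range, so a top-level
// module with "" version is flagged for every known vulnerability.
func affectedBefore(version string, r VersionRange) bool {
	if version == "" {
		return true
	}
	return affected(version, r)
}

func main() {
	r := VersionRange{Introduced: "v1.0.0", Fixed: "v1.2.0"}
	for _, v := range []string{"", "v0.9.9", "v1.1.3", "v1.2.0"} {
		fmt.Printf("version %q: before=%v after=%v\n", v, affectedBefore(v, r), affected(v, r))
	}
}
```

The only difference between the two predicates is the handling of the empty version; every concrete version still gets the ordinary interval test, so the fix removes the spurious report for the top-level module without hiding findings for dependencies whose versions are known.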
This subrepository holds experimental and deprecated (in the old directory) packages.

The idea for this subrepository originated as the pkg/exp directory of the main repository, but its presence there made it unavailable to users of the binary downloads of the Go installation. The subrepository has therefore been created to make it possible to go get these packages.
Warning: Packages here are experimental and unreliable. Some may one day be promoted to the main repository or other subrepository, or they may be modified arbitrarily or even disappear altogether.
In short, code in this subrepository is not subject to the Go 1 compatibility promise. (No subrepo is, but the promise is even more likely to be violated by go.exp than the others.)
Caveat emptor.