blob: d275d119469b5ab5207fa62eb063f9d168e93785 [file] [log] [blame]
#####
#
$ govulncheck -C ${moddir}/vuln -json ./...
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"go_version": "go1.18",
"scan_level": "symbol"
}
}
{
"progress": {
"message": "Scanning your code and P packages across M dependent modules for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2022-0969",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-09-12T20:23:06Z",
"aliases": [
"CVE-2022-27664",
"GHSA-69cg-p879-7622"
],
"details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.6"
},
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"ListenAndServe",
"ListenAndServeTLS",
"Serve",
"ServeTLS",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.Serve",
"Server.ServeTLS",
"http2Server.ServeConn",
"http2serverConn.goAway"
]
}
]
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220906165146-f3363e06e74c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/http2",
"symbols": [
"Server.ServeConn",
"serverConn.goAway"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/54658"
},
{
"type": "FIX",
"url": "https://go.dev/cl/428735"
}
],
"credits": [
{
"name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0969"
}
}
}
{
"finding": {
"osv": "GO-2022-0969",
"fixed_version": "v1.18.6",
"trace": [
{
"module": "stdlib",
"version": "v1.18.0",
"package": "net/http"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0265",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-08-15T18:06:07Z",
"aliases": [
"CVE-2021-42248",
"CVE-2021-42836",
"GHSA-c9gm-7rfj-8w5h",
"GHSA-ppj4-34rq-v8j9"
],
"details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Get",
"parseObject",
"queryMatches"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/237"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/236"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0265"
}
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "Get",
"receiver": "Result"
},
{
"module": "golang.org/vuln",
"package": "golang.org/vuln",
"function": "main",
"position": {
"filename": ".../vuln.go",
"offset": 183,
"line": 14,
"column": 20
}
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0113",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-10-06T17:51:21Z",
"aliases": [
"CVE-2021-38561",
"GHSA-ppp9-7jff-5vj2"
],
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.7"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/language",
"symbols": [
"MatchStrings",
"MustParse",
"Parse",
"ParseAcceptLanguage"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/340830"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
}
],
"credits": [
{
"name": "Guido Vranken"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0113"
}
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0",
"package": "golang.org/x/text/language"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0",
"package": "golang.org/x/text/language",
"function": "Parse"
},
{
"module": "golang.org/vuln",
"package": "golang.org/vuln",
"function": "main",
"position": {
"filename": ".../vuln.go",
"offset": 159,
"line": 13,
"column": 16
}
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0054",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-36067",
"GHSA-p64j-r5f4-pwwx"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Result.ForEach",
"unwrap"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/196"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0054"
}
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2020-0015",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-14040",
"GHSA-5rcv-m4m3-hfh7"
],
"details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/encoding/unicode",
"symbols": [
"bomOverride.Transform",
"utf16Decoder.Transform"
]
},
{
"path": "golang.org/x/text/transform",
"symbols": [
"String"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/238238"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/39491"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
}
],
"credits": [
{
"name": "@abacabadabacaba and Anton Gyllenberg"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0015"
}
}
}
{
"finding": {
"osv": "GO-2020-0015",
"fixed_version": "v0.3.3",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0059",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-35380",
"GHSA-w942-gw6m-p62c"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.4"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Array",
"Result.Get",
"Result.Map",
"Result.Value",
"squash"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/192"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0059"
}
}
}