blob: 52e3c5b31e8e66ea0408291113565c72019572aa [file] [log] [blame]
#####
# Test of basic govulncheck in source mode
$ govulncheck -C ${moddir}/vuln ./... --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
Vulnerability #1: GO-2021-0265
A maliciously crafted path can cause Get and other query functions to
consume excessive amounts of CPU and time.
More info: https://pkg.go.dev/vuln/GO-2021-0265
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.9.3
Example traces found:
#1: .../vuln.go:14:20: vuln.main calls gjson.Result.Get
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: .../vuln.go:13:16: vuln.main calls language.Parse
=== Informational ===
Found 1 vulnerability in packages that you import, but there are no
call stacks leading to the use of this vulnerability. There are also 2
vulnerabilities in modules that you require that are neither imported
nor called. You may not need to take any action.
See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
Vulnerability #1: GO-2022-0969
HTTP/2 server connections can hang forever waiting for a clean shutdown that
was preempted by a fatal error. This condition can be exploited by a
malicious client to cause a denial of service.
More info: https://pkg.go.dev/vuln/GO-2022-0969
Standard library
Found in: net/http@go1.18
Fixed in: net/http@go1.18.6
Vulnerability #2: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
More info: https://pkg.go.dev/vuln/GO-2021-0054
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.6.6
Vulnerability #3: GO-2020-0015
An attacker could provide a single byte to a UTF16 decoder instantiated with
UseBOM or ExpectBOM to trigger an infinite loop if the String function on
the Decoder is called, or the Decoder is passed to transform.String. If used
to parse user supplied input, this may be used as a denial of service
vector.
More info: https://pkg.go.dev/vuln/GO-2020-0015
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.3
Your code is affected by 2 vulnerabilities from 2 modules.
Share feedback at https://go.dev/s/govulncheck-feedback.
#####
# Test of basic govulncheck in source mode with expanded traces
$ govulncheck -C ${moddir}/vuln -show=traces ./... --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
Vulnerability #1: GO-2021-0265
A maliciously crafted path can cause Get and other query functions to
consume excessive amounts of CPU and time.
More info: https://pkg.go.dev/vuln/GO-2021-0265
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.9.3
Example traces found:
#1: for function github.com/tidwall/gjson.Result.Get
.../vuln.go:14:20: golang.org/vuln.main
github.com/tidwall/gjson.Result.Get
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: for function golang.org/x/text/language.Parse
.../vuln.go:13:16: golang.org/vuln.main
golang.org/x/text/language.Parse
=== Informational ===
Found 1 vulnerability in packages that you import, but there are no
call stacks leading to the use of this vulnerability. There are also 2
vulnerabilities in modules that you require that are neither imported
nor called. You may not need to take any action.
See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
Vulnerability #1: GO-2022-0969
HTTP/2 server connections can hang forever waiting for a clean shutdown that
was preempted by a fatal error. This condition can be exploited by a
malicious client to cause a denial of service.
More info: https://pkg.go.dev/vuln/GO-2022-0969
Standard library
Found in: net/http@go1.18
Fixed in: net/http@go1.18.6
Vulnerability #2: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
More info: https://pkg.go.dev/vuln/GO-2021-0054
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.6.6
Vulnerability #3: GO-2020-0015
An attacker could provide a single byte to a UTF16 decoder instantiated with
UseBOM or ExpectBOM to trigger an infinite loop if the String function on
the Decoder is called, or the Decoder is passed to transform.String. If used
to parse user supplied input, this may be used as a denial of service
vector.
More info: https://pkg.go.dev/vuln/GO-2020-0015
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.3
Your code is affected by 2 vulnerabilities from 2 modules.
Share feedback at https://go.dev/s/govulncheck-feedback.