You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
$ make vulncheck
Scanning your code and 587 packages across 96 dependent modules for known vulnerabilities...
Vulnerability #1: GO-2024-2466
Denial of service in github.com/go-git/go-git/v5 and
gopkg.in/src-d/go-git.v4
More info: https://pkg.go.dev/vuln/GO-2024-2466
Module: github.com/go-git/go-git/v5
Found in: github.com/go-git/go-git/[email protected]
Fixed in: github.com/go-git/go-git/[email protected]
Example traces found:
#1: test/e2e/generator/generate.go:402:36: generator.gitRepoLatestReleaseVersion calls git.PlainOpenWithOptions, which calls filesystem.NewStorage
#2: test/e2e/generator/generate.go:402:36: generator.gitRepoLatestReleaseVersion calls git.PlainOpenWithOptions
#3: test/e2e/generator/generate.go:407:30: generator.gitRepoLatestReleaseVersion calls git.Repository.TagObjects
Vulnerability #2: GO-2024-2456
Path traversal and RCE in github.com/go-git/go-git/v5 and
gopkg.in/src-d/go-git.v4
More info: https://pkg.go.dev/vuln/GO-2024-2456
Module: github.com/go-git/go-git/v5
Found in: github.com/go-git/go-git/[email protected]
Fixed in: github.com/go-git/go-git/[email protected]
Example traces found:
#1: test/e2e/generator/generate.go:402:36: generator.gitRepoLatestReleaseVersion calls git.PlainOpenWithOptions, which calls filesystem.NewStorage
#2: test/e2e/generator/generate.go:402:36: generator.gitRepoLatestReleaseVersion calls git.PlainOpenWithOptions
#3: test/e2e/generator/generate.go:407:30: generator.gitRepoLatestReleaseVersion calls git.Repository.TagObjects
Vulnerability #3: GO-2023-2402
Man-in-the-middle attacker can compromise integrity of secure channel in
golang.org/x/crypto
More info: https://pkg.go.dev/vuln/GO-2023-2402
Module: golang.org/x/crypto
Found in: golang.org/x/[email protected]
Fixed in: golang.org/x/[email protected]
Example traces found:
#1: libs/os/os.go:110:18: os.CopyFile calls io.Copy, which eventually calls ssh.extChannel.Read
=== Informational ===
There are 2 vulnerabilities in modules that you require that are
neither imported nor called. You may not need to take any action.
See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
Vulnerability #1: GO-2024-2453
Timing side channel in github.com/cloudflare/circl
More info: https://pkg.go.dev/vuln/GO-2024-2453
Module: github.com/cloudflare/circl
Found in: github.com/cloudflare/[email protected]
Fixed in: github.com/cloudflare/[email protected]
Vulnerability #2: GO-2023-1765
Leaked shared secret and weak blinding in github.com/cloudflare/circl
More info: https://pkg.go.dev/vuln/GO-2023-1765
Module: github.com/cloudflare/circl
Found in: github.com/cloudflare/[email protected]
Fixed in: github.com/cloudflare/[email protected]
Your code is affected by 3 vulnerabilities from 2 modules.
Share feedback at https://go.dev/s/govulncheck-feedback.
exit status 3
make: *** [vulncheck] Error 1
Proposal
Upgrade deps to resolve go vulncheck identified issues
The text was updated successfully, but these errors were encountered:
rootulp
changed the title
go vulncheck fails on v0.34.x branch
go vulncheck fails on v0.34.x-celestia branch
Feb 2, 2024
rootulp
pushed a commit
to rootulp/celestia-core
that referenced
this issue
Sep 20, 2024
Problem
Proposal
Upgrade deps to resolve go vulncheck identified issues
The text was updated successfully, but these errors were encountered: