Closed mrueg closed 2 years ago
Vulnerabilities in the SSH protocol implementation definitely don't impact age. We just parse SSH keys.
I disagree that it's a best practice to cause churn in downstream projects with vulnerability false positives. They reduce the amount of attention that projects can dedicate to actually assessing if a vulnerability affected users.
For example, you'd want a vulnerability that actually affected age to be handled by producing an announcement about whether users need to re-encrypt affected files rather than silently updating the go.mod and moving on.
This is why govulncheck (what will hopefully become go audit) does static analysis to rule out this sort of false positive.
Thanks for the quick response. I can see your point here. Unfortunately lots of the existing vulnerability scanners are not sophisticated enough yet to detect if it's exploitable or not.
Thanks also for mentioning govulncheck, that sounds really interesting!
Since age imports golang.org/x/crypto/ssh, requesting to update deps because of https://github.com/golang/crypto/commit/5770296d904e90f15f38f77dfc2e43fdf5efc083 (not sure if this is exploitable with age, so more applying best practices here)