exasol / python-toolbox

Infrastructure & Automation Tooling for Python Projects
https://exasol.github.io/python-toolbox/
MIT License

✨ Support creating tickets for vulnerabilities in Go projects #98

Open kaklakariada opened 1 year ago

kaklakariada commented 1 year ago

Summary

In https://github.com/exasol/python-toolbox/pull/88 we added support for creating issues for vulnerabilities in Maven projects. This would be useful for Go projects, too.

Details

We can use govulncheck:

Text output:

# install
go install golang.org/x/vuln/cmd/govulncheck@latest
# Run
govulncheck -mode=source -scan=symbol -test ./...

Example output:

Scanning your code and 293 packages across 44 dependent modules for known vulnerabilities...

=== Informational ===

Found 1 vulnerability in packages that you import, but there are no call
stacks leading to the use of this vulnerability. You may not need to
take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2023-2163
    curve KeyPairs fail to encrypt github.com/nats-io/nkeys
  More info: https://pkg.go.dev/vuln/GO-2023-2163
  Module: github.com/nats-io/nkeys
    Found in: github.com/nats-io/nkeys@v0.4.0
    Fixed in: github.com/nats-io/nkeys@v0.4.6

No vulnerabilities found.

Share feedback at https://go.dev/s/govulncheck-feedback.

JSON output:

govulncheck -json -mode=source -scan=symbol -test ./...
{
  "config": {
    "protocol_version": "v1.0.0",
    "scanner_name": "govulncheck",
    "scanner_version": "v1.0.1",
    "db": "https://vuln.go.dev",
    "db_last_modified": "2023-11-06T21:39:09Z",
    "go_version": "go1.21.3",
    "scan_level": "symbol"
  }
}
{
  "progress": {
    "message": "Scanning your code and 293 packages across 44 dependent modules for known vulnerabilities..."
  }
}
{
  "osv": {
    "schema_version": "1.3.1",
    "id": "GO-2023-2163",
    "modified": "2023-11-02T21:47:24Z",
    "published": "2023-11-02T21:47:24Z",
    "aliases": [
      "CVE-2023-46129",
      "GHSA-mr45-rx8q-wcm9"
    ],
    "summary": "curve KeyPairs fail to encrypt github.com/nats-io/nkeys",
    "details": "Curve KeyPairs always use the same (all-zeros) key to encrypt data, and provide no security.",
    "affected": [
      {
        "package": {
          "name": "github.com/nats-io/nkeys",
          "ecosystem": "Go"
        },
        "ranges": [
          {
            "type": "SEMVER",
            "events": [
              {
                "introduced": "0.4.0"
              },
              {
                "fixed": "0.4.6"
              }
            ]
          }
        ],
        "ecosystem_specific": {
          "imports": [
            {
              "path": "github.com/nats-io/nkeys",
              "symbols": [
                "ckp.Open",
                "ckp.Seal",
                "ckp.SealWithRand",
                "decodePubCurveKey"
              ]
            }
          ]
        }
      }
    ],
    "references": [
      {
        "type": "ADVISORY",
        "url": "https://github.com/nats-io/nkeys/security/advisories/GHSA-mr45-rx8q-wcm9"
      },
      {
        "type": "FIX",
        "url": "https://github.com/nats-io/nkeys/commit/58fb9d69f42ea73fffad1d14e5914dc666f3daa1"
      }
    ],
    "credits": [
      {
        "name": "Quentin Matillat (GitHub @tinou98)"
      }
    ],
    "database_specific": {
      "url": "https://pkg.go.dev/vuln/GO-2023-2163"
    }
  }
}
{
  "finding": {
    "osv": "GO-2023-2163",
    "fixed_version": "v0.4.6",
    "trace": [
      {
        "module": "github.com/nats-io/nkeys",
        "version": "v0.4.0",
        "package": "github.com/nats-io/nkeys"
      }
    ]
  }
}
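As an added example (not part of this issue or of python-toolbox's own code), a Python parser for the govulncheck -json stream shown above: it joins each `osv` record with its `finding` messages into one ticket per vulnerability id. The sample stream is constructed from the output quoted above and trimmed; the `reachable` flag assumes govulncheck's convention that symbol-level findings carry a `function` field in the trace frame, which the module-level finding above lacks.

```python
import json
from dataclasses import dataclass, field

# Constructed sample: a govulncheck -json run emits a sequence of JSON
# objects, not one JSON document. Trimmed from the issue's output above.
SAMPLE_STREAM = '''
{"config": {"protocol_version": "v1.0.0", "scanner_name": "govulncheck"}}
{"progress": {"message": "Scanning your code..."}}
{"osv": {"id": "GO-2023-2163", "aliases": ["CVE-2023-46129"],
         "summary": "curve KeyPairs fail to encrypt github.com/nats-io/nkeys",
         "database_specific": {"url": "https://pkg.go.dev/vuln/GO-2023-2163"}}}
{"finding": {"osv": "GO-2023-2163", "fixed_version": "v0.4.6",
             "trace": [{"module": "github.com/nats-io/nkeys", "version": "v0.4.0",
                        "package": "github.com/nats-io/nkeys"}]}}
'''

@dataclass
class Ticket:
    vuln_id: str
    summary: str
    module: str
    found_version: str
    fixed_version: str
    url: str
    aliases: list[str] = field(default_factory=list)
    reachable: bool = False  # True once a finding names a called function

def iter_messages(stream: str):
    """Yield each top-level JSON object from a concatenated govulncheck stream."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(stream) and stream[pos].isspace():
            pos += 1
        if pos >= len(stream):
            return
        obj, pos = decoder.raw_decode(stream, pos)  # parse one object, advance
        yield obj

def build_tickets(stream: str) -> dict[str, Ticket]:
    """Join 'osv' entries with their 'finding' messages, one ticket per vuln id."""
    osv_by_id, tickets = {}, {}
    for msg in iter_messages(stream):
        if "osv" in msg:
            osv_by_id[msg["osv"]["id"]] = msg["osv"]
        elif "finding" in msg:  # config/progress messages are skipped
            f, frame = msg["finding"], msg["finding"]["trace"][0]
            osv = osv_by_id.get(f["osv"], {})
            t = tickets.setdefault(f["osv"], Ticket(
                vuln_id=f["osv"], summary=osv.get("summary", ""),
                module=frame["module"], found_version=frame["version"],
                fixed_version=f.get("fixed_version", ""),
                url=osv.get("database_specific", {}).get("url", ""),
                aliases=list(osv.get("aliases", []))))
            # Assumption: only symbol-level findings put "function" on the frame.
            t.reachable = t.reachable or "function" in frame
    return tickets
```

A ticket with `reachable` False corresponds to the "Informational" section of the text output, so a tooling integration can file it at lower priority than one whose trace reaches a called symbol.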