fiatjaf / noscl

Command line client for Nostr.

Btc related packages #25

Closed jmrepetti closed 1 year ago

jmrepetti commented 1 year ago

Hello team,

Why are there bitcoin-related packages? What are they used for?

I ran this nancy vulnerability check (1) and one of them is affected:

```text
go/noscl ( master ) $  go list -json -deps ./... | nancy sleuth

pkg:golang/github.com/btcsuite/btcd@v0.22.1
**2 known vulnerabilities affecting installed version**
[CVE-2022-44797] CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
[CVE-2022-39389] CWE-20: Improper Input Validation
```

(1) https://github.com/sonatype-nexus-community/nancy

fiatjaf commented 1 year ago

It uses https://pkg.go.dev/github.com/btcsuite/btcd/btcec/v2 which does the Schnorr Signatures.

It's unfortunate that it is mingled with some other Bitcoin-related packages. These vulnerabilities you found are strictly related to Bitcoin block parsing operations performed by the same library and we don't touch these things here at all (but we could update the dependency if you want just to make nancy happier).
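The reply above makes the triage point a dependency scanner cannot: nancy flags a whole module, but what matters is which packages of that module the build actually imports. The script below is an added example, not noscl's code or anything from the btcd project. It reads `importpath modulepath` lines of the kind `go list -deps -f '{{.ImportPath}} {{with .Module}}{{.Path}}{{end}}' ./...` prints and keeps only packages whose module is exactly the flagged one, so that `github.com/btcsuite/btcd/btcec/v2` (a separate module that happens to share the path prefix) is not counted against `github.com/btcsuite/btcd`. The dependency list embedded in it is constructed for the demonstration and is not real noscl output; the function names are my own.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of noscl): package-level triage
# of a module flagged by a dependency scanner such as nancy.
#
# Input format, one package per line, as produced by
#   go list -deps -f '{{.ImportPath}} {{with .Module}}{{.Path}}{{end}}' ./...
# Standard-library packages have no module and so carry a single field.

# packages_from_module MODULE
#   Reads the dependency list on stdin and prints the import paths whose
#   module path is exactly MODULE. Matching on the module column rather than
#   on a path prefix keeps nested modules (btcec/v2 lives under the btcd
#   repository path but is its own module) out of the result.
packages_from_module() {
  awk -v mod="$1" '$2 == mod { print $1 }' | sort -u
}

# Constructed sample dependency list for a client that only uses the Schnorr
# code in btcec/v2. This is illustrative data, not noscl's real import graph.
SAMPLE_DEPS='crypto/sha256
fmt
github.com/btcsuite/btcd/btcec/v2 github.com/btcsuite/btcd/btcec/v2
github.com/btcsuite/btcd/btcec/v2/schnorr github.com/btcsuite/btcd/btcec/v2
github.com/btcsuite/btcd/chaincfg/chainhash github.com/btcsuite/btcd
github.com/decred/dcrd/dcrec/secp256k1/v4 github.com/decred/dcrd/dcrec/secp256k1/v4'

# count_flagged_packages MODULE
#   Number of packages from MODULE present in the sample build graph.
count_flagged_packages() {
  printf '%s\n' "$SAMPLE_DEPS" | packages_from_module "$1" | wc -l | tr -d ' '
}

# Demo: which packages of the module nancy flagged are actually in the build?
# Those import paths are then compared against the packages the advisories
# name; a vulnerability in an unimported package is not reachable.
if [ "${1:-}" = "--demo" ]; then
  echo "packages imported from github.com/btcsuite/btcd:"
  printf '%s\n' "$SAMPLE_DEPS" | packages_from_module github.com/btcsuite/btcd
fi
```

Run it with `--demo` to list the packages; in the sample graph only `chaincfg/chainhash` comes from the flagged module, while the Schnorr code comes from the separate `btcec/v2` module. For a real repository, replace the embedded list with the `go list` output above. Package granularity is still coarser than the advisory: `govulncheck` from golang.org/x/vuln goes one step further and reports only vulnerabilities whose affected functions are reachable from your code, which is the check to run before deciding whether a flagged module is a finding or noise.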