go-enry / go-license-detector

Reliable project licenses detector.

The dependency golang.org/x/text v0.3.2 has a CVE issued against it #6

Closed karlmutch closed 3 years ago

karlmutch commented 3 years ago

Hi,

When using the GitHub security checking tools, the golang.org/x/text v0.3.2 dependency causes an issue to be raised.

https://nvd.nist.gov/vuln/detail/CVE-2020-14040

https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTENCODINGUNICODE-609611

Thanks for this project, I am finding it very useful. Karl

bzz commented 3 years ago

Thank you for raising it @karlmutch!

Thanks for this project I am finding it very useful,

Glad to hear!

Did I get it right that the resolution path is to upgrade golang.org/x/text/encoding/unicode to version 0.3.3 or higher? A PR would be very welcome ;)
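A check for the pinned version in go.mod, added here as an example (not code from go-license-detector or from the PR in this thread): it assumes the resolution stated above, that v0.3.3 is the first fixed release of golang.org/x/text for CVE-2020-14040, and it only inspects direct requirements.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Assumed from the thread: CVE-2020-14040 in golang.org/x/text is fixed from v0.3.3 on.
const affectedModule, firstFixedVersion = "golang.org/x/text", "v0.3.3"
// semverKey orders "vMAJOR.MINOR.PATCH[-suffix]" as one integer (components < 2^20);
// a pre-release or pseudo-version suffix is ignored, which is enough for this check.
func semverKey(v string) (int64, error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, fmt.Errorf("not a semver triple: %q", v)
	}
	var key int64
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n >= 1<<20 {
			return 0, fmt.Errorf("bad version component %q in %q", p, v)
		}
		key = key<<20 | int64(n)
	}
	return key, nil
}
// IsVulnerableText reports whether go.mod directly pins golang.org/x/text below the
// fixed release; it reads "require mod vX" one-liners and require-block lines alike.
// Transitive pins are not in go.mod; `go list -m all` is where those show up.
func IsVulnerableText(gomod string) (bool, error) {
	fixed, _ := semverKey(firstFixedVersion)
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == affectedModule {
			have, err := semverKey(f[1])
			return err == nil && have < fixed, err
		}
	}
	return false, nil // not a direct dependency
}
func main() {
	// Constructed go.mod fragment mirroring the pin reported in this issue.
	gomod := "module example.com/app\n\ngo 1.14\n\nrequire golang.org/x/text v0.3.2 // indirect\n"
	fmt.Println(IsVulnerableText(gomod)) // true <nil>
}
```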

karlmutch commented 3 years ago

Thanks.

PR Added at https://github.com/go-enry/go-license-detector/pull/8

There appeared to be some issues in the GitHub-based testing which don't occur when I use stock go test. Should these be tagged as false positives?

Karl

bzz commented 3 years ago

Indeed, I have fixed one for the CI profiles in #12, and the CI build on Windows needs further investigation and does not seem to be related to the changes.

Thank you for the fix!

vmarkovtsev commented 3 years ago

Thank you for maintaining the project @bzz :heart:! I wish I could devote some time... Let's hope for the summer.