Open prattmic opened 2 years ago
Thank you for reporting this issue!
It is currently out of scope for vulncheck to automatically do analysis of call arguments to vulnerable symbols. However, `unix.Access` should not be considered a vulnerable symbol for the reasons you outlined. We'll investigate a potential remedy.
What version of Go are you using (`go version`)?

Does this issue reproduce at the latest version of golang.org/x/vuln?
Yes, using v0.0.0-20220902211423-27dd78d2ca39
What operating system and processor architecture are you using (`go env`)?

What did you do?
What did you expect to see?
Vulnerabilities affecting these packages.
What did you see instead?
This vulnerability affects `Faccessat` when called with `flags != 0`. This report flags a call via `unix.Access`, which always passes `flags == 0`.

In theory vulncheck could encode that this vulnerability depends on a certain argument value and then statically find calls that don't match that value.
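As an added illustration of the argument-value rule the report describes (this is not code from the issue, from vulncheck, or from golang.org/x/sys), the following go/ast pass scans a constructed source file for calls spelled `unix.Faccessat(dirfd, path, mode, flags)` and reports only those whose `flags` argument is not the integer literal 0. A call through `unix.Access` is never reported because its selector is not `Faccessat`, and a `Faccessat` call with a literal 0 is skipped. Matching on the identifier text `unix` instead of the resolved import path, and not following calls through wrapper functions, are simplifications assumed here; the sample file and its `checks` function are constructed for the example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
	"strconv"
)

// sampleSrc is a constructed input file (not from the issue) with one call
// through unix.Access, one Faccessat call with literal zero flags, and two
// Faccessat calls whose flags are not provably zero.
const sampleSrc = `package sample

import "golang.org/x/sys/unix"

func checks(path string, flags int) {
	// Always passes flags == 0 to Faccessat internally: not affected.
	_ = unix.Access(path, unix.R_OK)
	// Explicit zero flags: not affected.
	_ = unix.Faccessat(unix.AT_FDCWD, path, unix.R_OK, 0)
	// Non-zero flags: the affected code path.
	_ = unix.Faccessat(unix.AT_FDCWD, path, unix.R_OK, unix.AT_EACCESS)
	// Flags not known statically: reported conservatively.
	_ = unix.Faccessat(unix.AT_FDCWD, path, unix.R_OK, flags)
}
`

// Finding is one Faccessat call whose flags argument is not the constant 0.
type Finding struct {
	Line  int    // line of the call in the scanned file
	Flags string // source form of the flags argument
}

// isZeroLiteral reports whether e is an integer literal equal to 0 (0, 00, 0x0, ...).
func isZeroLiteral(e ast.Expr) bool {
	lit, ok := e.(*ast.BasicLit)
	if !ok || lit.Kind != token.INT {
		return false
	}
	v, err := strconv.ParseInt(lit.Value, 0, 64)
	return err == nil && v == 0
}

// FindFaccessatWithFlags parses src and returns every call spelled
// unix.Faccessat(dirfd, path, mode, flags) whose flags argument is not the
// literal 0. Matching the selector text "unix.Faccessat" is an assumed
// simplification: a real checker would resolve the import path with go/types
// and follow calls through wrappers, which is what vulncheck's call graph does.
func FindFaccessatWithFlags(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok || sel.Sel.Name != "Faccessat" {
			return true
		}
		if pkg, ok := sel.X.(*ast.Ident); !ok || pkg.Name != "unix" {
			return true
		}
		if len(call.Args) != 4 {
			return true
		}
		if isZeroLiteral(call.Args[3]) {
			return true // flags == 0: the affected path is not reachable
		}
		findings = append(findings, Finding{
			Line:  fset.Position(call.Pos()).Line,
			Flags: types.ExprString(call.Args[3]),
		})
		return true
	})
	return findings, nil
}

func main() {
	findings, err := FindFaccessatWithFlags("sample.go", sampleSrc)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("sample.go:%d: unix.Faccessat called with flags=%s (not provably 0)\n", f.Line, f.Flags)
	}
}
```

Run stand-alone it reports the `unix.AT_EACCESS` call and the call with the variable `flags`, and nothing for `unix.Access` or the literal-0 call. A non-literal argument is reported on purpose: without constant propagation the checker cannot prove it is zero, so a conservative report is safer than silently dropping a potentially affected call.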