golang / protobuf

Go support for Google's protocol buffers
BSD 3-Clause "New" or "Revised" License

Black Duck Security Advisory BDSA-2023-1439 #1553

Closed bryanhelm closed 11 months ago

bryanhelm commented 11 months ago

What version of protobuf and what language are you using? Version: 1.5.3

What did you do? Ran a Black Duck scan on a Go program using 3rd party packages that go.mod indicates depend on golang/protobuf 1.5.3. Not sure which direct dependency depends on it.

What did you expect to see? No security risks

What did you see instead? BDSA-2023-1439

I came to check up on the reported issue and did not see it here. I'm not sure this is the way to handle it, but I figured it couldn't hurt. This is what Black Duck says: Protobuf contains an out-of-bounds read vulnerability due to a lack of user input validation. A remote attacker could exploit this by providing protobuf with a crafted message in order to cause the system to crash.

Anything else we should know about your project / environment? This issue is not specific to my project or environment.

neild commented 11 months ago

The google.golang.org/protobuf module requires a minimum version of the github.com/golang/protobuf module if you use both, but does not make use of that module in any way. There is no vulnerability here.

wburningham commented 11 months ago

Hi @neild I don't follow your comment. Could you explain a little more about how google.golang.org/protobuf plays into the advisory being a false positive? Thanks in advance.

dsnet commented 11 months ago

There is a cyclic dependency between google.golang.org/protobuf and github.com/golang/protobuf. It is impossible to depend on google.golang.org/protobuf without also implicitly depending on github.com/golang/protobuf.

This security warning is a false positive as there is (to my knowledge) no security issue with github.com/golang/protobuf. The module is deprecated because it's been replaced with google.golang.org/protobuf, but it's not any less secure (since they both use the same runtime implementation).
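The practical triage step behind this thread is checking how the flagged module actually enters a build: whether the project imports github.com/golang/protobuf itself, or whether it is present only as the indirect requirement that google.golang.org/protobuf forces through the cyclic module dependency dsnet describes. The following is an added example, not code from the golang/protobuf project or from anyone in this issue: a small stdlib-only Go parser for the require directives of a go.mod that reports a module as direct, indirect or absent. The go.mod text it runs over is constructed for illustration (the v1.31.0 version of google.golang.org/protobuf and the module path example.com/app are sample values, not taken from the thread), and the helper names are hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Requirement is one line of a go.mod require directive.
type Requirement struct {
	Path     string
	Version  string
	Indirect bool // true when the line carries the "// indirect" marker
}

// ParseRequires extracts all requirements from go.mod text, in both the
// single-line and the block form. Hypothetical helper written for this
// example; it handles only the require directive, which is all the
// classification below needs.
func ParseRequires(gomod string) []Requirement {
	var reqs []Requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, "//"):
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require ("):
			inBlock = true
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			// module, go, replace, exclude etc. are not requirements
			continue
		}
		if r, ok := parseRequireLine(line); ok {
			reqs = append(reqs, r)
		}
	}
	return reqs
}

// parseRequireLine splits "path version [// indirect]" into a Requirement.
func parseRequireLine(line string) (Requirement, bool) {
	indirect := false
	if i := strings.Index(line, "//"); i >= 0 {
		indirect = strings.Contains(line[i:], "indirect")
		line = line[:i]
	}
	fields := strings.Fields(line)
	if len(fields) != 2 {
		return Requirement{}, false
	}
	return Requirement{Path: fields[0], Version: fields[1], Indirect: indirect}, true
}

// Classify reports how a flagged module enters the build: "direct" (the
// project imports it), "indirect" (pulled in only through another
// dependency) or "absent" (not in the module graph at all).
func Classify(gomod, module string) string {
	for _, r := range ParseRequires(gomod) {
		if r.Path == module {
			if r.Indirect {
				return "indirect"
			}
			return "direct"
		}
	}
	return "absent"
}

// SampleGoMod is a constructed go.mod: the project imports only
// google.golang.org/protobuf, and github.com/golang/protobuf appears solely
// as the indirect requirement created by the cyclic module dependency.
const SampleGoMod = `module example.com/app

go 1.21

require google.golang.org/protobuf v1.31.0

require (
	github.com/golang/protobuf v1.5.3 // indirect
)
`

func main() {
	for _, m := range []string{"github.com/golang/protobuf", "google.golang.org/protobuf"} {
		fmt.Printf("%s: %s\n", m, Classify(SampleGoMod, m))
	}
}
```

On a real repository the same question is answered by the toolchain itself with `go mod why -m github.com/golang/protobuf`, which prints the import chain (or reports that no package in the main module imports it); the parser above is only a way to do that check offline over a go.mod captured from a scan.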