Scanning for dependencies with known vulnerabilities...
Found 1 known vulnerability.
Vulnerability 1: GO-2022-0236
A malicious HTTP server or client can cause the net/http client
or server to panic. ReadRequest and ReadResponse can hit an
unrecoverable panic when reading a very large header (over 7MB
on 64-bit architectures, or over 4MB on 32-bit ones). Transport
and Client are vulnerable and the program can be made to crash
by a malicious server. Server is not vulnerable by default, but
can be if the default max header of 1MB is overridden by setting
Server.MaxHeaderBytes to a higher value, in which case the
program can be made to crash by a malicious client. This also
affects golang.org/x/net/http2/h2c and HeaderValuesContainsToken
in golang.org/x/net/http/httpguts.
Call stacks in your code:
requester/requester.go:185:19: github.com/rakyll/hey/requester.Work.makeRequest calls net/http.Client.Do, which eventually calls golang.org/x/net/http/httpguts.HeaderValuesContainsToken
Found in: golang.org/x/net/http/httpguts@v0.0.0-20191009170851-d66e71096ffb
Fixed in: golang.org/x/net/http/httpguts@v1.16.4
More info: https://pkg.go.dev/vuln/GO-2022-0236
Informational
The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.
Vulnerability 1: GO-2022-0288
An attacker can cause unbounded memory growth in servers accepting
HTTP/2 requests.
Found in: golang.org/x/net/http2@v0.0.0-20191009170851-d66e71096ffb
Fixed in: golang.org/x/net/http2@v1.17.5
More info: https://pkg.go.dev/vuln/GO-2022-0288
Vulnerability 2: GO-2020-0015
An attacker could provide a single byte to a UTF16 decoder instantiated with
UseBOM or ExpectBOM to trigger an infinite loop if the String function on
the Decoder is called, or the Decoder is passed to transform.String.
If used to parse user supplied input, this may be used as a denial of service
vector.
Found in: golang.org/x/text/transform@v0.3.2
Fixed in: golang.org/x/text/transform@v0.3.3
More info: https://pkg.go.dev/vuln/GO-2020-0015