tianon / gosu

Simple Go-based setuid+setgid+setgroups+exec
Apache License 2.0

Vulnerabilities reported against golang 1.16.7 #98

Closed jbennettjr closed 2 years ago

jbennettjr commented 2 years ago

Our security scanning is detecting the following vulnerabilities related to golang version 1.16.7.

https://nvd.nist.gov/vuln/detail/CVE-2021-38297
https://nvd.nist.gov/vuln/detail/CVE-2021-41771
https://nvd.nist.gov/vuln/detail/CVE-2021-44716

Would you be able to comment on whether gosu has exposure to these vulnerabilities?

tianon commented 2 years ago

https://nvd.nist.gov/vuln/detail/CVE-2021-38297

From that page: "... when GOARCH=wasm GOOS=js" :see_no_evil:

(That does not apply to gosu. I'm not sure it even could work via WASM?)

https://nvd.nist.gov/vuln/detail/CVE-2021-41771

From that page: "ImportedSymbols in debug/macho (for Open or OpenFat) ..."

I've frankly never heard of debug/macho before now, much less used it (intentionally or otherwise). :sweat_smile:

I'm not sure whether it helps in this case, but a related datapoint is that the gosu binaries I publish are all compiled with -ldflags '-d -s -w', so shouldn't even have debug symbols in them.

https://nvd.nist.gov/vuln/detail/CVE-2021-44716

From that page: "net/http in Go ..."

The gosu binaries don't ever invoke net/http (to my knowledge). At a high level, they parse /etc/passwd and /etc/group, and invoke a couple system calls.

I think it's pretty safe to say none of these apply to gosu.
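The reasoning in the reply above is a reachability check: a standard-library CVE only matters if the affected package is in the binary's transitive import graph (`go list -deps ./...` lists it; `go version -m <binary>` shows the embedded module info) and the build target matches any GOOS/GOARCH condition in the advisory. Whether debug symbols were stripped with `-s -w` is a separate question; that flag set removes the symbol table and DWARF data but does not change which packages are linked in. The program below is an added example, not part of gosu or this thread, that encodes the three advisories exactly as the NVD text quoted above describes them and applies that check to a constructed import list standing in for a gosu-like binary; the import list and the `Triage`/`Applies` helpers are assumptions made for illustration. For real projects the same question is answered, with symbol-level precision, by `govulncheck` from golang.org/x/vuln.

```go
package main

import "fmt"

// Advisory describes when a standard-library CVE can reach a binary: the
// package that carries the defect and, optionally, the only GOOS/GOARCH
// pair for which the defective code is compiled in at all.
// The entries below are transcribed from the NVD descriptions quoted in
// the thread; anything not quoted there is deliberately left blank.
type Advisory struct {
	ID      string
	Package string // affected std package; "" means "not package-specific"
	GOOS    string // "" means any OS
	GOARCH  string // "" means any architecture
}

// BuildTarget is the platform a binary was compiled for.
type BuildTarget struct {
	GOOS, GOARCH string
}

var advisories = []Advisory{
	{ID: "CVE-2021-38297", GOOS: "js", GOARCH: "wasm"}, // "when GOARCH=wasm GOOS=js"
	{ID: "CVE-2021-41771", Package: "debug/macho"},     // ImportedSymbols in debug/macho
	{ID: "CVE-2021-44716", Package: "net/http"},        // net/http in Go
}

// Applies reports whether advisory a can reach a binary built for target
// whose transitive import set is deps (for example `go list -deps` output).
func Applies(a Advisory, target BuildTarget, deps []string) bool {
	if a.GOOS != "" && a.GOOS != target.GOOS {
		return false // defective code is not compiled for this OS
	}
	if a.GOARCH != "" && a.GOARCH != target.GOARCH {
		return false // defective code is not compiled for this architecture
	}
	if a.Package == "" {
		return true // platform-only condition, and it matched
	}
	for _, d := range deps {
		if d == a.Package {
			return true // the vulnerable package is linked in
		}
	}
	return false
}

// Triage returns the IDs of the advisories that apply to one build.
func Triage(advs []Advisory, target BuildTarget, deps []string) []string {
	var hits []string
	for _, a := range advs {
		if Applies(a, target, deps) {
			hits = append(hits, a.ID)
		}
	}
	return hits
}

// gosuLikeDeps is a constructed import list (an assumption, not gosu's real
// import graph) for a tool that parses /etc/passwd and /etc/group and then
// makes a few system calls: no net/http, no debug/macho.
var gosuLikeDeps = []string{
	"bufio", "errors", "fmt", "io", "os", "os/exec",
	"strconv", "strings", "syscall", "unsafe",
}

func main() {
	linux := BuildTarget{GOOS: "linux", GOARCH: "amd64"}
	fmt.Printf("linux/amd64, gosu-like deps: %v\n", Triage(advisories, linux, gosuLikeDeps))

	// The same code base with an HTTP client linked in would be exposed to
	// the net/http advisory and nothing else.
	withHTTP := append([]string{"net/http"}, gosuLikeDeps...)
	fmt.Printf("linux/amd64, plus net/http: %v\n", Triage(advisories, linux, withHTTP))

	// Only a js/wasm build of anything at all is exposed to CVE-2021-38297.
	wasm := BuildTarget{GOOS: "js", GOARCH: "wasm"}
	fmt.Printf("js/wasm, gosu-like deps: %v\n", Triage(advisories, wasm, gosuLikeDeps))
}
```

The check is intentionally conservative in one direction: a package present in `deps` counts as reachable even if the specific vulnerable function is never called, so a hit here is a reason to look closer, not proof of exploitability. An empty result, on the other hand, is a sound "not affected" as long as the import list really is the transitive closure.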