GitHub Actions: Add govulncheck #469

Open, wants to merge 1 commit into base: master

Conversation

tangrufus (Member)

@tangrufus tangrufus commented Sep 9, 2024

Note: This job is failing because we actually have a vulnerability on the master branch. See https://github.com/roots/trellis-cli/security/dependabot

$ govulncheck -version
Go: go1.23.1
Scanner: [email protected]
DB: https://vuln.go.dev
DB updated: 2024-09-06 20:44:22 +0000 UTC

$ git log --pretty=format:'%h %B' -n 1
b934f4a Merge pull request #466 from roots/go-1.23.1

Go 1.23

$ govulncheck -test -show verbose ./...
Scanning your code and 255 packages across 49 dependent modules for known vulnerabilities...

Fetching vulnerabilities from the database...

Checking the code against the vulnerabilities...

=== Symbol Results ===

Vulnerability #1: GO-2024-2698
    Archiver Path Traversal vulnerability in github.com/mholt/archiver
  More info: https://pkg.go.dev/vuln/GO-2024-2698
  Module: github.com/mholt/archiver
    Found in: github.com/mholt/[email protected]+incompatible
    Fixed in: N/A
    Example traces found:
      #1: cmd/new.go:245:20: cmd.NewCommand.YamlHeader calls fmt.Sprintf, which eventually calls archiver.Bz2.String
      #2: cmd/new.go:245:20: cmd.NewCommand.YamlHeader calls fmt.Sprintf, which eventually calls archiver.Gz.String
      #3: github/main_test.go:130:46: github.createZipFile calls archiver.NameInArchive
      #4: github/main_test.go:115:24: github.createZipFile calls archiver.NewZip
      #5: cmd/new.go:245:20: cmd.NewCommand.YamlHeader calls fmt.Sprintf, which eventually calls archiver.Rar.String
      #6: cmd/new.go:245:20: cmd.NewCommand.YamlHeader calls fmt.Sprintf, which eventually calls archiver.Snappy.String
      #7: cmd/new.go:245:20: cmd.NewCommand.YamlHeader calls fmt.Sprintf, which eventually calls archiver.Tar.String
      #8: cmd/new.go:245:20: cmd.NewCommand.YamlHeader calls fmt.Sprintf, which eventually calls archiver.TarBz2.String
      #9: cmd/new.go:245:20: cmd.NewCommand.YamlHeader calls fmt.Sprintf, which eventually calls archiver.TarGz.String
      #10: cmd/new.go:245:20: cmd.NewCommand.YamlHeader calls fmt.Sprintf, which eventually calls archiver.TarLz4.String
      #11: cmd/new.go:245:20: cmd.NewCommand.YamlHeader calls fmt.Sprintf, which eventually calls archiver.TarSz.String
      #12: cmd/new.go:245:20: cmd.NewCommand.YamlHeader calls fmt.Sprintf, which eventually calls archiver.TarXz.String
      #13: github/main.go:56:30: github.DownloadRelease calls archiver.Unarchive
      #14: cmd/new.go:245:20: cmd.NewCommand.YamlHeader calls fmt.Sprintf, which eventually calls archiver.Xz.String
      #15: github/main_test.go:122:2: github.createZipFile calls archiver.Zip.Close
      #16: github/main_test.go:117:19: github.createZipFile calls archiver.Zip.Create
      #17: cmd/new.go:245:20: cmd.NewCommand.YamlHeader calls fmt.Sprintf, which eventually calls archiver.Zip.String
      #18: github/main_test.go:140:18: github.createZipFile calls archiver.Zip.Write
      #19: github/main.go:13:2: github.init calls archiver.init

=== Package Results ===

No other vulnerabilities found.

=== Module Results ===

No other vulnerabilities found.

Your code is affected by 1 vulnerability from 1 module.
This scan found no other vulnerabilities in packages you import or modules you
require.
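
For reference, a workflow that runs the same scan on every push and pull request (an added example, not the workflow from this PR; the branch name, the action versions and installing govulncheck via go install are assumptions):

```yaml
name: govulncheck

on:
  push:
    branches: [master]   # assumed branch name
  pull_request:

# Least privilege: the scan only needs to read the repository.
permissions:
  contents: read

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          # Use the toolchain declared in go.mod, matching the go1.23.1
          # shown in the scan output above.
          go-version-file: go.mod

      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest

      - name: Scan for known vulnerabilities
        # -test also scans _test.go call sites (several of the traces above
        # are in github/main_test.go and would be missed without it);
        # -show verbose prints the call-stack traces that explain reachability.
        # govulncheck exits with a non-zero status when a reachable
        # vulnerability is found, so this step fails the job until the
        # archiver dependency is replaced.
        run: govulncheck -test -show verbose ./...
```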

@swalkinshaw (Member)

I guess this is the only fix for now: go-gitea/gitea#31267
