`govulncheck` detects some vulnerabilities from the current builds that
are resolved by bumping the minor Go version to `.12`. I have kept the
major version the same.
On current `main`:
```text
$ go build -o athens ./cmd/proxy/main.go
$ govulncheck -mode binary ./athens
=== Symbol Results ===
Vulnerability #1: GO-2025-3956
Unexpected paths returned from LookPath in os/exec
More info: https://pkg.go.dev/vuln/GO-2025-3956
Standard library
Found in: os/exec@go1.23.5
Fixed in: os/exec@go1.23.12
Vulnerable symbols found:
#1: exec.LookPath
Vulnerability #2: GO-2025-3849
Incorrect results returned from Rows.Scan in database/sql
More info: https://pkg.go.dev/vuln/GO-2025-3849
Standard library
Found in: database/sql@go1.23.5
Fixed in: database/sql@go1.23.12
Vulnerable symbols found:
#1: sql.Row.Scan
#2: sql.Rows.Scan
Vulnerability #3: GO-2025-3751
Sensitive headers not cleared on cross-origin redirect in net/http
More info: https://pkg.go.dev/vuln/GO-2025-3751
Standard library
Found in: net/http@go1.23.5
Fixed in: net/http@go1.23.10
Vulnerable symbols found:
#1: http.Client.Do
#2: http.Client.Get
#3: http.Client.Head
#4: http.Client.Post
#5: http.Client.PostForm
Vulnerability #4: GO-2025-3563
Request smuggling due to acceptance of invalid chunked data in net/http
More info: https://pkg.go.dev/vuln/GO-2025-3563
Standard library
Found in: net/http/internal@go1.23.5
Fixed in: net/http/internal@go1.23.8
Vulnerable symbols found:
#1: internal.chunkedReader.Read
Your code is affected by 4 vulnerabilities from the Go standard library.
This scan also found 0 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
```
After version bump:
```text
$ go build -o athens ./cmd/proxy/main.go
$ govulncheck -mode=binary ./athens
=== Symbol Results ===
No vulnerabilities found.
Your code is affected by 0 vulnerabilities.
This scan also found 0 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
```
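To turn a report like the one above into the toolchain version a bump has to reach, here is an added Go example (not part of this PR or of the Athens code base) that parses the `Fixed in:` lines of `govulncheck` text output and returns the highest standard-library fix version, which is the lowest toolchain that closes every finding. The sample report is constructed from the four findings above; the function and type names are the example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample in the shape of the govulncheck text report above,
// trimmed to the "Vulnerability" and "Fixed in" lines this parser uses.
const sampleReport = `=== Symbol Results ===
Vulnerability #1: GO-2025-3956
  Fixed in: os/exec@go1.23.12
Vulnerability #2: GO-2025-3849
  Fixed in: database/sql@go1.23.12
Vulnerability #3: GO-2025-3751
  Fixed in: net/http@go1.23.10
Vulnerability #4: GO-2025-3563
  Fixed in: net/http/internal@go1.23.8
`

// goVersion keeps the numeric parts of a release so that go1.23.12 ranks
// above go1.23.8 (a plain string comparison would order them the other way).
type goVersion struct{ major, minor, patch int }

func (v goVersion) String() string { return fmt.Sprintf("go%d.%d.%d", v.major, v.minor, v.patch) }

// rank gives a total order; minor and patch numbers stay far below 1000.
func (v goVersion) rank() int { return v.major*1_000_000 + v.minor*1_000 + v.patch }

// minimumToolchain scans govulncheck text output for "Fixed in:" lines and
// returns the highest fix version (the lowest toolchain that closes every
// finding) plus the fix each package needs; ok is false when no stdlib fix
// line was found, e.g. after "No vulnerabilities found."
func minimumToolchain(report string) (need goVersion, perPkg map[string]goVersion, ok bool) {
	perPkg = map[string]goVersion{}
	sc := bufio.NewScanner(strings.NewReader(report))
	for sc.Scan() {
		rest, isFix := strings.CutPrefix(strings.TrimSpace(sc.Text()), "Fixed in: ")
		pkg, ver, found := strings.Cut(rest, "@go") // "os/exec@go1.23.12" -> "os/exec", "1.23.12"
		var v goVersion
		if _, err := fmt.Sscanf(ver, "%d.%d.%d", &v.major, &v.minor, &v.patch); !isFix || !found || err != nil {
			continue // not a stdlib fix line (module fixes read "mod@v1.2.3")
		}
		if cur, seen := perPkg[pkg]; !seen || cur.rank() < v.rank() {
			perPkg[pkg] = v
		}
		if need.rank() < v.rank() {
			need = v
		}
		ok = true
	}
	return need, perPkg, ok
}
```

For the sample report `need` is `go1.23.12`, the version this PR moves the toolchain to; running the parser over a real `govulncheck -mode binary` report in CI gives the same answer for the next bump.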
Upgrades to the Go 1.22 toolchain. Upgrades golangci-lint to 1.61.0 and disables some new linters.
---------
Co-authored-by: Nicholas Wiersma <nick@wiersma.co.za>
* Update .drone.yml for Go 1.14
* Update appveyor.yml for Go 1.14
* Update Dockerfile.test for Go 1.14
* Update Dockerfile for Go 1.14
* Update scripts/build-image/Dockerfile
* added environment argument for golang version
* Revert: added environment argument for golang version (84298506)
* reverted to specifying go version 1.12 as the default
* fix spacing