athens/Dockerfile.test
William Fisher cef941bf85 go.mod: vulnerabilities: bump go version to 1.23.12 for (#2077)
`govulncheck` detects some vulnerabilities from the current builds that
are resolved by bumping the minor Go version to `.12`. I have kept the
major version the same.

On current `main`:

    $ go build -o athens ./cmd/proxy/main.go
    $ govulncheck -mode binary ./athens
    === Symbol Results ===

    Vulnerability #1: GO-2025-3956
        Unexpected paths returned from LookPath in os/exec
      More info: https://pkg.go.dev/vuln/GO-2025-3956
      Standard library
        Found in: os/exec@go1.23.5
        Fixed in: os/exec@go1.23.12
        Vulnerable symbols found:
          #1: exec.LookPath

    Vulnerability #2: GO-2025-3849
        Incorrect results returned from Rows.Scan in database/sql
      More info: https://pkg.go.dev/vuln/GO-2025-3849
      Standard library
        Found in: database/sql@go1.23.5
        Fixed in: database/sql@go1.23.12
        Vulnerable symbols found:
          #1: sql.Row.Scan
          #2: sql.Rows.Scan

    Vulnerability #3: GO-2025-3751
        Sensitive headers not cleared on cross-origin redirect in net/http
      More info: https://pkg.go.dev/vuln/GO-2025-3751
      Standard library
        Found in: net/http@go1.23.5
        Fixed in: net/http@go1.23.10
        Vulnerable symbols found:
          #1: http.Client.Do
          #2: http.Client.Get
          #3: http.Client.Head
          #4: http.Client.Post
          #5: http.Client.PostForm

    Vulnerability #4: GO-2025-3563
        Request smuggling due to acceptance of invalid chunked data in net/http
      More info: https://pkg.go.dev/vuln/GO-2025-3563
      Standard library
        Found in: net/http/internal@go1.23.5
        Fixed in: net/http/internal@go1.23.8
        Vulnerable symbols found:
          #1: internal.chunkedReader.Read

    Your code is affected by 4 vulnerabilities from the Go standard library.
    This scan also found 0 vulnerabilities in packages you import and 2
    vulnerabilities in modules you require, but your code doesn't appear to call
    these vulnerabilities.
    Use '-show verbose' for more details.

After version bump:

    $ go build -o athens ./cmd/proxy/main.go
    $ govulncheck -mode=binary ./athens 
    === Symbol Results ===

    No vulnerabilities found.

    Your code is affected by 0 vulnerabilities.
    This scan also found 0 vulnerabilities in packages you import and 2
    vulnerabilities in modules you require, but your code doesn't appear to call
    these vulnerabilities.
    Use '-show verbose' for more details.
2025-10-23 16:24:05 +02:00

142 B
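Why the bump lands on `.12` and not `.10` or `.8`, as an added example that is not part of the commit or of the Athens code base: the lowest toolchain that clears every finding is the highest standard-library "Fixed in" version, compared numerically. The names `minFixedToolchain`, `less`, `fixedIn` and `sampleReport` are invented here, and the parser assumes the text layout of the `govulncheck` output quoted above.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// sampleReport is constructed here from the "Fixed in" lines quoted above.
const sampleReport = `
        Fixed in: os/exec@go1.23.12
        Fixed in: database/sql@go1.23.12
        Fixed in: net/http@go1.23.10
        Fixed in: net/http/internal@go1.23.8
`

// fixedIn matches only standard-library fixes ("@goX.Y[.Z]"), not "@vX.Y.Z" modules.
var fixedIn = regexp.MustCompile(`Fixed in: \S+@go(\d+)\.(\d+)(?:\.(\d+))?`)

// minFixedToolchain returns the lowest Go release containing every listed
// standard-library fix, which is the maximum of the "Fixed in" versions.
func minFixedToolchain(report string) (string, error) {
	matches := fixedIn.FindAllStringSubmatch(report, -1)
	if len(matches) == 0 {
		return "", fmt.Errorf("no standard-library 'Fixed in' lines found")
	}
	var best [3]int
	for _, m := range matches {
		var v [3]int
		for i, s := range m[1:] {
			v[i], _ = strconv.Atoi(s) // a missing patch component ("") counts as 0
		}
		if less(best, v) {
			best = v
		}
	}
	return fmt.Sprintf("%d.%d.%d", best[0], best[1], best[2]), nil
}

// less compares component-wise as integers; as strings, "1.23.8" > "1.23.12".
func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

func main() { fmt.Println(minFixedToolchain(sampleReport)) }
```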