One of our internal scanning tools identified the following CVEs present in the included graphviz library: CVE-2019-9904 & CVE-2019-11023. I haven't validated those but I do believe the library is a handful of version behind anyway... not sure how much work it is updating the library code?

Indeed, this looks like a valid question. Can we update Graphviz? It currently looks like the Graphviz source and GO source are intermingled. Can we do this differently?

Do me a favor. I have the same problem

Btw, this looks like a really great library. The description sounds like this is my dream.
So, this wasn't meant as criticism. I am more interested whether it makes sense to get involved... Hence my request. Can we create this maybe as a fork of Graphviz itself? With the sources of this library as true extension of this fork? I noticed that Graphviz got some maintainers and is picking up speed.

Or any better idea?

I am willing to add some hours to that endeavour as well, but only started learning Go, so I would need help.

I'll prepare a mechanism to easily update the C source of Graphviz.
For example, use the following command ( make update/graphviz/{version})

make update/graphviz/2.40.1

this sounds fantastic!

I'll prepare a mechanism to easily update the C source of Graphviz. For example, use the following command ( make update/graphviz/{version})

make update/graphviz/2.40.1

I finally got you.
You are the god of salvation.
This is a moment to celebrate!

Did you ever try to compile towards WebAssembly?

I assume WebAssembly doesn't work:
imports github.com/goccy/go-graphviz/internal/ccall: build constraints exclude all Go files in ${MyPATH}/pkg/mod/github.com/goccy/go-graphviz@v0.0.9/internal/ccall

Any updates on this?

@Vithanco did you end-up having a functioning fork with updated upstream graphviz?

Sorry, after some further consideration did I choose JavaScript over Go. But I still thinking this is a great library.

Thanks for the follow up & good luck!

@goccy would love to see this happen - and of course happy to help if you can provide some pointers.

The "Mend" tool complains about three CVEs in the embedded version of GraphViz. Consider replacing the current GraphViz source with newer source. I looked up Mend's complaints, here they are:

• https://www.mend.io/vulnerability-database/CVE-2020-18032
  • High severity
  • Buffer Overflow in … "lib/common/shapes.c" component.
    • https://github.com/goccy/go-graphviz/blob/master/internal/ccall/common/shapes.c
    • GraphViz has moved on to https://gitlab.com/graphviz/graphviz/-/blob/main/lib/common/shapes.c
• https://www.mend.io/vulnerability-database/CVE-2019-11023
  • High severity
  • The agroot() function in cgraph\obj.c in libcgraph.a in Graphviz 2.39.20160612.1140 has a NULL pointer dereference
    • https://github.com/goccy/go-graphviz/blob/master/internal/ccall/cgraph/obj.c
    • GraphViz has moved on to https://gitlab.com/graphviz/graphviz/-/blob/main/lib/cgraph/obj.c
• https://www.mend.io/vulnerability-database/CVE-2019-9904
  • Medium severity
  • lib\cdt\dttree.c in libcdt.a in graphviz 2.40.1. Stack consumption occurs because of recursive agclose calls in lib\cgraph\graph.c
    • https://github.com/goccy/go-graphviz/blob/master/internal/ccall/cgraph/graph.c
    • GraphViz has moved on to https://gitlab.com/graphviz/graphviz/-/blob/main/lib/cgraph/graph.c