golang / go

The Go programming language

Home Page:https://go.dev

CVEs still showing up in latest version of Go 1.22.2

MyDogIsMyPersonality opened this issue · comments

govulncheck version

go version (v1.22.2)

Does this issue reproduce at the latest version of golang.org/x/vuln?

Yes

Output of go env in your module/workspace:

na

What did you do?

The following CVEs are still showing up in our container scans although they are reported as patched. We downloaded the latest go version (v1.22.2), but we still see the stdlib CVEs being reported for the latest golang version.

CVE-2023-29405 patched;
CVE-2023-29402 patch;
CVE-2023-29404 patch;

HIGH:
CVE-2023-29403 patch
CVE-2023-39323 info;
CVE-2023-39325 info;
CVE-2023-44487 info;
CVE-2023-45285 info;

What did you see happen?

CVEs noted above still show up in scans

What did you expect to see?

Scans showing these CVEs as remediated in latest version

Note that Go 1.22.2 is not the current latest version. That version is Go 1.22.3, released 10 days ago: https://groups.google.com/g/golang-announce/c/wkkO4P9stm0. Go 1.22.3 includes fixes for CVE-2024-24787 and CVE-2024-24788, but you're referring to other CVEs.

CC @golang/vulndb. (Edit: I thought this bug was about govulncheck because it was mentioned, but I realize now that it's not clear without additional information.)

CVE-2023-29405 -> https://pkg.go.dev/vuln/GO-2023-1842 fixed in go1.20.5
CVE-2023-29402 -> https://pkg.go.dev/vuln/GO-2023-1839 fixed in go1.20.5
CVE-2023-29404 -> https://pkg.go.dev/vuln/GO-2023-1841 fixed in go1.20.5
CVE-2023-29403 -> https://pkg.go.dev/vuln/GO-2023-1840 fixed in go1.20.5
CVE-2023-39323 -> https://pkg.go.dev/vuln/GO-2023-2095 fixed in go1.21.2
CVE-2023-39325 -> https://pkg.go.dev/vuln/GO-2023-2102 fixed in go1.21.3
CVE-2023-44487 -> not found from pkg.go.dev/vuln. From Snyk https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327 it's an old issue
CVE-2023-45285 -> https://pkg.go.dev/vuln/GO-2023-2383 fixed in go1.21.5

@MyDogIsMyPersonality I don't know what vuln scanner you are using, but can you please contact your vulnerability scanning service provider for this issue?

In addition, are you scanning Go binaries in your containers or source code? If you are scanning binaries, downloading a newer version of Go is not sufficient. Binaries need to be recompiled.
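An added example, not part of the thread or of the Go project: a small Go package that reads the toolchain version `go build` stamps into a binary (via the standard `debug/buildinfo` package, the same information a container scanner keys on) and compares it with the fix releases listed in the reply above. The function names (versionKey, outstandingVulns, checkBinary) are assumptions; the fix table is copied from that reply.

```go
package main

import "debug/buildinfo"
import "fmt"
import "sort"
import "strings"

var fixedIn = map[string]string{ // Go vuln ID -> first fixed release, from the reply above
	"GO-2023-1842": "go1.20.5", "GO-2023-1839": "go1.20.5", "GO-2023-1841": "go1.20.5",
	"GO-2023-1840": "go1.20.5", "GO-2023-2095": "go1.21.2", "GO-2023-2102": "go1.21.3",
	"GO-2023-2383": "go1.21.5",
}

// versionKey orders "go1.21.5", "go1.22" and "go1.22rc1" as major*1e6+minor*1e3+patch.
func versionKey(v string) (int, error) {
	var major, minor, patch int
	rel := strings.TrimPrefix(v, "go")
	if n, _ := fmt.Sscanf(rel, "%d.%d.%d", &major, &minor, &patch); n < 2 {
		return 0, fmt.Errorf("unrecognised Go version %q", v)
	}
	if strings.ContainsAny(rel, "abcdefghijklmnopqrstuvwxyz") { // rc1, beta2, ...
		patch = -1 // a pre-release sorts just below the release it precedes
	}
	return major*1000000 + minor*1000 + patch, nil
}

// outstandingVulns lists, sorted, the advisories whose fix is newer than goVersion.
func outstandingVulns(goVersion string) ([]string, error) {
	have, err := versionKey(goVersion)
	if err != nil {
		return nil, err
	}
	var ids []string
	for id, fix := range fixedIn {
		if want, _ := versionKey(fix); have < want { // table entries are well-formed
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	return ids, nil
}

// checkBinary reads the version `go build` stamped into a binary and lists what that toolchain lacks.
func checkBinary(path string) ([]string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, err
	}
	return outstandingVulns(bi.GoVersion)
}
```

Run checkBinary against a binary from the container image rather than against the toolchain on disk: a binary built with go1.21.3 keeps reporting GO-2023-2383 until it is rebuilt, whatever version of Go is installed.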