I think the problem here is not only the lack of a vulnerability database for go, but the fact that a lot of people use a module where only one person (the owner) has access to the repository.
Maybe it is time for a new site like gopkg.in, where each module has one or more maintainers and there is a review process similar to the one used for the development of Go.

Manlio

On Friday, May 7, 2021 at 9:05:22 AM UTC+2 christoph...@gmail.com wrote:
> I just became aware of a security problem in the package
> https://github.com/satori/go.uuid through this reddit thread:
> https://www.reddit.com/r/golang/comments/n6bnsh/cve20213538_issued_for_latest_release_of/?utm_source=share&utm_medium=ios_app&utm_name=iossmf
>
> The issue for the security problem is here:
> https://github.com/satori/go.uuid/issues/73
> (https://github.com/satori/go.uuid/issues/73#issuecomment-833337384)
>
> There is a CVE identifier for this security problem:
> https://github.com/satori/go.uuid/issues/115
> It is 3 years old and hasn't been resolved.
>
> The problem is that the owner of the package has apparently vanished.
>
> I report this problem here because this package is used by more than 20
> thousand go packages or programs (e.g. gogs).
> (https://pkg.go.dev/github.com/satori/go.uuid?tab=importedby)
>
> Now that we have this fantastic functionality of modules, I would like to
> know if we could imagine that the go tools would issue a warning if an
> imported package has a security issue reported in CVE. I have seen that
> there is a github tool to do that, but we don't get these notifications by
> default.
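A check of the kind the quoted message asks for, added here as an illustration and not taken from the thread or from the Go toolchain: it reads `go list -m -json all` output and warns on every module that matches an advisory. The advisory table is a hand-made stand-in for a real database, the embedded module list is constructed sample output, and the `v1.2.0` version string in it is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

type Module struct { // the `go list -m -json all` fields used here
	Path, Version string
	Indirect      bool
}

type Advisory struct{ CVE, FixedIn string } // FixedIn == "" means no fix has shipped

// Constructed advisory table (not a real database); CVE-2021-3538 is the CVE the thread cites, with no fix released.
var advisories = map[string]Advisory{
	"github.com/satori/go.uuid": {CVE: "CVE-2021-3538"},
}

// lessThan orders "vX.Y.Z" tags numerically (pre-release suffixes are ignored).
func lessThan(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(strings.TrimPrefix(a, "v"), "%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(strings.TrimPrefix(b, "v"), "%d.%d.%d", &y[0], &y[1], &y[2])
	return x[0] < y[0] || x[0] == y[0] && (x[1] < y[1] || x[1] == y[1] && x[2] < y[2])
}

// FindVulnerable returns one warning per listed module whose advisory is unfixed or newer than its version.
func FindVulnerable(r io.Reader) ([]string, error) {
	dec, warnings := json.NewDecoder(r), []string{}
	for {
		var m Module
		if err := dec.Decode(&m); err == io.EOF {
			return warnings, nil
		} else if err != nil {
			return nil, err
		}
		if adv, ok := advisories[m.Path]; ok && (adv.FixedIn == "" || lessThan(m.Version, adv.FixedIn)) {
			warnings = append(warnings, fmt.Sprintf("%s@%s indirect=%v: %s", m.Path, m.Version, m.Indirect, adv.CVE))
		}
	}
}

// sampleList is constructed sample output, not captured from a real build.
const sampleList = `{"Path":"github.com/satori/go.uuid","Version":"v1.2.0","Indirect":true}
{"Path":"golang.org/x/text","Version":"v0.3.6"}`

func main() { w, _ := FindVulnerable(strings.NewReader(sampleList)); fmt.Println(w) }
```

Piping real output into `FindVulnerable` (`go list -m -json all | ./checker`) is the only change needed to run it against an actual build list.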