Manlio,

FYI:

Know, Prevent, Fix: A framework for shifting the discussion around 
vulnerabilities in open source
Rob Pike, Eric Brewer, Abhishek Arya, Anne Bertucio and Kim Lewandowski 
https://security.googleblog.com/2021/02/know-prevent-fix-framework-for-shifting.html

Surviving software dependencies
Russ Cox
https://dl.acm.org/doi/10.1145/3347446

Peter

On Friday, May 7, 2021 at 5:10:48 AM UTC-4 manlio....@gmail.com wrote:

> I think the problem here is not only the lack of a vulnerability database 
> for go, but the fact that a lot of people use a module where only one 
> person (the owner) has access to the repository.
>
> Maybe it is time for a new site like gopkg.in, where each module has one 
> or more maintainer and there is a review process similar to the one used 
> for the development of Go.
>
> Manlio
> On Friday, May 7, 2021 at 9:05:22 AM UTC+2 christoph...@gmail.com wrote:
>
>> I just became aware of a security problem in the package 
>> https://github.com/satori/go.uuid through this reddit thread:
>> https://www.reddit.com/r/golang/comments/n6bnsh/cve20213538_issued_for_latest_release_of/?utm_source=share&utm_medium=ios_app&utm_name=iossmf
>>
>> The issue for the security problem is here: 
>> https://github.com/satori/go.uuid/issues/73
>>
>> There is a CVE identifier for this security problem: 
>> https://github.com/satori/go.uuid/issues/115
>> It is 3 years old and hasn't been resolved. 
>>
>> The problem is that the owner of the package has apparently vanished.
>>
>> I report this problem here because this package is used by more than 20 
>> thousand go packages or programs (e.g. gogs): 
>> https://pkg.go.dev/github.com/satori/go.uuid?tab=importedby
>>
>> Now that we have this fantastic functionality of modules, I would like to 
>> know if we could imagine that the go tools would issue a warning if an 
>> imported package has a security issue reported in CVE. I have seen that 
>> there is a github tool to do that, but we don't get these notifications by 
>> default. 

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/golang-nuts/c32e20a1-11a0-4253-8fb6-5841aea32429n%40googlegroups.com.
