Skip to content

Instantly share code, notes, and snippets.

@liggitt

liggitt/example.sh

Last active August 3, 2023 19:29
Show Gist options
  • Save liggitt/4674c7eb194738989183abf08feb333f to your computer and use it in GitHub Desktop.
Save liggitt/4674c7eb194738989183abf08feb333f to your computer and use it in GitHub Desktop.
Download ZIP
govulncheck results
Raw
example.sh
# run on k8s.io/kubernetes checkout at 99190634ab252604a4496882912ac328542d649d
# go version 1.20.6
govulncheck -scan module -json -test ./... > module_test.json
govulncheck -scan module -json ./... > module.json
govulncheck -scan package -json -test ./... > package_test.json
govulncheck -scan package -json ./... > package.json
govulncheck -scan symbol -json -test ./... > symbol_test.json
govulncheck -scan symbol -json ./... > symbol.json
Raw
module.json
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v1.0.0",
"db": "https://vuln.go.dev",
"db_last_modified": "2023-08-02T20:33:39Z",
"go_version": "go1.20.6",
"scan_level": "module"
}
}
{
"progress": {
"message": "Scanning your code and 1967 packages across 204 dependent modules for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2023-1987",
"modified": "2023-08-02T17:25:58Z",
"published": "2023-08-02T17:25:58Z",
"aliases": [
"CVE-2023-29409"
],
"summary": "Large RSA keys can cause high CPU usage in crypto/tls",
"details": "Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures.\n\nWith fix, the size of RSA keys transmitted during handshakes is restricted to \u003c= 8192 bits.\n\nBased on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.19.12"
},
{
"introduced": "1.20.0-0"
},
{
"fixed": "1.20.7"
},
{
"introduced": "1.21.0-0"
},
{
"fixed": "1.21.0-rc.4"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "crypto/tls",
"symbols": [
"Conn.Handshake",
"Conn.HandshakeContext",
"Conn.Read",
"Conn.Write",
"Conn.processCertsFromClient",
"Conn.verifyServerCertificate",
"Dial",
"DialWithDialer",
"Dialer.Dial",
"Dialer.DialContext"
]
}
]
}
}
],
"references": [
{
"type": "REPORT",
"url": "https://go.dev/issue/61460"
},
{
"type": "FIX",
"url": "https://go.dev/cl/515257"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI/m/Efv5DbZ9AwAJ"
}
],
"credits": [
{
"name": "Mateusz Poliwczak"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2023-1987"
}
}
}
{
"finding": {
"osv": "GO-2023-1987",
"fixed_version": "v1.21.0-rc.4",
"trace": [
{
"module": "stdlib",
"version": "v1.20.6",
"package": "crypto/tls"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2023-1988",
"modified": "2023-08-02T15:06:27Z",
"published": "2023-08-02T15:06:27Z",
"aliases": [
"CVE-2023-3978"
],
"summary": "Improper rendering of text nodes in golang.org/x/net/html",
"details": "Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.",
"affected": [
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.13.0"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/html",
"symbols": [
"Render",
"render1"
]
}
]
}
}
],
"references": [
{
"type": "REPORT",
"url": "https://go.dev/issue/61615"
},
{
"type": "FIX",
"url": "https://go.dev/cl/514896"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2023-1988"
}
}
}
{
"finding": {
"osv": "GO-2023-1988",
"fixed_version": "v0.13.0",
"trace": [
{
"module": "golang.org/x/net",
"version": "v0.12.0",
"package": "golang.org/x/net/html"
}
]
}
}
Raw
module_test.json
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v1.0.0",
"db": "https://vuln.go.dev",
"db_last_modified": "2023-08-02T20:33:39Z",
"go_version": "go1.20.6",
"scan_level": "module"
}
}
{
"progress": {
"message": "Scanning your code and 2048 packages across 206 dependent modules for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2023-1987",
"modified": "2023-08-02T17:25:58Z",
"published": "2023-08-02T17:25:58Z",
"aliases": [
"CVE-2023-29409"
],
"summary": "Large RSA keys can cause high CPU usage in crypto/tls",
"details": "Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures.\n\nWith fix, the size of RSA keys transmitted during handshakes is restricted to \u003c= 8192 bits.\n\nBased on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.19.12"
},
{
"introduced": "1.20.0-0"
},
{
"fixed": "1.20.7"
},
{
"introduced": "1.21.0-0"
},
{
"fixed": "1.21.0-rc.4"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "crypto/tls",
"symbols": [
"Conn.Handshake",
"Conn.HandshakeContext",
"Conn.Read",
"Conn.Write",
"Conn.processCertsFromClient",
"Conn.verifyServerCertificate",
"Dial",
"DialWithDialer",
"Dialer.Dial",
"Dialer.DialContext"
]
}
]
}
}
],
"references": [
{
"type": "REPORT",
"url": "https://go.dev/issue/61460"
},
{
"type": "FIX",
"url": "https://go.dev/cl/515257"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI/m/Efv5DbZ9AwAJ"
}
],
"credits": [
{
"name": "Mateusz Poliwczak"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2023-1987"
}
}
}
{
"finding": {
"osv": "GO-2023-1987",
"fixed_version": "v1.21.0-rc.4",
"trace": [
{
"module": "stdlib",
"version": "v1.20.6",
"package": "crypto/tls"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2023-1988",
"modified": "2023-08-02T15:06:27Z",
"published": "2023-08-02T15:06:27Z",
"aliases": [
"CVE-2023-3978"
],
"summary": "Improper rendering of text nodes in golang.org/x/net/html",
"details": "Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.",
"affected": [
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.13.0"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/html",
"symbols": [
"Render",
"render1"
]
}
]
}
}
],
"references": [
{
"type": "REPORT",
"url": "https://go.dev/issue/61615"
},
{
"type": "FIX",
"url": "https://go.dev/cl/514896"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2023-1988"
}
}
}
{
"finding": {
"osv": "GO-2023-1988",
"fixed_version": "v0.13.0",
"trace": [
{
"module": "golang.org/x/net",
"version": "v0.12.0",
"package": "golang.org/x/net/html"
}
]
}
}
Raw
package.json
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v1.0.0",
"db": "https://vuln.go.dev",
"db_last_modified": "2023-08-02T20:33:39Z",
"go_version": "go1.20.6",
"scan_level": "package"
}
}
{
"progress": {
"message": "Scanning your code and 1967 packages across 204 dependent modules for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2023-1987",
"modified": "2023-08-02T17:25:58Z",
"published": "2023-08-02T17:25:58Z",
"aliases": [
"CVE-2023-29409"
],
"summary": "Large RSA keys can cause high CPU usage in crypto/tls",
"details": "Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures.\n\nWith fix, the size of RSA keys transmitted during handshakes is restricted to \u003c= 8192 bits.\n\nBased on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.19.12"
},
{
"introduced": "1.20.0-0"
},
{
"fixed": "1.20.7"
},
{
"introduced": "1.21.0-0"
},
{
"fixed": "1.21.0-rc.4"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "crypto/tls",
"symbols": [
"Conn.Handshake",
"Conn.HandshakeContext",
"Conn.Read",
"Conn.Write",
"Conn.processCertsFromClient",
"Conn.verifyServerCertificate",
"Dial",
"DialWithDialer",
"Dialer.Dial",
"Dialer.DialContext"
]
}
]
}
}
],
"references": [
{
"type": "REPORT",
"url": "https://go.dev/issue/61460"
},
{
"type": "FIX",
"url": "https://go.dev/cl/515257"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI/m/Efv5DbZ9AwAJ"
}
],
"credits": [
{
"name": "Mateusz Poliwczak"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2023-1987"
}
}
}
{
"finding": {
"osv": "GO-2023-1987",
"fixed_version": "v1.21.0-rc.4",
"trace": [
{
"module": "stdlib",
"version": "v1.20.6",
"package": "crypto/tls"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2023-1988",
"modified": "2023-08-02T15:06:27Z",
"published": "2023-08-02T15:06:27Z",
"aliases": [
"CVE-2023-3978"
],
"summary": "Improper rendering of text nodes in golang.org/x/net/html",
"details": "Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.",
"affected": [
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.13.0"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/html",
"symbols": [
"Render",
"render1"
]
}
]
}
}
],
"references": [
{
"type": "REPORT",
"url": "https://go.dev/issue/61615"
},
{
"type": "FIX",
"url": "https://go.dev/cl/514896"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2023-1988"
}
}
}
{
"finding": {
"osv": "GO-2023-1988",
"fixed_version": "v0.13.0",
"trace": [
{
"module": "golang.org/x/net",
"version": "v0.12.0",
"package": "golang.org/x/net/html"
}
]
}
}
Raw
package_test.json
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v1.0.0",
"db": "https://vuln.go.dev",
"db_last_modified": "2023-08-02T20:33:39Z",
"go_version": "go1.20.6",
"scan_level": "package"
}
}
{
"progress": {
"message": "Scanning your code and 2048 packages across 206 dependent modules for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2023-1987",
"modified": "2023-08-02T17:25:58Z",
"published": "2023-08-02T17:25:58Z",
"aliases": [
"CVE-2023-29409"
],
"summary": "Large RSA keys can cause high CPU usage in crypto/tls",
"details": "Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures.\n\nWith fix, the size of RSA keys transmitted during handshakes is restricted to \u003c= 8192 bits.\n\nBased on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.19.12"
},
{
"introduced": "1.20.0-0"
},
{
"fixed": "1.20.7"
},
{
"introduced": "1.21.0-0"
},
{
"fixed": "1.21.0-rc.4"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "crypto/tls",
"symbols": [
"Conn.Handshake",
"Conn.HandshakeContext",
"Conn.Read",
"Conn.Write",
"Conn.processCertsFromClient",
"Conn.verifyServerCertificate",
"Dial",
"DialWithDialer",
"Dialer.Dial",
"Dialer.DialContext"
]
}
]
}
}
],
"references": [
{
"type": "REPORT",
"url": "https://go.dev/issue/61460"
},
{
"type": "FIX",
"url": "https://go.dev/cl/515257"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI/m/Efv5DbZ9AwAJ"
}
],
"credits": [
{
"name": "Mateusz Poliwczak"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2023-1987"
}
}
}
{
"finding": {
"osv": "GO-2023-1987",
"fixed_version": "v1.21.0-rc.4",
"trace": [
{
"module": "stdlib",
"version": "v1.20.6",
"package": "crypto/tls"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2023-1988",
"modified": "2023-08-02T15:06:27Z",
"published": "2023-08-02T15:06:27Z",
"aliases": [
"CVE-2023-3978"
],
"summary": "Improper rendering of text nodes in golang.org/x/net/html",
"details": "Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.",
"affected": [
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.13.0"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/html",
"symbols": [
"Render",
"render1"
]
}
]
}
}
],
"references": [
{
"type": "REPORT",
"url": "https://go.dev/issue/61615"
},
{
"type": "FIX",
"url": "https://go.dev/cl/514896"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2023-1988"
}
}
}
{
"finding": {
"osv": "GO-2023-1988",
"fixed_version": "v0.13.0",
"trace": [
{
"module": "golang.org/x/net",
"version": "v0.12.0",
"package": "golang.org/x/net/html"
}
]
}
}
Raw
symbol.json
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v1.0.0",
"db": "https://vuln.go.dev",
"db_last_modified": "2023-08-02T20:33:39Z",
"go_version": "go1.20.6",
"scan_level": "symbol"
}
}
{
"progress": {
"message": "Scanning your code and 1967 packages across 204 dependent modules for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2023-1987",
"modified": "2023-08-02T17:25:58Z",
"published": "2023-08-02T17:25:58Z",
"aliases": [
"CVE-2023-29409"
],
"summary": "Large RSA keys can cause high CPU usage in crypto/tls",
"details": "Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures.\n\nWith fix, the size of RSA keys transmitted during handshakes is restricted to \u003c= 8192 bits.\n\nBased on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.19.12"
},
{
"introduced": "1.20.0-0"
},
{
"fixed": "1.20.7"
},
{
"introduced": "1.21.0-0"
},
{
"fixed": "1.21.0-rc.4"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "crypto/tls",
"symbols": [
"Conn.Handshake",
"Conn.HandshakeContext",
"Conn.Read",
"Conn.Write",
"Conn.processCertsFromClient",
"Conn.verifyServerCertificate",
"Dial",
"DialWithDialer",
"Dialer.Dial",
"Dialer.DialContext"
]
}
]
}
}
],
"references": [
{
"type": "REPORT",
"url": "https://go.dev/issue/61460"
},
{
"type": "FIX",
"url": "https://go.dev/cl/515257"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI/m/Efv5DbZ9AwAJ"
}
],
"credits": [
{
"name": "Mateusz Poliwczak"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2023-1987"
}
}
}
{
"finding": {
"osv": "GO-2023-1987",
"fixed_version": "v1.21.0-rc.4",
"trace": [
{
"module": "stdlib",
"version": "v1.20.6",
"package": "crypto/tls",
"function": "Handshake",
"receiver": "*Conn"
},
{
"module": "google.golang.org/grpc",
"version": "v1.54.0",
"package": "google.golang.org/grpc/credentials",
"function": "ServerHandshake",
"receiver": "*tlsCreds",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/google.golang.org/grpc/credentials/tls.go",
"offset": 3098,
"line": 115,
"column": 26
}
},
{
"module": "go.etcd.io/etcd/client/v3",
"version": "v3.5.9",
"package": "go.etcd.io/etcd/client/v3/credentials",
"function": "ServerHandshake",
"receiver": "*transportCredential",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/go.etcd.io/etcd/client/v3/credentials/credentials.go",
"offset": 2388,
"line": 83,
"column": 31
}
},
{
"module": "google.golang.org/grpc",
"version": "v1.54.0",
"package": "google.golang.org/grpc/internal/transport",
"function": "NewServerTransport",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/google.golang.org/grpc/internal/transport/http2_server.go",
"offset": 5195,
"line": 146,
"column": 59
}
},
{
"module": "google.golang.org/grpc",
"version": "v1.54.0",
"package": "google.golang.org/grpc",
"function": "newHTTP2Transport",
"receiver": "*Server",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/google.golang.org/grpc/server.go",
"offset": 30542,
"line": 925,
"column": 41
}
},
{
"module": "google.golang.org/grpc",
"version": "v1.54.0",
"package": "google.golang.org/grpc",
"function": "handleRawConn",
"receiver": "*Server",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/google.golang.org/grpc/server.go",
"offset": 29256,
"line": 882,
"column": 27
}
},
{
"module": "google.golang.org/grpc",
"version": "v1.54.0",
"package": "google.golang.org/grpc",
"function": "Serve$3",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/google.golang.org/grpc/server.go",
"offset": 28830,
"line": 866,
"column": 19
}
},
{
"module": "google.golang.org/grpc",
"version": "v1.54.0",
"package": "google.golang.org/grpc",
"function": "Serve",
"receiver": "*Server",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/google.golang.org/grpc/server.go",
"offset": 28800,
"line": 865,
"column": 3
}
},
{
"module": "k8s.io/kubernetes",
"package": "k8s.io/kubernetes/pkg/kubelet/server",
"function": "ListenAndServePodResources",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/pkg/kubelet/server/server.go",
"offset": 8428,
"line": 234,
"column": 24
}
}
]
}
}
{
"finding": {
"osv": "GO-2023-1987",
"fixed_version": "v1.21.0-rc.4",
"trace": [
{
"module": "stdlib",
"version": "v1.20.6",
"package": "crypto/tls",
"function": "HandshakeContext",
"receiver": "*Conn"
},
{
"module": "stdlib",
"version": "v1.20.6",
"package": "net/http",
"function": "serve",
"receiver": "*conn",
"position": {
"filename": "/Users/liggitt/.gimme/versions/go1.20.6.darwin.arm64/src/net/http/server.go",
"offset": 57899,
"line": 1877,
"column": 37
}
},
{
"module": "stdlib",
"version": "v1.20.6",
"package": "net/http",
"function": "Serve",
"receiver": "*Server",
"position": {
"filename": "/Users/liggitt/.gimme/versions/go1.20.6.darwin.arm64/src/net/http/server.go",
"offset": 98053,
"line": 3089,
"column": 3
}
},
{
"module": "k8s.io/kubernetes",
"package": "k8s.io/kubernetes/pkg/proxy/healthcheck",
"function": "Run",
"receiver": "*proxierHealthServer",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/pkg/proxy/healthcheck/proxier_health.go",
"offset": 6065,
"line": 179,
"column": 24
}
}
]
}
}
{
"finding": {
"osv": "GO-2023-1987",
"fixed_version": "v1.21.0-rc.4",
"trace": [
{
"module": "stdlib",
"version": "v1.20.6",
"package": "crypto/tls",
"function": "Read",
"receiver": "*Conn"
},
{
"module": "stdlib",
"version": "v1.20.6",
"package": "io",
"function": "ReadAll",
"position": {
"filename": "/Users/liggitt/.gimme/versions/go1.20.6.darwin.arm64/src/io/io.go",
"offset": 21408,
"line": 701,
"column": 19
}
},
{
"module": "k8s.io/kubernetes",
"package": "k8s.io/kubernetes/test/e2e/framework/network",
"function": "PokeHTTP",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/test/e2e/framework/network/utils.go",
"offset": 44934,
"line": 1026,
"column": 25
}
}
]
}
}
{
"finding": {
"osv": "GO-2023-1987",
"fixed_version": "v1.21.0-rc.4",
"trace": [
{
"module": "stdlib",
"version": "v1.20.6",
"package": "crypto/tls",
"function": "Write",
"receiver": "*Conn"
},
{
"module": "stdlib",
"version": "v1.20.6",
"package": "bufio",
"function": "Flush",
"receiver": "*Writer",
"position": {
"filename": "/Users/liggitt/.gimme/versions/go1.20.6.darwin.arm64/src/bufio/bufio.go",
"offset": 16862,
"line": 628,
"column": 22
}
},
{
"module": "k8s.io/kubernetes",
"package": "k8s.io/kubernetes/cmd/kubeadm/app/preflight",
"function": "Check",
"receiver": "SystemVerificationCheck",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/cmd/kubeadm/app/preflight/checks.go",
"offset": 16964,
"line": 544,
"column": 13
}
}
]
}
}
{
"finding": {
"osv": "GO-2023-1987",
"fixed_version": "v1.21.0-rc.4",
"trace": [
{
"module": "stdlib",
"version": "v1.20.6",
"package": "crypto/tls",
"function": "Dial"
},
{
"module": "./staging/src/k8s.io/client-go",
"package": "k8s.io/client-go/util/cert",
"function": "GetServingCertificates",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/k8s.io/client-go/util/cert/server_inspection.go",
"offset": 2403,
"line": 74,
"column": 23
}
},
{
"module": "./staging/src/k8s.io/client-go",
"package": "k8s.io/client-go/util/cert",
"function": "GetServingCertificatesForURL",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/k8s.io/client-go/util/cert/server_inspection.go",
"offset": 3255,
"line": 101,
"column": 31
}
},
{
"module": "k8s.io/kubernetes",
"package": "k8s.io/kubernetes/test/utils/apiserver",
"function": "writeKubeConfigForWardleServerToKASConnection",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/test/utils/apiserver/testapiserver.go",
"offset": 2787,
"line": 73,
"column": 59
}
},
{
"module": "k8s.io/kubernetes",
"package": "k8s.io/kubernetes/test/utils/apiserver",
"function": "StartAPITestServer",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/test/utils/apiserver/testapiserver.go",
"offset": 2121,
"line": 59,
"column": 65
}
}
]
}
}
{
"finding": {
"osv": "GO-2023-1987",
"fixed_version": "v1.21.0-rc.4",
"trace": [
{
"module": "stdlib",
"version": "v1.20.6",
"package": "crypto/tls",
"function": "DialWithDialer"
},
{
"module": "golang.org/x/net",
"version": "v0.12.0",
"package": "golang.org/x/net/websocket",
"function": "dialWithDialer",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/golang.org/x/net/websocket/dial.go",
"offset": 454,
"line": 18,
"column": 33
}
},
{
"module": "golang.org/x/net",
"version": "v0.12.0",
"package": "golang.org/x/net/websocket",
"function": "DialConfig",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/golang.org/x/net/websocket/client.go",
"offset": 2299,
"line": 93,
"column": 30
}
},
{
"module": "k8s.io/kubernetes",
"package": "k8s.io/kubernetes/test/e2e/framework/websocket",
"function": "OpenWebSocketForURL",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/test/e2e/framework/websocket/websocket_util.go",
"offset": 1733,
"line": 61,
"column": 29
}
}
]
}
}
{
"finding": {
"osv": "GO-2023-1987",
"fixed_version": "v1.21.0-rc.4",
"trace": [
{
"module": "stdlib",
"version": "v1.20.6",
"package": "crypto/tls",
"function": "DialContext",
"receiver": "*Dialer"
},
{
"module": "./staging/src/k8s.io/apimachinery",
"package": "k8s.io/apimachinery/pkg/util/httpstream/spdy",
"function": "dialWithoutProxy",
"receiver": "*SpdyRoundTripper",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/httpstream/spdy/roundtripper.go",
"offset": 8864,
"line": 292,
"column": 30
}
},
{
"module": "./staging/src/k8s.io/apimachinery",
"package": "k8s.io/apimachinery/pkg/util/httpstream/spdy",
"function": "dial",
"receiver": "*SpdyRoundTripper",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/httpstream/spdy/roundtripper.go",
"offset": 4737,
"line": 148,
"column": 28
}
},
{
"module": "./staging/src/k8s.io/apimachinery",
"package": "k8s.io/apimachinery/pkg/util/httpstream/spdy",
"function": "Dial",
"receiver": "*SpdyRoundTripper",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/httpstream/spdy/roundtripper.go",
"offset": 4251,
"line": 126,
"column": 21
}
},
{
"module": "./staging/src/k8s.io/apimachinery",
"package": "k8s.io/apimachinery/pkg/util/httpstream/spdy",
"function": "RoundTrip",
"receiver": "*SpdyRoundTripper",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/httpstream/spdy/roundtripper.go",
"offset": 9733,
"line": 314,
"column": 21
}
},
{
"module": "k8s.io/kubernetes",
"package": "k8s.io/kubernetes/test/images/agnhost/inclusterclient",
"function": "RoundTrip",
"receiver": "*debugRt",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/test/images/agnhost/inclusterclient/main.go",
"offset": 2563,
"line": 100,
"column": 24
}
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2023-1988",
"modified": "2023-08-02T15:06:27Z",
"published": "2023-08-02T15:06:27Z",
"aliases": [
"CVE-2023-3978"
],
"summary": "Improper rendering of text nodes in golang.org/x/net/html",
"details": "Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.",
"affected": [
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.13.0"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/html",
"symbols": [
"Render",
"render1"
]
}
]
}
}
],
"references": [
{
"type": "REPORT",
"url": "https://go.dev/issue/61615"
},
{
"type": "FIX",
"url": "https://go.dev/cl/514896"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2023-1988"
}
}
}
{
"finding": {
"osv": "GO-2023-1988",
"fixed_version": "v0.13.0",
"trace": [
{
"module": "golang.org/x/net",
"version": "v0.12.0",
"package": "golang.org/x/net/html"
}
]
}
}
Raw
symbol_test.json
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v1.0.0",
"db": "https://vuln.go.dev",
"db_last_modified": "2023-08-02T20:33:39Z",
"go_version": "go1.20.6",
"scan_level": "symbol"
}
}
{
"progress": {
"message": "Scanning your code and 2048 packages across 206 dependent modules for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2023-1987",
"modified": "2023-08-02T17:25:58Z",
"published": "2023-08-02T17:25:58Z",
"aliases": [
"CVE-2023-29409"
],
"summary": "Large RSA keys can cause high CPU usage in crypto/tls",
"details": "Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures.\n\nWith fix, the size of RSA keys transmitted during handshakes is restricted to \u003c= 8192 bits.\n\nBased on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.19.12"
},
{
"introduced": "1.20.0-0"
},
{
"fixed": "1.20.7"
},
{
"introduced": "1.21.0-0"
},
{
"fixed": "1.21.0-rc.4"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "crypto/tls",
"symbols": [
"Conn.Handshake",
"Conn.HandshakeContext",
"Conn.Read",
"Conn.Write",
"Conn.processCertsFromClient",
"Conn.verifyServerCertificate",
"Dial",
"DialWithDialer",
"Dialer.Dial",
"Dialer.DialContext"
]
}
]
}
}
],
"references": [
{
"type": "REPORT",
"url": "https://go.dev/issue/61460"
},
{
"type": "FIX",
"url": "https://go.dev/cl/515257"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI/m/Efv5DbZ9AwAJ"
}
],
"credits": [
{
"name": "Mateusz Poliwczak"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2023-1987"
}
}
}
{
"finding": {
"osv": "GO-2023-1987",
"fixed_version": "v1.21.0-rc.4",
"trace": [
{
"module": "stdlib",
"version": "v1.20.6",
"package": "crypto/tls",
"function": "Handshake",
"receiver": "*Conn"
},
{
"module": "google.golang.org/grpc",
"version": "v1.54.0",
"package": "google.golang.org/grpc/credentials",
"function": "ServerHandshake",
"receiver": "*tlsCreds",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/google.golang.org/grpc/credentials/tls.go",
"offset": 3098,
"line": 115,
"column": 26
}
},
{
"module": "go.etcd.io/etcd/client/v3",
"version": "v3.5.9",
"package": "go.etcd.io/etcd/client/v3/credentials",
"function": "ServerHandshake",
"receiver": "*transportCredential",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/go.etcd.io/etcd/client/v3/credentials/credentials.go",
"offset": 2388,
"line": 83,
"column": 31
}
},
{
"module": "google.golang.org/grpc",
"version": "v1.54.0",
"package": "google.golang.org/grpc/internal/transport",
"function": "NewServerTransport",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/google.golang.org/grpc/internal/transport/http2_server.go",
"offset": 5195,
"line": 146,
"column": 59
}
},
{
"module": "google.golang.org/grpc",
"version": "v1.54.0",
"package": "google.golang.org/grpc",
"function": "newHTTP2Transport",
"receiver": "*Server",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/google.golang.org/grpc/server.go",
"offset": 30542,
"line": 925,
"column": 41
}
},
{
"module": "google.golang.org/grpc",
"version": "v1.54.0",
"package": "google.golang.org/grpc",
"function": "handleRawConn",
"receiver": "*Server",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/google.golang.org/grpc/server.go",
"offset": 29256,
"line": 882,
"column": 27
}
},
{
"module": "google.golang.org/grpc",
"version": "v1.54.0",
"package": "google.golang.org/grpc",
"function": "Serve$3",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/google.golang.org/grpc/server.go",
"offset": 28830,
"line": 866,
"column": 19
}
},
{
"module": "google.golang.org/grpc",
"version": "v1.54.0",
"package": "google.golang.org/grpc",
"function": "Serve",
"receiver": "*Server",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/google.golang.org/grpc/server.go",
"offset": 28800,
"line": 865,
"column": 3
}
},
{
"module": "k8s.io/kubernetes",
"package": "k8s.io/kubernetes/pkg/kubelet/server",
"function": "ListenAndServePodResources",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/pkg/kubelet/server/server.go",
"offset": 8428,
"line": 234,
"column": 24
}
}
]
}
}
{
"finding": {
"osv": "GO-2023-1987",
"fixed_version": "v1.21.0-rc.4",
"trace": [
{
"module": "stdlib",
"version": "v1.20.6",
"package": "crypto/tls",
"function": "HandshakeContext",
"receiver": "*Conn"
},
{
"module": "stdlib",
"version": "v1.20.6",
"package": "net/http",
"function": "serve",
"receiver": "*conn",
"position": {
"filename": "/Users/liggitt/.gimme/versions/go1.20.6.darwin.arm64/src/net/http/server.go",
"offset": 57899,
"line": 1877,
"column": 37
}
},
{
"module": "stdlib",
"version": "v1.20.6",
"package": "net/http",
"function": "Serve",
"receiver": "*Server",
"position": {
"filename": "/Users/liggitt/.gimme/versions/go1.20.6.darwin.arm64/src/net/http/server.go",
"offset": 98053,
"line": 3089,
"column": 3
}
},
{
"module": "k8s.io/kubernetes",
"package": "k8s.io/kubernetes/pkg/proxy/healthcheck",
"function": "Run",
"receiver": "*proxierHealthServer",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/pkg/proxy/healthcheck/proxier_health.go",
"offset": 6065,
"line": 179,
"column": 24
}
}
]
}
}
{
"finding": {
"osv": "GO-2023-1987",
"fixed_version": "v1.21.0-rc.4",
"trace": [
{
"module": "stdlib",
"version": "v1.20.6",
"package": "crypto/tls",
"function": "Read",
"receiver": "*Conn"
},
{
"module": "k8s.io/kubernetes",
"package": "k8s.io/kubernetes/test/integration/garbagecollector",
"function": "Read",
"receiver": "*readDelayer",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/test/integration/garbagecollector/cluster_scoped_owner_test.go",
"offset": 1356,
"line": 50,
"column": 26
}
}
]
}
}
{
"finding": {
"osv": "GO-2023-1987",
"fixed_version": "v1.21.0-rc.4",
"trace": [
{
"module": "stdlib",
"version": "v1.20.6",
"package": "crypto/tls",
"function": "Write",
"receiver": "*Conn"
},
{
"module": "stdlib",
"version": "v1.20.6",
"package": "bufio",
"function": "Flush",
"receiver": "*Writer",
"position": {
"filename": "/Users/liggitt/.gimme/versions/go1.20.6.darwin.arm64/src/bufio/bufio.go",
"offset": 16862,
"line": 628,
"column": 22
}
},
{
"module": "k8s.io/kubernetes",
"package": "k8s.io/kubernetes/cmd/kubeadm/app/preflight",
"function": "Check",
"receiver": "SystemVerificationCheck",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/cmd/kubeadm/app/preflight/checks.go",
"offset": 16964,
"line": 544,
"column": 13
}
}
]
}
}
{
"finding": {
"osv": "GO-2023-1987",
"fixed_version": "v1.21.0-rc.4",
"trace": [
{
"module": "stdlib",
"version": "v1.20.6",
"package": "crypto/tls",
"function": "Dial"
},
{
"module": "./staging/src/k8s.io/client-go",
"package": "k8s.io/client-go/util/cert",
"function": "GetServingCertificates",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/k8s.io/client-go/util/cert/server_inspection.go",
"offset": 2403,
"line": 74,
"column": 23
}
},
{
"module": "./staging/src/k8s.io/client-go",
"package": "k8s.io/client-go/util/cert",
"function": "GetServingCertificatesForURL",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/k8s.io/client-go/util/cert/server_inspection.go",
"offset": 3255,
"line": 101,
"column": 31
}
},
{
"module": "k8s.io/kubernetes",
"package": "k8s.io/kubernetes/test/integration/apiserver/certreload",
"function": "TestSNICert",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/test/integration/apiserver/certreload/certreload_test.go",
"offset": 20031,
"line": 547,
"column": 58
}
}
]
}
}
{
"finding": {
"osv": "GO-2023-1987",
"fixed_version": "v1.21.0-rc.4",
"trace": [
{
"module": "stdlib",
"version": "v1.20.6",
"package": "crypto/tls",
"function": "DialWithDialer"
},
{
"module": "golang.org/x/net",
"version": "v0.12.0",
"package": "golang.org/x/net/websocket",
"function": "dialWithDialer",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/golang.org/x/net/websocket/dial.go",
"offset": 454,
"line": 18,
"column": 33
}
},
{
"module": "golang.org/x/net",
"version": "v0.12.0",
"package": "golang.org/x/net/websocket",
"function": "DialConfig",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/golang.org/x/net/websocket/client.go",
"offset": 2299,
"line": 93,
"column": 30
}
},
{
"module": "k8s.io/kubernetes",
"package": "k8s.io/kubernetes/test/e2e/framework/websocket",
"function": "OpenWebSocketForURL",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/test/e2e/framework/websocket/websocket_util.go",
"offset": 1733,
"line": 61,
"column": 29
}
}
]
}
}
{
"finding": {
"osv": "GO-2023-1987",
"fixed_version": "v1.21.0-rc.4",
"trace": [
{
"module": "stdlib",
"version": "v1.20.6",
"package": "crypto/tls",
"function": "DialContext",
"receiver": "*Dialer"
},
{
"module": "./staging/src/k8s.io/apimachinery",
"package": "k8s.io/apimachinery/pkg/util/httpstream/spdy",
"function": "dialWithoutProxy",
"receiver": "*SpdyRoundTripper",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/httpstream/spdy/roundtripper.go",
"offset": 8864,
"line": 292,
"column": 30
}
},
{
"module": "./staging/src/k8s.io/apimachinery",
"package": "k8s.io/apimachinery/pkg/util/httpstream/spdy",
"function": "dial",
"receiver": "*SpdyRoundTripper",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/httpstream/spdy/roundtripper.go",
"offset": 4737,
"line": 148,
"column": 28
}
},
{
"module": "./staging/src/k8s.io/apimachinery",
"package": "k8s.io/apimachinery/pkg/util/httpstream/spdy",
"function": "Dial",
"receiver": "*SpdyRoundTripper",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/httpstream/spdy/roundtripper.go",
"offset": 4251,
"line": 126,
"column": 21
}
},
{
"module": "./staging/src/k8s.io/apimachinery",
"package": "k8s.io/apimachinery/pkg/util/httpstream/spdy",
"function": "RoundTrip",
"receiver": "*SpdyRoundTripper",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/httpstream/spdy/roundtripper.go",
"offset": 9733,
"line": 314,
"column": 21
}
},
{
"module": "k8s.io/kubernetes",
"package": "k8s.io/kubernetes/test/integration/apiserver",
"function": "RoundTrip",
"receiver": "*callWrapper",
"position": {
"filename": "/Users/liggitt/go/src/k8s.io/kubernetes/test/integration/apiserver/apiserver_test.go",
"offset": 28014,
"line": 908,
"column": 33
}
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2023-1988",
"modified": "2023-08-02T15:06:27Z",
"published": "2023-08-02T15:06:27Z",
"aliases": [
"CVE-2023-3978"
],
"summary": "Improper rendering of text nodes in golang.org/x/net/html",
"details": "Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.",
"affected": [
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.13.0"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/html",
"symbols": [
"Render",
"render1"
]
}
]
}
}
],
"references": [
{
"type": "REPORT",
"url": "https://go.dev/issue/61615"
},
{
"type": "FIX",
"url": "https://go.dev/cl/514896"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2023-1988"
}
}
}
{
"finding": {
"osv": "GO-2023-1988",
"fixed_version": "v0.13.0",
"trace": [
{
"module": "golang.org/x/net",
"version": "v0.12.0",
"package": "golang.org/x/net/html"
}
]
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment