govulncheck vulnerabilities detected
Closed this issue · 0 comments
TyBrown commented
I ran govulncheck
on this app today because we use it in production, and have found that it's got a vulnerability in a dependency that should be fairly trivial to fix by upgrading dependencies.
$ govulncheck .
Scanning your code and 201 packages across 16 dependent modules for known vulnerabilities...
Vulnerability #1: GO-2022-0322
Uncontrolled resource consumption in github.com/prometheus/client_golang
More info: https://pkg.go.dev/vuln/GO-2022-0322
Module: github.com/prometheus/client_golang
Found in: github.com/prometheus/client_golang@v1.10.0
Fixed in: github.com/prometheus/client_golang@v1.11.1
Example traces found:
#1: app/metrics.go:70:69: app.providerPrometheus.GetRouter calls promhttp.Handler
#2: app/domain.go:368:73: app.CheckDomain calls bolt.panicked.Error, which eventually calls promhttp.responseWriterDelegator.Write
#3: app/domain.go:368:73: app.CheckDomain calls bolt.panicked.Error, which eventually calls promhttp.responseWriterDelegator.WriteHeader
#4: app/http.go:175:7: app.StartAPIServer calls negroni.Negroni.Run, which eventually calls promhttp.sanitizeMethod
=== Informational ===
Found 1 vulnerability in packages that you import, but there are no call
stacks leading to the use of this vulnerability. You may not need to
take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.
Vulnerability #1: GO-2022-0493
Incorrect privilege reporting in syscall and golang.org/x/sys/unix
More info: https://pkg.go.dev/vuln/GO-2022-0493
Module: golang.org/x/sys
Found in: golang.org/x/sys@v0.0.0-20210309074719-68d13333faf2
Fixed in: golang.org/x/sys@v0.0.0-20220412211240-33da011f77ad
Your code is affected by 1 vulnerability from 1 module.
Share feedback at https://go.dev/s/govulncheck-feedback.```