golang/go

golang.org/x/vuln: unable to temporarily suppress vulnerabilities

Closed this issue · 0 comments

Go version

1.25.4

Output of go env in your module/workspace:

n.a.

What did you do?

govulncheck ./...

=== Symbol Results ===

Vulnerability #1: GO-2025-4020
    DoS risk due to unrestricted RAR dictionary sizes in
    github.com/nwaples/rardecode
  More info: https://pkg.go.dev/vuln/GO-2025-4020
  Module: github.com/nwaples/rardecode
    Found in: github.com/nwaples/rardecode@v1.1.3
    Fixed in: N/A
    Example traces found:
      #1: internal/pkg/sbom/syft.go:39:28: sbom.generateSyftSBOM calls syft.GetSource, which eventually calls rardecode.FileHeader.Mode
      #2: internal/pkg/sbom/syft.go:39:28: sbom.generateSyftSBOM calls syft.GetSource, which eventually calls rardecode.NewReader
      #3: internal/pkg/sbom/syft.go:39:28: sbom.generateSyftSBOM calls syft.GetSource, which eventually calls rardecode.OpenReader
      #4: internal/pkg/sbom/syft.go:39:28: sbom.generateSyftSBOM calls syft.GetSource, which eventually calls rardecode.ReadCloser.Close
      #5: internal/pkg/sbom/syft.go:39:28: sbom.generateSyftSBOM calls syft.GetSource, which eventually calls rardecode.Reader.Next
      #6: internal/pkg/container/image/downloader/data/data.go:204:25: data.IOCopy.Copy calls io.Copy, which eventually calls rardecode.Reader.Read
      #7: internal/pkg/container/image/downloader/data/data.go:204:25: data.IOCopy.Copy calls io.Copy, which eventually calls rardecode.cipherBlockReader.Read
      #8: internal/pkg/container/image/downloader/data/data.go:204:25: data.IOCopy.Copy calls io.Copy, which eventually calls rardecode.decodeReader.Read
      #9: internal/pkg/sbom/syft.go:9:2: sbom.init calls syft.init, which eventually calls rardecode.init
      #10: internal/pkg/container/image/downloader/data/data.go:204:25: data.IOCopy.Copy calls io.Copy, which eventually calls rardecode.limitedReader.Read
      #11: internal/pkg/container/image/downloader/data/data.go:204:25: data.IOCopy.Copy calls io.Copy, which eventually calls rardecode.packedFileReader.Read
      #12: internal/pkg/container/image/downloader/data/archive/archive.go:73:23: archive.CompressedArchive.Archive calls archives.CompressedArchive.Archive, which eventually calls rardecode.volume.Close

Your code is affected by 1 vulnerability from 1 module.
This scan found no other vulnerabilities in packages you import or modules you
require.
Use '-show verbose' for more details.

What did you see happen?

Exit 3.

What did you expect to see?

Suppress a vulnerability, e.g. GO-2025-4020, using a config file.
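As an added example that is not part of this issue or of the golang.org/x/vuln project, the following Go program is one interim way to get the triage behaviour requested above while govulncheck itself has no suppression config. It assumes the workflow `govulncheck -json ./... | go run filter_vulns.go -suppress GO-2025-4020`. The JSON field names it decodes (`finding`, `osv`, `trace`, `module`, `package`, `function`) follow govulncheck's `-json` streaming format, in which `trace[0]` is the vulnerable symbol and the remaining frames lead back to the caller; because govulncheck exits 0 in `-json` mode regardless of findings, the program re-derives the pass/fail decision. The embedded `SampleStream` is constructed input, not real scanner output, and `GO-0000-0000` and the `example.invalid` module paths are placeholders.

```go
// Added example, not part of golang.org/x/vuln: an interim suppression filter.
// Assumed workflow: govulncheck -json ./... | go run filter_vulns.go -suppress GO-2025-4020
// govulncheck always exits 0 in -json mode, so the pass/fail decision is
// re-derived here. Field names follow the govulncheck -json streaming format.
package main

import (
	"encoding/json"
	"flag"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// The subset of govulncheck -json messages this filter needs; other message
// kinds (config, progress, osv) decode to an empty struct and are skipped.
type message struct {
	Finding *struct {
		OSV   string `json:"osv"`
		Trace []struct {
			Module   string `json:"module,omitempty"`
			Package  string `json:"package,omitempty"`
			Function string `json:"function,omitempty"`
		} `json:"trace"`
	} `json:"finding,omitempty"`
}

// SampleStream is constructed input in the shape govulncheck -json emits (a
// stream of objects), not real scanner output. GO-0000-0000 is a placeholder ID
// and example.invalid/... are placeholder module paths.
const SampleStream = `
{"config": {"scanner_name": "govulncheck"}}
{"finding": {"osv": "GO-2025-4020", "trace": [{"module": "github.com/nwaples/rardecode"}]}}
{"finding": {"osv": "GO-2025-4020", "trace": [
  {"module": "github.com/nwaples/rardecode", "package": "github.com/nwaples/rardecode", "function": "NewReader"},
  {"module": "example.invalid/app", "package": "example.invalid/app/internal/pkg/sbom", "function": "generateSyftSBOM"}]}}
{"finding": {"osv": "GO-0000-0000", "trace": [{"module": "example.invalid/other", "package": "example.invalid/other", "function": "Do"}]}}
`

// Triage reads the message stream and returns the sorted, de-duplicated OSV IDs
// that still block the build and those suppressed by ID. Only symbol-level
// findings (trace[0].Function set) count, matching govulncheck's "Symbol
// Results"; module- or package-level reachability alone never fails the build.
func Triage(r io.Reader, suppress map[string]bool) ([]string, []string, error) {
	var blocking, suppressed []string
	seen := map[string]bool{}
	dec := json.NewDecoder(r)
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, nil, err
		}
		f := m.Finding
		if f == nil || len(f.Trace) == 0 || f.Trace[0].Function == "" || seen[f.OSV] {
			continue
		}
		seen[f.OSV] = true
		if suppress[f.OSV] {
			suppressed = append(suppressed, f.OSV)
		} else {
			blocking = append(blocking, f.OSV)
		}
	}
	sort.Strings(blocking)
	sort.Strings(suppressed)
	return blocking, suppressed, nil
}

func main() {
	list := flag.String("suppress", "", "comma-separated OSV IDs to ignore for now")
	flag.Parse()
	suppress := map[string]bool{}
	for _, id := range strings.Split(*list, ",") {
		if id = strings.TrimSpace(id); id != "" {
			suppress[id] = true
		}
	}
	blocking, suppressed, err := Triage(os.Stdin, suppress)
	if err != nil {
		fmt.Fprintln(os.Stderr, "filter_vulns:", err)
		os.Exit(2)
	}
	for _, id := range suppressed {
		fmt.Println("suppressed:", id, "(re-check before the suppression expires)")
	}
	for _, id := range blocking {
		fmt.Println("BLOCKING:  ", id)
	}
	if len(blocking) > 0 {
		os.Exit(3) // the status the report above shows for unsuppressed findings
	}
}
```

Suppression here is by OSV ID only, which is deliberately coarse: a suppressed ID stays silent even if a later scan finds additional vulnerable symbols reachable under the same report, so the list is best kept short, dated, and reviewed whenever the database entry gains a fixed version.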