New CVEs Pertaining to Go Version

jtk94 opened this issue 2 years ago · 1 comments

jtk94 commented 2 years ago

Vulnerability scans using Twistlock are showing the following CVEs, all pertaining to go-1.17.7:

CVE-2022-1705
CVE-2022-1962
CVE-2022-28131
CVE-2022-30580
CVE-2022-30629
CVE-2022-30630
CVE-2022-30631
CVE-2022-30632
CVE-2022-30633

None of these findings are currently listed in #104. Can you confirm that these CVEs do not apply to builds of gosu?

tianon commented 2 years ago

Thanks, added!

CVE-2022-1705: does not use net/http (#112)
CVE-2022-1962: no deeply nested types (#112)
CVE-2022-28131: does not use encoding/xml (#112)
CVE-2022-30580: does not (could not?) support GOOS=windows (#112)
CVE-2022-30629: does not use crypto/tls (#112)
CVE-2022-30630: does not use file globbing (#112)
CVE-2022-30631: does not use compress/gzip (#112)
CVE-2022-30632: does not use file globbing (#112)
CVE-2022-30633: does not use encoding/xml (#112)