New CVEs Pertaining to Go Version
jtk94 opened this issue · 1 comments
jtk94 commented
Vulnerability scans using Twistlock are showing the following CVEs, all pertaining to go-1.17.7:
CVE-2022-1705
CVE-2022-1962
CVE-2022-28131
CVE-2022-30580
CVE-2022-30629
CVE-2022-30630
CVE-2022-30631
CVE-2022-30632
CVE-2022-30633
None of these findings are currently listed in #104. Can you confirm that these CVEs do not apply to builds of gosu?
tianon commented
Thanks, added!
- CVE-2022-1705: does not use `net/http` (#112)
- CVE-2022-1962: no deeply nested types (#112)
- CVE-2022-28131: does not use `encoding/xml` (#112)
- CVE-2022-30580: does not (could not?) support `GOOS=windows` (#112)
- CVE-2022-30629: does not use `crypto/tls` (#112)
- CVE-2022-30630: does not use file globbing (#112)
- CVE-2022-30631: does not use `compress/gzip` (#112)
- CVE-2022-30632: does not use file globbing (#112)
- CVE-2022-30633: does not use `encoding/xml` (#112)
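
One way to check the "does not use `<package>`" justifications in the list above against a build's import graph. This is an added example, not part of the issue thread or the gosu project; the helper name `triage_deps` and the sample package list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Usage against a real source tree: go list -deps ./... | triage_deps

# CVE -> standard-library package, copied from the triage list above.
# Only entries justified by "does not use <package>" are covered.
CVE_PACKAGES='CVE-2022-1705 net/http
CVE-2022-28131 encoding/xml
CVE-2022-30629 crypto/tls
CVE-2022-30631 compress/gzip
CVE-2022-30633 encoding/xml'

# triage_deps (hypothetical helper): reads one import path per line on stdin,
# prints "<cve> <package> present|absent" per CVE, returns 1 if any is present.
triage_deps() {
    _td_deps=$(cat)
    _td_rc=0
    while read -r _td_cve _td_pkg; do
        # -x -F: exact whole-line match, so a path that merely ends in
        # "encoding/xml" is not mistaken for the standard-library package.
        if printf '%s\n' "$_td_deps" | grep -qxF -- "$_td_pkg"; then
            _td_status=present
            _td_rc=1
        else
            _td_status=absent
        fi
        printf '%s %s %s\n' "$_td_cve" "$_td_pkg" "$_td_status"
    done <<EOF
$CVE_PACKAGES
EOF
    return "$_td_rc"
}

# Constructed sample package list (not real gosu output).
SAMPLE_DEPS='fmt
os
os/exec
syscall
example.com/fork/encoding/xml'

printf '%s\n' "$SAMPLE_DEPS" | triage_deps || echo "review needed: a flagged package is linked in"
```

A package reported as absent cannot contribute code to the binary, which is the strongest form of these justifications. The remaining entries (nested types, file globbing, `GOOS=windows`) depend on how code is used or built and are not covered by a package-level check.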