I recently noticed that the Go project has officially released a new tool for vulnerability management: it reports the known vulnerabilities your code is affected by and tells you which version you need to upgrade to.
Version requirement: Go >= 1.18
go install golang.org/x/vuln/cmd/govulncheck@latest
Change into the project directory, then run:
govulncheck ./...
The output looks like this:
Scanning your code and 470 packages across 91 dependent modules for known vulnerabilities...
Vulnerability #1: GO-2023-2043
Improper handling of special tags within script contexts in html/template
More info: https://pkg.go.dev/vuln/GO-2023-2043
Standard library
Found in: html/[email protected]
Fixed in: html/[email protected]
Example traces found:
#1: pkg/endless/endless_unix.go:201:24: endless.endlessServer.Serve calls http.Server.Serve, which eventually calls template.Template.Execute
#2: pkg/endless/endless_unix.go:201:24: endless.endlessServer.Serve calls http.Server.Serve, which eventually calls template.Template.ExecuteTemplate
Vulnerability #2: GO-2023-2041
Improper handling of HTML-like comments in script contexts in html/template
More info: https://pkg.go.dev/vuln/GO-2023-2041
Standard library
Found in: html/[email protected]
Fixed in: html/[email protected]
Example traces found:
#1: pkg/endless/endless_unix.go:201:24: endless.endlessServer.Serve calls http.Server.Serve, which eventually calls template.Template.Execute
#2: pkg/endless/endless_unix.go:201:24: endless.endlessServer.Serve calls http.Server.Serve, which eventually calls template.Template.ExecuteTemplate
Vulnerability #3: GO-2023-1987
Large RSA keys can cause high CPU usage in crypto/tls
More info: https://pkg.go.dev/vuln/GO-2023-1987
Standard library
Found in: crypto/[email protected]
Fixed in: crypto/[email protected]
Example traces found:
#1: pkg/gredis/redis.go:22:24: gredis.Setup calls redis.Dial, which calls tls.Conn.Handshake
#2: pkg/endless/endless_unix.go:201:24: endless.endlessServer.Serve calls http.Server.Serve, which eventually calls tls.Conn.HandshakeContext
#3: pkg/util/util.go:140:19: util.CreateUuidStringNew calls rand.Read, which eventually calls tls.Conn.Read
#4: pkg/endless/endless_unix.go:201:24: endless.endlessServer.Serve calls http.Server.Serve, which eventually calls tls.Conn.Write
#5: pkg/curl/curl.go:62:23: curl.HttpClientRequest calls http.Client.Do, which eventually calls tls.Dialer.DialContext
....
....
GO-2023-2043
After the vulnerability ID comes a description of the vulnerability, the version it was found in and the version it is fixed in (the recommended remediation), followed by example call traces showing how your code reaches the vulnerable symbol.
For detailed instructions, see the document at https://mp.weixin.qq.com/s/xO_w3FvNN8OeiuEYFarwGQ.
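As an added example (not part of the original post or of govulncheck itself), the following Go program parses the shape of the text report shown above into one record per finding: the report ID, the package@version it was found in, the version to upgrade to, and how many example traces reach the vulnerable code. The sample report embedded in the program is constructed from the output above; its go1.X.* versions are placeholders, not real release numbers.

```go
package main

import "strings"

// Finding is one "Vulnerability #N" block of govulncheck's text report.
type Finding struct {
	ID, FoundIn, FixedIn string // report ID, vulnerable package@version, version to upgrade to
	Traces               int    // example call paths from this code base into the vulnerable symbol
}

// ParseReport extracts the findings from govulncheck's default text output.
func ParseReport(report string) []Finding {
	var out []Finding
	cur := -1 // index into out; a pointer would go stale across appends
	for _, raw := range strings.Split(report, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasPrefix(line, "Vulnerability #"): // "Vulnerability #1: GO-2023-2043"
			_, id, _ := strings.Cut(line, ": ")
			out = append(out, Finding{ID: id})
			cur = len(out) - 1
		case cur < 0: // still in the preamble ("Scanning your code ...")
		case strings.HasPrefix(line, "Found in: "):
			out[cur].FoundIn = strings.TrimPrefix(line, "Found in: ")
		case strings.HasPrefix(line, "Fixed in: "):
			out[cur].FixedIn = strings.TrimPrefix(line, "Fixed in: ")
		case strings.HasPrefix(line, "#") && strings.Contains(line, " calls "):
			out[cur].Traces++ // "#N: file:line:col: A calls B, which eventually calls C"
		}
	}
	return out
}
// sampleReport is constructed from the shape of the output shown above; the go1.X.* versions are placeholders.
const sampleReport = `Scanning your code and 2 packages across 1 dependent module for known vulnerabilities...
Vulnerability #1: GO-2023-2043
Improper handling of special tags within script contexts in html/template
Found in: html/template@go1.X.0
Fixed in: html/template@go1.X.1
#1: pkg/endless/endless_unix.go:201:24: endless.endlessServer.Serve calls http.Server.Serve, which eventually calls template.Template.Execute
#2: pkg/endless/endless_unix.go:201:24: endless.endlessServer.Serve calls http.Server.Serve, which eventually calls template.Template.ExecuteTemplate
Vulnerability #2: GO-2023-1987
Found in: crypto/tls@go1.X.0
Fixed in: crypto/tls@go1.X.1
#1: pkg/gredis/redis.go:22:24: gredis.Setup calls redis.Dial, which calls tls.Conn.Handshake`

func main() {
	for _, f := range ParseReport(sampleReport) {
		println(f.ID, f.FoundIn, "->", f.FixedIn, f.Traces, "trace(s)")
	}
}
```

The text report is written for humans and its layout may change between govulncheck releases; for CI gating, prefer govulncheck's -json output over parsing the text.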