x/build: update to golang.org/x/[email protected]+ (GO-2021-0113) #51565

Closed
@hyangah

Description

govulncheck reports GO-2021-0113 for golang.org/x/build@0a1fb72 (as of 2022/03/09)

$ govulncheck ./...
Findings for vulnerability: GO-2021-0113 (CVE-2021-38561):

Trace:
golang.org/x/text/language.MustParse (/Users/hakim/go/pkg/mod/golang.org/x/[email protected]/cases/map.go:43:41)
golang.org/x/text/cases.init#1(...) (-)
golang.org/x/text/cases.init(...) (-)
golang.org/x/text/secure/precis.init(...) (-)
github.com/jackc/pgconn.init(...) (-)
golang.org/x/build/internal/relui/db.init(...) (-)

I don't think this vulnerability is actually affecting this specific code path picked by govulncheck
(The pgconn maintainer also said in jackc/pgconn#103 this vulnerability doesn't affect the package.)

This vulnerability is not the type of vulnerability that can be analyzed with simple(?) callgraph analysis. We need data analysis to see what's fed into the vulnerable function. But with the lack of options to suppress the report, the easiest path forward is, I think, to update the dependency.

On the other hand, as seen in #51216, the Go security team wants to avoid changes triggered by false-positive reports. So, I am not sure what the Go team's policy is in cases like this.

If we decide to update the dependency, now the question is which dependency to upgrade:

cc @golang/security
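Added example, not part of the issue and not govulncheck's own code: a small Go program that parses a govulncheck text report of the shape quoted above and answers the triage question the issue raises, namely whether the vulnerable symbol is reached only through package init functions (which run once at start-up with the arguments written in the source, so no request-time input flows into them) and where the call site to inspect is. The sample report is constructed from the trace in the issue; GOMODCACHE and VERSION in the module-cache path are placeholders, and the two regular expressions assume the older "Findings for vulnerability:" / "Trace:" text layout shown here rather than the newer govulncheck output formats.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Frame is one govulncheck trace line: a qualified symbol and the source
// position at which it is reached ("-" when govulncheck reports none).
type Frame struct {
	Symbol string
	Pos    string
}

// Finding is one reported vulnerability plus the call chain found for it.
// Trace[0] is the vulnerable symbol; each later frame calls the one before it.
type Finding struct {
	ID    string // vulnerability database ID, e.g. GO-2021-0113
	Alias string // alias in parentheses, e.g. CVE-2021-38561
	Trace []Frame
}

var (
	findingRe = regexp.MustCompile(`^Findings for vulnerability: (\S+) \((\S+)\):$`)
	frameRe   = regexp.MustCompile(`^(\S+) \((.*)\)$`)
)

// ParseFindings parses the older human-readable govulncheck text output.
// Blank lines, the "Trace:" marker and an echoed "$ ..." command are skipped;
// any other unrecognised line is an error, so a format change is noticed
// instead of frames being silently dropped.
func ParseFindings(out string) ([]Finding, error) {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || line == "Trace:" || strings.HasPrefix(line, "$ "):
			continue
		case findingRe.MatchString(line):
			m := findingRe.FindStringSubmatch(line)
			findings = append(findings, Finding{ID: m[1], Alias: m[2]})
		case frameRe.MatchString(line):
			if len(findings) == 0 {
				return nil, fmt.Errorf("trace frame before any finding header: %q", line)
			}
			m := frameRe.FindStringSubmatch(line)
			cur := &findings[len(findings)-1]
			cur.Trace = append(cur.Trace, Frame{Symbol: m[1], Pos: m[2]})
		default:
			return nil, fmt.Errorf("unrecognised govulncheck line: %q", line)
		}
	}
	return findings, sc.Err()
}

// funcName strips the "(...)" marker and the package path from a symbol:
// "golang.org/x/text/cases.init#1(...)" -> "init#1".
func funcName(symbol string) string {
	s := strings.TrimSuffix(symbol, "(...)")
	return s[strings.LastIndex(s, ".")+1:]
}

// isInit reports whether a symbol is a package initialiser (init or init#N).
func isInit(symbol string) bool {
	n := funcName(symbol)
	return n == "init" || strings.HasPrefix(n, "init#")
}

// CallSite returns the first frame with a real source position: the line a
// reviewer opens to see which argument actually reaches the vulnerable function.
func CallSite(f Finding) (Frame, bool) {
	for _, fr := range f.Trace {
		if fr.Pos != "" && fr.Pos != "-" {
			return fr, true
		}
	}
	return Frame{}, false
}

// InitOnly reports whether every caller of the vulnerable symbol is an init
// function. Such a chain runs once at program start with fixed arguments, so
// for a bug that needs attacker-controlled input it is a likely false positive;
// the call site still deserves a human look.
func InitOnly(f Finding) bool {
	if len(f.Trace) < 2 {
		return false
	}
	for _, fr := range f.Trace[1:] {
		if !isInit(fr.Symbol) {
			return false
		}
	}
	return true
}

// sample is constructed input in the shape of the report quoted in the issue;
// GOMODCACHE and VERSION in the path are placeholders, not real values.
const sample = `$ govulncheck ./...
Findings for vulnerability: GO-2021-0113 (CVE-2021-38561):

Trace:
golang.org/x/text/language.MustParse (/GOMODCACHE/golang.org/x/text@VERSION/cases/map.go:43:41)
golang.org/x/text/cases.init#1(...) (-)
golang.org/x/text/cases.init(...) (-)
golang.org/x/text/secure/precis.init(...) (-)
github.com/jackc/pgconn.init(...) (-)
golang.org/x/build/internal/relui/db.init(...) (-)
`

func main() {
	findings, err := ParseFindings(sample)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s (%s): vulnerable symbol %s\n", f.ID, f.Alias, f.Trace[0].Symbol)
		if site, ok := CallSite(f); ok {
			fmt.Printf("  inspect call site: %s\n", site.Pos)
		}
		fmt.Printf("  reached only through init functions: %v\n", InitOnly(f))
	}
}
```

Run it with go run on a file containing the block; for the constructed report it names golang.org/x/text/language.MustParse as the vulnerable symbol, points at cases/map.go:43:41 as the call site to read, and reports the chain as init-only. The init-only check is a heuristic for prioritising review, not a verdict: reachability from a call graph says a path exists, and only reading the call site shows whether untrusted data can reach the vulnerable function along it.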

Metadata

Labels

Builders (x/build issues: builders, bots, dashboards)
FrozenDueToAge
NeedsFix (The path to resolution is known, but the work has not been done.)
