x509.Certificate.Verify ?? #1369
-
|
govulncheck as of an hour ago complains Looking at their repo I don't see a recent commit. Does ebpf actually call this? Seems sus. I think govulncheck is confused but thought I'd ask. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 1 reply
-
|
Hi @notrobpike |
Beta Was this translation helpful? Give feedback.
-
|
I normally run @latest, not any specific tagged version. This is why I looked for recent commits in their repo. govulncheck does break from time to time. But I found no recent commits. When I install @latest it tells me it is using v1.0.4. I'm running it on my own code, which imports cilium/ebpf. Indeed, if I run it against the cilium/ebpf repo, the vuln is not reported at all. In my repo, it is reported. So I think that this is just a nuisance that ebpf is even mentioned in that report. My own repo does not call Verify() either, but it does start up an http (plain) server for prometheus metrics. I suppose there is some code path where a Verify() is possible and govulncheck can't quite suss out that my code can't get there. Anyway I did have another vuln that was real, so updating to go1.21.8 stopped the complaint. |
Beta Was this translation helpful? Give feedback.
I normally run @latest, not any specific tagged version. This is why I looked for recent commits in their repo. govulncheck does break from time to time. But I found no recent commits. When I install @latest it tells me it is using v1.0.4.
I'm running it on my own code, which imports cilium/ebpf.
Indeed, if I run it against the cilium/ebpf repo, the vuln is not reported at all. In my repo, it is reported. So I think that this is just a nuisance that ebpf is even mentioned in that report.
My own repo does not call Verify() either, but it does start up an http (plain) server for prometheus metrics. I suppose there is some code path where a Verify() is possible and govulncheck can't quite su…