
Disable govulncheck due to false positive #83

Merged
merged 1 commit into from Oct 14, 2022
Conversation

@mislav mislav commented Oct 13, 2022

govulncheck detected a case where `--jq` user input directly constructs a regexp in gojq code, which govulncheck considers a failure since it can lead to denial-of-service attacks. This risk doesn't affect us, however, since we're building CLI apps and not hosted apps. As a user, you can crash your own `gh` process using your own malicious input as much as you'd like.

govulncheck presently does not have a way of silencing or allow-listing specific violations, so this disables govulncheck completely.

Ref. https://github.com/cli/go-gh/actions/runs/3243823451/jobs/5319105048
Reverts #71

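The pattern govulncheck flagged above is "untrusted string goes straight into regexp.Compile". The following is an added example, not code from go-gh, gojq or the `gh` CLI, that shows the unguarded shape beside a bounded one so the trust-boundary argument in the PR can be checked concretely. The names `compileUntrusted`, `compileBounded`, `filterVersions`, `hugePattern` and the `maxPatternLen` limit are assumptions made for this illustration; the version strings are constructed sample input. Go's regexp package guarantees linear-time matching, so for a hosted service the remaining denial-of-service lever is the size of the compiled program, which a length cap on the pattern bounds; for a local CLI the only process the user can exhaust is their own.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// maxPatternLen is an assumed limit chosen for this example; a hosted
// service would pick it to fit its memory budget.
const maxPatternLen = 256

var errPatternTooLong = errors.New("regexp pattern exceeds length limit")

// compileUntrusted is the shape govulncheck reports: a pattern supplied by
// the user (here, the equivalent of a --jq filter calling test("...")) is
// handed to regexp.Compile with no bound on its size.
func compileUntrusted(pattern string) (*regexp.Regexp, error) {
	return regexp.Compile(pattern)
}

// compileBounded rejects oversized patterns before compiling them, which
// caps the memory the compiled program can consume.
func compileBounded(pattern string) (*regexp.Regexp, error) {
	if len(pattern) > maxPatternLen {
		return nil, errPatternTooLong
	}
	return regexp.Compile(pattern)
}

// filterVersions mimics a CLI selecting release tags with a user-supplied
// pattern, routed through the bounded compiler.
func filterVersions(pattern string, tags []string) ([]string, error) {
	re, err := compileBounded(pattern)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, t := range tags {
		if re.MatchString(t) {
			out = append(out, t)
		}
	}
	return out, nil
}

// hugePattern builds a constructed oversized pattern of n repeated groups,
// the kind of input an attacker would send to a hosted endpoint.
func hugePattern(n int) string {
	return strings.Repeat("(a|b)*", n)
}

func main() {
	// Constructed sample input standing in for API output.
	tags := []string{"v1.0.0", "v2.10.1", "v2.3.0", "nightly"}

	got, err := filterVersions(`^v2\.`, tags)
	fmt.Println(got, err)

	_, err = compileBounded(hugePattern(1000))
	fmt.Println("bounded:", err)

	// The unguarded path accepts the same input and compiles it.
	re, err := compileUntrusted(`^v[0-9]+\.`)
	fmt.Println("untrusted ok:", re != nil, err)
}
```

Whether the cap is worth adding depends entirely on who supplies the pattern: for `gh` the pattern author and the process owner are the same person, which is the point the PR makes; for a service that evaluates caller-supplied filters they are not.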
@samcoe samcoe left a comment

Dang, unfortunate this didn't work out. I think there is potential there, maybe in the future the tooling around it will become better so we can dismiss false positives.

@mislav mislav merged commit 2479ec8 into trunk Oct 14, 2022
@mislav mislav deleted the no-govulncheck branch October 14, 2022 10:44