How to run govulncheck with a specific Go version?

Question

I'm trying to scan my Go module for vulnerabilities using the govulncheck tool. Following the instructions on the "Managing Go installations" page, I have two Go versions installed: 1.17.9 and 1.18.6:

$ go version
go version go1.17.9 linux/amd64
$ go1.18.6 version
go version go1.18.6 linux/amd64

My module is built and run with 1.18.6. I installed govulncheck using go 1.18.6 using this command:

$ go1.18.6 install golang.org/x/vuln/cmd/govulncheck@latest
go: downloading golang.org/x/vuln v0.0.0-20220913170424-c9fe2ba7ccad
go: downloading golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4
go: downloading golang.org/x/tools v0.1.13-0.20220803210227-8b9a1fbdf5c3
go: downloading golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e

But when I ran govulncheck ./... against my module, it reported issues against Go 1.17.9.

$ govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
Found 5 known vulnerabilities.

Vulnerability #1: GO-2022-0524
  Calling Reader.Read on an archive containing a large number of
  concatenated 0-length compressed files can cause a panic due to
  stack exhaustion.

  Call stacks in your code:
      path/omitted/example.go:79:67: example.com/example-project/path/omitted/example.Method calls example.com/vulnerable-dependency/path/omitted/example.Foo.Bar, which eventually calls compress/gzip.Reader.Read

  Found in: compress/gzip@go1.17.9
  Fixed in: compress/gzip@go1.18.4
  More info: https://pkg.go.dev/vuln/GO-2022-0524

(etc)

The example issue is already fixed in the Go version I'm using (1.18.6), but since govulncheck is using 1.17.9 instead of 1.18.6, it's not seeing that the problem is mitigated.

How do I run this tool using my desired Go version?

Answer 1

Score: 2

I'm going to write my comment as a (slightly more detailed) answer:

According to the docs, govulncheck will use the go command found on the PATH. So one solution would be to export a different PATH (having go point to 1.18.6 instead of 1.17.9) only when using govulncheck.

You could do this in your Makefile pretty easily like so:

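# Prepend the Go 1.18.6 directory to PATH for this target only.
# PATH_TO_GO_1_18_6 is not defined here; set it to the directory holding that go binary.
vulncheck: export PATH:=$(PATH_TO_GO_1_18_6):$(PATH)
vulncheck:
	govulncheck ./...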
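
A shell version of the PATH override described in the answer, as an added example that is not part of the original post. It assumes the `go1.18.6` wrapper from the question is installed; the function names `path_for_go`, `run_with_path` and `vulncheck_with` are hypothetical. It also refuses to scan when the `go` that govulncheck would pick up is not the expected version.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not part of govulncheck.

# path_for_go WRAPPER: print a PATH with WRAPPER's own toolchain first.
# Relies on "goX.Y.Z env GOROOT", which prints where that SDK is installed.
path_for_go() {
    pfg_root=$("$1" env GOROOT) || return 1
    if [ ! -x "$pfg_root/bin/go" ]; then
        echo "no go binary under $pfg_root/bin" >&2
        return 1
    fi
    printf '%s:%s\n' "$pfg_root/bin" "$PATH"
}

# run_with_path NEWPATH CMD [ARGS...]: run CMD in a subshell so the PATH
# change covers command lookup and the child's environment, then vanishes.
run_with_path() {
    ( PATH=$1; export PATH; shift; exec "$@" )
}

# vulncheck_with WRAPPER WANT [ARGS...]: scan only if the go that govulncheck
# will pick up from PATH reports version WANT (e.g. go1.18.6).
vulncheck_with() {
    vw_wrapper=$1 vw_want=$2
    shift 2
    vw_path=$(path_for_go "$vw_wrapper") || return 1
    vw_got=$(run_with_path "$vw_path" go version | awk '{print $3}')
    if [ "$vw_got" != "$vw_want" ]; then
        echo "go on PATH is $vw_got, expected $vw_want; not scanning" >&2
        return 2
    fi
    run_with_path "$vw_path" govulncheck "$@"
}

# Usage (from the module root):
#   vulncheck_with go1.18.6 go1.18.6 ./...
```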

huangapple
  • Published on September 14, 2022 at 06:58:35
  • When reposting, please keep the link to this article: https://go.coder-hub.com/73709882.html