What is the difference between git and go-git
Question
My application uses the go-git library, and I recently became aware of CVE-2022-23521 and CVE-2022-41903, issues about git.
I want to know if these issues affect go-git (https://github.com/go-git/go-git).
This is the description of go-git:
> go-git is a highly extensible git implementation library written in pure Go.
However, I cannot fully understand the meaning of 'git implementation'.
I think 1) git is a VCS, 2) go-git implements the functions of git as a VCS, and 3) the CVE issues pertain only to the git CLI tool (https://github.com/git/git), not go-git.
Are my thoughts right?
Answer 1
Score: 2
While both CVE-2022-23521 and CVE-2022-41903 are specific to git/git (the original C implementation), it is a good idea to try and replicate the exploit scenario, to confirm the go-git one is not affected.
As go-git PR 620 illustrates ("Update dependencies to remove supply chain CVEs"), go-git is vulnerable to its own class of security issues, like known supply chain CVEs.
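A practical first step on this answer is to check what your binary actually links, because the two CVEs named above live in the C implementation and only matter if the application runs the git CLI, while the PR 620 point is about go-git's own Go dependencies. The program below is an added example, not code from the original page or from the go-git project: it reads the module list the Go linker embeds in every module-mode binary (the same data `go version -m` prints), reports whether github.com/go-git/go-git/v5 is linked in and at which version, and compares any modules you name on the command line against a minimum version. All function names are mine; the minimum versions are an input you take from the advisory you are checking, none are hard-coded, and the versions in the usage note are placeholders.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// GoGitModule is the module path of go-git v5 (from the go-git README).
const GoGitModule = "github.com/go-git/go-git/v5"

// Dep is one module compiled into a Go binary, after replace directives.
type Dep struct {
	Path    string
	Version string
}

// depsFromBinary reads the module list the Go linker embeds in a binary;
// `go version -m <binary>` prints the same data.
func depsFromBinary(path string) ([]Dep, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, err
	}
	deps := make([]Dep, 0, len(bi.Deps))
	for _, m := range bi.Deps {
		if m.Replace != nil { // a replace directive changes what was really compiled
			m = m.Replace
		}
		deps = append(deps, Dep{Path: m.Path, Version: m.Version})
	}
	return deps, nil
}

// FindDep returns the version of modPath among deps, and false if the module
// is not linked into the binary at all.
func FindDep(deps []Dep, modPath string) (string, bool) {
	for _, d := range deps {
		if d.Path == modPath {
			return d.Version, true
		}
	}
	return "", false
}

// CompareSemver orders two "vMAJOR.MINOR.PATCH" strings numerically and
// returns -1, 0 or 1. Pre-release and build suffixes are ignored, so a
// pseudo-version like v0.0.0-20220525230936-793ad666bf5e sorts as v0.0.0.
func CompareSemver(a, b string) int {
	parse := func(v string) [3]int {
		v = strings.TrimPrefix(v, "v")
		if i := strings.IndexAny(v, "-+"); i >= 0 {
			v = v[:i]
		}
		var out [3]int
		for i, part := range strings.SplitN(v, ".", 3) {
			out[i], _ = strconv.Atoi(part) // non-numeric parts count as 0
		}
		return out
	}
	pa, pb := parse(a), parse(b)
	for i := 0; i < 3; i++ {
		if pa[i] < pb[i] {
			return -1
		} else if pa[i] > pb[i] {
			return 1
		}
	}
	return 0
}

// ParseMinimums turns "module=vX.Y.Z" arguments into a map (module path ->
// first fixed version, as given by the advisory); malformed entries are skipped.
func ParseMinimums(args []string) map[string]string {
	out := make(map[string]string)
	for _, a := range args {
		if mod, ver, ok := strings.Cut(a, "="); ok && mod != "" && strings.HasPrefix(ver, "v") {
			out[mod] = ver
		}
	}
	return out
}

// Audit lists every dependency whose linked version is below its minimum.
func Audit(deps []Dep, minFixed map[string]string) []string {
	var findings []string
	for _, d := range deps {
		if floor, ok := minFixed[d.Path]; ok && CompareSemver(d.Version, floor) < 0 {
			findings = append(findings, fmt.Sprintf("%s %s is below %s", d.Path, d.Version, floor))
		}
	}
	return findings
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: gogit-audit <go-binary> [module=vX.Y.Z ...]")
		os.Exit(2)
	}
	deps, err := depsFromBinary(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if v, ok := FindDep(deps, GoGitModule); ok {
		fmt.Printf("%s %s is linked in: the C git CVEs do not reach this code, its own dependencies do\n", GoGitModule, v)
	} else {
		fmt.Println("go-git is not linked in; any git functionality comes from elsewhere, e.g. the git CLI via os/exec")
	}
	for _, f := range Audit(deps, ParseMinimums(os.Args[2:])) {
		fmt.Println("FINDING:", f)
	}
}
```

Build it and run, for example, `./gogit-audit ./myapp github.com/go-git/go-git/v5=v5.10.0` (the version is a placeholder, not a fix version taken from any advisory). Two caveats: the embedded build info cannot tell you whether the program also shells out to the git CLI through os/exec, which is the only way the C git CVEs would reach it, so grep the source for that separately; and pseudo-versions compare as v0.0.0 here, so check those against the advisory by commit date. Once network access is available, govulncheck runs the same embedded module data against the Go vulnerability database and is the tool to prefer.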
Comments