
govulncheck failure on v0.24.x #2267

Closed
notatestuser opened this issue Oct 17, 2024 · 5 comments

Comments

@notatestuser

notatestuser commented Oct 17, 2024

Someone smart has filed a security vulnerability for a consensus bug in btcd v0.24.x that blocks our build because we have a gate on govulncheck. We have tried to move around various versions but the entire v0.24.x tree appears to be blocked which our apps (and our dependencies) use.

We are only using btcd as a library, and not as a btc daemon, so the fact that there is a consensus bug does not matter to us or our app.

Is there a fix on the way so that we can get past this? Thanks.

Run govulncheck -C . -format text ./...
=== Symbol Results ===

Vulnerability #1: GO-2024-3189
    Consensus failure in github.com/btcsuite/btcd
  More info: https://pkg.go.dev/vuln/GO-2024-3189
  Module: github.com/btcsuite/btcd
    Found in: github.com/btcsuite/[email protected]
    Fixed in: N/A
    Example traces found:
Error:       #1: xx/transaction.go:54:54: btc.MakeBitcoinSignedTxHex calls tss.BTCConvertToSignedTXHex, which eventually calls txscript.Engine.Execute
@notatestuser notatestuser changed the title govulncheck failure govulncheck failure on v0.24.x Oct 17, 2024
@kcalvinalvin
Collaborator

Seems like an error on govulncheck's part because the fix is in v0.24.2-beta. Looks like it's just parsing the security tab on github. GHSA-27vh-h6mc-q6g8

Found this on govulncheck's doc

In some cases, such as when a Go project uses its own versioning scheme, the mapping to standard Go versions can fail. When this happens, the Go vulnerability database report may conservatively list all Go versions as affected. This ensures that tools such as govulncheck do not fail to report vulnerabilities due to unrecognized version ranges (false negatives). However, conservatively listing all versions as affected may cause tools to incorrectly report a fixed version of a module as containing the vulnerability (false positives).
If you believe govulncheck is incorrectly reporting (or failing to report) a vulnerability, please suggest an edit to the vulnerability report and we will review it.

Looks like we just have to submit an edit. In the meanwhile, you can just ignore the error since v0.24.2 includes the fix.

@kcalvinalvin
Collaborator

golang/vulndb#3206

Submitted an issue.

@Roasbeef
Member

Looks like it's just parsing the security tab on github

Was the notice incorrectly formatted?

Here's what I see in the normal view:
[Screenshot 2024-10-17 at 10 23 46 AM]

@notatestuser
Author

It's resolved now, thanks.

@kcalvinalvin
Collaborator

Looks like it's just parsing the security tab on github

Was the notice incorrectly formatted?

Here's what I see in the normal view: [Screenshot 2024-10-17 at 10 23 46 AM]

tbh not quite sure what they parsed. I saw the same but I guess they parsed something with the -beta suffix.
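Added example, not from the issue and not btcd's or govulncheck's code: a minimal semver-style comparison in Go that shows what the -beta guess above would mean for version matching. Under semver a pre-release sorts below its release, so if a fix recorded as v0.24.2-beta is normalised to a plain v0.24.2, an installed v0.24.2-beta still compares as older than the fix and gets flagged, while matching against the published tag clears it. `Version`, `ParseVersion`, `Compare` and `Affected` are hypothetical names, and the matching logic is a model of range-based matching, not govulncheck's own.

```go
package main

import (
	"fmt"
	"strings"
)

// Version is a parsed module version: "v0.24.2-beta" -> Core {0,24,2}, Pre "beta" (empty for a release).
type Version struct {
	Core [3]int
	Pre  string
}

// ParseVersion parses "vMAJOR.MINOR.PATCH[-PRERELEASE]" (build metadata is not handled).
func ParseVersion(s string) (Version, error) {
	var v Version
	s = strings.TrimPrefix(s, "v")
	if i := strings.Index(s, "-"); i >= 0 {
		v.Pre, s = s[i+1:], s[:i]
	}
	if _, err := fmt.Sscanf(s, "%d.%d.%d", &v.Core[0], &v.Core[1], &v.Core[2]); err != nil {
		return v, fmt.Errorf("unsupported version %q: %w", s, err)
	}
	return v, nil
}

// Compare returns <0, 0 or >0, ordering as semver does: numeric core first; on an equal core
// a pre-release sorts BELOW its release (v0.24.2-beta < v0.24.2). Pre-release ids compared as strings.
func Compare(a, b Version) int {
	for i := range a.Core {
		if a.Core[i] != b.Core[i] {
			return a.Core[i] - b.Core[i]
		}
	}
	if (a.Pre == "") != (b.Pre == "") { // exactly one is a release: it outranks the pre-release
		return strings.Compare(b.Pre, a.Pre)
	}
	return strings.Compare(a.Pre, b.Pre)
}

// Affected reports whether installed sorts below fixed, i.e. whether a scanner that trusts
// the recorded fix version would still flag the installed module (hypothetical model).
func Affected(installed, fixed string) (bool, error) {
	iv, err1 := ParseVersion(installed)
	fv, err2 := ParseVersion(fixed)
	if err1 != nil || err2 != nil {
		return false, fmt.Errorf("cannot parse %q / %q: %v %v", installed, fixed, err1, err2)
	}
	return Compare(iv, fv) < 0, nil
}
```

Calling `Affected("v0.24.2-beta", "v0.24.2")` reproduces the false positive, while `Affected("v0.24.2-beta", "v0.24.2-beta")` does not.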
