Skip to content

x/vulndb: consider encoding known false positive paths in reports #51574

New issue
New issue
Open
Open
x/vulndb: consider encoding known false positive paths in reports#51574
Labels
NeedsInvestigationSomeone must examine and confirm this is a valid issue and not a duplicate of an existing one.vulncheck or vulndbIssues for the x/vuln or x/vulndb repo
Milestone
vuln/unplanned
@rolandshoemaker

Description

@rolandshoemaker
rolandshoemaker
opened on Mar 9, 2022

Looking at #51565, this is an obvious case of a false positive. Any package that imports x/text will be immediately marked as vulnerable, since there is a (non-vulnerable) usage of the vulnerable symbol in an init function.

This seems like something we should be able to avoid, since it creates noise that is likely to irritate users and maintainers. Possibly including some metadata in the report could help vulncheck ignore these kinds of cases. One option is to include call chain fragments which vulncheck can use to ignore specific chains during analysis. For example in this case any chain terminating in x/text/cases.init#1 -> x/text/language.MustParse can be safely ignored, since we know that particular invocation is not vulnerable.

Also, we should look into tooling that detects, or at least surfaces, this kind of issue during report ingestion.

cc @golang/vulndb

Metadata

Metadata

Assignees

No one assigned

    Labels

    NeedsInvestigationSomeone must examine and confirm this is a valid issue and not a duplicate of an existing one.vulncheck or vulndbIssues for the x/vuln or x/vulndb repo

    Type

    No type

    Projects

    Go Security

    Status

    No status

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions