Not planned
Description
govulncheck version
Go: go1.23.5
Scanner: govulncheck@v1.1.4
DB: https://vuln.go.dev
DB updated: 2025-01-29 20:18:58 +0000 UTC
Does this issue reproduce at the latest version of golang.org/x/vuln?
Yes
Output of go env in your module/workspace:
GO111MODULE='on'
GOARCH='arm64'
GOBIN=''
GOCACHE='/Users/mitchell/Library/Caches/go-build'
GOENV='/Users/mitchell/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMODCACHE='/Users/mitchell/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/mitchell/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/opt/homebrew/opt/go/libexec'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/opt/homebrew/opt/go/libexec/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.23.5'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/Users/mitchell/Library/Application Support/go/telemetry'
GCCGO='gccgo'
GOARM64='v8.0'
AR='ar'
CC='cc'
CXX='c++'
CGO_ENABLED='1'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/c6/4l4ylj_530z56dccw0b7_pq00000gn/T/go-build2006941850=/tmp/go-build -gno-record-gcc-switches -fno-common'What did you do?
Using github.com/mattermost/mattermost/server/public/model in my project, which has a dependency on github.com/hashicorp/yamux (which I don't use) causes govulncheck@v1.1.4 to imply that GO-2025-3408 affects me (via sync.Once which is called by time.LoadLocation).
Sample code
package main
import (
"fmt"
"time"
"github.com/mattermost/mattermost/server/public/model"
)
func main() {
// Use something that calls `sync.Once`
netherlands, err := time.LoadLocation("Europe/Amsterdam")
if err != nil {
panic(err)
}
// Just use anything from the Mattermost package as an example
post := &model.Post{Message: "Hello!", ChannelId: "ID"}
// Output because we can
fmt.Println(netherlands, post.Message)
}Repository: https://github.com/ping-localhost/vuln-check-reproducible
What did you see happen?
[16:56:12] ➜ vuln-check-reproducible git:(master) govulncheck ./...
=== Symbol Results ===
Vulnerability #1: GO-2025-3408
DefaultConfig has dangerous defaults causing hung Read in
github.com/hashicorp/yamux
More info: https://pkg.go.dev/vuln/GO-2025-3408
Module: github.com/hashicorp/yamux
Found in: github.com/hashicorp/yamux@v0.1.1
Fixed in: N/A
Example traces found:
#1: main.go:12:39: vuln.main calls time.LoadLocation, which eventually calls yamux.Client
#2: main.go:12:39: vuln.main calls time.LoadLocation, which eventually calls yamux.DefaultConfig
Your code is affected by 1 vulnerability from 1 module.
This scan found no other vulnerabilities in packages you import or modules you
require.
Use '-show verbose' for more details.What did you expect to see?
Since I never actually use Yamux, I do not expect the CVE to be picked up. Somewhere along the line govulncheck thinks that sync.Once.Do will call yamux.
Metadata
Metadata
Assignees
Labels
Type
Projects
Milestone
Relationships
Development
No branches or pull requests
Participants
Activity
zpavlinovic commentedon Jan 30, 2025
How is this a false negative? Perhaps you mean a false positive?
[-]x/vuln: false negative for GO-2025-3408[/-][+]x/vuln: false positive for GO-2025-3408[/+]ping-localhost commentedon Jan 30, 2025
You're totally correct. I properly named my repository and then messed up in the issue. 🤦♂️
My bad!
gabyhelp commentedon Jan 30, 2025
Related Issues
(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)
zpavlinovic commentedon Jan 30, 2025
govulncheck does not check just the modules you directly use. It also analyzes transitive dependencies. This is absolutely necessary as such dependencies can also be vulnerable and if your code eventually exercises them, your code is also vulnerable.
It could be that your code indeed does not call
yamux. It is hard for me to tell, but it looks that way. In general, govulncheck can have false positives (this is an inherent property of all vulnerability checking tools). We are working on providing suppression mechanisms for false positives.seankhliao commentedon Jan 30, 2025
I believe this is the same as #69446 (closed without resolution).
where govulncheck lacks context sensitvity #69446 (comment)
The trace is as below, which can't be right (the standard library won't call an external dependency).
ping-localhost commentedon Jan 30, 2025
@seankhliao thank you for posting the trace. It is exactly why I opened this issue, as that shouldn't happen.
zpavlinovic commentedon Jan 30, 2025
We currently don't have immediate plans on improving the precision of govulncheck. (Due to the nature of the problem, this can in principle be done indefinitely). We are instead focusing on providing supression mechanisms.
ping-localhost commentedon Feb 3, 2025
I don't understand why you've added
WaitingForInfo, since all the information has been provided AFAIK. 😅Furthermore, I don't want to ignore this CVE, since that sets a bad precedent. It would be much better if the detection is fixed, since there is no way that a core package like
syncwould ever call an external package.zpavlinovic commentedon Feb 3, 2025
I've added the label since it will automatically close the issue unless some other information shows up that would make us keep it open.
Again, we don't have current plans on improving the precision of govulncheck. We could do that in principle forever since it is, as all other vulnerability tools, trying to solve an undecidable problem. Our focus is now on suppression mechanisms.
I am not sure what this means.
sync.Once.Dotakes a function as input. That function can be defined in the user package or an external package. I actually think that hashicorp'sgetGRPCMuxeris passed tosync.Once.Dosomewhere in the dependency code, but it is not passed via yourmain -> time.LoadLocationpath. Roughly speaking, this is where the analysis trips. It does not have the necessary context tracking the provenance of all values passed tosync.Once.Do, which is really hard.ping-localhost commentedon Feb 4, 2025
For those that are also running into this issue (and would like to keep their CVE checks active), I've switched to using
govulncheck -mode=binary, since that doesn't trigger an actual CVE error.Source mode (default)
Binary mode
dduzgun-security commentedon Feb 6, 2025
For your info, GO-2025-3408 got withdrawn. More details here: golang/vulndb#3453
seankhliao commentedon Feb 7, 2025
timeusessync.Oncein a single place, with a private variable.https://go.googlesource.com/go/+/7a2f757c521d9af201c6d3463a0e203c4104d5aa/src/time/zoneinfo.go#646
https://go.googlesource.com/go/+/7a2f757c521d9af201c6d3463a0e203c4104d5aa/src/time/zoneinfo.go#675
the reproducer uses
mattermost, which useshashicorp/go-plugin, which pulls in yamux throughhttps://github.com/hashicorp/go-plugin/blob/5b05b3e78c6c3e4e0b8f21a9921cbd739ba72f2a/client.go#L1152-L1154
syncwill call an closures passed to it, but it really shouldn't trigger withtime, otherwise we'll get false positive reports everytime a vulnerable symbol is used in sync.Once closure somewhere.Even if there are no immediate plans to fix, given that this is a repeat issue, govulncheck could probably be more explicit in its limitations, perhaps a few examples for "Govulncheck analyzes function pointer and interface calls conservatively, which may result in false positives or inaccurate call stacks in some cases.
"