vgo: add spurious dependency on github.com/miekg/dns v1.0.0

This dependency is vulnerable to GO-2020-0006.
The point of this commit is to serve as a test case for
automated vulnerability scanning of the Go repos.

Using the vgo repo because it contains nothing
important and is not imported by any of our other repos,
which means any report should be limited to x/vgo
and not affect other users.

Even if people did depend on x/vgo, govulncheck would
correctly identify that no code here calls the vulnerable
symbols in github.com/miekg/dns. Only less precise
scanners would suggest that there is a problem.

Change-Id: I97dca1c146b84764e867128710cf262ea6b68276
Reviewed-on: https://go-review.googlesource.com/c/vgo/+/446055
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Russ Cox <rsc@golang.org>
This commit is contained in:
Russ Cox 2022-10-27 16:52:51 -04:00
Родитель 1dedb030b7
Коммит 680e4a313e
3 изменённых файлов: 42 добавлений и 0 удалений

23
go.mod
Просмотреть файл

@ -1 +1,24 @@
go 1.18
module golang.org/x/vgo
// This dependency is vulnerable to GO-2020-0006.
// The point of this commit is to serve as a test case for
// automated vulnerability scanning of the Go repos.
//
// Using the tour repo because it contains nothing
// important and is not imported by any of our other repos,
// which means any report should be limited to x/tour
// and not affect other users.
//
// Even if people did depend on x/tour, govulncheck would
// correctly identify that no code here calls the vulnerable
// symbols in github.com/miekg/dns. Only less precise
// scanners would suggest that there is a problem.
require github.com/miekg/dns v1.0.0
require (
golang.org/x/crypto v0.1.0 // indirect
golang.org/x/net v0.1.0 // indirect
golang.org/x/sys v0.1.0 // indirect
)

8
go.sum Normal file
Просмотреть файл

@ -0,0 +1,8 @@
github.com/miekg/dns v1.0.0 h1:DZ3fdvcFXfWew8XOY+33+MqAcCnqDrGsnt3kK8yf4Hg=
github.com/miekg/dns v1.0.0/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU=
golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0=
golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

11
vulnerable.go Normal file
Просмотреть файл

@ -0,0 +1,11 @@
// Copyright 2022 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// This file exists to keep the github.com/miekg/dns entry in go.mod.
//go:build never
package never
import _ "github.com/miekg/dns"