From 680e4a313e30bf7e64efc52b24d4e5c0a0756ac0 Mon Sep 17 00:00:00 2001
From: Russ Cox
Date: Thu, 27 Oct 2022 16:52:51 -0400
Subject: [PATCH] vgo: add spurious dependency on github.com/miekg/dns v1.0.0

This dependency is vulnerable to GO-2020-0006. The point of this commit is to serve as a test case for automated vulnerability scanning of the Go repos. Using the vgo repo because it contains nothing important and is not imported by any of our other repos, which means any report should be limited to x/vgo and not affect other users. Even if people did depend on x/vgo, govulncheck would correctly identify that no code here calls the vulnerable symbols in github.com/miekg/dns. Only less precise scanners would suggest that there is a problem.

Change-Id: I97dca1c146b84764e867128710cf262ea6b68276
Reviewed-on: https://go-review.googlesource.com/c/vgo/+/446055
Reviewed-by: Roland Shoemaker
Auto-Submit: Russ Cox
---
 go.mod | 23 +++++++++++++++++++++++
 go.sum | 8 ++++++++
 vulnerable.go | 11 +++++++++++
 3 files changed, 42 insertions(+)
 create mode 100644 go.sum
 create mode 100644 vulnerable.go
diff --git a/go.mod b/go.mod
index 8b211da..6876fe7 100644
--- a/go.mod
+++ b/go.mod
@@ -1 +1,24 @@
+go 1.18
+
 module golang.org/x/vgo
+
+// This dependency is vulnerable to GO-2020-0006.
+// The point of this commit is to serve as a test case for
+// automated vulnerability scanning of the Go repos.
+//
+// Using the tour repo because it contains nothing
+// important and is not imported by any of our other repos,
+// which means any report should be limited to x/tour
+// and not affect other users.
+//
+// Even if people did depend on x/tour, govulncheck would
+// correctly identify that no code here calls the vulnerable
+// symbols in github.com/miekg/dns. Only less precise
+// scanners would suggest that there is a problem.
+require github.com/miekg/dns v1.0.0
+
+require (
+ golang.org/x/crypto v0.1.0 // indirect
+ golang.org/x/net v0.1.0 // indirect
+ golang.org/x/sys v0.1.0 // indirect
+)
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..7af1a4f
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,8 @@
+github.com/miekg/dns v1.0.0 h1:DZ3fdvcFXfWew8XOY+33+MqAcCnqDrGsnt3kK8yf4Hg=
+github.com/miekg/dns v1.0.0/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
+golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU=
+golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
+golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0=
+golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
+golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
diff --git a/vulnerable.go b/vulnerable.go
new file mode 100644
index 0000000..fc22fbc
--- /dev/null
+++ b/vulnerable.go
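Review bot: The explanatory comment added to go.mod refers to "the tour repo" and to x/tour three times, while the module on the context line is golang.org/x/vgo and the commit message itself says vgo; the text looks copied from a sibling change and would misdirect anyone triaging a scanner report against this module, which is exactly the audience the comment exists for. Change those three lines to `// Using the vgo repo because it contains nothing`, `// which means any report should be limited to x/vgo` and `// Even if people did depend on x/vgo, govulncheck would`. A minor layout point in the same hunk: the new `go 1.18` directive is placed above `module`, whereas the conventional go.mod ordering puts `module` first. The go.sum hunk needs no change beyond that.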
@@ -0,0 +1,11 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// This file exists to keep the github.com/miekg/dns entry in go.mod.
+
+//go:build never
+
+package never
+
+import _ "github.com/miekg/dns"
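Review bot: The header comment on vulnerable.go says only that the file keeps the github.com/miekg/dns entry in go.mod, not that the entry is deliberately vulnerable; a maintainer who receives a GO-2020-0006 report and opens this file first has no hint that removing the import would defeat the purpose of the commit. Suggest expanding it to `// This file exists to keep the github.com/miekg/dns entry in go.mod. That dependency is intentionally vulnerable (GO-2020-0006) and serves as a test case for vulnerability scanners; see the comment in go.mod before removing it.` It would also help to say in the same comment that the `//go:build never` constraint is meant to keep the package out of every normal build while the blank import still pins the requirement; my understanding is that `go mod tidy` evaluates files under every build tag except ignore, so the entry should survive tidying, but that is worth confirming before relying on it.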