Recommended update for govulncheck, govulncheck-vulndb

Announcement ID:	SUSE-RU-2024:3738-1
Release Date:	2024-10-21T10:41:23Z
Rating:	moderate
References:
Affected Products:	openSUSE Leap 15.5 openSUSE Leap 15.6 SUSE Linux Enterprise Desktop 15 SP5 SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise High Performance Computing 15 SP5 SUSE Linux Enterprise Micro 5.5 SUSE Linux Enterprise Real Time 15 SP5 SUSE Linux Enterprise Real Time 15 SP6 SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP6 SUSE Package Hub 15 15-SP5 SUSE Package Hub 15 15-SP6

An update that can now be installed.

Description:

This update for govulncheck, govulncheck-vulndb fixes the following issues:

govulncheck is shipped in version 1.1.3:

internal/openvex: update handler test
LICENSE: update per Google Legal
internal/vulncheck: add warning message for ancient binaries
all: remove build restrictions requiring go1.18
cmd/govulncheck: clarify unsafe/reflection limitations
cmd/govulncheck: update docs for old Go binaries
internal/openvex: omit vulns with no findings
cmd/govulncheck/integration: adjust k8s expectations
all: remove skipIfShort
all: remove unnecessary test lines for staticcheck
internal/vulncheck: avoid recomputing if module is known
go.mod: update golang.org/x dependencies
internal/buildinfo: add support for ancient Go binaries
internal/goversion: comment out a printing line
internal/goversion: add package as copy of rsc.io/goversion/version
cmd/govulncheck: remove line about go version requirements
internal/vulncheck: improve documentation
internal/vulncheck: use module info when looking for symbols
internal/vulncheck: handle symbols ending with .
cmd/govulncheck/integration: make expectation check more robust
all: require go1.21

Update to version 1.1.2:

internal/osv: add review status
vulncheck: update documentation for vex
cmd/govulncheck/integration/stackrox-scanner: update expectations
cmd/govulncheck/integration/k8s: update expectations
internal/govulncheck: add more comments for emitted OSVs
go.mod: update golang.org/x dependencies
internal/scan: increase telemetry counter for show flag
internal/scan: add format and scan level telemetry
internal/cmd/govulncheck: remove unnecessary binary dependency
cmd/govulncheck/integration: update go in integration tests
internal/openvex: add hash for doc ID
internal/openvex: add statements to handler
internal/openvex: add handler
all: remove test that runs govulncheck on govulncheck
internal/sarif: fix a typo
internal/scan: limit number of binary traces shown
cmd/govulncheck: record scan mode telemetry

Update to version 1.1.1:

all: remove unit tests for staticcheck, unparam, and spellcheck
internal/sarif,cmd/govulncheck: publicize sarif
internal/vulncheck: load source code for scan symbol mode only
all: update golang.org/x/tools
internal/vulncheck: emit progress message instead of warning
internal/scan: improve textual output for binary traces
internal/buildinfo: avoid panic on nil symbol for elf
internal/sarif: improve GOMODCACHE relative paths
internal/sarif: add version to module info for locations
internal/sarif: remove originalURIBaseIds
go.mod: update golang.org/x dependencies
internal/gosym: preallocate inlined call slice
internal/vulncheck: improve progress message for binaries
internal/vulncheck: emit fetch db and vuln checking progress messages
internal/scan: print progress messages only in verbose mode
internal/scan: refactor flag usage in text handler
Revert "internal/scan: disallow multiple patterns in source mode"
internal/sarif: add missing required Message field
internal/scan: disallow multiple patterns in source mode
internal/vulncheck: use new improved DeleteSyntheticNodes

Update to version 1.1.0:

internal/openvex: add vex types
internal/sarif: compute relative paths for findings
internal/sarif: remove unused field
go.mod: update golang.org/x dependencies
internal/sarif,internal/scan,internal/traces: clean up tests
internal/sarif: add region part of the physical location
internal/sarif: add code flows
cmd/govulncheck: clean up test
cmd/govulncheck: make test case config data
cmd/govulncheck: add comment capability to fixups
cmd/govulncheck: remove unnecessary fixups
cmd/govulncheck: make fixup part of a test case
cmd/govulncheck: extract stdlib into special test case
cmd/govulncheck: restore parallelism for tests
cmd/govulncheck: add nogomod test case
cmd/govulncheck: restructure testdata tests
cmd/govulncheck: add sarif test for binaries
internal/sarif: add stacks
internal/sarif: add result message
internal/vulncheck: get correctly package for instantiated functions
internal/sarif: add result stubs to run object
internal/govulncheck: add scan mode to config
internal/vulncheck: delete only synthetic nodes not related to generics
internal/scan: add more info to validation errors
internal/sarif: add rules
internal/scan: fix name of the error variable
internal/sarif: add handler
internal/scan: add sarif flag
internal/scan: add types for format, show, mode, and scan flags
go.mod: update golang.org/x dependencies
internal/vulncheck: use proper stdlib check when loading packages
internal/vulncheck,internal/scan: sort messages where needed
internal/scan: introduce format flag
internal/vulncheck: manipulate packages from PackageGraph
internal/vulncheck: do not have stdlibModule as global
cmd/govulncheck: make sure filepath are cross-platform
internal/govulncheck: fix up some comments
internal/vulncheck: add relative paths for vendored paths
internal/vulncheck: emit relative paths for call findings
internal/vulncheck, internal/scan: improve stdlib reporting
go.mod: update golang.org/x dependencies
all: remove bash checks
all: do go mod tidy test inside unit tests

Update to version 1.0.4:

cmd/govulncheck: mask line numbers and columns
internal/scan: remove redundant new lines
internal/vulncheck: add position for sinks in findings' trace
internal/scan: put -show <option> into single quotes
internal/buildinfo: do module-level analysis with no PCLN table
internal/scan: add a newline after summary
internal/test: add more info on GoBuild failures
internal/scan: remove extra dot in a comment
cmd/govulncheck: fix vendor test
internal/vulncheck: refactor a loop with an append
cmd/govulncheck: fix stripped bin test
cmd/govulncheck: update vendor tests
cmd/govulncheck: add more tests and reorganize them
internal/vulncheck: add package and module mode for binaries
internal/scan: replace Source with Symbol in text output
internal/scan: fix error statuses for scan={package|module}
internal/scan: add -show verbose flag
internal/scan: overhaul text output
internal/scan: simplify redundant error checking
internal/scan: add scan level to testdata
cmd/govulncheck/integration: update expectations for stackrox
internal/vulncheck: support osv entries with no pkg info
internal/vulncheck: remove redundant symbol check
internal/vulncheck: simplify vulnerability detection

Update to version 1.0.3:

internal/scan: add binary extract mode
internal/scan, vulncheck: use packages.load for mod info
internal/govulncheck: briefly explain streaming JSON
internal/vulncheck: remove -mod=mod flag from LoadModules

Update to version 1.0.2:

cmd/govulncheck: update test data
go.mod: update golang.org/x dependencies
internal/osv: fix type name in comment
internal/scan: remove informational header for package and module mode
internal/scan: remove redundant newline for package and module mode
cmd/govulncheck/integration/stackrox: update vuln expectation
all: update tools to pick up bug fixes
internal/vulncheck: compute proper db names for generic functions
internal/vulncheck: improve error message for fetching vulns
testdata: Add more package/mod level tests
internal/scan: change text based on scan level
internal/scan: update show help message
internal/sarif: add sarif types
internal/scan: enable module scan mode
internal/scan: add scan_level to text tests
internal/scan: add scan level to textHandler
cmd/govulncheck: rearrange test files
all: add logging to TestGovulncheck
internal/scan: disallow package input in mod level
go.mod: update golang.org/x dependencies
cmd/govulncheck: fix mod level behavior
all: update to x/tools@v.15.0
internal/vulncheck: define Binary over Bin
internal/vulncheck: add binary abstraction data structure
cmd/govulncheck: organize tests into subdirs
internal/scan: Improve "Informational" text output
internal/scan: properly "genericify" choose
internal/vulncheck: emit package findings all at once
internal/vulncheck: update logic for package level analysis
internal/vulncheck: remove obsolete tests and helpers
internal/scan: remove obsolete function
internal/scan: check for go mod before running
cmd/govulncheck/integration: add new expectations
cmd/govulncheck: Fix no go mod tests
internal/vulncheck: rename moduleVulnerabilities
internal/vulncheck: add documentation and propagate errors
internal/vulncheck: emit OSVs in their raw form asap
internal/scan: move emit logic for findings to internal/vulncheck
internal: properly fetch modules in source mode
internal/scan: verify scan level flag
internal/govulncheck: update Finding docstring
internal/vulncheck: remove file set computation
internal/scan: generate better message when patterns matches no packages
internal/scan, vulncheck: emit vulns as found
internal/scan: use modVersion for mod version
internal/scan: suggest earliest valid fixed version as the fix
internal/scan: communicate default value for test flag
internal/semver: rename the LatestFixedVersion function
cmd/govulncheck: fix incorrect test file name
cmd/govulncheck: remove go version for test file
internal/vulnchec: improve comments and names for imports level logic
internal/govulncheck: update description of Findings
internal/vulncheck/internal/buildinfo: support stripped darwin binaries
internal/scan: update test names
internal/scan: text output allows module level vulns
internal/client: add additional context to HTTP error message
internal/scan: add isImported function
internal/scan: fix trace count bug
internal/vulncheck: add LoadModules using go.mod
internal/govulncheck: add WantPackages scan level

Update to version 1.0.1:

all: go get golang.org/x/tools@74c255b
internal/scan: change the way convert mode works
internal/scan: add -version flag
internal/vulncheck/internal/gosym: fix typo
internal/gosym: update binary mode version parsing
internal/scan: refactor to remove redundant code
vulncheck/internal/gosym: add support for go versions > 1.20
internal/vulncheck/internal/buildinfo: skip failing tests
cmd/govulncheck: skip TestCommand in short mode

Initial package version 1.0.0:

internal/scan: print the summary even when there are no findings
cmd,internal/govulncheck: change protocol version to v1.0.0
cmd,internal: remove experimental reference
internal/govulncheck: improve documentation

Changes in govulncheck-vulndb:

Update to version 0.0.20241015T183857 date 2024-10-15T18:38:57Z.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2024-3738=1
openSUSE Leap 15.6
zypper in -t patch openSUSE-SLE-15.6-2024-3738=1
SUSE Package Hub 15 15-SP5
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-3738=1
SUSE Package Hub 15 15-SP6
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-3738=1

Package List:

openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
- govulncheck-1.1.3-150000.1.3.1
- govulncheck-debuginfo-1.1.3-150000.1.3.1
openSUSE Leap 15.5 (noarch)
- govulncheck-vulndb-0.0.20241015T183857-150000.1.3.1
openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
- govulncheck-1.1.3-150000.1.3.1
- govulncheck-debuginfo-1.1.3-150000.1.3.1
openSUSE Leap 15.6 (noarch)
- govulncheck-vulndb-0.0.20241015T183857-150000.1.3.1
SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x x86_64)
- govulncheck-1.1.3-150000.1.3.1
- govulncheck-debuginfo-1.1.3-150000.1.3.1
SUSE Package Hub 15 15-SP5 (noarch)
- govulncheck-vulndb-0.0.20241015T183857-150000.1.3.1
SUSE Package Hub 15 15-SP6 (aarch64 ppc64le s390x x86_64)
- govulncheck-1.1.3-150000.1.3.1
- govulncheck-debuginfo-1.1.3-150000.1.3.1
SUSE Package Hub 15 15-SP6 (noarch)
- govulncheck-vulndb-0.0.20241015T183857-150000.1.3.1