SUSE-RU-2024:3738-1: moderate: Recommended update for govulncheck, govulncheck-vulndb
# Recommended update for govulncheck, govulncheck-vulndb

Announcement ID: SUSE-RU-2024:3738-1
Release Date: 2024-10-21T10:41:23Z
Rating: moderate
References:

Affected Products:

* openSUSE Leap 15.5
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Micro 5.5
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Package Hub 15 15-SP5
* SUSE Package Hub 15 15-SP6

An update that can now be installed.

## Description:

This update for govulncheck, govulncheck-vulndb fixes the following issues:

govulncheck is shipped in version 1.1.3:

* internal/openvex: update handler test
* LICENSE: update per Google Legal
* internal/vulncheck: add warning message for ancient binaries
* all: remove build restrictions requiring go1.18
* cmd/govulncheck: clarify unsafe/reflection limitations
* cmd/govulncheck: update docs for old Go binaries
* internal/openvex: omit vulns with no findings
* cmd/govulncheck/integration: adjust k8s expectations
* all: remove skipIfShort
* all: remove unnecessary test lines for staticcheck
* internal/vulncheck: avoid recomputing if module is known
* go.mod: update golang.org/x dependencies
* internal/buildinfo: add support for ancient Go binaries
* internal/goversion: comment out a printing line
* internal/goversion: add package as copy of rsc.io/goversion/version
* cmd/govulncheck: remove line about go version requirements
* internal/vulncheck: improve documentation
* internal/vulncheck: use module info when looking for symbols
* internal/vulncheck: handle symbols ending with .
* cmd/govulncheck/integration: make expectation check more robust
* all: require go1.21

Update to version 1.1.2:

* internal/osv: add review status
* vulncheck: update documentation for vex
* cmd/govulncheck/integration/stackrox-scanner: update expectations
* cmd/govulncheck/integration/k8s: update expectations
* internal/govulncheck: add more comments for emitted OSVs
* go.mod: update golang.org/x dependencies
* internal/scan: increase telemetry counter for show flag
* internal/scan: add format and scan level telemetry
* internal/cmd/govulncheck: remove unnecessary binary dependency
* cmd/govulncheck/integration: update go in integration tests
* internal/openvex: add hash for doc ID
* internal/openvex: add statements to handler
* internal/openvex: add handler
* all: remove test that runs govulncheck on govulncheck
* internal/sarif: fix a typo
* internal/scan: limit number of binary traces shown
* cmd/govulncheck: record scan mode telemetry

Update to version 1.1.1:

* all: remove unit tests for staticcheck, unparam, and spellcheck
* internal/sarif,cmd/govulncheck: publicize sarif
* internal/vulncheck: load source code for scan symbol mode only
* all: update golang.org/x/tools
* internal/vulncheck: emit progress message instead of warning
* internal/scan: improve textual output for binary traces
* internal/buildinfo: avoid panic on nil symbol for elf
* internal/sarif: improve GOMODCACHE relative paths
* internal/sarif: add version to module info for locations
* internal/sarif: remove originalURIBaseIds
* go.mod: update golang.org/x dependencies
* internal/gosym: preallocate inlined call slice
* internal/vulncheck: improve progress message for binaries
* internal/vulncheck: emit fetch db and vuln checking progress messages
* internal/scan: print progress messages only in verbose mode
* internal/scan: refactor flag usage in text handler
* Revert "internal/scan: disallow multiple patterns in source mode"
* internal/sarif: add missing required Message field
* internal/scan: disallow multiple patterns in source mode
* internal/vulncheck: use new improved DeleteSyntheticNodes

Update to version 1.1.0:

* internal/openvex: add vex types
* internal/sarif: compute relative paths for findings
* internal/sarif: remove unused field
* go.mod: update golang.org/x dependencies
* internal/sarif,internal/scan,internal/traces: clean up tests
* internal/sarif: add region part of the physical location
* internal/sarif: add code flows
* cmd/govulncheck: clean up test
* cmd/govulncheck: make test case config data
* cmd/govulncheck: add comment capability to fixups
* cmd/govulncheck: remove unnecessary fixups
* cmd/govulncheck: make fixup part of a test case
* cmd/govulncheck: extract stdlib into special test case
* cmd/govulncheck: restore parallelism for tests
* cmd/govulncheck: add nogomod test case
* cmd/govulncheck: restructure testdata tests
* cmd/govulncheck: add sarif test for binaries
* internal/sarif: add stacks
* internal/sarif: add result message
* internal/vulncheck: get correctly package for instantiated functions
* internal/sarif: add result stubs to run object
* internal/govulncheck: add scan mode to config
* internal/vulncheck: delete only synthetic nodes not related to generics
* internal/scan: add more info to validation errors
* internal/sarif: add rules
* internal/scan: fix name of the error variable
* internal/sarif: add handler
* internal/scan: add sarif flag
* internal/scan: add types for format, show, mode, and scan flags
* go.mod: update golang.org/x dependencies
* internal/vulncheck: use proper stdlib check when loading packages
* internal/vulncheck,internal/scan: sort messages where needed
* internal/scan: introduce format flag
* internal/vulncheck: manipulate packages from PackageGraph
* internal/vulncheck: do not have stdlibModule as global
* cmd/govulncheck: make sure filepath are cross-platform
* internal/govulncheck: fix up some comments
* internal/vulncheck: add relative paths for vendored paths
* internal/vulncheck: emit relative paths for call findings
* internal/vulncheck, internal/scan: improve stdlib reporting
* go.mod: update golang.org/x dependencies
* all: remove bash checks
* all: do go mod tidy test inside unit tests

Update to version 1.0.4:

* cmd/govulncheck: mask line numbers and columns
* internal/scan: remove redundant new lines
* internal/vulncheck: add position for sinks in findings' trace
* internal/scan: put -show <option> into single quotes
* internal/buildinfo: do module-level analysis with no PCLN table
* internal/scan: add a newline after summary
* internal/test: add more info on GoBuild failures
* internal/scan: remove extra dot in a comment
* cmd/govulncheck: fix vendor test
* internal/vulncheck: refactor a loop with an append
* cmd/govulncheck: fix stripped bin test
* cmd/govulncheck: update vendor tests
* cmd/govulncheck: add more tests and reorganize them
* internal/vulncheck: add package and module mode for binaries
* internal/scan: replace Source with Symbol in text output
* internal/scan: fix error statuses for scan={package|module}
* internal/scan: add -show verbose flag
* internal/scan: overhaul text output
* internal/scan: simplify redundant error checking
* internal/scan: add scan level to testdata
* cmd/govulncheck/integration: update expectations for stackrox
* internal/vulncheck: support osv entries with no pkg info
* internal/vulncheck: remove redundant symbol check
* internal/vulncheck: simplify vulnerability detection

Update to version 1.0.3:

* internal/scan: add binary extract mode
* internal/scan, vulncheck: use packages.load for mod info
* internal/govulncheck: briefly explain streaming JSON
* internal/vulncheck: remove -mod=mod flag from LoadModules

Update to version 1.0.2:

* cmd/govulncheck: update test data
* go.mod: update golang.org/x dependencies
* internal/osv: fix type name in comment
* internal/scan: remove informational header for package and module mode
* internal/scan: remove redundant newline for package and module mode
* cmd/govulncheck/integration/stackrox: update vuln expectation
* all: update tools to pick up bug fixes
* internal/vulncheck: compute proper db names for generic functions
* internal/vulncheck: improve error message for fetching vulns
* testdata: Add more package/mod level tests
* internal/scan: change text based on scan level
* internal/scan: update show help message
* internal/sarif: add sarif types
* internal/scan: enable module scan mode
* internal/scan: add scan_level to text tests
* internal/scan: add scan level to textHandler
* cmd/govulncheck: rearrange test files
* all: add logging to TestGovulncheck
* internal/scan: disallow package input in mod level
* go.mod: update golang.org/x dependencies
* cmd/govulncheck: fix mod level behavior
* all: update to x/tools@v.15.0
* internal/vulncheck: define Binary over Bin
* internal/vulncheck: add binary abstraction data structure
* cmd/govulncheck: organize tests into subdirs
* internal/scan: Improve "Informational" text output
* internal/scan: properly "genericify" choose
* internal/vulncheck: emit package findings all at once
* internal/vulncheck: update logic for package level analysis
* internal/vulncheck: remove obsolete tests and helpers
* internal/scan: remove obsolete function
* internal/scan: check for go mod before running
* cmd/govulncheck/integration: add new expectations
* cmd/govulncheck: Fix no go mod tests
* internal/vulncheck: rename moduleVulnerabilities
* internal/vulncheck: add documentation and propagate errors
* internal/vulncheck: emit OSVs in their raw form asap
* internal/scan: move emit logic for findings to internal/vulncheck
* internal: properly fetch modules in source mode
* internal/scan: verify scan level flag
* internal/govulncheck: update Finding docstring
* internal/vulncheck: remove file set computation
* internal/scan: generate better message when patterns matches no packages
* internal/scan, vulncheck: emit vulns as found
* internal/scan: use modVersion for mod version
* internal/scan: suggest earliest valid fixed version as the fix
* internal/scan: communicate default value for test flag
* internal/semver: rename the LatestFixedVersion function
* cmd/govulncheck: fix incorrect test file name
* cmd/govulncheck: remove go version for test file
* internal/vulnchec: improve comments and names for imports level logic
* internal/govulncheck: update description of Findings
* internal/vulncheck/internal/buildinfo: support stripped darwin binaries
* internal/scan: update test names
* internal/scan: text output allows module level vulns
* internal/client: add additional context to HTTP error message
* internal/scan: add isImported function
* internal/scan: fix trace count bug
* internal/vulncheck: add LoadModules using go.mod
* internal/govulncheck: add WantPackages scan level

Update to version 1.0.1:

* all: go get golang.org/x/tools@74c255b
* internal/scan: change the way convert mode works
* internal/scan: add -version flag
* internal/vulncheck/internal/gosym: fix typo
* internal/gosym: update binary mode version parsing
* internal/scan: refactor to remove redundant code
* vulncheck/internal/gosym: add support for go versions > 1.20
* internal/vulncheck/internal/buildinfo: skip failing tests
* cmd/govulncheck: skip TestCommand in short mode

Initial package version 1.0.0:

* internal/scan: print the summary even when there are no findings
* cmd,internal/govulncheck: change protocol version to v1.0.0
* cmd,internal: remove experimental reference
* internal/govulncheck: improve documentation

Changes in govulncheck-vulndb:

* Update to version 0.0.20241015T183857 date 2024-10-15T18:38:57Z.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

* openSUSE Leap 15.5
  zypper in -t patch openSUSE-SLE-15.5-2024-3738=1
* openSUSE Leap 15.6
  zypper in -t patch openSUSE-SLE-15.6-2024-3738=1
* SUSE Package Hub 15 15-SP5
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-3738=1
* SUSE Package Hub 15 15-SP6
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-3738=1

## Package List:

* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  * govulncheck-1.1.3-150000.1.3.1
  * govulncheck-debuginfo-1.1.3-150000.1.3.1
* openSUSE Leap 15.5 (noarch)
  * govulncheck-vulndb-0.0.20241015T183857-150000.1.3.1
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
  * govulncheck-1.1.3-150000.1.3.1
  * govulncheck-debuginfo-1.1.3-150000.1.3.1
* openSUSE Leap 15.6 (noarch)
  * govulncheck-vulndb-0.0.20241015T183857-150000.1.3.1
* SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x x86_64)
  * govulncheck-1.1.3-150000.1.3.1
  * govulncheck-debuginfo-1.1.3-150000.1.3.1
* SUSE Package Hub 15 15-SP5 (noarch)
  * govulncheck-vulndb-0.0.20241015T183857-150000.1.3.1
* SUSE Package Hub 15 15-SP6 (aarch64 ppc64le s390x x86_64)
  * govulncheck-1.1.3-150000.1.3.1
  * govulncheck-debuginfo-1.1.3-150000.1.3.1
* SUSE Package Hub 15 15-SP6 (noarch)
  * govulncheck-vulndb-0.0.20241015T183857-150000.1.3.1