SUSE-RU-2024:3738-1: moderate: Recommended update for govulncheck, govulncheck-vulndb
SLE-UPDATES
null at suse.de
Mon Oct 21 12:30:02 UTC 2024
# Recommended update for govulncheck, govulncheck-vulndb
Announcement ID: SUSE-RU-2024:3738-1
Release Date: 2024-10-21T10:41:23Z
Rating: moderate
References:
Affected Products:
* openSUSE Leap 15.5
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Micro 5.5
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Package Hub 15 15-SP5
* SUSE Package Hub 15 15-SP6
An update that can now be installed.
## Description:
This update for govulncheck, govulncheck-vulndb fixes the following issues:
govulncheck is shipped in version 1.1.3:
* internal/openvex: update handler test
* LICENSE: update per Google Legal
* internal/vulncheck: add warning message for ancient binaries
* all: remove build restrictions requiring go1.18
* cmd/govulncheck: clarify unsafe/reflection limitations
* cmd/govulncheck: update docs for old Go binaries
* internal/openvex: omit vulns with no findings
* cmd/govulncheck/integration: adjust k8s expectations
* all: remove skipIfShort
* all: remove unnecessary test lines for staticcheck
* internal/vulncheck: avoid recomputing if module is known
* go.mod: update golang.org/x dependencies
* internal/buildinfo: add support for ancient Go binaries
* internal/goversion: comment out a printing line
* internal/goversion: add package as copy of rsc.io/goversion/version
* cmd/govulncheck: remove line about go version requirements
* internal/vulncheck: improve documentation
* internal/vulncheck: use module info when looking for symbols
* internal/vulncheck: handle symbols ending with .
* cmd/govulncheck/integration: make expectation check more robust
* all: require go1.21
Update to version 1.1.2:
* internal/osv: add review status
* vulncheck: update documentation for vex
* cmd/govulncheck/integration/stackrox-scanner: update expectations
* cmd/govulncheck/integration/k8s: update expectations
* internal/govulncheck: add more comments for emitted OSVs
* go.mod: update golang.org/x dependencies
* internal/scan: increase telemetry counter for show flag
* internal/scan: add format and scan level telemetry
* internal/cmd/govulncheck: remove unnecessary binary dependency
* cmd/govulncheck/integration: update go in integration tests
* internal/openvex: add hash for doc ID
* internal/openvex: add statements to handler
* internal/openvex: add handler
* all: remove test that runs govulncheck on govulncheck
* internal/sarif: fix a typo
* internal/scan: limit number of binary traces shown
* cmd/govulncheck: record scan mode telemetry
Update to version 1.1.1:
* all: remove unit tests for staticcheck, unparam, and spellcheck
* internal/sarif,cmd/govulncheck: publicize sarif
* internal/vulncheck: load source code for scan symbol mode only
* all: update golang.org/x/tools
* internal/vulncheck: emit progress message instead of warning
* internal/scan: improve textual output for binary traces
* internal/buildinfo: avoid panic on nil symbol for elf
* internal/sarif: improve GOMODCACHE relative paths
* internal/sarif: add version to module info for locations
* internal/sarif: remove originalURIBaseIds
* go.mod: update golang.org/x dependencies
* internal/gosym: preallocate inlined call slice
* internal/vulncheck: improve progress message for binaries
* internal/vulncheck: emit fetch db and vuln checking progress messages
* internal/scan: print progress messages only in verbose mode
* internal/scan: refactor flag usage in text handler
* Revert "internal/scan: disallow multiple patterns in source mode"
* internal/sarif: add missing required Message field
* internal/scan: disallow multiple patterns in source mode
* internal/vulncheck: use new improved DeleteSyntheticNodes
Update to version 1.1.0:
* internal/openvex: add vex types
* internal/sarif: compute relative paths for findings
* internal/sarif: remove unused field
* go.mod: update golang.org/x dependencies
* internal/sarif,internal/scan,internal/traces: clean up tests
* internal/sarif: add region part of the physical location
* internal/sarif: add code flows
* cmd/govulncheck: clean up test
* cmd/govulncheck: make test case config data
* cmd/govulncheck: add comment capability to fixups
* cmd/govulncheck: remove unnecessary fixups
* cmd/govulncheck: make fixup part of a test case
* cmd/govulncheck: extract stdlib into special test case
* cmd/govulncheck: restore parallelism for tests
* cmd/govulncheck: add nogomod test case
* cmd/govulncheck: restructure testdata tests
* cmd/govulncheck: add sarif test for binaries
* internal/sarif: add stacks
* internal/sarif: add result message
* internal/vulncheck: get correctly package for instantiated functions
* internal/sarif: add result stubs to run object
* internal/govulncheck: add scan mode to config
* internal/vulncheck: delete only synthetic nodes not related to generics
* internal/scan: add more info to validation errors
* internal/sarif: add rules
* internal/scan: fix name of the error variable
* internal/sarif: add handler
* internal/scan: add sarif flag
* internal/scan: add types for format, show, mode, and scan flags
* go.mod: update golang.org/x dependencies
* internal/vulncheck: use proper stdlib check when loading packages
* internal/vulncheck,internal/scan: sort messages where needed
* internal/scan: introduce format flag
* internal/vulncheck: manipulate packages from PackageGraph
* internal/vulncheck: do not have stdlibModule as global
* cmd/govulncheck: make sure filepath are cross-platform
* internal/govulncheck: fix up some comments
* internal/vulncheck: add relative paths for vendored paths
* internal/vulncheck: emit relative paths for call findings
* internal/vulncheck, internal/scan: improve stdlib reporting
* go.mod: update golang.org/x dependencies
* all: remove bash checks
* all: do go mod tidy test inside unit tests
Update to version 1.0.4:
* cmd/govulncheck: mask line numbers and columns
* internal/scan: remove redundant new lines
* internal/vulncheck: add position for sinks in findings' trace
* internal/scan: put -show <option> into single quotes
* internal/buildinfo: do module-level analysis with no PCLN table
* internal/scan: add a newline after summary
* internal/test: add more info on GoBuild failures
* internal/scan: remove extra dot in a comment
* cmd/govulncheck: fix vendor test
* internal/vulncheck: refactor a loop with an append
* cmd/govulncheck: fix stripped bin test
* cmd/govulncheck: update vendor tests
* cmd/govulncheck: add more tests and reorganize them
* internal/vulncheck: add package and module mode for binaries
* internal/scan: replace Source with Symbol in text output
* internal/scan: fix error statuses for scan={package|module}
* internal/scan: add -show verbose flag
* internal/scan: overhaul text output
* internal/scan: simplify redundant error checking
* internal/scan: add scan level to testdata
* cmd/govulncheck/integration: update expectations for stackrox
* internal/vulncheck: support osv entries with no pkg info
* internal/vulncheck: remove redundant symbol check
* internal/vulncheck: simplify vulnerability detection
Update to version 1.0.3:
* internal/scan: add binary extract mode
* internal/scan, vulncheck: use packages.load for mod info
* internal/govulncheck: briefly explain streaming JSON
* internal/vulncheck: remove -mod=mod flag from LoadModules
Update to version 1.0.2:
* cmd/govulncheck: update test data
* go.mod: update golang.org/x dependencies
* internal/osv: fix type name in comment
* internal/scan: remove informational header for package and module mode
* internal/scan: remove redundant newline for package and module mode
* cmd/govulncheck/integration/stackrox: update vuln expectation
* all: update tools to pick up bug fixes
* internal/vulncheck: compute proper db names for generic functions
* internal/vulncheck: improve error message for fetching vulns
* testdata: Add more package/mod level tests
* internal/scan: change text based on scan level
* internal/scan: update show help message
* internal/sarif: add sarif types
* internal/scan: enable module scan mode
* internal/scan: add scan_level to text tests
* internal/scan: add scan level to textHandler
* cmd/govulncheck: rearrange test files
* all: add logging to TestGovulncheck
* internal/scan: disallow package input in mod level
* go.mod: update golang.org/x dependencies
* cmd/govulncheck: fix mod level behavior
* all: update to x/tools at v.15.0
* internal/vulncheck: define Binary over Bin
* internal/vulncheck: add binary abstraction data structure
* cmd/govulncheck: organize tests into subdirs
* internal/scan: Improve "Informational" text output
* internal/scan: properly "genericify" choose
* internal/vulncheck: emit package findings all at once
* internal/vulncheck: update logic for package level analysis
* internal/vulncheck: remove obsolete tests and helpers
* internal/scan: remove obsolete function
* internal/scan: check for go mod before running
* cmd/govulncheck/integration: add new expectations
* cmd/govulncheck: Fix no go mod tests
* internal/vulncheck: rename moduleVulnerabilities
* internal/vulncheck: add documentation and propagate errors
* internal/vulncheck: emit OSVs in their raw form asap
* internal/scan: move emit logic for findings to internal/vulncheck
* internal: properly fetch modules in source mode
* internal/scan: verify scan level flag
* internal/govulncheck: update Finding docstring
* internal/vulncheck: remove file set computation
* internal/scan: generate better message when patterns matches no packages
* internal/scan, vulncheck: emit vulns as found
* internal/scan: use modVersion for mod version
* internal/scan: suggest earliest valid fixed version as the fix
* internal/scan: communicate default value for test flag
* internal/semver: rename the LatestFixedVersion function
* cmd/govulncheck: fix incorrect test file name
* cmd/govulncheck: remove go version for test file
* internal/vulnchec: improve comments and names for imports level logic
* internal/govulncheck: update description of Findings
* internal/vulncheck/internal/buildinfo: support stripped darwin binaries
* internal/scan: update test names
* internal/scan: text output allows module level vulns
* internal/client: add additional context to HTTP error message
* internal/scan: add isImported function
* internal/scan: fix trace count bug
* internal/vulncheck: add LoadModules using go.mod
* internal/govulncheck: add WantPackages scan level
Update to version 1.0.1:
* all: go get golang.org/x/tools at 74c255b
* internal/scan: change the way convert mode works
* internal/scan: add -version flag
* internal/vulncheck/internal/gosym: fix typo
* internal/gosym: update binary mode version parsing
* internal/scan: refactor to remove redundant code
* vulncheck/internal/gosym: add support for go versions > 1.20
* internal/vulncheck/internal/buildinfo: skip failing tests
* cmd/govulncheck: skip TestCommand in short mode
Initial package version 1.0.0:
* internal/scan: print the summary even when there are no findings
* cmd,internal/govulncheck: change protocol version to v1.0.0
* cmd,internal: remove experimental reference
* internal/govulncheck: improve documentation
Changes in govulncheck-vulndb:
* Update to version 0.0.20241015T183857 date 2024-10-15T18:38:57Z.
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2024-3738=1
* openSUSE Leap 15.6
zypper in -t patch openSUSE-SLE-15.6-2024-3738=1
* SUSE Package Hub 15 15-SP5
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-3738=1
* SUSE Package Hub 15 15-SP6
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-3738=1
## Package List:
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
* govulncheck-1.1.3-150000.1.3.1
* govulncheck-debuginfo-1.1.3-150000.1.3.1
* openSUSE Leap 15.5 (noarch)
* govulncheck-vulndb-0.0.20241015T183857-150000.1.3.1
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
* govulncheck-1.1.3-150000.1.3.1
* govulncheck-debuginfo-1.1.3-150000.1.3.1
* openSUSE Leap 15.6 (noarch)
* govulncheck-vulndb-0.0.20241015T183857-150000.1.3.1
* SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x x86_64)
* govulncheck-1.1.3-150000.1.3.1
* govulncheck-debuginfo-1.1.3-150000.1.3.1
* SUSE Package Hub 15 15-SP5 (noarch)
* govulncheck-vulndb-0.0.20241015T183857-150000.1.3.1
* SUSE Package Hub 15 15-SP6 (aarch64 ppc64le s390x x86_64)
* govulncheck-1.1.3-150000.1.3.1
* govulncheck-debuginfo-1.1.3-150000.1.3.1
* SUSE Package Hub 15 15-SP6 (noarch)
* govulncheck-vulndb-0.0.20241015T183857-150000.1.3.1
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20241021/ed5272c5/attachment.htm>
More information about the sle-updates
mailing list