<div class="container">
<h1>Recommended update for govulncheck, govulncheck-vulndb</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-RU-2024:3738-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2024-10-21T10:41:23Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">openSUSE Leap 15.5</li>
<li class="list-group-item">openSUSE Leap 15.6</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP6</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Micro 5.5</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP6</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP6</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP6</li>
<li class="list-group-item">SUSE Package Hub 15 15-SP5</li>
<li class="list-group-item">SUSE Package Hub 15 15-SP6</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that can now be installed.</p>
<h2>Description:</h2>
<p>This update for govulncheck, govulncheck-vulndb fixes the following issues:</p>
<p>govulncheck is shipped in version 1.1.3:</p>
<ul>
<li>internal/openvex: update handler test</li>
<li>LICENSE: update per Google Legal</li>
<li>internal/vulncheck: add warning message for ancient binaries</li>
<li>all: remove build restrictions requiring go1.18</li>
<li>cmd/govulncheck: clarify unsafe/reflection limitations</li>
<li>cmd/govulncheck: update docs for old Go binaries</li>
<li>internal/openvex: omit vulns with no findings</li>
<li>cmd/govulncheck/integration: adjust k8s expectations</li>
<li>all: remove skipIfShort</li>
<li>all: remove unnecessary test lines for staticcheck</li>
<li>internal/vulncheck: avoid recomputing if module is known</li>
<li>go.mod: update golang.org/x dependencies</li>
<li>internal/buildinfo: add support for ancient Go binaries</li>
<li>internal/goversion: comment out a printing line</li>
<li>internal/goversion: add package as copy of rsc.io/goversion/version</li>
<li>cmd/govulncheck: remove line about go version requirements</li>
<li>internal/vulncheck: improve documentation</li>
<li>internal/vulncheck: use module info when looking for symbols</li>
<li>internal/vulncheck: handle symbols ending with .</li>
<li>cmd/govulncheck/integration: make expectation check more robust</li>
<li>all: require go1.21</li>
</ul>
<p>Update to version 1.1.2:</p>
<ul>
<li>internal/osv: add review status</li>
<li>vulncheck: update documentation for vex</li>
<li>cmd/govulncheck/integration/stackrox-scanner: update expectations</li>
<li>cmd/govulncheck/integration/k8s: update expectations</li>
<li>internal/govulncheck: add more comments for emitted OSVs</li>
<li>go.mod: update golang.org/x dependencies</li>
<li>internal/scan: increase telemetry counter for show flag</li>
<li>internal/scan: add format and scan level telemetry</li>
<li>internal/cmd/govulncheck: remove unnecessary binary dependency</li>
<li>cmd/govulncheck/integration: update go in integration tests</li>
<li>internal/openvex: add hash for doc ID</li>
<li>internal/openvex: add statements to handler</li>
<li>internal/openvex: add handler</li>
<li>all: remove test that runs govulncheck on govulncheck</li>
<li>internal/sarif: fix a typo</li>
<li>internal/scan: limit number of binary traces shown</li>
<li>cmd/govulncheck: record scan mode telemetry</li>
</ul>
<p>Update to version 1.1.1:</p>
<ul>
<li>all: remove unit tests for staticcheck, unparam, and spellcheck</li>
<li>internal/sarif,cmd/govulncheck: publicize sarif</li>
<li>internal/vulncheck: load source code for scan symbol mode only</li>
<li>all: update golang.org/x/tools</li>
<li>internal/vulncheck: emit progress message instead of warning</li>
<li>internal/scan: improve textual output for binary traces</li>
<li>internal/buildinfo: avoid panic on nil symbol for elf</li>
<li>internal/sarif: improve GOMODCACHE relative paths</li>
<li>internal/sarif: add version to module info for locations</li>
<li>internal/sarif: remove originalURIBaseIds</li>
<li>go.mod: update golang.org/x dependencies</li>
<li>internal/gosym: preallocate inlined call slice</li>
<li>internal/vulncheck: improve progress message for binaries</li>
<li>internal/vulncheck: emit fetch db and vuln checking progress messages</li>
<li>internal/scan: print progress messages only in verbose mode</li>
<li>internal/scan: refactor flag usage in text handler</li>
<li>Revert "internal/scan: disallow multiple patterns in source mode"</li>
<li>internal/sarif: add missing required Message field</li>
<li>internal/scan: disallow multiple patterns in source mode</li>
<li>internal/vulncheck: use new improved DeleteSyntheticNodes</li>
</ul>
<p>Update to version 1.1.0:</p>
<ul>
<li>internal/openvex: add vex types</li>
<li>internal/sarif: compute relative paths for findings</li>
<li>internal/sarif: remove unused field</li>
<li>go.mod: update golang.org/x dependencies</li>
<li>internal/sarif,internal/scan,internal/traces: clean up tests</li>
<li>internal/sarif: add region part of the physical location</li>
<li>internal/sarif: add code flows</li>
<li>cmd/govulncheck: clean up test</li>
<li>cmd/govulncheck: make test case config data</li>
<li>cmd/govulncheck: add comment capability to fixups</li>
<li>cmd/govulncheck: remove unnecessary fixups</li>
<li>cmd/govulncheck: make fixup part of a test case</li>
<li>cmd/govulncheck: extract stdlib into special test case</li>
<li>cmd/govulncheck: restore parallelism for tests</li>
<li>cmd/govulncheck: add nogomod test case</li>
<li>cmd/govulncheck: restructure testdata tests</li>
<li>cmd/govulncheck: add sarif test for binaries</li>
<li>internal/sarif: add stacks</li>
<li>internal/sarif: add result message</li>
<li>internal/vulncheck: get correctly package for instantiated functions</li>
<li>internal/sarif: add result stubs to run object</li>
<li>internal/govulncheck: add scan mode to config</li>
<li>internal/vulncheck: delete only synthetic nodes not related to generics</li>
<li>internal/scan: add more info to validation errors</li>
<li>internal/sarif: add rules</li>
<li>internal/scan: fix name of the error variable</li>
<li>internal/sarif: add handler</li>
<li>internal/scan: add sarif flag</li>
<li>internal/scan: add types for format, show, mode, and scan flags</li>
<li>go.mod: update golang.org/x dependencies</li>
<li>internal/vulncheck: use proper stdlib check when loading packages</li>
<li>internal/vulncheck,internal/scan: sort messages where needed</li>
<li>internal/scan: introduce format flag</li>
<li>internal/vulncheck: manipulate packages from PackageGraph</li>
<li>internal/vulncheck: do not have stdlibModule as global</li>
<li>cmd/govulncheck: make sure filepath are cross-platform</li>
<li>internal/govulncheck: fix up some comments</li>
<li>internal/vulncheck: add relative paths for vendored paths</li>
<li>internal/vulncheck: emit relative paths for call findings</li>
<li>internal/vulncheck, internal/scan: improve stdlib reporting</li>
<li>go.mod: update golang.org/x dependencies</li>
<li>all: remove bash checks</li>
<li>all: do go mod tidy test inside unit tests</li>
</ul>
<p>Update to version 1.0.4:</p>
<ul>
<li>cmd/govulncheck: mask line numbers and columns</li>
<li>internal/scan: remove redundant new lines</li>
<li>internal/vulncheck: add position for sinks in findings' trace</li>
<li>internal/scan: put -show <option> into single quotes</li>
<li>internal/buildinfo: do module-level analysis with no PCLN table</li>
<li>internal/scan: add a newline after summary</li>
<li>internal/test: add more info on GoBuild failures</li>
<li>internal/scan: remove extra dot in a comment</li>
<li>cmd/govulncheck: fix vendor test</li>
<li>internal/vulncheck: refactor a loop with an append</li>
<li>cmd/govulncheck: fix stripped bin test</li>
<li>cmd/govulncheck: update vendor tests</li>
<li>cmd/govulncheck: add more tests and reorganize them</li>
<li>internal/vulncheck: add package and module mode for binaries</li>
<li>internal/scan: replace Source with Symbol in text output</li>
<li>internal/scan: fix error statuses for scan={package|module}</li>
<li>internal/scan: add -show verbose flag</li>
<li>internal/scan: overhaul text output</li>
<li>internal/scan: simplify redundant error checking</li>
<li>internal/scan: add scan level to testdata</li>
<li>cmd/govulncheck/integration: update expectations for stackrox</li>
<li>internal/vulncheck: support osv entries with no pkg info</li>
<li>internal/vulncheck: remove redundant symbol check</li>
<li>internal/vulncheck: simplify vulnerability detection</li>
</ul>
<p>Update to version 1.0.3:</p>
<ul>
<li>internal/scan: add binary extract mode</li>
<li>internal/scan, vulncheck: use packages.load for mod info</li>
<li>internal/govulncheck: briefly explain streaming JSON</li>
<li>internal/vulncheck: remove -mod=mod flag from LoadModules</li>
</ul>
<p>Update to version 1.0.2:</p>
<ul>
<li>cmd/govulncheck: update test data</li>
<li>go.mod: update golang.org/x dependencies</li>
<li>internal/osv: fix type name in comment</li>
<li>internal/scan: remove informational header for package and module mode</li>
<li>internal/scan: remove redundant newline for package and module mode</li>
<li>cmd/govulncheck/integration/stackrox: update vuln expectation</li>
<li>all: update tools to pick up bug fixes</li>
<li>internal/vulncheck: compute proper db names for generic functions</li>
<li>internal/vulncheck: improve error message for fetching vulns</li>
<li>testdata: Add more package/mod level tests</li>
<li>internal/scan: change text based on scan level</li>
<li>internal/scan: update show help message</li>
<li>internal/sarif: add sarif types</li>
<li>internal/scan: enable module scan mode</li>
<li>internal/scan: add scan_level to text tests</li>
<li>internal/scan: add scan level to textHandler</li>
<li>cmd/govulncheck: rearrange test files</li>
<li>all: add logging to TestGovulncheck</li>
<li>internal/scan: disallow package input in mod level</li>
<li>go.mod: update golang.org/x dependencies</li>
<li>cmd/govulncheck: fix mod level behavior</li>
<li>all: update to x/tools@v.15.0</li>
<li>internal/vulncheck: define Binary over Bin</li>
<li>internal/vulncheck: add binary abstraction data structure</li>
<li>cmd/govulncheck: organize tests into subdirs</li>
<li>internal/scan: Improve "Informational" text output</li>
<li>internal/scan: properly "genericify" choose</li>
<li>internal/vulncheck: emit package findings all at once</li>
<li>internal/vulncheck: update logic for package level analysis</li>
<li>internal/vulncheck: remove obsolete tests and helpers</li>
<li>internal/scan: remove obsolete function</li>
<li>internal/scan: check for go mod before running</li>
<li>cmd/govulncheck/integration: add new expectations</li>
<li>cmd/govulncheck: Fix no go mod tests</li>
<li>internal/vulncheck: rename moduleVulnerabilities</li>
<li>internal/vulncheck: add documentation and propagate errors</li>
<li>internal/vulncheck: emit OSVs in their raw form asap</li>
<li>internal/scan: move emit logic for findings to internal/vulncheck</li>
<li>internal: properly fetch modules in source mode</li>
<li>internal/scan: verify scan level flag</li>
<li>internal/govulncheck: update Finding docstring</li>
<li>internal/vulncheck: remove file set computation</li>
<li>internal/scan: generate better message when patterns matches no packages</li>
<li>internal/scan, vulncheck: emit vulns as found</li>
<li>internal/scan: use modVersion for mod version</li>
<li>internal/scan: suggest earliest valid fixed version as the fix</li>
<li>internal/scan: communicate default value for test flag</li>
<li>internal/semver: rename the LatestFixedVersion function</li>
<li>cmd/govulncheck: fix incorrect test file name</li>
<li>cmd/govulncheck: remove go version for test file</li>
<li>internal/vulnchec: improve comments and names for imports level logic</li>
<li>internal/govulncheck: update description of Findings</li>
<li>internal/vulncheck/internal/buildinfo: support stripped darwin binaries</li>
<li>internal/scan: update test names</li>
<li>internal/scan: text output allows module level vulns</li>
<li>internal/client: add additional context to HTTP error message</li>
<li>internal/scan: add isImported function</li>
<li>internal/scan: fix trace count bug</li>
<li>internal/vulncheck: add LoadModules using go.mod</li>
<li>internal/govulncheck: add WantPackages scan level</li>
</ul>
<p>Update to version 1.0.1:</p>
<ul>
<li>all: go get golang.org/x/tools@74c255b</li>
<li>internal/scan: change the way convert mode works</li>
<li>internal/scan: add -version flag</li>
<li>internal/vulncheck/internal/gosym: fix typo</li>
<li>internal/gosym: update binary mode version parsing</li>
<li>internal/scan: refactor to remove redundant code</li>
<li>vulncheck/internal/gosym: add support for go versions > 1.20</li>
<li>internal/vulncheck/internal/buildinfo: skip failing tests</li>
<li>cmd/govulncheck: skip TestCommand in short mode</li>
</ul>
<p>Initial package version 1.0.0:</p>
<ul>
<li>internal/scan: print the summary even when there are no findings</li>
<li>cmd,internal/govulncheck: change protocol version to v1.0.0</li>
<li>cmd,internal: remove experimental reference</li>
<li>internal/govulncheck: improve documentation</li>
</ul>
<p>Changes in govulncheck-vulndb:</p>
<ul>
<li>Update to version 0.0.20241015T183857 date 2024-10-15T18:38:57Z.</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
openSUSE Leap 15.5
<br/>
<code>zypper in -t patch openSUSE-SLE-15.5-2024-3738=1</code>
</li>
<li class="list-group-item">
openSUSE Leap 15.6
<br/>
<code>zypper in -t patch openSUSE-SLE-15.6-2024-3738=1</code>
</li>
<li class="list-group-item">
SUSE Package Hub 15 15-SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-3738=1</code>
</li>
<li class="list-group-item">
SUSE Package Hub 15 15-SP6
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-3738=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
<ul>
<li>govulncheck-1.1.3-150000.1.3.1</li>
<li>govulncheck-debuginfo-1.1.3-150000.1.3.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.5 (noarch)
<ul>
<li>govulncheck-vulndb-0.0.20241015T183857-150000.1.3.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
<ul>
<li>govulncheck-1.1.3-150000.1.3.1</li>
<li>govulncheck-debuginfo-1.1.3-150000.1.3.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.6 (noarch)
<ul>
<li>govulncheck-vulndb-0.0.20241015T183857-150000.1.3.1</li>
</ul>
</li>
<li>
SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x x86_64)
<ul>
<li>govulncheck-1.1.3-150000.1.3.1</li>
<li>govulncheck-debuginfo-1.1.3-150000.1.3.1</li>
</ul>
</li>
<li>
SUSE Package Hub 15 15-SP5 (noarch)
<ul>
<li>govulncheck-vulndb-0.0.20241015T183857-150000.1.3.1</li>
</ul>
</li>
<li>
SUSE Package Hub 15 15-SP6 (aarch64 ppc64le s390x x86_64)
<ul>
<li>govulncheck-1.1.3-150000.1.3.1</li>
<li>govulncheck-debuginfo-1.1.3-150000.1.3.1</li>
</ul>
</li>
<li>
SUSE Package Hub 15 15-SP6 (noarch)
<ul>
<li>govulncheck-vulndb-0.0.20241015T183857-150000.1.3.1</li>
</ul>
</li>
</ul>
</div>