commit daf01e65df3743203c2ba21b67519cad5c825413
Author: Alex Vanin
Date: Mon Feb 19 11:27:31 2024 +0300
Initial commit
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..2e92840
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,3 @@
+module git.frostfs.info/alexvanin/vulncheck-example
+
+go 1.22.0
diff --git a/unusedvulndep/go.mod b/unusedvulndep/go.mod
new file mode 100644
index 0000000..bea77f2
--- /dev/null
+++ b/unusedvulndep/go.mod
@@ -0,0 +1,7 @@
+module git.frostfs.info/alexvanin/vulncheck-example/unusedvulndep
+
+go 1.22.0
+
+require golang.org/x/crypto v0.16.0
+
+require golang.org/x/sys v0.15.0 // indirect
diff --git a/unusedvulndep/go.sum b/unusedvulndep/go.sum
new file mode 100644
index 0000000..b0d8ac8
--- /dev/null
+++ b/unusedvulndep/go.sum
@@ -0,0 +1,6 @@
+golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
+golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
diff --git a/unusedvulndep/module.go b/unusedvulndep/module.go
new file mode 100644
index 0000000..803eb5a
--- /dev/null
+++ b/unusedvulndep/module.go
@@ -0,0 +1,17 @@
+// Unusedvulndep is a package that imports golang.org/x/crypto package
+// with vulnarability https://pkg.go.dev/vuln/GO-2023-2402 and provides
+// function that is not affected by vulnarability
+package usedvulndep
+
+import (
+ "golang.org/x/crypto/ssh"
+)
+
+// FunctionWithVulnarability is a nop function that transitively adds
+// vulnarable dependency but unvunarable code to a call trace of
+// your application
+func FunctionWithoutVulnarability() error {
+ var s ssh.Signer
+ _, err := ssh.NewCertSigner(new(ssh.Certificate), s)
+ return err
+}
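Review bot: The package clause in unusedvulndep/module.go is `package usedvulndep`, which disagrees with the directory and module path `unusedvulndep` and with the package comment's "Unusedvulndep"; it should read `package unusedvulndep`, and the comment should open with `// Package unusedvulndep imports golang.org/x/crypto (GO-2023-2402) but only calls code not affected by the vulnerability.` so that godoc attaches it. The doc comment on the function names `FunctionWithVulnarability` while the function declared is `FunctionWithoutVulnarability`, and "vulnarability"/"unvunarable" are misspellings; `// FunctionWithoutVulnarability is a no-op that pulls the vulnerable module into the build without reaching the affected code.` fixes both. The "nop" description is also doubtful as written: the call passes a zero `ssh.Certificate` and a nil `ssh.Signer`, and I believe NewCertSigner dereferences both to compare their public keys, so executing this function would presumably panic rather than return an error — worth confirming against v0.16.0 and either documenting that it exists only for the call graph and must not be called, or supplying a real key pair.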
diff --git a/usedvulndep/go.mod b/usedvulndep/go.mod
new file mode 100644
index 0000000..18ec9cf
--- /dev/null
+++ b/usedvulndep/go.mod
@@ -0,0 +1,7 @@
+module git.frostfs.info/alexvanin/vulncheck-example/usedvulndep
+
+go 1.22.0
+
+require golang.org/x/crypto v0.16.0
+
+require golang.org/x/sys v0.15.0 // indirect
diff --git a/usedvulndep/go.sum b/usedvulndep/go.sum
new file mode 100644
index 0000000..b0d8ac8
--- /dev/null
+++ b/usedvulndep/go.sum
@@ -0,0 +1,6 @@
+golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
+golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
diff --git a/usedvulndep/module.go b/usedvulndep/module.go
new file mode 100644
index 0000000..6029424
--- /dev/null
+++ b/usedvulndep/module.go
@@ -0,0 +1,18 @@
+// Usedvulndep is a package that imports golang.org/x/crypto package
+// with vulnarability https://pkg.go.dev/vuln/GO-2023-2402 and provides
+// function that affected by vulnarability
+package usedvulndep
+
+import (
+ "net"
+
+ "golang.org/x/crypto/ssh"
+)
+
+// FunctionWithVulnarability is a nop function that transitively adds
+// vulnarable code to a call trace of your application
+func FunctionWithVulnarability() error {
+ var c net.Conn
+ _, _, _, err := ssh.NewServerConn(c, new(ssh.ServerConfig))
+ return err
+}
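Review bot: `var c net.Conn` in usedvulndep/module.go is a nil interface handed to ssh.NewServerConn, and as far as I recall NewServerConn calls `c.Close()` on its error path (the empty ServerConfig carries no host keys, so the handshake fails immediately), which would make a call to this function panic with a nil-pointer dereference instead of returning the error the doc comment implies; confirm against v0.16.0, or document that the function exists only to put ssh.NewServerConn on the call graph for govulncheck and is never meant to be executed. The package comment should begin with `// Package usedvulndep ...` so godoc recognises it, and "vulnarability"/"vulnarable" should read "vulnerability"/"vulnerable" in both comments (the same misspellings appear in unusedvulndep/module.go). A clearer function comment would be `// FunctionWithVulnarability calls ssh.NewServerConn so that the code path affected by GO-2023-2402 becomes reachable from any caller of this package.`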