There is a draft design
<https://github.com/golang/proposal/blob/master/design/draft-vulndb.md> for
a vulnerability database which could be used for this. For now, it's still
a draft. But people are working on it.

On Fri, May 7, 2021 at 9:05 AM christoph...@gmail.com <
christophe.mees...@gmail.com> wrote:

> I just became aware of a security problem in the package
> https://github.com/satori/go.uuid through
> this reddit thread:
> https://www.reddit.com/r/golang/comments/n6bnsh/cve20213538_issued_for_latest_release_of/?utm_source=share&utm_medium=ios_app&utm_name=iossmf
>
> The issue for the security problem is here:
> https://github.com/satori/go.uuid/issues/73
> <https://github.com/satori/go.uuid/issues/73#issuecomment-833337384>
>
> There is a CVE identifier for this security problem:
> https://github.com/satori/go.uuid/issues/115
> It is 3 years old and hasn't been resolved.
>
> The problem is that the owner of the package has apparently vanished.
>
> I report this problem here because this package is used by more than 20
> thousand go packages or programs (e.g. gogs). (
> https://pkg.go.dev/github.com/satori/go.uuid?tab=importedby)
>
> Now that we have this fantastic functionality of modules, I would like to
> know if we could imagine that the go tools would issue a warning if an
> imported package has a security issue reported in CVE. I have seen that
> there is a github tool to do that, but we don't get these notifications by
> default.
>
> --
> You received this message because you are subscribed to the Google Groups
> "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to golang-nuts+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/golang-nuts/9c18eecc-126d-4614-872d-474ebe90513cn%40googlegroups.com
> <https://groups.google.com/d/msgid/golang-nuts/9c18eecc-126d-4614-872d-474ebe90513cn%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>

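The check the quoted message asks for, a tool that warns when a go.mod requirement falls inside a known-vulnerable version range, written out as an added Go example. It is not code from this thread, from the satori/go.uuid project, or from the Go vulnerability database design linked above. Everything in it is constructed for illustration: the go.mod text, the hypothetical `Advisory` format, the `example.com/othermod` entry, and the version range attached to `github.com/satori/go.uuid` (only the module path and the CVE id named in the thread are taken from the page; the "no fix known" range is a placeholder, not the real advisory data). The semver handling is deliberately simplified and says so in the comments.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Advisory is one entry of a hypothetical vulnerability database: a module path
// and the half-open affected range [Introduced, Fixed). An empty Fixed means no
// fixed release is known, so every version from Introduced on is flagged.
type Advisory struct{ ID, Module, Introduced, Fixed string }

// Finding is a go.mod requirement that matched an advisory.
type Finding struct{ Module, Version, ID string }

// parseSemver packs "v1.2.3", "v1.2.3-rc1" or a pseudo-version such as
// "v0.0.0-20180103161547-f58768cc1a7a" into one ordered integer (components
// assumed < 2^20). Dropping the suffix can over-estimate a pseudo-version by one
// patch level; a real tool should use golang.org/x/mod/semver instead of this.
func parseSemver(v string) (int64, bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var major, minor, patch int64
	n, err := fmt.Sscanf(v, "%d.%d.%d", &major, &minor, &patch)
	return major<<40 | minor<<20 | patch, err == nil && n == 3
}

// Affected reports whether v lies in [Introduced, Fixed). An unparseable
// dependency version counts as affected so the check fails loud rather than
// silently skipping it; a malformed advisory range never matches anything.
func (a Advisory) Affected(v string) bool {
	ver, ok := parseSemver(v)
	if !ok {
		return true
	}
	lo, okLo := parseSemver(a.Introduced)
	if !okLo || ver < lo {
		return false
	}
	if a.Fixed == "" {
		return true
	}
	hi, okHi := parseSemver(a.Fixed)
	return okHi && ver < hi
}

// parseGoMod maps module path -> version for every require line, in both the
// single-line and the "require (" block form. Indirect dependencies are kept
// because they are linked into the binary too.
func parseGoMod(src string) map[string]string {
	deps := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" etc.
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
		case line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require "), inBlock:
			if f := strings.Fields(strings.TrimPrefix(line, "require ")); len(f) == 2 {
				deps[f[0]] = f[1]
			}
		}
	}
	return deps
}

// FindVulnerable cross-references a go.mod against the advisory list.
func FindVulnerable(goMod string, advisories []Advisory) []Finding {
	deps := parseGoMod(goMod)
	var out []Finding
	for _, adv := range advisories {
		if v, ok := deps[adv.Module]; ok && adv.Affected(v) {
			out = append(out, Finding{adv.Module, v, adv.ID})
		}
	}
	return out
}

// SampleGoMod is a constructed go.mod, not taken from any real project.
const SampleGoMod = "module example.com/app\n\ngo 1.16\n\nrequire (\n" +
	"\tgithub.com/satori/go.uuid v1.2.0\n" +
	"\texample.com/othermod v0.3.6 // indirect\n)\n"

// SampleAdvisories is constructed: the first entry borrows only the module and
// CVE id from the thread (its "no fix known" range is a placeholder, not real
// advisory data); the second is invented to exercise the Fixed boundary.
var SampleAdvisories = []Advisory{
	{ID: "CVE-2021-3538", Module: "github.com/satori/go.uuid", Introduced: "v0.0.0"},
	{ID: "EXAMPLE-0002", Module: "example.com/othermod", Introduced: "v0.2.0", Fixed: "v0.3.6"},
}

func main() {
	for _, f := range FindVulnerable(SampleGoMod, SampleAdvisories) {
		fmt.Printf("warning: %s %s is affected by %s\n", f.Module, f.Version, f.ID)
	}
}
```

Running it prints one warning for `github.com/satori/go.uuid v1.2.0`; `example.com/othermod v0.3.6` sits exactly on the Fixed boundary and is not reported. The two design choices worth noting are that indirect requirements are checked too (they are compiled in, so a CVE there is just as real) and that a version the parser cannot read is reported rather than ignored, so a gap in the tool's parsing never hides a dependency.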
