Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
social.tchncs.de is one of the many independent Mastodon servers you can use to participate in the fediverse.
A friendly server from Germany – which tends to attract techy people, but welcomes everybody. This is one of the oldest Mastodon instances.

Administered by:

Server stats:

3.9K
active users

social.tchncs.de: AboutProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.6

Olivier Forget

FYI flags that crypto in your project even if you aren't affected. It checks if you import the package, not if you actually use the affected functions. govulncheck does it correctly.

Lucky for me that means I don't have to change anything in my project.

Thanks to @filippo

Github dependabot page for project Dropserver for "Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto" CVE-2024-45337
Verbose output of govulncheck on same Dropserver project showing that it is not affected by the vulnerability because we don't appear to call affect methods. Full text: "DropServer git:(tailscale-1) ✗ govulncheck -show verbose ./... Scanning your code and 643 packages across 83 dependent modules for known vulnerabilities... Fetching vulnerabilities from the database... Checking the code against the vulnerabilities... === Symbol Results === No vulnerabilities found. === Package Results === No other vulnerabilities found. === Module Results === Vulnerability #1: GO-2024-3321 Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto More info: https://pkg.go.dev/vuln/GO-2024-3321 Module: golang.org/x/crypto Found in: golang.org/x/crypto@v0.29.0 Fixed in: golang.org/x/crypto@v0.31.0 Your code is affected by 0 vulnerabilities. This scan also found 0 vulnerabilities in packages you import and 1 vulnerability in modules you require, but your code doesn't appear to call these vulnerabilities.
Dec 12, 2024, 10:14 PM·Public·Phanpy
2boosts·3favorites
Public
Olivier Forget

(I wonder how many people mute the word "crypto" and miss out on all kinds of important/interesting things?)

Quiet public
Martin Atkins

@teleclimber @filippo
That these rudimentary "vulnerability scanners" get to externalize the cost of their overly simplistic implementation on every open source project is maddening to me.

I wish the folks receiving these false positives would pressure the tool vendors to improve rather than pressuring everyone else to walk this endless treadmill, but of course they don't because the user of those tools usually doesn't have enough information to tell whether the report is reasonable.

ExploreLive feeds
About