
alexandear
Contributor

This PR replaced manual govulncheck installation with golang/govulncheck-action.

This will silence govulncheck as it by default uses the latest patched Go version.

Run govulncheck ./...
  govulncheck ./...
  shell: /usr/bin/bash -e {0}
=== Symbol Results ===

Vulnerability #1: GO-2025-3447
    Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec
  More info: https://pkg.go.dev/vuln/GO-2025-3447
  Standard library
    Found in: crypto/internal/[email protected]
    Fixed in: crypto/internal/[email protected]
    Platforms: ppc64le
    Example traces found:
Error:       #1: internal/engine/postgresql/analyzer/analyze.go:217:35: analyzer.Analyzer.Analyze calls pgxpool.ParseConfig, which eventually calls nistec.P256Point.ScalarBaseMult
Error:       #2: internal/cmd/generate.go:145:14: cmd.Generate calls fmt.Fprintf, which eventually calls nistec.P256Point.ScalarMult
Error:       #3: internal/engine/sqlite/parser/sqlite_parser.go:1214:20: parser.SQLiteParserInit calls sync.Once.Do, which eventually calls nistec.P256Point.SetBytes

Your code is affected by 1 vulnerability from the Go standard library.
This scan found no other vulnerabilities in packages you import or modules you
require.
Use '-show verbose' for more details.

@dosubot dosubot bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Feb 7, 2025
@dosubot dosubot bot added the 🔧 golang label Feb 7, 2025
@kyleconroy kyleconroy merged commit 17336cc into sqlc-dev:main Feb 7, 2025
8 checks passed
@alexandear alexandear deleted the use-govulncheck-action branch February 7, 2025 20:10
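
The change described in this PR, sketched as an added example that is not the repository's actual workflow or diff: a manual govulncheck install next to the golang/govulncheck-action equivalent. The workflow name, job names and the use of `go-version-file: go.mod` in the "before" job are assumptions made for illustration.

```yaml
# Constructed workflow for illustration; names and the "before" job's
# toolchain source are assumptions, not taken from the sqlc repository.
name: govulncheck
on: [push, pull_request]

jobs:
  # Before: govulncheck is installed by hand and analyses the code against
  # the toolchain that setup-go resolves from go.mod. A standard-library
  # finding such as GO-2025-3447 keeps failing the job until that Go version
  # is bumped, even though no module dependency is affected.
  manual-install:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - run: govulncheck ./...

  # After: the action checks out the repository, sets up Go and runs
  # govulncheck in one step.
  govulncheck-action:
    runs-on: ubuntu-latest
    steps:
      - uses: golang/govulncheck-action@v1
        with:
          go-version-input: stable   # the action's default, spelled out
          check-latest: true         # do not settle for an older cached toolchain
          go-package: ./...
```

Scanning with the newest Go release means the result describes the CI toolchain's standard library, not necessarily the one that builds release binaries. Release builds need the same patched Go version for the finding to be resolved in shipped artifacts.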