Toolchain directive in go.mod not being considered #1606
Comments
|
That output was using osv-scanner via a Trunk plugin. Here's the same using osv-scanner 1.9.2 directly: Full output with {
"results": [
{
"source": {
"path": "/Users/matt/temp/example/go.mod",
"type": "lockfile"
},
"packages": [
{
"package": {
"name": "stdlib",
"version": "1.23.5",
"ecosystem": "Go"
},
"vulnerabilities": [
{
"modified": "2025-02-08T08:11:54Z",
"published": "2025-02-06T16:38:14Z",
"schema_version": "1.6.0",
"id": "GO-2025-3447",
"aliases": [
"BIT-golang-2025-22866",
"CVE-2025-22866"
],
"summary": "Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec",
"details": "Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.",
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "stdlib",
"purl": "pkg:golang/stdlib"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.22.12"
},
{
"introduced": "1.23.0-0"
},
{
"fixed": "1.23.6"
},
{
"introduced": "1.24.0-0"
},
{
"fixed": "1.24.0-rc.3"
}
]
}
],
"database_specific": {
"source": "https://vuln.go.dev/ID/GO-2025-3447.json"
},
"ecosystem_specific": {
"imports": [
{
"goarch": [
"ppc64le"
],
"path": "crypto/internal/nistec",
"symbols": [
"P256Point.ScalarBaseMult",
"P256Point.ScalarMult",
"P256Point.SetBytes",
"p256NegCond"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/643735"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/71383"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/xU1ZCHUZw3k"
}
],
"database_specific": {
"review_status": "REVIEWED",
"url": "https://pkg.go.dev/vuln/GO-2025-3447"
}
}
],
"groups": [
{
"ids": [
"GO-2025-3447"
],
"aliases": [
"BIT-golang-2025-22866",
"CVE-2025-22866",
"GO-2025-3447"
],
"experimentalAnalysis": {
"GO-2025-3447": {
"called": false,
"unimportant": false
}
},
"max_severity": ""
}
]
}
]
}
],
"experimental_config": {
"licenses": {
"summary": false,
"allowlist": null
}
}
} |
|
Aside - since the vuln is |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Consider a project with a
go.modfile as follows:According to the docs for Go Toolchains:
Since the standard library is part of the toolchain, then as long as Go 1.23.6 is installed, Go will use
stdlibfrom Go 1.23.6 with this configuration.However, OSV-Scanner reports:
... which was one of the issues fixed in Go 1.23.6.
I conclude that the
toolchaindirective is not being honored. Is that correct?The text was updated successfully, but these errors were encountered: