author    Robin Jarry <robin@jarry.cc>  2022-10-07 10:52:26 +0200
committer Tim Culverhouse <tim@timculverhouse.com>  2022-10-07 17:51:54 -0500
commit    e804fac59f410f395fc57c22a7853a1669efcfa4
tree      fc164b12c32943e5d80dd45eec86258c0d4212f9
parent    049c72393a26806f2e7408075a48849467262c00
download  aerc-e804fac59f410f395fc57c22a7853a1669efcfa4.tar.gz
mk: exclude govulncheck from lint
The vulnerability database is evolving with time. It can cause the lint
step to fail suddenly without any source code changes on our side.
Moreover, sometimes, there is nothing we can do to fix the issue nor to
silence that specific error.

    Found 1 known vulnerability.

    Vulnerability #1: GO-2022-1039
      Programs which compile regular expressions from untrusted sources
      may be vulnerable to memory exhaustion or denial of service. The
      parsed regexp representation is linear in the size of the input,
      but in some cases the constant factor can be as high as 40,000,
      making relatively small regexps consume much larger amounts of
      memory. After fix, each regexp being parsed is limited to a 256 MB
      memory footprint. Regular expressions whose representation would
      use more space than that are rejected. Normal use of regular
      expressions is unaffected.

      Call stacks in your code:
        config/config.go:1000:46: git.sr.ht/~rjarry/aerc/config.AercConfig.LoadBinds
          calls regexp.Compile, which eventually calls regexp/syntax.Parse

      Found in: regexp/syntax@go1.18.6
      Fixed in: regexp/syntax@go1.19.2
      More info: https://pkg.go.dev/vuln/GO-2022-1039

Move govulncheck into its own make target to be executed manually.

Signed-off-by: Robin Jarry <robin@jarry.cc>
Acked-by: Tim Culverhouse <tim@timculverhouse.com>
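GO-2022-1039 concerns regexp text that a program compiles from a source it does not control, which is exactly what a config loader such as LoadBinds does with user keybindings. The Go program below is an added example, not aerc's code, showing the guard a practitioner would put around such a call: a length cap applied before regexp.Compile so an oversized expression never reaches the parser, per-entry error handling so one bad pattern does not abort loading of the rest, and classification of parser errors so a typo can be told apart from the "expression too large" rejection (syntax.ErrLarge) that a patched toolchain, Go 1.19.2 and later, returns. maxPatternLen and its 1024-byte value, compileUntrusted, classify, loadBinds and sampleBinds are all assumptions of this example and are not taken from the project.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"regexp/syntax"
	"strings"
)

// maxPatternLen caps how much pattern text a config file may hand to the
// regexp parser. The value is an assumption for this example, not aerc's.
const maxPatternLen = 1024

// ErrPatternTooLong is returned for patterns rejected by the length cap.
var ErrPatternTooLong = errors.New("regexp pattern exceeds length cap")

// compileUntrusted compiles one pattern taken from an untrusted source
// (a keybinding section in a config file, say). The length check runs
// before regexp.Compile, so an oversized expression never reaches the
// parser that pre-1.19.2 toolchains could not bound on their own.
func compileUntrusted(pattern string) (*regexp.Regexp, error) {
	if len(pattern) > maxPatternLen {
		return nil, fmt.Errorf("%w: %d bytes, limit %d", ErrPatternTooLong, len(pattern), maxPatternLen)
	}
	return regexp.Compile(pattern)
}

// classify reduces a compile error to a short reason so callers can tell a
// user's typo from a resource-limit rejection. A patched Go parser reports
// its 256 MB limit as syntax.ErrLarge and excessive nesting as
// syntax.ErrNestingDepth.
func classify(err error) string {
	if err == nil {
		return "ok"
	}
	if errors.Is(err, ErrPatternTooLong) {
		return "too-long"
	}
	var se *syntax.Error
	if !errors.As(err, &se) {
		return "other"
	}
	switch se.Code {
	case syntax.ErrLarge:
		return "too-large"
	case syntax.ErrNestingDepth:
		return "too-deep"
	default:
		return "syntax"
	}
}

// loadBinds mimics a config loader: every entry is compiled independently,
// bad ones are reported by name, and good ones are still returned, so one
// hostile or mistyped pattern cannot take the whole config down.
func loadBinds(binds map[string]string) (map[string]*regexp.Regexp, map[string]error) {
	compiled := make(map[string]*regexp.Regexp, len(binds))
	failed := make(map[string]error)
	for name, pattern := range binds {
		re, err := compileUntrusted(pattern)
		if err != nil {
			failed[name] = err
			continue
		}
		compiled[name] = re
	}
	return compiled, failed
}

// sampleBinds is a constructed config section (not a real aerc config):
// one sane pattern, one that is simply too long, one with a syntax error.
var sampleBinds = map[string]string{
	"reply-subject": `^(?i)subject:\s*re:`,
	"overlong":      strings.Repeat("a", 2*maxPatternLen),
	"unbalanced":    "(abc",
}

func main() {
	compiled, failed := loadBinds(sampleBinds)
	for name, re := range compiled {
		fmt.Printf("%s: compiled, matches sample header: %v\n", name, re.MatchString("Subject: Re: hello"))
	}
	for name, err := range failed {
		fmt.Printf("%s: rejected (%s): %v\n", name, classify(err), err)
	}
}
```

The length cap is deliberately crude: it bounds parser work regardless of toolchain version, whereas the syntax.ErrLarge branch only ever fires on Go 1.19.2 or later, where the parser enforces the 256 MB limit itself. Keeping both means an upgrade of the toolchain tightens the guard without changing the loader's behaviour for well-formed configs.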
-rw-r--r--  Makefile  3
1 files changed, 3 insertions, 0 deletions
diff --git a/Makefile b/Makefile
index fa385e7c..04ee08e4 100644
--- a/Makefile
+++ b/Makefile
@@ -65,6 +65,9 @@ lint:
&& echo The above files need to be formatted, please run make fmt && exit 1 \
|| echo all files formatted.
$(GO) run github.com/golangci/golangci-lint/cmd/golangci-lint run
+
+.PHONY: vulncheck
+vulncheck:
$(GO) run golang.org/x/vuln/cmd/govulncheck@latest ./...
.PHONY: tests
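Review bot: the new vulncheck target still runs golang.org/x/vuln/cmd/govulncheck@latest, so a manual run picks up whatever tool version happens to be current that day on top of the moving database the commit message complains about, and it needs network access every time. The lint target just above runs golangci-lint with no version suffix, i.e. as a module dependency, and govulncheck could be handled the same way or pinned to an explicit tag so that two developers running "make vulncheck" get comparable results. Since nothing invokes vulncheck after this change, consider also a non-blocking CI job or a line in the contributor docs, so that a finding like GO-2022-1039 stays visible instead of waiting for someone to remember the target.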