x509.Certificate.Verify ?? #1369
-
govulncheck as of an hour ago complains
Looking at their repo I don't see a recent commit. Does ebpf actually call this? Seems sus. I think govulncheck is confused but thought I'd ask. |
Beta Was this translation helpful? Give feedback.
Answered by
notrobpike
Mar 7, 2024
Replies: 1 comment 1 reply
-
Hi @notrobpike |
Beta Was this translation helpful? Give feedback.
1 reply
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I normally run @latest, not any specific tagged version. This is why I looked for recent commits in their repo. govulncheck does break from time to time. But I found no recent commits. When I install @latest it tells me it is using v1.0.4.
I'm running it on my own code, which imports cilium/ebpf.
Indeed, if I run it against the cilium/ebpf repo, the vuln is not reported at all. In my repo, it is reported. So I think that this is just a nuisance that ebpf is even mentioned in that report.
My own repo does not call Verify() either, but it does start up an http (plain) server for prometheus metrics. I suppose there is some code path where a Verify() is possible and govulncheck can't quite su…