Closed
@klausman
### Description
Output of `govulncheck version`:
```
Go: go1.24.4
Scanner: govulncheck@v1.1.4
DB: https://vuln.go.dev
DB updated: 2025-08-20 17:47:35 +0000 UTC
```
### Does this issue reproduce at the latest version of golang.org/x/vuln?
Yes
### Output of `go env` in your module/workspace:
```
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE=''
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/home/klausman/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/home/klausman/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3429450969=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/home/klausman/src/nelly/go.mod'
GOMODCACHE='/home/klausman/.local/share/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/klausman/.local/share/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/lib/go-1.24'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/home/klausman/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='local+path'
GOTOOLDIR='/usr/lib/go-1.24/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'
```
### What did you do?
Scan one of my projects, which has no vulnerability known to gvc when scanned at the source level (`govulncheck -show=verbose ./...`), but if I build the binary and then check that (`govulncheck -show=verbose -mode=binary ...`), it claims it is using a vulnerable piece of the stdlib (`sql`).
### What did you see happen?
```
Fetching vulnerabilities from the database...
Checking the code against the vulnerabilities...
The package pattern matched the following root package:
  github.com/klausman/nelly
Govulncheck scanned the following 4 modules and the go1.24.4 standard library:
  github.com/klausman/nelly
  golang.org/x/sys@v0.31.0
  golang.org/x/term@v0.30.0
  gopkg.in/yaml.v2@v2.4.0

=== Symbol Results ===

No vulnerabilities found.

=== Package Results ===

No other vulnerabilities found.

=== Module Results ===

Vulnerability #1: GO-2025-3849
    Incorrect results returned from Rows.Scan in database/sql
  More info: https://pkg.go.dev/vuln/GO-2025-3849
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.24.6

Your code is affected by 0 vulnerabilities.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
```

```
$ go build
$ govulncheck -show=verbose -mode=binary nelly
Scanning your binary for known vulnerabilities...
Fetching vulnerabilities from the database...
Checking the binary against the vulnerabilities...
The package pattern matched the following root package:
  github.com/klausman/nelly
Govulncheck scanned the following 4 modules and the go1.24.4 standard library:
  github.com/klausman/nelly@v0.0.0-20250312142026-d03f3a95c5be
  golang.org/x/sys@v0.31.0
  golang.org/x/term@v0.30.0
  gopkg.in/yaml.v2@v2.4.0

=== Symbol Results ===

Vulnerability #1: GO-2025-3849
    Incorrect results returned from Rows.Scan in database/sql
  More info: https://pkg.go.dev/vuln/GO-2025-3849
  Standard library
    Found in: database/sql@go1.24.4
    Fixed in: database/sql@go1.24.6
    Vulnerable symbols found:
      #1: sql.Row.Scan
      #2: sql.Rows.Scan

=== Package Results ===

No other vulnerabilities found.

=== Module Results ===

No other vulnerabilities found.

Your code is affected by 1 vulnerability from the Go standard library.
This scan found no other vulnerabilities in packages you import or modules you
require.
```
### What did you expect to see?
The output of src vs binary mode should basically be the same. _Or,_ if this is a known limitation of binary mode (false positives), there should be a remark to that effect.
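An added example, not part of this report or of govulncheck itself: a small Go program that reads the `-format=json` stream of each scan mode and classifies every finding the way the text output groups them into Module/Package/Symbol Results, so a source-versus-binary discrepancy like the one above can be flagged mechanically in CI. The field names (`finding`, `osv`, `trace`, `module`, `package`, `function`) and the convention that `trace[0]` is the vulnerable symbol are assumptions about the JSON format, and the two inputs in `main` are constructed to mirror the scans quoted above.

```go
package main
import (
	"encoding/json"
	"fmt"
	"strings"
)

// Frame and Finding cover the parts of govulncheck's -format=json findings used here (assumed shape).
type Frame struct {
	Module   string `json:"module"`
	Package  string `json:"package,omitempty"`
	Function string `json:"function,omitempty"`
}
type Finding struct {
	OSV   string   `json:"osv"`
	Trace []*Frame `json:"trace"` // trace[0] is the vulnerable symbol the scan reached
}

// Level maps a finding to 0 (module), 1 (package) or 2 (symbol), the grouping
// govulncheck's text output uses for its Module/Package/Symbol Results sections.
func Level(f *Finding) int {
	if len(f.Trace) == 0 || f.Trace[0].Package == "" {
		return 0 // only the module is named
	} else if f.Trace[0].Function == "" {
		return 1 // a package is imported but no vulnerable function is reached
	}
	return 2 // a vulnerable function is reached: this is what counts as "affected"
}

// MaxLevels decodes one scan's JSON stream and keeps the highest level per OSV ID.
func MaxLevels(stream string) (map[string]int, error) {
	dec, out := json.NewDecoder(strings.NewReader(stream)), map[string]int{}
	for dec.More() {
		var m struct{ Finding *Finding } // config/progress/osv messages leave it nil
		if err := dec.Decode(&m); err != nil {
			return nil, err
		}
		if f := m.Finding; f != nil && Level(f) >= out[f.OSV] {
			out[f.OSV] = Level(f)
		}
	}
	return out, nil
}

func main() {
	// Constructed inputs modelled on the two scans quoted in this report.
	src, _ := MaxLevels(`{"finding":{"osv":"GO-2025-3849","trace":[{"module":"stdlib"}]}}`)
	bin, _ := MaxLevels(`{"finding":{"osv":"GO-2025-3849","trace":[{"module":"stdlib","package":"database/sql","function":"Scan"}]}}`)
	fmt.Println("GO-2025-3849 level: source", src["GO-2025-3849"], "binary", bin["GO-2025-3849"])
}
```

Feeding the real streams (`govulncheck -format=json ./...` and `govulncheck -format=json -mode=binary nelly`) into `MaxLevels` and comparing the two maps turns the discrepancy in this report into a testable condition, although it says nothing about why binary mode reaches the symbol.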