On Mon, 9 Oct 2017 13:58:48 -0700
Ed Marshall <esm(a)logic.net> wrote:
On 10/09/2017 04:36 AM, Jakub Cajka wrote:
> For record these vulnerabilities got assigned CVE-2017-15041 and
> CVE-2017-15042. Any packages using the affected component
> "net/smtp" needs to be rebuild with the fixed version of Go, in
> order to pick up the fix.
Oof. Do we have any tools right now for working out whether direct or
transitive dependencies of packages we maintain are affected, so we
know if we need to push a rebuild? (Speaking only for myself, I have
31 packages that don't directly import net/smtp, but I can't speak to
any of the packages they pull in.)
It seems like a standard library CVE almost demands a mass golang
rebuild, if we want to be safe (in the absence of automated tooling
to make targeted rebuilds possible). The reality is, maintainers are
going to miss this message and not rebuild, or not do the necessary
legwork to know if they need to rebuild. :(
That would be a nice and decent tool.
I personally use a shell function of
```bash
# Print each package's name and import path, followed by its direct
# imports one per line. Takes the same package patterns as go list
# (note "$@", not "${@:2}", so that `imports ./...` actually passes
# ./... through to go list instead of dropping it).
imports() {
go list -f '{{.Name}} {{.ImportPath}}{{range .Imports}}
{{.}}{{end}}' "$@"
}
```
so that in a project `imports ./...` will print the imports of the
recursive paths, but that does not extend to every import of even
stdlib. Though that could be possible by some fancier shell work.
vb
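One way to do that fancier shell work, as an added example that is not from the thread or from any of its participants: `go list` already exposes the full transitive dependency closure of a package (stdlib included) in the `.Deps` field, so the check reduces to printing each package with its closure and filtering for an exact match on `net/smtp`. The function below is split so the filter can be exercised on a constructed listing; `scan_module` is the live version that pipes real `go list` output through it. The `example.com/app/...` import paths are constructed sample data, not packages from the thread; the `join` template function is the one `go list -f` provides.

```shell
#!/bin/sh
# Added example (not from the thread). Finds packages whose transitive
# dependency closure contains a given import path, e.g. net/smtp.

# find_dependents TARGET
# Reads lines of the form "<importpath> <dep1> <dep2> ..." on stdin
# (the shape produced by scan_module below) and prints each <importpath>
# whose dependency list contains TARGET as an exact token.
find_dependents() {
    awk -v target="$1" '
        {
            for (i = 2; i <= NF; i++) {
                if ($i == target) { print $1; break }
            }
        }'
}

# scan_module TARGET [PATTERN...]
# Live version: emits "<importpath> <transitive deps...>" for every
# package matching PATTERN (default ./...), then filters with
# find_dependents. .Deps is the full transitive closure, so packages
# that only pull in TARGET through another dependency are reported too.
scan_module() {
    target="$1"; shift
    [ $# -eq 0 ] && set -- ./...
    go list -f '{{.ImportPath}} {{join .Deps " "}}' "$@" \
        | find_dependents "$target"
}

# Constructed sample of scan_module's intermediate output: one package
# importing net/smtp directly (internal/mailer), one only transitively
# via that package (cmd/server), and one not at all (internal/util).
SAMPLE_LISTING='example.com/app/cmd/server example.com/app/internal/mailer net/smtp net/textproto fmt
example.com/app/internal/mailer net/smtp net/textproto strings
example.com/app/internal/util strings fmt'

# sample_affected runs the filter over the constructed listing and
# prints the two packages that would need a rebuild for a net/smtp fix.
sample_affected() {
    printf '%s\n' "$SAMPLE_LISTING" | find_dependents net/smtp
}
```

Usage in a module: `scan_module net/smtp ./...`, or `scan_module net/smtp ./cmd/...` to look only at the binaries, since with a toolchain fix it is the built `main` packages that actually have to be rebuilt and re-shipped. `.Deps` does not include test-only imports, which is the right behaviour here because those never end up in the shipped binary.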