vgo: add spurious dependency on github.com/miekg/dns v1.0.0

This dependency is vulnerable to GO-2020-0006. The point of this commit is to serve as a test case for automated vulnerability scanning of the Go repos. Using the vgo repo because it contains nothing important and is not imported by any of our other repos, which means any report should be limited to x/vgo and not affect other users. Even if people did depend on x/vgo, govulncheck would correctly identify that no code here calls the vulnerable symbols in github.com/miekg/dns. Only less precise scanners would suggest that there is a problem. Change-Id: I97dca1c146b84764e867128710cf262ea6b68276 Reviewed-on: https://go-review.googlesource.com/c/vgo/+/446055 Reviewed-by: Roland Shoemaker <[email protected]> Auto-Submit: Russ Cox <[email protected]>
golang · Oct 28, 2022 · 680e4a3 · 680e4a3
1 parent 1dedb03
commit 680e4a3
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 0 deletions.
diff --git a/go.mod b/go.mod
@@ -1 +1,24 @@
+go 1.18
+
 module golang.org/x/vgo
+
+// This dependency is vulnerable to GO-2020-0006.
+// The point of this commit is to serve as a test case for
+// automated vulnerability scanning of the Go repos.
+//
+// Using the tour repo because it contains nothing
+// important and is not imported by any of our other repos,
+// which means any report should be limited to x/tour
+// and not affect other users.
+//
+// Even if people did depend on x/tour, govulncheck would
+// correctly identify that no code here calls the vulnerable
+// symbols in github.com/miekg/dns. Only less precise
+// scanners would suggest that there is a problem.
+require github.com/miekg/dns v1.0.0
+
+require (
+	golang.org/x/crypto v0.1.0 // indirect
+	golang.org/x/net v0.1.0 // indirect
+	golang.org/x/sys v0.1.0 // indirect
+)
diff --git a/go.sum b/go.sum
@@ -0,0 +1,8 @@
+github.com/miekg/dns v1.0.0 h1:DZ3fdvcFXfWew8XOY+33+MqAcCnqDrGsnt3kK8yf4Hg=
+github.com/miekg/dns v1.0.0/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
+golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU=
+golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
+golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0=
+golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
+golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
diff --git a/vulnerable.go b/vulnerable.go
@@ -0,0 +1,11 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// This file exists to keep the github.com/miekg/dns entry in go.mod.
+
+//go:build never
+
+package never
+
+import _ "github.com/miekg/dns"