The version of jquery in godoc is susceptible to a security vulnerability.
Comment From: toothrot
/cc @dmitshur
Comment From: dmitshur
Thanks for the report.
The godoc command does not have code paths that involve passing HTML from untrusted sources, so I don't believe this is a security issue. If you think I'm missing something, please use the "Flagging Existing Issues as Security-related" process described at https://golang.org/security.
It can still be updated to a newer version.
Comment From: l-lindsay
Any intention on upgrading jquery to a later version? Seeing this issue pop up in a scan.
Comment From: Brookke
Looks like there's a fix for this awaiting review: https://github.com/golang/tools/pull/250
Comment From: bcmills
(CC @golang/security)
Comment From: gmonni
Hello, would it be possible to upgrade jquery to 3.51? Security scanners identify the following vulnerabilities in the jquery version currently in use.
Comment From: ghost
I'm seeing the same issues on our projects... Can the aforementioned PR be re-opened and merged to fix our vulnerability scanners?
Comment From: jakinniranye
For people facing similar issues:
Fixed it by updating the static jQuery file, then replacing the tools version in the go.mod file:
replace golang.org/x/tools v0.5.0 => github.com/jakinniranye/go-tools-jquery-3_5 v0.5.1
I'm new to Go, it's literally my second week, so there could be a better solution out there.
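The workaround above and the objection that follows it turn on a go.mod replace directive that redirects a module to a fork under a different owner. The following is an added example, not code from the thread or from golang/tools: a small stdlib-only Go scanner that reads go.mod text, collects every replace directive (single-line and parenthesised block form), and flags the ones whose replacement lives under a different host/owner than the original, which is exactly the kind of redirect that a dependency policy review would want surfaced. The sample go.mod is constructed for this example; the `golang.org/x/tools` line is the one from the comment above, the other entries are made up.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Replacement describes one replace directive found in a go.mod file.
type Replacement struct {
	Old, New string // module paths with any version suffix stripped
	Forked   bool   // true when New lives under a different host/owner than Old
}

// ownerOf returns the host plus first path element, e.g. "golang.org/x"
// for "golang.org/x/tools" or "github.com/jakinniranye" for a fork.
func ownerOf(module string) string {
	parts := strings.SplitN(module, "/", 3)
	if len(parts) < 2 {
		return parts[0]
	}
	return parts[0] + "/" + parts[1]
}

// parseSide extracts the module path from one side of "=>", dropping an
// optional version ("golang.org/x/tools v0.5.0" -> "golang.org/x/tools").
func parseSide(s string) string {
	return strings.Fields(strings.TrimSpace(s))[0]
}

// FindReplacements scans go.mod text and returns every replace directive.
// Local directory replacements (./lib, ../lib, /abs) are reported but never
// marked as forks, since they do not pull code from a remote repository.
func FindReplacements(gomod string) []Replacement {
	var out []Replacement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // strip trailing comment
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "replace ("):
			inBlock = true
			continue
		case strings.HasPrefix(line, "replace "):
			line = strings.TrimPrefix(line, "replace ")
		case !inBlock:
			continue // require/go/module lines outside a replace block
		}
		oldSide, newSide, ok := strings.Cut(line, "=>")
		if !ok {
			continue
		}
		oldPath, newPath := parseSide(oldSide), parseSide(newSide)
		local := strings.HasPrefix(newPath, ".") || strings.HasPrefix(newPath, "/")
		out = append(out, Replacement{
			Old:    oldPath,
			New:    newPath,
			Forked: !local && ownerOf(oldPath) != ownerOf(newPath),
		})
	}
	return out
}

// ForkedReplacements returns only the replacements that redirect to a
// different host/owner; these are the entries a policy review should examine.
func ForkedReplacements(gomod string) []Replacement {
	var forks []Replacement
	for _, r := range FindReplacements(gomod) {
		if r.Forked {
			forks = append(forks, r)
		}
	}
	return forks
}

// constructedGoMod is a sample go.mod built for this example (not a real
// project's file): the forked replacement from the comment above, a same-owner
// version pin, and a local directory replacement.
const constructedGoMod = `module example.com/app

go 1.20

require golang.org/x/tools v0.5.0

replace golang.org/x/tools v0.5.0 => github.com/jakinniranye/go-tools-jquery-3_5 v0.5.1

replace (
	golang.org/x/net => golang.org/x/net v0.7.0 // pin, same owner
	example.com/internal/lib => ../lib
)
`

func main() {
	for _, r := range FindReplacements(constructedGoMod) {
		fmt.Printf("%-26s => %-46s forked=%v\n", r.Old, r.New, r.Forked)
	}
}
```

Run against the sample, only the `golang.org/x/tools` entry is reported as a fork; the same-owner pin and the local directory replacement are listed but not flagged. In a CI job the check would read the repository's real go.mod instead of the embedded sample and fail the build when `ForkedReplacements` returns anything not on an approved list.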
Comment From: gmonni
@jakinniranye thanks for sharing; unfortunately your fix requires pulling the dependency from a forked repo, not from the original repo, and this is not acceptable in some environments.
Comment From: jakinniranye
Yes, you are correct. It's just a temporary fix. The original repo should be forked into the organisation and made read-only; that might help with approval.
Comment From: FiloSottile
We have established that golang.org/x/tools is not affected by the reported vulnerabilities, see https://github.com/golang/go/issues/39535#issuecomment-643397624.
If your scanner erroneously reports these false positives and provides no way to override the incorrect flag, that's a shortcoming in your scanner that should be addressed by the scanner vendor.
Comment From: gmonni
@FiloSottile thanks for your help! The issue, though, is that if golang.org/x/tools is not affected by this vulnerability then it would help if this issue were "officially" closed with a comment; this way we could request to mark this issue as a false positive on our scanners. As of now, the issue is still open, hence an override request would hardly be accepted.
Comment From: seankhliao
cmd/godoc is deprecated.
Comment From: perolausson
@seankhliao there is no mention of "present" in the issue you marked my issue as a duplicate of. Even if one day (years from now?) godoc is indeed deleted, present is still using the same CVE-riddled dependency. What is the issue with tidying this up?