
I have an application that was built with go 1.16.4, which uses (imports) the archive/zip component of the Go std lib. I took a look at the golang Release Notes and see that a security vulnerability has been fixed in archive/zip in golang 1.16.5. How do I ensure that my application is no longer vulnerable? Must I upgrade my version of go itself, and then rebuild with that new version of go? Or could I vendor the newer version of the fixed component then rebuild? Must the files in the build machine's $GOROOT be updated?

the_endian

  • Update your Go tool, then rebuild the app. Easiest, safest, simplest. – icza Jul 27 '21 at 21:47
  • The standard library is a part of Go; you cannot specify a version, nor can you vendor it. Just update Go and rebuild. – Adrian Jul 27 '21 at 21:51
  • If the binary is built with Docker (a good solution to make repeatable builds, instead of a local environment), it is as simple as changing the version of the image to 1.16.5 and recompiling. – Fulldump Jul 27 '21 at 22:37
  • Forget about GOROOT; you won't need it (ever). – Volker Jul 28 '21 at 07:34

1 Answer

Must I upgrade my version of go itself, and then rebuild with that new version of go?

Yes...

  1. Upgrade Go.
  2. Rebuild.

Or could I vendor the newer version of the fixed component then rebuild?

No, you can't vendor the Go standard library.

Must the files in the build machine's $GOROOT be updated?

GOROOT is the root folder of the Go SDK installation. It is updated when you upgrade Go on the machine (or container) that invokes go build/go install.

rustyx