x/vulndb: suggestion regarding GO-2022-0470

[cdupuis]

Report ID

GO-2022-0470

Suggestion/Comment

Per the GitHub advisory, not all versions are affected by this:

github.com/blevesearch/bleve <= 1.10.14
github.com/blevesearch/bleve/v2 <= 2.3.6

See GHSA-9w9f-6mg8-jp7w

[thatnealpatel]

Hi @cdupuis,

The GHSA lists no patch for this advisory; therefore, there is no further action we may take on this report.

Furthermore, the advisory explicitly states:

Has the problem been patched? What versions should users upgrade to?

No. The http package is purely intended to be used for demonstration purposes.
And bleve is never designed to be handling the RBACs or it was ever advertised to be used in that way.
Hence the collaborators of this project have decided to stay away from adding any authentication or
authorization to bleve project at the moment.

For additional context on the reasoning of this action, see #3440 (comment)

Feel free to re-open to continue discussion.

[cdupuis]

Thanks for the explanation. Not sure this applies here though as the vulnerable code was removed in blevesearch/bleve#2156. Also this has been reflected in the project's advisory at GHSA-9w9f-6mg8-jp7w.

Feel free to re-open to continue discussion.

That doesn’t seem to be possible.