internal/vulncheck: remove stdlib confidence in call stacks
Call stacks going through standard library were designated as more likely to be true positive, i.e., we have more confidence in them. This does not seem to have a firm footing. If the call stack consists of static calls, then the vulnerable symbol is a std symbol, in which case comparison to other call stacks boils down to length comparison (which we do) since standard library packages import only standard library packages. Otherwise if the call stacks have dynamic call sites, there is no reason to believe that a callee of a dynamic site is more likely to be correctly inferred compared to a dynamic site outside of the standard library.

Updates golang/go#60708

Change-Id: Ib8cdd778ccf8902f5e42473fe145e452d28f3960
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/504715
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Ian Cottrell <iancottrell@google.com>