fix and run govulncheck

README.md

@@ -236,6 +236,8 @@ bash scripts run_sast_sarif.sh
 
 ## Анализ зависимостей на известные уязвимости
 
+Используется версия govulncheck 1.1.4, т.к. следующие (1.2.0, 1.3.0) требуют Go версии 1.25.
+
 1. cd govulncheck
 
 2. ./install.sh

analysis_report.md

@@ -14,7 +14,7 @@ Go версии 1.24, Debian 13.
 
 * Gosec - ориентирован на поиск проблем с безопасностью, нашёл (как и bearer) проблему с путём загрузки конфига и (в отличие от bearer) предложил способ исправления.
 
-* Golangci-lint - больше линтер, нежели статический анализатор, указал только на возможную замену if с условием "ИЛИ" на switch (я считаю, что это false positive).
+* Golangci-lint - больше линтер, нежели статический анализатор, указал только на возможную замену if с условием, содержащем "ИЛИ", на switch (я считаю, что это false positive).
 
 * Svace (svacer) - проприетарный инструмент, который был развёрнут во внутренней сети компании и был также использован, но не был включён в итоги;
 было одно срабатывание на код самого приложения и достаточно много - на использованные модули; по моему мнению, все срабатывания - false positive.
@@ -45,3 +45,12 @@ Go хорош тем, что не даёт скомпилировать прог
 * golang.org/x/term - библиотека для функций работы с терминалом, используется для скрытия пароля при его вводе
 
 * golang.org/x/sys - зависимость golang.org/x/term для низкоуровневой работы с ОС
+
+Анализ зависимостей на известные уязвимости с помощью утилиты govulncheck дал такой результат (это именно вызовы уязвимых функций, подробнее см. в директории govulncheck):
+
+Vulnerability #1: GO-2026-4341 Memory exhaustion in query parameter parsing in net/url (More info: https://pkg.go.dev/vuln/GO-2026-4341)
+
+Vulnerability #2: GO-2025-3849 Incorrect results returned from Rows.Scan in database/sql (More info: https://pkg.go.dev/vuln/GO-2025-3849)
+
+Your code is affected by 2 vulnerabilities from the Go standard library.
+This scan also found 4 vulnerabilities in packages you import and 29 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities.

govulncheck/install.sh

@@ -1,3 +1,3 @@
 #!/bin/bash
 
-go install golang.org/x/vuln/cmd/govulncheck@latest
+go install golang.org/x/vuln/cmd/govulncheck@v1.1.4

govulncheck/results.txt

@@ -0,0 +1,25 @@
+=== Symbol Results ===
+
+Vulnerability #1: GO-2026-4341
+    Memory exhaustion in query parameter parsing in net/url
+  More info: https://pkg.go.dev/vuln/GO-2026-4341
+  Standard library
+    Found in: net/url@go1.24.4
+    Fixed in: net/url@go1.24.12
+    Example traces found:
+      #1: internal/db/sqlite.go:32:26: db.Init calls sql.Open, which eventually calls url.ParseQuery
+
+Vulnerability #2: GO-2025-3849
+    Incorrect results returned from Rows.Scan in database/sql
+  More info: https://pkg.go.dev/vuln/GO-2025-3849
+  Standard library
+    Found in: database/sql@go1.24.4
+    Fixed in: database/sql@go1.24.6
+    Example traces found:
+      #1: internal/db/sqlite.go:89:17: db.GetUser calls sql.Row.Scan
+
+Your code is affected by 2 vulnerabilities from the Go standard library.
+This scan also found 4 vulnerabilities in packages you import and 29
+vulnerabilities in modules you require, but your code doesn't appear to call
+these vulnerabilities.
+Use '-show verbose' for more details.

govulncheck/run.sh

@@ -1,3 +1,8 @@
 #!/bin/bash
 
-govulncheck ../...
+export PATH=$PATH:$HOME/go/bin
+
+govulncheck ../... | tee results.txt
+printf "\nАнализ известных уязвимостей в использованных библиотечных функциях завершён, результаты на экране продублированы в results.txt\nЗапуск подробного анализа (-show verbose)\n"
+govulncheck -show verbose ../... > verbose_results.txt
+printf "\nПодробный анализ завершён, его результаты сохранены в verbose_resulsts.txt\n"

govulncheck/verbose_results.txt

@@ -0,0 +1,290 @@
+Fetching vulnerabilities from the database...
+
+Checking the code against the vulnerabilities...
+
+The package pattern matched the following 10 root packages:
+  linux-auth/internal/db
+  linux-auth/internal/utils
+  linux-auth/cmd/add_user
+  linux-auth/internal/auth
+  linux-auth/internal/config
+  linux-auth/internal/ui
+  linux-auth/cmd/authapp
+  linux-auth/cmd/init_users
+  linux-auth/golang-fuzz
+  linux-auth/myfuzz
+Govulncheck scanned the following 5 modules and the go1.24.4 standard library:
+  linux-auth
+  github.com/mattn/go-sqlite3@v1.14.33
+  github.com/pelletier/go-toml/v2@v2.2.4
+  golang.org/x/sys@v0.39.0
+  golang.org/x/term@v0.38.0
+
+=== Symbol Results ===
+
+Vulnerability #1: GO-2026-4341
+    Memory exhaustion in query parameter parsing in net/url
+  More info: https://pkg.go.dev/vuln/GO-2026-4341
+  Standard library
+    Found in: net/url@go1.24.4
+    Fixed in: net/url@go1.24.12
+    Example traces found:
+      #1: internal/db/sqlite.go:32:26: db.Init calls sql.Open, which eventually calls url.ParseQuery
+
+Vulnerability #2: GO-2025-3849
+    Incorrect results returned from Rows.Scan in database/sql
+  More info: https://pkg.go.dev/vuln/GO-2025-3849
+  Standard library
+    Found in: database/sql@go1.24.4
+    Fixed in: database/sql@go1.24.6
+    Example traces found:
+      #1: internal/db/sqlite.go:89:17: db.GetUser calls sql.Row.Scan
+
+=== Package Results ===
+
+Vulnerability #1: GO-2026-4864
+    TOCTOU permits root escape on Linux via Root.Chmod in os in
+    internal/syscall/unix
+  More info: https://pkg.go.dev/vuln/GO-2026-4864
+  Standard library
+    Found in: internal/syscall/unix@go1.24.4
+    Fixed in: internal/syscall/unix@go1.25.9
+    Platforms: linux
+
+Vulnerability #2: GO-2026-4602
+    FileInfo can escape from a Root in os
+  More info: https://pkg.go.dev/vuln/GO-2026-4602
+  Standard library
+    Found in: os@go1.24.4
+    Fixed in: os@go1.25.8
+
+Vulnerability #3: GO-2026-4601
+    Incorrect parsing of IPv6 host literals in net/url
+  More info: https://pkg.go.dev/vuln/GO-2026-4601
+  Standard library
+    Found in: net/url@go1.24.4
+    Fixed in: net/url@go1.25.8
+
+Vulnerability #4: GO-2025-4010
+    Insufficient validation of bracketed IPv6 hostnames in net/url
+  More info: https://pkg.go.dev/vuln/GO-2025-4010
+  Standard library
+    Found in: net/url@go1.24.4
+    Fixed in: net/url@go1.24.8
+
+=== Module Results ===
+
+Vulnerability #1: GO-2026-4986
+    Quadratic string concatentation in consumeComment in net/mail
+  More info: https://pkg.go.dev/vuln/GO-2026-4986
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.25.10
+
+Vulnerability #2: GO-2026-4982
+    Bypass of meta content URL escaping causes XSS in html/template
+  More info: https://pkg.go.dev/vuln/GO-2026-4982
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.25.10
+
+Vulnerability #3: GO-2026-4981
+    Crash when handling long CNAME response in net
+  More info: https://pkg.go.dev/vuln/GO-2026-4981
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.25.10
+
+Vulnerability #4: GO-2026-4980
+    Escaper bypass leads to XSS in html/template
+  More info: https://pkg.go.dev/vuln/GO-2026-4980
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.25.10
+
+Vulnerability #5: GO-2026-4977
+    Quadratic string concatenation in consumePhrase in net/mail
+  More info: https://pkg.go.dev/vuln/GO-2026-4977
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.25.10
+
+Vulnerability #6: GO-2026-4976
+    ReverseProxy forwards queries with more than urlmaxqueryparams parameters in
+    net/http/httputil
+  More info: https://pkg.go.dev/vuln/GO-2026-4976
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.25.10
+
+Vulnerability #7: GO-2026-4971
+    Panic in Dial and LookupPort when handling NUL byte on Windows in net
+  More info: https://pkg.go.dev/vuln/GO-2026-4971
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.25.10
+
+Vulnerability #8: GO-2026-4947
+    Unexpected work during chain building in crypto/x509
+  More info: https://pkg.go.dev/vuln/GO-2026-4947
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.25.9
+
+Vulnerability #9: GO-2026-4946
+    Inefficient policy validation in crypto/x509
+  More info: https://pkg.go.dev/vuln/GO-2026-4946
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.25.9
+
+Vulnerability #10: GO-2026-4918
+    Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in
+    net/http/internal/http2 in golang.org/x/net
+  More info: https://pkg.go.dev/vuln/GO-2026-4918
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.25.10
+
+Vulnerability #11: GO-2026-4870
+    Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection
+    retention and DoS in crypto/tls
+  More info: https://pkg.go.dev/vuln/GO-2026-4870
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.25.9
+
+Vulnerability #12: GO-2026-4869
+    Unbounded allocation for old GNU sparse in archive/tar
+  More info: https://pkg.go.dev/vuln/GO-2026-4869
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.25.9
+
+Vulnerability #13: GO-2026-4865
+    JsBraceDepth Context Tracking Bugs (XSS) in html/template
+  More info: https://pkg.go.dev/vuln/GO-2026-4865
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.25.9
+
+Vulnerability #14: GO-2026-4603
+    URLs in meta content attribute actions are not escaped in html/template
+  More info: https://pkg.go.dev/vuln/GO-2026-4603
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.25.8
+
+Vulnerability #15: GO-2026-4342
+    Excessive CPU consumption when building archive index in archive/zip
+  More info: https://pkg.go.dev/vuln/GO-2026-4342
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.24.12
+
+Vulnerability #16: GO-2026-4340
+    Handshake messages may be processed at the incorrect encryption level in
+    crypto/tls
+  More info: https://pkg.go.dev/vuln/GO-2026-4340
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.24.12
+
+Vulnerability #17: GO-2026-4337
+    Unexpected session resumption in crypto/tls
+  More info: https://pkg.go.dev/vuln/GO-2026-4337
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.24.13
+
+Vulnerability #18: GO-2025-4175
+    Improper application of excluded DNS name constraints when verifying
+    wildcard names in crypto/x509
+  More info: https://pkg.go.dev/vuln/GO-2025-4175
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.24.11
+
+Vulnerability #19: GO-2025-4155
+    Excessive resource consumption when printing error string for host
+    certificate validation in crypto/x509
+  More info: https://pkg.go.dev/vuln/GO-2025-4155
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.24.11
+
+Vulnerability #20: GO-2025-4015
+    Excessive CPU consumption in Reader.ReadResponse in net/textproto
+  More info: https://pkg.go.dev/vuln/GO-2025-4015
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.24.8
+
+Vulnerability #21: GO-2025-4014
+    Unbounded allocation when parsing GNU sparse map in archive/tar
+  More info: https://pkg.go.dev/vuln/GO-2025-4014
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.24.8
+
+Vulnerability #22: GO-2025-4013
+    Panic when validating certificates with DSA public keys in crypto/x509
+  More info: https://pkg.go.dev/vuln/GO-2025-4013
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.24.8
+
+Vulnerability #23: GO-2025-4012
+    Lack of limit when parsing cookies can cause memory exhaustion in net/http
+  More info: https://pkg.go.dev/vuln/GO-2025-4012
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.24.8
+
+Vulnerability #24: GO-2025-4011
+    Parsing DER payload can cause memory exhaustion in encoding/asn1
+  More info: https://pkg.go.dev/vuln/GO-2025-4011
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.24.8
+
+Vulnerability #25: GO-2025-4009
+    Quadratic complexity when parsing some invalid inputs in encoding/pem
+  More info: https://pkg.go.dev/vuln/GO-2025-4009
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.24.8
+
+Vulnerability #26: GO-2025-4008
+    ALPN negotiation error contains attacker controlled information in
+    crypto/tls
+  More info: https://pkg.go.dev/vuln/GO-2025-4008
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.24.8
+
+Vulnerability #27: GO-2025-4007
+    Quadratic complexity when checking name constraints in crypto/x509
+  More info: https://pkg.go.dev/vuln/GO-2025-4007
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.24.9
+
+Vulnerability #28: GO-2025-4006
+    Excessive CPU consumption in ParseAddress in net/mail
+  More info: https://pkg.go.dev/vuln/GO-2025-4006
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.24.8
+
+Vulnerability #29: GO-2025-3956
+    Unexpected paths returned from LookPath in os/exec
+  More info: https://pkg.go.dev/vuln/GO-2025-3956
+  Standard library
+    Found in: stdlib@go1.24.4
+    Fixed in: stdlib@go1.24.6
+
+Your code is affected by 2 vulnerabilities from the Go standard library.
+This scan also found 4 vulnerabilities in packages you import and 29
+vulnerabilities in modules you require, but your code doesn't appear to call
+these vulnerabilities.