Update transitive markdown parser dependency by NuVivo314 · Pull Request #12 · oapi-codegen/runtime
Thanks for raising this, wanted to get back to you to confirm if it's a problem or not.
Using https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck it notes that:
Scanning your code and 340 packages across 57 dependent modules for known vulnerabilities...
=== Informational ===
Found 1 vulnerability in packages that you import, but there are no call
stacks leading to the use of this vulnerability. You may not need to
take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.
Vulnerability #1: GO-2023-2074
Parser out-of-bounds read vulnerability caused by a malformed markdown input
More info: https://pkg.go.dev/vuln/GO-2023-2074
Module: github.com/gomarkdown/markdown
Found in: github.com/gomarkdown/markdown@v0.0.0-20230716120725-531d2d74bc12
Fixed in: github.com/gomarkdown/markdown@v0.0.0-20230922105210-14b16010c2ee
No vulnerabilities found.
Share feedback at https://go.dev/s/govulncheck-feedback.
So I believe it's not actually a problem - it's worth checking within your own project's usage of the API to see if this does affect you
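The govulncheck run above distinguishes a vulnerability that is merely imported from one that is actually reachable through a call stack, and NuVivo314's point below is that marketplace scanners often ignore that distinction. The following Go program is an added example (not code from this PR or from oapi-codegen) that turns the machine-readable `govulncheck -json` stream into a CI gate with both policies: fail only on reachable findings, or, in strict mode, fail on anything that has a fixed version. The field names and the trace ordering (first frame is the vulnerable symbol; a frame with no `function` means a package- or module-level finding) follow the govulncheck JSON schema as this example understands it and are an assumption; the input is a constructed sample, and `GO-EXAMPLE-0001` with its `example.com` modules is a placeholder, not a real advisory.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// SampleOutput is a constructed stand-in for `govulncheck -json` output: a
// newline-separated stream of JSON objects. The GO-2023-2074 entries mirror the
// module and versions reported in this PR; GO-EXAMPLE-0001 is a placeholder
// finding with a full call stack to show the reachable case.
const SampleOutput = `{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"progress":{"message":"Scanning your code and 340 packages across 57 dependent modules for known vulnerabilities..."}}
{"osv":{"id":"GO-2023-2074","summary":"Parser out-of-bounds read vulnerability caused by a malformed markdown input"}}
{"finding":{"osv":"GO-2023-2074","fixed_version":"v0.0.0-20230922105210-14b16010c2ee","trace":[{"module":"github.com/gomarkdown/markdown","version":"v0.0.0-20230716120725-531d2d74bc12"}]}}
{"finding":{"osv":"GO-2023-2074","fixed_version":"v0.0.0-20230922105210-14b16010c2ee","trace":[{"module":"github.com/gomarkdown/markdown","version":"v0.0.0-20230716120725-531d2d74bc12","package":"github.com/gomarkdown/markdown/parser"}]}}
{"finding":{"osv":"GO-EXAMPLE-0001","fixed_version":"v1.2.3","trace":[{"module":"example.com/constructed/dep","version":"v1.2.2","package":"example.com/constructed/dep","function":"Parse"},{"module":"example.com/app","package":"example.com/app","function":"main"}]}}
`

// frame is one entry of a finding's trace (field names assumed from the
// govulncheck JSON schema, not taken from the PR).
type frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Package  string `json:"package"`
	Function string `json:"function"`
}

type finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []frame `json:"trace"`
}

// message is the envelope of each stream object; config, progress and osv
// entries are decoded into nothing and skipped.
type message struct {
	Finding *finding `json:"finding"`
}

// Verdict summarises one advisory across all of its findings.
type Verdict struct {
	OSV       string
	Module    string
	Fixed     string
	Reachable bool // a trace whose first frame names a function: a call stack exists
}

// Classify folds the per-trace findings into one Verdict per advisory,
// preserving first-seen order.
func Classify(r io.Reader) ([]Verdict, error) {
	dec := json.NewDecoder(r)
	byID := map[string]*Verdict{}
	var order []string
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if m.Finding == nil || len(m.Finding.Trace) == 0 {
			continue
		}
		f := m.Finding
		v, ok := byID[f.OSV]
		if !ok {
			v = &Verdict{OSV: f.OSV, Module: f.Trace[0].Module, Fixed: f.FixedVersion}
			byID[f.OSV] = v
			order = append(order, f.OSV)
		}
		// Module- and package-level findings carry no function; only a
		// symbol-level finding proves the vulnerable code is on a call path.
		if f.Trace[0].Function != "" {
			v.Reachable = true
		}
	}
	out := make([]Verdict, 0, len(order))
	for _, id := range order {
		out = append(out, *byID[id])
	}
	return out, nil
}

// ShouldFail returns the advisory IDs that block the build. In strict mode
// (the marketplace-scanner policy from the thread) anything with a known fix
// fails; otherwise only reachable findings do.
func ShouldFail(vs []Verdict, strict bool) []string {
	var ids []string
	for _, v := range vs {
		if v.Reachable || (strict && v.Fixed != "") {
			ids = append(ids, v.OSV)
		}
	}
	return ids
}

func main() {
	vs, err := Classify(strings.NewReader(SampleOutput))
	if err != nil {
		panic(err)
	}
	for _, v := range vs {
		fmt.Printf("%s %s reachable=%v fixed=%s\n", v.OSV, v.Module, v.Reachable, v.Fixed)
	}
	fmt.Println("fail (reachable only):", ShouldFail(vs, false))
	fmt.Println("fail (strict):        ", ShouldFail(vs, true))
}
```

With the constructed stream, GO-2023-2074 is reported only at module and package level, so the reachable-only policy lets it through, while strict mode rejects it because a fixed version exists; the placeholder advisory fails under both policies.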
Hello @jamietanna !
It might not be an issue from the runtime perspective, but it is an issue if you publish your software to some marketplace (Red Hat, AWS, etc.). They perform scans and reject a release if it contains vulns with known fixes.
Thanks for letting me know - in these cases is it not possible to flag it as a false positive?
I can try and look into getting dependency updates in next week, but in the meantime it may be worth investigating that as an option too 🤞
in these cases is it not possible to flag it as a false positive?
It is possible. But this will require explanations for everyone who faces it first. Also, some companies are pretty strict about ignoring known vulnerabilities that have patches (regardless of whether they affect them directly or not).
Thanks for this - will get a release out today with this and a few other dependency bumps
jamietanna changed the title from "Update markdown package version." to "Update transitive markdown parser dependency"