My application uses the go-git library, and I recently became aware of the CVE-2022-23521 and CVE-2022-41903 issues about git.
I want to know if these issues affect go-git (https://github.com/go-git/go-git).
This is the description of go-git:
go-git is a highly extensible git implementation library written in pure Go.
However, I cannot fully understand the meaning of 'git implementation'.
I think 1) git is a VCS, 2) go-git implements the functions of git as a VCS, and 3) the CVE issues only pertain to the git CLI tool (https://github.com/git/git), not go-git.
Are my thoughts right?
While both CVE-2022-23521 and CVE-2022-41903 are specific to git/git (the original C implementation), it is a good idea to try to replicate the exploit scenario, to confirm the go-git one is not affected.
As go-git PR 620 illustrates ("Update dependencies to remove supply chain CVEs"), go-git is vulnerable to its own class of security issues, like known supply chain CVEs.