What I'd like:
Currently, Bottlerocket does not have a clear way to report Go advisories from CVEs patched in the bottlerocket-sdk repository.
One solution is to add a no-op libstd-go package to the core-kit that we tag Go vulnerabilities to, which would simplify the BRSAs for them.
Any alternatives you've considered:
N/A