whatcanGOwrong

2024-09-19 21:38:24 -04:00
commit d0ae4d841d
17908 changed files with 4096831 additions and 0 deletions
@@ -0,0 +1,3 @@
**/.terraform/*
.terraform.lock.hcl
terraform/terraform.tfvars
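Review bot: `.terraform.lock.hcl` (second entry) should normally be committed rather than ignored; the lock file pins provider versions and their hashes so that `terraform init` verifies the same providers on every machine, which is the supply-chain control you want in a repository that ships security tooling. Ignoring `**/.terraform/*` and `terraform/terraform.tfvars` is right, since the former is a local cache and the latter commonly holds credentials.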
@@ -0,0 +1,28 @@
# Contributing to the Go Vulnerability Database
Go is an open source project.
It is the work of hundreds of contributors. We appreciate your help!
## Reporting a vulnerability
To report a new *public* vulnerability,
[open an issue](https://github.com/golang/vulndb/issues/new),
send a GitHub PR, or mail a Gerrit CL.
Please read the
[Contribution Guidelines](https://golang.org/doc/contribute.html)
before sending patches.
## Contributor License Agreement
Contributions to this project must be accompanied by a Contributor License
Agreement (CLA). You (or your employer) retain the copyright to your
contribution; this simply gives us permission to use and redistribute your
contributions as part of the project. Head over to
<https://cla.developers.google.com/> to see your current agreements on file or
to sign a new one.
You generally only need to submit a CLA once, so if you've already submitted one
(even if it was for a different project), you probably don't need to do it
again.
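Review bot: the 'Reporting a vulnerability' section only explains how to report a *public* vulnerability; add a sentence saying where undisclosed or embargoed reports should go (or at least that they must not be filed as public issues), since a contributor reading this is likely to have exactly that question.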
@@ -0,0 +1,27 @@
Copyright (c) 2009 The Go Authors. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following disclaimer
in the documentation and/or other materials provided with the
distribution.
* Neither the name of Google Inc. nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@@ -0,0 +1,22 @@
Additional IP Rights Grant (Patents)
"This implementation" means the copyrightable works distributed by
Google as part of the Go project.
Google hereby grants to You a perpetual, worldwide, non-exclusive,
no-charge, royalty-free, irrevocable (except as stated in this section)
patent license to make, have made, use, offer to sell, sell, import,
transfer and otherwise run, modify and propagate the contents of this
implementation of Go, where such license applies only to those patent
claims, both currently owned or controlled by Google and acquired in
the future, licensable by Google that are necessarily infringed by this
implementation of Go. This grant does not include claims that would be
infringed only as a consequence of further modification of this
implementation. If you or your agent or exclusive licensee institute or
order or agree to the institution of patent litigation against any
entity (including a cross-claim or counterclaim in a lawsuit) alleging
that this implementation of Go or any code incorporated within this
implementation of Go constitutes direct or contributory patent
infringement, or inducement of patent infringement, then any patent
rights granted to you under this License for this implementation of Go
shall terminate as of the date such litigation is filed.
@@ -0,0 +1,40 @@
# Go Vulnerability Management
[![Go Reference](https://pkg.go.dev/badge/golang.org/x/vuln.svg)](https://pkg.go.dev/golang.org/x/vuln)
Go's support for vulnerability management includes tooling for analyzing your
codebase and binaries to surface known vulnerabilities in your dependencies.
This tooling is backed by the Go vulnerability database, which is curated by
the Go security team. Gos tooling reduces noise in your results by only
surfacing vulnerabilities in functions that your code is actually calling.
You can install the latest version of govulncheck using
[go install](https://pkg.go.dev/cmd/go#hdr-Compile_and_install_packages_and_dependencies)
```
go install golang.org/x/vuln/cmd/govulncheck@latest
```
Then, run govulncheck inside your module:
```
govulncheck ./...
```
See [the govulncheck tutorial](https://go.dev/doc/tutorial/govulncheck) to get
started, and [https://go.dev/security/vuln](https://go.dev/security/vuln) for
more information about Go's support for vulnerability management. The API
documentation can be found at
[https://pkg.go.dev/golang.org/x/vuln/scan](https://pkg.go.dev/golang.org/x/vuln/scan).
## Privacy Policy
The privacy policy for `govulncheck` can be found at
[https://vuln.go.dev/privacy](https://vuln.go.dev/privacy).
## License
Unless otherwise noted, the Go source files are distributed under the BSD-style
license found in the LICENSE file.
Database entries available at https://vuln.go.dev are distributed under the
terms of the [CC-BY 4.0](https://creativecommons.org/licenses/by/4.0/) license.
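Review bot: typo in the intro paragraph: 'Gos tooling reduces noise' should read 'Go's tooling reduces noise'. The two fenced command blocks also lack a language tag (e.g. ```sh) for highlighting, and the sentence 'You can install the latest version of govulncheck using go install' needs a colon before the fence that follows it.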
@@ -0,0 +1,169 @@
// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
//go:build go1.17 && !windows
// +build go1.17,!windows
package main
import (
"bufio"
"bytes"
"context"
"io/fs"
"os"
"os/exec"
"regexp"
"strings"
"testing"
"golang.org/x/mod/modfile"
"golang.org/x/vuln/internal/testenv"
"golang.org/x/vuln/scan"
"mvdan.cc/unparam/check"
)
// excluded contains the set of modules that x/vuln should not depend on.
var excluded = map[string]bool{
"golang.org/x/exp": true,
}
var goHeader = regexp.MustCompile(`^// Copyright 20\d\d The Go Authors\. All rights reserved\.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file\.`)
func TestBashChecks(t *testing.T) {
skipIfShort(t)
bash, err := exec.LookPath("bash")
if err != nil {
t.Skipf("skipping: %v", err)
}
var cmd *exec.Cmd
if os.Getenv("GO_BUILDER_NAME") != "" {
cmd = exec.Command(bash, "./checks.bash", "trybots")
} else {
cmd = exec.Command(bash, "./checks.bash")
}
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
if err := cmd.Run(); err != nil {
t.Fatal(err)
}
}
func TestDependencies(t *testing.T) {
dat, err := os.ReadFile("go.mod")
if err != nil {
t.Fatal(err)
}
f, err := modfile.Parse("go.mod", dat, nil)
if err != nil {
t.Fatalf("modfile.Parse: %v", err)
}
for _, r := range f.Require {
// This is used by staticcheck.
if strings.HasPrefix(r.Mod.Path, "golang.org/x/exp/typeparams") {
continue
}
for ex := range excluded {
if strings.HasPrefix(r.Mod.Path, ex) {
t.Errorf("go.mod contains %q as a dependency, which should not happen", r.Mod.Path)
}
}
}
}
func TestGovulncheck(t *testing.T) {
skipIfShort(t)
testenv.NeedsGoBuild(t)
var o string
out := bytes.NewBufferString(o)
ctx := context.Background()
cmd := scan.Command(ctx, "./...")
cmd.Stdout = out
cmd.Stderr = out
err := cmd.Start()
if err == nil {
err = cmd.Wait()
}
t.Logf("govulncheck finished with std out/err:\n%s", out.String())
switch err := err.(type) {
case nil:
t.Log("govulncheck: no vulnerabilities detected")
case interface{ ExitCode() int }:
t.Errorf("govulncheck: unexpected exit code %d and error %v", err.ExitCode(), err)
default:
t.Errorf("govulncheck: abruptly failed with error %v", err)
}
}
func TestStaticCheck(t *testing.T) {
skipIfShort(t)
rungo(t, "run", "honnef.co/go/tools/cmd/staticcheck@v0.4.3", "./...")
}
func TestUnparam(t *testing.T) {
testenv.NeedsGoBuild(t)
warns, err := check.UnusedParams(false, false, false, "./...")
if err != nil {
t.Fatalf("check.UnusedParams: %v", err)
}
for _, warn := range warns {
t.Errorf(warn)
}
}
func TestVet(t *testing.T) {
rungo(t, "vet", "-all", "./...")
}
func TestMisspell(t *testing.T) {
skipIfShort(t)
rungo(t, "run", "github.com/client9/misspell/cmd/misspell@v0.3.4", "-error", ".")
}
func TestHeaders(t *testing.T) {
sfs := os.DirFS(".")
fs.WalkDir(sfs, ".", func(path string, d fs.DirEntry, _ error) error {
if d.IsDir() {
if d.Name() == "testdata" {
return fs.SkipDir
}
return nil
}
if !strings.HasSuffix(path, ".go") {
return nil
}
f, err := sfs.Open(path)
if err != nil {
return err
}
defer f.Close()
if !goHeader.MatchReader(bufio.NewReader(f)) {
t.Errorf("%v: incorrect go header", path)
}
return nil
})
}
func rungo(t *testing.T, args ...string) {
t.Helper()
testenv.NeedsGoBuild(t)
cmd := exec.Command("go", args...)
if output, err := cmd.CombinedOutput(); err != nil {
t.Log("\n" + string(output))
t.Error("command had non zero exit code")
}
}
func skipIfShort(t *testing.T) {
if testing.Short() {
t.Skipf("skipping: short mode")
}
}
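Review bot: `t.Errorf(warn)` in TestUnparam passes a non-constant string as the format argument, so any `%` in an unparam warning is misinterpreted as a verb (and recent go vet releases report non-constant format strings); use `t.Error(warn)` or `t.Errorf("%s", warn)`. Two smaller points: the return value of `fs.WalkDir` in TestHeaders is dropped, so an I/O error while walking passes silently (check it with `if err := fs.WalkDir(...); err != nil { t.Fatal(err) }`), and `var o string; out := bytes.NewBufferString(o)` in TestGovulncheck can simply be `out := &bytes.Buffer{}`.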
@@ -0,0 +1,73 @@
#!/usr/bin/env bash
# Copyright 2021 The Go Authors. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# This file will be run by `go test`.
# See all_test.go in this directory.
# Ensure that installed go binaries are on the path.
# This bash expression follows the algorithm described at the top of
# `go install help`: first try $GOBIN, then $GOPATH/bin, then $HOME/go/bin.
go_install_dir=${GOBIN:-${GOPATH:-$HOME/go}/bin}
PATH=$PATH:$go_install_dir
source devtools/lib.sh
# check_shellcheck runs shellcheck on .bash and .sh files.
check_shellcheck() {
if ! [ -x "$(command -v shellcheck)" ]; then
echo "Please install shellcheck. See https://github.com/koalaman/shellcheck#installing."
fi
runcmd shellcheck -x checks.bash
runcmd shellcheck ./**/*.sh
}
go_modtidy() {
runcmd go mod tidy
}
# runchecks runs all checks and is intended to run as a precommit hook.
runchecks() {
trybots "$@"
# These checks only run locally due to a limitation with TryBots.
check_shellcheck
}
# trybots runs checks supported by TryBots.
trybots() {
go_modtidy
}
usage() {
cat <<EOUSAGE
Usage: $0 [subcommand]
Available subcommands:
help - display this help message
EOUSAGE
}
main() {
case "$1" in
"-h" | "--help" | "help")
usage
exit 0
;;
"")
runchecks "$@"
;;
trybots)
trybots
;;
*)
usage
exit 1
esac
if [[ "$EXIT_CODE" != 0 ]]; then
err "FAILED; see errors above"
fi
exit "$EXIT_CODE"
}
main "$@"
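Review bot: in check_shellcheck, the `if ! [ -x "$(command -v shellcheck)" ]` branch prints the install hint but does not return, so the function falls through to `runcmd shellcheck ...` and fails with 'command not found' on top of the hint; add `return 1` after the echo. Also, `runcmd shellcheck ./**/*.sh` only recurses if `shopt -s globstar` is set, which this script never does, so `**` behaves like a single `*` and only one directory level is checked. `$EXIT_CODE` is read in main but never assigned in this file; if devtools/lib.sh sets it, a comment saying so would help the next reader.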
@@ -0,0 +1,88 @@
// Copyright 2022 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
/*
Govulncheck reports known vulnerabilities that affect Go code. It uses static
analysis of source code or a binary's symbol table to narrow down reports to
only those that could affect the application.
By default, govulncheck makes requests to the Go vulnerability database at
https://vuln.go.dev. Requests to the vulnerability database contain only module
paths, not code or other properties of your program. See
https://vuln.go.dev/privacy.html for more. Use the -db flag to specify a
different database, which must implement the specification at
https://go.dev/security/vuln/database.
Govulncheck looks for vulnerabilities in Go programs using a specific build
configuration. For analyzing source code, that configuration is the Go version
specified by the “go” command found on the PATH. For binaries, the build
configuration is the one used to build the binary. Note that different build
configurations may have different known vulnerabilities.
Govulncheck must be built with Go version 1.18 or later.
# Usage
To analyze source code, run govulncheck from the module directory, using the
same package path syntax that the go command uses:
$ cd my-module
$ govulncheck ./...
If no vulnerabilities are found, govulncheck will display a short message. If
there are vulnerabilities, each is displayed briefly, with a summary of a call
stack. The summary shows in brief how the package calls a vulnerable function.
For example, it might say
main.go:[line]:[column]: mypackage.main calls golang.org/x/text/language.Parse
To control which files are processed, use the -tags flag to provide a
comma-separated list of build tags, and the -test flag to indicate that test
files should be included.
To include more detailed stack traces, pass -show=traces, this will cause it to
print the full call stack for each entry.
To run govulncheck on a compiled binary, pass it the path to the binary file
with the -mode=binary flag:
$ govulncheck -mode=binary $HOME/go/bin/my-go-program
Govulncheck uses the binary's symbol information to find mentions of vulnerable
functions. Its output omits call stacks, which require source code analysis.
Govulncheck also supports -mode=extract on a Go binary for extraction of minimal
information needed to analyze the binary. This will produce a blob, typically much
smaller than the binary, that can also be passed to govulncheck as an argument with
-mode=binary. The users should not rely on the contents or representation of the blob.
Govulncheck exits successfully (exit code 0) if there are no vulnerabilities,
and exits unsuccessfully if there are. It also exits successfully if the -json flag
is provided, regardless of the number of detected vulnerabilities.
Govulncheck supports streaming JSON. For more details, please see [golang.org/x/vuln/internal/govulncheck].
# Limitations
Govulncheck has these limitations:
- Govulncheck analyzes function pointer and interface calls conservatively,
which may result in false positives or inaccurate call stacks in some cases.
- Calls to functions made using package reflect are not visible to static
analysis. Vulnerable code reachable only through those calls will not be
reported. Use of the unsafe package may result in false negatives.
- Because Go binaries do not contain detailed call information, govulncheck
cannot show the call graphs for detected vulnerabilities. It may also
report false positives for code that is in the binary but unreachable.
- There is no support for silencing vulnerability findings. See https://go.dev/issue/61211 for
updates.
- Govulncheck only reads binaries compiled with Go 1.18 and later.
- For binaries where the symbol information cannot be extracted, govulncheck
reports vulnerabilities for all modules on which the binary depends.
# Feedback
To share feedback, see https://go.dev/security/vuln#feedback.
*/
package main
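Review bot: the -show flag is documented only as `-show=traces`, but the tool's own summary line in the expected output further down (testdata strip.ct: "Use '-show verbose' for more details.") points users at `-show verbose`; list the accepted values here so the documentation and the hint agree. Grammar: 'pass -show=traces, this will cause it to print' is a comma splice (use a semicolon or 'which causes it to print'), and 'The users should not rely' reads better as 'Users should not rely'.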
@@ -0,0 +1,17 @@
FROM golang:1.20.3-alpine
# This Dockerfile sets up an image for repeated integration testing.
# This assumes the build context, i.e., CWD is vuln/
# ---- Step 0: Setup shared build tools. ----
RUN apk update && apk add bash git gcc musl-dev linux-headers gcompat
# ---- Step 1: Build govulncheck ----
COPY . /go/src/golang.org/x/vuln
WORKDIR /go/src/golang.org/x/vuln/cmd/govulncheck/integration
RUN go install golang.org/x/vuln/cmd/govulncheck
# ---- Step 2: Build other test binaries ----
RUN go install golang.org/dl/go1.18@latest
RUN go install golang.org/x/vuln/cmd/govulncheck/integration/k8s
RUN go install golang.org/x/vuln/cmd/govulncheck/integration/stackrox-scanner
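Review bot: `RUN go install golang.org/dl/go1.18@latest` installs only the version wrapper; the toolchain itself is fetched by `go1.18 download`, which is never run here, so it would be downloaded at container run time (or fail offline) instead of being baked into the image. Add `RUN go1.18 download` after it. Related pinning points: the wrapper is pulled at `@latest`, and the base image is pinned by tag (`golang:1.20.3-alpine`) but not by digest, so two builds of this Dockerfile are not guaranteed to be identical; `apk add --no-cache` would also avoid leaving the package index in the layer.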
@@ -0,0 +1,62 @@
#!/bin/bash
# Copyright 2022 The Go Authors. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
#!/bin/bash
# List of all projects for which integration test failed, if any.
failed=()
# Update status of the integration script. The first argument is
# the exit code for the integration run of a project and the second
# argument is the project name.
update_status(){
if [ "$1" -ne 0 ]; then
failed+=("$2")
fi
}
# Print go version for debugging purposes. Expected to be go1.18.8.
go version
# Clone kubernetes to a dedicated directory.
dir="$GOPATH/src/kubernetes"
if [ -d "$dir" ]; then
echo "Destination kubernetes already exists. Using the existing code."
else
git clone https://github.com/kubernetes/kubernetes.git "${dir}"
fi
# Checkout kubernetes version v1.15.11 that
# is known to have vulnerabilities.
pushd "$dir" || exit
cd pkg || exit
git checkout tags/v1.15.11
govulncheck --json ./... &> k8s.txt
k8s k8s.txt
update_status $? "kubernetes(source)"
popd || exit
# Clone scanner to a dedicated directory.
dir="$GOPATH/src/scanner"
if [ -d "$dir" ]; then
echo "Destination scanner already exists. Using the existing code."
else
git clone https://github.com/stackrox/scanner.git "${dir}"
fi
pushd "$dir" || exit
# Use scanner at specific commit and tag version for reproducibility.
git checkout 29b8761da747
go build -trimpath -ldflags="-X github.com/stackrox/scanner/pkg/version.Version=2.26-29-g29b8761da7-dirty" -o image/scanner/bin/scanner ./cmd/clair
govulncheck -mode=binary --json ./image/scanner/bin/scanner &> scan.txt
stackrox-scanner scan.txt
update_status $? "stackrox-scanner(binary)"
popd || exit
if [ ${#failed[@]} -ne 0 ]; then
echo "FAIL: integration run failed for the following projects: ${failed[*]}"
exit 1
fi
echo PASS
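Review bot: the comment 'Expected to be go1.18.8' above `go version` does not match the environment this runs in: the Dockerfile is `FROM golang:1.20.3-alpine` and nothing puts the installed `go1.18` wrapper ahead of the image's `go` on PATH, so `go version` and both govulncheck invocations will use 1.20.3; either call `go1.18` explicitly or fix the comment. Two smaller points: the `#!/bin/bash` shebang appears twice (the second copy is dead), and there is no `set -e`, so a failed `git checkout` or `go build` still runs the following govulncheck scan and helper, which makes a failure harder to attribute.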
@@ -0,0 +1,15 @@
#!/bin/bash
# Copyright 2022 The Go Authors. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# Runs the integration tests for whole program analysis.
# Assumes this is run from vuln/cmd/govulncheck/integration
echo "Building govulncheck docker image"
# The building context is vuln/ so we can have the current
# version of both govulncheck and its vuln dependencies
docker build -f Dockerfile -t govulncheck-integration ../../../
echo "Running govulncheck integration tests in the docker image"
docker run govulncheck-integration ./integration_run.sh
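Review bot: there is no `set -e` and the two docker commands are not chained, so if `docker build` fails, `docker run govulncheck-integration ./integration_run.sh` still executes against whatever image of that name already exists locally (possibly a stale one), and the script's exit status is that of the run, not the build. Use `set -e` or `docker build ... && docker run ...`.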
@@ -0,0 +1,57 @@
// Copyright 2022 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package integration
import (
"bytes"
"encoding/json"
"fmt"
"log"
"os"
"strings"
"github.com/google/go-cmp/cmp"
"golang.org/x/vuln/internal/govulncheck"
)
// CompareNonStdVulns compares vulnerable packages in out and want.
// For out, it only considers vulnerabilities outside of the standard
// library. Assumes the same for want.
func CompareNonStdVulns(out string, want map[string]bool) error {
outJson, err := os.ReadFile(out)
if err != nil {
return fmt.Errorf("failed to read: %v", out)
}
calledVulnPkgs := make(map[string]bool)
dec := json.NewDecoder(bytes.NewReader(outJson))
for dec.More() {
msg := govulncheck.Message{}
// decode the next message in the stream
if err := dec.Decode(&msg); err != nil {
log.Fatalf("failed to load json: %v", err)
}
if msg.Finding != nil {
if msg.Finding.Trace[0].Function == "" {
// No symbol means the vulnerability is
// imported but not called.
continue
}
// collect only called non-std packages
pkgPath := msg.Finding.Trace[0].Package
if !isStd(pkgPath) {
calledVulnPkgs[pkgPath] = true
}
}
}
if diff := cmp.Diff(want, calledVulnPkgs); diff != "" {
return fmt.Errorf("reachable vulnerable packages mismatch (-want, +got):\n%s", diff)
}
return nil
}
// isStd returns true iff pkg is a standard library package.
func isStd(pkg string) bool {
return !strings.Contains(pkg, ".")
}
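Review bot: `msg.Finding.Trace[0]` is indexed without checking that the trace is non-empty, so a finding with an empty trace panics instead of producing a readable error; guard with `len(msg.Finding.Trace) == 0`. In the same loop, `log.Fatalf` on a decode error exits the whole process from inside a function that already returns `error`; return the error so the callers in k8s/main.go and stackrox-scanner/main.go decide how to fail. Also `fmt.Errorf("failed to read: %v", out)` discards `err`; wrap it with `%w` so the underlying cause (missing file, permissions) is visible.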
@@ -0,0 +1,42 @@
// Copyright 2022 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package main
import (
"log"
"os"
"golang.org/x/vuln/cmd/govulncheck/integration/internal/integration"
)
const usage = `test helper for examining the output of running govulncheck on k8s@v1.15.11.
Example usage: ./k8s [path to output file]
`
func main() {
if len(os.Args) != 2 {
log.Fatal("Incorrect number of expected command line arguments", usage)
}
out := os.Args[1]
want := map[string]bool{
"github.com/containernetworking/cni/pkg/invoke": true,
"github.com/evanphx/json-patch": true,
"github.com/opencontainers/selinux/go-selinux": true,
"github.com/prometheus/client_golang/prometheus/promhttp": true,
"golang.org/x/crypto/cryptobyte": true,
"golang.org/x/crypto/salsa20/salsa": true,
"golang.org/x/crypto/ssh": true,
"golang.org/x/net/http/httpguts": true,
"golang.org/x/net/http2": true,
"golang.org/x/net/http2/hpack": true,
"golang.org/x/text/encoding/unicode": true,
"google.golang.org/grpc": true,
}
if err := integration.CompareNonStdVulns(out, want); err != nil {
log.Fatal(err)
}
}
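Review bot: `log.Fatal("Incorrect number of expected command line arguments", usage)` formats its arguments with `fmt.Sprint`, so the message and the usage text run together ('...argumentstest helper for...') with no separator; use `log.Fatalf("incorrect number of arguments\n%s", usage)`. The same construct appears in stackrox-scanner/main.go below.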
@@ -0,0 +1,4 @@
# Format: //devtools/kokoro/config/proto/build.proto
build_file: "vuln/cmd/govulncheck/integration/kokoro/integration.sh"
@@ -0,0 +1,18 @@
#!/bin/bash
# Copyright 2022 The Go Authors. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# Run integration_test.sh on kokoro.
# Fail on any error.
set -e
# Code under repo is checked out to ${KOKORO_ARTIFACTS_DIR}/git.
# The main directory name in this path is determined by the scm name specified
# in the job configuration, which in this case is "vuln".
cd "${KOKORO_ARTIFACTS_DIR}/git/vuln/cmd/govulncheck/integration"
# Run integration_test.sh
./integration_test.sh
@@ -0,0 +1,41 @@
// Copyright 2022 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package main
import (
"log"
"os"
"golang.org/x/vuln/cmd/govulncheck/integration/internal/integration"
)
const usage = `test helper for examining the output of running govulncheck on
stackrox-io/scanner binary (https://quay.io/repository/stackrox-io/scanner).
Example usage: ./stackrox-scanner [path to output file]
`
func main() {
if len(os.Args) != 2 {
log.Fatal("Incorrect number of expected command line arguments", usage)
}
out := os.Args[1]
want := map[string]bool{
"github.com/go-git/go-git/v5": true,
"github.com/go-git/go-git/v5/config": true,
"github.com/go-git/go-git/v5/plumbing/object": true,
"github.com/go-git/go-git/v5/storage/filesystem": true,
"github.com/go-git/go-git/v5/storage/filesystem/dotgit": true,
"golang.org/x/crypto/ssh": true,
"golang.org/x/net/http2": true,
"golang.org/x/net/http2/hpack": true,
"google.golang.org/grpc": true,
"google.golang.org/grpc/internal/transport": true,
}
if err := integration.CompareNonStdVulns(out, want); err != nil {
log.Fatal(err)
}
}
@@ -0,0 +1,31 @@
// Copyright 2022 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package main
import (
"context"
"fmt"
"os"
"golang.org/x/vuln/scan"
)
func main() {
ctx := context.Background()
cmd := scan.Command(ctx, os.Args[1:]...)
err := cmd.Start()
if err == nil {
err = cmd.Wait()
}
switch err := err.(type) {
case nil:
case interface{ ExitCode() int }:
os.Exit(err.ExitCode())
default:
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
}
@@ -0,0 +1,322 @@
// Copyright 2022 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Only run this on Go 1.18 or higher, because govulncheck can't
// run on binaries before 1.18.
//go:build go1.18
// +build go1.18
package main
import (
"bytes"
"context"
"flag"
"fmt"
"os"
"path/filepath"
"regexp"
"runtime"
"sync"
"testing"
"unsafe"
"github.com/google/go-cmdtest"
"github.com/google/go-cmp/cmp"
"golang.org/x/vuln/internal/govulncheck"
"golang.org/x/vuln/internal/test"
"golang.org/x/vuln/internal/web"
"golang.org/x/vuln/scan"
)
var update = flag.Bool("update", false, "update test files with results")
type fixup struct {
pattern string
compiled *regexp.Regexp
replace string
replaceFunc func(b []byte) []byte
}
var fixups = []fixup{
{
// modifies paths to Go files by replacing their directory with "...".
// For example,/a/b/c.go becomes .../c.go .
// This makes it possible to compare govulncheck output across systems, because
// Go filenames include setup-specific paths.
pattern: `[^\s"]*\.go[\s":]`,
replaceFunc: func(b []byte) []byte {
s := string(b)
return []byte(fmt.Sprintf(`.../%s%c`, filepath.Base(s[:len(s)-1]), s[len(s)-1]))
},
}, {
// modifies position lines to mask actual line and column with <l> and
// <c> placeholders, resp.
pattern: `\.go:(\d+):(\d+):`,
replace: `.go:<l>:<c>:`,
}, {
// modify position lines in json
pattern: `\"line\":(\s)*(\d+)`,
replace: `"line": <l>`,
}, {
// modify position columns in json
pattern: `\"column\":(\s)*(\d+)`,
replace: `"column": <c>`,
}, {
// modify position offset in json
pattern: `\"offset\":(\s)*(\d+)`,
replace: `"offset": <o>`,
}, {
// There was a one-line change in container/heap/heap.go between 1.18
// and 1.19 that makes the stack traces different. Ignore it.
pattern: `heap\.go:(\d+)`,
replace: `N`,
}, {
pattern: `Scanning your code and (\d+) packages across (\d+)`,
replace: `Scanning your code and P packages across M`,
}, {
pattern: `Scanner: govulncheck@v.*`,
replace: `Scanner: govulncheck@v1.0.0`,
}, {
pattern: `"([^"]*") is a file`,
replace: `govulncheck: myfile is a file`,
}, {
pattern: `"scanner_version": "[^"]*"`,
replace: `"scanner_version": "v0.0.0-00000000000-20000101010101"`,
}, {
pattern: `file:///(.*)/testdata/vulndb`,
replace: `testdata/vulndb`,
}, {
pattern: `package (.*) is not in (GOROOT|std) (.*)`,
replace: `package foo is not in GOROOT (/tmp/foo)`,
}, {
pattern: `modified (.*)\)`,
replace: `modified 01 Jan 21 00:00 UTC)`,
}, {
pattern: `Go: (go1.[\.\d]*|devel).*`,
replace: `Go: go1.18`,
}, {
pattern: `"go_version": "go[^\s"]*"`,
replace: `"go_version": "go1.18"`,
},
}
func (f *fixup) init() {
f.compiled = regexp.MustCompile(f.pattern)
}
func (f *fixup) apply(data []byte) []byte {
if f.replaceFunc != nil {
return f.compiled.ReplaceAllFunc(data, f.replaceFunc)
}
return f.compiled.ReplaceAll(data, []byte(f.replace))
}
func init() {
for i := range fixups {
fixups[i].init()
}
}
func TestCommand(t *testing.T) {
if testing.Short() {
t.Skip("skipping test that uses internet in short mode")
}
testDir, err := os.Getwd()
if err != nil {
t.Fatal(err)
}
vulndbDir, err := filepath.Abs(filepath.Join(testDir, "testdata", "vulndb-v1"))
if err != nil {
t.Fatal(err)
}
govulndbURI, err := web.URLFromFilePath(vulndbDir)
if err != nil {
t.Fatalf("failed to create make vulndb url: %v", err)
}
moduleDirs, err := filepath.Glob("testdata/modules/*")
if err != nil {
t.Fatal(err)
}
os.Setenv("moddir", filepath.Join(testDir, "testdata", "modules"))
for _, md := range moduleDirs {
// Skip nogomod module. It has intended build issues.
if filepath.Base(md) == "nogomod" {
noModDir, err := filepath.Abs(t.TempDir())
if err != nil {
t.Fatal(err)
}
os.Setenv("nomoddir", noModDir)
b, err := os.ReadFile(filepath.Join(md, "vuln.go"))
if err != nil {
t.Fatal(err)
}
err = os.WriteFile(filepath.Join(noModDir, "vuln.go"), b, 0644)
if err != nil {
t.Fatal(err)
}
continue
}
// Build test module binary.
binary, cleanup := test.GoBuild(t, md, "", filepath.Base(md) == "strip")
t.Cleanup(cleanup)
// Set an environment variable to the path to the binary, so tests
// can refer to it.
varName := filepath.Base(md) + "_binary"
os.Setenv(varName, binary)
}
testFilesDir := filepath.Join(testDir, "testdata", "testfiles")
os.Setenv("testdir", testFilesDir)
runTestSuite(t, testFilesDir, govulndbURI.String(), *update)
if runtime.GOOS != "darwin" {
// Binaries are not stripped on darwin with go1.21 and earlier. See #61051.
runTestSuite(t, filepath.Join(testDir, "testdata", "strip"), govulndbURI.String(), *update)
}
}
// Limit the number of concurrent scans. Scanning is implemented using
// x/tools/go/ssa, which is known to be memory-hungry
// (see https://go.dev/issue/14113), and by default the testing package
// allows up to GOMAXPROCS parallel tests at a time.
//
// For now we arbitrarily limit to ⌈GOMAXPROCS/4⌉, on the theory that many Go
// developer and CI machines have at least 8 logical cores and we want most
// runs of the test to exercise at least a little concurrency. If that turns
// out to still be too high, we may consider reducing it further.
//
// Since all of the scans run in the same process, we need an especially low
// limit on 32-bit platforms: we may run out of virtual address space well
// before we run out of system RAM.
var (
parallelLimiter chan struct{}
parallelLimiterInit sync.Once
)
// testSuite creates a cmdtest suite from dir. It also defines
// a govulncheck command on the suite that runs govulncheck
// against vulnerability database available at vulndbDir.
func runTestSuite(t *testing.T, dir string, govulndb string, update bool) {
parallelLimiterInit.Do(func() {
limit := (runtime.GOMAXPROCS(0) + 3) / 4
if limit > 2 && unsafe.Sizeof(uintptr(0)) < 8 {
limit = 2
}
parallelLimiter = make(chan struct{}, limit)
})
tsReadDir := dir
if filepath.Base(dir) != "strip" {
tsReadDir = filepath.Join(tsReadDir, "*")
}
ts, err := cmdtest.Read(tsReadDir)
if err != nil {
t.Fatal(err)
}
ts.DisableLogging = true
govulncheckCmd := func(args []string, inputFile string) ([]byte, error) {
parallelLimiter <- struct{}{}
defer func() { <-parallelLimiter }()
newargs := append([]string{"-db", govulndb}, args...)
buf := &bytes.Buffer{}
cmd := scan.Command(context.Background(), newargs...)
cmd.Stdout = buf
cmd.Stderr = buf
if inputFile != "" {
input, err := os.Open(filepath.Join(dir, inputFile))
if err != nil {
return nil, err
}
defer input.Close()
cmd.Stdin = input
}
// We set GOVERSION to always get the same results regardless of the underlying Go build system.
cmd.Env = append(os.Environ(), "GOVERSION=go1.18")
if err := cmd.Start(); err != nil {
return nil, err
}
err := cmd.Wait()
switch e := err.(type) {
case nil:
case interface{ ExitCode() int }:
err = &cmdtest.ExitCodeErr{Msg: err.Error(), Code: e.ExitCode()}
if e.ExitCode() == 0 {
err = nil
}
default:
fmt.Fprintln(buf, err)
err = &cmdtest.ExitCodeErr{Msg: err.Error(), Code: 1}
}
sorted := buf
if err == nil && isJSONMode(args) {
// parse, sort and reprint the output for test stability
gather := test.NewMockHandler()
if err := govulncheck.HandleJSON(buf, gather); err != nil {
return nil, err
}
sorted = &bytes.Buffer{}
h := govulncheck.NewJSONHandler(sorted)
if err := gather.Write(h); err != nil {
return nil, err
}
}
out := sorted.Bytes()
for _, fix := range fixups {
out = fix.apply(out)
}
return out, err
}
ts.Commands["govulncheck"] = govulncheckCmd
// govulncheck-cmp is like govulncheck except that the last argument is a file
// whose contents are compared to the output of govulncheck. This command does
// not output anything.
ts.Commands["govulncheck-cmp"] = func(args []string, inputFile string) ([]byte, error) {
l := len(args)
if l == 0 {
return nil, nil
}
cmpArg := args[l-1]
gArgs := args[:l-1]
out, err := govulncheckCmd(gArgs, inputFile)
if err != nil {
return nil, &cmdtest.ExitCodeErr{Msg: err.Error(), Code: 1}
}
got := string(out)
file, err := os.ReadFile(cmpArg)
if err != nil {
return nil, &cmdtest.ExitCodeErr{Msg: err.Error(), Code: 1}
}
want := string(file)
if diff := cmp.Diff(want, got); diff != "" {
return nil, &cmdtest.ExitCodeErr{Msg: "govulncheck output not matching the file contents:\n" + diff, Code: 1}
}
return nil, nil
}
if update {
ts.Run(t, true)
return
}
ts.RunParallel(t, false)
}
func isJSONMode(args []string) bool {
for _, arg := range args {
if arg == "-json" {
return true
}
}
return false
}
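Review bot: the doc comment on runTestSuite says 'testSuite creates a cmdtest suite', which no longer matches the function name; update it. The test also sets `moddir`, `nomoddir`, `testdir` and the per-module `*_binary` variables with `os.Setenv`, ignoring the returned error and leaving them in the process environment after the test; since this file already requires go1.18, `t.Setenv` gives error handling and cleanup for free (TestCommand is not marked parallel, so it is allowed there). Finally, in govulncheck-cmp the `cmpArg` file is read relative to the current directory while `inputFile` is joined with `dir`; if that asymmetry is intentional, a comment would help.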
@@ -0,0 +1,14 @@
/*
* Copyright 2022 The Go Authors. All rights reserved.
* Use of this source code is governed by a BSD-style
* license that can be found in the LICENSE file.
*/
body {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu,
'Helvetica Neue', Arial, sans-serif;
}
ul {
list-style-type: none;
}
@@ -0,0 +1,12 @@
package main
import (
"fmt"
"golang.org/x/text/language"
)
func main() {
fmt.Println("hello")
language.Parse("")
}
@@ -0,0 +1,41 @@
#####
# Test for stripped binaries (see #57764)
$ govulncheck -mode=binary ${strip_binary} --> FAIL 3
Scanning your binary for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: language.MatchStrings
#2: language.MustParse
#3: language.Parse
#4: language.ParseAcceptLanguage
Vulnerability #2: GO-2020-0015
An attacker could provide a single byte to a UTF16 decoder instantiated with
UseBOM or ExpectBOM to trigger an infinite loop if the String function on
the Decoder is called, or the Decoder is passed to transform.String. If used
to parse user supplied input, this may be used as a denial of service
vector.
More info: https://pkg.go.dev/vuln/GO-2020-0015
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.3
Example traces found:
#1: transform.String
#2: unicode.bomOverride.Transform
#3: unicode.utf16Decoder.Transform
Your code is affected by 2 vulnerabilities from 1 module.
This scan found no other vulnerabilities in packages you import or modules you
require.
Use '-show verbose' for more details.
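Review bot: the expected output for the stripped binary lists four traces for GO-2021-0113 (MatchStrings, MustParse, Parse, ParseAcceptLanguage) and three for GO-2020-0015, although the fixture program only calls language.Parse; the header comment should state that this over-reporting is the intended behaviour when symbol information is absent (presumably every vulnerable symbol of a package present in the binary is reported because reachability cannot be determined), since the bare reference to #57764 does not say so and a reader comparing this with the non-stripped test, which reports only language.Parse, will otherwise read it as a bug.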
@@ -0,0 +1,622 @@
#####
# Test basic binary scanning with json output
$ govulncheck -json -mode=binary ${vuln_binary}
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"scan_level": "symbol"
}
}
{
"progress": {
"message": "Scanning your binary for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0265",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-08-15T18:06:07Z",
"aliases": [
"CVE-2021-42248",
"CVE-2021-42836",
"GHSA-c9gm-7rfj-8w5h",
"GHSA-ppj4-34rq-v8j9"
],
"details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Get",
"parseObject",
"queryMatches"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/237"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/236"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0265"
}
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "Get"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "Get",
"receiver": "Result"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0113",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-10-06T17:51:21Z",
"aliases": [
"CVE-2021-38561",
"GHSA-ppp9-7jff-5vj2"
],
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.7"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/language",
"symbols": [
"MatchStrings",
"MustParse",
"Parse",
"ParseAcceptLanguage"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/340830"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
}
],
"credits": [
{
"name": "Guido Vranken"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0113"
}
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0",
"package": "golang.org/x/text/language"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0",
"package": "golang.org/x/text/language",
"function": "Parse"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0054",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-36067",
"GHSA-p64j-r5f4-pwwx"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Result.ForEach",
"unwrap"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/196"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0054"
}
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "ForEach",
"receiver": "Result"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2020-0015",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-14040",
"GHSA-5rcv-m4m3-hfh7"
],
"details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/encoding/unicode",
"symbols": [
"bomOverride.Transform",
"utf16Decoder.Transform"
]
},
{
"path": "golang.org/x/text/transform",
"symbols": [
"String"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/238238"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/39491"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
}
],
"credits": [
{
"name": "@abacabadabacaba and Anton Gyllenberg"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0015"
}
}
}
{
"finding": {
"osv": "GO-2020-0015",
"fixed_version": "v0.3.3",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0059",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-35380",
"GHSA-w942-gw6m-p62c"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.4"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Array",
"Result.Get",
"Result.Map",
"Result.Value",
"squash"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/192"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0059"
}
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2022-0969",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-09-12T20:23:06Z",
"aliases": [
"CVE-2022-27664",
"GHSA-69cg-p879-7622"
],
"details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.6"
},
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"ListenAndServe",
"ListenAndServeTLS",
"Serve",
"ServeTLS",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.Serve",
"Server.ServeTLS",
"http2Server.ServeConn",
"http2serverConn.goAway"
]
}
]
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220906165146-f3363e06e74c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/http2",
"symbols": [
"Server.ServeConn",
"serverConn.goAway"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/54658"
},
{
"type": "FIX",
"url": "https://go.dev/cl/428735"
}
],
"credits": [
{
"name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0969"
}
}
}
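Review bot: the OSV records for GO-2021-0059 and GO-2022-0969 are emitted with no `finding` entry following them, and GO-2021-0059 is fixed in gjson 1.6.4 while the binary carries v1.6.5, so that entry is not even a module-level match. If emitting every OSV entry consulted for a module is the intended v1.0.0 protocol behaviour, the test header should say so, because a consumer that counts `osv` records as vulnerabilities would report six here where the text output for the same binary summarises three symbol-level findings plus one module-level one.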
@@ -0,0 +1,46 @@
#####
# Test basic binary scanning with text output
$ govulncheck -mode=binary ${vuln_binary} --> FAIL 3
Scanning your binary for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0265
A maliciously crafted path can cause Get and other query functions to
consume excessive amounts of CPU and time.
More info: https://pkg.go.dev/vuln/GO-2021-0265
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.9.3
Example traces found:
#1: gjson.Get
#2: gjson.Result.Get
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: language.Parse
Vulnerability #3: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
More info: https://pkg.go.dev/vuln/GO-2021-0054
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.6.6
Example traces found:
#1: gjson.Result.ForEach
Your code is affected by 3 vulnerabilities from 2 modules.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
Use '-show verbose' for more details.
@@ -0,0 +1,607 @@
#####
# Test basic binary scanning with json output
$ govulncheck -json -mode=binary ${vendored_binary}
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"scan_level": "symbol"
}
}
{
"progress": {
"message": "Scanning your binary for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0265",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-08-15T18:06:07Z",
"aliases": [
"CVE-2021-42248",
"CVE-2021-42836",
"GHSA-c9gm-7rfj-8w5h",
"GHSA-ppj4-34rq-v8j9"
],
"details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Get",
"parseObject",
"queryMatches"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/237"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/236"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0265"
}
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "Get"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "Get",
"receiver": "Result"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0113",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-10-06T17:51:21Z",
"aliases": [
"CVE-2021-38561",
"GHSA-ppp9-7jff-5vj2"
],
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.7"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/language",
"symbols": [
"MatchStrings",
"MustParse",
"Parse",
"ParseAcceptLanguage"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/340830"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
}
],
"credits": [
{
"name": "Guido Vranken"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0113"
}
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0",
"package": "golang.org/x/text/language"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0",
"package": "golang.org/x/text/language",
"function": "Parse"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0054",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-36067",
"GHSA-p64j-r5f4-pwwx"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Result.ForEach",
"unwrap"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/196"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0054"
}
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2020-0015",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-14040",
"GHSA-5rcv-m4m3-hfh7"
],
"details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/encoding/unicode",
"symbols": [
"bomOverride.Transform",
"utf16Decoder.Transform"
]
},
{
"path": "golang.org/x/text/transform",
"symbols": [
"String"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/238238"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/39491"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
}
],
"credits": [
{
"name": "@abacabadabacaba and Anton Gyllenberg"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0015"
}
}
}
{
"finding": {
"osv": "GO-2020-0015",
"fixed_version": "v0.3.3",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0059",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-35380",
"GHSA-w942-gw6m-p62c"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.4"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Array",
"Result.Get",
"Result.Map",
"Result.Value",
"squash"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/192"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0059"
}
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2022-0969",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-09-12T20:23:06Z",
"aliases": [
"CVE-2022-27664",
"GHSA-69cg-p879-7622"
],
"details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.6"
},
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"ListenAndServe",
"ListenAndServeTLS",
"Serve",
"ServeTLS",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.Serve",
"Server.ServeTLS",
"http2Server.ServeConn",
"http2serverConn.goAway"
]
}
]
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220906165146-f3363e06e74c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/http2",
"symbols": [
"Server.ServeConn",
"serverConn.goAway"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/54658"
},
{
"type": "FIX",
"url": "https://go.dev/cl/428735"
}
],
"credits": [
{
"name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0969"
}
}
}
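Review bot: the header comment `# Test basic binary scanning with json output` is copied verbatim from the non-vendored test; it should say that this case scans ${vendored_binary} so the two fixtures are distinguishable in failure output. The expected findings also differ from the non-vendored run: GO-2021-0054 stops at the package level here (no `"function": "ForEach"` record) while GO-2021-0265 keeps both of its function-level traces. If the vendored fixture intentionally does not call Result.ForEach, state that in the header; otherwise this reads as vendoring losing symbol resolution for one package and deserves a closer look.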
@@ -0,0 +1,525 @@
#####
# Test binary scanning at the module level with json output
$ govulncheck -json -mode=binary -scan=module ${vuln_binary}
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"scan_level": "module"
}
}
{
"progress": {
"message": "Scanning your binary for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0265",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-08-15T18:06:07Z",
"aliases": [
"CVE-2021-42248",
"CVE-2021-42836",
"GHSA-c9gm-7rfj-8w5h",
"GHSA-ppj4-34rq-v8j9"
],
"details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Get",
"parseObject",
"queryMatches"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/237"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/236"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0265"
}
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0113",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-10-06T17:51:21Z",
"aliases": [
"CVE-2021-38561",
"GHSA-ppp9-7jff-5vj2"
],
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.7"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/language",
"symbols": [
"MatchStrings",
"MustParse",
"Parse",
"ParseAcceptLanguage"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/340830"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
}
],
"credits": [
{
"name": "Guido Vranken"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0113"
}
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0054",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-36067",
"GHSA-p64j-r5f4-pwwx"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Result.ForEach",
"unwrap"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/196"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0054"
}
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2020-0015",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-14040",
"GHSA-5rcv-m4m3-hfh7"
],
"details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/encoding/unicode",
"symbols": [
"bomOverride.Transform",
"utf16Decoder.Transform"
]
},
{
"path": "golang.org/x/text/transform",
"symbols": [
"String"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/238238"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/39491"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
}
],
"credits": [
{
"name": "@abacabadabacaba and Anton Gyllenberg"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0015"
}
}
}
{
"finding": {
"osv": "GO-2020-0015",
"fixed_version": "v0.3.3",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0059",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-35380",
"GHSA-w942-gw6m-p62c"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.4"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Array",
"Result.Get",
"Result.Map",
"Result.Value",
"squash"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/192"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0059"
}
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2022-0969",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-09-12T20:23:06Z",
"aliases": [
"CVE-2022-27664",
"GHSA-69cg-p879-7622"
],
"details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.6"
},
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"ListenAndServe",
"ListenAndServeTLS",
"Serve",
"ServeTLS",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.Serve",
"Server.ServeTLS",
"http2Server.ServeConn",
"http2serverConn.goAway"
]
}
]
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220906165146-f3363e06e74c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/http2",
"symbols": [
"Server.ServeConn",
"serverConn.goAway"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/54658"
},
{
"type": "FIX",
"url": "https://go.dev/cl/428735"
}
],
"credits": [
{
"name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0969"
}
}
}
@@ -0,0 +1,47 @@
#####
# Test binary scanning at the module level
$ govulncheck -mode=binary -scan module ${vuln_binary} --> FAIL 3
Scanning your binary for known vulnerabilities...
=== Module Results ===
Vulnerability #1: GO-2021-0265
A maliciously crafted path can cause Get and other query functions to
consume excessive amounts of CPU and time.
More info: https://pkg.go.dev/vuln/GO-2021-0265
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.9.3
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Vulnerability #3: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
More info: https://pkg.go.dev/vuln/GO-2021-0054
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.6.6
Vulnerability #4: GO-2020-0015
An attacker could provide a single byte to a UTF16 decoder instantiated with
UseBOM or ExpectBOM to trigger an infinite loop if the String function on
the Decoder is called, or the Decoder is passed to transform.String. If used
to parse user supplied input, this may be used as a denial of service
vector.
More info: https://pkg.go.dev/vuln/GO-2020-0015
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.3
Your code may be affected by 4 vulnerabilities.
Use '-scan symbol' for more fine grained vulnerability detection.
@@ -0,0 +1,564 @@
#####
# Test binary scanning at the package level with json output
$ govulncheck -json -mode=binary -scan=package ${vuln_binary}
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"scan_level": "package"
}
}
{
"progress": {
"message": "Scanning your binary for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0265",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-08-15T18:06:07Z",
"aliases": [
"CVE-2021-42248",
"CVE-2021-42836",
"GHSA-c9gm-7rfj-8w5h",
"GHSA-ppj4-34rq-v8j9"
],
"details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Get",
"parseObject",
"queryMatches"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/237"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/236"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0265"
}
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0113",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-10-06T17:51:21Z",
"aliases": [
"CVE-2021-38561",
"GHSA-ppp9-7jff-5vj2"
],
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.7"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/language",
"symbols": [
"MatchStrings",
"MustParse",
"Parse",
"ParseAcceptLanguage"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/340830"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
}
],
"credits": [
{
"name": "Guido Vranken"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0113"
}
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0",
"package": "golang.org/x/text/language"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0054",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-36067",
"GHSA-p64j-r5f4-pwwx"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Result.ForEach",
"unwrap"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/196"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0054"
}
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2020-0015",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-14040",
"GHSA-5rcv-m4m3-hfh7"
],
"details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/encoding/unicode",
"symbols": [
"bomOverride.Transform",
"utf16Decoder.Transform"
]
},
{
"path": "golang.org/x/text/transform",
"symbols": [
"String"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/238238"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/39491"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
}
],
"credits": [
{
"name": "@abacabadabacaba and Anton Gyllenberg"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0015"
}
}
}
{
"finding": {
"osv": "GO-2020-0015",
"fixed_version": "v0.3.3",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0059",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-35380",
"GHSA-w942-gw6m-p62c"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.4"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Array",
"Result.Get",
"Result.Map",
"Result.Value",
"squash"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/192"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0059"
}
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2022-0969",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-09-12T20:23:06Z",
"aliases": [
"CVE-2022-27664",
"GHSA-69cg-p879-7622"
],
"details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.6"
},
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"ListenAndServe",
"ListenAndServeTLS",
"Serve",
"ServeTLS",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.Serve",
"Server.ServeTLS",
"http2Server.ServeConn",
"http2serverConn.goAway"
]
}
]
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220906165146-f3363e06e74c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/http2",
"symbols": [
"Server.ServeConn",
"serverConn.goAway"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/54658"
},
{
"type": "FIX",
"url": "https://go.dev/cl/428735"
}
],
"credits": [
{
"name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0969"
}
}
}
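Review bot: the osv records for GO-2021-0059 (fixed in 1.6.4, while the scanned module is github.com/tidwall/gjson v1.6.5) and GO-2022-0969 (stdlib) are emitted with no matching finding, while the module-level text output for the same binary earlier on this page lists only four vulnerabilities. If emitting OSV entries that produce no finding is the intended JSON contract, state that in the header comment (`# Test binary scanning at the package level with json output`) so the extra entries are not mistaken for a regression when this expected output is next updated.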
@@ -0,0 +1,37 @@
# Test binary scanning at the package level.
$ govulncheck -mode=binary -scan package ${vuln_binary} --> FAIL 3
Scanning your binary for known vulnerabilities...
=== Package Results ===
Vulnerability #1: GO-2021-0265
A maliciously crafted path can cause Get and other query functions to
consume excessive amounts of CPU and time.
More info: https://pkg.go.dev/vuln/GO-2021-0265
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.9.3
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Vulnerability #3: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
More info: https://pkg.go.dev/vuln/GO-2021-0054
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.6.6
Your code may be affected by 3 vulnerabilities.
This scan also found 1 vulnerability in modules you require.
Use '-scan symbol' for more fine grained vulnerability detection and '-show
verbose' for more details.
@@ -0,0 +1,281 @@
{
"config": {
"protocol_version": "v0.1.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"go_version": "go1.18",
"scan_level": "symbol"
}
}
{
"progress": {
"message": "Scanning your code and P packages across M dependent modules for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0265",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-08-15T18:06:07Z",
"aliases": [
"CVE-2021-42248",
"CVE-2021-42836",
"GHSA-c9gm-7rfj-8w5h",
"GHSA-ppj4-34rq-v8j9"
],
"details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Get",
"parseObject",
"queryMatches"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/237"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/236"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0265"
}
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "Get",
"receiver": "Result"
},
{
"module": "golang.org/vuln",
"package": "golang.org/vuln",
"function": "main",
"position": {
"filename": ".../vuln.go",
"offset": 183,
"line": 14,
"column": 20
}
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0113",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-10-06T17:51:21Z",
"aliases": [
"CVE-2021-38561",
"GHSA-ppp9-7jff-5vj2"
],
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.7"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/language",
"symbols": [
"MatchStrings",
"MustParse",
"Parse",
"ParseAcceptLanguage"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/340830"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
}
],
"credits": [
{
"name": "Guido Vranken"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0113"
}
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0",
"package": "golang.org/x/text/language",
"function": "Parse"
},
{
"module": "golang.org/vuln",
"package": "golang.org/vuln",
"function": "main",
"position": {
"filename": ".../vuln.go",
"offset": 159,
"line": 13,
"column": 16
}
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0054",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-36067",
"GHSA-p64j-r5f4-pwwx"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Result.ForEach",
"unwrap"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/196"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0054"
}
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson"
}
]
}
}
@@ -0,0 +1,35 @@
#####
# Test using the conversion from json on stdin to text on stdout
# location of convert input is subdirectory/convert_intput
$ govulncheck -mode=convert < convert/convert_input.json --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0265
A maliciously crafted path can cause Get and other query functions to
consume excessive amounts of CPU and time.
More info: https://pkg.go.dev/vuln/GO-2021-0265
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.9.3
Example traces found:
#1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: .../vuln.go:<l>:<c>: vuln.main calls language.Parse
Your code is affected by 2 vulnerabilities from 2 modules.
This scan also found 1 vulnerability in packages you import and 0
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
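Review bot: the comment `# location of convert input is subdirectory/convert_intput` misspells the file name and does not match the path the command actually reads (`convert/convert_input.json`); either drop the comment or make it name the real path, e.g. `# input lives in convert/convert_input.json`.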
@@ -0,0 +1,50 @@
#####
# Test binary mode using the extracted binary blob.
$ govulncheck -mode=binary ${testdir}/extract/vuln.blob --> FAIL 3
Scanning your binary for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0265
A maliciously crafted path can cause Get and other query functions to
consume excessive amounts of CPU and time.
More info: https://pkg.go.dev/vuln/GO-2021-0265
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.9.3
Example traces found:
#1: gjson.Get
#2: gjson.Result.Get
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: language.Parse
Vulnerability #3: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
More info: https://pkg.go.dev/vuln/GO-2021-0054
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.6.6
Example traces found:
#1: gjson.Result.ForEach
Your code is affected by 3 vulnerabilities from 2 modules.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
Use '-show verbose' for more details.
# Test extract mode. Due to the size of the blob even for smallest programs, we
# directly compare its output to a target vuln_blob.json file.
$ govulncheck-cmp -mode=extract ${moddir}/vuln/vuln_dont_run_me ${testdir}/extract/vuln.blob
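Review bot: the comment says the output is compared "to a target vuln_blob.json file", but the command compares against `${testdir}/extract/vuln.blob`; update the comment to name the real fixture. This case also lacks the `#####` separator every other case in these files uses, and a one-line note on why it runs through `govulncheck-cmp` rather than `govulncheck` would help the next reader.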
File diff suppressed because one or more lines are too long
@@ -0,0 +1 @@
{"name":"govulncheck-extract","version":"0.1.0"}{"modules":[]}{"name":"govulncheck-extract","version":"0.1.0"}
@@ -0,0 +1,69 @@
#####
# Test of passing a non-file to -mode=binary
$ govulncheck -mode=binary notafile --> FAIL 2
"notafile" is not a file
#####
# Test of passing a non-binary and non-blob file to -mode=binary
$ govulncheck -mode=binary ${moddir}/vuln/go.mod --> FAIL 1
govulncheck: unrecognized binary format
#####
# Test of passing a blob with invalid header id
$ govulncheck -mode=binary ${testdir}/failures/invalid_header_name.blob --> FAIL 1
govulncheck: unrecognized binary format
#####
# Test of passing a blob with invalid header version
$ govulncheck -mode=binary ${testdir}/failures/invalid_header_version.blob --> FAIL 1
govulncheck: unrecognized binary format
#####
# Test of passing a blob with no header
$ govulncheck -mode=binary ${testdir}/failures/no_header.blob --> FAIL 1
govulncheck: unrecognized binary format
#####
# Test of passing a blob with invalid header, i.e., no header
$ govulncheck -mode=binary ${testdir}/failures/no_header.blob --> FAIL 1
govulncheck: unrecognized binary format
#####
# Test of passing a blob with no body
$ govulncheck -mode=binary ${testdir}/failures/no_body.blob --> FAIL 1
govulncheck: unrecognized binary format
#####
# Test of passing an empty blob/file
$ govulncheck -mode=binary ${testdir}/failures/empty.blob --> FAIL 1
govulncheck: unrecognized binary format
#####
# Test of passing an empty blob message
$ govulncheck -mode=binary ${testdir}/failures/empty_message.blob --> FAIL 1
govulncheck: unrecognized binary format
#####
# Test of passing blob message with multiple headers
$ govulncheck -mode=binary ${testdir}/failures/multi_header.blob --> FAIL 1
govulncheck: unrecognized binary format
#####
# Test of passing blob message with something after the body
$ govulncheck -mode=binary ${testdir}/failures/multi_header.blob --> FAIL 1
govulncheck: unrecognized binary format
#####
# Test of trying to analyze multiple binaries
$ govulncheck -mode=binary ${vuln_binary} ${vuln_binary} --> FAIL 2
only 1 binary can be analyzed at a time
#####
# Test of trying to run -mode=binary with -tags flag
$ govulncheck -tags=foo -mode=binary ${vuln_binary} --> FAIL 2
the -tags flag is not supported in binary mode
#####
# Test of trying to run -mode=binary with the -test flag
$ govulncheck -test -mode=binary ${vuln_binary} --> FAIL 2
the -test flag is not supported in binary mode
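Review bot: two cases are duplicates and a third does not exercise what its comment says. `# Test of passing a blob with no header` and `# Test of passing a blob with invalid header, i.e., no header` both run `${testdir}/failures/no_header.blob`, and `# Test of passing blob message with something after the body` reuses `${testdir}/failures/multi_header.blob`, the same input as the multiple-headers case directly above it, so the trailing-data scenario is never fed to the scanner. Drop one of the no_header cases and point the trailing-data case at a fixture that actually carries data after the body.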
@@ -0,0 +1,4 @@
#####
# Test extraction of an unsupported file format
$ govulncheck -mode=extract ${moddir}/vuln/go.mod --> FAIL 1
govulncheck: unrecognized binary format
@@ -0,0 +1 @@
{"id":"invalid-name","protocol":"0.1.0"}{"modules":[{"Path":"github.com/tidwall/gjson","Version":"v1.6.5","Replace":null,"Time":null,"Main":false,"Indirect":false,"Dir":"","GoMod":"","GoVersion":"","Error":null}]}
@@ -0,0 +1 @@
{"name":"invalid-name","version":"0.1.0"}{"modules":[{"Path":"github.com/tidwall/gjson","Version":"v1.6.5","Replace":null,"Time":null,"Main":false,"Indirect":false,"Dir":"","GoMod":"","GoVersion":"","Error":null}]}
@@ -0,0 +1 @@
{"name":"govulncheck-extract","version":"8.8.8"}{"modules":[{"Path":"github.com/tidwall/gjson","Version":"v1.6.5","Replace":null,"Time":null,"Main":false,"Indirect":false,"Dir":"","GoMod":"","GoVersion":"","Error":null}]}
@@ -0,0 +1 @@
{"name":"govulncheck-extract","version":"0.1.0"}{"name":"govulncheck-extract","version":"0.1.0"}{"modules":[]}
@@ -0,0 +1 @@
{"name":"govulncheck-extract","version":"0.1.0"}
@@ -0,0 +1 @@
{"modules":[{"Path":"github.com/tidwall/gjson","Version":"v1.6.5","Replace":null,"Time":null,"Main":false,"Indirect":false,"Dir":"","GoMod":"","GoVersion":"","Error":null}]}
@@ -0,0 +1,4 @@
#####
# Test of query mode with invalid input.
$ govulncheck -mode=query -json example.com/module@ --> FAIL 2
invalid query example.com/module@: must be of the form module@version
@@ -0,0 +1,35 @@
#####
# Test of missing go.mod error message.
$ govulncheck -C ${moddir}/{nomoddir} . --> FAIL 1
govulncheck: no go.mod file
govulncheck only works with Go modules. Try navigating to your module directory.
Otherwise, run go mod init to make your project a module.
See https://go.dev/doc/modules/managing-dependencies for more information.
#####
# Test of handing a binary to source mode
$ govulncheck ${vuln_binary} --> FAIL 2
govulncheck: myfile is a file.
By default, govulncheck runs source analysis on Go modules.
Did you mean to run govulncheck with -mode=binary?
For details, run govulncheck -h.
#####
# Test of handing an invalid package pattern to source mode
$ govulncheck -C ${moddir}/vuln blah --> FAIL 1
govulncheck: loading packages:
There are errors with the provided package patterns:
-: package foo is not in GOROOT (/tmp/foo)
For details on package patterns, see https://pkg.go.dev/cmd/go#hdr-Package_lists_and_patterns.
#####
# Test of handing a package pattern to scan level module
$ govulncheck -scan module -C ${moddir}/vuln pattern --> FAIL 2
patterns are not accepted for module only scanning
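Review bot: `${moddir}/{nomoddir}` in the missing-go.mod case is inconsistent with the `${moddir}` substitution syntax used everywhere else; unless the brace without `$` is a harness feature, that path will never expand. Two expected outputs also do not match their commands as written: the binary-in-source-mode case passes `${vuln_binary}` but expects `govulncheck: myfile is a file.`, and the invalid-pattern case passes `blah` but expects `package foo is not in GOROOT (/tmp/foo)`. If the harness normalizes these values before comparison, a comment saying so would spare the next reader a false alarm.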
@@ -0,0 +1,14 @@
#####
# Test of invalid input to -mode
$ govulncheck -mode=invalid ./... --> FAIL 2
"invalid" is not a valid mode
#####
# Test of trying to run -json with -v flag
$ govulncheck -C ${moddir}/vuln -show=traces -json . --> FAIL 2
the -show flag is not supported for JSON output
#####
# Test of invalid input to -scan
$ govulncheck -scan=invalid ./... --> FAIL 2
"invalid" is not a valid scan level
@@ -0,0 +1,154 @@
#####
# Test of query mode for a third party module.
$ govulncheck -mode=query -json github.com/tidwall/gjson@v1.6.5
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"scan_level": "symbol"
}
}
{
"progress": {
"message": "Looking up vulnerabilities in github.com/tidwall/gjson at v1.6.5..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0054",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-36067",
"GHSA-p64j-r5f4-pwwx"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Result.ForEach",
"unwrap"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/196"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0054"
}
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0265",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-08-15T18:06:07Z",
"aliases": [
"CVE-2021-42248",
"CVE-2021-42836",
"GHSA-c9gm-7rfj-8w5h",
"GHSA-ppj4-34rq-v8j9"
],
"details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Get",
"parseObject",
"queryMatches"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/237"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/236"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0265"
}
}
}
@@ -0,0 +1,270 @@
#####
# Test of query mode with multiple inputs.
$ govulncheck -mode=query -json stdlib@go1.17 github.com/tidwall/gjson@v1.6.5
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"scan_level": "symbol"
}
}
{
"progress": {
"message": "Looking up vulnerabilities in stdlib at go1.17..."
}
}
{
"progress": {
"message": "Looking up vulnerabilities in github.com/tidwall/gjson at v1.6.5..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2022-0969",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-09-12T20:23:06Z",
"aliases": [
"CVE-2022-27664",
"GHSA-69cg-p879-7622"
],
"details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.6"
},
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"ListenAndServe",
"ListenAndServeTLS",
"Serve",
"ServeTLS",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.Serve",
"Server.ServeTLS",
"http2Server.ServeConn",
"http2serverConn.goAway"
]
}
]
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220906165146-f3363e06e74c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/http2",
"symbols": [
"Server.ServeConn",
"serverConn.goAway"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/54658"
},
{
"type": "FIX",
"url": "https://go.dev/cl/428735"
}
],
"credits": [
{
"name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0969"
}
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0054",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-36067",
"GHSA-p64j-r5f4-pwwx"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Result.ForEach",
"unwrap"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/196"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0054"
}
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0265",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-08-15T18:06:07Z",
"aliases": [
"CVE-2021-42248",
"CVE-2021-42836",
"GHSA-c9gm-7rfj-8w5h",
"GHSA-ppj4-34rq-v8j9"
],
"details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Get",
"parseObject",
"queryMatches"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/237"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/236"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0265"
}
}
}
@@ -0,0 +1,129 @@
#####
# Test of query mode with the standard library.
$ govulncheck -mode=query -json stdlib@go1.17
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"scan_level": "symbol"
}
}
{
"progress": {
"message": "Looking up vulnerabilities in stdlib at go1.17..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2022-0969",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-09-12T20:23:06Z",
"aliases": [
"CVE-2022-27664",
"GHSA-69cg-p879-7622"
],
"details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.6"
},
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"ListenAndServe",
"ListenAndServeTLS",
"Serve",
"ServeTLS",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.Serve",
"Server.ServeTLS",
"http2Server.ServeConn",
"http2serverConn.goAway"
]
}
]
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220906165146-f3363e06e74c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/http2",
"symbols": [
"Server.ServeConn",
"serverConn.goAway"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/54658"
},
{
"type": "FIX",
"url": "https://go.dev/cl/428735"
}
],
"credits": [
{
"name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0969"
}
}
}
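Review bot: no `finding` message follows the OSV entry in this query-mode output, even though go1.17 falls inside the affected range (introduced 0, fixed 1.18.6), whereas the source-mode JSON tests in this commit emit `finding` messages after the OSV entries. If query mode is meant to report matching OSV entries only, say so in the header comment on the second line of the hunk (for example `# Query mode reports matching OSV entries without findings.`) so readers do not mistake the missing finding for a regression.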
@@ -0,0 +1,129 @@
#####
# Test of query mode with the standard library (with a v prefix on the version).
$ govulncheck -mode=query -json stdlib@v1.17.0
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"scan_level": "symbol"
}
}
{
"progress": {
"message": "Looking up vulnerabilities in stdlib at v1.17.0..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2022-0969",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-09-12T20:23:06Z",
"aliases": [
"CVE-2022-27664",
"GHSA-69cg-p879-7622"
],
"details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.6"
},
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"ListenAndServe",
"ListenAndServeTLS",
"Serve",
"ServeTLS",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.Serve",
"Server.ServeTLS",
"http2Server.ServeConn",
"http2serverConn.goAway"
]
}
]
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220906165146-f3363e06e74c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/http2",
"symbols": [
"Server.ServeConn",
"serverConn.goAway"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/54658"
},
{
"type": "FIX",
"url": "https://go.dev/cl/428735"
}
],
"credits": [
{
"name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0969"
}
}
}
@@ -0,0 +1,722 @@
#####
#
$ govulncheck -C ${moddir}/vuln -json ./...
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"go_version": "go1.18",
"scan_level": "symbol"
}
}
{
"progress": {
"message": "Scanning your code and P packages across M dependent modules for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2022-0969",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-09-12T20:23:06Z",
"aliases": [
"CVE-2022-27664",
"GHSA-69cg-p879-7622"
],
"details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.6"
},
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"ListenAndServe",
"ListenAndServeTLS",
"Serve",
"ServeTLS",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.Serve",
"Server.ServeTLS",
"http2Server.ServeConn",
"http2serverConn.goAway"
]
}
]
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220906165146-f3363e06e74c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/http2",
"symbols": [
"Server.ServeConn",
"serverConn.goAway"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/54658"
},
{
"type": "FIX",
"url": "https://go.dev/cl/428735"
}
],
"credits": [
{
"name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0969"
}
}
}
{
"finding": {
"osv": "GO-2022-0969",
"fixed_version": "v1.18.6",
"trace": [
{
"module": "stdlib",
"version": "v1.18.0",
"package": "net/http"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0265",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-08-15T18:06:07Z",
"aliases": [
"CVE-2021-42248",
"CVE-2021-42836",
"GHSA-c9gm-7rfj-8w5h",
"GHSA-ppj4-34rq-v8j9"
],
"details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Get",
"parseObject",
"queryMatches"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/237"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/236"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0265"
}
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "Get",
"receiver": "Result",
"position": {
"filename": ".../gjson.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "golang.org/vuln",
"package": "golang.org/vuln",
"function": "main",
"position": {
"filename": ".../vuln.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0113",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-10-06T17:51:21Z",
"aliases": [
"CVE-2021-38561",
"GHSA-ppp9-7jff-5vj2"
],
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.7"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/language",
"symbols": [
"MatchStrings",
"MustParse",
"Parse",
"ParseAcceptLanguage"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/340830"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
}
],
"credits": [
{
"name": "Guido Vranken"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0113"
}
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0",
"package": "golang.org/x/text/language"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0",
"package": "golang.org/x/text/language",
"function": "Parse",
"position": {
"filename": ".../parse.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "golang.org/vuln",
"package": "golang.org/vuln",
"function": "main",
"position": {
"filename": ".../vuln.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0054",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-36067",
"GHSA-p64j-r5f4-pwwx"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Result.ForEach",
"unwrap"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/196"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0054"
}
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "ForEach",
"receiver": "Result",
"position": {
"filename": ".../gjson.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "modPretty",
"position": {
"filename": ".../gjson.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "execModifier",
"position": {
"filename": ".../gjson.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "Get",
"position": {
"filename": ".../gjson.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "Get",
"receiver": "Result",
"position": {
"filename": ".../gjson.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "golang.org/vuln",
"package": "golang.org/vuln",
"function": "main",
"position": {
"filename": ".../vuln.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2020-0015",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-14040",
"GHSA-5rcv-m4m3-hfh7"
],
"details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/encoding/unicode",
"symbols": [
"bomOverride.Transform",
"utf16Decoder.Transform"
]
},
{
"path": "golang.org/x/text/transform",
"symbols": [
"String"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/238238"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/39491"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
}
],
"credits": [
{
"name": "@abacabadabacaba and Anton Gyllenberg"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0015"
}
}
}
{
"finding": {
"osv": "GO-2020-0015",
"fixed_version": "v0.3.3",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0059",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-35380",
"GHSA-w942-gw6m-p62c"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.4"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Array",
"Result.Get",
"Result.Map",
"Result.Value",
"squash"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/192"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0059"
}
}
}
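Review bot: this `-json` invocation carries no `--> FAIL 3` suffix while the text-mode run of the same module (`govulncheck -C ${moddir}/vuln ./...`) expects exit status 3 with the same three symbol-level findings; if JSON output is meant to exit 0 regardless of findings, a one-line comment on the second line of this hunk (currently a bare `#`) would document that contract for anyone scripting around the exit code. Also, the final OSV entry, GO-2021-0059 (fixed in 1.6.4), is emitted for gjson@v1.6.5 with no `finding` after it; worth stating whether emitting OSV entries that do not affect the resolved version is intended.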
@@ -0,0 +1,172 @@
#####
# Test of basic govulncheck in source mode
$ govulncheck -C ${moddir}/vuln ./... --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0265
A maliciously crafted path can cause Get and other query functions to
consume excessive amounts of CPU and time.
More info: https://pkg.go.dev/vuln/GO-2021-0265
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.9.3
Example traces found:
#1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: .../vuln.go:<l>:<c>: vuln.main calls language.Parse
Vulnerability #3: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
More info: https://pkg.go.dev/vuln/GO-2021-0054
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.6.6
Example traces found:
#1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach
Your code is affected by 3 vulnerabilities from 2 modules.
This scan also found 0 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
#####
# Test of basic govulncheck in source mode with expanded traces
$ govulncheck -C ${moddir}/vuln -show=traces ./... --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0265
A maliciously crafted path can cause Get and other query functions to
consume excessive amounts of CPU and time.
More info: https://pkg.go.dev/vuln/GO-2021-0265
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.9.3
Example traces found:
#1: for function github.com/tidwall/gjson.Result.Get
.../vuln.go:<l>:<c>: golang.org/vuln.main
.../gjson.go:<l>:<c>: github.com/tidwall/gjson.Result.Get
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: for function golang.org/x/text/language.Parse
.../vuln.go:<l>:<c>: golang.org/vuln.main
.../parse.go:<l>:<c>: golang.org/x/text/language.Parse
Vulnerability #3: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
More info: https://pkg.go.dev/vuln/GO-2021-0054
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.6.6
Example traces found:
#1: for function github.com/tidwall/gjson.Result.ForEach
.../vuln.go:<l>:<c>: golang.org/vuln.main
.../gjson.go:<l>:<c>: github.com/tidwall/gjson.Result.Get
.../gjson.go:<l>:<c>: github.com/tidwall/gjson.Get
.../gjson.go:<l>:<c>: github.com/tidwall/gjson.execModifier
.../gjson.go:<l>:<c>: github.com/tidwall/gjson.modPretty
.../gjson.go:<l>:<c>: github.com/tidwall/gjson.Result.ForEach
Your code is affected by 3 vulnerabilities from 2 modules.
This scan also found 0 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
#####
# Test of basic govulncheck in source mode with the -show verbose flag
$ govulncheck -C ${moddir}/vuln -show verbose ./... --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0265
A maliciously crafted path can cause Get and other query functions to
consume excessive amounts of CPU and time.
More info: https://pkg.go.dev/vuln/GO-2021-0265
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.9.3
Example traces found:
#1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: .../vuln.go:<l>:<c>: vuln.main calls language.Parse
Vulnerability #3: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
More info: https://pkg.go.dev/vuln/GO-2021-0054
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.6.6
Example traces found:
#1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach
=== Package Results ===
No other vulnerabilities found.
=== Module Results ===
Vulnerability #1: GO-2022-0969
HTTP/2 server connections can hang forever waiting for a clean shutdown that
was preempted by a fatal error. This condition can be exploited by a
malicious client to cause a denial of service.
More info: https://pkg.go.dev/vuln/GO-2022-0969
Standard library
Found in: net/http@go1.18
Fixed in: net/http@go1.18.6
Vulnerability #2: GO-2020-0015
An attacker could provide a single byte to a UTF16 decoder instantiated with
UseBOM or ExpectBOM to trigger an infinite loop if the String function on
the Decoder is called, or the Decoder is passed to transform.String. If used
to parse user supplied input, this may be used as a denial of service
vector.
More info: https://pkg.go.dev/vuln/GO-2020-0015
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.3
Your code is affected by 3 vulnerabilities from 2 modules.
This scan also found 0 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
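Review bot: the three invocations in this hunk spell the same flag two ways (`-show=traces` and `-show verbose`); both forms are accepted, but using one form across the testdata keeps the scripts greppable and avoids suggesting that the spelling matters. Otherwise the expectations line up: the `-show verbose` run lists GO-2022-0969 and GO-2020-0015 under `=== Module Results ===`, matching the `2 vulnerabilities in modules you require` line of the default run, and correctly drops the trailing `Use '-show verbose' for more details.` hint.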
@@ -0,0 +1,14 @@
#####
# Test souce mode with no callstacks
$ govulncheck -C ${moddir}/informational -show=traces .
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
No vulnerabilities found.
Your code is affected by 0 vulnerabilities.
This scan also found 1 vulnerability in packages you import and 1 vulnerability
in modules you require, but your code doesn't appear to call these
vulnerabilities.
Use '-show verbose' for more details.
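Review bot: typo in the header comment on the second line of this hunk: `souce` should read `source`. The `-show=traces` flag has no visible effect here because there are no symbol-level findings to expand, which is presumably the point of the test; a word to that effect in the comment (for example `# no traces expected`) would make the intent explicit.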
@@ -0,0 +1,405 @@
#####
# Test for multiple call stacks in source mode
$ govulncheck -json -C ${moddir}/multientry .
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"go_version": "go1.18",
"scan_level": "symbol"
}
}
{
"progress": {
"message": "Scanning your code and P packages across M dependent modules for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2022-0969",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-09-12T20:23:06Z",
"aliases": [
"CVE-2022-27664",
"GHSA-69cg-p879-7622"
],
"details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.6"
},
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"ListenAndServe",
"ListenAndServeTLS",
"Serve",
"ServeTLS",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.Serve",
"Server.ServeTLS",
"http2Server.ServeConn",
"http2serverConn.goAway"
]
}
]
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220906165146-f3363e06e74c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/http2",
"symbols": [
"Server.ServeConn",
"serverConn.goAway"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/54658"
},
{
"type": "FIX",
"url": "https://go.dev/cl/428735"
}
],
"credits": [
{
"name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0969"
}
}
}
{
"finding": {
"osv": "GO-2022-0969",
"fixed_version": "v1.18.6",
"trace": [
{
"module": "stdlib",
"version": "v1.18.0",
"package": "net/http"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0113",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-10-06T17:51:21Z",
"aliases": [
"CVE-2021-38561",
"GHSA-ppp9-7jff-5vj2"
],
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.7"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/language",
"symbols": [
"MatchStrings",
"MustParse",
"Parse",
"ParseAcceptLanguage"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/340830"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
}
],
"credits": [
{
"name": "Guido Vranken"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0113"
}
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.5",
"package": "golang.org/x/text/language"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.5",
"package": "golang.org/x/text/language",
"function": "MustParse",
"position": {
"filename": ".../tags.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "golang.org/multientry",
"package": "golang.org/multientry",
"function": "foobar",
"position": {
"filename": ".../main.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "golang.org/multientry",
"package": "golang.org/multientry",
"function": "D",
"position": {
"filename": ".../main.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "golang.org/multientry",
"package": "golang.org/multientry",
"function": "main",
"position": {
"filename": ".../main.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.5",
"package": "golang.org/x/text/language",
"function": "Parse",
"position": {
"filename": ".../parse.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "golang.org/multientry",
"package": "golang.org/multientry",
"function": "C",
"position": {
"filename": ".../main.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "golang.org/multientry",
"package": "golang.org/multientry",
"function": "main",
"position": {
"filename": ".../main.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2020-0015",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-14040",
"GHSA-5rcv-m4m3-hfh7"
],
"details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/encoding/unicode",
"symbols": [
"bomOverride.Transform",
"utf16Decoder.Transform"
]
},
{
"path": "golang.org/x/text/transform",
"symbols": [
"String"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/238238"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/39491"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
}
],
"credits": [
{
"name": "@abacabadabacaba and Anton Gyllenberg"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0015"
}
}
}
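Review bot: the `trace` arrays in this hunk list the vulnerable symbol first (`language.MustParse` in `tags.go`) and the entry point `main` last, which is the reverse of the text-mode rendering in the companion test, where `golang.org/multientry.main` is printed first. That ordering is part of the JSON contract consumers will parse, so it deserves a sentence in the protocol documentation or a comment in the test header; the two traces themselves (main -> D -> foobar -> MustParse and main -> C -> Parse) are consistent with the text output.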
@@ -0,0 +1,72 @@
#####
# Test for multiple call stacks in source mode
$ govulncheck -C ${moddir}/multientry . --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.5
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: .../main.go:<l>:<c>: multientry.foobar calls language.MustParse
#2: .../main.go:<l>:<c>: multientry.C calls language.Parse
Your code is affected by 1 vulnerability from 1 module.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
Use '-show verbose' for more details.
#####
# Test for multple call stacks in source mode with expanded traces
$ govulncheck -show verbose -C ${moddir}/multientry -show=traces ./... --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.5
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: for function golang.org/x/text/language.MustParse
.../main.go:<l>:<c>: golang.org/multientry.main
.../main.go:<l>:<c>: golang.org/multientry.D
.../main.go:<l>:<c>: golang.org/multientry.foobar
.../tags.go:<l>:<c>: golang.org/x/text/language.MustParse
#2: for function golang.org/x/text/language.Parse
.../main.go:<l>:<c>: golang.org/multientry.main
.../main.go:<l>:<c>: golang.org/multientry.C
.../parse.go:<l>:<c>: golang.org/x/text/language.Parse
=== Package Results ===
No other vulnerabilities found.
=== Module Results ===
Vulnerability #1: GO-2022-0969
HTTP/2 server connections can hang forever waiting for a clean shutdown that
was preempted by a fatal error. This condition can be exploited by a
malicious client to cause a denial of service.
More info: https://pkg.go.dev/vuln/GO-2022-0969
Standard library
Found in: net/http@go1.18
Fixed in: net/http@go1.18.6
Your code is affected by 1 vulnerability from 1 module.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
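Review bot: typo in the header comment of the second test: `multple` should read `multiple`. The second invocation also passes `-show` twice (`-show verbose` and `-show=traces`) and scans `./...` while the first test scans `.`; if passing the flag twice is deliberate (it relies on `-show` accumulating values), say so in the comment, and note why the package pattern differs from the first test, since both runs are expected to report the same single finding.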
@@ -0,0 +1,25 @@
#####
# Test of source mode on a module with a replace directive.
$ govulncheck -C ${moddir}/replace ./... --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: .../main.go:<l>:<c>: replace.main calls language.Parse
Your code is affected by 1 vulnerability from 1 module.
This scan also found 0 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
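Review bot: the header says this exercises a replace directive, but nothing in the expected output shows that the replacement was honored. "Found in: golang.org/x/text@v0.3.0" is the same version the vuln/subdir tests report without any replace, so a regression that ignored the directive and resolved the original requirement could still match this golden output if the two versions coincide. State in the header which version the go.mod requires and which version the replace points to, and choose them so the Found in line can only be produced when the replace is applied.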
@@ -0,0 +1,47 @@
#####
# Test finding stdlib vulnerability in source mode
$ govulncheck -C ${moddir}/stdlib . --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2022-0969
HTTP/2 server connections can hang forever waiting for a clean shutdown that
was preempted by a fatal error. This condition can be exploited by a
malicious client to cause a denial of service.
More info: https://pkg.go.dev/vuln/GO-2022-0969
Standard library
Found in: net/http@go1.18
Fixed in: net/http@go1.18.6
Example traces found:
#1: .../stdlib.go:<l>:<c>: stdlib.main calls http.ListenAndServe
Your code is affected by 1 vulnerability from the Go standard library.
This scan found no other vulnerabilities in packages you import or modules you
require.
Use '-show verbose' for more details.
#####
# Test finding stdlib vulnerability in source mode with expanded traces
$ govulncheck -C ${moddir}/stdlib -show=traces . --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2022-0969
HTTP/2 server connections can hang forever waiting for a clean shutdown that
was preempted by a fatal error. This condition can be exploited by a
malicious client to cause a denial of service.
More info: https://pkg.go.dev/vuln/GO-2022-0969
Standard library
Found in: net/http@go1.18
Fixed in: net/http@go1.18.6
Example traces found:
#1: for function net/http.ListenAndServe
.../stdlib.go:<l>:<c>: golang.org/stdlib.main
.../server.go:<l>:<c>: net/http.ListenAndServe
Your code is affected by 1 vulnerability from the Go standard library.
This scan found no other vulnerabilities in packages you import or modules you
require.
Use '-show verbose' for more details.
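Review bot: both runs report "Found in: net/http@go1.18", which only holds if the harness pins the Go version used for the scan; the JSON tests in this change record "go_version": "go1.18" in their config, so the pin exists, but the header should say so. The GO-2022-0969 range is fixed at 1.18.6 and again at 1.19.1, so a reader who runs these on a current toolchain will expect the finding to disappear and needs to know the version is fixed by the test setup, not by the host.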
@@ -0,0 +1,51 @@
#####
# Test govulncheck runs on the subdirectory of a module
$ govulncheck -C ${moddir}/vuln/subdir . --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: .../subdir.go:<l>:<c>: subdir.Foo calls language.Parse
Your code is affected by 1 vulnerability from 1 module.
This scan also found 0 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
#####
# Test govulncheck runs on the subdirectory of a module
$ govulncheck -C ${moddir}/vuln/subdir -show=traces . --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: for function golang.org/x/text/language.Parse
.../subdir.go:<l>:<c>: golang.org/vuln/subdir.Foo
.../parse.go:<l>:<c>: golang.org/x/text/language.Parse
Your code is affected by 1 vulnerability from 1 module.
This scan also found 0 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
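Review bot: the two tests in this hunk carry the identical header comment "Test govulncheck runs on the subdirectory of a module" even though the second adds -show=traces; rename the second to "... with expanded traces", as the stdlib pair does, so a failure report identifies which variant broke.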
@@ -0,0 +1,653 @@
#####
#
$ govulncheck -C ${moddir}/vendored -json ./...
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"go_version": "go1.18",
"scan_level": "symbol"
}
}
{
"progress": {
"message": "Scanning your code and P packages across M dependent modules for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2022-0969",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-09-12T20:23:06Z",
"aliases": [
"CVE-2022-27664",
"GHSA-69cg-p879-7622"
],
"details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.6"
},
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"ListenAndServe",
"ListenAndServeTLS",
"Serve",
"ServeTLS",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.Serve",
"Server.ServeTLS",
"http2Server.ServeConn",
"http2serverConn.goAway"
]
}
]
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220906165146-f3363e06e74c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/http2",
"symbols": [
"Server.ServeConn",
"serverConn.goAway"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/54658"
},
{
"type": "FIX",
"url": "https://go.dev/cl/428735"
}
],
"credits": [
{
"name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0969"
}
}
}
{
"finding": {
"osv": "GO-2022-0969",
"fixed_version": "v1.18.6",
"trace": [
{
"module": "stdlib",
"version": "v1.18.0",
"package": "net/http"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0265",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-08-15T18:06:07Z",
"aliases": [
"CVE-2021-42248",
"CVE-2021-42836",
"GHSA-c9gm-7rfj-8w5h",
"GHSA-ppj4-34rq-v8j9"
],
"details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Get",
"parseObject",
"queryMatches"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/237"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/236"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0265"
}
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "Get",
"receiver": "Result",
"position": {
"filename": ".../gjson.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "private.com/privateuser/fakemod",
"version": "v1.0.0",
"package": "private.com/privateuser/fakemod",
"function": "Leave",
"position": {
"filename": ".../mod.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "golang.org/vendored",
"package": "golang.org/vendored",
"function": "main",
"position": {
"filename": ".../vendored.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0113",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-10-06T17:51:21Z",
"aliases": [
"CVE-2021-38561",
"GHSA-ppp9-7jff-5vj2"
],
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.7"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/language",
"symbols": [
"MatchStrings",
"MustParse",
"Parse",
"ParseAcceptLanguage"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/340830"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
}
],
"credits": [
{
"name": "Guido Vranken"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0113"
}
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0",
"package": "golang.org/x/text/language"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0",
"package": "golang.org/x/text/language",
"function": "Parse",
"position": {
"filename": ".../language.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "golang.org/vendored",
"package": "golang.org/vendored",
"function": "main",
"position": {
"filename": ".../vendored.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0054",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-36067",
"GHSA-p64j-r5f4-pwwx"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Result.ForEach",
"unwrap"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/196"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0054"
}
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2020-0015",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-14040",
"GHSA-5rcv-m4m3-hfh7"
],
"details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/encoding/unicode",
"symbols": [
"bomOverride.Transform",
"utf16Decoder.Transform"
]
},
{
"path": "golang.org/x/text/transform",
"symbols": [
"String"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/238238"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/39491"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
}
],
"credits": [
{
"name": "@abacabadabacaba and Anton Gyllenberg"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0015"
}
}
}
{
"finding": {
"osv": "GO-2020-0015",
"fixed_version": "v0.3.3",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0059",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-35380",
"GHSA-w942-gw6m-p62c"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.4"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Array",
"Result.Get",
"Result.Map",
"Result.Value",
"squash"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/192"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0059"
}
}
}
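Review bot: the header comment for this JSON test is an empty "#", and the expected stream ends with an OSV entry for GO-2021-0059 that has no finding after it: gjson is at v1.6.5 and GO-2021-0059 is fixed in 1.6.4, so the version in use is not affected, yet the entry is still emitted. If emitting every OSV entry that names a required module path regardless of version is the intended protocol, say so in the header so a later contributor does not "fix" the scanner to drop it; if it is not intended, this golden output is locking in a bug. Give the test a description matching its text counterpart, for example "Vendored directory with JSON output".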
@@ -0,0 +1,66 @@
#####
# Vendored directory w text output
$ govulncheck -C ${moddir}/vendored -show verbose ./... --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0265
A maliciously crafted path can cause Get and other query functions to
consume excessive amounts of CPU and time.
More info: https://pkg.go.dev/vuln/GO-2021-0265
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.9.3
Example traces found:
#1: .../vendored.go:<l>:<c>: vendored.main calls fakemod.Leave, which calls gjson.Result.Get
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: .../vendored.go:<l>:<c>: vendored.main calls language.Parse
=== Package Results ===
Vulnerability #1: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
More info: https://pkg.go.dev/vuln/GO-2021-0054
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.6.6
=== Module Results ===
Vulnerability #1: GO-2022-0969
HTTP/2 server connections can hang forever waiting for a clean shutdown that
was preempted by a fatal error. This condition can be exploited by a
malicious client to cause a denial of service.
More info: https://pkg.go.dev/vuln/GO-2022-0969
Standard library
Found in: net/http@go1.18
Fixed in: net/http@go1.18.6
Vulnerability #2: GO-2020-0015
An attacker could provide a single byte to a UTF16 decoder instantiated with
UseBOM or ExpectBOM to trigger an infinite loop if the String function on
the Decoder is called, or the Decoder is passed to transform.String. If used
to parse user supplied input, this may be used as a denial of service
vector.
More info: https://pkg.go.dev/vuln/GO-2020-0015
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.3
Your code is affected by 2 vulnerabilities from 2 modules.
This scan also found 1 vulnerability in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
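Review bot: the header "Vendored directory w text output" should read "with text output". This hunk only covers the -show verbose run; there is no default (non-verbose) run for the vendored module, so the compact summary and the "Use '-show verbose' for more details" footer are untested on the one fixture where a trace crosses a private vendored module (vendored.main calls fakemod.Leave, which calls gjson.Result.Get). Adding the default run would close that gap.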
@@ -0,0 +1,23 @@
#####
# Test of govulncheck call analysis for vulns with no package info available.
# All symbols of the module are vulnerable.
$ govulncheck -C ${moddir}/wholemodvuln ./... --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2022-0956
Excessive resource consumption in gopkg.in/yaml.v2
More info: https://pkg.go.dev/vuln/GO-2022-0956
Module: gopkg.in/yaml.v2
Found in: gopkg.in/yaml.v2@v2.2.3
Fixed in: gopkg.in/yaml.v2@v2.2.4
Example traces found:
#1: .../whole_mod_vuln.go:<l>:<c>: wholemodvuln.main calls yaml.Marshal
#2: .../whole_mod_vuln.go:<l>:<c>: wholemodvuln.init calls yaml.init
Your code is affected by 1 vulnerability from 1 module.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
Use '-show verbose' for more details.
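Review bot: trace #2, "wholemodvuln.init calls yaml.init", is the key assertion in this test and deserves a sentence in the header: with no package or symbol information in the report, every function of gopkg.in/yaml.v2, including its package init, is treated as vulnerable, so merely importing the module yields a finding. Without that explanation a later contributor may read the init trace as noise and remove it, silently weakening the whole-module case.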
@@ -0,0 +1,297 @@
#####
# Test that findings with callstacks or packages are not emitted in module mode
$ govulncheck -json -scan module -C ${moddir}/multientry
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"go_version": "go1.18",
"scan_level": "module"
}
}
{
"progress": {
"message": "Scanning your code across 2 dependent modules for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2022-0969",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-09-12T20:23:06Z",
"aliases": [
"CVE-2022-27664",
"GHSA-69cg-p879-7622"
],
"details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.6"
},
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"ListenAndServe",
"ListenAndServeTLS",
"Serve",
"ServeTLS",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.Serve",
"Server.ServeTLS",
"http2Server.ServeConn",
"http2serverConn.goAway"
]
}
]
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220906165146-f3363e06e74c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/http2",
"symbols": [
"Server.ServeConn",
"serverConn.goAway"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/54658"
},
{
"type": "FIX",
"url": "https://go.dev/cl/428735"
}
],
"credits": [
{
"name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0969"
}
}
}
{
"finding": {
"osv": "GO-2022-0969",
"fixed_version": "v1.18.6",
"trace": [
{
"module": "stdlib",
"version": "v1.18.0",
"package": "net/http"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0113",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-10-06T17:51:21Z",
"aliases": [
"CVE-2021-38561",
"GHSA-ppp9-7jff-5vj2"
],
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.7"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/language",
"symbols": [
"MatchStrings",
"MustParse",
"Parse",
"ParseAcceptLanguage"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/340830"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
}
],
"credits": [
{
"name": "Guido Vranken"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0113"
}
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.5"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2020-0015",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-14040",
"GHSA-5rcv-m4m3-hfh7"
],
"details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/encoding/unicode",
"symbols": [
"bomOverride.Transform",
"utf16Decoder.Transform"
]
},
{
"path": "golang.org/x/text/transform",
"symbols": [
"String"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/238238"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/39491"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
}
],
"credits": [
{
"name": "@abacabadabacaba and Anton Gyllenberg"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0015"
}
}
}
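Review bot: the header says findings with packages are not emitted in module mode, but the first finding in this stream (GO-2022-0969) carries "package": "net/http" in its trace entry. Either the header needs a carve-out for the standard library, where the module is reported as "stdlib" and the package is what identifies the affected code, or the stdlib finding is leaking package information that a module-level scan has not established. Separately, the progress message hardcodes "2 dependent modules" while every other test in this change uses the P/M placeholders; the normalizer evidently matches only the "P packages across M dependent modules" form, so extend it to the module-mode message or this golden file breaks whenever the fixture's dependency count changes. As in the vendored JSON test, GO-2020-0015 is emitted with no finding (x/text is at v0.3.5, fixed in 0.3.3), which should be documented if intended.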
@@ -0,0 +1,58 @@
#####
# Testing that govulncheck doesn't mention calls when it doesn't
# have callstack information
$ govulncheck -scan module -C ${moddir}/multientry --> FAIL 3
Scanning your code across 2 dependent modules for known vulnerabilities...
=== Module Results ===
Vulnerability #1: GO-2022-0969
HTTP/2 server connections can hang forever waiting for a clean shutdown that
was preempted by a fatal error. This condition can be exploited by a
malicious client to cause a denial of service.
More info: https://pkg.go.dev/vuln/GO-2022-0969
Standard library
Found in: net/http@go1.18
Fixed in: net/http@go1.18.6
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.5
Fixed in: golang.org/x/text@v0.3.7
Your code may be affected by 2 vulnerabilities.
Use '-scan symbol' for more fine grained vulnerability detection.
#####
# -show verbose flag should only show module results with scan level module
$ govulncheck -scan module -show verbose -C ${moddir}/multientry --> FAIL 3
Scanning your code across 2 dependent modules for known vulnerabilities...
=== Module Results ===
Vulnerability #1: GO-2022-0969
HTTP/2 server connections can hang forever waiting for a clean shutdown that
was preempted by a fatal error. This condition can be exploited by a
malicious client to cause a denial of service.
More info: https://pkg.go.dev/vuln/GO-2022-0969
Standard library
Found in: net/http@go1.18
Fixed in: net/http@go1.18.6
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.5
Fixed in: golang.org/x/text@v0.3.7
Your code may be affected by 2 vulnerabilities.
Use '-scan symbol' for more fine grained vulnerability detection.
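Review bot: the two runs produce identical output, which is the point of the second test, but the stdlib entry reports "Found in: net/http@go1.18" while the x/text entry reports a module path; at module scan level the stdlib line names a package the scanner has not shown to be imported. Consider reporting the standard library as "stdlib@go1.18" here for consistency with "Module Results", or document in the header that for the standard library the affected package path is displayed in place of the module.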
@@ -0,0 +1,310 @@
#####
# Test that findings with callstacks are not emitted in package mode
$ govulncheck -json -scan package -C ${moddir}/multientry .
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"go_version": "go1.18",
"scan_level": "package"
}
}
{
"progress": {
"message": "Scanning your code and P packages across M dependent modules for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2022-0969",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-09-12T20:23:06Z",
"aliases": [
"CVE-2022-27664",
"GHSA-69cg-p879-7622"
],
"details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.6"
},
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"ListenAndServe",
"ListenAndServeTLS",
"Serve",
"ServeTLS",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.Serve",
"Server.ServeTLS",
"http2Server.ServeConn",
"http2serverConn.goAway"
]
}
]
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220906165146-f3363e06e74c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/http2",
"symbols": [
"Server.ServeConn",
"serverConn.goAway"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/54658"
},
{
"type": "FIX",
"url": "https://go.dev/cl/428735"
}
],
"credits": [
{
"name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0969"
}
}
}
{
"finding": {
"osv": "GO-2022-0969",
"fixed_version": "v1.18.6",
"trace": [
{
"module": "stdlib",
"version": "v1.18.0",
"package": "net/http"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0113",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-10-06T17:51:21Z",
"aliases": [
"CVE-2021-38561",
"GHSA-ppp9-7jff-5vj2"
],
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.7"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/language",
"symbols": [
"MatchStrings",
"MustParse",
"Parse",
"ParseAcceptLanguage"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/340830"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
}
],
"credits": [
{
"name": "Guido Vranken"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0113"
}
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.5",
"package": "golang.org/x/text/language"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2020-0015",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-14040",
"GHSA-5rcv-m4m3-hfh7"
],
"details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/encoding/unicode",
"symbols": [
"bomOverride.Transform",
"utf16Decoder.Transform"
]
},
{
"path": "golang.org/x/text/transform",
"symbols": [
"String"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/238238"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/39491"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
}
],
"credits": [
{
"name": "@abacabadabacaba and Anton Gyllenberg"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0015"
}
}
}
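Review bot: in this package-level stream the only finding for GO-2022-0969 has a "package" field ("net/http"), while GO-2021-0113 gets a module-level finding with no package followed by a separate package-level finding. A JSON consumer that uses "trace entry has a package" as the package-level signal will therefore classify the stdlib finding as package-level, even though the text output for the same command files it under Module Results. Either emit the stdlib module-level finding without the package, or state in the header that stdlib findings always carry the package path and that the level must be inferred from "function" and the config's "scan_level", not from "package".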
@@ -0,0 +1,53 @@
#####
# Testing that govulncheck doesn't mention calls when it doesn't have the relevant info
$ govulncheck -scan package -C ${moddir}/multientry . --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Package Results ===
Vulnerability #1: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.5
Fixed in: golang.org/x/text@v0.3.7
Your code may be affected by 1 vulnerability.
This scan also found 1 vulnerability in modules you require.
Use '-scan symbol' for more fine grained vulnerability detection and '-show
verbose' for more details.
#####
# Test for package level scan with the -show verbose flag
$ govulncheck -show verbose -scan package -C ${moddir}/multientry . --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Package Results ===
Vulnerability #1: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.5
Fixed in: golang.org/x/text@v0.3.7
=== Module Results ===
Vulnerability #1: GO-2022-0969
HTTP/2 server connections can hang forever waiting for a clean shutdown that
was preempted by a fatal error. This condition can be exploited by a
malicious client to cause a denial of service.
More info: https://pkg.go.dev/vuln/GO-2022-0969
Standard library
Found in: net/http@go1.18
Fixed in: net/http@go1.18.6
Your code may be affected by 1 vulnerability.
This scan also found 1 vulnerability in modules you require.
Use '-scan symbol' for more fine grained vulnerability detection.
@@ -0,0 +1,6 @@
#####
# Test message when there are no packages matching the provided pattern (#59623).
$ govulncheck -C ${moddir}/vuln pkg/no-govulncheck/...
No packages matching the provided pattern.
No vulnerabilities found.
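Review bot: this case asserts a zero exit status for a pattern that matches nothing (there is no `--> FAIL` on the `$ govulncheck -C ${moddir}/vuln pkg/no-govulncheck/...` line), so a mistyped package pattern in a CI job prints `No vulnerabilities found.` and passes. Consider giving an empty match its own non-zero exit code, or at least not printing `No vulnerabilities found.` when nothing was scanned, and assert that behaviour here so it cannot regress silently.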
@@ -0,0 +1,46 @@
#####
# Test of govulncheck help output
$ govulncheck -h
Govulncheck reports known vulnerabilities in dependencies.
Usage:
govulncheck [flags] [patterns]
govulncheck -mode=binary [flags] [binary]
-C dir
change to dir before running govulncheck
-db url
vulnerability database url (default "https://vuln.go.dev")
-json
output JSON
-mode string
supports source or binary (default "source")
-scan string
set the scanning level desired, one of module, package or symbol (default "symbol")
-show list
enable display of additional information specified by the comma separated list
The supported values are 'traces','color', 'version', and 'verbose'
-tags list
comma-separated list of build tags
-test
analyze test files (only valid for source mode, default false)
-version
print the version information
For details, see https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck.
#####
# Not scanning anything.
$ govulncheck
No vulnerabilities found.
#####
# Reporting version without scanning anything.
$ govulncheck -version
Go: go1.18
Scanner: govulncheck@v1.0.0
DB: testdata/vulndb-v1
DB updated: 2023-04-03 15:57:51 +0000 UTC
No vulnerabilities found.
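Review bot: the `-show list` description is inconsistently spaced and quoted, `'traces','color', 'version', and 'verbose'`; add the missing space after the first comma. The `# Not scanning anything.` case also pins down that a bare `govulncheck` with no patterns prints `No vulnerabilities found.`, which reads as a clean result rather than as "nothing was scanned"; a usage error or an explicit "no packages" message would be harder to misread from automation, and this test is where that expectation should be set.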
@@ -0,0 +1 @@
{"schema_version":"1.3.1","id":"GO-2020-0015","modified":"2023-04-03T15:57:51Z","published":"2021-04-14T20:04:52Z","aliases":["CVE-2020-14040","GHSA-5rcv-m4m3-hfh7"],"details":"An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.","affected":[{"package":{"name":"golang.org/x/text","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.3.3"}]}],"ecosystem_specific":{"imports":[{"path":"golang.org/x/text/encoding/unicode","symbols":["bomOverride.Transform","utf16Decoder.Transform"]},{"path":"golang.org/x/text/transform","symbols":["String"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/238238"},{"type":"FIX","url":"https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"},{"type":"REPORT","url":"https://go.dev/issue/39491"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"}],"credits":[{"name":"@abacabadabacaba and Anton Gyllenberg"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2020-0015"}}
@@ -0,0 +1 @@
{"schema_version":"1.3.1","id":"GO-2021-0054","modified":"2023-04-03T15:57:51Z","published":"2021-04-14T20:04:52Z","aliases":["CVE-2020-36067","GHSA-p64j-r5f4-pwwx"],"details":"Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.","affected":[{"package":{"name":"github.com/tidwall/gjson","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.6.6"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/tidwall/gjson","symbols":["Result.ForEach","unwrap"]}]}}],"references":[{"type":"FIX","url":"https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b"},{"type":"WEB","url":"https://github.com/tidwall/gjson/issues/196"}],"credits":[{"name":"@toptotu"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0054"}}
@@ -0,0 +1 @@
{"schema_version":"1.3.1","id":"GO-2021-0059","modified":"2023-04-03T15:57:51Z","published":"2021-04-14T20:04:52Z","aliases":["CVE-2020-35380","GHSA-w942-gw6m-p62c"],"details":"Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.","affected":[{"package":{"name":"github.com/tidwall/gjson","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.6.4"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/tidwall/gjson","symbols":["Get","GetBytes","GetMany","GetManyBytes","Result.Array","Result.Get","Result.Map","Result.Value","squash"]}]}}],"references":[{"type":"FIX","url":"https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc"},{"type":"WEB","url":"https://github.com/tidwall/gjson/issues/192"}],"credits":[{"name":"@toptotu"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0059"}}
@@ -0,0 +1 @@
{"schema_version":"1.3.1","id":"GO-2021-0113","modified":"2023-04-03T15:57:51Z","published":"2021-10-06T17:51:21Z","aliases":["CVE-2021-38561","GHSA-ppp9-7jff-5vj2"],"details":"Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.","affected":[{"package":{"name":"golang.org/x/text","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.3.7"}]}],"ecosystem_specific":{"imports":[{"path":"golang.org/x/text/language","symbols":["MatchStrings","MustParse","Parse","ParseAcceptLanguage"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/340830"},{"type":"FIX","url":"https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"}],"credits":[{"name":"Guido Vranken"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0113"}}
@@ -0,0 +1 @@
{"schema_version":"1.3.1","id":"GO-2021-0265","modified":"2023-04-03T15:57:51Z","published":"2022-08-15T18:06:07Z","aliases":["CVE-2021-42248","CVE-2021-42836","GHSA-c9gm-7rfj-8w5h","GHSA-ppj4-34rq-v8j9"],"details":"A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.","affected":[{"package":{"name":"github.com/tidwall/gjson","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.9.3"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/tidwall/gjson","symbols":["Get","GetBytes","GetMany","GetManyBytes","Result.Get","parseObject","queryMatches"]}]}}],"references":[{"type":"FIX","url":"https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"},{"type":"WEB","url":"https://github.com/tidwall/gjson/issues/237"},{"type":"WEB","url":"https://github.com/tidwall/gjson/issues/236"},{"type":"WEB","url":"https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0265"}}
@@ -0,0 +1,46 @@
{
"schema_version": "1.3.1",
"id": "GO-2022-0956",
"modified": "0001-01-01T00:00:00Z",
"published": "2022-08-29T22:15:46Z",
"aliases": [
"CVE-2022-3064",
"GHSA-6q6q-88xp-6f2r"
],
"summary": "Excessive resource consumption in gopkg.in/yaml.v2",
"details": "Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.",
"affected": [
{
"package": {
"name": "gopkg.in/yaml.v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.4"
}
]
}
]
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5"
},
{
"type": "WEB",
"url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0956"
}
}
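Review bot: GO-2022-0956 is not in either `copyFiles` list of the copy script in this commit and differs from the other fixtures: it is pretty-printed, has `"modified": "0001-01-01T00:00:00Z"` (the zero time, which also propagates into the generated index files), and carries no `ecosystem_specific.imports`, so symbol- and package-level scans cannot attribute it to any import. If this is deliberate (a module-only entry used to exercise the fallback path), add a comment or README line saying so and how to regenerate it; otherwise give it a real `modified` timestamp so index ordering and change detection are not tested against a sentinel value.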
@@ -0,0 +1 @@
{"schema_version":"1.3.1","id":"GO-2022-0969","modified":"2023-04-03T15:57:51Z","published":"2022-09-12T20:23:06Z","aliases":["CVE-2022-27664","GHSA-69cg-p879-7622"],"details":"HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.","affected":[{"package":{"name":"stdlib","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.18.6"},{"introduced":"1.19.0"},{"fixed":"1.19.1"}]}],"ecosystem_specific":{"imports":[{"path":"net/http","symbols":["ListenAndServe","ListenAndServeTLS","Serve","ServeTLS","Server.ListenAndServe","Server.ListenAndServeTLS","Server.Serve","Server.ServeTLS","http2Server.ServeConn","http2serverConn.goAway"]}]}},{"package":{"name":"golang.org/x/net","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20220906165146-f3363e06e74c"}]}],"ecosystem_specific":{"imports":[{"path":"golang.org/x/net/http2","symbols":["Server.ServeConn","serverConn.goAway"]}]}}],"references":[{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"},{"type":"REPORT","url":"https://go.dev/issue/54658"},{"type":"FIX","url":"https://go.dev/cl/428735"}],"credits":[{"name":"Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0969"}}
@@ -0,0 +1 @@
{"modified":"2023-04-03T15:57:51Z"}
@@ -0,0 +1 @@
[{"path":"github.com/tidwall/gjson","vulns":[{"id":"GO-2021-0054","modified":"2023-04-03T15:57:51Z","fixed":"1.6.6"},{"id":"GO-2021-0059","modified":"2023-04-03T15:57:51Z","fixed":"1.6.4"},{"id":"GO-2021-0265","modified":"2023-04-03T15:57:51Z","fixed":"1.9.3"}]},{"path":"golang.org/x/net","vulns":[{"id":"GO-2022-0969","modified":"2023-04-03T15:57:51Z","fixed":"0.0.0-20220906165146-f3363e06e74c"}]},{"path":"golang.org/x/text","vulns":[{"id":"GO-2020-0015","modified":"2023-04-03T15:57:51Z","fixed":"0.3.3"},{"id":"GO-2021-0113","modified":"2023-04-03T15:57:51Z","fixed":"0.3.7"}]},{"path":"stdlib","vulns":[{"id":"GO-2022-0969","modified":"2023-04-03T15:57:51Z","fixed":"1.19.1"}]},{"path":"gopkg.in/yaml.v2","vulns":[{"id":"GO-2022-0956","modified":"0001-01-01T00:00:00Z","fixed":"2.2.4"}]}]
@@ -0,0 +1 @@
[{"id":"GO-2020-0015","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2020-14040","GHSA-5rcv-m4m3-hfh7"]},{"id":"GO-2021-0054","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2020-36067","GHSA-p64j-r5f4-pwwx"]},{"id":"GO-2021-0059","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2020-35380","GHSA-w942-gw6m-p62c"]},{"id":"GO-2021-0113","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2021-38561","GHSA-ppp9-7jff-5vj2"]},{"id":"GO-2021-0265","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2021-42248","CVE-2021-42836","GHSA-c9gm-7rfj-8w5h","GHSA-ppj4-34rq-v8j9"]},{"id":"GO-2022-0969","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2022-27664","GHSA-69cg-p879-7622"]},{"id":"GO-2022-0956","modified":"0001-01-01T00:00:00Z","aliases":["CVE-2022-3064","GHSA-6q6q-88xp-6f2r"]}]
@@ -0,0 +1,51 @@
#!/bin/bash
# Copyright 2021 The Go Authors. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# Library of useful bash functions and variables.
RED=; GREEN=; YELLOW=; NORMAL=;
MAXWIDTH=0
if tput setaf 1 >& /dev/null; then
RED=$(tput setaf 1)
GREEN=$(tput setaf 2)
YELLOW=$(tput setaf 3)
NORMAL=$(tput sgr0)
MAXWIDTH=$(( $(tput cols) - 2 ))
fi
EXIT_CODE=0
export EXIT_CODE
info() { echo -e "${GREEN}$*${NORMAL}" 1>&2; }
warn() { echo -e "${YELLOW}$*${NORMAL}" 1>&2; }
err() { echo -e "${RED}$*${NORMAL}" 1>&2; EXIT_CODE=1; }
die() {
err "$@"
exit 1
}
dryrun=false
# runcmd prints an info log describing the command that is about to be run, and
# then runs it. It sets EXIT_CODE to non-zero if the command fails, but does not exit
# the script.
runcmd() {
msg="$*"
if $dryrun; then
echo -e "${YELLOW}dryrun${GREEN}\$ $msg${NORMAL}"
return 0
fi
# Truncate command logging for narrow terminals.
# Account for the 2 characters of '$ '.
if [[ $MAXWIDTH -gt 0 && ${#msg} -gt $MAXWIDTH ]]; then
msg="${msg::$(( MAXWIDTH - 3 ))}..."
fi
echo -e "$*\n" 1>&2;
"$@" || err "command failed"
}
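Review bot: the truncation in `runcmd` has no effect: `msg` is shortened to fit `MAXWIDTH` for narrow terminals, but the following line prints `echo -e "$*\n" 1>&2;` instead of `$msg`. Print `"\$ $msg"` (the comment says the 2 characters of `$ ` are already accounted for) and, for consistency with `info`, wrap it in `${GREEN}...${NORMAL}`. The dry-run branch also writes to stdout while every other log line goes to stderr, which matters for callers that capture stdout.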
@@ -0,0 +1,56 @@
#!/usr/bin/env -S bash -e
# Copyright 2023 The Go Authors. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
source devtools/lib.sh || { echo "Are you at repo root?"; exit 1; }
# Script for copying data from the v1 schema in vuln.go.dev for tests.
origin="https://vuln.go.dev"
go install golang.org/x/vulndb/cmd/indexdb@latest
# Copy files for unit tests.
copyFiles=(
"ID/GO-2021-0159.json"
"ID/GO-2022-0229.json"
"ID/GO-2022-0463.json"
"ID/GO-2022-0569.json"
"ID/GO-2022-0572.json"
"ID/GO-2021-0068.json"
"ID/GO-2022-0475.json"
"ID/GO-2022-0476.json"
"ID/GO-2021-0240.json"
"ID/GO-2021-0264.json"
"ID/GO-2022-0273.json"
)
UNIT_OUT_DIR=$(pwd)/internal/client/testdata/vulndb-v1
for f in "${copyFiles[@]}"; do
mkdir -p "$UNIT_OUT_DIR/$(dirname "$f")" && curl -L $origin/"$f" --output "$UNIT_OUT_DIR"/"$f"
done
unit_vulns="$UNIT_OUT_DIR/ID"
indexdb -out "$UNIT_OUT_DIR" -vulns "$unit_vulns"
# Copy files for integration tests.
copyFiles=(
"ID/GO-2022-0969.json"
"ID/GO-2020-0015.json"
"ID/GO-2021-0113.json"
"ID/GO-2021-0054.json"
"ID/GO-2021-0059.json"
"ID/GO-2021-0265.json"
)
INTEG_OUT_DIR=$(pwd)/cmd/govulncheck/testdata/vulndb-v1
for f in "${copyFiles[@]}"; do
mkdir -p "$INTEG_OUT_DIR"/"$(dirname "$f")" && curl -L "$origin"/"$f" --output "$INTEG_OUT_DIR"/"$f"
done
integ_vulns="$INTEG_OUT_DIR/ID"
indexdb -out "$INTEG_OUT_DIR" -vulns "$integ_vulns"
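Review bot: both download loops run `curl` without `--fail`, so a 404 or a proxy error page is written into the `.json` fixture and then fed to `indexdb`; add `-f` (and `-sS` to keep the log readable) so the `-e` in the shebang actually aborts the run. The first loop also leaves `$origin` unquoted in `curl -L $origin/"$f" --output "$UNIT_OUT_DIR"/"$f"` where the second loop quotes it; make them match. Finally, `go install golang.org/x/vulndb/cmd/indexdb@latest` pins nothing, so the generated index layout can drift between contributors' machines; pin a version or pseudo-version the way the other tooling in go.mod is pinned.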
@@ -0,0 +1,26 @@
# Go Vulnerability Database
## Accessing the database
The Go vulnerability database is rooted at
`https://vuln.go.dev` and provides data as JSON.
Do not rely on the contents of the x/vulndb repository. The YAML files in that
repository are maintained using an internal format that is subject to change
without warning.
The endpoints the table below are supported. For each path:
- $base is the path portion of a Go vulnerability database URL (`https://vuln.go.dev`).
- $module is a module path
- $vuln is a Go vulnerabilitiy ID (for example, `GO-2021-1234`)
| Path | Description |
| ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| $base/index.json | List of module paths in the database mapped to its last modified timestamp ([link](https://vuln.go.dev/index.json)). |
| $base/$module.json | List of vulnerability entries for that module ([example](https://vuln.go.dev/golang.org/x/crypto.json)). |
| $base/ID/index.json | List of all the vulnerability entries in the database |
| $base/ID/$vuln.json | An individual Go vulnerability report |
Note that these paths and format are provisional and likely to change until an
approved proposal.
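Review bot: two typos and a dropped word: `The endpoints the table below are supported` should read `The endpoints in the table below are supported`, `vulnerabilitiy` should be `vulnerability`, and `until an approved proposal` needs a verb (`until a proposal is approved`). More substantively, the table documents `$base/index.json` as module paths mapped to a last-modified timestamp and `$base/$module.json` as per-module entries, while the copy script in this commit describes the data as `the v1 schema` and rebuilds its index with `indexdb`, and the index fixtures it produces have a different shape from what this table describes. Confirm the table reflects the endpoints the client actually fetches, or state which schema version it documents.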
@@ -0,0 +1,14 @@
module golang.org/x/vuln
go 1.18
require (
github.com/google/go-cmdtest v0.4.1-0.20220921163831-55ab3332a786
github.com/google/go-cmp v0.5.8
golang.org/x/mod v0.14.0
golang.org/x/sync v0.6.0
golang.org/x/tools v0.17.0
mvdan.cc/unparam v0.0.0-20230312165513-e84e2d14e3b8
)
require github.com/google/renameio v0.1.0 // indirect
@@ -0,0 +1,15 @@
github.com/google/go-cmdtest v0.4.1-0.20220921163831-55ab3332a786 h1:rcv+Ippz6RAtvaGgKxc+8FQIpxHgsF+HBzPyYL2cyVU=
github.com/google/go-cmdtest v0.4.1-0.20220921163831-55ab3332a786/go.mod h1:apVn/GCasLZUVpAJ6oWAuyP7Ne7CEsQbTnc0plM3m+o=
github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/renameio v0.1.0 h1:GOZbcHa3HfsPKPlmyPyN2KEohoMXOhdMbHrvbpl2QaA=
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc=
golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
mvdan.cc/unparam v0.0.0-20230312165513-e84e2d14e3b8 h1:VuJo4Mt0EVPychre4fNlDWDuE5AjXtPJpRUWqZDQhaI=
mvdan.cc/unparam v0.0.0-20230312165513-e84e2d14e3b8/go.mod h1:Oh/d7dEtzsNHGOq1Cdv8aMm3KdKhVvPbRQcM8WFpBR8=
@@ -0,0 +1,9 @@
This code is a copied and slightly modified subset of go/src/debug/buildinfo.
It contains logic for parsing Go binary files for the purpose of extracting
module dependency and symbol table information.
Logic added by vulncheck is located in files with "additions_" prefix.
Within the originally named files, changed or added logic is annotated with
a comment starting with "Addition:".
@@ -0,0 +1,257 @@
// Copyright 2022 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
//go:build go1.18
// +build go1.18
package buildinfo
// This file adds to buildinfo the functionality for extracting the PCLN table.
import (
"debug/elf"
"debug/macho"
"debug/pe"
"encoding/binary"
"errors"
"fmt"
"io"
)
// ErrNoSymbols represents non-existence of symbol
// table in binaries supported by buildinfo.
var ErrNoSymbols = errors.New("no symbol section")
// SymbolInfo is derived from cmd/internal/objfile/elf.go:symbols, symbolData.
func (x *elfExe) SymbolInfo(name string) (uint64, uint64, io.ReaderAt, error) {
sym, err := x.lookupSymbol(name)
if err != nil {
if errors.Is(err, elf.ErrNoSymbols) {
return 0, 0, nil, ErrNoSymbols
}
return 0, 0, nil, fmt.Errorf("no symbol %q", name)
}
prog := x.progContaining(sym.Value)
if prog == nil {
return 0, 0, nil, fmt.Errorf("no Prog containing value %d for %q", sym.Value, name)
}
return sym.Value, prog.Vaddr, prog.ReaderAt, nil
}
func (x *elfExe) lookupSymbol(name string) (*elf.Symbol, error) {
x.symbolsOnce.Do(func() {
syms, err := x.f.Symbols()
if err != nil {
x.symbolsErr = err
return
}
x.symbols = make(map[string]*elf.Symbol, len(syms))
for _, s := range syms {
s := s // make a copy to prevent aliasing
x.symbols[s.Name] = &s
}
})
if x.symbolsErr != nil {
return nil, x.symbolsErr
}
return x.symbols[name], nil
}
func (x *elfExe) progContaining(addr uint64) *elf.Prog {
for _, p := range x.f.Progs {
if addr >= p.Vaddr && addr < p.Vaddr+p.Filesz {
return p
}
}
return nil
}
const go12magic = 0xfffffffb
const go116magic = 0xfffffffa
// PCLNTab is derived from cmd/internal/objfile/elf.go:pcln.
func (x *elfExe) PCLNTab() ([]byte, uint64) {
var offset uint64
text := x.f.Section(".text")
if text != nil {
offset = text.Offset
}
pclntab := x.f.Section(".gopclntab")
if pclntab == nil {
// Addition: this code is added to support some form of stripping.
pclntab = x.f.Section(".data.rel.ro.gopclntab")
if pclntab == nil {
pclntab = x.f.Section(".data.rel.ro")
if pclntab == nil {
return nil, 0
}
// Possibly the PCLN table has been stuck in the .data.rel.ro section, but without
// its own section header. We can search for for the start by looking for the four
// byte magic and the go magic.
b, err := pclntab.Data()
if err != nil {
return nil, 0
}
// TODO(rolandshoemaker): I'm not sure if the 16 byte increment during the search is
// actually correct. During testing it worked, but that may be because I got lucky
// with the binary I was using, and we need to do four byte jumps to exhaustively
// search the section?
for i := 0; i < len(b); i += 16 {
if len(b)-i > 16 && b[i+4] == 0 && b[i+5] == 0 &&
(b[i+6] == 1 || b[i+6] == 2 || b[i+6] == 4) &&
(b[i+7] == 4 || b[i+7] == 8) {
// Also check for the go magic
leMagic := binary.LittleEndian.Uint32(b[i:])
beMagic := binary.BigEndian.Uint32(b[i:])
switch {
case leMagic == go12magic:
fallthrough
case beMagic == go12magic:
fallthrough
case leMagic == go116magic:
fallthrough
case beMagic == go116magic:
return b[i:], offset
}
}
}
}
}
b, err := pclntab.Data()
if err != nil {
return nil, 0
}
return b, offset
}
// SymbolInfo is derived from cmd/internal/objfile/pe.go:findPESymbol, loadPETable.
func (x *peExe) SymbolInfo(name string) (uint64, uint64, io.ReaderAt, error) {
sym, err := x.lookupSymbol(name)
if err != nil {
return 0, 0, nil, err
}
if sym == nil {
return 0, 0, nil, fmt.Errorf("no symbol %q", name)
}
sect := x.f.Sections[sym.SectionNumber-1]
// In PE, the symbol's value is the offset from the section start.
return uint64(sym.Value), 0, sect.ReaderAt, nil
}
func (x *peExe) lookupSymbol(name string) (*pe.Symbol, error) {
x.symbolsOnce.Do(func() {
x.symbols = make(map[string]*pe.Symbol, len(x.f.Symbols))
if len(x.f.Symbols) == 0 {
x.symbolsErr = ErrNoSymbols
return
}
for _, s := range x.f.Symbols {
x.symbols[s.Name] = s
}
})
if x.symbolsErr != nil {
return nil, x.symbolsErr
}
return x.symbols[name], nil
}
// PCLNTab is derived from cmd/internal/objfile/pe.go:pcln.
// Assumes that the underlying symbol table exists, otherwise
// it might panic.
func (x *peExe) PCLNTab() ([]byte, uint64) {
var textOffset uint64
for _, section := range x.f.Sections {
if section.Name == ".text" {
textOffset = uint64(section.Offset)
break
}
}
var start, end int64
var section int
if s, _ := x.lookupSymbol("runtime.pclntab"); s != nil {
start = int64(s.Value)
section = int(s.SectionNumber - 1)
}
if s, _ := x.lookupSymbol("runtime.epclntab"); s != nil {
end = int64(s.Value)
}
if start == 0 || end == 0 {
return nil, 0
}
offset := int64(x.f.Sections[section].Offset) + start
size := end - start
pclntab := make([]byte, size)
if _, err := x.r.ReadAt(pclntab, offset); err != nil {
return nil, 0
}
return pclntab, textOffset
}
// SymbolInfo is derived from cmd/internal/objfile/macho.go:symbols.
func (x *machoExe) SymbolInfo(name string) (uint64, uint64, io.ReaderAt, error) {
sym, err := x.lookupSymbol(name)
if err != nil {
return 0, 0, nil, err
}
if sym == nil {
return 0, 0, nil, fmt.Errorf("no symbol %q", name)
}
seg := x.segmentContaining(sym.Value)
if seg == nil {
return 0, 0, nil, fmt.Errorf("no Segment containing value %d for %q", sym.Value, name)
}
return sym.Value, seg.Addr, seg.ReaderAt, nil
}
func (x *machoExe) lookupSymbol(name string) (*macho.Symbol, error) {
const mustExistSymbol = "runtime.main"
x.symbolsOnce.Do(func() {
x.symbols = make(map[string]*macho.Symbol, len(x.f.Symtab.Syms))
for _, s := range x.f.Symtab.Syms {
s := s // make a copy to prevent aliasing
x.symbols[s.Name] = &s
}
// In the presence of stripping, the symbol table for darwin
// binaries will not be empty, but the program symbols will
// be missing.
if _, ok := x.symbols[mustExistSymbol]; !ok {
x.symbolsErr = ErrNoSymbols
}
})
if x.symbolsErr != nil {
return nil, x.symbolsErr
}
return x.symbols[name], nil
}
func (x *machoExe) segmentContaining(addr uint64) *macho.Segment {
for _, load := range x.f.Loads {
seg, ok := load.(*macho.Segment)
if ok && seg.Addr <= addr && addr <= seg.Addr+seg.Filesz-1 && seg.Name != "__PAGEZERO" {
return seg
}
}
return nil
}
// SymbolInfo is derived from cmd/internal/objfile/macho.go:pcln.
func (x *machoExe) PCLNTab() ([]byte, uint64) {
var textOffset uint64
text := x.f.Section("__text")
if text != nil {
textOffset = uint64(text.Offset)
}
pclntab := x.f.Section("__gopclntab")
if pclntab == nil {
return nil, 0
}
b, err := pclntab.Data()
if err != nil {
return nil, 0
}
return b, textOffset
}
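Review bot: `(*elfExe).SymbolInfo` dereferences a possibly nil symbol: `lookupSymbol` returns `(nil, nil)` when the name is simply absent from the map, the only check is `if err != nil`, and `prog := x.progContaining(sym.Value)` then panics on any binary that has a symbol table but not `name`; add the same `if sym == nil { return 0, 0, nil, fmt.Errorf("no symbol %q", name) }` guard that the PE and Mach-O versions already have. Related robustness gaps in the same hunk: the PE code indexes `x.f.Sections[sym.SectionNumber-1]` (and `section = int(s.SectionNumber - 1)` in `PCLNTab`) without checking that the number lies in `1..len(Sections)`, and the PE special values 0, -1 and -2 (undefined, absolute, debug) index out of range; `(*machoExe).lookupSymbol` reads `x.f.Symtab.Syms` without a nil check, and `debug/macho` leaves `Symtab` nil when the file has no LC_SYMTAB load command. Binary mode runs on arbitrary user-supplied executables, so each of these should degrade to an error or `ErrNoSymbols` rather than a panic. Also the doc comment on the Mach-O `PCLNTab` says `SymbolInfo is derived from cmd/internal/objfile/macho.go:pcln`; it should read `PCLNTab is derived from`.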
@@ -0,0 +1,143 @@
// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
//go:build go1.18
// +build go1.18
package buildinfo
// Code in this package is dervied from src/cmd/go/internal/version/version.go
// and cmd/go/internal/version/exe.go.
import (
"debug/buildinfo"
"errors"
"fmt"
"io"
"net/url"
"runtime/debug"
"strings"
"golang.org/x/tools/go/packages"
"golang.org/x/vuln/internal/gosym"
)
func debugModulesToPackagesModules(debugModules []*debug.Module) []*packages.Module {
packagesModules := make([]*packages.Module, len(debugModules))
for i, mod := range debugModules {
packagesModules[i] = &packages.Module{
Path: mod.Path,
Version: mod.Version,
}
if mod.Replace != nil {
packagesModules[i].Replace = &packages.Module{
Path: mod.Replace.Path,
Version: mod.Replace.Version,
}
}
}
return packagesModules
}
type Symbol struct {
Pkg string `json:"pkg,omitempty"`
Name string `json:"name,omitempty"`
}
// ExtractPackagesAndSymbols extracts symbols, packages, modules from
// bin as well as bin's metadata.
//
// If the symbol table is not available, such as in the case of stripped
// binaries, returns module and binary info but without the symbol info.
func ExtractPackagesAndSymbols(bin io.ReaderAt) ([]*packages.Module, []Symbol, *debug.BuildInfo, error) {
bi, err := buildinfo.Read(bin)
if err != nil {
return nil, nil, nil, err
}
funcSymName := gosym.FuncSymName(bi.GoVersion)
if funcSymName == "" {
return nil, nil, nil, fmt.Errorf("binary built using unsupported Go version: %q", bi.GoVersion)
}
x, err := openExe(bin)
if err != nil {
return nil, nil, nil, err
}
value, base, r, err := x.SymbolInfo(funcSymName)
if err != nil {
if errors.Is(err, ErrNoSymbols) {
// bin is stripped, so return just module info and metadata.
return debugModulesToPackagesModules(bi.Deps), nil, bi, nil
}
return nil, nil, nil, fmt.Errorf("reading %v: %v", funcSymName, err)
}
pclntab, textOffset := x.PCLNTab()
if pclntab == nil {
// If we have build information, but not PCLN table, fall
// back to much higher granularity vulnerability checking.
return debugModulesToPackagesModules(bi.Deps), nil, bi, nil
}
lineTab := gosym.NewLineTable(pclntab, textOffset)
if lineTab == nil {
return nil, nil, nil, errors.New("invalid line table")
}
tab, err := gosym.NewTable(nil, lineTab)
if err != nil {
return nil, nil, nil, err
}
pkgSyms := make(map[Symbol]bool)
for _, f := range tab.Funcs {
if f.Func == nil {
continue
}
pkgName, symName, err := parseName(f.Func.Sym)
if err != nil {
return nil, nil, nil, err
}
pkgSyms[Symbol{pkgName, symName}] = true
// Collect symbols that were inlined in f.
it, err := lineTab.InlineTree(&f, value, base, r)
if err != nil {
return nil, nil, nil, fmt.Errorf("InlineTree: %v", err)
}
for _, ic := range it {
pkgName, symName, err := parseName(&gosym.Sym{Name: ic.Name})
if err != nil {
return nil, nil, nil, err
}
pkgSyms[Symbol{pkgName, symName}] = true
}
}
var syms []Symbol
for ps := range pkgSyms {
syms = append(syms, ps)
}
return debugModulesToPackagesModules(bi.Deps), syms, bi, nil
}
func parseName(s *gosym.Sym) (pkg, sym string, err error) {
symName := s.BaseName()
if r := s.ReceiverName(); r != "" {
if strings.HasPrefix(r, "(*") {
r = strings.Trim(r, "(*)")
}
symName = fmt.Sprintf("%s.%s", r, symName)
}
pkgName := s.PackageName()
if pkgName != "" {
pkgName, err = url.PathUnescape(pkgName)
if err != nil {
return "", "", err
}
}
return pkgName, symName, nil
}
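Review bot: the two degraded paths in `ExtractPackagesAndSymbols` (`errors.Is(err, ErrNoSymbols)` and `pclntab == nil`) both return nil symbols and a nil error, so the caller cannot tell "stripped binary, symbol-level results unavailable" from "symbols read, none matched"; the comment promises a fall back to "much higher granularity vulnerability checking", but nothing in the return value lets the report tell the user that its findings are module-level only. Return a sentinel or a flag alongside the result so binary-mode output can say so. Minor: `dervied` in the package comment should be `derived`, and `strings.Trim(r, "(*)")` strips any of those three characters from both ends rather than the `(*` prefix and `)` suffix the preceding `HasPrefix` check implies; `strings.TrimSuffix(strings.TrimPrefix(r, "(*"), ")")` says what is meant.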
@@ -0,0 +1,170 @@
// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
//go:build go1.18
// +build go1.18
package buildinfo
import (
"fmt"
"os"
"os/exec"
"path/filepath"
"sort"
"testing"
"github.com/google/go-cmp/cmp"
"golang.org/x/tools/go/packages/packagestest"
"golang.org/x/vuln/internal/test"
"golang.org/x/vuln/internal/testenv"
)
// testAll executes testing function ft on all valid combinations
// of gooss and goarchs.
func testAll(t *testing.T, gooss, goarchs []string, ft func(*testing.T, string, string)) {
// unsupported platforms for building Go binaries.
var unsupported = map[string]bool{
"darwin/386": true,
"darwin/arm": true,
}
for _, g := range gooss {
for _, a := range goarchs {
goos := g
goarch := a
ga := goos + "/" + goarch
if unsupported[ga] {
continue
}
t.Run(ga, func(t *testing.T) {
ft(t, goos, goarch)
})
}
}
}
func TestExtractPackagesAndSymbols(t *testing.T) {
testAll(t, []string{"linux", "darwin", "windows", "freebsd"}, []string{"amd64", "386", "arm", "arm64"},
func(t *testing.T, goos, goarch string) {
binary, done := test.GoBuild(t, "testdata", "", false, "GOOS", goos, "GOARCH", goarch)
defer done()
f, err := os.Open(binary)
if err != nil {
t.Fatal(err)
}
defer f.Close()
_, syms, _, err := ExtractPackagesAndSymbols(f)
if err != nil {
t.Fatal(err)
}
got := sortedSymbols("main", syms)
want := []Symbol{
{"main", "f"},
{"main", "g"},
{"main", "main"},
}
if diff := cmp.Diff(want, got); diff != "" {
t.Errorf("(-want,+got):%s", diff)
}
})
}
// sortedSymbols gets symbols for pkg and
// sorts them for testing purposes.
func sortedSymbols(pkg string, syms []Symbol) []Symbol {
var s []Symbol
for _, ps := range syms {
if ps.Pkg == pkg {
s = append(s, ps)
}
}
sort.SliceStable(s, func(i, j int) bool { return s[i].Pkg+"."+s[i].Name < s[j].Pkg+"."+s[j].Name })
return s
}
// Test58509 is supposed to test issue #58509 where a whole
// vulnerable function is deleted from the binary so we
// cannot detect its presence.
//
// Note: the issue is still not addressed and the test
// expectations are set to fail once it gets addressed.
func Test58509(t *testing.T) {
testenv.NeedsGoBuild(t)
vulnLib := `package bvuln
%s debug = true
func Vuln() {
if debug {
return
}
print("vuln")
}`
for _, tc := range []struct {
gl string
want bool
}{
{"const", false}, // TODO(https://go.dev/issue/58509): change expectations once issue is addressed
{"var", true},
} {
tc := tc
t.Run(tc.gl, func(t *testing.T) {
e := packagestest.Export(t, packagestest.Modules, []packagestest.Module{
{
Name: "golang.org/entry",
Files: map[string]interface{}{
"main.go": `
package main
import (
"golang.org/bmod/bvuln"
)
func main() {
bvuln.Vuln()
}
`,
}},
{
Name: "golang.org/bmod@v0.5.0",
Files: map[string]interface{}{"bvuln/bvuln.go": fmt.Sprintf(vulnLib, tc.gl)},
},
})
defer e.Cleanup()
cmd := exec.Command("go", "build", "-o", "entry")
cmd.Dir = e.Config.Dir
cmd.Env = e.Config.Env
out, err := cmd.CombinedOutput()
if err != nil || len(out) > 0 {
t.Fatalf("failed to build the binary %v %v", err, string(out))
}
exe, err := os.Open(filepath.Join(e.Config.Dir, "entry"))
if err != nil {
t.Fatal(err)
}
defer exe.Close()
_, syms, _, err := ExtractPackagesAndSymbols(exe)
if err != nil {
t.Fatal(err)
}
// effectively, Vuln is not optimized away from the program
got := len(sortedSymbols("golang.org/bmod/bvuln", syms)) != 0
if got != tc.want {
t.Errorf("want %t; got %t", tc.want, got)
}
})
}
}
@@ -0,0 +1,38 @@
// Copyright 2023 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
//go:build go1.22
// +build go1.22
package buildinfo
import (
"os"
"testing"
"golang.org/x/vuln/internal/test"
)
// TestStrippedBinary checks that there is no symbol table for
// stripped binaries.
func TestStrippedBinary(t *testing.T) {
testAll(t, []string{"linux", "windows", "freebsd", "darwin"}, []string{"amd64", "386", "arm", "arm64"},
func(t *testing.T, goos, goarch string) {
binary, done := test.GoBuild(t, "testdata", "", true, "GOOS", goos, "GOARCH", goarch)
defer done()
f, err := os.Open(binary)
if err != nil {
t.Fatal(err)
}
defer f.Close()
_, syms, _, err := ExtractPackagesAndSymbols(f)
if err != nil {
t.Fatal(err)
}
if len(syms) != 0 {
t.Errorf("want empty symbol table; got %v symbols", len(syms))
}
})
}
@@ -0,0 +1,74 @@
// Copyright 2023 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
//go:build go1.18 && !go1.22
// +build go1.18,!go1.22
package buildinfo
import (
"os"
"testing"
"github.com/google/go-cmp/cmp"
"golang.org/x/vuln/internal/test"
)
// TestStrippedBinary checks that there is no symbol table for
// stripped binaries. This does not include darwin binaries.
// For more info, see #61051.
func TestStrippedBinary(t *testing.T) {
// We exclude darwin as its stripped binaries seem to
// preserve the symbol table. See TestStrippedDarwin.
testAll(t, []string{"linux", "windows", "freebsd"}, []string{"amd64", "386", "arm", "arm64"},
func(t *testing.T, goos, goarch string) {
binary, done := test.GoBuild(t, "testdata", "", true, "GOOS", goos, "GOARCH", goarch)
defer done()
f, err := os.Open(binary)
if err != nil {
t.Fatal(err)
}
defer f.Close()
_, syms, _, err := ExtractPackagesAndSymbols(f)
if err != nil {
t.Fatal(err)
}
if syms != nil {
t.Errorf("want empty symbol table; got %v symbols", len(syms))
}
})
}
// TestStrippedDarwin checks that the symbol table exists and
// is complete on darwin even in the presence of stripping.
// For more info, see #61051.
func TestStrippedDarwin(t *testing.T) {
testAll(t, []string{"darwin"}, []string{"amd64", "386"},
func(t *testing.T, goos, goarch string) {
binary, done := test.GoBuild(t, "testdata", "", true, "GOOS", goos, "GOARCH", goarch)
defer done()
f, err := os.Open(binary)
if err != nil {
t.Fatal(err)
}
defer f.Close()
_, syms, _, err := ExtractPackagesAndSymbols(f)
if err != nil {
t.Fatal(err)
}
got := sortedSymbols("main", syms)
want := []Symbol{
{"main", "f"},
{"main", "g"},
{"main", "main"},
}
if diff := cmp.Diff(want, got); diff != "" {
t.Errorf("(-want,+got):%s", diff)
}
})
}
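Review bot: `if syms != nil` in TestStrippedBinary is a weaker and different check from the `len(syms) != 0` used in the go1.22 variant: an empty but non-nil slice passes the go1.22 test and fails this one, so the two build constraints would disagree on the same extractor output. Use `len(syms) != 0` here as well. Separately, TestStrippedDarwin lists `386` as a darwin architecture; darwin/386 has not been a supported port since Go 1.15, which predates the go1.18 constraint on this file, so unless `testAll` skips unsupported GOOS/GOARCH pairs that case cannot build, while darwin/arm64, the pair that matters today, is absent.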
@@ -0,0 +1,221 @@
// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
//go:build go1.18
// +build go1.18
package buildinfo
// Addition: this file is a trimmed and slightly modified version of debug/buildinfo/buildinfo.go
import (
"bytes"
"debug/elf"
"debug/macho"
"debug/pe"
"fmt"
"sync"
// "internal/xcoff"
"io"
)
// Addition: modification of rawBuildInfo in the original file.
// openExe returns reader r as an exe.
func openExe(r io.ReaderAt) (exe, error) {
data := make([]byte, 16)
if _, err := r.ReadAt(data, 0); err != nil {
return nil, err
}
if bytes.HasPrefix(data, []byte("\x7FELF")) {
e, err := elf.NewFile(r)
if err != nil {
return nil, err
}
return &elfExe{f: e}, nil
}
if bytes.HasPrefix(data, []byte("MZ")) {
e, err := pe.NewFile(r)
if err != nil {
return nil, err
}
return &peExe{r: r, f: e}, nil
}
if bytes.HasPrefix(data, []byte("\xFE\xED\xFA")) || bytes.HasPrefix(data[1:], []byte("\xFA\xED\xFE")) {
e, err := macho.NewFile(r)
if err != nil {
return nil, err
}
return &machoExe{f: e}, nil
}
return nil, fmt.Errorf("unrecognized executable format")
}
type exe interface {
// ReadData reads and returns up to size byte starting at virtual address addr.
ReadData(addr, size uint64) ([]byte, error)
// DataStart returns the virtual address of the segment or section that
// should contain build information. This is either a specially named section
// or the first writable non-zero data segment.
DataStart() uint64
PCLNTab() ([]byte, uint64) // Addition: for constructing symbol table
SymbolInfo(name string) (uint64, uint64, io.ReaderAt, error) // Addition: for inlining purposes
}
// elfExe is the ELF implementation of the exe interface.
type elfExe struct {
f *elf.File
symbols map[string]*elf.Symbol // Addition: symbols in the binary
symbolsOnce sync.Once // Addition: for computing symbols
symbolsErr error // Addition: error for computing symbols
}
func (x *elfExe) ReadData(addr, size uint64) ([]byte, error) {
for _, prog := range x.f.Progs {
if prog.Vaddr <= addr && addr <= prog.Vaddr+prog.Filesz-1 {
n := prog.Vaddr + prog.Filesz - addr
if n > size {
n = size
}
data := make([]byte, n)
_, err := prog.ReadAt(data, int64(addr-prog.Vaddr))
if err != nil {
return nil, err
}
return data, nil
}
}
return nil, fmt.Errorf("address not mapped") // Addition: custom error
}
func (x *elfExe) DataStart() uint64 {
for _, s := range x.f.Sections {
if s.Name == ".go.buildinfo" {
return s.Addr
}
}
for _, p := range x.f.Progs {
if p.Type == elf.PT_LOAD && p.Flags&(elf.PF_X|elf.PF_W) == elf.PF_W {
return p.Vaddr
}
}
return 0
}
// peExe is the PE (Windows Portable Executable) implementation of the exe interface.
type peExe struct {
r io.ReaderAt
f *pe.File
symbols map[string]*pe.Symbol // Addition: symbols in the binary
symbolsOnce sync.Once // Addition: for computing symbols
symbolsErr error // Addition: error for computing symbols
}
func (x *peExe) imageBase() uint64 {
switch oh := x.f.OptionalHeader.(type) {
case *pe.OptionalHeader32:
return uint64(oh.ImageBase)
case *pe.OptionalHeader64:
return oh.ImageBase
}
return 0
}
func (x *peExe) ReadData(addr, size uint64) ([]byte, error) {
addr -= x.imageBase()
for _, sect := range x.f.Sections {
if uint64(sect.VirtualAddress) <= addr && addr <= uint64(sect.VirtualAddress+sect.Size-1) {
n := uint64(sect.VirtualAddress+sect.Size) - addr
if n > size {
n = size
}
data := make([]byte, n)
_, err := sect.ReadAt(data, int64(addr-uint64(sect.VirtualAddress)))
if err != nil {
return nil, err
}
return data, nil
}
}
return nil, fmt.Errorf("address not mapped") // Addition: custom error
}
func (x *peExe) DataStart() uint64 {
// Assume data is first writable section.
const (
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_SCN_MEM_DISCARDABLE = 0x2000000
IMAGE_SCN_LNK_NRELOC_OVFL = 0x1000000
IMAGE_SCN_ALIGN_32BYTES = 0x600000
)
for _, sect := range x.f.Sections {
if sect.VirtualAddress != 0 && sect.Size != 0 &&
sect.Characteristics&^IMAGE_SCN_ALIGN_32BYTES == IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE {
return uint64(sect.VirtualAddress) + x.imageBase()
}
}
return 0
}
// machoExe is the Mach-O (Apple macOS/iOS) implementation of the exe interface.
type machoExe struct {
f *macho.File
symbols map[string]*macho.Symbol // Addition: symbols in the binary
symbolsOnce sync.Once // Addition: for computing symbols
symbolsErr error // Addition: error for computing symbols
}
func (x *machoExe) ReadData(addr, size uint64) ([]byte, error) {
for _, load := range x.f.Loads {
seg, ok := load.(*macho.Segment)
if !ok {
continue
}
if seg.Addr <= addr && addr <= seg.Addr+seg.Filesz-1 {
if seg.Name == "__PAGEZERO" {
continue
}
n := seg.Addr + seg.Filesz - addr
if n > size {
n = size
}
data := make([]byte, n)
_, err := seg.ReadAt(data, int64(addr-seg.Addr))
if err != nil {
return nil, err
}
return data, nil
}
}
return nil, fmt.Errorf("address not mapped") // Addition: custom error
}
func (x *machoExe) DataStart() uint64 {
// Look for section named "__go_buildinfo".
for _, sec := range x.f.Sections {
if sec.Name == "__go_buildinfo" {
return sec.Addr
}
}
// Try the first non-empty writable segment.
const RW = 3
for _, load := range x.f.Loads {
seg, ok := load.(*macho.Segment)
if ok && seg.Addr != 0 && seg.Filesz != 0 && seg.Prot == RW && seg.Maxprot == RW {
return seg.Addr
}
}
return 0
}
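Review bot: the `// Addition` members on the `exe` interface (`PCLNTab`, `SymbolInfo`) and the `symbols`/`symbolsOnce`/`symbolsErr` fields on `elfExe`, `peExe` and `machoExe` are neither implemented nor used anywhere in this file, so `&elfExe{f: e}` and friends only satisfy `exe` if another file in the package supplies those methods; the header comment (`this file is a trimmed and slightly modified version of debug/buildinfo/buildinfo.go`) should name that file so the additions can be found. The commented-out `// "internal/xcoff"` line in the import block is dead text and should be removed rather than carried along. In `peExe.ReadData`, `sect.VirtualAddress+sect.Size-1` and `sect.VirtualAddress+sect.Size` are evaluated in uint32 before the conversion to uint64, so a section header whose RVA plus size exceeds 4 GiB wraps and the range test can never hold; such a section is then silently reported as "address not mapped" instead of being rejected as malformed. Converting the operands to uint64 first would make the bounds check mean what it says, matching the 64-bit arithmetic in the ELF and Mach-O implementations.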
@@ -0,0 +1,14 @@
package main
func main() {
f()
}
func f() {
g()
g()
}
func g() {
println(1)
}
@@ -0,0 +1,347 @@
// Copyright 2023 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Package client provides an interface for accessing vulnerability
// databases, via either HTTP or local filesystem access.
//
// The protocol is described at https://go.dev/security/vuln/database.
package client
import (
"bytes"
"context"
"encoding/json"
"errors"
"fmt"
"net/http"
"net/url"
"os"
"path/filepath"
"sort"
"strings"
"time"
"golang.org/x/sync/errgroup"
"golang.org/x/vuln/internal/derrors"
"golang.org/x/vuln/internal/osv"
isem "golang.org/x/vuln/internal/semver"
"golang.org/x/vuln/internal/web"
)
// A Client for reading vulnerability databases.
type Client struct {
source
}
type Options struct {
HTTPClient *http.Client
}
// NewClient returns a client that reads the vulnerability database
// in source (an "http" or "file" prefixed URL).
//
// It supports databases following the API described
// in https://go.dev/security/vuln/database#api.
func NewClient(source string, opts *Options) (_ *Client, err error) {
source = strings.TrimRight(source, "/")
uri, err := url.Parse(source)
if err != nil {
return nil, err
}
switch uri.Scheme {
case "http", "https":
return newHTTPClient(uri, opts)
case "file":
return newLocalClient(uri)
default:
return nil, fmt.Errorf("source %q has unsupported scheme", uri)
}
}
var errUnknownSchema = errors.New("unrecognized vulndb format; see https://go.dev/security/vuln/database#api for accepted schema")
func newHTTPClient(uri *url.URL, opts *Options) (*Client, error) {
source := uri.String()
// v1 returns true if the source likely follows the V1 schema.
v1 := func() bool {
return source == "https://vuln.go.dev" ||
endpointExistsHTTP(source, "index/modules.json.gz")
}
if v1() {
return &Client{source: newHTTPSource(uri.String(), opts)}, nil
}
return nil, errUnknownSchema
}
func endpointExistsHTTP(source, endpoint string) bool {
r, err := http.Head(source + "/" + endpoint)
return err == nil && r.StatusCode == http.StatusOK
}
func newLocalClient(uri *url.URL) (*Client, error) {
dir, err := toDir(uri)
if err != nil {
return nil, err
}
// Check if the DB likely follows the v1 schema by
// looking for the "index/modules.json" endpoint.
if endpointExistsDir(dir, modulesEndpoint+".json") {
return &Client{source: newLocalSource(dir)}, nil
}
// If the DB doesn't follow the v1 schema,
// attempt to intepret it as a flat list of OSV files.
// This is currently a "hidden" feature, so don't output the
// specific error if this fails.
src, err := newHybridSource(dir)
if err != nil {
return nil, errUnknownSchema
}
return &Client{source: src}, nil
}
func toDir(uri *url.URL) (string, error) {
dir, err := web.URLToFilePath(uri)
if err != nil {
return "", err
}
fi, err := os.Stat(dir)
if err != nil {
return "", err
}
if !fi.IsDir() {
return "", fmt.Errorf("%s is not a directory", dir)
}
return dir, nil
}
func endpointExistsDir(dir, endpoint string) bool {
_, err := os.Stat(filepath.Join(dir, endpoint))
return err == nil
}
func NewInMemoryClient(entries []*osv.Entry) (*Client, error) {
s, err := newInMemorySource(entries)
if err != nil {
return nil, err
}
return &Client{source: s}, nil
}
func (c *Client) LastModifiedTime(ctx context.Context) (_ time.Time, err error) {
derrors.Wrap(&err, "LastModifiedTime()")
b, err := c.source.get(ctx, dbEndpoint)
if err != nil {
return time.Time{}, err
}
var dbMeta dbMeta
if err := json.Unmarshal(b, &dbMeta); err != nil {
return time.Time{}, err
}
return dbMeta.Modified, nil
}
type ModuleRequest struct {
// The module path to filter on.
// This must be set (if empty, ByModule errors).
Path string
// (Optional) If set, only return vulnerabilities affected
// at this version.
Version string
}
type ModuleResponse struct {
Path string
Version string
Entries []*osv.Entry
}
// ByModules returns a list of responses
// containing the OSV entries corresponding to each request.
//
// The order of the requests is preserved, and each request has
// a response even if there are no entries (in which case the Entries
// field is nil).
func (c *Client) ByModules(ctx context.Context, reqs []*ModuleRequest) (_ []*ModuleResponse, err error) {
derrors.Wrap(&err, "ByModules(%v)", reqs)
metas, err := c.moduleMetas(ctx, reqs)
if err != nil {
return nil, err
}
resps := make([]*ModuleResponse, len(reqs))
g, gctx := errgroup.WithContext(ctx)
g.SetLimit(10)
for i, req := range reqs {
i, req := i, req
g.Go(func() error {
entries, err := c.byModule(gctx, req, metas[i])
if err != nil {
return err
}
resps[i] = &ModuleResponse{
Path: req.Path,
Version: req.Version,
Entries: entries,
}
return nil
})
}
if err := g.Wait(); err != nil {
return nil, err
}
return resps, nil
}
func (c *Client) moduleMetas(ctx context.Context, reqs []*ModuleRequest) (_ []*moduleMeta, err error) {
b, err := c.source.get(ctx, modulesEndpoint)
if err != nil {
return nil, err
}
dec, err := newStreamDecoder(b)
if err != nil {
return nil, err
}
metas := make([]*moduleMeta, len(reqs))
for dec.More() {
var m moduleMeta
err := dec.Decode(&m)
if err != nil {
return nil, err
}
for i, req := range reqs {
if m.Path == req.Path {
metas[i] = &m
}
}
}
return metas, nil
}
// byModule returns the OSV entries matching the ModuleRequest,
// or (nil, nil) if there are none.
func (c *Client) byModule(ctx context.Context, req *ModuleRequest, m *moduleMeta) (_ []*osv.Entry, err error) {
// This module isn't in the database.
if m == nil {
return nil, nil
}
if req.Path == "" {
return nil, fmt.Errorf("module path must be set")
}
if req.Version != "" && !isem.Valid(req.Version) {
return nil, fmt.Errorf("version %s is not valid semver", req.Version)
}
var ids []string
for _, v := range m.Vulns {
if v.Fixed == "" || isem.Less(req.Version, v.Fixed) {
ids = append(ids, v.ID)
}
}
if len(ids) == 0 {
return nil, nil
}
entries, err := c.byIDs(ctx, ids)
if err != nil {
return nil, err
}
// Filter by version.
if req.Version != "" {
affected := func(e *osv.Entry) bool {
for _, a := range e.Affected {
if a.Module.Path == req.Path && isem.Affects(a.Ranges, req.Version) {
return true
}
}
return false
}
var filtered []*osv.Entry
for _, entry := range entries {
if affected(entry) {
filtered = append(filtered, entry)
}
}
if len(filtered) == 0 {
return nil, nil
}
}
sort.SliceStable(entries, func(i, j int) bool {
return entries[i].ID < entries[j].ID
})
return entries, nil
}
func (c *Client) byIDs(ctx context.Context, ids []string) (_ []*osv.Entry, err error) {
entries := make([]*osv.Entry, len(ids))
g, gctx := errgroup.WithContext(ctx)
g.SetLimit(10)
for i, id := range ids {
i, id := i, id
g.Go(func() error {
e, err := c.byID(gctx, id)
if err != nil {
return err
}
entries[i] = e
return nil
})
}
if err := g.Wait(); err != nil {
return nil, err
}
return entries, nil
}
// byID returns the OSV entry with the given ID,
// or an error if it does not exist / cannot be unmarshaled.
func (c *Client) byID(ctx context.Context, id string) (_ *osv.Entry, err error) {
derrors.Wrap(&err, "byID(%s)", id)
b, err := c.source.get(ctx, entryEndpoint(id))
if err != nil {
return nil, err
}
var entry osv.Entry
if err := json.Unmarshal(b, &entry); err != nil {
return nil, err
}
return &entry, nil
}
// newStreamDecoder returns a decoder that can be used
// to read an array of JSON objects.
func newStreamDecoder(b []byte) (*json.Decoder, error) {
dec := json.NewDecoder(bytes.NewBuffer(b))
// skip open bracket
_, err := dec.Token()
if err != nil {
return nil, err
}
return dec, nil
}
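Review bot: the version filter in `byModule` computes `filtered` but never assigns it back: after the `if req.Version != ""` block, `sort.SliceStable(entries, ...)` and `return entries, nil` still operate on the unfiltered slice, so a request with a version returns every entry whose `Fixed` is later than that version, including entries whose `Affected` ranges do not cover it, and only the all-filtered-out case (`len(filtered) == 0`) behaves as the doc comment promises. Add `entries = filtered` at the end of the block. Second, `derrors.Wrap(&err, ...)` in `LastModifiedTime`, `ByModules` and `byID` is called without `defer`, so it inspects `err` at function entry, when it is still nil, and the error actually returned is never annotated; these should read `defer derrors.Wrap(&err, ...)`. Third, `endpointExistsHTTP` probes with `http.Head`, which goes through `http.DefaultClient` and ignores the `opts.HTTPClient` the caller passed to `NewClient` (so any timeout, proxy or TLS settings there do not apply to the schema probe), and it never closes `r.Body`; issue the HEAD request through the configured client with a context-bound request and close the body. Minor: "intepret" in the `newLocalClient` comment should be "interpret".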
