whatcanGOwrong

2024-09-19 21:38:24 -04:00
commit d0ae4d841d
17908 changed files with 4096831 additions and 0 deletions
@@ -0,0 +1,88 @@
// Copyright 2022 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
/*
Govulncheck reports known vulnerabilities that affect Go code. It uses static
analysis of source code or a binary's symbol table to narrow down reports to
only those that could affect the application.
By default, govulncheck makes requests to the Go vulnerability database at
https://vuln.go.dev. Requests to the vulnerability database contain only module
paths, not code or other properties of your program. See
https://vuln.go.dev/privacy.html for more. Use the -db flag to specify a
different database, which must implement the specification at
https://go.dev/security/vuln/database.
Govulncheck looks for vulnerabilities in Go programs using a specific build
configuration. For analyzing source code, that configuration is the Go version
specified by the “go” command found on the PATH. For binaries, the build
configuration is the one used to build the binary. Note that different build
configurations may have different known vulnerabilities.
Govulncheck must be built with Go version 1.18 or later.
# Usage
To analyze source code, run govulncheck from the module directory, using the
same package path syntax that the go command uses:
$ cd my-module
$ govulncheck ./...
If no vulnerabilities are found, govulncheck will display a short message. If
there are vulnerabilities, each is displayed briefly, with a summary of a call
stack. The summary shows in brief how the package calls a vulnerable function.
For example, it might say
main.go:[line]:[column]: mypackage.main calls golang.org/x/text/language.Parse
To control which files are processed, use the -tags flag to provide a
comma-separated list of build tags, and the -test flag to indicate that test
files should be included.
To include more detailed stack traces, pass -show=traces, this will cause it to
print the full call stack for each entry.
To run govulncheck on a compiled binary, pass it the path to the binary file
with the -mode=binary flag:
$ govulncheck -mode=binary $HOME/go/bin/my-go-program
Govulncheck uses the binary's symbol information to find mentions of vulnerable
functions. Its output omits call stacks, which require source code analysis.
Govulncheck also supports -mode=extract on a Go binary for extraction of minimal
information needed to analyze the binary. This will produce a blob, typically much
smaller than the binary, that can also be passed to govulncheck as an argument with
-mode=binary. The users should not rely on the contents or representation of the blob.
Govulncheck exits successfully (exit code 0) if there are no vulnerabilities,
and exits unsuccessfully if there are. It also exits successfully if the -json flag
is provided, regardless of the number of detected vulnerabilities.
Govulncheck supports streaming JSON. For more details, please see [golang.org/x/vuln/internal/govulncheck].
# Limitations
Govulncheck has these limitations:
- Govulncheck analyzes function pointer and interface calls conservatively,
which may result in false positives or inaccurate call stacks in some cases.
- Calls to functions made using package reflect are not visible to static
analysis. Vulnerable code reachable only through those calls will not be
reported. Use of the unsafe package may result in false negatives.
- Because Go binaries do not contain detailed call information, govulncheck
cannot show the call graphs for detected vulnerabilities. It may also
report false positives for code that is in the binary but unreachable.
- There is no support for silencing vulnerability findings. See https://go.dev/issue/61211 for
updates.
- Govulncheck only reads binaries compiled with Go 1.18 and later.
- For binaries where the symbol information cannot be extracted, govulncheck
reports vulnerabilities for all modules on which the binary depends.
# Feedback
To share feedback, see https://go.dev/security/vuln#feedback.
*/
package main
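Review bot: the exit-status paragraph ("Govulncheck exits successfully (exit code 0) if there are no vulnerabilities, and exits unsuccessfully if there are") never says which non-zero code is used, yet the golden files in this same commit pin it (`$ govulncheck -mode=binary ${vuln_binary} --> FAIL 3`), and `main.go` uses `os.Exit(1)` for every other error. CI pipelines branch on the exact value, so state both codes here and keep the doc and the testdata in lockstep. Two smaller points: "For more details, please see [golang.org/x/vuln/internal/govulncheck]" sends end users to an internal package they cannot import, so the streaming JSON format should be described (or a public spec linked) in this doc instead; and "pass -show=traces, this will cause it to print" is a comma splice, better as "pass -show=traces; this prints".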
@@ -0,0 +1,17 @@
FROM golang:1.20.3-alpine
# This Dockerfile sets up an image for repeated integration testing.
# This assumes the build context, i.e., CWD is vuln/
# ---- Step 0: Setup shared build tools. ----
RUN apk update && apk add bash git gcc musl-dev linux-headers gcompat
# ---- Step 1: Build govulncheck ----
COPY . /go/src/golang.org/x/vuln
WORKDIR /go/src/golang.org/x/vuln/cmd/govulncheck/integration
RUN go install golang.org/x/vuln/cmd/govulncheck
# ---- Step 2: Build other test binaries ----
RUN go install golang.org/dl/go1.18@latest
RUN go install golang.org/x/vuln/cmd/govulncheck/integration/k8s
RUN go install golang.org/x/vuln/cmd/govulncheck/integration/stackrox-scanner
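Review bot: the image installs the `go1.18` toolchain wrapper (`RUN go install golang.org/dl/go1.18@latest`) but never runs `go1.18 download` and never puts it ahead of the base toolchain on PATH, so the `go` that `integration_run.sh` prints and builds with is the 1.20.3 from `FROM golang:1.20.3-alpine`, not the "go1.18.8" that script's comment expects; either drop the wrapper or add the download step and invoke `go1.18` explicitly. For an image meant for "repeated integration testing", pin the base image by digest rather than a mutable tag and pin `golang.org/dl/go1.18` to a version rather than `@latest`; as written, two `docker build` runs on different days can produce different toolchains. `COPY . /go/src/golang.org/x/vuln` also copies the entire checkout, including `.git`, into the layer; a `.dockerignore` would keep the image small and the build context deterministic.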
@@ -0,0 +1,62 @@
#!/bin/bash
# Copyright 2022 The Go Authors. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
#!/bin/bash
# List of all projects for which integration test failed, if any.
failed=()
# Update status of the integration script. The first argument is
# the exit code for the integration run of a project and the second
# argument is the project name.
update_status(){
if [ "$1" -ne 0 ]; then
failed+=("$2")
fi
}
# Print go version for debugging purposes. Expected to be go1.18.8.
go version
# Clone kubernetes to a dedicated directory.
dir="$GOPATH/src/kubernetes"
if [ -d "$dir" ]; then
echo "Destination kubernetes already exists. Using the existing code."
else
git clone https://github.com/kubernetes/kubernetes.git "${dir}"
fi
# Checkout kubernetes version v1.15.11 that
# is known to have vulnerabilities.
pushd "$dir" || exit
cd pkg || exit
git checkout tags/v1.15.11
govulncheck --json ./... &> k8s.txt
k8s k8s.txt
update_status $? "kubernetes(source)"
popd || exit
# Clone scanner to a dedicated directory.
dir="$GOPATH/src/scanner"
if [ -d "$dir" ]; then
echo "Destination scanner already exists. Using the existing code."
else
git clone https://github.com/stackrox/scanner.git "${dir}"
fi
pushd "$dir" || exit
# Use scanner at specific commit and tag version for reproducibility.
git checkout 29b8761da747
go build -trimpath -ldflags="-X github.com/stackrox/scanner/pkg/version.Version=2.26-29-g29b8761da7-dirty" -o image/scanner/bin/scanner ./cmd/clair
govulncheck -mode=binary --json ./image/scanner/bin/scanner &> scan.txt
stackrox-scanner scan.txt
update_status $? "stackrox-scanner(binary)"
popd || exit
if [ ${#failed[@]} -ne 0 ]; then
echo "FAIL: integration run failed for the following projects: ${failed[*]}"
exit 1
fi
echo PASS
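Review bot: the checkouts at `git checkout tags/v1.15.11` and `git checkout 29b8761da747` are not error-checked, so if either fails (network error, missing tag, or a dirty pre-existing `$dir` taken by the "already exists" branch) the script silently scans whatever revision is in the working tree and the fixed expectation list then fails with a confusing diff; add `|| exit 1` to both, as the surrounding `pushd`/`popd` lines already do, or `set -e` at the top. The second `#!/bin/bash` after the license header is a stray line and should go. The comment "Expected to be go1.18.8" contradicts the `golang:1.20.3-alpine` base image in this commit's Dockerfile; fix one or the other so the reproducibility note is true. Minor: the doc in this commit spells the flag `-json`; `--json` works because the Go flag package accepts both, but using the documented form avoids confusion.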
@@ -0,0 +1,15 @@
#!/bin/bash
# Copyright 2022 The Go Authors. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# Runs the integration tests for whole program analysis.
# Assumes this is run from vuln/cmd/govulncheck/integration
echo "Building govulncheck docker image"
# The building context is vuln/ so we can have the current
# version of both govulncheck and its vuln dependencies
docker build -f Dockerfile -t govulncheck-integration ../../../
echo "Running govulncheck integration tests in the docker image"
docker run govulncheck-integration ./integration_run.sh
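Review bot: there is no `set -e`, so when `docker build -f Dockerfile -t govulncheck-integration ../../../` fails the script still runs `docker run govulncheck-integration ./integration_run.sh` against whichever stale image already carries that tag, and the suite can pass on old code. Add `set -e` (the kokoro wrapper in this commit does) and `--rm` on `docker run` so each run does not leave a stopped container behind.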
@@ -0,0 +1,57 @@
// Copyright 2022 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package integration
import (
"bytes"
"encoding/json"
"fmt"
"log"
"os"
"strings"
"github.com/google/go-cmp/cmp"
"golang.org/x/vuln/internal/govulncheck"
)
// CompareNonStdVulns compares vulnerable packages in out and want.
// For out, it only considers vulnerabilities outside of the standard
// library. Assumes the same for want.
func CompareNonStdVulns(out string, want map[string]bool) error {
outJson, err := os.ReadFile(out)
if err != nil {
return fmt.Errorf("failed to read: %v", out)
}
calledVulnPkgs := make(map[string]bool)
dec := json.NewDecoder(bytes.NewReader(outJson))
for dec.More() {
msg := govulncheck.Message{}
// decode the next message in the stream
if err := dec.Decode(&msg); err != nil {
log.Fatalf("failed to load json: %v", err)
}
if msg.Finding != nil {
if msg.Finding.Trace[0].Function == "" {
// No symbol means the vulnerability is
// imported but not called.
continue
}
// collect only called non-std packages
pkgPath := msg.Finding.Trace[0].Package
if !isStd(pkgPath) {
calledVulnPkgs[pkgPath] = true
}
}
}
if diff := cmp.Diff(want, calledVulnPkgs); diff != "" {
return fmt.Errorf("reachable vulnerable packages mismatch (-want, +got):\n%s", diff)
}
return nil
}
// isStd returns true iff pkg is a standard library package.
func isStd(pkg string) bool {
return !strings.Contains(pkg, ".")
}
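Review bot: `CompareNonStdVulns` returns an error but calls `log.Fatalf("failed to load json: %v", err)` inside the decode loop, which terminates the process from library code and bypasses the caller's error handling; return the error instead. The read failure at `return fmt.Errorf("failed to read: %v", out)` drops `err`, so a missing file and a permission problem look identical; wrap it with `%w`. `msg.Finding.Trace[0]` assumes every finding carries at least one trace entry; guard with a length check so a malformed or future-format stream fails with a clear message rather than an index-out-of-range panic. `isStd` treats any import path without a dot as standard library, which is a heuristic (a local module path such as `example/foo` is also classified as std) and deserves a comment saying so.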
@@ -0,0 +1,42 @@
// Copyright 2022 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package main
import (
"log"
"os"
"golang.org/x/vuln/cmd/govulncheck/integration/internal/integration"
)
const usage = `test helper for examining the output of running govulncheck on k8s@v1.15.11.
Example usage: ./k8s [path to output file]
`
func main() {
if len(os.Args) != 2 {
log.Fatal("Incorrect number of expected command line arguments", usage)
}
out := os.Args[1]
want := map[string]bool{
"github.com/containernetworking/cni/pkg/invoke": true,
"github.com/evanphx/json-patch": true,
"github.com/opencontainers/selinux/go-selinux": true,
"github.com/prometheus/client_golang/prometheus/promhttp": true,
"golang.org/x/crypto/cryptobyte": true,
"golang.org/x/crypto/salsa20/salsa": true,
"golang.org/x/crypto/ssh": true,
"golang.org/x/net/http/httpguts": true,
"golang.org/x/net/http2": true,
"golang.org/x/net/http2/hpack": true,
"golang.org/x/text/encoding/unicode": true,
"google.golang.org/grpc": true,
}
if err := integration.CompareNonStdVulns(out, want); err != nil {
log.Fatal(err)
}
}
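Review bot: `want` is compared as an exact set with `cmp.Diff`, but the scan in `integration_run.sh` passes no `-db` and therefore runs against the live database at vuln.go.dev, so any new advisory for a dependency of kubernetes v1.15.11 changes the reported set and turns this test red with no change in govulncheck; assert that every expected package is present (want is a subset of got) and log extras as informational, or pin `-db` to a snapshot. Also, `log.Fatal("Incorrect number of expected command line arguments", usage)` hands two strings to `log.Fatal`, which joins them without a separator, so the message runs straight into the usage text; use `log.Fatalf("%s\n%s", ...)` or put a newline in the literal.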
@@ -0,0 +1,4 @@
# Format: //devtools/kokoro/config/proto/build.proto
build_file: "vuln/cmd/govulncheck/integration/kokoro/integration.sh"
@@ -0,0 +1,18 @@
#!/bin/bash
# Copyright 2022 The Go Authors. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# Run integration_test.sh on kokoro.
# Fail on any error.
set -e
# Code under repo is checked out to ${KOKORO_ARTIFACTS_DIR}/git.
# The main directory name in this path is determined by the scm name specified
# in the job configuration, which in this case is "vuln".
cd "${KOKORO_ARTIFACTS_DIR}/git/vuln/cmd/govulncheck/integration"
# Run integration_test.sh
./integration_test.sh
@@ -0,0 +1,41 @@
// Copyright 2022 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package main
import (
"log"
"os"
"golang.org/x/vuln/cmd/govulncheck/integration/internal/integration"
)
const usage = `test helper for examining the output of running govulncheck on
stackrox-io/scanner binary (https://quay.io/repository/stackrox-io/scanner).
Example usage: ./stackrox-scanner [path to output file]
`
func main() {
if len(os.Args) != 2 {
log.Fatal("Incorrect number of expected command line arguments", usage)
}
out := os.Args[1]
want := map[string]bool{
"github.com/go-git/go-git/v5": true,
"github.com/go-git/go-git/v5/config": true,
"github.com/go-git/go-git/v5/plumbing/object": true,
"github.com/go-git/go-git/v5/storage/filesystem": true,
"github.com/go-git/go-git/v5/storage/filesystem/dotgit": true,
"golang.org/x/crypto/ssh": true,
"golang.org/x/net/http2": true,
"golang.org/x/net/http2/hpack": true,
"google.golang.org/grpc": true,
"google.golang.org/grpc/internal/transport": true,
}
if err := integration.CompareNonStdVulns(out, want); err != nil {
log.Fatal(err)
}
}
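Review bot: this helper duplicates `k8s/main.go` except for the `want` map and usage string; one command that takes the expectation list (or both maps in a single package) would keep the two from drifting when `CompareNonStdVulns` changes. The same live-database concern applies here: the exact-set comparison will break as new advisories are published for the go-git, x/crypto, x/net and grpc versions compiled into this scanner build.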
@@ -0,0 +1,31 @@
// Copyright 2022 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package main
import (
"context"
"fmt"
"os"
"golang.org/x/vuln/scan"
)
func main() {
ctx := context.Background()
cmd := scan.Command(ctx, os.Args[1:]...)
err := cmd.Start()
if err == nil {
err = cmd.Wait()
}
switch err := err.(type) {
case nil:
case interface{ ExitCode() int }:
os.Exit(err.ExitCode())
default:
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
}
@@ -0,0 +1,322 @@
// Copyright 2022 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Only run this on Go 1.18 or higher, because govulncheck can't
// run on binaries before 1.18.
//go:build go1.18
// +build go1.18
package main
import (
"bytes"
"context"
"flag"
"fmt"
"os"
"path/filepath"
"regexp"
"runtime"
"sync"
"testing"
"unsafe"
"github.com/google/go-cmdtest"
"github.com/google/go-cmp/cmp"
"golang.org/x/vuln/internal/govulncheck"
"golang.org/x/vuln/internal/test"
"golang.org/x/vuln/internal/web"
"golang.org/x/vuln/scan"
)
var update = flag.Bool("update", false, "update test files with results")
type fixup struct {
pattern string
compiled *regexp.Regexp
replace string
replaceFunc func(b []byte) []byte
}
var fixups = []fixup{
{
// modifies paths to Go files by replacing their directory with "...".
// For example,/a/b/c.go becomes .../c.go .
// This makes it possible to compare govulncheck output across systems, because
// Go filenames include setup-specific paths.
pattern: `[^\s"]*\.go[\s":]`,
replaceFunc: func(b []byte) []byte {
s := string(b)
return []byte(fmt.Sprintf(`.../%s%c`, filepath.Base(s[:len(s)-1]), s[len(s)-1]))
},
}, {
// modifies position lines to mask actual line and column with <l> and
// <c> placeholders, resp.
pattern: `\.go:(\d+):(\d+):`,
replace: `.go:<l>:<c>:`,
}, {
// modify position lines in json
pattern: `\"line\":(\s)*(\d+)`,
replace: `"line": <l>`,
}, {
// modify position columns in json
pattern: `\"column\":(\s)*(\d+)`,
replace: `"column": <c>`,
}, {
// modify position offset in json
pattern: `\"offset\":(\s)*(\d+)`,
replace: `"offset": <o>`,
}, {
// There was a one-line change in container/heap/heap.go between 1.18
// and 1.19 that makes the stack traces different. Ignore it.
pattern: `heap\.go:(\d+)`,
replace: `N`,
}, {
pattern: `Scanning your code and (\d+) packages across (\d+)`,
replace: `Scanning your code and P packages across M`,
}, {
pattern: `Scanner: govulncheck@v.*`,
replace: `Scanner: govulncheck@v1.0.0`,
}, {
pattern: `"([^"]*") is a file`,
replace: `govulncheck: myfile is a file`,
}, {
pattern: `"scanner_version": "[^"]*"`,
replace: `"scanner_version": "v0.0.0-00000000000-20000101010101"`,
}, {
pattern: `file:///(.*)/testdata/vulndb`,
replace: `testdata/vulndb`,
}, {
pattern: `package (.*) is not in (GOROOT|std) (.*)`,
replace: `package foo is not in GOROOT (/tmp/foo)`,
}, {
pattern: `modified (.*)\)`,
replace: `modified 01 Jan 21 00:00 UTC)`,
}, {
pattern: `Go: (go1.[\.\d]*|devel).*`,
replace: `Go: go1.18`,
}, {
pattern: `"go_version": "go[^\s"]*"`,
replace: `"go_version": "go1.18"`,
},
}
func (f *fixup) init() {
f.compiled = regexp.MustCompile(f.pattern)
}
func (f *fixup) apply(data []byte) []byte {
if f.replaceFunc != nil {
return f.compiled.ReplaceAllFunc(data, f.replaceFunc)
}
return f.compiled.ReplaceAll(data, []byte(f.replace))
}
func init() {
for i := range fixups {
fixups[i].init()
}
}
func TestCommand(t *testing.T) {
if testing.Short() {
t.Skip("skipping test that uses internet in short mode")
}
testDir, err := os.Getwd()
if err != nil {
t.Fatal(err)
}
vulndbDir, err := filepath.Abs(filepath.Join(testDir, "testdata", "vulndb-v1"))
if err != nil {
t.Fatal(err)
}
govulndbURI, err := web.URLFromFilePath(vulndbDir)
if err != nil {
t.Fatalf("failed to create make vulndb url: %v", err)
}
moduleDirs, err := filepath.Glob("testdata/modules/*")
if err != nil {
t.Fatal(err)
}
os.Setenv("moddir", filepath.Join(testDir, "testdata", "modules"))
for _, md := range moduleDirs {
// Skip nogomod module. It has intended build issues.
if filepath.Base(md) == "nogomod" {
noModDir, err := filepath.Abs(t.TempDir())
if err != nil {
t.Fatal(err)
}
os.Setenv("nomoddir", noModDir)
b, err := os.ReadFile(filepath.Join(md, "vuln.go"))
if err != nil {
t.Fatal(err)
}
err = os.WriteFile(filepath.Join(noModDir, "vuln.go"), b, 0644)
if err != nil {
t.Fatal(err)
}
continue
}
// Build test module binary.
binary, cleanup := test.GoBuild(t, md, "", filepath.Base(md) == "strip")
t.Cleanup(cleanup)
// Set an environment variable to the path to the binary, so tests
// can refer to it.
varName := filepath.Base(md) + "_binary"
os.Setenv(varName, binary)
}
testFilesDir := filepath.Join(testDir, "testdata", "testfiles")
os.Setenv("testdir", testFilesDir)
runTestSuite(t, testFilesDir, govulndbURI.String(), *update)
if runtime.GOOS != "darwin" {
// Binaries are not stripped on darwin with go1.21 and earlier. See #61051.
runTestSuite(t, filepath.Join(testDir, "testdata", "strip"), govulndbURI.String(), *update)
}
}
// Limit the number of concurrent scans. Scanning is implemented using
// x/tools/go/ssa, which is known to be memory-hungry
// (see https://go.dev/issue/14113), and by default the testing package
// allows up to GOMAXPROCS parallel tests at a time.
//
// For now we arbitrarily limit to ⌈GOMAXPROCS/4⌉, on the theory that many Go
// developer and CI machines have at least 8 logical cores and we want most
// runs of the test to exercise at least a little concurrency. If that turns
// out to still be too high, we may consider reducing it further.
//
// Since all of the scans run in the same process, we need an especially low
// limit on 32-bit platforms: we may run out of virtual address space well
// before we run out of system RAM.
var (
parallelLimiter chan struct{}
parallelLimiterInit sync.Once
)
// testSuite creates a cmdtest suite from dir. It also defines
// a govulncheck command on the suite that runs govulncheck
// against vulnerability database available at vulndbDir.
func runTestSuite(t *testing.T, dir string, govulndb string, update bool) {
parallelLimiterInit.Do(func() {
limit := (runtime.GOMAXPROCS(0) + 3) / 4
if limit > 2 && unsafe.Sizeof(uintptr(0)) < 8 {
limit = 2
}
parallelLimiter = make(chan struct{}, limit)
})
tsReadDir := dir
if filepath.Base(dir) != "strip" {
tsReadDir = filepath.Join(tsReadDir, "*")
}
ts, err := cmdtest.Read(tsReadDir)
if err != nil {
t.Fatal(err)
}
ts.DisableLogging = true
govulncheckCmd := func(args []string, inputFile string) ([]byte, error) {
parallelLimiter <- struct{}{}
defer func() { <-parallelLimiter }()
newargs := append([]string{"-db", govulndb}, args...)
buf := &bytes.Buffer{}
cmd := scan.Command(context.Background(), newargs...)
cmd.Stdout = buf
cmd.Stderr = buf
if inputFile != "" {
input, err := os.Open(filepath.Join(dir, inputFile))
if err != nil {
return nil, err
}
defer input.Close()
cmd.Stdin = input
}
// We set GOVERSION to always get the same results regardless of the underlying Go build system.
cmd.Env = append(os.Environ(), "GOVERSION=go1.18")
if err := cmd.Start(); err != nil {
return nil, err
}
err := cmd.Wait()
switch e := err.(type) {
case nil:
case interface{ ExitCode() int }:
err = &cmdtest.ExitCodeErr{Msg: err.Error(), Code: e.ExitCode()}
if e.ExitCode() == 0 {
err = nil
}
default:
fmt.Fprintln(buf, err)
err = &cmdtest.ExitCodeErr{Msg: err.Error(), Code: 1}
}
sorted := buf
if err == nil && isJSONMode(args) {
// parse, sort and reprint the output for test stability
gather := test.NewMockHandler()
if err := govulncheck.HandleJSON(buf, gather); err != nil {
return nil, err
}
sorted = &bytes.Buffer{}
h := govulncheck.NewJSONHandler(sorted)
if err := gather.Write(h); err != nil {
return nil, err
}
}
out := sorted.Bytes()
for _, fix := range fixups {
out = fix.apply(out)
}
return out, err
}
ts.Commands["govulncheck"] = govulncheckCmd
// govulncheck-cmp is like govulncheck except that the last argument is a file
// whose contents are compared to the output of govulncheck. This command does
// not output anything.
ts.Commands["govulncheck-cmp"] = func(args []string, inputFile string) ([]byte, error) {
l := len(args)
if l == 0 {
return nil, nil
}
cmpArg := args[l-1]
gArgs := args[:l-1]
out, err := govulncheckCmd(gArgs, inputFile)
if err != nil {
return nil, &cmdtest.ExitCodeErr{Msg: err.Error(), Code: 1}
}
got := string(out)
file, err := os.ReadFile(cmpArg)
if err != nil {
return nil, &cmdtest.ExitCodeErr{Msg: err.Error(), Code: 1}
}
want := string(file)
if diff := cmp.Diff(want, got); diff != "" {
return nil, &cmdtest.ExitCodeErr{Msg: "govulncheck output not matching the file contents:\n" + diff, Code: 1}
}
return nil, nil
}
if update {
ts.Run(t, true)
return
}
ts.RunParallel(t, false)
}
func isJSONMode(args []string) bool {
for _, arg := range args {
if arg == "-json" {
return true
}
}
return false
}
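Review bot: the doc comment "testSuite creates a cmdtest suite from dir" names a function that does not exist; the function it describes is `runTestSuite`, and Go doc tooling expects the comment to begin with the function's name. The skip message "skipping test that uses internet in short mode" is stale: the suite points `-db` at the local `testdata/vulndb-v1` through a file:// URL, so any network use comes only from `test.GoBuild` resolving test-module dependencies; say that, or drop the skip. The `os.Setenv` calls for `moddir`, `nomoddir`, `testdir` and each `*_binary` stay in effect for every other test in the package for the rest of the process; `t.Setenv` would restore them when `TestCommand` finishes and is permitted here because `TestCommand` itself never calls `t.Parallel`. Lastly, the fixup `heap\.go:(\d+)` replaces the whole `heap.go:<line>` token with a bare `N`, erasing the file name along with the line number; replacing with `heap.go:N` keeps the golden traces readable.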
@@ -0,0 +1,14 @@
/*
* Copyright 2022 The Go Authors. All rights reserved.
* Use of this source code is governed by a BSD-style
* license that can be found in the LICENSE file.
*/
body {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu,
'Helvetica Neue', Arial, sans-serif;
}
ul {
list-style-type: none;
}
@@ -0,0 +1,12 @@
package main
import (
"fmt"
"golang.org/x/text/language"
)
func main() {
fmt.Println("hello")
language.Parse("")
}
@@ -0,0 +1,41 @@
#####
# Test for stripped binaries (see #57764)
$ govulncheck -mode=binary ${strip_binary} --> FAIL 3
Scanning your binary for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: language.MatchStrings
#2: language.MustParse
#3: language.Parse
#4: language.ParseAcceptLanguage
Vulnerability #2: GO-2020-0015
An attacker could provide a single byte to a UTF16 decoder instantiated with
UseBOM or ExpectBOM to trigger an infinite loop if the String function on
the Decoder is called, or the Decoder is passed to transform.String. If used
to parse user supplied input, this may be used as a denial of service
vector.
More info: https://pkg.go.dev/vuln/GO-2020-0015
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.3
Example traces found:
#1: transform.String
#2: unicode.bomOverride.Transform
#3: unicode.utf16Decoder.Transform
Your code is affected by 2 vulnerabilities from 1 module.
This scan found no other vulnerabilities in packages you import or modules you
require.
Use '-show verbose' for more details.
@@ -0,0 +1,622 @@
#####
# Test basic binary scanning with json output
$ govulncheck -json -mode=binary ${vuln_binary}
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"scan_level": "symbol"
}
}
{
"progress": {
"message": "Scanning your binary for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0265",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-08-15T18:06:07Z",
"aliases": [
"CVE-2021-42248",
"CVE-2021-42836",
"GHSA-c9gm-7rfj-8w5h",
"GHSA-ppj4-34rq-v8j9"
],
"details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Get",
"parseObject",
"queryMatches"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/237"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/236"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0265"
}
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "Get"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "Get",
"receiver": "Result"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0113",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-10-06T17:51:21Z",
"aliases": [
"CVE-2021-38561",
"GHSA-ppp9-7jff-5vj2"
],
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.7"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/language",
"symbols": [
"MatchStrings",
"MustParse",
"Parse",
"ParseAcceptLanguage"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/340830"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
}
],
"credits": [
{
"name": "Guido Vranken"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0113"
}
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0",
"package": "golang.org/x/text/language"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0",
"package": "golang.org/x/text/language",
"function": "Parse"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0054",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-36067",
"GHSA-p64j-r5f4-pwwx"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Result.ForEach",
"unwrap"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/196"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0054"
}
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "ForEach",
"receiver": "Result"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2020-0015",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-14040",
"GHSA-5rcv-m4m3-hfh7"
],
"details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/encoding/unicode",
"symbols": [
"bomOverride.Transform",
"utf16Decoder.Transform"
]
},
{
"path": "golang.org/x/text/transform",
"symbols": [
"String"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/238238"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/39491"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
}
],
"credits": [
{
"name": "@abacabadabacaba and Anton Gyllenberg"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0015"
}
}
}
{
"finding": {
"osv": "GO-2020-0015",
"fixed_version": "v0.3.3",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0059",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-35380",
"GHSA-w942-gw6m-p62c"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.4"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Array",
"Result.Get",
"Result.Map",
"Result.Value",
"squash"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/192"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0059"
}
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2022-0969",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-09-12T20:23:06Z",
"aliases": [
"CVE-2022-27664",
"GHSA-69cg-p879-7622"
],
"details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.6"
},
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"ListenAndServe",
"ListenAndServeTLS",
"Serve",
"ServeTLS",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.Serve",
"Server.ServeTLS",
"http2Server.ServeConn",
"http2serverConn.goAway"
]
}
]
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220906165146-f3363e06e74c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/http2",
"symbols": [
"Server.ServeConn",
"serverConn.goAway"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/54658"
},
{
"type": "FIX",
"url": "https://go.dev/cl/428735"
}
],
"credits": [
{
"name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0969"
}
}
}
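Review bot: the last two OSV records in this hunk, GO-2021-0059 and GO-2022-0969, are streamed with no "finding" record after them, while every earlier record in the file is followed by at least one finding, so a reader checking this golden output against the scanner may take the trailing records for dropped results. For GO-2021-0059 the likely reason is visible in the record itself ("fixed": "1.6.4", so any gjson at or above that version is out of range), but nothing in the file says so, and for GO-2022-0969 the only affected modules are stdlib and golang.org/x/net with no version recorded anywhere. Suggest a comment at the top of this file stating that the JSON stream includes every OSV record retrieved for a required module path, affecting or not, and that the findings alone carry the verdict; otherwise the next person to touch the emitter will not know whether emitting these two records is required behaviour or an accident the test happens to freeze.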
@@ -0,0 +1,46 @@
#####
# Test basic binary scanning with text output
$ govulncheck -mode=binary ${vuln_binary} --> FAIL 3
Scanning your binary for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0265
A maliciously crafted path can cause Get and other query functions to
consume excessive amounts of CPU and time.
More info: https://pkg.go.dev/vuln/GO-2021-0265
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.9.3
Example traces found:
#1: gjson.Get
#2: gjson.Result.Get
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: language.Parse
Vulnerability #3: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
More info: https://pkg.go.dev/vuln/GO-2021-0054
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.6.6
Example traces found:
#1: gjson.Result.ForEach
Your code is affected by 3 vulnerabilities from 2 modules.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
Use '-show verbose' for more details.
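Review bot: the expected output is pinned to fixture details that the header comment does not mention: the run must exit with status 3 (the "--> FAIL 3" marker), and ${vuln_binary} must have been linked against github.com/tidwall/gjson v1.6.5 and golang.org/x/text v0.3.0, because the "Found in:" lines and the "3 vulnerabilities from 2 modules" summary encode exactly those versions. Expand "# Test basic binary scanning with text output" with where ${vuln_binary} is built and which module versions it pins, so that a bump in the fixture is recognised as the cause when this golden text changes. It would also help to note that in binary mode each entry under "Example traces found" is a single symbol ("#1: gjson.Get", "#1: language.Parse") rather than a call stack, since the scan works from the symbol table and has no call graph to walk.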
@@ -0,0 +1,607 @@
#####
# Test basic binary scanning with json output
$ govulncheck -json -mode=binary ${vendored_binary}
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"scan_level": "symbol"
}
}
{
"progress": {
"message": "Scanning your binary for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0265",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-08-15T18:06:07Z",
"aliases": [
"CVE-2021-42248",
"CVE-2021-42836",
"GHSA-c9gm-7rfj-8w5h",
"GHSA-ppj4-34rq-v8j9"
],
"details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Get",
"parseObject",
"queryMatches"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/237"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/236"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0265"
}
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "Get"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "Get",
"receiver": "Result"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0113",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-10-06T17:51:21Z",
"aliases": [
"CVE-2021-38561",
"GHSA-ppp9-7jff-5vj2"
],
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.7"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/language",
"symbols": [
"MatchStrings",
"MustParse",
"Parse",
"ParseAcceptLanguage"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/340830"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
}
],
"credits": [
{
"name": "Guido Vranken"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0113"
}
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0",
"package": "golang.org/x/text/language"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0",
"package": "golang.org/x/text/language",
"function": "Parse"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0054",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-36067",
"GHSA-p64j-r5f4-pwwx"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Result.ForEach",
"unwrap"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/196"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0054"
}
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2020-0015",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-14040",
"GHSA-5rcv-m4m3-hfh7"
],
"details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/encoding/unicode",
"symbols": [
"bomOverride.Transform",
"utf16Decoder.Transform"
]
},
{
"path": "golang.org/x/text/transform",
"symbols": [
"String"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/238238"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/39491"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
}
],
"credits": [
{
"name": "@abacabadabacaba and Anton Gyllenberg"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0015"
}
}
}
{
"finding": {
"osv": "GO-2020-0015",
"fixed_version": "v0.3.3",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0059",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-35380",
"GHSA-w942-gw6m-p62c"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.4"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Array",
"Result.Get",
"Result.Map",
"Result.Value",
"squash"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/192"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0059"
}
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2022-0969",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-09-12T20:23:06Z",
"aliases": [
"CVE-2022-27664",
"GHSA-69cg-p879-7622"
],
"details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.6"
},
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"ListenAndServe",
"ListenAndServeTLS",
"Serve",
"ServeTLS",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.Serve",
"Server.ServeTLS",
"http2Server.ServeConn",
"http2serverConn.goAway"
]
}
]
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220906165146-f3363e06e74c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/http2",
"symbols": [
"Server.ServeConn",
"serverConn.goAway"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/54658"
},
{
"type": "FIX",
"url": "https://go.dev/cl/428735"
}
],
"credits": [
{
"name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0969"
}
}
}
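Review bot: the header comment "# Test basic binary scanning with json output" presents this as the basic case, but the command scans ${vendored_binary}, not the ${vuln_binary} that every other test in this set uses, and the results differ: for GO-2021-0054 this stream stops at the package-level finding ("package": "github.com/tidwall/gjson" with no "function"), whereas the text-output test of ${vuln_binary} reports the same vulnerability as a symbol-level hit on gjson.Result.ForEach. State in the comment what the vendored fixture is for and that the weaker GO-2021-0054 result is intended, or switch the variable if it is not; as written, a reader comparing the two expectations cannot tell a fixture difference from a scanner regression. The config record also carries no "go_version" field; if binary mode is expected to omit it, a one-line note here would save a search.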
@@ -0,0 +1,525 @@
#####
# Test binary scanning at the module level with json output
$ govulncheck -json -mode=binary -scan=module ${vuln_binary}
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"scan_level": "module"
}
}
{
"progress": {
"message": "Scanning your binary for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0265",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-08-15T18:06:07Z",
"aliases": [
"CVE-2021-42248",
"CVE-2021-42836",
"GHSA-c9gm-7rfj-8w5h",
"GHSA-ppj4-34rq-v8j9"
],
"details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Get",
"parseObject",
"queryMatches"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/237"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/236"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0265"
}
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0113",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-10-06T17:51:21Z",
"aliases": [
"CVE-2021-38561",
"GHSA-ppp9-7jff-5vj2"
],
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.7"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/language",
"symbols": [
"MatchStrings",
"MustParse",
"Parse",
"ParseAcceptLanguage"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/340830"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
}
],
"credits": [
{
"name": "Guido Vranken"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0113"
}
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0054",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-36067",
"GHSA-p64j-r5f4-pwwx"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Result.ForEach",
"unwrap"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/196"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0054"
}
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2020-0015",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-14040",
"GHSA-5rcv-m4m3-hfh7"
],
"details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/encoding/unicode",
"symbols": [
"bomOverride.Transform",
"utf16Decoder.Transform"
]
},
{
"path": "golang.org/x/text/transform",
"symbols": [
"String"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/238238"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/39491"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
}
],
"credits": [
{
"name": "@abacabadabacaba and Anton Gyllenberg"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0015"
}
}
}
{
"finding": {
"osv": "GO-2020-0015",
"fixed_version": "v0.3.3",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0059",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-35380",
"GHSA-w942-gw6m-p62c"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.4"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Array",
"Result.Get",
"Result.Map",
"Result.Value",
"squash"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/192"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0059"
}
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2022-0969",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-09-12T20:23:06Z",
"aliases": [
"CVE-2022-27664",
"GHSA-69cg-p879-7622"
],
"details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.6"
},
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"ListenAndServe",
"ListenAndServeTLS",
"Serve",
"ServeTLS",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.Serve",
"Server.ServeTLS",
"http2Server.ServeConn",
"http2serverConn.goAway"
]
}
]
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220906165146-f3363e06e74c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/http2",
"symbols": [
"Server.ServeConn",
"serverConn.goAway"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/54658"
},
{
"type": "FIX",
"url": "https://go.dev/cl/428735"
}
],
"credits": [
{
"name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0969"
}
}
}
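Review bot: the "scanner_version": "v0.0.0-00000000000-20000101010101" value in the config record is shaped like a Go pseudo-version but has its fields the wrong way round: a pseudo-version is v0.0.0-<14-digit UTC timestamp>-<12 hex digit commit prefix>, and here the middle field is eleven zeros while the trailing field is the timestamp-looking part. If the harness rewrites the real scanner version to this placeholder before comparison, a comment saying so (and where the rewrite lives) would stop reviewers from reading it as a real version; if it is compared literally, prefer a placeholder that cannot be mistaken for a real version so nobody later "corrects" the layout. The same value appears in every JSON golden file in this set, so one comment at the first occurrence is enough.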
@@ -0,0 +1,47 @@
#####
# Test binary scanning at the module level
$ govulncheck -mode=binary -scan module ${vuln_binary} --> FAIL 3
Scanning your binary for known vulnerabilities...
=== Module Results ===
Vulnerability #1: GO-2021-0265
A maliciously crafted path can cause Get and other query functions to
consume excessive amounts of CPU and time.
More info: https://pkg.go.dev/vuln/GO-2021-0265
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.9.3
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Vulnerability #3: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
More info: https://pkg.go.dev/vuln/GO-2021-0054
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.6.6
Vulnerability #4: GO-2020-0015
An attacker could provide a single byte to a UTF16 decoder instantiated with
UseBOM or ExpectBOM to trigger an infinite loop if the String function on
the Decoder is called, or the Decoder is passed to transform.String. If used
to parse user supplied input, this may be used as a denial of service
vector.
More info: https://pkg.go.dev/vuln/GO-2020-0015
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.3
Your code may be affected by 4 vulnerabilities.
Use '-scan symbol' for more fine grained vulnerability detection.
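Review bot: the command line "$ govulncheck -mode=binary -scan module ${vuln_binary} --> FAIL 3" mixes the "-name=value" and "-name value" flag forms, and the JSON variant of this same test spells it "-scan=module". Both parse under the Go flag package, but the inconsistency makes it harder to grep for every test of a given scan level; pick one form (the "-flag=value" style already used for -mode) across the set. It would also help to add a line to the header saying that the summary "Your code may be affected by 4 vulnerabilities" is meant to contrast with the symbol-level test's "3 vulnerabilities from 2 modules", the extra one being GO-2020-0015, which only matches at module level; that is the point of the test and it is currently left for the reader to work out.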
@@ -0,0 +1,564 @@
#####
# Test binary scanning at the package level with json output
$ govulncheck -json -mode=binary -scan=package ${vuln_binary}
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"scan_level": "package"
}
}
{
"progress": {
"message": "Scanning your binary for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0265",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-08-15T18:06:07Z",
"aliases": [
"CVE-2021-42248",
"CVE-2021-42836",
"GHSA-c9gm-7rfj-8w5h",
"GHSA-ppj4-34rq-v8j9"
],
"details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Get",
"parseObject",
"queryMatches"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/237"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/236"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0265"
}
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0113",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-10-06T17:51:21Z",
"aliases": [
"CVE-2021-38561",
"GHSA-ppp9-7jff-5vj2"
],
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.7"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/language",
"symbols": [
"MatchStrings",
"MustParse",
"Parse",
"ParseAcceptLanguage"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/340830"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
}
],
"credits": [
{
"name": "Guido Vranken"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0113"
}
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0",
"package": "golang.org/x/text/language"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0054",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-36067",
"GHSA-p64j-r5f4-pwwx"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Result.ForEach",
"unwrap"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/196"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0054"
}
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2020-0015",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-14040",
"GHSA-5rcv-m4m3-hfh7"
],
"details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/encoding/unicode",
"symbols": [
"bomOverride.Transform",
"utf16Decoder.Transform"
]
},
{
"path": "golang.org/x/text/transform",
"symbols": [
"String"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/238238"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/39491"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
}
],
"credits": [
{
"name": "@abacabadabacaba and Anton Gyllenberg"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0015"
}
}
}
{
"finding": {
"osv": "GO-2020-0015",
"fixed_version": "v0.3.3",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0059",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-35380",
"GHSA-w942-gw6m-p62c"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.4"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Array",
"Result.Get",
"Result.Map",
"Result.Value",
"squash"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/192"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0059"
}
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2022-0969",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-09-12T20:23:06Z",
"aliases": [
"CVE-2022-27664",
"GHSA-69cg-p879-7622"
],
"details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.6"
},
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"ListenAndServe",
"ListenAndServeTLS",
"Serve",
"ServeTLS",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.Serve",
"Server.ServeTLS",
"http2Server.ServeConn",
"http2serverConn.goAway"
]
}
]
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220906165146-f3363e06e74c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/http2",
"symbols": [
"Server.ServeConn",
"serverConn.goAway"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/54658"
},
{
"type": "FIX",
"url": "https://go.dev/cl/428735"
}
],
"credits": [
{
"name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0969"
}
}
}
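Review bot: at package level the GO-2020-0015 record is followed by a single finding that carries only "module": "golang.org/x/text" and "version": "v0.3.0" with no "package" field, unlike the findings for GO-2021-0265, GO-2021-0113 and GO-2021-0054, each of which descends to a package. That is what lets the text variant of this test report "1 vulnerability in modules you require", but nothing in the file says that the fixture deliberately leaves out the golang.org/x/text/encoding/unicode and golang.org/x/text/transform packages listed in the record's ecosystem_specific imports. A header comment naming that as the intended setup would let a future golden diff (for instance after someone adds a UTF-16 decoder to the test program and this becomes a package-level hit) be recognised as a fixture change rather than a scanner change.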
@@ -0,0 +1,37 @@
# Test binary scanning at the package level.
$ govulncheck -mode=binary -scan package ${vuln_binary} --> FAIL 3
Scanning your binary for known vulnerabilities...
=== Package Results ===
Vulnerability #1: GO-2021-0265
A maliciously crafted path can cause Get and other query functions to
consume excessive amounts of CPU and time.
More info: https://pkg.go.dev/vuln/GO-2021-0265
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.9.3
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Vulnerability #3: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
More info: https://pkg.go.dev/vuln/GO-2021-0054
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.6.6
Your code may be affected by 3 vulnerabilities.
This scan also found 1 vulnerability in modules you require.
Use '-scan symbol' for more fine grained vulnerability detection and '-show
verbose' for more details.
@@ -0,0 +1,281 @@
{
"config": {
"protocol_version": "v0.1.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"go_version": "go1.18",
"scan_level": "symbol"
}
}
{
"progress": {
"message": "Scanning your code and P packages across M dependent modules for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0265",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-08-15T18:06:07Z",
"aliases": [
"CVE-2021-42248",
"CVE-2021-42836",
"GHSA-c9gm-7rfj-8w5h",
"GHSA-ppj4-34rq-v8j9"
],
"details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Get",
"parseObject",
"queryMatches"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/237"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/236"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0265"
}
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "Get",
"receiver": "Result"
},
{
"module": "golang.org/vuln",
"package": "golang.org/vuln",
"function": "main",
"position": {
"filename": ".../vuln.go",
"offset": 183,
"line": 14,
"column": 20
}
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0113",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-10-06T17:51:21Z",
"aliases": [
"CVE-2021-38561",
"GHSA-ppp9-7jff-5vj2"
],
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.7"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/language",
"symbols": [
"MatchStrings",
"MustParse",
"Parse",
"ParseAcceptLanguage"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/340830"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
}
],
"credits": [
{
"name": "Guido Vranken"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0113"
}
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0",
"package": "golang.org/x/text/language",
"function": "Parse"
},
{
"module": "golang.org/vuln",
"package": "golang.org/vuln",
"function": "main",
"position": {
"filename": ".../vuln.go",
"offset": 159,
"line": 13,
"column": 16
}
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0054",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-36067",
"GHSA-p64j-r5f4-pwwx"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Result.ForEach",
"unwrap"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/196"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0054"
}
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson"
}
]
}
}
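Review bot: the config message at the top of this convert input carries "protocol_version": "v0.1.0", while every other golden file in this change uses "v1.0.0"; if -mode=convert is meant to accept the older protocol version, a comment in the fixture saying so would help, otherwise bump it to "v1.0.0" so the test does not silently depend on legacy handling.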
@@ -0,0 +1,35 @@
#####
# Test using the conversion from json on stdin to text on stdout
# location of convert input is subdirectory/convert_intput
$ govulncheck -mode=convert < convert/convert_input.json --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0265
A maliciously crafted path can cause Get and other query functions to
consume excessive amounts of CPU and time.
More info: https://pkg.go.dev/vuln/GO-2021-0265
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.9.3
Example traces found:
#1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: .../vuln.go:<l>:<c>: vuln.main calls language.Parse
Your code is affected by 2 vulnerabilities from 2 modules.
This scan also found 1 vulnerability in packages you import and 0
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
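Review bot: the comment "location of convert input is subdirectory/convert_intput" has a typo and does not match the path the command actually reads (convert/convert_input.json); change it to the real path so the description stays accurate.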
@@ -0,0 +1,50 @@
#####
# Test binary mode using the extracted binary blob.
$ govulncheck -mode=binary ${testdir}/extract/vuln.blob --> FAIL 3
Scanning your binary for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0265
A maliciously crafted path can cause Get and other query functions to
consume excessive amounts of CPU and time.
More info: https://pkg.go.dev/vuln/GO-2021-0265
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.9.3
Example traces found:
#1: gjson.Get
#2: gjson.Result.Get
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: language.Parse
Vulnerability #3: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
More info: https://pkg.go.dev/vuln/GO-2021-0054
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.6.6
Example traces found:
#1: gjson.Result.ForEach
Your code is affected by 3 vulnerabilities from 2 modules.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
Use '-show verbose' for more details.
# Test extract mode. Due to the size of the blob even for smallest programs, we
# directly compare its output to a target vuln_blob.json file.
$ govulncheck-cmp -mode=extract ${moddir}/vuln/vuln_dont_run_me ${testdir}/extract/vuln.blob
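Review bot: the extract-mode test appended at the end of this file lacks the "#####" separator that precedes every other case in this change; add it so the two cases are visibly distinct. The comment should also read "even for the smallest programs".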
@@ -0,0 +1 @@
{"name":"govulncheck-extract","version":"0.1.0"}{"modules":[]}{"name":"govulncheck-extract","version":"0.1.0"}
@@ -0,0 +1,69 @@
#####
# Test of passing a non-file to -mode=binary
$ govulncheck -mode=binary notafile --> FAIL 2
"notafile" is not a file
#####
# Test of passing a non-binary and non-blob file to -mode=binary
$ govulncheck -mode=binary ${moddir}/vuln/go.mod --> FAIL 1
govulncheck: unrecognized binary format
#####
# Test of passing a blob with invalid header id
$ govulncheck -mode=binary ${testdir}/failures/invalid_header_name.blob --> FAIL 1
govulncheck: unrecognized binary format
#####
# Test of passing a blob with invalid header version
$ govulncheck -mode=binary ${testdir}/failures/invalid_header_version.blob --> FAIL 1
govulncheck: unrecognized binary format
#####
# Test of passing a blob with no header
$ govulncheck -mode=binary ${testdir}/failures/no_header.blob --> FAIL 1
govulncheck: unrecognized binary format
#####
# Test of passing a blob with invalid header, i.e., no header
$ govulncheck -mode=binary ${testdir}/failures/no_header.blob --> FAIL 1
govulncheck: unrecognized binary format
#####
# Test of passing a blob with no body
$ govulncheck -mode=binary ${testdir}/failures/no_body.blob --> FAIL 1
govulncheck: unrecognized binary format
#####
# Test of passing an empty blob/file
$ govulncheck -mode=binary ${testdir}/failures/empty.blob --> FAIL 1
govulncheck: unrecognized binary format
#####
# Test of passing an empty blob message
$ govulncheck -mode=binary ${testdir}/failures/empty_message.blob --> FAIL 1
govulncheck: unrecognized binary format
#####
# Test of passing blob message with multiple headers
$ govulncheck -mode=binary ${testdir}/failures/multi_header.blob --> FAIL 1
govulncheck: unrecognized binary format
#####
# Test of passing blob message with something after the body
$ govulncheck -mode=binary ${testdir}/failures/multi_header.blob --> FAIL 1
govulncheck: unrecognized binary format
#####
# Test of trying to analyze multiple binaries
$ govulncheck -mode=binary ${vuln_binary} ${vuln_binary} --> FAIL 2
only 1 binary can be analyzed at a time
#####
# Test of trying to run -mode=binary with -tags flag
$ govulncheck -tags=foo -mode=binary ${vuln_binary} --> FAIL 2
the -tags flag is not supported in binary mode
#####
# Test of trying to run -mode=binary with the -test flag
$ govulncheck -test -mode=binary ${vuln_binary} --> FAIL 2
the -test flag is not supported in binary mode
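Review bot: the case "Test of passing blob message with something after the body" reuses multi_header.blob, the same fixture as the "multiple headers" case directly above it, so it does not exercise trailing data after the body at all; point it at a dedicated fixture that actually carries bytes after the body, or drop the case. The no-header case is also run twice ("Test of passing a blob with no header" and "Test of passing a blob with invalid header, i.e., no header" both invoke no_header.blob); one of the two should go.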
@@ -0,0 +1,4 @@
#####
# Test extraction of an unsupported file format
$ govulncheck -mode=extract ${moddir}/vuln/go.mod --> FAIL 1
govulncheck: unrecognized binary format
@@ -0,0 +1 @@
{"id":"invalid-name","protocol":"0.1.0"}{"modules":[{"Path":"github.com/tidwall/gjson","Version":"v1.6.5","Replace":null,"Time":null,"Main":false,"Indirect":false,"Dir":"","GoMod":"","GoVersion":"","Error":null}]}
@@ -0,0 +1 @@
{"name":"invalid-name","version":"0.1.0"}{"modules":[{"Path":"github.com/tidwall/gjson","Version":"v1.6.5","Replace":null,"Time":null,"Main":false,"Indirect":false,"Dir":"","GoMod":"","GoVersion":"","Error":null}]}
@@ -0,0 +1 @@
{"name":"govulncheck-extract","version":"8.8.8"}{"modules":[{"Path":"github.com/tidwall/gjson","Version":"v1.6.5","Replace":null,"Time":null,"Main":false,"Indirect":false,"Dir":"","GoMod":"","GoVersion":"","Error":null}]}
@@ -0,0 +1 @@
{"name":"govulncheck-extract","version":"0.1.0"}{"name":"govulncheck-extract","version":"0.1.0"}{"modules":[]}
@@ -0,0 +1 @@
{"name":"govulncheck-extract","version":"0.1.0"}
@@ -0,0 +1 @@
{"modules":[{"Path":"github.com/tidwall/gjson","Version":"v1.6.5","Replace":null,"Time":null,"Main":false,"Indirect":false,"Dir":"","GoMod":"","GoVersion":"","Error":null}]}
@@ -0,0 +1,4 @@
#####
# Test of query mode with invalid input.
$ govulncheck -mode=query -json example.com/module@ --> FAIL 2
invalid query example.com/module@: must be of the form module@version
@@ -0,0 +1,35 @@
#####
# Test of missing go.mod error message.
$ govulncheck -C ${moddir}/{nomoddir} . --> FAIL 1
govulncheck: no go.mod file
govulncheck only works with Go modules. Try navigating to your module directory.
Otherwise, run go mod init to make your project a module.
See https://go.dev/doc/modules/managing-dependencies for more information.
#####
# Test of handing a binary to source mode
$ govulncheck ${vuln_binary} --> FAIL 2
govulncheck: myfile is a file.
By default, govulncheck runs source analysis on Go modules.
Did you mean to run govulncheck with -mode=binary?
For details, run govulncheck -h.
#####
# Test of handing an invalid package pattern to source mode
$ govulncheck -C ${moddir}/vuln blah --> FAIL 1
govulncheck: loading packages:
There are errors with the provided package patterns:
-: package foo is not in GOROOT (/tmp/foo)
For details on package patterns, see https://pkg.go.dev/cmd/go#hdr-Package_lists_and_patterns.
#####
# Test of handing a package pattern to scan level module
$ govulncheck -scan module -C ${moddir}/vuln pattern --> FAIL 2
patterns are not accepted for module only scanning
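Review bot: the expected output for the invalid-pattern case says "package foo is not in GOROOT (/tmp/foo)" while the command passes the pattern "blah"; unless the harness rewrites that line, the golden text does not match what govulncheck would print for "blah". The binary-in-source-mode case likewise names "myfile" although ${vuln_binary} is passed; confirm both substitutions are handled by the test runner, or make the expected text match the arguments.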
@@ -0,0 +1,14 @@
#####
# Test of invalid input to -mode
$ govulncheck -mode=invalid ./... --> FAIL 2
"invalid" is not a valid mode
#####
# Test of trying to run -json with -v flag
$ govulncheck -C ${moddir}/vuln -show=traces -json . --> FAIL 2
the -show flag is not supported for JSON output
#####
# Test of invalid input to -scan
$ govulncheck -scan=invalid ./... --> FAIL 2
"invalid" is not a valid scan level
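Review bot: the comment "Test of trying to run -json with -v flag" does not match the command beneath it, which passes -show=traces rather than -v; rename it (for example "Test of trying to run -json with -show flag") so the description reflects the error actually being asserted.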
@@ -0,0 +1,154 @@
#####
# Test of query mode for a third party module.
$ govulncheck -mode=query -json github.com/tidwall/gjson@v1.6.5
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"scan_level": "symbol"
}
}
{
"progress": {
"message": "Looking up vulnerabilities in github.com/tidwall/gjson at v1.6.5..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0054",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-36067",
"GHSA-p64j-r5f4-pwwx"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Result.ForEach",
"unwrap"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/196"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0054"
}
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0265",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-08-15T18:06:07Z",
"aliases": [
"CVE-2021-42248",
"CVE-2021-42836",
"GHSA-c9gm-7rfj-8w5h",
"GHSA-ppj4-34rq-v8j9"
],
"details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Get",
"parseObject",
"queryMatches"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/237"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/236"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0265"
}
}
}
@@ -0,0 +1,270 @@
#####
# Test of query mode with multiple inputs.
$ govulncheck -mode=query -json stdlib@go1.17 github.com/tidwall/gjson@v1.6.5
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"scan_level": "symbol"
}
}
{
"progress": {
"message": "Looking up vulnerabilities in stdlib at go1.17..."
}
}
{
"progress": {
"message": "Looking up vulnerabilities in github.com/tidwall/gjson at v1.6.5..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2022-0969",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-09-12T20:23:06Z",
"aliases": [
"CVE-2022-27664",
"GHSA-69cg-p879-7622"
],
"details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.6"
},
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"ListenAndServe",
"ListenAndServeTLS",
"Serve",
"ServeTLS",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.Serve",
"Server.ServeTLS",
"http2Server.ServeConn",
"http2serverConn.goAway"
]
}
]
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220906165146-f3363e06e74c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/http2",
"symbols": [
"Server.ServeConn",
"serverConn.goAway"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/54658"
},
{
"type": "FIX",
"url": "https://go.dev/cl/428735"
}
],
"credits": [
{
"name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0969"
}
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0054",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-36067",
"GHSA-p64j-r5f4-pwwx"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Result.ForEach",
"unwrap"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/196"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0054"
}
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0265",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-08-15T18:06:07Z",
"aliases": [
"CVE-2021-42248",
"CVE-2021-42836",
"GHSA-c9gm-7rfj-8w5h",
"GHSA-ppj4-34rq-v8j9"
],
"details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Get",
"parseObject",
"queryMatches"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/237"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/236"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0265"
}
}
}
@@ -0,0 +1,129 @@
#####
# Test of query mode with the standard library.
$ govulncheck -mode=query -json stdlib@go1.17
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"scan_level": "symbol"
}
}
{
"progress": {
"message": "Looking up vulnerabilities in stdlib at go1.17..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2022-0969",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-09-12T20:23:06Z",
"aliases": [
"CVE-2022-27664",
"GHSA-69cg-p879-7622"
],
"details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.6"
},
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"ListenAndServe",
"ListenAndServeTLS",
"Serve",
"ServeTLS",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.Serve",
"Server.ServeTLS",
"http2Server.ServeConn",
"http2serverConn.goAway"
]
}
]
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220906165146-f3363e06e74c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/http2",
"symbols": [
"Server.ServeConn",
"serverConn.goAway"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/54658"
},
{
"type": "FIX",
"url": "https://go.dev/cl/428735"
}
],
"credits": [
{
"name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0969"
}
}
}
@@ -0,0 +1,129 @@
#####
# Test of query mode with the standard library (with a v prefix on the version).
$ govulncheck -mode=query -json stdlib@v1.17.0
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"scan_level": "symbol"
}
}
{
"progress": {
"message": "Looking up vulnerabilities in stdlib at v1.17.0..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2022-0969",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-09-12T20:23:06Z",
"aliases": [
"CVE-2022-27664",
"GHSA-69cg-p879-7622"
],
"details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.6"
},
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"ListenAndServe",
"ListenAndServeTLS",
"Serve",
"ServeTLS",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.Serve",
"Server.ServeTLS",
"http2Server.ServeConn",
"http2serverConn.goAway"
]
}
]
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220906165146-f3363e06e74c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/http2",
"symbols": [
"Server.ServeConn",
"serverConn.goAway"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/54658"
},
{
"type": "FIX",
"url": "https://go.dev/cl/428735"
}
],
"credits": [
{
"name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0969"
}
}
}
@@ -0,0 +1,722 @@
#####
#
$ govulncheck -C ${moddir}/vuln -json ./...
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"go_version": "go1.18",
"scan_level": "symbol"
}
}
{
"progress": {
"message": "Scanning your code and P packages across M dependent modules for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2022-0969",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-09-12T20:23:06Z",
"aliases": [
"CVE-2022-27664",
"GHSA-69cg-p879-7622"
],
"details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.6"
},
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"ListenAndServe",
"ListenAndServeTLS",
"Serve",
"ServeTLS",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.Serve",
"Server.ServeTLS",
"http2Server.ServeConn",
"http2serverConn.goAway"
]
}
]
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220906165146-f3363e06e74c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/http2",
"symbols": [
"Server.ServeConn",
"serverConn.goAway"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/54658"
},
{
"type": "FIX",
"url": "https://go.dev/cl/428735"
}
],
"credits": [
{
"name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0969"
}
}
}
{
"finding": {
"osv": "GO-2022-0969",
"fixed_version": "v1.18.6",
"trace": [
{
"module": "stdlib",
"version": "v1.18.0",
"package": "net/http"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0265",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-08-15T18:06:07Z",
"aliases": [
"CVE-2021-42248",
"CVE-2021-42836",
"GHSA-c9gm-7rfj-8w5h",
"GHSA-ppj4-34rq-v8j9"
],
"details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Get",
"parseObject",
"queryMatches"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/237"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/236"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0265"
}
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "Get",
"receiver": "Result",
"position": {
"filename": ".../gjson.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "golang.org/vuln",
"package": "golang.org/vuln",
"function": "main",
"position": {
"filename": ".../vuln.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0113",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-10-06T17:51:21Z",
"aliases": [
"CVE-2021-38561",
"GHSA-ppp9-7jff-5vj2"
],
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.7"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/language",
"symbols": [
"MatchStrings",
"MustParse",
"Parse",
"ParseAcceptLanguage"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/340830"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
}
],
"credits": [
{
"name": "Guido Vranken"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0113"
}
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0",
"package": "golang.org/x/text/language"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0",
"package": "golang.org/x/text/language",
"function": "Parse",
"position": {
"filename": ".../parse.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "golang.org/vuln",
"package": "golang.org/vuln",
"function": "main",
"position": {
"filename": ".../vuln.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0054",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-36067",
"GHSA-p64j-r5f4-pwwx"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Result.ForEach",
"unwrap"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/196"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0054"
}
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "ForEach",
"receiver": "Result",
"position": {
"filename": ".../gjson.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "modPretty",
"position": {
"filename": ".../gjson.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "execModifier",
"position": {
"filename": ".../gjson.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "Get",
"position": {
"filename": ".../gjson.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "Get",
"receiver": "Result",
"position": {
"filename": ".../gjson.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "golang.org/vuln",
"package": "golang.org/vuln",
"function": "main",
"position": {
"filename": ".../vuln.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2020-0015",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-14040",
"GHSA-5rcv-m4m3-hfh7"
],
"details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/encoding/unicode",
"symbols": [
"bomOverride.Transform",
"utf16Decoder.Transform"
]
},
{
"path": "golang.org/x/text/transform",
"symbols": [
"String"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/238238"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/39491"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
}
],
"credits": [
{
"name": "@abacabadabacaba and Anton Gyllenberg"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0015"
}
}
}
{
"finding": {
"osv": "GO-2020-0015",
"fixed_version": "v0.3.3",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0059",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-35380",
"GHSA-w942-gw6m-p62c"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.4"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Array",
"Result.Get",
"Result.Map",
"Result.Value",
"squash"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/192"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0059"
}
}
}
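Review bot: the OSV record for GO-2021-0059 at the end of this golden is emitted for github.com/tidwall/gjson@v1.6.5 even though its SEMVER range says `"fixed": "1.6.4"`, no `finding` message follows it, and the same ID never appears in the text-mode goldens for the `vuln` module that follow. If emitting an `osv` message for every database record that names a required module, affected version or not, is the intended JSON protocol behaviour, a comment at the top of this file (or in the protocol documentation) should state it, because a consumer that treats each `osv` message as "this vulnerability applies to me" will over-report; if it is not intended, the affected-range filter is being applied to findings but skipped for OSV emission. It is also worth a note for readers that each vulnerability here appears as up to three `finding` messages of increasing precision (module only; module plus `package`; full `trace` with `function` and `position`), so a consumer should key on the most specific one for a given `osv` rather than count messages.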
@@ -0,0 +1,172 @@
#####
# Test of basic govulncheck in source mode
$ govulncheck -C ${moddir}/vuln ./... --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0265
A maliciously crafted path can cause Get and other query functions to
consume excessive amounts of CPU and time.
More info: https://pkg.go.dev/vuln/GO-2021-0265
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.9.3
Example traces found:
#1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: .../vuln.go:<l>:<c>: vuln.main calls language.Parse
Vulnerability #3: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
More info: https://pkg.go.dev/vuln/GO-2021-0054
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.6.6
Example traces found:
#1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach
Your code is affected by 3 vulnerabilities from 2 modules.
This scan also found 0 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
#####
# Test of basic govulncheck in source mode with expanded traces
$ govulncheck -C ${moddir}/vuln -show=traces ./... --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0265
A maliciously crafted path can cause Get and other query functions to
consume excessive amounts of CPU and time.
More info: https://pkg.go.dev/vuln/GO-2021-0265
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.9.3
Example traces found:
#1: for function github.com/tidwall/gjson.Result.Get
.../vuln.go:<l>:<c>: golang.org/vuln.main
.../gjson.go:<l>:<c>: github.com/tidwall/gjson.Result.Get
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: for function golang.org/x/text/language.Parse
.../vuln.go:<l>:<c>: golang.org/vuln.main
.../parse.go:<l>:<c>: golang.org/x/text/language.Parse
Vulnerability #3: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
More info: https://pkg.go.dev/vuln/GO-2021-0054
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.6.6
Example traces found:
#1: for function github.com/tidwall/gjson.Result.ForEach
.../vuln.go:<l>:<c>: golang.org/vuln.main
.../gjson.go:<l>:<c>: github.com/tidwall/gjson.Result.Get
.../gjson.go:<l>:<c>: github.com/tidwall/gjson.Get
.../gjson.go:<l>:<c>: github.com/tidwall/gjson.execModifier
.../gjson.go:<l>:<c>: github.com/tidwall/gjson.modPretty
.../gjson.go:<l>:<c>: github.com/tidwall/gjson.Result.ForEach
Your code is affected by 3 vulnerabilities from 2 modules.
This scan also found 0 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
#####
# Test of basic govulncheck in source mode with the -show verbose flag
$ govulncheck -C ${moddir}/vuln -show verbose ./... --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0265
A maliciously crafted path can cause Get and other query functions to
consume excessive amounts of CPU and time.
More info: https://pkg.go.dev/vuln/GO-2021-0265
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.9.3
Example traces found:
#1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: .../vuln.go:<l>:<c>: vuln.main calls language.Parse
Vulnerability #3: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
More info: https://pkg.go.dev/vuln/GO-2021-0054
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.6.6
Example traces found:
#1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach
=== Package Results ===
No other vulnerabilities found.
=== Module Results ===
Vulnerability #1: GO-2022-0969
HTTP/2 server connections can hang forever waiting for a clean shutdown that
was preempted by a fatal error. This condition can be exploited by a
malicious client to cause a denial of service.
More info: https://pkg.go.dev/vuln/GO-2022-0969
Standard library
Found in: net/http@go1.18
Fixed in: net/http@go1.18.6
Vulnerability #2: GO-2020-0015
An attacker could provide a single byte to a UTF16 decoder instantiated with
UseBOM or ExpectBOM to trigger an infinite loop if the String function on
the Decoder is called, or the Decoder is passed to transform.String. If used
to parse user supplied input, this may be used as a denial of service
vector.
More info: https://pkg.go.dev/vuln/GO-2020-0015
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.3
Your code is affected by 3 vulnerabilities from 2 modules.
This scan also found 0 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
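Review bot: the `-show=traces` output prints each trace caller-first (`golang.org/vuln.main` at the top, `golang.org/x/text/language.Parse` last), whereas the JSON `trace` arrays in the golden above list the vulnerable symbol first and `main` last; both are defensible, but the reversal is easy to miss when comparing formats and the test comment should say that text traces are printed entry point to vulnerable symbol. The `-show verbose` case does confirm the summary arithmetic: the "2 vulnerabilities in modules you require" are GO-2022-0969 (stdlib `net/http`) and GO-2020-0015, which the JSON golden reports only at module level, i.e. neither of its affected packages is imported, so module-only is the expected precedence for golang.org/x/text@v0.3.0. Note also that the text renders the standard library as `net/http@go1.18` / `net/http@go1.18.6` while the JSON carries `"version": "v1.18.0"` / `"fixed_version": "v1.18.6"`; anyone diffing the two outputs needs to know stdlib versions are re-rendered as `goX.Y`.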
@@ -0,0 +1,14 @@
#####
# Test souce mode with no callstacks
$ govulncheck -C ${moddir}/informational -show=traces .
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
No vulnerabilities found.
Your code is affected by 0 vulnerabilities.
This scan also found 1 vulnerability in packages you import and 1 vulnerability
in modules you require, but your code doesn't appear to call these
vulnerabilities.
Use '-show verbose' for more details.
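Review bot: typo in the test description: "souce" should be "source". The comment should also spell out what the case is asserting: there is no `--> FAIL 3` suffix here, so with no symbol-level findings the exit status is 0 even though one imported package and one required module carry known vulnerabilities, which means CI that gates on the exit code alone will never surface informational results; and `-show=traces` adds nothing to the output when there are no call stacks, which is the behaviour this case pins down.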
@@ -0,0 +1,405 @@
#####
# Test for multiple call stacks in source mode
$ govulncheck -json -C ${moddir}/multientry .
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"go_version": "go1.18",
"scan_level": "symbol"
}
}
{
"progress": {
"message": "Scanning your code and P packages across M dependent modules for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2022-0969",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-09-12T20:23:06Z",
"aliases": [
"CVE-2022-27664",
"GHSA-69cg-p879-7622"
],
"details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.6"
},
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"ListenAndServe",
"ListenAndServeTLS",
"Serve",
"ServeTLS",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.Serve",
"Server.ServeTLS",
"http2Server.ServeConn",
"http2serverConn.goAway"
]
}
]
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220906165146-f3363e06e74c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/http2",
"symbols": [
"Server.ServeConn",
"serverConn.goAway"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/54658"
},
{
"type": "FIX",
"url": "https://go.dev/cl/428735"
}
],
"credits": [
{
"name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0969"
}
}
}
{
"finding": {
"osv": "GO-2022-0969",
"fixed_version": "v1.18.6",
"trace": [
{
"module": "stdlib",
"version": "v1.18.0",
"package": "net/http"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0113",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-10-06T17:51:21Z",
"aliases": [
"CVE-2021-38561",
"GHSA-ppp9-7jff-5vj2"
],
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.7"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/language",
"symbols": [
"MatchStrings",
"MustParse",
"Parse",
"ParseAcceptLanguage"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/340830"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
}
],
"credits": [
{
"name": "Guido Vranken"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0113"
}
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.5",
"package": "golang.org/x/text/language"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.5",
"package": "golang.org/x/text/language",
"function": "MustParse",
"position": {
"filename": ".../tags.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "golang.org/multientry",
"package": "golang.org/multientry",
"function": "foobar",
"position": {
"filename": ".../main.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "golang.org/multientry",
"package": "golang.org/multientry",
"function": "D",
"position": {
"filename": ".../main.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "golang.org/multientry",
"package": "golang.org/multientry",
"function": "main",
"position": {
"filename": ".../main.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.5",
"package": "golang.org/x/text/language",
"function": "Parse",
"position": {
"filename": ".../parse.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "golang.org/multientry",
"package": "golang.org/multientry",
"function": "C",
"position": {
"filename": ".../main.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "golang.org/multientry",
"package": "golang.org/multientry",
"function": "main",
"position": {
"filename": ".../main.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2020-0015",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-14040",
"GHSA-5rcv-m4m3-hfh7"
],
"details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/encoding/unicode",
"symbols": [
"bomOverride.Transform",
"utf16Decoder.Transform"
]
},
{
"path": "golang.org/x/text/transform",
"symbols": [
"String"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/238238"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/39491"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
}
],
"credits": [
{
"name": "@abacabadabacaba and Anton Gyllenberg"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0015"
}
}
}
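Review bot: the two GO-2021-0113 traces (`MustParse` reached via `main` to `D` to `foobar`, and `Parse` via `main` to `C`) are exactly what a "multiple call stacks" fixture should exercise, but the `finding` for GO-2022-0969 in this golden is package-level (`"package": "net/http"` with no `function`), while the text golden for the same module below reports it under Module Results and summarises "0 vulnerabilities in packages you import and 1 vulnerability in modules you require". Either the text handler intentionally folds standard-library package-level findings into the module bucket, in which case that rule belongs in a comment next to the handler and in this test's header, or the two formats disagree on the count for the same scan; please clarify which. Minor: `scanner_version` is scrubbed to `v0.0.0-00000000000-20000101010101`, which is not a well-formed pseudo-version (the 14-digit timestamp and the 12-hex revision are in the wrong order and the "revision" is 11 characters); harmless as a placeholder, but a consumer that validates the field will reject it, so a comment marking it as scrubbed would help.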
@@ -0,0 +1,72 @@
#####
# Test for multiple call stacks in source mode
$ govulncheck -C ${moddir}/multientry . --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.5
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: .../main.go:<l>:<c>: multientry.foobar calls language.MustParse
#2: .../main.go:<l>:<c>: multientry.C calls language.Parse
Your code is affected by 1 vulnerability from 1 module.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
Use '-show verbose' for more details.
#####
# Test for multple call stacks in source mode with expanded traces
$ govulncheck -show verbose -C ${moddir}/multientry -show=traces ./... --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.5
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: for function golang.org/x/text/language.MustParse
.../main.go:<l>:<c>: golang.org/multientry.main
.../main.go:<l>:<c>: golang.org/multientry.D
.../main.go:<l>:<c>: golang.org/multientry.foobar
.../tags.go:<l>:<c>: golang.org/x/text/language.MustParse
#2: for function golang.org/x/text/language.Parse
.../main.go:<l>:<c>: golang.org/multientry.main
.../main.go:<l>:<c>: golang.org/multientry.C
.../parse.go:<l>:<c>: golang.org/x/text/language.Parse
=== Package Results ===
No other vulnerabilities found.
=== Module Results ===
Vulnerability #1: GO-2022-0969
HTTP/2 server connections can hang forever waiting for a clean shutdown that
was preempted by a fatal error. This condition can be exploited by a
malicious client to cause a denial of service.
More info: https://pkg.go.dev/vuln/GO-2022-0969
Standard library
Found in: net/http@go1.18
Fixed in: net/http@go1.18.6
Your code is affected by 1 vulnerability from 1 module.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
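Review bot: typo in the second description: "multple" should be "multiple". The description also undersells the case: the command combines `-show verbose` with `-show=traces` and switches the pattern from `.` to `./...`, so the golden is simultaneously checking that a repeated `-show` flag accumulates (both the Package Results / Module Results sections and the expanded traces appear, and the trailing "Use '-show verbose'" hint is dropped) and that the module pattern change does not alter the findings. Say so in the comment, or split it into two cases so a regression in one mode is not attributed to the other.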
@@ -0,0 +1,25 @@
#####
# Test of source mode on a module with a replace directive.
$ govulncheck -C ${moddir}/replace ./... --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: .../main.go:<l>:<c>: replace.main calls language.Parse
Your code is affected by 1 vulnerability from 1 module.
This scan also found 0 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
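Review bot: the header says this module has a replace directive but not what it replaces or what observable effect is expected; the golden reports `golang.org/x/text@v0.3.0` exactly as the non-replaced `vuln` module does, so nothing in the output proves the replacement was followed (for example the version it resolves to, or a finding that exists only in the replacement). Add a sentence naming the replace target and what would change in this output if it were ignored; otherwise the case can pass for the wrong reason.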
@@ -0,0 +1,47 @@
#####
# Test finding stdlib vulnerability in source mode
$ govulncheck -C ${moddir}/stdlib . --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2022-0969
HTTP/2 server connections can hang forever waiting for a clean shutdown that
was preempted by a fatal error. This condition can be exploited by a
malicious client to cause a denial of service.
More info: https://pkg.go.dev/vuln/GO-2022-0969
Standard library
Found in: net/http@go1.18
Fixed in: net/http@go1.18.6
Example traces found:
#1: .../stdlib.go:<l>:<c>: stdlib.main calls http.ListenAndServe
Your code is affected by 1 vulnerability from the Go standard library.
This scan found no other vulnerabilities in packages you import or modules you
require.
Use '-show verbose' for more details.
#####
# Test finding stdlib vulnerability in source mode with expanded traces
$ govulncheck -C ${moddir}/stdlib -show=traces . --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2022-0969
HTTP/2 server connections can hang forever waiting for a clean shutdown that
was preempted by a fatal error. This condition can be exploited by a
malicious client to cause a denial of service.
More info: https://pkg.go.dev/vuln/GO-2022-0969
Standard library
Found in: net/http@go1.18
Fixed in: net/http@go1.18.6
Example traces found:
#1: for function net/http.ListenAndServe
.../stdlib.go:<l>:<c>: golang.org/stdlib.main
.../server.go:<l>:<c>: net/http.ListenAndServe
Your code is affected by 1 vulnerability from the Go standard library.
This scan found no other vulnerabilities in packages you import or modules you
require.
Use '-show verbose' for more details.
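Review bot: both cases are pinned to the toolchain: `Found in: net/http@go1.18` is only true because the harness runs with a go1.18 build configuration (the JSON goldens carry `"go_version": "go1.18"`), and GO-2022-0969's affected ranges end at 1.18.6 and 1.19.1, so under a patched toolchain the symbol result disappears and the golden fails with nothing pointing at the cause. A comment here stating that the Go version is fixed by the harness would save the next person a debugging session. The trace itself (`golang.org/stdlib.main` calling `net/http.ListenAndServe`) is the minimal stdlib reachability case and reads correctly.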
@@ -0,0 +1,51 @@
#####
# Test govulncheck runs on the subdirectory of a module
$ govulncheck -C ${moddir}/vuln/subdir . --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: .../subdir.go:<l>:<c>: subdir.Foo calls language.Parse
Your code is affected by 1 vulnerability from 1 module.
This scan also found 0 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
#####
# Test govulncheck runs on the subdirectory of a module
$ govulncheck -C ${moddir}/vuln/subdir -show=traces . --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: for function golang.org/x/text/language.Parse
.../subdir.go:<l>:<c>: golang.org/vuln/subdir.Foo
.../parse.go:<l>:<c>: golang.org/x/text/language.Parse
Your code is affected by 1 vulnerability from 1 module.
This scan also found 0 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
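Review bot: the two cases carry the identical description "Test govulncheck runs on the subdirectory of a module" although the second adds `-show=traces`; give the second its own description. The output also shows that the root of the trace is the exported function `subdir.Foo` rather than `main`, i.e. the analysis treats exported functions of a non-main package as entry points; that is the reason a library package in a subdirectory gets a symbol-level result at all and is worth stating in the comment.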
@@ -0,0 +1,653 @@
#####
#
$ govulncheck -C ${moddir}/vendored -json ./...
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"go_version": "go1.18",
"scan_level": "symbol"
}
}
{
"progress": {
"message": "Scanning your code and P packages across M dependent modules for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2022-0969",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-09-12T20:23:06Z",
"aliases": [
"CVE-2022-27664",
"GHSA-69cg-p879-7622"
],
"details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.6"
},
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"ListenAndServe",
"ListenAndServeTLS",
"Serve",
"ServeTLS",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.Serve",
"Server.ServeTLS",
"http2Server.ServeConn",
"http2serverConn.goAway"
]
}
]
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220906165146-f3363e06e74c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/http2",
"symbols": [
"Server.ServeConn",
"serverConn.goAway"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/54658"
},
{
"type": "FIX",
"url": "https://go.dev/cl/428735"
}
],
"credits": [
{
"name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0969"
}
}
}
{
"finding": {
"osv": "GO-2022-0969",
"fixed_version": "v1.18.6",
"trace": [
{
"module": "stdlib",
"version": "v1.18.0",
"package": "net/http"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0265",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-08-15T18:06:07Z",
"aliases": [
"CVE-2021-42248",
"CVE-2021-42836",
"GHSA-c9gm-7rfj-8w5h",
"GHSA-ppj4-34rq-v8j9"
],
"details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Get",
"parseObject",
"queryMatches"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/237"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/236"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0265"
}
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0265",
"fixed_version": "v1.9.3",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "Get",
"receiver": "Result",
"position": {
"filename": ".../gjson.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "private.com/privateuser/fakemod",
"version": "v1.0.0",
"package": "private.com/privateuser/fakemod",
"function": "Leave",
"position": {
"filename": ".../mod.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "golang.org/vendored",
"package": "golang.org/vendored",
"function": "main",
"position": {
"filename": ".../vendored.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0113",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-10-06T17:51:21Z",
"aliases": [
"CVE-2021-38561",
"GHSA-ppp9-7jff-5vj2"
],
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.7"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/language",
"symbols": [
"MatchStrings",
"MustParse",
"Parse",
"ParseAcceptLanguage"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/340830"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
}
],
"credits": [
{
"name": "Guido Vranken"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0113"
}
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0",
"package": "golang.org/x/text/language"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0",
"package": "golang.org/x/text/language",
"function": "Parse",
"position": {
"filename": ".../language.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
},
{
"module": "golang.org/vendored",
"package": "golang.org/vendored",
"function": "main",
"position": {
"filename": ".../vendored.go",
"offset": <o>,
"line": <l>,
"column": <c>
}
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0054",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-36067",
"GHSA-p64j-r5f4-pwwx"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Result.ForEach",
"unwrap"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/196"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0054"
}
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2020-0015",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-14040",
"GHSA-5rcv-m4m3-hfh7"
],
"details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/encoding/unicode",
"symbols": [
"bomOverride.Transform",
"utf16Decoder.Transform"
]
},
{
"path": "golang.org/x/text/transform",
"symbols": [
"String"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/238238"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/39491"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
}
],
"credits": [
{
"name": "@abacabadabacaba and Anton Gyllenberg"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0015"
}
}
}
{
"finding": {
"osv": "GO-2020-0015",
"fixed_version": "v0.3.3",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0059",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-35380",
"GHSA-w942-gw6m-p62c"
],
"details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/tidwall/gjson",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.4"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/tidwall/gjson",
"symbols": [
"Get",
"GetBytes",
"GetMany",
"GetManyBytes",
"Result.Array",
"Result.Get",
"Result.Map",
"Result.Value",
"squash"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/192"
}
],
"credits": [
{
"name": "@toptotu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0059"
}
}
}
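Review bot: the OSV record for GO-2021-0059 that closes this hunk is not followed by any finding record, and the text rendering of the same vendored scan later in this commit does not list GO-2021-0059 at all. Its fixed version (1.6.4) is below the gjson v1.6.5 that every trace in this file reports, so this is an entry for a vulnerability that does not affect the scanned module. If the JSON protocol deliberately emits every OSV fetched for a required module regardless of version, say so in the test header, otherwise a reader will take the dangling OSV for a missing finding.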
@@ -0,0 +1,66 @@
#####
# Vendored directory w text output
$ govulncheck -C ${moddir}/vendored -show verbose ./... --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0265
A maliciously crafted path can cause Get and other query functions to
consume excessive amounts of CPU and time.
More info: https://pkg.go.dev/vuln/GO-2021-0265
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.9.3
Example traces found:
#1: .../vendored.go:<l>:<c>: vendored.main calls fakemod.Leave, which calls gjson.Result.Get
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: .../vendored.go:<l>:<c>: vendored.main calls language.Parse
=== Package Results ===
Vulnerability #1: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
More info: https://pkg.go.dev/vuln/GO-2021-0054
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.6.6
=== Module Results ===
Vulnerability #1: GO-2022-0969
HTTP/2 server connections can hang forever waiting for a clean shutdown that
was preempted by a fatal error. This condition can be exploited by a
malicious client to cause a denial of service.
More info: https://pkg.go.dev/vuln/GO-2022-0969
Standard library
Found in: net/http@go1.18
Fixed in: net/http@go1.18.6
Vulnerability #2: GO-2020-0015
An attacker could provide a single byte to a UTF16 decoder instantiated with
UseBOM or ExpectBOM to trigger an infinite loop if the String function on
the Decoder is called, or the Decoder is passed to transform.String. If used
to parse user supplied input, this may be used as a denial of service
vector.
More info: https://pkg.go.dev/vuln/GO-2020-0015
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.3
Your code is affected by 2 vulnerabilities from 2 modules.
This scan also found 1 vulnerability in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
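Review bot: the header comment "Vendored directory w text output" does not say what the vendor layout is expected to change or preserve, and the expected output is indistinguishable from an ordinary module scan (trace #1 still resolves gjson by module version, github.com/tidwall/gjson@v1.6.5, rather than by a vendored path). State the invariant being tested in the header so that a regression in vendor handling would be recognisable from the golden output, and spell out "with".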
@@ -0,0 +1,23 @@
#####
# Test of govulncheck call analysis for vulns with no package info available.
# All symbols of the module are vulnerable.
$ govulncheck -C ${moddir}/wholemodvuln ./... --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2022-0956
Excessive resource consumption in gopkg.in/yaml.v2
More info: https://pkg.go.dev/vuln/GO-2022-0956
Module: gopkg.in/yaml.v2
Found in: gopkg.in/yaml.v2@v2.2.3
Fixed in: gopkg.in/yaml.v2@v2.2.4
Example traces found:
#1: .../whole_mod_vuln.go:<l>:<c>: wholemodvuln.main calls yaml.Marshal
#2: .../whole_mod_vuln.go:<l>:<c>: wholemodvuln.init calls yaml.init
Your code is affected by 1 vulnerability from 1 module.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
Use '-show verbose' for more details.
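Review bot: trace #2, "wholemodvuln.init calls yaml.init", shows that when an OSV entry lists no symbols (GO-2022-0956 here) merely importing the module counts as a call into it through package initialisation. That matches the header's "All symbols of the module are vulnerable", but the header should say explicitly that init-to-init edges are expected findings; as written, the second trace reads like a false positive that a later change could "fix" by filtering init functions and silently weaken whole-module detection.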
@@ -0,0 +1,297 @@
#####
# Test that findings with callstacks or packages are not emitted in module mode
$ govulncheck -json -scan module -C ${moddir}/multientry
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"go_version": "go1.18",
"scan_level": "module"
}
}
{
"progress": {
"message": "Scanning your code across 2 dependent modules for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2022-0969",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-09-12T20:23:06Z",
"aliases": [
"CVE-2022-27664",
"GHSA-69cg-p879-7622"
],
"details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.6"
},
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"ListenAndServe",
"ListenAndServeTLS",
"Serve",
"ServeTLS",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.Serve",
"Server.ServeTLS",
"http2Server.ServeConn",
"http2serverConn.goAway"
]
}
]
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220906165146-f3363e06e74c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/http2",
"symbols": [
"Server.ServeConn",
"serverConn.goAway"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/54658"
},
{
"type": "FIX",
"url": "https://go.dev/cl/428735"
}
],
"credits": [
{
"name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0969"
}
}
}
{
"finding": {
"osv": "GO-2022-0969",
"fixed_version": "v1.18.6",
"trace": [
{
"module": "stdlib",
"version": "v1.18.0",
"package": "net/http"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0113",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-10-06T17:51:21Z",
"aliases": [
"CVE-2021-38561",
"GHSA-ppp9-7jff-5vj2"
],
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.7"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/language",
"symbols": [
"MatchStrings",
"MustParse",
"Parse",
"ParseAcceptLanguage"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/340830"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
}
],
"credits": [
{
"name": "Guido Vranken"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0113"
}
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.5"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2020-0015",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-14040",
"GHSA-5rcv-m4m3-hfh7"
],
"details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/encoding/unicode",
"symbols": [
"bomOverride.Transform",
"utf16Decoder.Transform"
]
},
{
"path": "golang.org/x/text/transform",
"symbols": [
"String"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/238238"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/39491"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
}
],
"credits": [
{
"name": "@abacabadabacaba and Anton Gyllenberg"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0015"
}
}
}
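Review bot: the header says findings with packages are not emitted in module mode, yet the first finding in this hunk (GO-2022-0969) carries "package": "net/http" alongside "module": "stdlib". If the standard library is an intentional exception because "stdlib" is not a meaningful module for users (the text output for the same scan renders it as "Found in: net/http@go1.18"), the header should call that out; otherwise the finding shape contradicts the test's own stated expectation. The trailing OSV for GO-2020-0015 has no finding (x/text v0.3.5 is past its fixed version 0.3.3), which is consistent with OSVs being emitted per required module rather than per finding.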
@@ -0,0 +1,58 @@
#####
# Testing that govulncheck doesn't mention calls when it doesn't
# have callstack information
$ govulncheck -scan module -C ${moddir}/multientry --> FAIL 3
Scanning your code across 2 dependent modules for known vulnerabilities...
=== Module Results ===
Vulnerability #1: GO-2022-0969
HTTP/2 server connections can hang forever waiting for a clean shutdown that
was preempted by a fatal error. This condition can be exploited by a
malicious client to cause a denial of service.
More info: https://pkg.go.dev/vuln/GO-2022-0969
Standard library
Found in: net/http@go1.18
Fixed in: net/http@go1.18.6
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.5
Fixed in: golang.org/x/text@v0.3.7
Your code may be affected by 2 vulnerabilities.
Use '-scan symbol' for more fine grained vulnerability detection.
#####
# -show verbose flag should only show module results with scan level module
$ govulncheck -scan module -show verbose -C ${moddir}/multientry --> FAIL 3
Scanning your code across 2 dependent modules for known vulnerabilities...
=== Module Results ===
Vulnerability #1: GO-2022-0969
HTTP/2 server connections can hang forever waiting for a clean shutdown that
was preempted by a fatal error. This condition can be exploited by a
malicious client to cause a denial of service.
More info: https://pkg.go.dev/vuln/GO-2022-0969
Standard library
Found in: net/http@go1.18
Fixed in: net/http@go1.18.6
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.5
Fixed in: golang.org/x/text@v0.3.7
Your code may be affected by 2 vulnerabilities.
Use '-scan symbol' for more fine grained vulnerability detection.
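Review bot: the two expected outputs in this file are byte-identical, so the second case only demonstrates that -show verbose adds nothing at scan level module; if that is the intended behaviour, say so in its header comment ("output must equal the non-verbose run"), otherwise the test will keep passing even if verbose mode starts leaking package or symbol results. Minor: "fine grained" in the closing hint should be hyphenated ("fine-grained") in the code that prints it.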
@@ -0,0 +1,310 @@
#####
# Test that findings with callstacks are not emitted in package mode
$ govulncheck -json -scan package -C ${moddir}/multientry .
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"go_version": "go1.18",
"scan_level": "package"
}
}
{
"progress": {
"message": "Scanning your code and P packages across M dependent modules for known vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2022-0969",
"modified": "2023-04-03T15:57:51Z",
"published": "2022-09-12T20:23:06Z",
"aliases": [
"CVE-2022-27664",
"GHSA-69cg-p879-7622"
],
"details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.6"
},
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"ListenAndServe",
"ListenAndServeTLS",
"Serve",
"ServeTLS",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.Serve",
"Server.ServeTLS",
"http2Server.ServeConn",
"http2serverConn.goAway"
]
}
]
}
},
{
"package": {
"name": "golang.org/x/net",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220906165146-f3363e06e74c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/net/http2",
"symbols": [
"Server.ServeConn",
"serverConn.goAway"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/54658"
},
{
"type": "FIX",
"url": "https://go.dev/cl/428735"
}
],
"credits": [
{
"name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0969"
}
}
}
{
"finding": {
"osv": "GO-2022-0969",
"fixed_version": "v1.18.6",
"trace": [
{
"module": "stdlib",
"version": "v1.18.0",
"package": "net/http"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0113",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-10-06T17:51:21Z",
"aliases": [
"CVE-2021-38561",
"GHSA-ppp9-7jff-5vj2"
],
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.7"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/language",
"symbols": [
"MatchStrings",
"MustParse",
"Parse",
"ParseAcceptLanguage"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/340830"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
}
],
"credits": [
{
"name": "Guido Vranken"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0113"
}
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.5",
"package": "golang.org/x/text/language"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2020-0015",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-14040",
"GHSA-5rcv-m4m3-hfh7"
],
"details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/encoding/unicode",
"symbols": [
"bomOverride.Transform",
"utf16Decoder.Transform"
]
},
{
"path": "golang.org/x/text/transform",
"symbols": [
"String"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/238238"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/39491"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
}
],
"credits": [
{
"name": "@abacabadabacaba and Anton Gyllenberg"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0015"
}
}
}
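Review bot: the -json invocation here (and the module-mode one earlier in this commit) carries no "--> FAIL 3" marker, while every text-mode invocation for the same directory does, even though both report the same vulnerabilities. If that reflects -json always exiting 0 so that the consumer, not the process exit code, decides what is a failure, a one-line comment in the header would make the expectation explicit; CI users relying on the exit code for JSON runs would otherwise be surprised.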
@@ -0,0 +1,53 @@
#####
# Testing that govulncheck doesn't mention calls when it doesn't have the relevant info
$ govulncheck -scan package -C ${moddir}/multientry . --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Package Results ===
Vulnerability #1: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.5
Fixed in: golang.org/x/text@v0.3.7
Your code may be affected by 1 vulnerability.
This scan also found 1 vulnerability in modules you require.
Use '-scan symbol' for more fine grained vulnerability detection and '-show
verbose' for more details.
#####
# Test for package level scan with the -show verbose flag
$ govulncheck -show verbose -scan package -C ${moddir}/multientry . --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Package Results ===
Vulnerability #1: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.5
Fixed in: golang.org/x/text@v0.3.7
=== Module Results ===
Vulnerability #1: GO-2022-0969
HTTP/2 server connections can hang forever waiting for a clean shutdown that
was preempted by a fatal error. This condition can be exploited by a
malicious client to cause a denial of service.
More info: https://pkg.go.dev/vuln/GO-2022-0969
Standard library
Found in: net/http@go1.18
Fixed in: net/http@go1.18.6
Your code may be affected by 1 vulnerability.
This scan also found 1 vulnerability in modules you require.
Use '-scan symbol' for more fine grained vulnerability detection.
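Review bot: in the first expected output the line wrapper splits the quoted flag name across lines ("'-show" at the end of one line, "verbose'" at the start of the next), which makes the hint hard to copy and impossible to grep for as a unit. The wrapping code should treat a quoted flag as unbreakable (or wrap before the quote), and the golden output here should be updated to match.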
@@ -0,0 +1,6 @@
#####
# Test message when there are no packages matching the provided pattern (#59623).
$ govulncheck -C ${moddir}/vuln pkg/no-govulncheck/...
No packages matching the provided pattern.
No vulnerabilities found.
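Review bot: printing "No vulnerabilities found." immediately after "No packages matching the provided pattern." gives a false sense of safety: nothing was scanned, but a log reader or a CI job that greps for the success line will treat this as a clean run. Consider either exiting non-zero on an empty pattern match or suppressing the "No vulnerabilities found." line when zero packages were analysed, and adjust this golden output accordingly.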
@@ -0,0 +1,46 @@
#####
# Test of govulncheck help output
$ govulncheck -h
Govulncheck reports known vulnerabilities in dependencies.
Usage:
govulncheck [flags] [patterns]
govulncheck -mode=binary [flags] [binary]
-C dir
change to dir before running govulncheck
-db url
vulnerability database url (default "https://vuln.go.dev")
-json
output JSON
-mode string
supports source or binary (default "source")
-scan string
set the scanning level desired, one of module, package or symbol (default "symbol")
-show list
enable display of additional information specified by the comma separated list
The supported values are 'traces','color', 'version', and 'verbose'
-tags list
comma-separated list of build tags
-test
analyze test files (only valid for source mode, default false)
-version
print the version information
For details, see https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck.
#####
# Not scanning anything.
$ govulncheck
No vulnerabilities found.
#####
# Reporting version without scanning anything.
$ govulncheck -version
Go: go1.18
Scanner: govulncheck@v1.0.0
DB: testdata/vulndb-v1
DB updated: 2023-04-03 15:57:51 +0000 UTC
No vulnerabilities found.
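Review bot: both the bare "govulncheck" run and "govulncheck -version" end with "No vulnerabilities found." although neither scanned anything; the same false-assurance concern applies as for the empty-pattern case, and -version in particular should print only version information. Also, in the -show help text "'traces','color', 'version', and 'verbose'" is missing a space after the first comma, and "Scanner: govulncheck@v1.0.0" here differs from the "scanner_version": "v0.0.0-00000000000-20000101010101" the JSON config emits for the same test binary; if both are harness substitutions, pick one placeholder.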
@@ -0,0 +1 @@
{"schema_version":"1.3.1","id":"GO-2020-0015","modified":"2023-04-03T15:57:51Z","published":"2021-04-14T20:04:52Z","aliases":["CVE-2020-14040","GHSA-5rcv-m4m3-hfh7"],"details":"An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.","affected":[{"package":{"name":"golang.org/x/text","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.3.3"}]}],"ecosystem_specific":{"imports":[{"path":"golang.org/x/text/encoding/unicode","symbols":["bomOverride.Transform","utf16Decoder.Transform"]},{"path":"golang.org/x/text/transform","symbols":["String"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/238238"},{"type":"FIX","url":"https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"},{"type":"REPORT","url":"https://go.dev/issue/39491"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"}],"credits":[{"name":"@abacabadabacaba and Anton Gyllenberg"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2020-0015"}}
@@ -0,0 +1 @@
{"schema_version":"1.3.1","id":"GO-2021-0054","modified":"2023-04-03T15:57:51Z","published":"2021-04-14T20:04:52Z","aliases":["CVE-2020-36067","GHSA-p64j-r5f4-pwwx"],"details":"Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.","affected":[{"package":{"name":"github.com/tidwall/gjson","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.6.6"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/tidwall/gjson","symbols":["Result.ForEach","unwrap"]}]}}],"references":[{"type":"FIX","url":"https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b"},{"type":"WEB","url":"https://github.com/tidwall/gjson/issues/196"}],"credits":[{"name":"@toptotu"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0054"}}
@@ -0,0 +1 @@
{"schema_version":"1.3.1","id":"GO-2021-0059","modified":"2023-04-03T15:57:51Z","published":"2021-04-14T20:04:52Z","aliases":["CVE-2020-35380","GHSA-w942-gw6m-p62c"],"details":"Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.","affected":[{"package":{"name":"github.com/tidwall/gjson","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.6.4"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/tidwall/gjson","symbols":["Get","GetBytes","GetMany","GetManyBytes","Result.Array","Result.Get","Result.Map","Result.Value","squash"]}]}}],"references":[{"type":"FIX","url":"https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc"},{"type":"WEB","url":"https://github.com/tidwall/gjson/issues/192"}],"credits":[{"name":"@toptotu"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0059"}}
@@ -0,0 +1 @@
{"schema_version":"1.3.1","id":"GO-2021-0113","modified":"2023-04-03T15:57:51Z","published":"2021-10-06T17:51:21Z","aliases":["CVE-2021-38561","GHSA-ppp9-7jff-5vj2"],"details":"Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.","affected":[{"package":{"name":"golang.org/x/text","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.3.7"}]}],"ecosystem_specific":{"imports":[{"path":"golang.org/x/text/language","symbols":["MatchStrings","MustParse","Parse","ParseAcceptLanguage"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/340830"},{"type":"FIX","url":"https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"}],"credits":[{"name":"Guido Vranken"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0113"}}
@@ -0,0 +1 @@
{"schema_version":"1.3.1","id":"GO-2021-0265","modified":"2023-04-03T15:57:51Z","published":"2022-08-15T18:06:07Z","aliases":["CVE-2021-42248","CVE-2021-42836","GHSA-c9gm-7rfj-8w5h","GHSA-ppj4-34rq-v8j9"],"details":"A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.","affected":[{"package":{"name":"github.com/tidwall/gjson","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.9.3"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/tidwall/gjson","symbols":["Get","GetBytes","GetMany","GetManyBytes","Result.Get","parseObject","queryMatches"]}]}}],"references":[{"type":"FIX","url":"https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"},{"type":"WEB","url":"https://github.com/tidwall/gjson/issues/237"},{"type":"WEB","url":"https://github.com/tidwall/gjson/issues/236"},{"type":"WEB","url":"https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0265"}}
@@ -0,0 +1,46 @@
{
"schema_version": "1.3.1",
"id": "GO-2022-0956",
"modified": "0001-01-01T00:00:00Z",
"published": "2022-08-29T22:15:46Z",
"aliases": [
"CVE-2022-3064",
"GHSA-6q6q-88xp-6f2r"
],
"summary": "Excessive resource consumption in gopkg.in/yaml.v2",
"details": "Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.",
"affected": [
{
"package": {
"name": "gopkg.in/yaml.v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.4"
}
]
}
]
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5"
},
{
"type": "WEB",
"url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0956"
}
}
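Review bot: this entry's "modified" is the zero time "0001-01-01T00:00:00Z", which propagates into the module and vulnerability indexes of this commit as the only entry without a real timestamp; any client logic that compares entry timestamps against the database's "modified" of 2023-04-03T15:57:51Z will treat GO-2022-0956 as older than everything, which is probably not what the fixture intends. Give it a real timestamp (and, as a style point, either pretty-print the sibling entries or minify this one so the fixture directory has one format).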
@@ -0,0 +1 @@
{"schema_version":"1.3.1","id":"GO-2022-0969","modified":"2023-04-03T15:57:51Z","published":"2022-09-12T20:23:06Z","aliases":["CVE-2022-27664","GHSA-69cg-p879-7622"],"details":"HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.","affected":[{"package":{"name":"stdlib","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.18.6"},{"introduced":"1.19.0"},{"fixed":"1.19.1"}]}],"ecosystem_specific":{"imports":[{"path":"net/http","symbols":["ListenAndServe","ListenAndServeTLS","Serve","ServeTLS","Server.ListenAndServe","Server.ListenAndServeTLS","Server.Serve","Server.ServeTLS","http2Server.ServeConn","http2serverConn.goAway"]}]}},{"package":{"name":"golang.org/x/net","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20220906165146-f3363e06e74c"}]}],"ecosystem_specific":{"imports":[{"path":"golang.org/x/net/http2","symbols":["Server.ServeConn","serverConn.goAway"]}]}}],"references":[{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"},{"type":"REPORT","url":"https://go.dev/issue/54658"},{"type":"FIX","url":"https://go.dev/cl/428735"}],"credits":[{"name":"Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0969"}}
@@ -0,0 +1 @@
{"modified":"2023-04-03T15:57:51Z"}
@@ -0,0 +1 @@
[{"path":"github.com/tidwall/gjson","vulns":[{"id":"GO-2021-0054","modified":"2023-04-03T15:57:51Z","fixed":"1.6.6"},{"id":"GO-2021-0059","modified":"2023-04-03T15:57:51Z","fixed":"1.6.4"},{"id":"GO-2021-0265","modified":"2023-04-03T15:57:51Z","fixed":"1.9.3"}]},{"path":"golang.org/x/net","vulns":[{"id":"GO-2022-0969","modified":"2023-04-03T15:57:51Z","fixed":"0.0.0-20220906165146-f3363e06e74c"}]},{"path":"golang.org/x/text","vulns":[{"id":"GO-2020-0015","modified":"2023-04-03T15:57:51Z","fixed":"0.3.3"},{"id":"GO-2021-0113","modified":"2023-04-03T15:57:51Z","fixed":"0.3.7"}]},{"path":"stdlib","vulns":[{"id":"GO-2022-0969","modified":"2023-04-03T15:57:51Z","fixed":"1.19.1"}]},{"path":"gopkg.in/yaml.v2","vulns":[{"id":"GO-2022-0956","modified":"0001-01-01T00:00:00Z","fixed":"2.2.4"}]}]
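Review bot: the "stdlib" index entry records only "fixed":"1.19.1", but the GO-2022-0969 OSV entry has two ranges (fixed 1.18.6 and fixed 1.19.1), and the findings in this commit report "fixed_version": "v1.18.6" for a go1.18 build. If the index field is defined as the highest fixed version in any range, document that where the index format is described; a consumer that compares its Go version against the index value alone would wrongly conclude go1.18.6 is still affected.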
@@ -0,0 +1 @@
[{"id":"GO-2020-0015","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2020-14040","GHSA-5rcv-m4m3-hfh7"]},{"id":"GO-2021-0054","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2020-36067","GHSA-p64j-r5f4-pwwx"]},{"id":"GO-2021-0059","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2020-35380","GHSA-w942-gw6m-p62c"]},{"id":"GO-2021-0113","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2021-38561","GHSA-ppp9-7jff-5vj2"]},{"id":"GO-2021-0265","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2021-42248","CVE-2021-42836","GHSA-c9gm-7rfj-8w5h","GHSA-ppj4-34rq-v8j9"]},{"id":"GO-2022-0969","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2022-27664","GHSA-69cg-p879-7622"]},{"id":"GO-2022-0956","modified":"0001-01-01T00:00:00Z","aliases":["CVE-2022-3064","GHSA-6q6q-88xp-6f2r"]}]