whatcanGOwrong

go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/semver/affects.go

@@ -0,0 +1,94 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package semver
+
+import (
+	"sort"
+
+	"golang.org/x/vuln/internal/osv"
+)
+
+func Affects(a []osv.Range, v string) bool {
+	if len(a) == 0 {
+		// No ranges implies all versions are affected
+		return true
+	}
+	var semverRangePresent bool
+	for _, r := range a {
+		if r.Type != osv.RangeTypeSemver {
+			continue
+		}
+		semverRangePresent = true
+		if ContainsSemver(r, v) {
+			return true
+		}
+	}
+	// If there were no semver ranges present we
+	// assume that all semvers are affected, similarly
+	// to how to we assume all semvers are affected
+	// if there are no ranges at all.
+	return !semverRangePresent
+}
+
+// ContainsSemver checks if semver version v is in the
+// range encoded by ar. If ar is not a semver range,
+// returns false. A range is interpreted as a left-closed
+// and right-open interval.
+//
+// Assumes that
+//   - exactly one of Introduced or Fixed fields is set
+//   - ranges in ar are not overlapping
+//   - beginning of time is encoded with .Introduced="0"
+//   - no-fix is not an event, as opposed to being an
+//     event where Introduced="" and Fixed=""
+func ContainsSemver(ar osv.Range, v string) bool {
+	if ar.Type != osv.RangeTypeSemver {
+		return false
+	}
+	if len(ar.Events) == 0 {
+		return true
+	}
+
+	// Strip and then add the semver prefix so we can support bare versions,
+	// versions prefixed with 'v', and versions prefixed with 'go'.
+	v = canonicalizeSemverPrefix(v)
+
+	// Sort events by semver versions. Event for beginning
+	// of time, if present, always comes first.
+	sort.SliceStable(ar.Events, func(i, j int) bool {
+		e1 := ar.Events[i]
+		v1 := e1.Introduced
+		if v1 == "0" {
+			// -inf case.
+			return true
+		}
+		if e1.Fixed != "" {
+			v1 = e1.Fixed
+		}
+
+		e2 := ar.Events[j]
+		v2 := e2.Introduced
+		if v2 == "0" {
+			// -inf case.
+			return false
+		}
+		if e2.Fixed != "" {
+			v2 = e2.Fixed
+		}
+
+		return Less(v1, v2)
+	})
+
+	var affected bool
+	for _, e := range ar.Events {
+		if !affected && e.Introduced != "" {
+			affected = e.Introduced == "0" || !Less(v, e.Introduced)
+		} else if affected && e.Fixed != "" {
+			affected = Less(v, e.Fixed)
+		}
+	}
+
+	return affected
+}

go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/semver/affects_test.go

@@ -0,0 +1,137 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package semver
+
+import (
+	"testing"
+
+	"golang.org/x/vuln/internal/osv"
+)
+
+func TestAffectsSemver(t *testing.T) {
+	cases := []struct {
+		affects []osv.Range
+		version string
+		want    bool
+	}{
+		{
+			// empty []Range indicates everything is affected
+			affects: []osv.Range{},
+			version: "v0.0.0",
+			want:    true,
+		},
+		{
+			// []Range containing an empty SEMVER range also indicates
+			// everything is affected
+			affects: []osv.Range{{Type: osv.RangeTypeSemver}},
+			version: "v0.0.0",
+			want:    true,
+		},
+		{
+			// []Range containing a SEMVER range with only an "introduced":"0"
+			// also indicates everything is affected
+			affects: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "0"}}}},
+			version: "v0.0.0",
+			want:    true,
+		},
+		{
+			// v1.0.0 < v2.0.0
+			affects: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "0"}, {Fixed: "2.0.0"}}}},
+			version: "v1.0.0",
+			want:    true,
+		},
+		{
+			// v0.0.1 <= v1.0.0
+			affects: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "0.0.1"}}}},
+			version: "v1.0.0",
+			want:    true,
+		},
+		{
+			// v1.0.0 <= v1.0.0
+			affects: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "1.0.0"}}}},
+			version: "v1.0.0",
+			want:    true,
+		},
+		{
+			// v1.0.0 <= v1.0.0 < v2.0.0
+			affects: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "1.0.0"}, {Fixed: "2.0.0"}}}},
+			version: "v1.0.0",
+			want:    true,
+		},
+		{
+			// v0.0.1 <= v1.0.0 < v2.0.0
+			affects: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "0.0.1"}, {Fixed: "2.0.0"}}}},
+			version: "v1.0.0",
+			want:    true,
+		},
+		{
+			// v2.0.0 < v3.0.0
+			affects: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "1.0.0"}, {Fixed: "2.0.0"}}}},
+			version: "v3.0.0",
+			want:    false,
+		},
+		{
+			// Multiple ranges
+			affects: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "1.0.0"}, {Fixed: "2.0.0"}, {Introduced: "3.0.0"}}}},
+			version: "v3.0.0",
+			want:    true,
+		},
+		{
+			affects: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "0"}, {Fixed: "1.18.6"}, {Introduced: "1.19.0"}, {Fixed: "1.19.1"}}}},
+			version: "v1.18.6",
+			want:    false,
+		},
+		{
+			affects: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "0"}, {Introduced: "1.19.0"}, {Fixed: "1.19.1"}}}},
+			version: "v1.18.6",
+			want:    true,
+		},
+		{
+			// Multiple non-sorted ranges.
+			affects: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "1.19.0"}, {Fixed: "1.19.1"}, {Introduced: "0"}, {Fixed: "1.18.6"}}}},
+			version: "v1.18.1",
+			want:    true,
+		},
+		{
+			// Wrong type range
+			affects: []osv.Range{{Type: osv.RangeType("unspecified"), Events: []osv.RangeEvent{{Introduced: "3.0.0"}}}},
+			version: "v3.0.0",
+			want:    true,
+		},
+		{
+			// Semver ranges don't match
+			affects: []osv.Range{
+				{Type: osv.RangeType("unspecified"), Events: []osv.RangeEvent{{Introduced: "3.0.0"}}},
+				{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "4.0.0"}}},
+			},
+			version: "v3.0.0",
+			want:    false,
+		},
+		{
+			// Semver ranges do match
+			affects: []osv.Range{
+				{Type: osv.RangeType("unspecified"), Events: []osv.RangeEvent{{Introduced: "3.0.0"}}},
+				{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "3.0.0"}}},
+			},
+			version: "v3.0.0",
+			want:    true,
+		},
+		{
+			// Semver ranges match (go prefix)
+			affects: []osv.Range{
+				{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "3.0.0"}}},
+			},
+			version: "go3.0.1",
+			want:    true,
+		},
+	}
+
+	for _, c := range cases {
+		got := Affects(c.affects, c.version)
+		if c.want != got {
+			t.Errorf("%#v.AffectsSemver(%s): want %t, got %t", c.affects, c.version, c.want, got)
+		}
+	}
+}

go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/semver/fixed.go

@@ -0,0 +1,36 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package semver
+
+import "golang.org/x/vuln/internal/osv"
+
+// NonSupersededFix returns a fixed version from ranges
+// that is not superseded by any other fix or any other
+// introduction of a vulnerability. Returns "" in case
+// there is no such fixed version.
+func NonSupersededFix(ranges []osv.Range) string {
+	var latestFixed string
+	for _, r := range ranges {
+		if r.Type == "SEMVER" {
+			for _, e := range r.Events {
+				fixed := e.Fixed
+				if fixed != "" && Less(latestFixed, fixed) {
+					latestFixed = fixed
+				}
+			}
+
+			// If the vulnerability was re-introduced after the latest fix
+			// we found, there is no latest fix for this range.
+			for _, e := range r.Events {
+				introduced := e.Introduced
+				if introduced != "" && introduced != "0" && Less(latestFixed, introduced) {
+					latestFixed = ""
+					break
+				}
+			}
+		}
+	}
+	return latestFixed
+}

go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/semver/fixed_test.go

@@ -0,0 +1,140 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package semver
+
+import (
+	"testing"
+
+	"golang.org/x/vuln/internal/osv"
+)
+
+func TestNonSupersededFix(t *testing.T) {
+	tests := []struct {
+		name   string
+		ranges []osv.Range
+		want   string
+	}{
+		{
+			name:   "empty",
+			ranges: []osv.Range{},
+			want:   "",
+		},
+		{
+			name: "no fix",
+			ranges: []osv.Range{{
+				Type: osv.RangeTypeSemver,
+				Events: []osv.RangeEvent{
+					{
+						Introduced: "0",
+					},
+				},
+			}},
+			want: "",
+		},
+		{
+			name: "no latest fix",
+			ranges: []osv.Range{{
+				Type: osv.RangeTypeSemver,
+				Events: []osv.RangeEvent{
+					{Introduced: "0"},
+					{Fixed: "1.0.4"},
+					{Introduced: "1.1.2"},
+				},
+			}},
+			want: "",
+		},
+		{
+			name: "unsorted no latest fix",
+			ranges: []osv.Range{{
+				Type: osv.RangeTypeSemver,
+				Events: []osv.RangeEvent{
+					{Fixed: "1.0.4"},
+					{Introduced: "0"},
+					{Introduced: "1.1.2"},
+					{Introduced: "1.5.0"},
+					{Fixed: "1.1.4"},
+				},
+			}},
+			want: "",
+		},
+		{
+			name: "unsorted with fix",
+			ranges: []osv.Range{{
+				Type: osv.RangeTypeSemver,
+				Events: []osv.RangeEvent{
+					{
+						Fixed: "1.0.0",
+					},
+					{
+						Introduced: "0",
+					},
+					{
+						Fixed: "0.1.0",
+					},
+					{
+						Introduced: "0.5.0",
+					},
+				},
+			}},
+			want: "1.0.0",
+		},
+		{
+			name: "multiple ranges",
+			ranges: []osv.Range{{
+				Type: osv.RangeTypeSemver,
+				Events: []osv.RangeEvent{
+					{
+						Introduced: "0",
+					},
+					{
+						Fixed: "0.1.0",
+					},
+				},
+			},
+				{
+					Type: osv.RangeTypeSemver,
+					Events: []osv.RangeEvent{
+						{
+							Introduced: "0",
+						},
+						{
+							Fixed: "0.2.0",
+						},
+					},
+				}},
+			want: "0.2.0",
+		},
+		{
+			name: "pseudoversion",
+			ranges: []osv.Range{{
+				Type: osv.RangeTypeSemver,
+				Events: []osv.RangeEvent{
+					{
+						Introduced: "0",
+					},
+					{
+						Fixed: "0.0.0-20220824120805-abc",
+					},
+					{
+						Introduced: "0.0.0-20230824120805-efg",
+					},
+					{
+						Fixed: "0.0.0-20240824120805-hij",
+					},
+				},
+			}},
+			want: "0.0.0-20240824120805-hij",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			got := NonSupersededFix(test.ranges)
+			if got != test.want {
+				t.Errorf("want %q; got %q", test.want, got)
+			}
+		})
+	}
+}

go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/semver/semver.go

@@ -0,0 +1,95 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package semver provides shared utilities for manipulating
+// Go semantic versions.
+package semver
+
+import (
+	"regexp"
+	"strings"
+
+	"golang.org/x/mod/semver"
+)
+
+// addSemverPrefix adds a 'v' prefix to s if it isn't already prefixed
+// with 'v' or 'go'. This allows us to easily test go-style SEMVER
+// strings against normal SEMVER strings.
+func addSemverPrefix(s string) string {
+	if !strings.HasPrefix(s, "v") && !strings.HasPrefix(s, "go") {
+		return "v" + s
+	}
+	return s
+}
+
+// removeSemverPrefix removes the 'v' or 'go' prefixes from go-style
+// SEMVER strings, for usage in the public vulnerability format.
+func removeSemverPrefix(s string) string {
+	s = strings.TrimPrefix(s, "v")
+	s = strings.TrimPrefix(s, "go")
+	return s
+}
+
+// canonicalizeSemverPrefix turns a SEMVER string into the canonical
+// representation using the 'v' prefix, as used by the OSV format.
+// Input may be a bare SEMVER ("1.2.3"), Go prefixed SEMVER ("go1.2.3"),
+// or already canonical SEMVER ("v1.2.3").
+func canonicalizeSemverPrefix(s string) string {
+	return addSemverPrefix(removeSemverPrefix(s))
+}
+
+// Less returns whether v1 < v2, where v1 and v2 are
+// semver versions with either a "v", "go" or no prefix.
+func Less(v1, v2 string) bool {
+	return semver.Compare(canonicalizeSemverPrefix(v1), canonicalizeSemverPrefix(v2)) < 0
+}
+
+// Valid returns whether v is valid semver, allowing
+// either a "v", "go" or no prefix.
+func Valid(v string) bool {
+	return semver.IsValid(canonicalizeSemverPrefix(v))
+}
+
+var (
+	// Regexp for matching go tags. The groups are:
+	// 1  the major.minor version
+	// 2  the patch version, or empty if none
+	// 3  the entire prerelease, if present
+	// 4  the prerelease type ("beta" or "rc")
+	// 5  the prerelease number
+	tagRegexp = regexp.MustCompile(`^go(\d+\.\d+)(\.\d+|)((beta|rc|-pre)(\d+))?$`)
+)
+
+// This is a modified copy of pkgsite/internal/stdlib:VersionForTag.
+func GoTagToSemver(tag string) string {
+	if tag == "" {
+		return ""
+	}
+
+	tag = strings.Fields(tag)[0]
+	// Special cases for go1.
+	if tag == "go1" {
+		return "v1.0.0"
+	}
+	if tag == "go1.0" {
+		return ""
+	}
+	m := tagRegexp.FindStringSubmatch(tag)
+	if m == nil {
+		return ""
+	}
+	version := "v" + m[1]
+	if m[2] != "" {
+		version += m[2]
+	} else {
+		version += ".0"
+	}
+	if m[3] != "" {
+		if !strings.HasPrefix(m[4], "-") {
+			version += "-"
+		}
+		version += m[4] + "." + m[5]
+	}
+	return version
+}

go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/semver/semver_test.go

@@ -0,0 +1,40 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package semver
+
+import (
+	"testing"
+)
+
+func TestCanonicalize(t *testing.T) {
+	for _, test := range []struct {
+		v    string
+		want string
+	}{
+		{"v1.2.3", "v1.2.3"},
+		{"1.2.3", "v1.2.3"},
+		{"go1.2.3", "v1.2.3"},
+	} {
+		got := canonicalizeSemverPrefix(test.v)
+		if got != test.want {
+			t.Errorf("want %s; got %s", test.want, got)
+		}
+	}
+}
+
+func TestGoTagToSemver(t *testing.T) {
+	for _, test := range []struct {
+		v    string
+		want string
+	}{
+		{"go1.19", "v1.19.0"},
+		{"go1.20-pre4", "v1.20.0-pre.4"},
+	} {
+		got := GoTagToSemver(test.v)
+		if got != test.want {
+			t.Errorf("want %s; got %s", test.want, got)
+		}
+	}
+}