internal/vulncheck: support osv entries with no pkg info

These are interpreted as if all symbols of the module are vulnerable. Change-Id: I150d7a62bfdf76d1ab3de5c04c384d52484983c3 Reviewed-on: https://go-review.googlesource.com/c/vuln/+/556736 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Maceo Thompson <maceothompson@google.com>
2024-01-18 20:04:21 +00:00 · 2024-01-18 20:04:21 +00:00 · ad01a21008
--- a/cmd/govulncheck/testdata/modules/wholemodvuln/go.mod
+++ b/cmd/govulncheck/testdata/modules/wholemodvuln/go.mod
@ -0,0 +1,5 @@
+module golang.org/wholemodvuln
+
+go 1.18
+
+require gopkg.in/yaml.v2 v2.2.3
--- a/cmd/govulncheck/testdata/modules/wholemodvuln/go.sum
+++ b/cmd/govulncheck/testdata/modules/wholemodvuln/go.sum
@ -0,0 +1,4 @@
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.3 h1:fvjTMHxHEw/mxHbtzPi3JCcKXQRAnQTBRo6YCJSVHKI=
+gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
--- a/cmd/govulncheck/testdata/modules/wholemodvuln/whole_mod_vuln.go
+++ b/cmd/govulncheck/testdata/modules/wholemodvuln/whole_mod_vuln.go
@ -0,0 +1,9 @@
+package main
+
+import (
+	"gopkg.in/yaml.v2"
+)
+
+func main() {
+	_, _ = yaml.Marshal(nil)
+}
--- a/cmd/govulncheck/testdata/testfiles/source-call/source_wholemodvuln_text.ct
+++ b/cmd/govulncheck/testdata/testfiles/source-call/source_wholemodvuln_text.ct
@ -0,0 +1,34 @@
+#####
+# Test of govulncheck call analysis for vulns with no package info available.
+# All symbols of the module are vulnerable.
+$ govulncheck -C ${moddir}/wholemodvuln ./... --> FAIL 3
+Scanning your code and P packages across M dependent modules for known vulnerabilities...
+
+Vulnerability #1: GO-2022-0956
+    Excessive resource consumption in gopkg.in/yaml.v2
+  More info: https://pkg.go.dev/vuln/GO-2022-0956
+  Module: gopkg.in/yaml.v2
+    Found in: gopkg.in/yaml.v2@v2.2.3
+    Fixed in: gopkg.in/yaml.v2@v2.2.4
+    Example traces found:
+      #1: .../whole_mod_vuln.go:8:21: wholemodvuln.main calls yaml.Marshal
+      #2: .../whole_mod_vuln.go:4:2: wholemodvuln.init calls yaml.init
+
+=== Informational ===
+
+There is 1 vulnerability in modules that you require that is neither
+imported nor called. You may not need to take any action.
+See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
+
+Vulnerability #1: GO-2022-0969
+    HTTP/2 server connections can hang forever waiting for a clean shutdown that
+    was preempted by a fatal error. This condition can be exploited by a
+    malicious client to cause a denial of service.
+  More info: https://pkg.go.dev/vuln/GO-2022-0969
+  Standard library
+    Found in: net/http@go1.18
+    Fixed in: net/http@go1.18.6
+
+Your code is affected by 1 vulnerability from 1 module.
+
+Share feedback at https://go.dev/s/govulncheck-feedback.
--- a/cmd/govulncheck/testdata/vulndb-v1/ID/GO-2022-0956.json
+++ b/cmd/govulncheck/testdata/vulndb-v1/ID/GO-2022-0956.json
@ -0,0 +1,46 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2022-0956",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "2022-08-29T22:15:46Z",
+  "aliases": [
+    "CVE-2022-3064",
+    "GHSA-6q6q-88xp-6f2r"
+  ],
+  "summary": "Excessive resource consumption in gopkg.in/yaml.v2",
+  "details": "Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.",
+  "affected": [
+    {
+      "package": {
+        "name": "gopkg.in/yaml.v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.2.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "FIX",
+      "url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2022-0956"
+  }
+}
--- a/cmd/govulncheck/testdata/vulndb-v1/index/modules.json
+++ b/cmd/govulncheck/testdata/vulndb-v1/index/modules.json
@ -1 +1 @@
-[{"path":"github.com/tidwall/gjson","vulns":[{"id":"GO-2021-0054","modified":"2023-04-03T15:57:51Z","fixed":"1.6.6"},{"id":"GO-2021-0059","modified":"2023-04-03T15:57:51Z","fixed":"1.6.4"},{"id":"GO-2021-0265","modified":"2023-04-03T15:57:51Z","fixed":"1.9.3"}]},{"path":"golang.org/x/net","vulns":[{"id":"GO-2022-0969","modified":"2023-04-03T15:57:51Z","fixed":"0.0.0-20220906165146-f3363e06e74c"}]},{"path":"golang.org/x/text","vulns":[{"id":"GO-2020-0015","modified":"2023-04-03T15:57:51Z","fixed":"0.3.3"},{"id":"GO-2021-0113","modified":"2023-04-03T15:57:51Z","fixed":"0.3.7"}]},{"path":"stdlib","vulns":[{"id":"GO-2022-0969","modified":"2023-04-03T15:57:51Z","fixed":"1.19.1"}]}]
+[{"path":"github.com/tidwall/gjson","vulns":[{"id":"GO-2021-0054","modified":"2023-04-03T15:57:51Z","fixed":"1.6.6"},{"id":"GO-2021-0059","modified":"2023-04-03T15:57:51Z","fixed":"1.6.4"},{"id":"GO-2021-0265","modified":"2023-04-03T15:57:51Z","fixed":"1.9.3"}]},{"path":"golang.org/x/net","vulns":[{"id":"GO-2022-0969","modified":"2023-04-03T15:57:51Z","fixed":"0.0.0-20220906165146-f3363e06e74c"}]},{"path":"golang.org/x/text","vulns":[{"id":"GO-2020-0015","modified":"2023-04-03T15:57:51Z","fixed":"0.3.3"},{"id":"GO-2021-0113","modified":"2023-04-03T15:57:51Z","fixed":"0.3.7"}]},{"path":"stdlib","vulns":[{"id":"GO-2022-0969","modified":"2023-04-03T15:57:51Z","fixed":"1.19.1"}]},{"path":"gopkg.in/yaml.v2","vulns":[{"id":"GO-2022-0956","modified":"0001-01-01T00:00:00Z","fixed":"2.2.4"}]}]
--- a/cmd/govulncheck/testdata/vulndb-v1/index/modules.json.gz
+++ b/cmd/govulncheck/testdata/vulndb-v1/index/modules.json.gz
--- a/cmd/govulncheck/testdata/vulndb-v1/index/vulns.json
+++ b/cmd/govulncheck/testdata/vulndb-v1/index/vulns.json
@ -1 +1 @@
-[{"id":"GO-2020-0015","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2020-14040","GHSA-5rcv-m4m3-hfh7"]},{"id":"GO-2021-0054","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2020-36067","GHSA-p64j-r5f4-pwwx"]},{"id":"GO-2021-0059","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2020-35380","GHSA-w942-gw6m-p62c"]},{"id":"GO-2021-0113","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2021-38561","GHSA-ppp9-7jff-5vj2"]},{"id":"GO-2021-0265","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2021-42248","CVE-2021-42836","GHSA-c9gm-7rfj-8w5h","GHSA-ppj4-34rq-v8j9"]},{"id":"GO-2022-0969","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2022-27664","GHSA-69cg-p879-7622"]}]
+[{"id":"GO-2020-0015","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2020-14040","GHSA-5rcv-m4m3-hfh7"]},{"id":"GO-2021-0054","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2020-36067","GHSA-p64j-r5f4-pwwx"]},{"id":"GO-2021-0059","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2020-35380","GHSA-w942-gw6m-p62c"]},{"id":"GO-2021-0113","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2021-38561","GHSA-ppp9-7jff-5vj2"]},{"id":"GO-2021-0265","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2021-42248","CVE-2021-42836","GHSA-c9gm-7rfj-8w5h","GHSA-ppj4-34rq-v8j9"]},{"id":"GO-2022-0969","modified":"2023-04-03T15:57:51Z","aliases":["CVE-2022-27664","GHSA-69cg-p879-7622"]},{"id":"GO-2022-0956","modified":"0001-01-01T00:00:00Z","aliases":["CVE-2022-3064","GHSA-6q6q-88xp-6f2r"]}]
--- a/cmd/govulncheck/testdata/vulndb-v1/index/vulns.json.gz
+++ b/cmd/govulncheck/testdata/vulndb-v1/index/vulns.json.gz
--- a/internal/vulncheck/vulncheck.go
+++ b/internal/vulncheck/vulncheck.go
@ -162,6 +162,10 @@ func affectingVulnerabilities(vulns []*ModVulns, os, arch string) affectingVulns
 						filteredImports = append(filteredImports, p)
 					}
 				}
+				// If we pruned all existing Packages, then the affected is
+				// empty and we can filter it out. Note that Packages can
+				// be empty for vulnerabilities that have no package or
+				// symbol information available.
 				if len(a.EcosystemSpecific.Packages) != 0 && len(filteredImports) == 0 {
 					continue
 				}
@ -177,6 +181,7 @@ func affectingVulnerabilities(vulns []*ModVulns, os, arch string) affectingVulns
 			newV.Affected = filteredAffected
 			filteredVulns = append(filteredVulns, &newV)
 		}
+
 		filtered = append(filtered, &ModVulns{
 			Module: module,
 			Vulns:  filteredVulns,
@ -236,6 +241,12 @@ func (aff affectingVulns) ForPackage(importPath string) []*osv.Entry {
 Vuln:
 	for _, v := range vulns {
 		for _, a := range v.Affected {
+			if len(a.EcosystemSpecific.Packages) == 0 {
+				// no packages means all packages are vulnerable
+				packageVulns = append(packageVulns, v)
+				continue Vuln
+			}
+
 			for _, p := range a.EcosystemSpecific.Packages {
 				if p.Path == importPath {
 					packageVulns = append(packageVulns, v)
@ -258,6 +269,12 @@ func (aff affectingVulns) ForSymbol(importPath, symbol string) []*osv.Entry {
 vulnLoop:
 	for _, v := range vulns {
 		for _, a := range v.Affected {
+			if len(a.EcosystemSpecific.Packages) == 0 {
+				// no packages means all symbols of all packages are vulnerable
+				symbolVulns = append(symbolVulns, v)
+				continue vulnLoop
+			}
+
 			for _, p := range a.EcosystemSpecific.Packages {
 				if p.Path != importPath {
 					continue