Set gotypesalias=1 when using >=1.23 toolchain on all of
the main packages in x/tools that use go/types.
This effectively upgrades commit https://go.dev/cl/617095.
For golang/go#69772
Change-Id: I9f3e64d348f6bffc75321a08145fde07fb4024a6
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/627715
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
The SARIF specification requires that some slice elements explicitly exist
in the JSON output even if they are empty. For instance, results should
be an empty array if the sarif handler finished but found nothing.
Another example is tags. Each rule in govulncheck sarif has a tags
property that can sometimes be empty. If so, JSON should contain an
empty slice of tags.
Fixes golang/go#70157
Change-Id: I112181e4efa5bc0a1577ff98f1b9eab912ed814c
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/625656
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
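The nil-versus-empty distinction the commit above relies on, shown as an added example that is not the project's own code: with encoding/json a nil slice serializes as null, so a clean scan would emit "results":null and a rule without tags "tags":null unless the slices are normalized first. The Rule, Result and Run types are constructed stand-ins for the SARIF shapes, not govulncheck's.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed, minimal SARIF-like shapes for this example (not the
// project's types). "tags" and "results" are the two properties the
// commit message says must serialize as [] rather than null.
type Rule struct {
	ID   string   `json:"id"`
	Tags []string `json:"tags"`
}

type Result struct {
	RuleID string `json:"ruleId"`
}

type Run struct {
	Rules   []Rule   `json:"rules"`
	Results []Result `json:"results"`
}

// Normalize replaces nil slices with empty, non-nil ones so that
// json.Marshal emits "[]" instead of "null". Rule entries are edited
// in place, since run.Rules shares its backing array with the caller.
func Normalize(run Run) Run {
	if run.Rules == nil {
		run.Rules = []Rule{}
	}
	for i := range run.Rules {
		if run.Rules[i].Tags == nil {
			run.Rules[i].Tags = []string{}
		}
	}
	if run.Results == nil {
		run.Results = []Result{}
	}
	return run
}

// EncodeRun marshals a run, optionally normalizing empty slices first.
func EncodeRun(run Run, normalize bool) (string, error) {
	if normalize {
		run = Normalize(run)
	}
	b, err := json.Marshal(run)
	return string(b), err
}

func main() {
	// Constructed input: one rule with no tags, and a scan with no findings.
	run := Run{Rules: []Rule{{ID: "EXAMPLE-RULE"}}}
	raw, _ := EncodeRun(run, false)
	fixed, _ := EncodeRun(run, true)
	fmt.Println(raw)   // ..."tags":null}],"results":null}
	fmt.Println(fixed) // ..."tags":[]}],"results":[]}
}
```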
An example is a multi-word release candidate.
Change-Id: Id5ef9ebd1ba94dad692d5ae8a74f03cb513f24a9
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/625576
Reviewed-by: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Updates the sbom text output to include the number of root packages and
number of found/scanned modules in the sbom text output.
Change-Id: I3dd03031d3f8dbd348c3b807c661b4bb0b1b268b
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/621596
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
Removes the "Scanning N packages across M dependent modules" progress
message, as it is superseded by the new SBOM message.
Change-Id: I53629e9b47b147399c65f15d7eb7ef3365b2730e
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/618296
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Adds the SBOM message to the text output, hidden behind the -verbose
flag.
Change-Id: I15c808df1e15bd339cf27912c9afed04d7146ef8
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/618295
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Passes the SBOM message to the handlers when in source and binary mode.
Change-Id: Id3ef03eb4294f731a18739477e710edd85ab755e
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/616935
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Add SemverToGoTag, which reverses GoTagToSemver.
The exception is when converting a go tag to the semver would have
resulted in an invalid semver (such as go RC versions). GoTagToSemver
returns an empty string in that case, and as such is not reversible.
Change-Id: I8d68c2372261b1ec7ec8b72354ac1919ad24d6f6
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/617396
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
Adds a minimal SBOM message to govulncheck output. This message contains
information about the code that govulncheck is scanning, like the go
version used for the standard library, modules and their version, and
the root packages gathered from the user inputted package patterns.
Change-Id: I5db597ffaaa654394faea8dda82e1f18c5f5975a
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/616061
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
This changes the internal representation of a PURL to a struct that is
converted to a string. It will make other "purlFromX" functions less
redundant to write in the future.
Change-Id: I278f13ef175878c85b07341be510050f8d7f2c5d
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/615795
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Populates the "subcomponent" field of an outputted VEX statement with the
PURL of the vulnerable dependency.
updates golang/go#68152
Change-Id: I9e7b9a6686744496b3409ee9d4d0f3d70917db45
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/598956
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
There are no stacks so the trace just contains the vulnerable symbol
that is anyhow communicated to the user.
Change-Id: I8a8ebcf3864f91150449dafe812f474a4a59bda8
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/614456
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
As paths are relative, it is not immediately evident to what module
symbols belong in traces mode. We hence reorganize things to make
that explicit while avoiding clutter.
Fixes golang/go#69490
Change-Id: Ic43e22954cbe3ff0ac458f75ee3a07706295fb5d
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/614135
Reviewed-by: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
This function was used to prune out the forward slice of functions
starting from roots. There weren't a lot of functions being pruned.
Measured on a few large projects, at most 0.08% of functions were
pruned. Keeping those functions is not expected to affect precision
or performance. Calling VTA two times will very likely get rid of
these functions anyhow.
Updates golang/go#69231
Change-Id: Id57f9697c5a5550b4d15fbeb88de30b8bee220da
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/611216
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Alan Donovan <adonovan@google.com>
As of https://go-review.git.corp.google.com/c/go/+/596035, the go command
adds a version for a Go binary, not always defaulting to devel. That
causes a devel test to fail at go tip builders. This CL adds an explicit
binary with devel version rather than the test building its own binary.
Once the new Go version with the above fix is released, we'll add
another test.
Change-Id: I409d18c85a0fad9b424771bd330067ac987d4830
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/605855
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
This only applies to binaries.
Change-Id: Ia499e823a08a1b039cba72d5c06b5f3b2cd2f942
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/603575
Reviewed-by: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Previously, unit tests using the "vuln" module did not have a
vulnerability that was imported but not called (a "package-level"
vulnerability). This change modifies main.go in the vuln module to
directly call a vulnerable function instead of using a function that
eventually was affected by multiple vulns.
Change-Id: Ic77a9c8efe3fd6dd2a2e76c230b3c4f67421e2fc
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/599476
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
For now, "(devel)" should never be matched.
Change-Id: Ia6b001caef1a1faf093b6757f3fb89d27e160bb2
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/598715
Reviewed-by: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
When checking if a go version is ancient, exclude invalid go versions
such as "devel 12343...." These are considered earlier than go1.18.
Change-Id: Ifbd7bd2834284b8e7fd109ec34fa4a2b9c297e24
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/598716
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
Updates handler tests to have more accurate package paths.
This doesn't affect anything right now, but will be relevant for
future features/testing.
Change-Id: Ia72c749cdaf263d2a425f349f72630cda576b5f0
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/598593
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
Very minor tweaks:
- Remove (c) pseudosymbol.
- Remove "All Rights Reserved."
- Change "Google Inc." (no longer exists) to "Google LLC".
[git-generate]
echo '
,s/\(c\) //
,s/ All rights reserved.//
,s/Google Inc./Google LLC/
w
q
' | sam -d LICENSE
Change-Id: Ie92bd7efd420f65bea524a6998c3d4c4e81a7274
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/598615
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Auto-Submit: Russ Cox <rsc@golang.org>
We emit a warning message for Go binaries built with an ancient Go
version.
Change-Id: I9c7037cb1710181786a7c063ae2a253f880dc6ad
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/597516
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
govulncheck's go.mod file explicitly requires go1.21 and it can analyze
binaries built before go1.18. There is no need to have these build
restrictions.
Change-Id: I50a80da2490fd4bd8fb3d5b7a68f8796ff3ffe18
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/597575
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
They only apply to source mode.
Change-Id: I288adf8eac2075bb32b301b4ffe668f453352a77
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/597515
Reviewed-by: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
This change modifies govulncheck's VEX output to no longer include
vulnerabilities that are not imported at a vulnerable version.
This matches the text output of govulncheck, and is in line with most
other vulnerability scanners.
updates golang/go#68338
Change-Id: If7041fd4624d023f623db8daf35a2e76f41d1d29
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/597396
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Mauri de Souza Meneguzzo <mauri870@gmail.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
We don't have any tests using it.
Change-Id: I72b24d505c0d9ec5cf9fce883bc04ed10f6bfd4f
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/595455
Auto-Submit: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
This also makes the code cleaner.
Change-Id: Ia59ed7dbf6487ee1ddcb67ffb05bd57668268e62
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/594217
Reviewed-by: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
As a result, govulncheck will report only stdlib vulnerabilities.
Change-Id: Ib9dd2445de41690b3e3122ad3789871b5d632441
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/595615
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
This package will be mainly used to check ancient Go binaries.
Change-Id: Ie0bd6b2c4fc0610941905c93cdb63ed7260b66ba
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/595015
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
Use the go directive in go.mod as the single source of truth
for the required Go version for installing govulncheck.
Updates golang/go#68034
Fixes golang/go#68256
Change-Id: Ief445ffa40282feff6a97419b48dc6290071d971
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/595935
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Than McIntosh <thanm@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
And refactor some code.
Change-Id: I658954d8670861cc36413c78c763cc2225716f15
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/594218
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
When searching if (a symbol of a) package is vulnerable, we would try to
identify the module from package path. (The module information is needed
because we save vulns per module.) This can cause problems when module
paths are prefixes of each other. In all cases except binary mode, we
know the exact module of a symbol or a package, so we simply use that.
Change-Id: I21c220e485522dda1bc1fe0a9025e73846b6fd6f
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/592135
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
For some binaries, a symbol can end in ".", so this CL handles that
case.
Change-Id: I7c3634eb9cc13ee4cd18d6787460e645dbbfdfae
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/594355
Reviewed-by: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
When checking test expectations (packages of called vulnerabilities), we
would use equality. Given that a requirement of integration checking is
to query the Go vulnerability database, the expectations need to change
from time to time. With the new support for UNREVIEWED, this is
happening more and more.
To address this, the CL here checks that the expected packages are a
subset of what is detected with govulncheck. This will make the test
more robust. The list of expected packages is anyhow long, so the
coverage is good and we are still testing against the same live db.
Change-Id: I49f73dc2094686253ae222bbe92144f87b2637a5
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/593155
Reviewed-by: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Otherwise, code won't compile due to the use of the slices package.
Fixes golang/go#68034
Change-Id: Id6fb27d2f213e5a665a2bcd6d07b15f80702975b
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/593235
Reviewed-by: Mauri de Souza Meneguzzo <mauri870@gmail.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
Adds documentation and updates some tests & comments to reflect the
introduction of the OpenVEX standard as a valid output format for
govulncheck.
Fixes golang/go#62486
Change-Id: I88c6fc830439606441bb1855ba8b36642007738c
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/590575
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
Commit-Queue: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>