Other information (message, location, and stacks) will be added in
future CLs.
Updates golang/go#61347
Change-Id: I3bb78594372038817e379c16d452ff5159b26efc
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/549995
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
This makes config more self-contained and will help make sarif support
cleaner.
Also update help with default values for scan mode and level to be
consistent while at it.
Updates golang/go#61347
Change-Id: I6fc8d3dcd82f7843b54b704a9bdcc02352eeeeaa
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/567455
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
Also add a summary to one of the vulndb entries. This actually improves
testing coverage for both govulncheck text and sarif.
Updates golang/go#61347
Change-Id: Id851d6015daf350908b433c56853daf75f1240fb
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/549815
Reviewed-by: Maceo Thompson <maceothompson@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
The handler keeps track of the most precise findings for a
vulnerability.
Updates golang/go#61347
Change-Id: I8fe8183826f152d8d51d9e5b3117cd192012fdba
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/549775
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
This results in a better distribution of work since validation can be
done at the point when the flags are set. As a downside, it results in
printing a usage message on parse failure.
Change-Id: I7befd7ad628e2f7587ee5185cab01068c2db4610
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/564895
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
Since we have IsStdPackage and we use it elsewhere, we should also use
it here. Moreover, this is a more complete check. Some stdlib packages
will have (vendor) copies of x repos and those packages will have a path
that contains a dot.
Change-Id: I029992042b4aaaf8567f0a92c0489bb4b93282da
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/568275
TryBot-Result: Gopher Robot <gobot@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
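An added illustration of the point in the IsStdPackage commit above, written for this page and not taken from golang.org/x/vuln: the helper `isStdPackagePath` and the naive `naiveIsStd` are hypothetical, and the sample import paths are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// isStdPackagePath reports whether an import path belongs to the Go
// standard library. Hypothetical helper for illustration only; it is not
// the IsStdPackage function from golang.org/x/vuln.
//
// Standard library import paths have no dot in their first path element
// ("net/http", "crypto/tls"). The standard library also ships vendored
// copies of x/ repositories, which "go list std" reports with a leading
// "vendor/" element (e.g. "vendor/golang.org/x/net/http2/hpack"), and
// those paths do contain dots.
func isStdPackagePath(path string) bool {
	if path == "" {
		return false
	}
	if strings.HasPrefix(path, "vendor/") {
		// Vendored x/ copies living inside GOROOT are standard library.
		return true
	}
	first, _, _ := strings.Cut(path, "/")
	return !strings.Contains(first, ".")
}

// naiveIsStd is the heuristic the commit message warns about: any path
// containing a dot is assumed to be third-party. It misclassifies the
// vendored x/ copies that are part of the standard library.
func naiveIsStd(path string) bool {
	return !strings.Contains(path, ".")
}

func main() {
	// Constructed sample import paths.
	for _, p := range []string{
		"net/http",
		"vendor/golang.org/x/net/http2/hpack",
		"golang.org/x/net/http2",
		"github.com/example/mod/pkg",
	} {
		fmt.Printf("%-40s naive=%-5v isStd=%v\n", p, naiveIsStd(p), isStdPackagePath(p))
	}
}
```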
JSON output does not promise the order of messages. Text output wants
some determinism in the output. This CL makes sure then that sorting of
relevant messages is only done when creating text output. This will make
things slightly faster, and more importantly, easier to maintain.
Before, the sorting was done at several different places which is hard
to understand.
Change-Id: I6de03b9d403f8a5fe1106b5e3bdc223401385c93
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/566095
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
The current values are text and json. The latter is compatible with
-json flag that is designated as a legacy flag common to Go tools. This
CL is a precursor to sarif support.
Change-Id: I5a73b224e34c6c7f2798858c818f5f8d8e2437d0
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/564478
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
Packages obtained by querying PackageGraph are fixed up. Most notably,
this means that stdlib packages will have stdlib module set. We should
then use these packages. We in fact do, at least for the parts that
matter, but this CL tries to refactor code so that is made explicit.
Change-Id: I194b819ec40eba6726a68be7766ec220b80ec2f8
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/564155
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
This creates races and is not needed. vulncheck.PackageGraph will add
stdlibModule as .Module field of packages. We hence do not need to save
it separately.
Change-Id: I9fe800d16586c31c2813c69dc1c6945e1148154a
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/564018
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
As of recent changes, our tests will produce relative paths. They can be
different depending on the system. This will make builders fail and,
more importantly, make govulncheck JSON non-portable. This CL makes sure
all paths use slashes.
Change-Id: I16ef56cfbdd5d762a5dd3d5ca5d7f66bbad021b5
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/564095
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
packages.Load does not provide a path for a module if the module is
vendored. Vendored package and file paths are available so we
reconstruct the vendored module directory from them.
Change-Id: I75784a358e74c6c413b0e6d89e6bfc599a46efe0
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/559535
Reviewed-by: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
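An added example, not the golang.org/x/vuln implementation, covering the two path CLs above: the slash normalisation that keeps JSON output portable and the reconstruction of a vendored module's directory from a package path and one of its files. The helper `vendoredModuleDir` is hypothetical and the sample paths are constructed; it assumes only the layout the commit message describes, where package and file paths are known but no module directory is reported.

```go
package main

import (
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// vendoredModuleDir derives the on-disk directory of a vendored module from
// the module path, one of its package import paths, and any Go file in that
// package. Hypothetical helper written for this page.
func vendoredModuleDir(modPath, pkgPath, goFile string) (string, error) {
	if pkgPath != modPath && !strings.HasPrefix(pkgPath, modPath+"/") {
		return "", fmt.Errorf("package %q is not in module %q", pkgPath, modPath)
	}
	// Path of the package inside its module ("" for the module's root package).
	rel := strings.TrimPrefix(strings.TrimPrefix(pkgPath, modPath), "/")

	// Normalise to forward slashes first so the result is identical on every
	// OS; that is what keeps the emitted JSON portable across builders.
	pkgDir := path.Dir(filepath.ToSlash(goFile))
	if rel == "" {
		return pkgDir, nil
	}
	// The file's directory must end with the package's path inside the module;
	// stripping that suffix leaves the vendored module directory.
	if !strings.HasSuffix(pkgDir, "/"+rel) {
		return "", fmt.Errorf("directory %q does not end with %q", pkgDir, rel)
	}
	return strings.TrimSuffix(pkgDir, "/"+rel), nil
}

func main() {
	// Constructed sample inputs.
	dir, err := vendoredModuleDir(
		"example.com/dep",
		"example.com/dep/internal/util",
		"/home/u/proj/vendor/example.com/dep/internal/util/util.go",
	)
	fmt.Println(dir, err) // /home/u/proj/vendor/example.com/dep <nil>

	_, err = vendoredModuleDir("example.com/dep", "other.com/x", "/home/u/proj/vendor/other.com/x/x.go")
	fmt.Println(err) // package "other.com/x" is not in module "example.com/dep"
}
```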
The paths are relative subject to their module or standard library.
Change-Id: I780589c9cf1949cc4c9545246952116f0a52876b
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/558615
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
This CL addresses several issues:
- stdlib findings were never emitted on module level. The Package field
was always set. This is inconsistent and sometimes wrong. When run in
-scan=module mode, the Package would be set to a first package path
that exists in OSV, although that package might not even be
imported.
- stdlib findings at package level were never presented in -scan=package
mode. govulncheck text would say that the stdlib package is not
imported although in fact it might be.
This CL also puts stdlib-specific test files in their own folder.
Change-Id: Ia496f64757da194aeb2fe0c0ecdd699e87e08e4b
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/562778
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
The only check left in checks.bash is now a check that performs static
analysis of shell scripts. But we don't really have any useful shell
scripts apart from checks.bash itself. The snapshot_vulndb.sh could be
useful but it has not been used in a long time and it does not really
need static analysis: its failure would reflect in unit tests.
We hence delete all shell scripts and code that invokes them.
Change-Id: I58570f0b65487ef31b3382ab76e110e1f2b53605
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/563055
Reviewed-by: Maceo Thompson <maceothompson@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
These can in principle change for stdlib. Although we always pretend we
are running against go1.18, the actual stdlib underneath can be
different. This could result in different line numbers and columns.
There currently does not exist a clean way of masking line position for
stdlib paths, so we mask everything with placeholders.
Change-Id: I08628acbf10aa3f36b969bac5745ae3b4d52f284
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/562215
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
An extra new line is added when either 1) there is no summary of "other"
vulnerabilities found or 2) no suggestion. This CL removes those lines.
Change-Id: Ic6ab8c3a4b8ab193fdcd88e4afe65ab42a9a1794
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/562055
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
The sink is the vulnerable function. Before, we wouldn't show anything
as we are only showing positions of calls. Now, we include the position
where the vulnerable symbol is defined.
This will not have an effect on default text output. It will though on
-show traces output. The main beneficiary of this change are integration
points that will now be able to jump to the definition of the
vulnerable symbol.
Change-Id: Ie156bf5d05dc1c743f118f4d14dba6e2c263549b
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/559275
Reviewed-by: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
This establishes a convention where we wrap examples and mentions of
flag usage into single quotes to indicate proper usage. For instance,
this indicates that the verbose mode is triggered when both `-show`
and `verbose` are used at the same time one after another. The same goes
for other flags, such as scan.
Change-Id: I45cdc6499f9203d0ef73246cb8985c7b420cfacd
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/560815
Reviewed-by: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
No PCLN table means we just have buildinfo, which is exactly the same
scenario as when the binary is stripped. We should hence support it.
Fixes golang/go#59731
Change-Id: Ib6dd072f4827bc98bbbe5e686c81b5d72246a58b
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/560375
Reviewed-by: Maceo Thompson <maceothompson@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Otherwise, the command prompt and the summary are on the same line.
Change-Id: Ic3f132d16b918e3ac37b1284c83672c2dd1fb3c8
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/560377
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
This change fixes the stripped binary test - previously it was not
actually being run. The test is now updated to match the proper text
output.
Change-Id: I71d72c3eddf389a480fb2d3960e127ff5d672daf
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/559975
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
This change adds a private module to the vendored module, to better test
the edge case referenced in issue #65124
Change-Id: I54541bca826f99d609ba5801d23c3c801ee7056b
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/557858
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
This is to make the test dir structure and naming more consistent.
Change-Id: I1a0602689c0c36eaf4863c174d104138837c1983
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/559175
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
The code for binary now is structurally the same as for source.
Change-Id: I1601bb8ccb804a39dbfb28cfe5524e9462e2f5b4
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/558879
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
This matches the agreed design where each text section is named after
the mode. Also, this makes more sense when printing results for
binaries.
Change-Id: Iaa950cf5eb1c4e07b07eb1e0f7f32b23f6b168e3
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/559537
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
The exit status should indicate that vulnerabilities are found if
govulncheck detects an import of a vulnerability in packages mode and
require of a vulnerability in modules mode.
Change-Id: If1e8b0c757875a2fc1bae1ed1eaa71a484dba9ef
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/558876
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
This change adds the -show verbose flag. This makes it so that by
default, govulncheck will only show vuln information for its given scan
level. For example, by default it will only show information for called
vulnerabilities. See go/govulnchecktext for more info.
Change-Id: Ifb078780501c850f1f049278573733bbf302d752
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/557738
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
This change updates the text output to be more organized and to better
differentiate between vulnerabilities that are definitely called and
vulnerabilities govulncheck thinks it can discard.
See go/govulnchecktext for more info.
Change-Id: Ifcd25cf78447b5150cc77c49f753960ee644b6f0
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/557737
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Adds scan_level to the config for the json in testdata to better reflect
the structure of the json that the text handler actually receives. This
will become necessary as the text handler uses scan level in its config.
Change-Id: Ifa26b94529899d3b0f9d344d2e38adf46a8e8683
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/557736
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
Vuln db added entries for go-git and stackrox is using it at version
5.6.1.
Change-Id: I69a975db87ec88d7ef280eea13f74575fac8aa4c
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/557955
Reviewed-by: Maceo Thompson <maceothompson@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
These are interpreted as if all symbols of the module are vulnerable.
Change-Id: I150d7a62bfdf76d1ab3de5c04c384d52484983c3
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/556736
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
OSV applies to a vulnerable symbol if ecosystem specific contains an
entry for the symbol's package and the symbol is affected. ForSymbol
makes that connection. We don't need to check for this again later.
Change-Id: I63f9098b74a5b6243afeea8b53c9003bc48f565f
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/556735
Reviewed-by: Maceo Thompson <maceothompson@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>