We do not need to remember which symbols are imported, only packages.
This simplifies code and future CLs. It also avoids mutating Result,
which is anyhow mostly a structure used for testing.
Change-Id: I7412785dc56c9b330138e9e8519f7d8cb79e0cd8
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/556675
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
The extract mode spits out a json blob representing the minimal
representation of a Go binary needed for govulncheck vulnerability
detection. Binary mode accepts both a Go binary and this representation
as an input.
The contents of extract should be regarded as a blob. The users of this
flag should not rely on its representation. It might change in the
future.
Change-Id: I81027062d34609fed7541ad2092d4cbe5df0d118
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/542035
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Govulncheck previously used go list to get mod info, which does not work
in modules with a vendor directory. Therefore, module information needs
to be extracted from package information instead.
There is one change to the behavior of govulncheck run in module mode in
a certain edge case: if one runs govulncheck with the ./... package
pattern in a subdirectory of a module, govulncheck will only show the
vulnerabilities affecting that subdirectory as opposed to the entire
module. This does not affect govulncheck default behavior nor the
behavior of govulncheck when run from the root of a module at any scan
level.
Fixes golang/go#65124
Change-Id: Ie3b0cb0b9486fb94efeb05ee0c76d19c9f595877
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/557495
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
This change is a hotfix removing the -mod=mod flag from the go list
call in LoadModules. A proper fix to support vendor directories will
be coming shortly.
Fixes golang/go#65155
Fixes golang/go#65130
Change-Id: I3faf90227154e019ab70201c9e04a1b185bc5f3a
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/556775
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Generated with 'go test -update' for changes introduced by CL 555515.
For golang/go#65084.
Change-Id: I05938ce2755b6acdd42efc3fe9f51a485d8ca405
Cq-Include-Trybots: luci.golang.try:x_vuln-gotip-linux-amd64-longtest
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/555655
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
It might be confusing and is really not adding any value to the output.
Change-Id: Icb65714f5dd111aa875bd88c4e5925a2cab74a19
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/551378
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
This is due to a new vuln db entry
https://go-review.git.corp.google.com/c/vulndb/+/550858.
Change-Id: I8859deab4b16c172dbc448946492937915536c9e
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/551136
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
These should not include the type parameter/argument.
Updates golang/go#63535
Change-Id: Iaae0e587d365f7e26e2361c9814fa1d288d8ad86
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/548016
TryBot-Result: Gopher Robot <gobot@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
Adds package level json tests as well as text output testing for module
and package level scans.
Change-Id: Idad6ae2214c752fef5750963e1a6c36de7717a97
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/545639
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
This change modifies the text output of govulncheck depending on the
scan level - specifically omitting assumptions about callstack
information when govulncheck never ran callstack analysis.
Change-Id: Id3ba3a1c97edb6140f0f00d58d9ae76737fc0ce1
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/545638
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
The help message for the -show flag was incorrect. It now outputs the
correct supported values for -show.
Change-Id: Ib53562f5a663e56fe9972cba75b41b8bda87e1f3
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/549315
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Source scanning does not accept patterns but we jump out early if
patterns are not present. We change this here.
Change-Id: I48557f6f8202b1e8409cbb5f8c91b3d48e1edaee
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/546575
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
This change adds scan_level to the config of the json input to the
textHandler tests. This more closely mirrors the actual JSON that the
govulncheck text handler receives.
Change-Id: Ie7438572dffe75cb3c1e94b40c3fbc8a27715755
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/545637
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
This change adds scan level to the text handler, which will allow us to
change messages depending on the amount of information govulncheck has
available to it. For example, it will allow govulncheck to not mention
callstacks if it never ran callstack analysis.
Change-Id: I9dccd5b0445dddfd8c071bf266ab9eecb0bd0d5e
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/545636
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Though this is slightly less organized (no longer dividing certain test
dirs into separate json/text directories), it fixes a bug where those
tests weren't being run. This is because `cmdtest.Read` globs on files
matching the pattern *.ct, meaning it doesn't search recursively for .ct
files. It also doesn't allow appending more tests to the test suite, so
it isn't possible to scan both a single directory wildcard (dir/*) and
the multiple directory case (dir/*/*).
This isn't the most ideal change, but all JSON tests end with _json.ct,
so they're still relatively human readable.
Change-Id: Ib0d55a3591535c3bb973af391359b1071722c4a0
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/545635
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Throws an error when the user attempts to input a package path when
running govulncheck with -scan=module.
Change-Id: I97c6dd32c027a42e1bd4b3edd8e1bea90b447888
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/544595
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Fixes a bug where govulncheck would incorrectly state that there were no
packages found matching the provided pattern when run with the
-scan=module flag.
Additionally, this change adds base regression tests to ensure that:
1. Module level scanning short circuits before emitting more granular
findings
2. Module level scanning still emits the same osvs as source level
Adds tests to ensure that module level scans behave as
expected. Further tests will be added for edge cases.
Change-Id: I144a785c416501e84c0f089c40456cebd7738456
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/543162
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
go get golang.org/x/tools@v0.15.0
go mod tidy
Change-Id: Ie77e7c0519d22e4a5d1b6d1402a64e3859f2cd87
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/544295
Run-TryBot: Tim King <taking@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
This simplifies tests for binary and forces us to move other tests to
more appropriate places. Further, internal/scan will use it to load
inputs from a new binary extract mode. For the same reason, also make
the stdlib runtime copies available in internal. This also makes them
more visible.
Change-Id: If01cbdd59112609ff16f712d3968e25f4544189c
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/540355
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
This is the minimal information needed for govulncheck to analyze binaries.
This will be jsonized in the follow-up CLs.
Change-Id: I52f71ad66ea7e5004d4ced388c488eff5e686fd6
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/540235
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
This change does not modify any tests, but organizes the preexisting
tests into subdirectories.
Change-Id: Id0634f646eae0aa9eceb98269acec2a76bbb2a6c
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/539662
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
This change changes the text output to only include messages relating to
vulnerabilities that actually appear. This means that if there is a
package level vuln but no module level vulnerabilities, govulncheck will
no longer say "There are also 0 vulnerabilities in modules that you
import".
Additionally, this change cleans up how the informational section
actually builds the string, using strings.Builder and automatically
wrapping text with handler.wrap() instead of manually wrapping the text.
Change-Id: Ia933ee777d87004ec94918954619e916ec307dd7
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/540315
Reviewed-by: Ian Cottrell <iancottrell@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
The choose function previously returned an "any" type. It will now
return the type of the inputs.
Change-Id: I6d6bd1e02d0b184ba4916ff53960ca1930e367eb
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/540275
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
Emitting one by one does not provide much benefit as traversal of
package import graphs is done fast. Emitting all at once makes the code
more consistent.
Change-Id: I9cb2617aeb60efa85c584bb41286d247af4d78c1
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/539735
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
We are not computing a proper slice of vulnerable imports graph, so we
update the documentation to reflect that. Also, we don't really
have a need to maintain package entry points, so we get rid of them.
Some related cleaning and renaming is done as well.
This CL is part of a series of changes cleaning up the code a bit.
Change-Id: I3b530c0a74b65933ec0c20f6f86a0a9c11b66929
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/539340
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
This CL is part of a series of changes cleaning up the code a bit.
Change-Id: Id5a2d644a5b3a2f8a79994ad270d4ee4c9b69e67
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/539037
Reviewed-by: Maceo Thompson <maceothompson@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Removes the "fileExists" function which is no longer used.
Fixes golang/go#63967
Change-Id: I7ac9eb5537f4419c22774a43ba955d2191c2fe84
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/540195
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Maceo Thompson <maceothompson@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
Previously, govulncheck would check for the existence of a go.mod file
using os.Stat only after loading packages or modules failed. Instead,
this change has govulncheck check using go env GOMOD, which returns a
specific string if no go mod is found. This allows us to also check
for a go mod file before attempting to load modules/packages.
Change-Id: I6302f226e1e7641e805838d959959170a442e0d3
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/538765
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
This change copies the nogomod "module" to a temp dir. This allows us to
change how we check for a go mod file existing without worrying about
the file structure of our test suite.
Change-Id: I0cc2b24c6cbd6631abde37809a4e976397f8fc2a
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/538764
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
The new name is affectingVulns which more closely resembles what this
type contains. The main purpose is to differentiate between the vulns
that affect the current program+platform from those that are actually
pulled from the db and emitted to handler.OSV.
Some other cleaning is also performed related to the tests.
This CL is part of a series of changes cleaning up the code a bit.
Change-Id: I68619f31f7b0e6082d14334cd2bce02d193ea59b
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/539036
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
This CL is part of a series of changes cleaning up the code a bit.
Change-Id: Ica5890efe0ff46d4afe651355baec147d0557cc1
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/538789
Reviewed-by: Maceo Thompson <maceothompson@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
We omit raw unfiltered OSVs the moment we fetch them from the database.
In practice, findings will be linked to a proper subset of these, making
more explicit govulncheck strengths of taking into account:
- module versions
- platform information
- symbols and their reachability via call graph
Change-Id: I3330535938ac037ccc9fae84562fa4270fd00d0e
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/538788
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
Some emit logic for findings is already in vulncheck and more will be
added. Might as well keep everything in the same place.
This also moves some call stack computation code for binaries to
vulncheck where anyhow call stack computation for source is located.
Finally, this also gets rid of redundant code and reduces the API surface of
vulncheck.
Change-Id: I23317680369a14115b4c928c8a5445c696ca33e8
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/538875
Reviewed-by: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
Loads modules using go list instead of inferring through packages. This
fixes a few module-level edge cases where a vuln wouldn't be counted.
Change-Id: I24e0ffa73f47451806d88aa672ca8ef7a72fc2bb
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/529278
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
When the provided scan level is invalid, govulncheck now errors before
attempting to analyze the given pattern. Previously, it would run with
the default scan level (source).
Change-Id: I3d73aaede55ec6cd58a04b3e128732316726affb
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/538677
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Updates the documentation for the Finding struct to better reflect
govulncheck's behavior.
Change-Id: I66b1f0aa7725697980d67623e84c220be1c311d0
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/538757
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Source function is internal so it can make certain assumptions about how
it is called. These assumptions (now documented) allow us to avoid
computing and validating file sets, resulting in simplified code.
Fixes golang/go#59729
Change-Id: Iea7e5c91d51a8243451f13a3d13fa0672cca77cd
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/532215
Reviewed-by: Maceo Thompson <maceothompson@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
When a provided pattern is invalid, govulncheck returns the error
produced by Go. But when the pattern is valid and no packages match,
govulncheck proceeds to analyze 0 packages and produces usual progress
messages. This can be confusing. We hence generate a better progress
message.
Fixes golang/go#59623
Change-Id: Ida8cd61635dc1a2082ce428f5c1ae48f1715e4ce
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/532056
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
This change updates govulncheck to emit findings and osvs as they are
found, which allows for quicker short circuiting depending on scan
level. It will also simplify implementing module level scanning.
Change-Id: I8cdc7492d76a9a21d5a0e9d9355ff4407d5f3864
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/528216
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
Fixes a case where (in emit result) modPath was passed as the mod
version arg to a call to fixedVersion() instead of modVersion.
Change-Id: Ib77046739b6b9c32ae593971b9a7422fa0db39ca
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/534860
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>