cmd/govulncheck: update test data
Generated with 'go test -update' for changes introduced by CL 555515.
For golang/go#65084.
Change-Id: I05938ce2755b6acdd42efc3fe9f51a485d8ca405
Cq-Include-Trybots: luci.golang.try:x_vuln-gotip-linux-amd64-longtest
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/555655
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_vuln_json.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_vuln_json.ct
index d275d11..324161c 100644
--- a/cmd/govulncheck/testdata/testfiles/source-call/source_vuln_json.ct
+++ b/cmd/govulncheck/testdata/testfiles/source-call/source_vuln_json.ct
@@ -469,6 +469,81 @@
}
}
{
+ "finding": {
+ "osv": "GO-2021-0054",
+ "fixed_version": "v1.6.6",
+ "trace": [
+ {
+ "module": "github.com/tidwall/gjson",
+ "version": "v1.6.5",
+ "package": "github.com/tidwall/gjson",
+ "function": "ForEach",
+ "receiver": "Result"
+ },
+ {
+ "module": "github.com/tidwall/gjson",
+ "version": "v1.6.5",
+ "package": "github.com/tidwall/gjson",
+ "function": "modPretty",
+ "position": {
+ "filename": ".../gjson.go",
+ "offset": 53718,
+ "line": 2631,
+ "column": 21
+ }
+ },
+ {
+ "module": "github.com/tidwall/gjson",
+ "version": "v1.6.5",
+ "package": "github.com/tidwall/gjson",
+ "function": "execModifier",
+ "position": {
+ "filename": ".../gjson.go",
+ "offset": 52543,
+ "line": 2587,
+ "column": 21
+ }
+ },
+ {
+ "module": "github.com/tidwall/gjson",
+ "version": "v1.6.5",
+ "package": "github.com/tidwall/gjson",
+ "function": "Get",
+ "position": {
+ "filename": ".../gjson.go",
+ "offset": 38077,
+ "line": 1881,
+ "column": 36
+ }
+ },
+ {
+ "module": "github.com/tidwall/gjson",
+ "version": "v1.6.5",
+ "package": "github.com/tidwall/gjson",
+ "function": "Get",
+ "receiver": "Result",
+ "position": {
+ "filename": ".../gjson.go",
+ "offset": 5781,
+ "line": 297,
+ "column": 12
+ }
+ },
+ {
+ "module": "golang.org/vuln",
+ "package": "golang.org/vuln",
+ "function": "main",
+ "position": {
+ "filename": ".../vuln.go",
+ "offset": 183,
+ "line": 14,
+ "column": 20
+ }
+ }
+ ]
+ }
+}
+{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2020-0015",
diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_vuln_text.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_vuln_text.ct
index 52e3c5b..70bc6b6 100644
--- a/cmd/govulncheck/testdata/testfiles/source-call/source_vuln_text.ct
+++ b/cmd/govulncheck/testdata/testfiles/source-call/source_vuln_text.ct
@@ -25,12 +25,21 @@
Example traces found:
#1: .../vuln.go:13:16: vuln.main calls language.Parse
+Vulnerability #3: GO-2021-0054
+ Due to improper bounds checking, maliciously crafted JSON objects can cause
+ an out-of-bounds panic. If parsing user input, this may be used as a denial
+ of service vector.
+ More info: https://pkg.go.dev/vuln/GO-2021-0054
+ Module: github.com/tidwall/gjson
+ Found in: github.com/tidwall/gjson@v1.6.5
+ Fixed in: github.com/tidwall/gjson@v1.6.6
+ Example traces found:
+ #1: .../vuln.go:14:20: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach
+
=== Informational ===
-Found 1 vulnerability in packages that you import, but there are no
-call stacks leading to the use of this vulnerability. There are also 2
-vulnerabilities in modules that you require that are neither imported
-nor called. You may not need to take any action.
+There are 2 vulnerabilities in modules that you require that are
+neither imported nor called. You may not need to take any action.
See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
Vulnerability #1: GO-2022-0969
@@ -42,16 +51,7 @@
Found in: net/http@go1.18
Fixed in: net/http@go1.18.6
-Vulnerability #2: GO-2021-0054
- Due to improper bounds checking, maliciously crafted JSON objects can cause
- an out-of-bounds panic. If parsing user input, this may be used as a denial
- of service vector.
- More info: https://pkg.go.dev/vuln/GO-2021-0054
- Module: github.com/tidwall/gjson
- Found in: github.com/tidwall/gjson@v1.6.5
- Fixed in: github.com/tidwall/gjson@v1.6.6
-
-Vulnerability #3: GO-2020-0015
+Vulnerability #2: GO-2020-0015
An attacker could provide a single byte to a UTF16 decoder instantiated with
UseBOM or ExpectBOM to trigger an infinite loop if the String function on
the Decoder is called, or the Decoder is passed to transform.String. If used
@@ -62,7 +62,7 @@
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.3
-Your code is affected by 2 vulnerabilities from 2 modules.
+Your code is affected by 3 vulnerabilities from 2 modules.
Share feedback at https://go.dev/s/govulncheck-feedback.
@@ -97,12 +97,27 @@
.../vuln.go:13:16: golang.org/vuln.main
golang.org/x/text/language.Parse
+Vulnerability #3: GO-2021-0054
+ Due to improper bounds checking, maliciously crafted JSON objects can cause
+ an out-of-bounds panic. If parsing user input, this may be used as a denial
+ of service vector.
+ More info: https://pkg.go.dev/vuln/GO-2021-0054
+ Module: github.com/tidwall/gjson
+ Found in: github.com/tidwall/gjson@v1.6.5
+ Fixed in: github.com/tidwall/gjson@v1.6.6
+ Example traces found:
+ #1: for function github.com/tidwall/gjson.Result.ForEach
+ .../vuln.go:14:20: golang.org/vuln.main
+ .../gjson.go:297:12: github.com/tidwall/gjson.Result.Get
+ .../gjson.go:1881:36: github.com/tidwall/gjson.Get
+ .../gjson.go:2587:21: github.com/tidwall/gjson.execModifier
+ .../gjson.go:2631:21: github.com/tidwall/gjson.modPretty
+ github.com/tidwall/gjson.Result.ForEach
+
=== Informational ===
-Found 1 vulnerability in packages that you import, but there are no
-call stacks leading to the use of this vulnerability. There are also 2
-vulnerabilities in modules that you require that are neither imported
-nor called. You may not need to take any action.
+There are 2 vulnerabilities in modules that you require that are
+neither imported nor called. You may not need to take any action.
See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
Vulnerability #1: GO-2022-0969
@@ -114,16 +129,7 @@
Found in: net/http@go1.18
Fixed in: net/http@go1.18.6
-Vulnerability #2: GO-2021-0054
- Due to improper bounds checking, maliciously crafted JSON objects can cause
- an out-of-bounds panic. If parsing user input, this may be used as a denial
- of service vector.
- More info: https://pkg.go.dev/vuln/GO-2021-0054
- Module: github.com/tidwall/gjson
- Found in: github.com/tidwall/gjson@v1.6.5
- Fixed in: github.com/tidwall/gjson@v1.6.6
-
-Vulnerability #3: GO-2020-0015
+Vulnerability #2: GO-2020-0015
An attacker could provide a single byte to a UTF16 decoder instantiated with
UseBOM or ExpectBOM to trigger an infinite loop if the String function on
the Decoder is called, or the Decoder is passed to transform.String. If used
@@ -134,6 +140,6 @@
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.3
-Your code is affected by 2 vulnerabilities from 2 modules.
+Your code is affected by 3 vulnerabilities from 2 modules.
Share feedback at https://go.dev/s/govulncheck-feedback.
