cmd/govulncheck: mask line numbers and columns

These can in principle change for stdlib. Although we always pretend we
are running against go1.18, the actual stdlib underneath can be
different. This could result in different line numbers and columns.
There currently does not exist a clean way of masking line position for
stdlib paths, so we mask everything with placeholders.

Change-Id: I08628acbf10aa3f36b969bac5745ae3b4d52f284
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/562215
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
diff --git a/cmd/govulncheck/main_test.go b/cmd/govulncheck/main_test.go
index 49445f3..f7f4179 100644
--- a/cmd/govulncheck/main_test.go
+++ b/cmd/govulncheck/main_test.go
@@ -52,6 +52,23 @@
 			return []byte(fmt.Sprintf(`.../%s%c`, filepath.Base(s[:len(s)-1]), s[len(s)-1]))
 		},
 	}, {
+		// modifies position lines to mask actual line and column with <l> and
+		// <c> placeholders, resp.
+		pattern: `\.go:(\d+):(\d+):`,
+		replace: `.go:<l>:<c>:`,
+	}, {
+		// modify position lines in json
+		pattern: `\"line\":(\s)*(\d+)`,
+		replace: `"line": <l>`,
+	}, {
+		// modify position columns in json
+		pattern: `\"column\":(\s)*(\d+)`,
+		replace: `"column": <c>`,
+	}, {
+		// modify position offset in json
+		pattern: `\"offset\":(\s)*(\d+)`,
+		replace: `"offset": <o>`,
+	}, {
 		// There was a one-line change in container/heap/heap.go between 1.18
 		// and 1.19 that makes the stack traces different. Ignore it.
 		pattern: `heap\.go:(\d+)`,
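Review bot: The text rule `\.go:(\d+):(\d+):` and the three JSON rules apply to every path, so the golden files stop checking positions for the fixtures' own code as well as for stdlib, and a regression in how positions are reported would pass unnoticed. Since only stdlib positions vary with the toolchain, consider keeping one test that asserts real line and column values for a non-stdlib frame, outside the masked comparison. Two smaller points: the JSON patterns match `"line"`, `"column"` and `"offset"` keys anywhere in the output, not only inside a `position` object, and the `\"` escapes and the capture groups are unnecessary in a raw string whose replacement uses no groups. Also check whether the `heap\.go:(\d+)` rule that follows can still match once `.go:N:M:` positions have been rewritten by the new rule.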
diff --git a/cmd/govulncheck/testdata/testfiles/convert/convert_text.ct b/cmd/govulncheck/testdata/testfiles/convert/convert_text.ct
index 91a175b..5102b38 100644
--- a/cmd/govulncheck/testdata/testfiles/convert/convert_text.ct
+++ b/cmd/govulncheck/testdata/testfiles/convert/convert_text.ct
@@ -14,7 +14,7 @@
     Found in: github.com/tidwall/gjson@v1.6.5
     Fixed in: github.com/tidwall/gjson@v1.9.3
     Example traces found:
-      #1: .../vuln.go:14:20: vuln.main calls gjson.Result.Get
+      #1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get
 
 Vulnerability #2: GO-2021-0113
     Due to improper index calculation, an incorrectly formatted language tag can
@@ -26,7 +26,7 @@
     Found in: golang.org/x/text@v0.3.0
     Fixed in: golang.org/x/text@v0.3.7
     Example traces found:
-      #1: .../vuln.go:13:16: vuln.main calls language.Parse
+      #1: .../vuln.go:<l>:<c>: vuln.main calls language.Parse
 
 Your code is affected by 2 vulnerabilities from 2 modules.
 This scan also found 1 vulnerability in packages you import and 0
diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_call_json.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_call_json.ct
index 528a25d..464b268 100644
--- a/cmd/govulncheck/testdata/testfiles/source-call/source_call_json.ct
+++ b/cmd/govulncheck/testdata/testfiles/source-call/source_call_json.ct
@@ -252,9 +252,9 @@
         "receiver": "Result",
         "position": {
           "filename": ".../gjson.go",
-          "offset": 5744,
-          "line": 296,
-          "column": 17
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
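Review bot: The bare placeholders in `"offset": <o>,`, `"line": <l>,` and `"column": <c>` make this expected output invalid JSON, so the golden file can no longer be parsed, validated or reformatted with JSON tooling. If that matters for these `_json.ct` files, have the `replace` strings in main_test.go emit a value that is still a JSON token, for example a quoted placeholder string.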
@@ -263,9 +263,9 @@
         "function": "main",
         "position": {
           "filename": ".../vuln.go",
-          "offset": 183,
-          "line": 14,
-          "column": 20
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       }
     ]
@@ -373,9 +373,9 @@
         "function": "Parse",
         "position": {
           "filename": ".../parse.go",
-          "offset": 5808,
-          "line": 228,
-          "column": 6
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -384,9 +384,9 @@
         "function": "main",
         "position": {
           "filename": ".../vuln.go",
-          "offset": 159,
-          "line": 13,
-          "column": 16
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       }
     ]
@@ -493,9 +493,9 @@
         "receiver": "Result",
         "position": {
           "filename": ".../gjson.go",
-          "offset": 4415,
-          "line": 220,
-          "column": 17
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -505,9 +505,9 @@
         "function": "modPretty",
         "position": {
           "filename": ".../gjson.go",
-          "offset": 53718,
-          "line": 2631,
-          "column": 21
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -517,9 +517,9 @@
         "function": "execModifier",
         "position": {
           "filename": ".../gjson.go",
-          "offset": 52543,
-          "line": 2587,
-          "column": 21
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -529,9 +529,9 @@
         "function": "Get",
         "position": {
           "filename": ".../gjson.go",
-          "offset": 38077,
-          "line": 1881,
-          "column": 36
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -542,9 +542,9 @@
         "receiver": "Result",
         "position": {
           "filename": ".../gjson.go",
-          "offset": 5781,
-          "line": 297,
-          "column": 12
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -553,9 +553,9 @@
         "function": "main",
         "position": {
           "filename": ".../vuln.go",
-          "offset": 183,
-          "line": 14,
-          "column": 20
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       }
     ]
diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_call_text.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_call_text.ct
index e7210f1..8cfff17 100644
--- a/cmd/govulncheck/testdata/testfiles/source-call/source_call_text.ct
+++ b/cmd/govulncheck/testdata/testfiles/source-call/source_call_text.ct
@@ -13,7 +13,7 @@
     Found in: github.com/tidwall/gjson@v1.6.5
     Fixed in: github.com/tidwall/gjson@v1.9.3
     Example traces found:
-      #1: .../vuln.go:14:20: vuln.main calls gjson.Result.Get
+      #1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get
 
 Vulnerability #2: GO-2021-0113
     Due to improper index calculation, an incorrectly formatted language tag can
@@ -25,7 +25,7 @@
     Found in: golang.org/x/text@v0.3.0
     Fixed in: golang.org/x/text@v0.3.7
     Example traces found:
-      #1: .../vuln.go:13:16: vuln.main calls language.Parse
+      #1: .../vuln.go:<l>:<c>: vuln.main calls language.Parse
 
 Vulnerability #3: GO-2021-0054
     Due to improper bounds checking, maliciously crafted JSON objects can cause
@@ -36,7 +36,7 @@
     Found in: github.com/tidwall/gjson@v1.6.5
     Fixed in: github.com/tidwall/gjson@v1.6.6
     Example traces found:
-      #1: .../vuln.go:14:20: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach
+      #1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach
 
 Your code is affected by 3 vulnerabilities from 2 modules.
 This scan also found 0 vulnerabilities in packages you import and 2
@@ -60,8 +60,8 @@
     Fixed in: github.com/tidwall/gjson@v1.9.3
     Example traces found:
       #1: for function github.com/tidwall/gjson.Result.Get
-        .../vuln.go:14:20: golang.org/vuln.main
-        .../gjson.go:296:17: github.com/tidwall/gjson.Result.Get
+        .../vuln.go:<l>:<c>: golang.org/vuln.main
+        .../gjson.go:<l>:<c>: github.com/tidwall/gjson.Result.Get
 
 Vulnerability #2: GO-2021-0113
     Due to improper index calculation, an incorrectly formatted language tag can
@@ -74,8 +74,8 @@
     Fixed in: golang.org/x/text@v0.3.7
     Example traces found:
       #1: for function golang.org/x/text/language.Parse
-        .../vuln.go:13:16: golang.org/vuln.main
-        .../parse.go:228:6: golang.org/x/text/language.Parse
+        .../vuln.go:<l>:<c>: golang.org/vuln.main
+        .../parse.go:<l>:<c>: golang.org/x/text/language.Parse
 
 Vulnerability #3: GO-2021-0054
     Due to improper bounds checking, maliciously crafted JSON objects can cause
@@ -87,12 +87,12 @@
     Fixed in: github.com/tidwall/gjson@v1.6.6
     Example traces found:
       #1: for function github.com/tidwall/gjson.Result.ForEach
-        .../vuln.go:14:20: golang.org/vuln.main
-        .../gjson.go:297:12: github.com/tidwall/gjson.Result.Get
-        .../gjson.go:1881:36: github.com/tidwall/gjson.Get
-        .../gjson.go:2587:21: github.com/tidwall/gjson.execModifier
-        .../gjson.go:2631:21: github.com/tidwall/gjson.modPretty
-        .../gjson.go:220:17: github.com/tidwall/gjson.Result.ForEach
+        .../vuln.go:<l>:<c>: golang.org/vuln.main
+        .../gjson.go:<l>:<c>: github.com/tidwall/gjson.Result.Get
+        .../gjson.go:<l>:<c>: github.com/tidwall/gjson.Get
+        .../gjson.go:<l>:<c>: github.com/tidwall/gjson.execModifier
+        .../gjson.go:<l>:<c>: github.com/tidwall/gjson.modPretty
+        .../gjson.go:<l>:<c>: github.com/tidwall/gjson.Result.ForEach
 
 Your code is affected by 3 vulnerabilities from 2 modules.
 This scan also found 0 vulnerabilities in packages you import and 2
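Review bot: After masking, the five `gjson.go` frames in trace #1 differ only by function name, so this expected output no longer pins which call site inside each function lies on the path to `gjson.Result.ForEach`. Every frame now reads `.../gjson.go:<l>:<c>:`, so if call-site selection is something this test is meant to cover, it needs an assertion elsewhere.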
@@ -115,7 +115,7 @@
     Found in: github.com/tidwall/gjson@v1.6.5
     Fixed in: github.com/tidwall/gjson@v1.9.3
     Example traces found:
-      #1: .../vuln.go:14:20: vuln.main calls gjson.Result.Get
+      #1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get
 
 Vulnerability #2: GO-2021-0113
     Due to improper index calculation, an incorrectly formatted language tag can
@@ -127,7 +127,7 @@
     Found in: golang.org/x/text@v0.3.0
     Fixed in: golang.org/x/text@v0.3.7
     Example traces found:
-      #1: .../vuln.go:13:16: vuln.main calls language.Parse
+      #1: .../vuln.go:<l>:<c>: vuln.main calls language.Parse
 
 Vulnerability #3: GO-2021-0054
     Due to improper bounds checking, maliciously crafted JSON objects can cause
@@ -138,7 +138,7 @@
     Found in: github.com/tidwall/gjson@v1.6.5
     Fixed in: github.com/tidwall/gjson@v1.6.6
     Example traces found:
-      #1: .../vuln.go:14:20: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach
+      #1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach
 
 === Package Results ===
 
diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_multientry_json.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_multientry_json.ct
index b363eac..ca5e214 100644
--- a/cmd/govulncheck/testdata/testfiles/source-call/source_multientry_json.ct
+++ b/cmd/govulncheck/testdata/testfiles/source-call/source_multientry_json.ct
@@ -243,9 +243,9 @@
         "function": "MustParse",
         "position": {
           "filename": ".../tags.go",
-          "offset": 427,
-          "line": 13,
-          "column": 6
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -254,9 +254,9 @@
         "function": "foobar",
         "position": {
           "filename": ".../main.go",
-          "offset": 1694,
-          "line": 99,
-          "column": 20
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -265,9 +265,9 @@
         "function": "D",
         "position": {
           "filename": ".../main.go",
-          "offset": 705,
-          "line": 48,
-          "column": 8
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -276,9 +276,9 @@
         "function": "main",
         "position": {
           "filename": ".../main.go",
-          "offset": 441,
-          "line": 26,
-          "column": 3
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       }
     ]
@@ -296,9 +296,9 @@
         "function": "Parse",
         "position": {
           "filename": ".../parse.go",
-          "offset": 1121,
-          "line": 33,
-          "column": 6
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -307,9 +307,9 @@
         "function": "C",
         "position": {
           "filename": ".../main.go",
-          "offset": 679,
-          "line": 44,
-          "column": 23
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -318,9 +318,9 @@
         "function": "main",
         "position": {
           "filename": ".../main.go",
-          "offset": 340,
-          "line": 22,
-          "column": 3
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       }
     ]
diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_multientry_text.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_multientry_text.ct
index 42bc78b..4c0d2b6 100644
--- a/cmd/govulncheck/testdata/testfiles/source-call/source_multientry_text.ct
+++ b/cmd/govulncheck/testdata/testfiles/source-call/source_multientry_text.ct
@@ -15,8 +15,8 @@
     Found in: golang.org/x/text@v0.3.5
     Fixed in: golang.org/x/text@v0.3.7
     Example traces found:
-      #1: .../main.go:99:20: multientry.foobar calls language.MustParse
-      #2: .../main.go:44:23: multientry.C calls language.Parse
+      #1: .../main.go:<l>:<c>: multientry.foobar calls language.MustParse
+      #2: .../main.go:<l>:<c>: multientry.C calls language.Parse
 
 Your code is affected by 1 vulnerability from 1 module.
 This scan also found 0 vulnerabilities in packages you import and 1
@@ -42,14 +42,14 @@
     Fixed in: golang.org/x/text@v0.3.7
     Example traces found:
       #1: for function golang.org/x/text/language.MustParse
-        .../main.go:26:3: golang.org/multientry.main
-        .../main.go:48:8: golang.org/multientry.D
-        .../main.go:99:20: golang.org/multientry.foobar
-        .../tags.go:13:6: golang.org/x/text/language.MustParse
+        .../main.go:<l>:<c>: golang.org/multientry.main
+        .../main.go:<l>:<c>: golang.org/multientry.D
+        .../main.go:<l>:<c>: golang.org/multientry.foobar
+        .../tags.go:<l>:<c>: golang.org/x/text/language.MustParse
       #2: for function golang.org/x/text/language.Parse
-        .../main.go:22:3: golang.org/multientry.main
-        .../main.go:44:23: golang.org/multientry.C
-        .../parse.go:33:6: golang.org/x/text/language.Parse
+        .../main.go:<l>:<c>: golang.org/multientry.main
+        .../main.go:<l>:<c>: golang.org/multientry.C
+        .../parse.go:<l>:<c>: golang.org/x/text/language.Parse
 
 === Package Results ===
 
diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_replace_text.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_replace_text.ct
index c0cec05..aec9244 100644
--- a/cmd/govulncheck/testdata/testfiles/source-call/source_replace_text.ct
+++ b/cmd/govulncheck/testdata/testfiles/source-call/source_replace_text.ct
@@ -16,7 +16,7 @@
     Found in: golang.org/x/text@v0.3.0
     Fixed in: golang.org/x/text@v0.3.7
     Example traces found:
-      #1: .../main.go:11:16: replace.main calls language.Parse
+      #1: .../main.go:<l>:<c>: replace.main calls language.Parse
 
 Your code is affected by 1 vulnerability from 1 module.
 This scan also found 0 vulnerabilities in packages you import and 2
diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_stdlib_text.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_stdlib_text.ct
index 84efa96..23c283b 100644
--- a/cmd/govulncheck/testdata/testfiles/source-call/source_stdlib_text.ct
+++ b/cmd/govulncheck/testdata/testfiles/source-call/source_stdlib_text.ct
@@ -14,7 +14,7 @@
     Found in: net/http@go1.18
     Fixed in: net/http@go1.18.6
     Example traces found:
-      #1: .../stdlib.go:17:31: stdlib.main calls http.ListenAndServe
+      #1: .../stdlib.go:<l>:<c>: stdlib.main calls http.ListenAndServe
 
 Your code is affected by 1 vulnerability from the Go standard library.
 This scan found no other vulnerabilities in packages you import or modules you
@@ -38,8 +38,8 @@
     Fixed in: net/http@go1.18.6
     Example traces found:
       #1: for function net/http.ListenAndServe
-        .../stdlib.go:17:31: golang.org/stdlib.main
-        .../server.go:3439:6: net/http.ListenAndServe
+        .../stdlib.go:<l>:<c>: golang.org/stdlib.main
+        .../server.go:<l>:<c>: net/http.ListenAndServe
 
 Your code is affected by 1 vulnerability from the Go standard library.
 This scan found no other vulnerabilities in packages you import or modules you
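Review bot: Only the `.../server.go:3439:6` frame in this hunk is stdlib code whose position can move with the toolchain, yet `.../stdlib.go:17:31`, a position in the test fixture, is masked as well. The commit message explains that there is no clean way to mask stdlib paths alone; repeating that reason in the comment above the new rules in main_test.go would make the lost coverage for fixture positions read as deliberate.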
diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_subdir_text.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_subdir_text.ct
index 9232c3c..3208c6d 100644
--- a/cmd/govulncheck/testdata/testfiles/source-call/source_subdir_text.ct
+++ b/cmd/govulncheck/testdata/testfiles/source-call/source_subdir_text.ct
@@ -15,7 +15,7 @@
     Found in: golang.org/x/text@v0.3.0
     Fixed in: golang.org/x/text@v0.3.7
     Example traces found:
-      #1: .../subdir.go:8:16: subdir.Foo calls language.Parse
+      #1: .../subdir.go:<l>:<c>: subdir.Foo calls language.Parse
 
 Your code is affected by 1 vulnerability from 1 module.
 This scan also found 0 vulnerabilities in packages you import and 2
@@ -41,8 +41,8 @@
     Fixed in: golang.org/x/text@v0.3.7
     Example traces found:
       #1: for function golang.org/x/text/language.Parse
-        .../subdir.go:8:16: golang.org/vuln/subdir.Foo
-        .../parse.go:228:6: golang.org/x/text/language.Parse
+        .../subdir.go:<l>:<c>: golang.org/vuln/subdir.Foo
+        .../parse.go:<l>:<c>: golang.org/x/text/language.Parse
 
 Your code is affected by 1 vulnerability from 1 module.
 This scan also found 0 vulnerabilities in packages you import and 2
diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_vendored_json.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_vendored_json.ct
index 13c89e9..01c2e16 100644
--- a/cmd/govulncheck/testdata/testfiles/source-call/source_vendored_json.ct
+++ b/cmd/govulncheck/testdata/testfiles/source-call/source_vendored_json.ct
@@ -252,9 +252,9 @@
         "receiver": "Result",
         "position": {
           "filename": ".../gjson.go",
-          "offset": 81,
-          "line": 7,
-          "column": 15
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -264,9 +264,9 @@
         "function": "Leave",
         "position": {
           "filename": ".../mod.go",
-          "offset": 86,
-          "line": 6,
-          "column": 20
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -275,9 +275,9 @@
         "function": "main",
         "position": {
           "filename": ".../vendored.go",
-          "offset": 137,
-          "line": 12,
-          "column": 15
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       }
     ]
@@ -385,9 +385,9 @@
         "function": "Parse",
         "position": {
           "filename": ".../language.go",
-          "offset": 53,
-          "line": 5,
-          "column": 6
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -396,9 +396,9 @@
         "function": "main",
         "position": {
           "filename": ".../vendored.go",
-          "offset": 155,
-          "line": 13,
-          "column": 16
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       }
     ]
diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_vendored_text.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_vendored_text.ct
index 4341085..199bd3d 100644
--- a/cmd/govulncheck/testdata/testfiles/source-call/source_vendored_text.ct
+++ b/cmd/govulncheck/testdata/testfiles/source-call/source_vendored_text.ct
@@ -13,7 +13,7 @@
     Found in: github.com/tidwall/gjson@v1.6.5
     Fixed in: github.com/tidwall/gjson@v1.9.3
     Example traces found:
-      #1: .../vendored.go:12:15: vendored.main calls fakemod.Leave, which calls gjson.Result.Get
+      #1: .../vendored.go:<l>:<c>: vendored.main calls fakemod.Leave, which calls gjson.Result.Get
 
 Vulnerability #2: GO-2021-0113
     Due to improper index calculation, an incorrectly formatted language tag can
@@ -25,7 +25,7 @@
     Found in: golang.org/x/text@v0.3.0
     Fixed in: golang.org/x/text@v0.3.7
     Example traces found:
-      #1: .../vendored.go:13:16: vendored.main calls language.Parse
+      #1: .../vendored.go:<l>:<c>: vendored.main calls language.Parse
 
 === Package Results ===
 
diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_wholemodvuln_text.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_wholemodvuln_text.ct
index 3a2ab0b..4994c2b 100644
--- a/cmd/govulncheck/testdata/testfiles/source-call/source_wholemodvuln_text.ct
+++ b/cmd/govulncheck/testdata/testfiles/source-call/source_wholemodvuln_text.ct
@@ -13,8 +13,8 @@
     Found in: gopkg.in/yaml.v2@v2.2.3
     Fixed in: gopkg.in/yaml.v2@v2.2.4
     Example traces found:
-      #1: .../whole_mod_vuln.go:8:21: wholemodvuln.main calls yaml.Marshal
-      #2: .../whole_mod_vuln.go:4:2: wholemodvuln.init calls yaml.init
+      #1: .../whole_mod_vuln.go:<l>:<c>: wholemodvuln.main calls yaml.Marshal
+      #2: .../whole_mod_vuln.go:<l>:<c>: wholemodvuln.init calls yaml.init
 
 Your code is affected by 1 vulnerability from 1 module.
 This scan also found 0 vulnerabilities in packages you import and 1