cmd/govulncheck/testdata/testfiles/source-call/source_call_text.ct - vuln - Git at Google

 #####
 # Test of basic govulncheck in source mode
 $ govulncheck -C ${moddir}/vuln ./... --> FAIL 3
 Scanning your code and P packages across M dependent modules for known vulnerabilities...

 === Symbol Results ===

 Vulnerability #1: GO-2021-0265
     A maliciously crafted path can cause Get and other query functions to
     consume excessive amounts of CPU and time.
   More info: https://pkg.go.dev/vuln/GO-2021-0265
   Module: github.com/tidwall/gjson
     Found in: github.com/tidwall/gjson@v1.6.5
     Fixed in: github.com/tidwall/gjson@v1.9.3
     Example traces found:
       #1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get

 Vulnerability #2: GO-2021-0113
     Due to improper index calculation, an incorrectly formatted language tag can
     cause Parse to panic via an out of bounds read. If Parse is used to process
     untrusted user inputs, this may be used as a vector for a denial of service
     attack.
   More info: https://pkg.go.dev/vuln/GO-2021-0113
   Module: golang.org/x/text
     Found in: golang.org/x/text@v0.3.0
     Fixed in: golang.org/x/text@v0.3.7
     Example traces found:
       #1: .../vuln.go:<l>:<c>: vuln.main calls language.Parse

 Vulnerability #3: GO-2021-0054
     Due to improper bounds checking, maliciously crafted JSON objects can cause
     an out-of-bounds panic. If parsing user input, this may be used as a denial
     of service vector.
   More info: https://pkg.go.dev/vuln/GO-2021-0054
   Module: github.com/tidwall/gjson
     Found in: github.com/tidwall/gjson@v1.6.5
     Fixed in: github.com/tidwall/gjson@v1.6.6
     Example traces found:
       #1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach

 Your code is affected by 3 vulnerabilities from 2 modules.
 This scan also found 0 vulnerabilities in packages you import and 2
 vulnerabilities in modules you require, but your code doesn't appear to call
 these vulnerabilities.
 Use '-show verbose' for more details.

 #####
 # Test of basic govulncheck in source mode with expanded traces
 $ govulncheck -C ${moddir}/vuln -show=traces ./... --> FAIL 3
 Scanning your code and P packages across M dependent modules for known vulnerabilities...

 === Symbol Results ===

 Vulnerability #1: GO-2021-0265
     A maliciously crafted path can cause Get and other query functions to
     consume excessive amounts of CPU and time.
   More info: https://pkg.go.dev/vuln/GO-2021-0265
   Module: github.com/tidwall/gjson
     Found in: github.com/tidwall/gjson@v1.6.5
     Fixed in: github.com/tidwall/gjson@v1.9.3
     Example traces found:
       #1: for function github.com/tidwall/gjson.Result.Get
         .../vuln.go:<l>:<c>: golang.org/vuln.main
         .../gjson.go:<l>:<c>: github.com/tidwall/gjson.Result.Get

 Vulnerability #2: GO-2021-0113
     Due to improper index calculation, an incorrectly formatted language tag can
     cause Parse to panic via an out of bounds read. If Parse is used to process
     untrusted user inputs, this may be used as a vector for a denial of service
     attack.
   More info: https://pkg.go.dev/vuln/GO-2021-0113
   Module: golang.org/x/text
     Found in: golang.org/x/text@v0.3.0
     Fixed in: golang.org/x/text@v0.3.7
     Example traces found:
       #1: for function golang.org/x/text/language.Parse
         .../vuln.go:<l>:<c>: golang.org/vuln.main
         .../parse.go:<l>:<c>: golang.org/x/text/language.Parse

 Vulnerability #3: GO-2021-0054
     Due to improper bounds checking, maliciously crafted JSON objects can cause
     an out-of-bounds panic. If parsing user input, this may be used as a denial
     of service vector.
   More info: https://pkg.go.dev/vuln/GO-2021-0054
   Module: github.com/tidwall/gjson
     Found in: github.com/tidwall/gjson@v1.6.5
     Fixed in: github.com/tidwall/gjson@v1.6.6
     Example traces found:
       #1: for function github.com/tidwall/gjson.Result.ForEach
         .../vuln.go:<l>:<c>: golang.org/vuln.main
         .../gjson.go:<l>:<c>: github.com/tidwall/gjson.Result.Get
         .../gjson.go:<l>:<c>: github.com/tidwall/gjson.Get
         .../gjson.go:<l>:<c>: github.com/tidwall/gjson.execModifier
         .../gjson.go:<l>:<c>: github.com/tidwall/gjson.modPretty
         .../gjson.go:<l>:<c>: github.com/tidwall/gjson.Result.ForEach

 Your code is affected by 3 vulnerabilities from 2 modules.
 This scan also found 0 vulnerabilities in packages you import and 2
 vulnerabilities in modules you require, but your code doesn't appear to call
 these vulnerabilities.
 Use '-show verbose' for more details.

 #####
 # Test of basic govulncheck in source mode with the -show verbose flag
 $ govulncheck -C ${moddir}/vuln -show verbose ./... --> FAIL 3
 Scanning your code and P packages across M dependent modules for known vulnerabilities...

 === Symbol Results ===

 Vulnerability #1: GO-2021-0265
     A maliciously crafted path can cause Get and other query functions to
     consume excessive amounts of CPU and time.
   More info: https://pkg.go.dev/vuln/GO-2021-0265
   Module: github.com/tidwall/gjson
     Found in: github.com/tidwall/gjson@v1.6.5
     Fixed in: github.com/tidwall/gjson@v1.9.3
     Example traces found:
       #1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get

 Vulnerability #2: GO-2021-0113
     Due to improper index calculation, an incorrectly formatted language tag can
     cause Parse to panic via an out of bounds read. If Parse is used to process
     untrusted user inputs, this may be used as a vector for a denial of service
     attack.
   More info: https://pkg.go.dev/vuln/GO-2021-0113
   Module: golang.org/x/text
     Found in: golang.org/x/text@v0.3.0
     Fixed in: golang.org/x/text@v0.3.7
     Example traces found:
       #1: .../vuln.go:<l>:<c>: vuln.main calls language.Parse

 Vulnerability #3: GO-2021-0054
     Due to improper bounds checking, maliciously crafted JSON objects can cause
     an out-of-bounds panic. If parsing user input, this may be used as a denial
     of service vector.
   More info: https://pkg.go.dev/vuln/GO-2021-0054
   Module: github.com/tidwall/gjson
     Found in: github.com/tidwall/gjson@v1.6.5
     Fixed in: github.com/tidwall/gjson@v1.6.6
     Example traces found:
       #1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach

 === Package Results ===

 No other vulnerabilities found.

 === Module Results ===

 Vulnerability #1: GO-2022-0969
     HTTP/2 server connections can hang forever waiting for a clean shutdown that
     was preempted by a fatal error. This condition can be exploited by a
     malicious client to cause a denial of service.
   More info: https://pkg.go.dev/vuln/GO-2022-0969
   Standard library
     Found in: net/http@go1.18
     Fixed in: net/http@go1.18.6

 Vulnerability #2: GO-2020-0015
     An attacker could provide a single byte to a UTF16 decoder instantiated with
     UseBOM or ExpectBOM to trigger an infinite loop if the String function on
     the Decoder is called, or the Decoder is passed to transform.String. If used
     to parse user supplied input, this may be used as a denial of service
     vector.
   More info: https://pkg.go.dev/vuln/GO-2020-0015
   Module: golang.org/x/text
     Found in: golang.org/x/text@v0.3.0
     Fixed in: golang.org/x/text@v0.3.3

 Your code is affected by 3 vulnerabilities from 2 modules.
 This scan also found 0 vulnerabilities in packages you import and 2
 vulnerabilities in modules you require, but your code doesn't appear to call
 these vulnerabilities.
	#####
	# Test of basic govulncheck in source mode
	$ govulncheck -C ${moddir}/vuln ./... --> FAIL 3
	Scanning your code and P packages across M dependent modules for known vulnerabilities...

	=== Symbol Results ===

	Vulnerability #1: GO-2021-0265
	A maliciously crafted path can cause Get and other query functions to
	consume excessive amounts of CPU and time.
	More info: https://pkg.go.dev/vuln/GO-2021-0265
	Module: github.com/tidwall/gjson
	Found in: github.com/tidwall/gjson@v1.6.5
	Fixed in: github.com/tidwall/gjson@v1.9.3
	Example traces found:
	#1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get

	Vulnerability #2: GO-2021-0113
	Due to improper index calculation, an incorrectly formatted language tag can
	cause Parse to panic via an out of bounds read. If Parse is used to process
	untrusted user inputs, this may be used as a vector for a denial of service
	attack.
	More info: https://pkg.go.dev/vuln/GO-2021-0113
	Module: golang.org/x/text
	Found in: golang.org/x/text@v0.3.0
	Fixed in: golang.org/x/text@v0.3.7
	Example traces found:
	#1: .../vuln.go:<l>:<c>: vuln.main calls language.Parse

	Vulnerability #3: GO-2021-0054
	Due to improper bounds checking, maliciously crafted JSON objects can cause
	an out-of-bounds panic. If parsing user input, this may be used as a denial
	of service vector.
	More info: https://pkg.go.dev/vuln/GO-2021-0054
	Module: github.com/tidwall/gjson
	Found in: github.com/tidwall/gjson@v1.6.5
	Fixed in: github.com/tidwall/gjson@v1.6.6
	Example traces found:
	#1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach

	Your code is affected by 3 vulnerabilities from 2 modules.
	This scan also found 0 vulnerabilities in packages you import and 2
	vulnerabilities in modules you require, but your code doesn't appear to call
	these vulnerabilities.
	Use '-show verbose' for more details.

	#####
	# Test of basic govulncheck in source mode with expanded traces
	$ govulncheck -C ${moddir}/vuln -show=traces ./... --> FAIL 3
	Scanning your code and P packages across M dependent modules for known vulnerabilities...

	=== Symbol Results ===

	Vulnerability #1: GO-2021-0265
	A maliciously crafted path can cause Get and other query functions to
	consume excessive amounts of CPU and time.
	More info: https://pkg.go.dev/vuln/GO-2021-0265
	Module: github.com/tidwall/gjson
	Found in: github.com/tidwall/gjson@v1.6.5
	Fixed in: github.com/tidwall/gjson@v1.9.3
	Example traces found:
	#1: for function github.com/tidwall/gjson.Result.Get
	.../vuln.go:<l>:<c>: golang.org/vuln.main
	.../gjson.go:<l>:<c>: github.com/tidwall/gjson.Result.Get

	Vulnerability #2: GO-2021-0113
	Due to improper index calculation, an incorrectly formatted language tag can
	cause Parse to panic via an out of bounds read. If Parse is used to process
	untrusted user inputs, this may be used as a vector for a denial of service
	attack.
	More info: https://pkg.go.dev/vuln/GO-2021-0113
	Module: golang.org/x/text
	Found in: golang.org/x/text@v0.3.0
	Fixed in: golang.org/x/text@v0.3.7
	Example traces found:
	#1: for function golang.org/x/text/language.Parse
	.../vuln.go:<l>:<c>: golang.org/vuln.main
	.../parse.go:<l>:<c>: golang.org/x/text/language.Parse

	Vulnerability #3: GO-2021-0054
	Due to improper bounds checking, maliciously crafted JSON objects can cause
	an out-of-bounds panic. If parsing user input, this may be used as a denial
	of service vector.
	More info: https://pkg.go.dev/vuln/GO-2021-0054
	Module: github.com/tidwall/gjson
	Found in: github.com/tidwall/gjson@v1.6.5
	Fixed in: github.com/tidwall/gjson@v1.6.6
	Example traces found:
	#1: for function github.com/tidwall/gjson.Result.ForEach
	.../vuln.go:<l>:<c>: golang.org/vuln.main
	.../gjson.go:<l>:<c>: github.com/tidwall/gjson.Result.Get
	.../gjson.go:<l>:<c>: github.com/tidwall/gjson.Get
	.../gjson.go:<l>:<c>: github.com/tidwall/gjson.execModifier
	.../gjson.go:<l>:<c>: github.com/tidwall/gjson.modPretty
	.../gjson.go:<l>:<c>: github.com/tidwall/gjson.Result.ForEach

	Your code is affected by 3 vulnerabilities from 2 modules.
	This scan also found 0 vulnerabilities in packages you import and 2
	vulnerabilities in modules you require, but your code doesn't appear to call
	these vulnerabilities.
	Use '-show verbose' for more details.

	#####
	# Test of basic govulncheck in source mode with the -show verbose flag
	$ govulncheck -C ${moddir}/vuln -show verbose ./... --> FAIL 3
	Scanning your code and P packages across M dependent modules for known vulnerabilities...

	=== Symbol Results ===

	Vulnerability #1: GO-2021-0265
	A maliciously crafted path can cause Get and other query functions to
	consume excessive amounts of CPU and time.
	More info: https://pkg.go.dev/vuln/GO-2021-0265
	Module: github.com/tidwall/gjson
	Found in: github.com/tidwall/gjson@v1.6.5
	Fixed in: github.com/tidwall/gjson@v1.9.3
	Example traces found:
	#1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get

	Vulnerability #2: GO-2021-0113
	Due to improper index calculation, an incorrectly formatted language tag can
	cause Parse to panic via an out of bounds read. If Parse is used to process
	untrusted user inputs, this may be used as a vector for a denial of service
	attack.
	More info: https://pkg.go.dev/vuln/GO-2021-0113
	Module: golang.org/x/text
	Found in: golang.org/x/text@v0.3.0
	Fixed in: golang.org/x/text@v0.3.7
	Example traces found:
	#1: .../vuln.go:<l>:<c>: vuln.main calls language.Parse

	Vulnerability #3: GO-2021-0054
	Due to improper bounds checking, maliciously crafted JSON objects can cause
	an out-of-bounds panic. If parsing user input, this may be used as a denial
	of service vector.
	More info: https://pkg.go.dev/vuln/GO-2021-0054
	Module: github.com/tidwall/gjson
	Found in: github.com/tidwall/gjson@v1.6.5
	Fixed in: github.com/tidwall/gjson@v1.6.6
	Example traces found:
	#1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach

	=== Package Results ===

	No other vulnerabilities found.

	=== Module Results ===

	Vulnerability #1: GO-2022-0969
	HTTP/2 server connections can hang forever waiting for a clean shutdown that
	was preempted by a fatal error. This condition can be exploited by a
	malicious client to cause a denial of service.
	More info: https://pkg.go.dev/vuln/GO-2022-0969
	Standard library
	Found in: net/http@go1.18
	Fixed in: net/http@go1.18.6

	Vulnerability #2: GO-2020-0015
	An attacker could provide a single byte to a UTF16 decoder instantiated with
	UseBOM or ExpectBOM to trigger an infinite loop if the String function on
	the Decoder is called, or the Decoder is passed to transform.String. If used
	to parse user supplied input, this may be used as a denial of service
	vector.
	More info: https://pkg.go.dev/vuln/GO-2020-0015
	Module: golang.org/x/text
	Found in: golang.org/x/text@v0.3.0
	Fixed in: golang.org/x/text@v0.3.3

	Your code is affected by 3 vulnerabilities from 2 modules.
	This scan also found 0 vulnerabilities in packages you import and 2
	vulnerabilities in modules you require, but your code doesn't appear to call
	these vulnerabilities.