exp/vulndb/internal/audit: fix range var escape bug
In vulnerability querying logic, when iterating over a list of modules
with vulnerabilities for a match, the matched module is saved via &...
This can cause bugs, as the saved pointer will then refer to the last
element of the range. The fix is to copy the element into a temporary variable.
Change-Id: Ibfbdf4f489c193c57e536bebd9aeb3c387114a77
Reviewed-on: https://go-review.googlesource.com/c/exp/+/342689
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Trust: Roland Shoemaker <roland@golang.org>
Trust: Zvonimir Pavlinovic <zpavlinovic@google.com>
diff --git a/vulndb/internal/audit/detect.go b/vulndb/internal/audit/detect.go
index 3861792..5c37973 100644
--- a/vulndb/internal/audit/detect.go
+++ b/vulndb/internal/audit/detect.go
@@ -155,9 +155,10 @@
func (mv ModuleVulnerabilities) VulnsForPackage(importPath string) []*osv.Entry {
var mostSpecificMod *modVulns
for _, mod := range mv {
- if strings.HasPrefix(importPath, mod.mod.Path) {
- if mostSpecificMod == nil || len(mostSpecificMod.mod.Path) < len(mod.mod.Path) {
- mostSpecificMod = &mod
+ md := mod
+ if strings.HasPrefix(importPath, md.mod.Path) {
+ if mostSpecificMod == nil || len(mostSpecificMod.mod.Path) < len(md.mod.Path) {
+ mostSpecificMod = &md
}
}
}
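Review bot: The prefix test on the new line `if strings.HasPrefix(importPath, md.mod.Path)` compares raw characters, so an import path such as `example.mod/ab` also matches the module `example.mod/a`, and the vulnerabilities of the wrong module can be attributed to the package (or the right module can lose to a longer, mismatching one in the "most specific" comparison). Module paths are slash-separated, so the check should be on a path boundary: `if importPath == md.mod.Path || strings.HasPrefix(importPath, md.mod.Path+"/")`. The copy `md := mod` is the correct fix for the address-of-range-variable aliasing under Go versions before 1.22, where one loop variable is shared across iterations; a short comment such as `// copy: &mod would alias the loop variable shared across iterations` would keep a later cleanup from folding it back into `&mod`. VulnsForPackage continues past the end of the hunk.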
diff --git a/vulndb/internal/audit/detect_test.go b/vulndb/internal/audit/detect_test.go
index b9a5ac6..43db9dc 100644
--- a/vulndb/internal/audit/detect_test.go
+++ b/vulndb/internal/audit/detect_test.go
@@ -110,6 +110,15 @@
{ID: "b", Package: osv.Package{Name: "example.mod/a/b/c"}},
},
},
+ {
+ mod: &packages.Module{
+ Path: "example.mod/d",
+ Version: "v0.0.1",
+ },
+ vulns: []*osv.Entry{
+ {ID: "d", Package: osv.Package{Name: "example.mod/d"}},
+ },
+ },
}
filtered := mv.VulnsForPackage("example.mod/a/b/c")