vulndb/internal/audit: filter out vulns for modules with "" version

When a module version is unknown (""), the current implementation assumes
that any vulnerability version range applies to it. This can lead to
false alarms, the most prominent example being when audit is run on a
top-level module (which will have "" version) that has known
vulnerabilities. This CL makes sure no vulnerabilities apply for a
module with an unavailable version.

Fixes golang/go#48079

Change-Id: Idd9f080f9037d105d86311b62de77f29ef4664a2
Reviewed-on: https://go-review.googlesource.com/c/exp/+/346609
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Trust: Zvonimir Pavlinovic <zpavlinovic@google.com>
diff --git a/vulndb/internal/audit/detect.go b/vulndb/internal/audit/detect.go
index b542c00..4a166c5 100644
--- a/vulndb/internal/audit/detect.go
+++ b/vulndb/internal/audit/detect.go
@@ -189,16 +189,16 @@
 		if module.Replace != nil {
 			modVersion = module.Replace.Version
 		}
+		// TODO: if modVersion == "", try vcs to get the version?
 		var filteredVulns []*osv.Entry
 		for _, v := range mod.vulns {
 			// A module version is affected if
-			//  - it is incuded in one of the affected version ranges
-			//  - module version is ""
-			//  The latter means the module version is not available, which
-			//  should happen only for top-level packages for which we want
-			//  to be more conservative.
+			//  - it is included in one of the affected version ranges
+			//  - and module version is not ""
+			//  The latter means the module version is not available, so
+			//  we don't want to spam users with potential false alarms.
 			//  TODO: issue warning for "" cases above?
-			affectsVersion := modVersion == "" || v.Affects.AffectsSemver(modVersion)
+			affectsVersion := modVersion != "" && v.Affects.AffectsSemver(modVersion)
 			if affectsVersion && matchesPlatform(os, arch, v.EcosystemSpecific) {
 				filteredVulns = append(filteredVulns, v)
 			}
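Review bot: The new condition on L41 silences every vulnerability for a module whose version is unknown, but nothing records that this happened, so a user gets a clean report with no indication that part of the dependency set was never checked; the TODO on L39 should become a real signal now that the conservative behaviour is gone. Note that `modVersion` is taken from `module.Replace.Version` on L24, and a `replace` pointing at a local directory presumably also yields an empty version, so this change likely drops findings for locally replaced dependencies as well, not only for the top-level module — worth confirming and either warning or returning the list of unchecked module paths alongside `filteredVulns`. The rewritten comment on L36-L38 is also misleading: "The latter" still refers to the old `""` bullet, and "and module version is not """ reads as a separate criterion; replace the block with `// A vulnerability applies only when the module version is known (non-empty) and it falls inside one of the affected ranges. An empty version (the top-level module, and possibly directory replaces) cannot be compared against ranges, so such entries are dropped rather than reported as likely false positives.` The enclosing function starts and ends outside the hunk.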
diff --git a/vulndb/internal/audit/detect_test.go b/vulndb/internal/audit/detect_test.go
index 32cccba..dd2f16d 100644
--- a/vulndb/internal/audit/detect_test.go
+++ b/vulndb/internal/audit/detect_test.go
@@ -89,10 +89,6 @@
 			mod: &packages.Module{
 				Path: "example.mod/c",
 			},
-			vulns: []*osv.Entry{
-				{ID: "i", EcosystemSpecific: osv.GoSpecific{GOARCH: []string{"amd64"}}, Affects: osv.Affects{Ranges: []osv.AffectsRange{{Type: osv.TypeSemver, Introduced: "v0.0.0"}}}},
-				{ID: "j", EcosystemSpecific: osv.GoSpecific{GOARCH: []string{"amd64"}}, Affects: osv.Affects{Ranges: []osv.AffectsRange{{Type: osv.TypeSemver, Fixed: "v3.0.0"}}}},
-				{ID: "k"}},
 		},
 	}
 	if !reflect.DeepEqual(filtered, expected) {
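Review bot: With the three expected entries for `example.mod/c` removed, this case now only checks that a module without a `Version` yields no vulnerabilities; if no other case in the table does so, there is nothing pinning the replace path on the new side (`module.Replace.Version` is what gets compared), so a fixture with `Replace: &packages.Module{Path: "example.mod/c", Version: "v1.0.0"}` that still expects a match, and one with an empty replace version that expects none, would document the intended behaviour. The dropped `{ID: "k"}` entry had no ranges at all, so whether a range-less entry matches a versioned module is now decided solely by `AffectsSemver` and is untested here — presumably intentional, but worth one explicit case. The test function starts and ends outside the hunk.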