blob: 00c069ace46779c2827e005fbd81a23c50d55a8a [file] [log] [blame]
// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package main
import (
// TODO(zpavlinovic): improve integration tests.
// goYamlVuln contains vulnerability info for package.
var goYamlVuln string = `[{"ID":"GO-2020-0036","Published":"2021-04-14T12:00:00Z","Modified":"2021-04-14T12:00:00Z","Withdrawn":null,"Aliases":["CVE-2019-11254"],"Package":{"Name":"","Ecosystem":"go"},"Details":"An attacker can craft malicious YAML which will consume significant\nsystem resources when Unmarshalled.\n","Affects":{"Ranges":[{"Type":"SEMVER","Introduced":"","Fixed":"v2.2.8+incompatible"}]},"References":[{"Type":"code review","URL":""},{"Type":"fix","URL":""},{"Type":"misc","URL":""}],"ecosystem_specific":{"Symbols":["yaml_parser_fetch_more_tokens"],"URL":""}},{"ID":"GO-2021-0061","Published":"2021-04-14T12:00:00Z","Modified":"2021-04-14T12:00:00Z","Withdrawn":null,"Package":{"Name":"","Ecosystem":"go"},"Details":"A maliciously crafted input can cause resource exhaustion due to\nalias chasing.\n","Affects":{"Ranges":[{"Type":"SEMVER","Introduced":"","Fixed":"v2.2.3+incompatible"}]},"References":[{"Type":"code review","URL":""},{"Type":"fix","URL":""}],"ecosystem_specific":{"Symbols":["decoder.unmarshal"],"URL":""}}]`
// cryptoSSHVuln contains vulnerability info for
var cryptoSSHVuln string = `[{"ID":"GO-2020-0012","Published":"2021-04-14T12:00:00Z","Modified":"2021-04-14T12:00:00Z","Withdrawn":null,"Aliases":["CVE-2020-9283"],"Package":{"Name":"","Ecosystem":"go"},"Details":"An attacker can craft an ssh-ed25519 or public\nkey, such that the library will panic when trying to verify a signature\nwith it.\n","Affects":{"Ranges":[{"Type":"SEMVER","Introduced":"","Fixed":"v0.0.0-20200220183623-bac4c82f6975"}]},"References":[{"Type":"code review","URL":""},{"Type":"fix","URL":""},{"Type":"misc","URL":""}],"ecosystem_specific":{"Symbols":["parseED25519","ed25519PublicKey.Verify","parseSKEd25519","skEd25519PublicKey.Verify","NewPublicKey"],"URL":""}},{"ID":"GO-2020-0013","Published":"2021-04-14T12:00:00Z","Modified":"2021-04-14T12:00:00Z","Withdrawn":null,"Aliases":["CVE-2017-3204"],"Package":{"Name":"","Ecosystem":"go"},"Details":"By default host key verification is disabled which allows for\nman-in-the-middle attacks against SSH clients if\n[ClientConfig.HostKeyCallback] is not set.\n","Affects":{"Ranges":[{"Type":"SEMVER","Introduced":"","Fixed":"v0.0.0-20170330155735-e4e2799dd7aa"}]},"References":[{"Type":"code review","URL":""},{"Type":"fix","URL":""},{"Type":"misc","URL":""},{"Type":"misc","URL":""}],"ecosystem_specific":{"Symbols":["NewClientConn"],"URL":""}}]`
// k8sAPIServerVuln contains vulnerability info for
var k8sAPIServerVuln string = `[{"ID":"GO-2021-0062","Published":"2021-04-14T12:00:00Z","Modified":"2021-04-14T12:00:00Z","Withdrawn":null,"Aliases":["CVE-2019-11253"],"Package":{"Name":"","Ecosystem":"go"},"Details":"A maliciously crafted YAML or JSON message can cause resource\nexhaustion.\n","Affects":{"Ranges":[{"Type":"SEMVER","Introduced":"","Fixed":"v0.17.0"}]},"References":[{"Type":"code review","URL":""},{"Type":"fix","URL":""},{"Type":"misc","URL":""},{"Type":"misc","URL":""}],"ecosystem_specific":{"Symbols":["NewCustomResourceDefinitionHandler"],"URL":""}}]`
// index for dbs containing some entries for each vuln package.
// The timestamp for package is set to random moment in the past.
var index string = `{
"": "2021-01-01T12:00:00.000000000-08:00",
"": "2021-01-01T12:00:00.000000000-08:00",
"": "2021-01-01T12:00:00.000000000-08:00"
var vulns = map[string]string{
"": goYamlVuln,
"": cryptoSSHVuln,
"": k8sAPIServerVuln,
// addToLocalDb adds vuln for package p to local db at path db.
func addToLocalDb(db, p, vuln string) error {
if err := os.MkdirAll(path.Join(db, filepath.Dir(p)), fs.ModePerm); err != nil {
return err
f, err := os.Create(path.Join(db, p))
if err != nil {
return err
defer f.Close()
return nil
// addToServerDb adds vuln for package p to localhost server identified by its handler.
func addToServerDb(handler *http.ServeMux, p, vuln string) {
handler.HandleFunc("/"+p, func(w http.ResponseWriter, req *http.Request) { fmt.Fprint(w, vuln) })
// envUpdate updates an environment e by setting the key to value.
func envUpdate(e []string, key, value string) []string {
var nenv []string
for _, kv := range e {
if strings.HasPrefix(kv, key+"=") {
nenv = append(nenv, key+"="+value)
} else {
nenv = append(nenv, kv)
return nenv
// cmd type encapsulating a shell command and its context.
type cmd struct {
dir string
env []string
name string
args []string
// execAll executes a sequence of commands cmd. Exits on a first
// encountered error returning the error and the accumulated output.
func execAll(cmds []cmd) ([]byte, error) {
var out []byte
for _, c := range cmds {
o, err := execCmd(c.dir, c.env,, c.args...)
out = append(out, o...)
if err != nil {
return o, err
return out, nil
// execCmd runs the command name with arg in dir location with the env environment.
func execCmd(dir string, env []string, name string, arg ...string) ([]byte, error) {
cmd := exec.Command(name, arg...)
cmd.Dir = dir
cmd.Env = env
return cmd.CombinedOutput()
// finding abstraction of Finding, for test purposes.
type finding struct {
symbol string
traceLen int
func testFindings(finds []audit.Finding) []finding {
var fs []finding
for _, f := range finds {
fs = append(fs, finding{symbol: f.Symbol, traceLen: len(f.Trace)})
return fs
func subset(finds1, finds2 []finding) bool {
fs2 := make(map[finding]bool)
for _, f := range finds2 {
fs2[f] = true
for _, f := range finds1 {
if !fs2[f] {
return false
return true
func allFindings(r *audit.Results) []audit.Finding {
var findings []audit.Finding
for _, v := range r.Vulnerabilities {
for _, f := range r.VulnFindings[v.ID] {
findings = append(findings, f)
return findings
func TestHashicorpVault(t *testing.T) {
if testing.Short() {
t.Skip("skipping test in short mode.")
e := packagestest.Export(t, packagestest.Modules, []packagestest.Module{
Name: "foo",
defer e.Cleanup()
hashiVaultOkta := ""
// Go get hashicorp-vault okta package v1.6.3.
env := envUpdate(e.Config.Env, "GOPROXY", ",direct")
if out, err := execCmd(e.Config.Dir, env, "go", "get", hashiVaultOkta+"@v1.6.3"); err != nil {
t.Logf("failed to get %s: %s", hashiVaultOkta+"@v1.6.3", out)
// if out, err := execCmd(e.Config.Dir, env, "go", "mod", "tidy"); err != nil {
// t.Logf("failed to mod tidy: %s", out)
// t.Fatal(err)
// }
// run goaudit.
cfg := &packages.Config{
Mode: packages.LoadAllSyntax | packages.NeedModule,
Tests: false,
Dir: e.Config.Dir,
// Create a local filesystem db.
dbPath := path.Join(e.Config.Dir, "db")
addToLocalDb(dbPath, "index.json", index)
// Create a local server db.
sMux := http.NewServeMux()
s := http.Server{Addr: ":8080", Handler: sMux}
go func() { s.ListenAndServe() }()
defer func() { s.Shutdown(context.Background()) }()
addToServerDb(sMux, "index.json", index)
for _, test := range []struct {
source string
// list of packages whose vulns should be addded to source
toAdd []string
want []finding
// test local db without yaml, which should result in no findings.
{source: "file://" + dbPath, want: nil,
toAdd: []string{"", ""}},
// add yaml to the local db, which should produce 2 findings.
{source: "file://" + dbPath, toAdd: []string{""},
want: []finding{
{"", 6},
{"", 12}},
// repeat the similar experiment with a server db.
{source: "http://localhost:8080", toAdd: []string{""}, want: nil},
{source: "http://localhost:8080", toAdd: []string{"", ""},
want: []finding{
{"", 6},
{"", 12}},
} {
for _, add := range test.toAdd {
if strings.HasPrefix(test.source, "file://") {
addToLocalDb(dbPath, add, vulns[add])
} else {
addToServerDb(sMux, add, vulns[add])
r, err := run(cfg, []string{hashiVaultOkta}, false, []string{test.source})
if err != nil {
if fs := testFindings(allFindings(r)); !subset(test.want, fs) {
t.Errorf("want %v subset of findings; got %v", test.want, fs)
// isSecure checks if http resp was made over a secure connection.
func isSecure(resp *http.Response) bool {
if resp.TLS == nil {
return false
// Check the final URL scheme too for good measure.
if resp.Request.URL.Scheme != "https" {
return false
return true
// download fetches the content at url and stores it at destination location.
func download(url, destination string) error {
tr := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: false},
client := &http.Client{Transport: tr}
resp, err := client.Get(url)
if err != nil {
return err
defer resp.Body.Close()
if !isSecure(resp) {
return fmt.Errorf("insecure connection to %s", url)
out, err := os.Create(destination)
if err != nil {
return err
defer out.Close()
_, err = io.Copy(out, resp.Body)
return err
// TestKubernetes requires the following system dependencies:
// - make, tar, unzip, and gcc.
// More information on installing kubernetes:
// Note that the whole installation will require roughly 5GB of disk.
func TestKubernetes(t *testing.T) {
if testing.Short() {
t.Skip("skipping test in short mode.")
// make sure the dependencies are present
if _, err := exec.LookPath("tar"); err != nil {
t.Skip("tar needed for this test.")
if _, err := exec.LookPath("unzip"); err != nil {
t.Skip("unzip needed for this test.")
e := packagestest.Export(t, packagestest.Modules, []packagestest.Module{
Name: "foo",
defer e.Cleanup()
// Environments and directories to build and download both k8s and go.
env := envUpdate(e.Config.Env, "GOPROXY", ",direct")
dir := e.Config.Dir
k8sDir := path.Join(e.Config.Dir, "kubernetes-1.15.11")
k8sEnv := envUpdate(env, "PATH", path.Join(e.Config.Dir, "go/bin")+":"+os.Getenv("PATH"))
// Download kubernetes v1.15.11 and the go version 1.12 needed to build it.
if err := download("", path.Join(dir, "v1.15.11")); err != nil {
goZip := "go1.12.17." + runtime.GOOS + "-" + runtime.GOARCH + ".tar.gz"
if err := download(""+goZip, path.Join(dir, goZip)); err != nil {
// Unzip k8s and go, and then build the k8s.
if out, err := execAll([]cmd{
{dir, env, "unzip", []string{"v1.15.11"}},
{dir, env, "tar", []string{"-xf", goZip}},
{k8sDir, k8sEnv, "make", nil},
}); err != nil {
t.Logf("failed to build k8s: %s", out)
// Create a local filesystem db.
dbPath := path.Join(e.Config.Dir, "db")
addToLocalDb(dbPath, "index.json", index)
// Create a local server db.
sMux := http.NewServeMux()
s := http.Server{Addr: ":8080", Handler: sMux}
go func() { s.ListenAndServe() }()
defer func() { s.Shutdown(context.Background()) }()
addToServerDb(sMux, "index.json", index)
// run goaudit.
cfg := &packages.Config{
Mode: packages.LoadAllSyntax | packages.NeedModule,
Tests: false,
Dir: path.Join(e.Config.Dir, "kubernetes-1.15.11"),
for _, test := range []struct {
source string
// list of packages whose vulns should be addded to source
toAdd []string
want []finding
// test local db with only apiserver vuln, which should result in a single finding.
{source: "file://" + dbPath, toAdd: []string{"", ""},
want: []finding{{"", 3}}},
// add the rest of the vulnerabilites, resulting in more findings.
{source: "file://" + dbPath, toAdd: []string{""},
want: []finding{
{"", 1},
{"", 3},
{"", 4},
{"", 9},
// repeat similar experiment with a server db.
{source: "http://localhost:8080", toAdd: []string{""}, want: nil},
{source: "http://localhost:8080", toAdd: []string{"", ""},
want: []finding{
{"", 1},
{"", 3},
{"", 4},
{"", 9},
} {
for _, add := range test.toAdd {
if strings.HasPrefix(test.source, "file://") {
addToLocalDb(dbPath, add, vulns[add])
} else {
addToServerDb(sMux, add, vulns[add])
r, err := run(cfg, []string{"./..."}, false, []string{test.source})
if err != nil {
if fs := testFindings(allFindings(r)); !subset(test.want, fs) {
t.Errorf("want %v subset of findings; got %v", test.want, fs)