// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package audit
import (
// TestSymbolVulnDetectionVTA runs VulnerableSymbols over the test program
// returned by testProgAndEnv, reduces the result with projectFindings, and
// compares it with four expected findings. The expectations pin both which
// call chains to a vulnerable symbol are reported and which one is left out
// as a false positive, so a change in call-graph precision that hides a
// reachable symbol or reports an unreachable one fails this test.
//
// NOTE(review): VTA presumably refers to the variable type analysis
// call-graph construction; confirm against the package documentation.
func TestSymbolVulnDetectionVTA(t *testing.T) {
pkgs, env := testProgAndEnv(t)
got := projectFindings(VulnerableSymbols(pkgs, env))
// There should be four call chains reported with the VTA-VTA version, in the following order:
// T:T1() -> vuln.VG [use of global at line 4]
// T:T1() -> A:A1() -> vuln.VulnData.Vuln() [call at A.go:14]
// T:T2() -> vuln.Vuln() [approx.resolved] -> vuln.VG [use of global at vuln.go:4]
// T:T1() -> vuln.VulnData.Vuln() [approx. resolved] [call at testdata.go:13]
// Without VTA-VTA, we would also have the following false positive:
// T:T2() -> vuln.VulnData.Vuln() [approx. resolved] [call at testdata.go:26]
//
// NOTE(review): the file names and line numbers quoted in the chains above
// (vuln.go:4, A.go:14, testdata.go:13) differ from the Position values
// asserted below (vuln.go:5, A.go:15, T.go:14); confirm which is current.
//
// In the expectations below, the two findings whose trace contains an
// "[approx. resolved to" step carry weight 1 and the other two carry weight 0.
// NOTE(review): as shown here, Symbol and the osv package Name are empty
// strings, so the comparison does not pin which vulnerable symbol or package
// is reported. Presumably projectFindings clears them; confirm.
want := []Finding{
// Finding 1: T1 uses a vulnerable global.
Symbol: "",
Trace: []TraceElem{
{Description: "command-line-arguments.T1(...)", Position: &token.Position{Line: 11, Filename: "T.go"}},
Type: GlobalType,
Position: &token.Position{Line: 5, Filename: "vuln.go"},
Vulns: []osv.Entry{{Package: osv.Package{Name: ""}}},
weight: 0,
// Finding 2: T1 reaches a vulnerable function through a second trace step.
Symbol: "",
Trace: []TraceElem{
{Description: "command-line-arguments.T1(...)", Position: &token.Position{Line: 11, Filename: "T.go"}},
{Description: "", Position: &token.Position{Line: 14, Filename: "T.go"}}},
Type: FunctionType,
Position: &token.Position{Line: 15, Filename: "A.go"},
Vulns: []osv.Entry{{Package: osv.Package{Name: ""}}},
weight: 0,
// Finding 3: T2 reaches the vulnerable global through an approximately resolved call.
Symbol: "",
Trace: []TraceElem{
{Description: "command-line-arguments.T2(...)", Position: &token.Position{Line: 20, Filename: "T.go"}},
{Description: "command-line-arguments.t0(...) [approx. resolved to]", Position: &token.Position{Line: 22, Filename: "T.go"}},
Type: GlobalType,
Position: &token.Position{Line: 5, Filename: "vuln.go"},
Vulns: []osv.Entry{{Package: osv.Package{Name: ""}}},
weight: 1,
// Finding 4: T1 reaches a vulnerable function through an approximately resolved call.
Symbol: "",
Trace: []TraceElem{
{Description: "command-line-arguments.T1(...)", Position: &token.Position{Line: 11, Filename: "T.go"}},
{Description: " [approx. resolved to (]", Position: &token.Position{Line: 14, Filename: "T.go"}}},
Type: FunctionType,
Position: &token.Position{Line: 14, Filename: "T.go"},
Vulns: []osv.Entry{{Package: osv.Package{Name: ""}}},
weight: 1,
// A count mismatch is reported with Errorf, which does not stop the test,
// so the full comparison below still runs and prints both slices.
if len(want) != len(got) {
t.Errorf("want %d findings; got %d", len(want), len(got))
// Only got is sorted; want is written out in the order FindingCompare is
// expected to produce. SliceStable keeps the input order of equal findings.
sort.SliceStable(got, func(i int, j int) bool { return FindingCompare(got[i], got[j]) })
// reflect.DeepEqual follows the *token.Position pointers, so positions are
// compared by value rather than by address.
if !reflect.DeepEqual(want, got) {
t.Errorf("want %v findings (projected); got %v", want, got)