vulncheck: cache executable symbols in a map

Currently, `lookupSymbol` for the various executable formats is implemented in terms of a linear search. This is inefficient and makes `govulncheck` not scale on larger binaries.

You can test this with a large binary. I took the main binary from StackRox Scanner:
```sh
$ docker export "$(docker create quay.io/stackrox-io/scanner:3.72.0)" | tar -C /tmp -x scanner
```

On my machine (macOS, Intel Core i9 8x2.4GHz), the results are the following:
```sh
$ time /tmp/govulncheck-orig /tmp/scanner
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
[...]
real    19m7.105s
user    21m4.712s
sys     1m50.733s
```

With this patch, it looks vastly different:
```sh
$ time /tmp/govulncheck-patched /tmp/scanner
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
[...]
real    0m2.315s
user    0m0.307s
sys     0m0.126s
```

Note: I ran experiments only for ELF binaries; however, I do not see a reason why PE and Mach-O executables should have substantially fewer symbols, so it should have a similar effect there.

Change-Id: Ibd58a53a4718ce668b46add0a8f5e1d6f75952cd
GitHub-Last-Rev: 13c85caa6f35289e38d6696a8864c940814ffd10
GitHub-Pull-Request: golang/vuln#2
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/435123
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
1 file changed
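The cache the commit message describes, as an added example written for this page (not the project's own code): the linear scan beside a name-keyed index built once from the symbol slice, run over a constructed symbol table. The `symbolIndex` type, `lookupLinear` and the sample symbols are assumptions made for the example.

```go
package main

import (
	"debug/elf"
	"fmt"
)

// Constructed stand-in for what (*elf.File).Symbols returns; the duplicate
// "main.main" checks that the index keeps the first occurrence, like the scan.
var sampleSymbols = []elf.Symbol{
	{Name: "main.main", Value: 0x401000, Size: 0x40},
	{Name: "runtime.main", Value: 0x402000, Size: 0x80},
	{Name: "main.main", Value: 0x999999, Size: 1},
}

// lookupLinear is the O(n) scan the commit message describes.
func lookupLinear(syms []elf.Symbol, name string) (elf.Symbol, error) {
	for _, s := range syms {
		if s.Name == name {
			return s, nil
		}
	}
	return elf.Symbol{}, fmt.Errorf("symbol %q not found", name)
}

// symbolIndex (hypothetical) is built once per executable: k lookups cost O(n+k), not O(k*n).
type symbolIndex map[string]elf.Symbol

func newSymbolIndex(syms []elf.Symbol) symbolIndex {
	idx := make(symbolIndex, len(syms))
	for _, s := range syms {
		if _, seen := idx[s.Name]; !seen { // first occurrence wins
			idx[s.Name] = s
		}
	}
	return idx
}

func (idx symbolIndex) lookup(name string) (elf.Symbol, error) {
	if s, ok := idx[name]; ok {
		return s, nil
	}
	return elf.Symbol{}, fmt.Errorf("symbol %q not found", name)
}

func main() {
	idx := newSymbolIndex(sampleSymbols) // built once, reused for every lookup
	s, err := idx.lookup("main.main")
	fmt.Printf("main.main at %#x (size %d), err=%v\n", s.Value, s.Size, err)
}
```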
README.md

Go Vulnerability Management

This repository contains packages for accessing and analyzing data from the Go Vulnerability Database. It contains the following:

  • Package client: a client for interacting with the Go vulnerability database
  • Package vulncheck: an API for detecting vulnerabilities in Go packages
  • Command govulncheck: a CLI for detecting vulnerabilities in Go packages

Check out https://go.dev/security/vuln for more information about the Go vulnerability management system.

Privacy Policy

The privacy policy for govulncheck can be found at https://vuln.go.dev/privacy.

License

Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Database entries available at https://vuln.go.dev are distributed under the terms of the CC-BY 4.0 license.