commit | 639cf364ac7b77fba2da391c839ed2cc6d6591a8
---|---
author | Malte Isberner <malte.isberner@gmail.com> | Fri Sep 30 12:40:47 2022 +0000
committer | Jonathan Amsterdam <jba@google.com> | Fri Sep 30 19:09:18 2022 +0000
tree | c3d235118128190cc10f6b05bc9923ca76f5ccd5
parent | cabc70cc795b2392201cabfc3cc5f384a74f850d
vulncheck: cache executable symbols in a map

Currently, `lookupSymbol` for the various executable formats is implemented in terms of a linear search. This is inefficient and makes `govulncheck` not scale on larger binaries.

You can test this with a large binary. I took the main binary from StackRox Scanner:

```sh
$ docker export "$(docker create quay.io/stackrox-io/scanner:3.72.0)" | tar -C /tmp -x scanner
```

On my machine (macOS, Intel Core i9 8x2.4GHz), the results are the following:

```sh
$ time /tmp/govulncheck-orig /tmp/scanner
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
[...]

real    19m7.105s
user    21m4.712s
sys     1m50.733s
```

With this patch, it looks vastly different:

```sh
$ time /tmp/govulncheck-patched /tmp/scanner
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
[...]

real    0m2.315s
user    0m0.307s
sys     0m0.126s
```

Note: I ran experiments only for ELF binaries; however, I do not see a reason why PE and Mach-O executables should have substantially fewer symbols, so it should have a similar effect there.

Change-Id: Ibd58a53a4718ce668b46add0a8f5e1d6f75952cd
GitHub-Last-Rev: 13c85caa6f35289e38d6696a8864c940814ffd10
GitHub-Pull-Request: golang/vuln#2
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/435123
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
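The change the commit describes is the classic "index once, look up many times" fix: a symbol table of tens of thousands of entries scanned linearly for every vulnerable-symbol query turns a scan into minutes. The following Go program is an added illustration of that technique, not code from golang/vuln. It builds a name-to-address map from an ELF `.symtab` once (via the standard `debug/elf` package), exposes an O(1) `lookup`, and keeps the linear variant alongside only to show that both return the same answer. The symbol names in `constructedSymbols` are made up so the example runs without a real binary; the type and function names (`symbolIndex`, `indexELF`, and so on) are this example's own, not identifiers from the project.

```go
package main

import (
	"debug/elf"
	"fmt"
	"os"
)

// symbolInfo is the subset of elf.Symbol a binary scanner needs in order
// to map a package-level symbol to its address range in the executable.
type symbolInfo struct {
	Addr uint64
	Size uint64
}

// symbolIndex caches an executable's symbol table in a map, so that each
// lookup is a hash probe instead of a walk over the whole table.
type symbolIndex struct {
	byName map[string]symbolInfo
}

// newSymbolIndex builds the index once from the symbol slice. The first
// occurrence of a duplicated name wins, which is exactly what a forward
// linear search would have returned, so results do not change.
func newSymbolIndex(syms []elf.Symbol) *symbolIndex {
	idx := &symbolIndex{byName: make(map[string]symbolInfo, len(syms))}
	for _, s := range syms {
		if s.Name == "" {
			continue // the null symbol at the head of an ELF symtab
		}
		if _, dup := idx.byName[s.Name]; dup {
			continue
		}
		idx.byName[s.Name] = symbolInfo{Addr: s.Value, Size: s.Size}
	}
	return idx
}

// lookup returns the cached address and size for a symbol name.
func (idx *symbolIndex) lookup(name string) (symbolInfo, bool) {
	info, ok := idx.byName[name]
	return info, ok
}

// lookupSymbolLinear is the scan-on-every-call approach the patch replaces,
// kept only to cross-check the cached answers.
func lookupSymbolLinear(syms []elf.Symbol, name string) (symbolInfo, bool) {
	for _, s := range syms {
		if s.Name == name {
			return symbolInfo{Addr: s.Value, Size: s.Size}, true
		}
	}
	return symbolInfo{}, false
}

// indexELF opens an ELF executable and indexes its .symtab. Stripped
// binaries return elf.ErrNoSymbols, which the caller should surface rather
// than treat as "no vulnerable symbols present".
func indexELF(path string) (*symbolIndex, error) {
	f, err := elf.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	syms, err := f.Symbols()
	if err != nil {
		return nil, fmt.Errorf("%s: %w", path, err)
	}
	return newSymbolIndex(syms), nil
}

// constructedSymbols is a hand-built, hypothetical symbol table standing in
// for a real binary so the example runs offline. Names and addresses are
// invented.
func constructedSymbols() []elf.Symbol {
	return []elf.Symbol{
		{Name: "", Value: 0, Size: 0},
		{Name: "main.main", Value: 0x401000, Size: 0x80},
		{Name: "example.com/pkg.VulnFunc", Value: 0x4a2000, Size: 0x3c0},
		{Name: "main.main", Value: 0xdead, Size: 1}, // duplicate: first wins
	}
}

func main() {
	if len(os.Args) > 1 { // optional: index a real ELF file given on the command line
		idx, err := indexELF(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		fmt.Printf("%s: indexed %d symbols\n", os.Args[1], len(idx.byName))
		return
	}
	syms := constructedSymbols()
	idx := newSymbolIndex(syms)
	for _, name := range []string{"main.main", "example.com/pkg.VulnFunc", "missing"} {
		cached, ok1 := idx.lookup(name)
		linear, ok2 := lookupSymbolLinear(syms, name)
		fmt.Printf("%-26s cached=%#x/%v linear=%#x/%v\n", name, cached.Addr, ok1, linear.Addr, ok2)
	}
}
```

Run it with no arguments to see the cached and linear lookups agree on the constructed table, or pass a path to any unstripped ELF binary to index its real symbol table. The duplicate-name handling matters for the change the commit makes: a map that let the last entry win would silently return a different address than the linear search it replaced.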
This repository contains packages for accessing and analyzing data from the Go Vulnerability Database. It contains the following:
Check out https://go.dev/security/vuln for more information about the Go vulnerability management system.
The privacy policy for govulncheck can be found at https://vuln.go.dev/privacy.
Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.
Database entries available at https://vuln.go.dev are distributed under the terms of the CC-BY 4.0 license.