client: handle file URI scheme on windows

A file URI takes the form of
  file://host/path

https://en.wikipedia.org/wiki/File_URI_scheme

On windows, for example, vulndb located in c:\dir\vulndb will be

  file:///c:/dir/vulndb

Previously, the code took the `file://` prefix and attempted to use the
remainder as the directory of a local vulndb. On Windows, that caused
it to call os.Stat on /c:/dir/vulndb when a correctly encoded URI was passed in.

It turned out that file URI parsing is a known, complex issue.

See golang/go#32456 for context.

This CL includes the code copied from the Go project.

https://github.com/golang/go/blob/2ebe77a2fda1ee9ff6fd9a3e08933ad1ebaea039/src/cmd/go/internal/web/url.go

Updated the tests to exercise the windows-like file path correctly
when testing on windows. Previously, tests depended on relative paths
or assumed an incorrect form of windows file uri (e.g. file://C:\workdir\gopath\src\golang.org\x\vuln\cmd\govulncheck/testdata/vulndb)

Change-Id: I5fc451e5ca44649b9623daee28ee3210a7b2b96c
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/438175
Run-TryBot: Hyang-Ah Hana Kim <hyangah@gmail.com>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Bryan Mills <bcmills@google.com>
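
The difference between prefix stripping and URI parsing described in the commit message, as an added Go example. It is not the code from this CL or from the Go project; `naivePath` and `fileURIToPath` are hypothetical, simplified helpers, and the target OS is passed as a parameter so the Windows case can be exercised on any platform.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// naivePath reproduces the old behaviour the commit message describes:
// strip the "file://" prefix and treat the remainder as a directory.
func naivePath(uri string) string {
	return strings.TrimPrefix(uri, "file://")
}

// fileURIToPath parses a file URI and returns a local path for goos
// ("windows" or anything else). Hypothetical helper for illustration.
func fileURIToPath(uri, goos string) (string, error) {
	u, err := url.Parse(uri)
	if err != nil {
		return "", err
	}
	if u.Scheme != "file" || !strings.HasPrefix(u.Path, "/") {
		return "", errors.New("not an absolute file URI")
	}
	local := u.Host == "" || u.Host == "localhost"
	if goos != "windows" {
		if !local {
			return "", errors.New("file URI with non-local host")
		}
		return u.Path, nil
	}
	p := strings.ReplaceAll(u.Path, "/", `\`)
	if !local {
		return `\\` + u.Host + p, nil // UNC form: \\host\share\dir
	}
	p = p[1:] // drop the separator that precedes the drive letter
	if len(p) < 2 || p[1] != ':' {
		return "", errors.New("file URI is missing a drive letter")
	}
	return p, nil
}

func main() {
	uri := "file:///c:/dir/vulndb" // example URI from the commit message
	p, err := fileURIToPath(uri, "windows")
	fmt.Println(naivePath(uri), p, err)
}
```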
5 files changed
tree: c9753c1f8267f24ebb4bc9a98413d1da4d248e3a
README.md

Go Vulnerability Management

This repository contains packages for accessing and analyzing data from the Go Vulnerability Database. It contains the following:

  • Package client: a client for interacting with the Go vulnerability database
  • Package vulncheck: an API for detecting vulnerabilities in Go packages
  • Command govulncheck: a CLI for detecting vulnerabilities in Go packages

Check out https://go.dev/security/vuln for more information about the Go vulnerability management system.

Privacy Policy

The privacy policy for govulncheck can be found at https://vuln.go.dev/privacy.

License

Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Database entries available at https://vuln.go.dev are distributed under the terms of the CC-BY 4.0 license.