cmd/govulncheck/testdata/json.ct - vuln - Git at Google

 # Test of the -json flag.
 # TODO(zpavlinovic): add test for stdlib that works
 # on all underlying Go build systems.

 $ cdmodule novuln
 $ govulncheck -json .
 {
 	"Calls": {
 		"Functions": {},
 		"Entries": null
 	},
 	"Imports": {
 		"Packages": {},
 		"Entries": null
 	},
 	"Requires": {
 		"Modules": {},
 		"Entries": null
 	},
 	"Vulns": null,
 	"Modules": [
 		{
 			"Path": "golang.org/novuln",
 			"Version": "",
 			"Dir": "",
 			"Replace": null
 		},
 		{
 			"Path": "golang.org/x/text",
 			"Version": "v0.3.7",
 			"Dir": "",
 			"Replace": null
 		},
 		{
 			"Path": "stdlib",
 			"Version": "",
 			"Dir": "",
 			"Replace": null
 		}
 	]
 }

 $ cdmodule vuln
 $ govulncheck -json . --> FAIL 3
 {
 	"Calls": {
 		"Functions": {
 			"1": {
 				"ID": 1,
 				"Name": "main",
 				"RecvType": "",
 				"PkgPath": "golang.org/vuln",
 				"Pos": {
 					"Filename": ".../vuln.go",
 					"Offset": 69,
 					"Line": 9,
 					"Column": 6
 				},
 				"CallSites": null
 			},
 			"2": {
 				"ID": 2,
 				"Name": "Parse",
 				"RecvType": "",
 				"PkgPath": "golang.org/x/text/language",
 				"Pos": {
 					"Filename": ".../parse.go",
 					"Offset": 5808,
 					"Line": 228,
 					"Column": 6
 				},
 				"CallSites": [
 					{
 						"Parent": 1,
 						"Name": "Parse",
 						"RecvType": "",
 						"Pos": {
 							"Filename": ".../vuln.go",
 							"Offset": 115,
 							"Line": 11,
 							"Column": 16
 						},
 						"Resolved": true
 					}
 				]
 			}
 		},
 		"Entries": [
 			1
 		]
 	},
 	"Imports": {
 		"Packages": {
 			"1": {
 				"ID": 1,
 				"Name": "language",
 				"Path": "golang.org/x/text/language",
 				"Module": 1,
 				"ImportedBy": [
 					2
 				]
 			},
 			"2": {
 				"ID": 2,
 				"Name": "main",
 				"Path": "golang.org/vuln",
 				"Module": 2,
 				"ImportedBy": null
 			}
 		},
 		"Entries": [
 			2
 		]
 	},
 	"Requires": {
 		"Modules": {
 			"1": {
 				"ID": 1,
 				"Path": "golang.org/x/text",
 				"Version": "v0.3.0",
 				"Replace": 0,
 				"RequiredBy": [
 					2
 				]
 			},
 			"2": {
 				"ID": 2,
 				"Path": "golang.org/vuln",
 				"Version": "",
 				"Replace": 0,
 				"RequiredBy": null
 			}
 		},
 		"Entries": [
 			2
 		]
 	},
 	"Vulns": [
 		{
 			"OSV": {
 				"id": "GO-2021-0113",
 				"published": "2021-10-06T17:51:21Z",
 				"modified": "2021-10-06T17:51:21Z",
 				"aliases": [
 					"CVE-2021-38561"
 				],
 				"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse\nto panic via an out of bounds read. If Parse is used to process untrusted user inputs,\nthis may be used as a vector for a denial of service attack.\n",
 				"affected": [
 					{
 						"package": {
 							"name": "golang.org/x/text/language",
 							"ecosystem": "Go"
 						},
 						"ranges": [
 							{
 								"type": "SEMVER",
 								"events": [
 									{
 										"introduced": "0"
 									},
 									{
 										"fixed": "0.3.7"
 									}
 								]
 							}
 						],
 						"database_specific": {
 							"url": "https://pkg.go.dev/vuln/GO-2021-0113"
 						},
 						"ecosystem_specific": {
 							"symbols": [
 								"Parse",
 								"MatchStrings",
 								"MustParse",
 								"ParseAcceptLanguage"
 							]
 						}
 					}
 				],
 				"references": [
 					{
 						"type": "FIX",
 						"url": "https://go-review.googlesource.com/c/text/+/340830"
 					},
 					{
 						"type": "FIX",
 						"url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
 					}
 				]
 			},
 			"Symbol": "Parse",
 			"PkgPath": "golang.org/x/text/language",
 			"ModPath": "golang.org/x/text",
 			"CallSink": 2,
 			"ImportSink": 1,
 			"RequireSink": 1
 		}
 	],
 	"Modules": [
 		{
 			"Path": "golang.org/vuln",
 			"Version": "",
 			"Dir": "",
 			"Replace": null
 		},
 		{
 			"Path": "golang.org/x/text",
 			"Version": "v0.3.0",
 			"Dir": "",
 			"Replace": null
 		},
 		{
 			"Path": "stdlib",
 			"Version": "",
 			"Dir": "",
 			"Replace": null
 		}
 	]
 }
	# Test of the -json flag.
	# TODO(zpavlinovic): add test for stdlib that works
	# on all underlying Go build systems.

	$ cdmodule novuln
	$ govulncheck -json .
	{
	"Calls": {
	"Functions": {},
	"Entries": null
	},
	"Imports": {
	"Packages": {},
	"Entries": null
	},
	"Requires": {
	"Modules": {},
	"Entries": null
	},
	"Vulns": null,
	"Modules": [
	{
	"Path": "golang.org/novuln",
	"Version": "",
	"Dir": "",
	"Replace": null
	},
	{
	"Path": "golang.org/x/text",
	"Version": "v0.3.7",
	"Dir": "",
	"Replace": null
	},
	{
	"Path": "stdlib",
	"Version": "",
	"Dir": "",
	"Replace": null
	}
	]
	}

	$ cdmodule vuln
	$ govulncheck -json . --> FAIL 3
	{
	"Calls": {
	"Functions": {
	"1": {
	"ID": 1,
	"Name": "main",
	"RecvType": "",
	"PkgPath": "golang.org/vuln",
	"Pos": {
	"Filename": ".../vuln.go",
	"Offset": 69,
	"Line": 9,
	"Column": 6
	},
	"CallSites": null
	},
	"2": {
	"ID": 2,
	"Name": "Parse",
	"RecvType": "",
	"PkgPath": "golang.org/x/text/language",
	"Pos": {
	"Filename": ".../parse.go",
	"Offset": 5808,
	"Line": 228,
	"Column": 6
	},
	"CallSites": [
	{
	"Parent": 1,
	"Name": "Parse",
	"RecvType": "",
	"Pos": {
	"Filename": ".../vuln.go",
	"Offset": 115,
	"Line": 11,
	"Column": 16
	},
	"Resolved": true
	}
	]
	}
	},
	"Entries": [
	1
	]
	},
	"Imports": {
	"Packages": {
	"1": {
	"ID": 1,
	"Name": "language",
	"Path": "golang.org/x/text/language",
	"Module": 1,
	"ImportedBy": [
	2
	]
	},
	"2": {
	"ID": 2,
	"Name": "main",
	"Path": "golang.org/vuln",
	"Module": 2,
	"ImportedBy": null
	}
	},
	"Entries": [
	2
	]
	},
	"Requires": {
	"Modules": {
	"1": {
	"ID": 1,
	"Path": "golang.org/x/text",
	"Version": "v0.3.0",
	"Replace": 0,
	"RequiredBy": [
	2
	]
	},
	"2": {
	"ID": 2,
	"Path": "golang.org/vuln",
	"Version": "",
	"Replace": 0,
	"RequiredBy": null
	}
	},
	"Entries": [
	2
	]
	},
	"Vulns": [
	{
	"OSV": {
	"id": "GO-2021-0113",
	"published": "2021-10-06T17:51:21Z",
	"modified": "2021-10-06T17:51:21Z",
	"aliases": [
	"CVE-2021-38561"
	],
	"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse\nto panic via an out of bounds read. If Parse is used to process untrusted user inputs,\nthis may be used as a vector for a denial of service attack.\n",
	"affected": [
	{
	"package": {
	"name": "golang.org/x/text/language",
	"ecosystem": "Go"
	},
	"ranges": [
	{
	"type": "SEMVER",
	"events": [
	{
	"introduced": "0"
	},
	{
	"fixed": "0.3.7"
	}
	]
	}
	],
	"database_specific": {
	"url": "https://pkg.go.dev/vuln/GO-2021-0113"
	},
	"ecosystem_specific": {
	"symbols": [
	"Parse",
	"MatchStrings",
	"MustParse",
	"ParseAcceptLanguage"
	]
	}
	}
	],
	"references": [
	{
	"type": "FIX",
	"url": "https://go-review.googlesource.com/c/text/+/340830"
	},
	{
	"type": "FIX",
	"url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
	}
	]
	},
	"Symbol": "Parse",
	"PkgPath": "golang.org/x/text/language",
	"ModPath": "golang.org/x/text",
	"CallSink": 2,
	"ImportSink": 1,
	"RequireSink": 1
	}
	],
	"Modules": [
	{
	"Path": "golang.org/vuln",
	"Version": "",
	"Dir": "",
	"Replace": null
	},
	{
	"Path": "golang.org/x/text",
	"Version": "v0.3.0",
	"Dir": "",
	"Replace": null
	},
	{
	"Path": "stdlib",
	"Version": "",
	"Dir": "",
	"Replace": null
	}
	]
	}