cmd/govulncheck/integration: support new json output
Also fixes a bug in binary mode.
Change-Id: I20dd97bbbd83f553b649451a62814bbc89eb448a
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/447695
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Hyang-Ah Hana Kim <hyangah@gmail.com>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/cmd/govulncheck/integration/integration_run.sh b/cmd/govulncheck/integration/integration_run.sh
index 59caabb..42e836e 100755
--- a/cmd/govulncheck/integration/integration_run.sh
+++ b/cmd/govulncheck/integration/integration_run.sh
@@ -17,7 +17,7 @@
fi
}
-# Print go version for debugging purposes. Expected to be go1.18.7.
+# Print go version for debugging purposes. Expected to be go1.18.8.
go version
# Clone kubernetes to a dedicated directory.
@@ -48,7 +48,7 @@
pushd $dir
# We build scanner binary using go.18 as that will generate vulnerabilities;
-# go1.18.7 will not.
+# go1.18.8 will not.
go1.18 download
# Use scanner at specific commit and tag version for reproducibility.
git checkout 29b8761da747
diff --git a/cmd/govulncheck/integration/k8s/k8s.go b/cmd/govulncheck/integration/k8s/k8s.go
index 8b891be..c86f738 100644
--- a/cmd/govulncheck/integration/k8s/k8s.go
+++ b/cmd/govulncheck/integration/k8s/k8s.go
@@ -10,7 +10,7 @@
"os"
"github.com/google/go-cmp/cmp"
- "golang.org/x/vuln/vulncheck"
+ "golang.org/x/vuln/exp/govulncheck"
)
const usage = `test helper for examining the output of running govulncheck on k8s@v1.15.11.
@@ -29,13 +29,9 @@
log.Fatal("Failed to read:", out)
}
- var r vulncheck.Result
+ var r govulncheck.Result
if err := json.Unmarshal(outJson, &r); err != nil {
- log.Fatal("Failed to load json into vulncheck.Result:", err)
- }
-
- if len(r.Vulns) != 47 {
- log.Fatalf("want 47 vulns; got %d", len(r.Vulns))
+ log.Fatal("Failed to load json into exp/govulncheck.Result:", err)
}
type vuln struct {
@@ -44,56 +40,37 @@
}
calledVulns := make(map[vuln]bool)
for _, v := range r.Vulns {
- calledVulns[vuln{v.PkgPath, v.Symbol}] = true
+ for _, m := range v.Modules {
+ for _, p := range m.Packages {
+ for _, c := range p.CallStacks {
+ calledVulns[vuln{p.Path, c.Symbol}] = true
+ }
+ }
+ }
}
want := map[vuln]bool{
- {"github.com/containernetworking/cni/pkg/invoke", "FindInPath"}: true,
- {"github.com/evanphx/json-patch", "partialArray.add"}: true,
- {"github.com/opencontainers/selinux/go-selinux", "CurrentLabel"}: true,
- {"github.com/opencontainers/selinux/go-selinux", "FileLabel"}: true,
- {"github.com/opencontainers/selinux/go-selinux", "GetEnabled"}: true,
- {"github.com/opencontainers/selinux/go-selinux", "SetFileLabel"}: true,
- {"github.com/opencontainers/selinux/go-selinux", "getSelinuxMountPoint"}: true,
- {"github.com/opencontainers/selinux/go-selinux", "lgetxattr"}: true,
- {"github.com/opencontainers/selinux/go-selinux", "lsetxattr"}: true,
- {"github.com/opencontainers/selinux/go-selinux", "readCon"}: true,
- {"github.com/opencontainers/selinux/go-selinux", "selinuxState.getEnabled"}: true,
- {"github.com/opencontainers/selinux/go-selinux", "selinuxState.getSELinuxfs"}: true,
- {"github.com/opencontainers/selinux/go-selinux", "selinuxState.setEnable"}: true,
- {"github.com/opencontainers/selinux/go-selinux", "selinuxState.setSELinuxfs"}: true,
- {"golang.org/x/crypto/cryptobyte", "Builder.AddBytes"}: true,
- {"golang.org/x/crypto/cryptobyte", "Builder.AddUint16LengthPrefixed"}: true,
- {"golang.org/x/crypto/cryptobyte", "Builder.Bytes"}: true,
- {"golang.org/x/crypto/cryptobyte", "Builder.add"}: true,
- {"golang.org/x/crypto/cryptobyte", "Builder.addLengthPrefixed"}: true,
- {"golang.org/x/crypto/cryptobyte", "Builder.callContinuation"}: true,
- {"golang.org/x/crypto/cryptobyte", "Builder.flushChild"}: true,
- {"golang.org/x/crypto/cryptobyte", "NewBuilder"}: true,
- {"golang.org/x/crypto/cryptobyte", "String.Empty"}: true,
- {"golang.org/x/crypto/cryptobyte", "String.PeekASN1Tag"}: true,
- {"golang.org/x/crypto/cryptobyte", "String.ReadASN1"}: true,
- {"golang.org/x/crypto/cryptobyte", "String.ReadAnyASN1"}: true,
- {"golang.org/x/crypto/cryptobyte", "String.ReadBytes"}: true,
- {"golang.org/x/crypto/cryptobyte", "String.ReadOptionalASN1"}: true,
- {"golang.org/x/crypto/cryptobyte", "String.ReadUint16LengthPrefixed"}: true,
- {"golang.org/x/crypto/cryptobyte", "String.Skip"}: true,
- {"golang.org/x/crypto/cryptobyte", "String.read"}: true,
- {"golang.org/x/crypto/cryptobyte", "String.readASN1"}: true,
- {"golang.org/x/crypto/cryptobyte", "String.readLengthPrefixed"}: true,
- {"golang.org/x/crypto/cryptobyte", "String.readUnsigned"}: true,
- {"golang.org/x/crypto/salsa20/salsa", "XORKeyStream"}: true,
- {"golang.org/x/crypto/ssh", "NewClientConn"}: true,
- {"golang.org/x/crypto/ssh", "NewPublicKey"}: true,
- {"golang.org/x/crypto/ssh", "ed25519PublicKey.Verify"}: true,
- {"golang.org/x/crypto/ssh", "parseED25519"}: true,
- {"golang.org/x/net/http/httpguts", "HeaderValuesContainsToken"}: true,
- {"golang.org/x/net/http/httpguts", "headerValueContainsToken"}: true,
- {"golang.org/x/net/http2", "Server.ServeConn"}: true,
- {"golang.org/x/net/http2", "serverConn.canonicalHeader"}: true,
- {"golang.org/x/net/http2", "serverConn.goAway"}: true,
- {"golang.org/x/text/encoding/unicode", "bomOverride.Transform"}: true,
- {"golang.org/x/text/encoding/unicode", "utf16Decoder.Transform"}: true,
+ {"github.com/containernetworking/cni/pkg/invoke", "FindInPath"}: true,
+ {"github.com/evanphx/json-patch", "partialArray.add"}: true,
+ {"github.com/opencontainers/selinux/go-selinux", "FileLabel"}: true,
+ {"github.com/opencontainers/selinux/go-selinux", "GetEnabled"}: true,
+ {"github.com/opencontainers/selinux/go-selinux", "SetFileLabel"}: true,
+ {"golang.org/x/crypto/cryptobyte", "Builder.AddBytes"}: true,
+ {"golang.org/x/crypto/cryptobyte", "Builder.AddUint16LengthPrefixed"}: true,
+ {"golang.org/x/crypto/cryptobyte", "Builder.Bytes"}: true,
+ {"golang.org/x/crypto/cryptobyte", "NewBuilder"}: true,
+ {"golang.org/x/crypto/cryptobyte", "String.Empty"}: true,
+ {"golang.org/x/crypto/cryptobyte", "String.ReadASN1"}: true,
+ {"golang.org/x/crypto/cryptobyte", "String.ReadOptionalASN1"}: true,
+ {"golang.org/x/crypto/cryptobyte", "String.ReadUint16LengthPrefixed"}: true,
+ {"golang.org/x/crypto/salsa20/salsa", "XORKeyStream"}: true,
+ {"golang.org/x/crypto/ssh", "NewClientConn"}: true,
+ {"golang.org/x/crypto/ssh", "NewPublicKey"}: true,
+ {"golang.org/x/crypto/ssh", "ed25519PublicKey.Verify"}: true,
+ {"golang.org/x/crypto/ssh", "parseED25519"}: true,
+ {"golang.org/x/net/http/httpguts", "HeaderValuesContainsToken"}: true,
+ {"golang.org/x/net/http2", "Server.ServeConn"}: true,
+ {"golang.org/x/text/encoding/unicode", "bomOverride.Transform"}: true,
}
if diff := cmp.Diff(want, calledVulns); diff != "" {
diff --git a/cmd/govulncheck/integration/stackrox-scanner/scanner.go b/cmd/govulncheck/integration/stackrox-scanner/scanner.go
index e420e8c..8589d47 100644
--- a/cmd/govulncheck/integration/stackrox-scanner/scanner.go
+++ b/cmd/govulncheck/integration/stackrox-scanner/scanner.go
@@ -10,7 +10,7 @@
"os"
"github.com/google/go-cmp/cmp"
- "golang.org/x/vuln/vulncheck"
+ "golang.org/x/vuln/exp/govulncheck"
)
const usage = `test helper for examining the output of running govulncheck on
@@ -30,13 +30,9 @@
log.Fatal("Failed to read:", out)
}
- var r vulncheck.Result
+ var r govulncheck.Result
if err := json.Unmarshal(outJson, &r); err != nil {
- log.Fatal("Failed to load json into vulncheck.Result:", err)
- }
-
- if len(r.Vulns) != 36 {
- log.Fatalf("want 36 vulns; got %d", len(r.Vulns))
+ log.Fatal("Failed to load json into exp/govulncheck.Result:", err)
}
type vuln struct {
@@ -45,7 +41,13 @@
}
symbolVulns := make(map[vuln]bool)
for _, v := range r.Vulns {
- symbolVulns[vuln{v.PkgPath, v.Symbol}] = true
+ for _, m := range v.Modules {
+ for _, p := range m.Packages {
+ for _, c := range p.CallStacks {
+ symbolVulns[vuln{p.Path, c.Symbol}] = true
+ }
+ }
+ }
}
want := map[vuln]bool{
diff --git a/cmd/govulncheck/testdata/json-binary.ct b/cmd/govulncheck/testdata/json-binary.ct
index 1c9b0af..bad5a6c 100644
--- a/cmd/govulncheck/testdata/json-binary.ct
+++ b/cmd/govulncheck/testdata/json-binary.ct
@@ -75,7 +75,13 @@
"Packages": [
{
"Path": "golang.org/x/text/language",
- "CallStacks": null
+ "CallStacks": [
+ {
+ "Symbol": "Parse",
+ "Summary": "",
+ "Frames": null
+ }
+ ]
}
]
}
diff --git a/internal/govulncheck/run.go b/internal/govulncheck/run.go
index 2bc98c5..dc5c962 100644
--- a/internal/govulncheck/run.go
+++ b/internal/govulncheck/run.go
@@ -114,6 +114,8 @@
r := &Result{}
for _, vv := range vr.Vulns {
p := &Package{Path: vv.PkgPath}
+ // in binary mode, call stacks contain just the symbol data
+ p.CallStacks = []CallStack{{Symbol: vv.Symbol}}
m := &Module{
Path: vv.ModPath,
FoundVersion: foundVersion(vv.ModPath, modVersions),