Google Git
Sign in
go / vuln / 5a637d0b4292a360fc2d641aa87422fe8213208b^! / .
commit5a637d0b4292a360fc2d641aa87422fe8213208b[log] [tgz]
authorZvonimir Pavlinovic <zpavlinovic@google.com>Wed Feb 01 13:54:17 2023 -0800
committerZvonimir Pavlinovic <zpavlinovic@google.com>Wed Feb 01 22:23:15 2023 +0000
tree3a8f6e9daeda13ac399b952c4ce3bfd0ae02c5a7
parentdd534eeddf33556da7d61c8651a641b5e87be9d3 [diff]
cmd/govulncheck/integration: change expectations for selinux and crypto

Due to https://go-review.git.corp.google.com/c/vulndb/+/463682. Before
this change, selinux had all symbols as vulnerable. That resulted in
three symbols used and hence reported by govulncheck. Now, readCon and
writeCon are designated as vulnerable, the former of which is detected.

Also, https://go-review.git.corp.google.com/c/vulndb/+/463678 changes
vulnerable symbols for crypto/elliptic.

Change-Id: I0e9a4f2f95c6736081843a724650a63755a7170c
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/464023
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

diff --git a/cmd/govulncheck/integration/k8s/k8s.go b/cmd/govulncheck/integration/k8s/k8s.go
index fef3278..7f21b9d 100644
--- a/cmd/govulncheck/integration/k8s/k8s.go
+++ b/cmd/govulncheck/integration/k8s/k8s.go

@@ -52,9 +52,7 @@
 	want := map[vuln]bool{
 		{"github.com/containernetworking/cni/pkg/invoke", "FindInPath"}:                                    true,
 		{"github.com/evanphx/json-patch", "Patch.Apply"}:                                                   true,
-		{"github.com/opencontainers/selinux/go-selinux", "FileLabel"}:                                      true,
-		{"github.com/opencontainers/selinux/go-selinux", "GetEnabled"}:                                     true,
-		{"github.com/opencontainers/selinux/go-selinux", "SetFileLabel"}:                                   true,
+		{"github.com/opencontainers/selinux/go-selinux", "readCon"}:                                        true,
 		{"github.com/prometheus/client_golang/prometheus/promhttp", "Handler"}:                             true,
 		{"github.com/prometheus/client_golang/prometheus/promhttp", "HandlerFor"}:                          true,
 		{"github.com/prometheus/client_golang/prometheus/promhttp", "flusherDelegator.Flush"}:              true,

diff --git a/cmd/govulncheck/integration/stackrox-scanner/scanner.go b/cmd/govulncheck/integration/stackrox-scanner/scanner.go
index 9fbee98..7246ce7 100644
--- a/cmd/govulncheck/integration/stackrox-scanner/scanner.go
+++ b/cmd/govulncheck/integration/stackrox-scanner/scanner.go

@@ -69,6 +69,12 @@
 		{pkg: "archive/tar", symbol: "Reader.next"}:                                 true,
 		{pkg: "archive/tar", symbol: "parsePAX"}:                                    true,
 		{pkg: "compress/gzip", symbol: "Reader.Read"}:                               true,
+		{pkg: "crypto/elliptic", symbol: "CurveParams.ScalarBaseMult"}:              true,
+		{pkg: "crypto/elliptic", symbol: "CurveParams.ScalarMult"}:                  true,
+		{pkg: "crypto/elliptic", symbol: "p256Curve.CombinedMult"}:                  true,
+		{pkg: "crypto/elliptic", symbol: "p256Curve.ScalarBaseMult"}:                true,
+		{pkg: "crypto/elliptic", symbol: "p256Curve.ScalarMult"}:                    true,
+		{pkg: "crypto/elliptic", symbol: "p256GetScalar"}:                           true,
 		{pkg: "crypto/tls", symbol: "serverHandshakeStateTLS13.sendSessionTickets"}: true,
 		{pkg: "encoding/pem", symbol: "Decode"}:                                     true,
 		{pkg: "encoding/xml", symbol: "Decoder.DecodeElement"}:                      true,