cmd/govulncheck: refactor unit tests
Removes most of the command tests and leaves just a few: (verbose)
source analysis, binary analysis, errors, and usage. The removed tests
are replaced with regular unit tests that directly check printing logic.
This makes tests easier to maintain.
Change-Id: I8be813509ed6ee955425ec3f5b24b721098a57c1
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/462795
Reviewed-by: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
diff --git a/cmd/govulncheck/main_command_118_test.go b/cmd/govulncheck/main_command_118_test.go
index 9a0516c..122e17d 100644
--- a/cmd/govulncheck/main_command_118_test.go
+++ b/cmd/govulncheck/main_command_118_test.go
@@ -60,11 +60,9 @@
if err != nil {
return nil, fmt.Errorf("failed to create GOVULNDB env var: %v", err)
}
- // We set TEST_GOVERSION to always get the same results regardless of the underlying Go build system.
- cmd.Env = append(os.Environ(), "GOVULNDB="+govulndbURI.String(), "TEST_GOVERSION=go1.18")
+ cmd.Env = append(os.Environ(), "GOVULNDB="+govulndbURI.String())
out, err := cmd.CombinedOutput()
out = filterGoFilePaths(out)
- out = filterStdlibVersions(out)
out = filterHeapGo(out)
return out, err
}
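Review bot: Stdlib findings in the remaining command tests are no longer pinned or filtered, because the new `cmd.Env` line drops `TEST_GOVERSION=go1.18` and the `filterStdlibVersions` call is gone. If any surviving .ct file can still report a standard-library vulnerability (not visible in this hunk), its golden output will vary with the Go toolchain that runs the test. A comment at the assignment would record the constraint, for example `// Golden files must not contain stdlib findings: they depend on the Go toolchain in use.`. The enclosing function starts outside the hunk.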
@@ -75,17 +73,10 @@
t.Fatal(err)
}
- // skipBuild contains names of module directories
- // that should not be Go built. For instance, they
- // might contain expected build errors.
- skipBuild := map[string]bool{
- "nogomod": true,
- "nogosum": true,
- }
-
os.Setenv("moddir", filepath.Join(testDir, "testdata", "modules"))
for _, md := range moduleDirs {
- if skipBuild[filepath.Base(md)] {
+ // Skip nogomod module. It has intended build issues.
+ if filepath.Base(md) == "nogomod" {
continue
}
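Review bot: The new check `filepath.Base(md) == "nogomod"` skips only one of the two directories that the removed `skipBuild` map exempted; `nogosum` is no longer skipped. No deletion of testdata/modules/nogosum appears in the visible part of this diff, so if that directory still exists the loop will now try to build it, and the removed comment suggests such modules can carry expected build errors. Either keep the exemption, `if b := filepath.Base(md); b == "nogomod" || b == "nogosum" {`, or confirm the directory is gone. The loop body continues outside the hunk.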
@@ -104,9 +95,8 @@
}
var (
- goFileRegexp = regexp.MustCompile(`[^\s"]*\.go[\s":]`)
- stdlibVersionRegexp = regexp.MustCompile(`("Path": "stdlib",\s*"Version": ")v[^\s]+"`)
- heapGoRegexp = regexp.MustCompile(`heap\.go:(\d+)`)
+ goFileRegexp = regexp.MustCompile(`[^\s"]*\.go[\s":]`)
+ heapGoRegexp = regexp.MustCompile(`heap\.go:(\d+)`)
)
// filterGoFilePaths modifies paths to Go files by replacing their directory with "...".
@@ -120,14 +110,6 @@
})
}
-// filterStdlibVersions removes Go standard library versions from JSON output,
-// since they depend on the system running the test. Some have different
-// versions than others, and on some we are unable to extract a version from
-// the binary so the version is empty.
-func filterStdlibVersions(data []byte) []byte {
- return stdlibVersionRegexp.ReplaceAll(data, []byte(`${1}"`))
-}
-
// There was a one-line change in container/heap/heap.go between 1.18
// and 1.19 that makes the stack traces different. Ignore it.
func filterHeapGo(data []byte) []byte {
diff --git a/cmd/govulncheck/print_test.go b/cmd/govulncheck/print_test.go
index 3b22420..a44bcfc 100644
--- a/cmd/govulncheck/print_test.go
+++ b/cmd/govulncheck/print_test.go
@@ -5,9 +5,14 @@
package main
import (
+ "bytes"
+ "io"
+ "os"
"testing"
"github.com/google/go-cmp/cmp"
+ "golang.org/x/vuln/exp/govulncheck"
+ "golang.org/x/vuln/internal"
"golang.org/x/vuln/osv"
)
@@ -120,3 +125,278 @@
})
}
}
+
+// testVuln1 is a test third-party vulnerability.
+var testVuln1 = &osv.Entry{
+ ID: "GO-0000-0001",
+ Details: "Third-party vulnerability",
+ Affected: []osv.Affected{{
+ Package: osv.Package{Name: "golang.org/vmod"},
+ EcosystemSpecific: osv.EcosystemSpecific{
+ Imports: []osv.EcosystemSpecificImport{{
+ GOOS: []string{"amd"},
+ }},
+ },
+ }}}
+
+// testVuln1 is a test stdlib vulnerability
+var testVuln2 = &osv.Entry{
+ ID: "GO-0000-0002",
+ Details: "Stdlib vulnerability",
+ Affected: []osv.Affected{{
+ Package: osv.Package{Name: internal.GoStdModulePath},
+ }}}
+
+// testPrintText calls printText, redirects
+// its output, and returns it as a string.
+func testPrintText(r *govulncheck.Result, verbose, source bool) string {
+ old := os.Stdout
+ read, write, _ := os.Pipe()
+ os.Stdout = write
+
+ printText(r, verbose, source)
+
+ write.Close()
+ os.Stdout = old
+
+ var buf bytes.Buffer
+ io.Copy(&buf, read)
+ return buf.String()
+}
+
+// testPrintJSON calls printJSON, redirects
+// its output, and returns it as a string.
+func testPrintJSON(r *govulncheck.Result) string {
+ old := os.Stdout
+ read, write, _ := os.Pipe()
+ os.Stdout = write
+
+ printJSON(r)
+
+ write.Close()
+ os.Stdout = old
+
+ var buf bytes.Buffer
+ io.Copy(&buf, read)
+ return buf.String()
+}
+
+func TestPrintTextNoVulns(t *testing.T) {
+ r := &govulncheck.Result{Vulns: []*govulncheck.Vuln{
+ {
+ OSV: testVuln1,
+ Modules: []*govulncheck.Module{
+ {
+ Path: "golang.org/vmod",
+ FoundVersion: "v0.0.1",
+ FixedVersion: "v0.1.3",
+ },
+ },
+ },
+ }}
+
+ got := testPrintText(r, false, true)
+ want := `No vulnerabilities found.
+
+=== Informational ===
+
+Found 1 vulnerability in packages that you import, but there are no call
+stacks leading to the use of this vulnerability. You may not need to
+take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
+for details.
+
+Vulnerability #1: GO-0000-0001
+ Third-party vulnerability
+ More info: https://pkg.go.dev/vuln/GO-0000-0001
+ Found in: golang.org/vmod@v0.0.1
+ Fixed in: golang.org/vmod@v0.1.3
+ Platforms: amd
+`
+ if diff := cmp.Diff(want, got); diff != "" {
+ t.Fatalf("mismatch (-want, +got):\n%s", diff)
+ }
+}
+
+func TestPrintTextSource(t *testing.T) {
+ r := &govulncheck.Result{Vulns: []*govulncheck.Vuln{
+ {
+ OSV: testVuln1,
+ Modules: []*govulncheck.Module{
+ {
+ Path: "golang.org/vmod",
+ FoundVersion: "v0.0.1",
+ FixedVersion: "v0.1.3",
+ Packages: []*govulncheck.Package{
+ {
+ CallStacks: []govulncheck.CallStack{{Summary: "main calls vmod.Vuln"}},
+ },
+ },
+ },
+ },
+ },
+ {
+ OSV: testVuln2,
+ Modules: []*govulncheck.Module{
+ {
+ Path: internal.GoStdModulePath,
+ FoundVersion: "v0.0.1",
+ Packages: []*govulncheck.Package{
+ {
+ Path: "net/http",
+ },
+ },
+ },
+ },
+ }}}
+
+ got := testPrintText(r, false, true)
+ want := `Your code is affected by 1 vulnerability from 1 module.
+
+Vulnerability #1: GO-0000-0001
+ Third-party vulnerability
+
+ More info: https://pkg.go.dev/vuln/GO-0000-0001
+
+ Module: golang.org/vmod
+ Found in: golang.org/vmod@v0.0.1
+ Fixed in: golang.org/vmod@v0.1.3
+ Platforms: amd
+
+ Call stacks in your code:
+ main calls vmod.Vuln
+
+=== Informational ===
+
+Found 1 vulnerability in packages that you import, but there are no call
+stacks leading to the use of this vulnerability. You may not need to
+take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
+for details.
+
+Vulnerability #1: GO-0000-0002
+ Stdlib vulnerability
+ More info: https://pkg.go.dev/vuln/GO-0000-0002
+ Found in: net/http@v0.0.1
+ Fixed in: N/A
+`
+ if diff := cmp.Diff(want, got); diff != "" {
+ t.Fatalf("mismatch (-want, +got):\n%s", diff)
+ }
+}
+
+func TestPrintTextBinary(t *testing.T) {
+ r := &govulncheck.Result{Vulns: []*govulncheck.Vuln{
+ {
+ OSV: testVuln1,
+ Modules: []*govulncheck.Module{
+ {
+ Path: "golang.org/vmod",
+ FoundVersion: "v0.0.1",
+ FixedVersion: "v0.1.3",
+ // We can omit package info since in binary mode
+ // there are no call stacks and we don't show symbols.
+ },
+ },
+ },
+ {
+ OSV: testVuln2,
+ Modules: []*govulncheck.Module{
+ {
+ Path: internal.GoStdModulePath,
+ FoundVersion: "v0.0.1",
+ Packages: []*govulncheck.Package{
+ {
+ Path: "net/http",
+ },
+ },
+ },
+ },
+ }}}
+
+ got := testPrintText(r, false, false)
+ want := `Your code is affected by 2 vulnerabilities from 1 module and the Go standard library.
+
+Vulnerability #1: GO-0000-0001
+ Third-party vulnerability
+
+ More info: https://pkg.go.dev/vuln/GO-0000-0001
+
+ Module: golang.org/vmod
+ Found in: golang.org/vmod@v0.0.1
+ Fixed in: golang.org/vmod@v0.1.3
+ Platforms: amd
+
+Vulnerability #2: GO-0000-0002
+ Stdlib vulnerability
+
+ More info: https://pkg.go.dev/vuln/GO-0000-0002
+
+ Standard library
+ Found in: net/http@v0.0.1
+ Fixed in: N/A
+`
+ if diff := cmp.Diff(want, got); diff != "" {
+ t.Fatalf("mismatch (-want, +got):\n%s", diff)
+ }
+}
+
+func TestPrintTextMultiModuleAndStacks(t *testing.T) {
+ r := &govulncheck.Result{Vulns: []*govulncheck.Vuln{
+ {
+ OSV: testVuln1,
+ Modules: []*govulncheck.Module{
+ {
+ Path: "golang.org/vmod",
+ FoundVersion: "v0.0.1",
+ FixedVersion: "v0.1.3",
+ Packages: []*govulncheck.Package{
+ {
+ CallStacks: []govulncheck.CallStack{{Summary: "main calls vmod.Vuln"}, {Summary: "main calls vmod.VulnFoo"}},
+ },
+ },
+ },
+ {
+ Path: "golang.org/vmod1",
+ FoundVersion: "v0.0.3",
+ FixedVersion: "v0.0.4",
+ Packages: []*govulncheck.Package{
+ {
+ CallStacks: []govulncheck.CallStack{{Summary: "Foo calls vmod1.Vuln"}},
+ },
+ {
+ CallStacks: []govulncheck.CallStack{{Summary: "Bar calls vmod1.VulnFoo"}},
+ },
+ },
+ },
+ },
+ }}}
+
+ got := testPrintText(r, false, true)
+ want := `Your code is affected by 1 vulnerability from 2 modules.
+
+Vulnerability #1: GO-0000-0001
+ Third-party vulnerability
+
+ More info: https://pkg.go.dev/vuln/GO-0000-0001
+
+ Module: golang.org/vmod
+ Found in: golang.org/vmod@v0.0.1
+ Fixed in: golang.org/vmod@v0.1.3
+ Platforms: amd
+
+ Call stacks in your code:
+ main calls vmod.Vuln
+ main calls vmod.VulnFoo
+
+ Module: golang.org/vmod1
+ Found in: golang.org/vmod1@v0.0.3
+ Fixed in: golang.org/vmod1@v0.0.4
+
+ Call stacks in your code:
+ Foo calls vmod1.Vuln
+
+ Bar calls vmod1.VulnFoo
+`
+ if diff := cmp.Diff(want, got); diff != "" {
+ t.Fatalf("mismatch (-want, +got):\n%s", diff)
+ }
+}
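Review bot: testPrintText and testPrintJSON only start reading the pipe after the print call has returned, so output larger than the OS pipe buffer would block the test indefinitely; they also discard the os.Pipe error, never close the read end, and leave os.Stdout pointing at the pipe if the print function panics. The two helpers are identical apart from the call they make, so a single capture helper that drains the pipe in a goroutine and restores os.Stdout with defer fixes all of this in one place, as sketched below. testPrintJSON has no caller within this hunk while json.ct and json-binary.ct are deleted in the same commit, so the -json output, the form most likely to be parsed by other tooling, appears to lose its coverage unless a test exists elsewhere. The doc comment above testVuln2 should read `// testVuln2 is a test stdlib vulnerability.`.

```go
// … unchanged: testVuln1 and testVuln2 …

// captureStdout runs f with os.Stdout redirected to a pipe and
// returns everything f wrote to it.
func captureStdout(f func()) string {
	read, write, err := os.Pipe()
	if err != nil {
		panic(err)
	}
	old := os.Stdout
	os.Stdout = write
	defer func() { os.Stdout = old }()

	// Drain concurrently so f cannot block on a full pipe buffer.
	done := make(chan string)
	go func() {
		var buf bytes.Buffer
		io.Copy(&buf, read)
		read.Close()
		done <- buf.String()
	}()

	f()
	write.Close()
	return <-done
}

func testPrintText(r *govulncheck.Result, verbose, source bool) string {
	return captureStdout(func() { printText(r, verbose, source) })
}

func testPrintJSON(r *govulncheck.Result) string {
	return captureStdout(func() { printJSON(r) })
}

// … unchanged: TestPrintTextNoVulns, TestPrintTextSource, TestPrintTextBinary, TestPrintTextMultiModuleAndStacks …
```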
diff --git a/cmd/govulncheck/testdata/default-binary.ct b/cmd/govulncheck/testdata/binary.ct
similarity index 70%
rename from cmd/govulncheck/testdata/default-binary.ct
rename to cmd/govulncheck/testdata/binary.ct
index 288bd89..27a593f 100644
--- a/cmd/govulncheck/testdata/default-binary.ct
+++ b/cmd/govulncheck/testdata/binary.ct
@@ -1,12 +1,3 @@
-# Test of default mode with a binary.
-
-# No vulnerabilities, no output.
-$ govulncheck ${novuln_binary}
-govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
-
-Scanning for dependencies with known vulnerabilities...
-No vulnerabilities found.
-
$ govulncheck ${vuln_binary} --> FAIL 3
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
diff --git a/cmd/govulncheck/testdata/default.ct b/cmd/govulncheck/testdata/default.ct
deleted file mode 100644
index 7794904..0000000
--- a/cmd/govulncheck/testdata/default.ct
+++ /dev/null
@@ -1,52 +0,0 @@
-# Test of default mode.
-
-# No vulnerabilities, no output.
-$ govulncheck -dir ${moddir}/novuln .
-govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
-
-Scanning for dependencies with known vulnerabilities...
-No vulnerabilities found.
-
-$ govulncheck -tags=twocallstacks -dir ${moddir}/vuln . --> FAIL 3
-govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
-
-Scanning for dependencies with known vulnerabilities...
-Your code is affected by 1 vulnerability from 1 module.
-
-Vulnerability #1: GO-2021-0113
- Due to improper index calculation, an incorrectly formatted
- language tag can cause Parse to panic via an out of bounds read.
- If Parse is used to process untrusted user inputs, this may be
- used as a vector for a denial of service attack.
-
- More info: https://pkg.go.dev/vuln/GO-2021-0113
-
- Module: golang.org/x/text
- Found in: golang.org/x/text@v0.3.0
- Fixed in: golang.org/x/text@v0.3.7
-
- Call stacks in your code:
- .../vuln.go:12:16: golang.org/vuln.main calls golang.org/x/text/language.Parse
- .../vuln_extra.go:8:30: golang.org/vuln.init#1 calls golang.org/x/text/language.ParseAcceptLanguage
-
-=== Informational ===
-
-Found 2 vulnerabilities in packages that you import, but there are no call
-stacks leading to the use of these vulnerabilities. You may not need to
-take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
-for details.
-
-Vulnerability #1: GO-2022-0592
- A maliciously crafted path can cause Get and other query
- functions to consume excessive amounts of CPU and time.
- More info: https://pkg.go.dev/vuln/GO-2022-0592
- Found in: github.com/tidwall/gjson@v1.9.2
- Fixed in: github.com/tidwall/gjson@v1.9.3
-
-Vulnerability #2: GO-2021-0265
- GJSON allowed a ReDoS (regular expression denial of service)
- attack.
- More info: https://pkg.go.dev/vuln/GO-2021-0265
- Found in: github.com/tidwall/gjson@v1.9.2
- Fixed in: github.com/tidwall/gjson@v1.9.3
- Platforms: linux/amd64, windows/amd64
diff --git a/cmd/govulncheck/testdata/import-no-call.ct b/cmd/govulncheck/testdata/import-no-call.ct
deleted file mode 100644
index a97ee58..0000000
--- a/cmd/govulncheck/testdata/import-no-call.ct
+++ /dev/null
@@ -1,24 +0,0 @@
-# Test of default mode.
-
-# All vulnerabilities imported, but never called.
-$ govulncheck -dir ${moddir}/vuln3 .
-govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
-
-Scanning for dependencies with known vulnerabilities...
-No vulnerabilities found.
-
-=== Informational ===
-
-Found 1 vulnerability in packages that you import, but there are no call
-stacks leading to the use of this vulnerability. You may not need to
-take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
-for details.
-
-Vulnerability #1: GO-2021-0113
- Due to improper index calculation, an incorrectly formatted
- language tag can cause Parse to panic via an out of bounds read.
- If Parse is used to process untrusted user inputs, this may be
- used as a vector for a denial of service attack.
- More info: https://pkg.go.dev/vuln/GO-2021-0113
- Found in: golang.org/x/text@v0.3.0
- Fixed in: golang.org/x/text@v0.3.7
diff --git a/cmd/govulncheck/testdata/json-binary.ct b/cmd/govulncheck/testdata/json-binary.ct
deleted file mode 100644
index bad5a6c..0000000
--- a/cmd/govulncheck/testdata/json-binary.ct
+++ /dev/null
@@ -1,92 +0,0 @@
-$ govulncheck -json ${novuln_binary}
-{
- "Vulns": null
-}
-
-$ govulncheck -json ${vuln_binary}
-{
- "Vulns": [
- {
- "OSV": {
- "id": "GO-2021-0113",
- "published": "2021-10-06T17:51:21Z",
- "modified": "2021-10-06T17:51:21Z",
- "aliases": [
- "CVE-2021-38561"
- ],
- "details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse\nto panic via an out of bounds read. If Parse is used to process untrusted user inputs,\nthis may be used as a vector for a denial of service attack.\n",
- "affected": [
- {
- "package": {
- "name": "golang.org/x/text",
- "ecosystem": "Go"
- },
- "ranges": [
- {
- "type": "SEMVER",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "0.3.7"
- }
- ]
- }
- ],
- "database_specific": {
- "url": "https://pkg.go.dev/vuln/GO-2021-0113"
- },
- "ecosystem_specific": {
- "imports": [
- {
- "path": "golang.org/x/text/language",
- "symbols": [
- "MatchStrings",
- "MustParse",
- "Parse",
- "ParseAcceptLanguage"
- ]
- }
- ]
- }
- }
- ],
- "references": [
- {
- "type": "FIX",
- "url": "https://go.dev/cl/340830"
- },
- {
- "type": "FIX",
- "url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
- },
- {
- "type": "WEB",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38561"
- }
- ]
- },
- "Modules": [
- {
- "Path": "golang.org/x/text",
- "FoundVersion": "v0.3.0",
- "FixedVersion": "v0.3.7",
- "Packages": [
- {
- "Path": "golang.org/x/text/language",
- "CallStacks": [
- {
- "Symbol": "Parse",
- "Summary": "",
- "Frames": null
- }
- ]
- }
- ]
- }
- ]
- }
- ]
-}
-
diff --git a/cmd/govulncheck/testdata/json.ct b/cmd/govulncheck/testdata/json.ct
deleted file mode 100644
index c58bf67..0000000
--- a/cmd/govulncheck/testdata/json.ct
+++ /dev/null
@@ -1,302 +0,0 @@
-# Test of the -json flag.
-# TODO(zpavlinovic): add test for stdlib that works
-# on all underlying Go build systems.
-
-$ govulncheck -dir ${moddir}/novuln -json .
-{
- "Vulns": null
-}
-
-$ govulncheck -dir ${moddir}/vuln -json .
-{
- "Vulns": [
- {
- "OSV": {
- "id": "GO-2022-0592",
- "published": "2022-08-15T18:06:07Z",
- "modified": "2022-08-19T22:21:47Z",
- "aliases": [
- "CVE-2021-42248",
- "GHSA-c9gm-7rfj-8w5h"
- ],
- "details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.",
- "affected": [
- {
- "package": {
- "name": "github.com/tidwall/gjson",
- "ecosystem": "Go"
- },
- "ranges": [
- {
- "type": "SEMVER",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "1.9.3"
- }
- ]
- }
- ],
- "database_specific": {
- "url": "https://pkg.go.dev/vuln/GO-2022-0592"
- },
- "ecosystem_specific": {
- "imports": [
- {
- "path": "github.com/tidwall/gjson",
- "symbols": [
- "Get",
- "GetBytes",
- "GetMany",
- "GetManyBytes",
- "Result.Get",
- "queryMatches"
- ]
- }
- ]
- }
- }
- ],
- "references": [
- {
- "type": "FIX",
- "url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
- },
- {
- "type": "WEB",
- "url": "https://github.com/tidwall/gjson/issues/237"
- },
- {
- "type": "WEB",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42248"
- },
- {
- "type": "WEB",
- "url": "https://github.com/advisories/GHSA-c9gm-7rfj-8w5h"
- }
- ]
- },
- "Modules": [
- {
- "Path": "github.com/tidwall/gjson",
- "FoundVersion": "v1.9.2",
- "FixedVersion": "v1.9.3",
- "Packages": [
- {
- "Path": "github.com/tidwall/gjson",
- "CallStacks": null
- }
- ]
- }
- ]
- },
- {
- "OSV": {
- "id": "GO-2021-0265",
- "published": "2022-01-14T17:30:24Z",
- "modified": "2022-08-19T22:21:47Z",
- "aliases": [
- "CVE-2020-36066",
- "CVE-2021-42836",
- "GHSA-ppj4-34rq-v8j9",
- "GHSA-wjm3-fq3r-5x46"
- ],
- "details": "GJSON allowed a ReDoS (regular expression denial of service) attack.",
- "affected": [
- {
- "package": {
- "name": "github.com/tidwall/gjson",
- "ecosystem": "Go"
- },
- "ranges": [
- {
- "type": "SEMVER",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "1.9.3"
- }
- ]
- }
- ],
- "database_specific": {
- "url": "https://pkg.go.dev/vuln/GO-2021-0265"
- },
- "ecosystem_specific": {
- "imports": [
- {
- "path": "github.com/tidwall/gjson",
- "goos": [
- "linux",
- "windows"
- ],
- "goarch": [
- "amd64"
- ],
- "symbols": [
- "match.Match"
- ]
- }
- ]
- }
- }
- ],
- "references": [
- {
- "type": "FIX",
- "url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
- },
- {
- "type": "WEB",
- "url": "https://github.com/tidwall/gjson/compare/v1.9.2...v1.9.3"
- },
- {
- "type": "WEB",
- "url": "https://github.com/tidwall/gjson/issues/236"
- },
- {
- "type": "WEB",
- "url": "https://github.com/tidwall/gjson/issues/237"
- },
- {
- "type": "WEB",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36066"
- },
- {
- "type": "WEB",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42836"
- },
- {
- "type": "WEB",
- "url": "https://github.com/advisories/GHSA-ppj4-34rq-v8j9"
- },
- {
- "type": "WEB",
- "url": "https://github.com/advisories/GHSA-wjm3-fq3r-5x46"
- }
- ]
- },
- "Modules": [
- {
- "Path": "github.com/tidwall/gjson",
- "FoundVersion": "v1.9.2",
- "FixedVersion": "v1.9.3",
- "Packages": [
- {
- "Path": "github.com/tidwall/gjson",
- "CallStacks": null
- }
- ]
- }
- ]
- },
- {
- "OSV": {
- "id": "GO-2021-0113",
- "published": "2021-10-06T17:51:21Z",
- "modified": "2021-10-06T17:51:21Z",
- "aliases": [
- "CVE-2021-38561"
- ],
- "details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse\nto panic via an out of bounds read. If Parse is used to process untrusted user inputs,\nthis may be used as a vector for a denial of service attack.\n",
- "affected": [
- {
- "package": {
- "name": "golang.org/x/text",
- "ecosystem": "Go"
- },
- "ranges": [
- {
- "type": "SEMVER",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "0.3.7"
- }
- ]
- }
- ],
- "database_specific": {
- "url": "https://pkg.go.dev/vuln/GO-2021-0113"
- },
- "ecosystem_specific": {
- "imports": [
- {
- "path": "golang.org/x/text/language",
- "symbols": [
- "MatchStrings",
- "MustParse",
- "Parse",
- "ParseAcceptLanguage"
- ]
- }
- ]
- }
- }
- ],
- "references": [
- {
- "type": "FIX",
- "url": "https://go.dev/cl/340830"
- },
- {
- "type": "FIX",
- "url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
- },
- {
- "type": "WEB",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38561"
- }
- ]
- },
- "Modules": [
- {
- "Path": "golang.org/x/text",
- "FoundVersion": "v0.3.0",
- "FixedVersion": "v0.3.7",
- "Packages": [
- {
- "Path": "golang.org/x/text/language",
- "CallStacks": [
- {
- "Symbol": "Parse",
- "Summary": ".../vuln.go:12:16: golang.org/vuln.main calls golang.org/x/text/language.Parse",
- "Frames": [
- {
- "PkgPath": "golang.org/vuln",
- "FuncName": "main",
- "RecvType": "",
- "Position": {
- "Filename": ".../vuln.go",
- "Offset": 143,
- "Line": 12,
- "Column": 16
- }
- },
- {
- "PkgPath": "golang.org/x/text/language",
- "FuncName": "Parse",
- "RecvType": "",
- "Position": {
- "Filename": "",
- "Offset": 0,
- "Line": 0,
- "Column": 0
- }
- }
- ]
- }
- ]
- }
- ]
- }
- ]
- }
- ]
-}
diff --git a/cmd/govulncheck/testdata/manystacks-verbose.ct b/cmd/govulncheck/testdata/manystacks-verbose.ct
deleted file mode 100644
index 1ac829e..0000000
--- a/cmd/govulncheck/testdata/manystacks-verbose.ct
+++ /dev/null
@@ -1,49 +0,0 @@
-$ govulncheck -dir ${moddir}/manystacks -v . --> FAIL 3
-govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
-
-Scanning for dependencies with known vulnerabilities...
-Your code is affected by 1 vulnerability from 1 module.
-
-Vulnerability #1: GO-2020-0040
- Due to unchecked type assertions, maliciously crafted messages
- can cause panics, which may be used as a denial of service
- vector.
-
- More info: https://pkg.go.dev/vuln/GO-2020-0040
-
- Module: github.com/shiyanhui/dht
- Found in: github.com/shiyanhui/dht@v0.0.0-20201219151056-5a20f3199263
- Fixed in: N/A
-
- Call stacks in your code:
- #1: for function DHT.GetPeers
- example.com/manystacks.main
- .../main.go:27:2
- example.com/manystacks.main$2
- .../main.go:30:28
- example.com/manystacks/otherpkg.GetPeers
- .../otherpkg.go:6:19
- github.com/shiyanhui/dht.DHT.GetPeers
- #2: for function DHT.Run
- example.com/manystacks.main
- .../main.go:44:7
- github.com/shiyanhui/dht.DHT.Run
- #3: for function New
- example.com/manystacks.main
- .../main.go:16:14
- github.com/shiyanhui/dht.New
-
-=== Informational ===
-
-Found 1 vulnerability in packages that you import, but there are no call
-stacks leading to the use of this vulnerability. You may not need to
-take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
-for details.
-
-Vulnerability #1: GO-2022-0969
- HTTP/2 server connections can hang forever waiting for a clean
- shutdown that was preempted by a fatal error. This condition can
- be exploited by a malicious client to cause a denial of service.
- More info: https://pkg.go.dev/vuln/GO-2022-0969
- Found in: net/http@go1.18
- Fixed in: net/http@go1.19.1
diff --git a/cmd/govulncheck/testdata/manystacks.ct b/cmd/govulncheck/testdata/manystacks.ct
deleted file mode 100644
index 6f2119a..0000000
--- a/cmd/govulncheck/testdata/manystacks.ct
+++ /dev/null
@@ -1,36 +0,0 @@
-$ govulncheck -dir ${moddir}/manystacks . --> FAIL 3
-govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
-
-Scanning for dependencies with known vulnerabilities...
-Your code is affected by 1 vulnerability from 1 module.
-
-Vulnerability #1: GO-2020-0040
- Due to unchecked type assertions, maliciously crafted messages
- can cause panics, which may be used as a denial of service
- vector.
-
- More info: https://pkg.go.dev/vuln/GO-2020-0040
-
- Module: github.com/shiyanhui/dht
- Found in: github.com/shiyanhui/dht@v0.0.0-20201219151056-5a20f3199263
- Fixed in: N/A
-
- Call stacks in your code:
- .../main.go:16:14: example.com/manystacks.main calls github.com/shiyanhui/dht.New
- .../main.go:27:2: example.com/manystacks.main calls example.com/manystacks/otherpkg.GetPeers, which eventually calls github.com/shiyanhui/dht.DHT.GetPeers
- .../main.go:44:7: example.com/manystacks.main calls github.com/shiyanhui/dht.DHT.Run
-
-=== Informational ===
-
-Found 1 vulnerability in packages that you import, but there are no call
-stacks leading to the use of this vulnerability. You may not need to
-take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
-for details.
-
-Vulnerability #1: GO-2022-0969
- HTTP/2 server connections can hang forever waiting for a clean
- shutdown that was preempted by a fatal error. This condition can
- be exploited by a malicious client to cause a denial of service.
- More info: https://pkg.go.dev/vuln/GO-2022-0969
- Found in: net/http@go1.18
- Fixed in: net/http@go1.19.1
diff --git a/cmd/govulncheck/testdata/modules/manystacks/go.mod b/cmd/govulncheck/testdata/modules/manystacks/go.mod
deleted file mode 100644
index 1e62de5..0000000
--- a/cmd/govulncheck/testdata/modules/manystacks/go.mod
+++ /dev/null
@@ -1,5 +0,0 @@
-module example.com/manystacks
-
-go 1.18
-
-require github.com/shiyanhui/dht v0.0.0-20201219151056-5a20f3199263
diff --git a/cmd/govulncheck/testdata/modules/manystacks/go.sum b/cmd/govulncheck/testdata/modules/manystacks/go.sum
deleted file mode 100644
index 8895f3b..0000000
--- a/cmd/govulncheck/testdata/modules/manystacks/go.sum
+++ /dev/null
@@ -1,2 +0,0 @@
-github.com/shiyanhui/dht v0.0.0-20201219151056-5a20f3199263 h1:bn/DPt4KK08FERSZhW2ZowG2t7zcLKYBnRze+mBgOL4=
-github.com/shiyanhui/dht v0.0.0-20201219151056-5a20f3199263/go.mod h1:fw+pXaoy8a8A3OvcOLLlhr4Ty8+pWnPXs89FHHdiZBY=
diff --git a/cmd/govulncheck/testdata/modules/manystacks/main.go b/cmd/govulncheck/testdata/modules/manystacks/main.go
deleted file mode 100644
index 29509ac..0000000
--- a/cmd/govulncheck/testdata/modules/manystacks/main.go
+++ /dev/null
@@ -1,45 +0,0 @@
-// This program prints peers in a bittorrent DHT.
-package main
-
-import (
- "fmt"
- "log"
- "os"
- "time"
-
- "example.com/manystacks/otherpkg"
-
- "github.com/shiyanhui/dht"
-)
-
-func main() {
- d := dht.New(nil)
- nPeers := 0
- d.OnGetPeersResponse = func(infoHash string, peer *dht.Peer) {
- fmt.Printf("GOT PEER: <%s:%d>\n", peer.IP, peer.Port)
- nPeers++
- if nPeers >= 10 {
- fmt.Printf("Done.\n")
- os.Exit(0)
- }
- }
-
- go func() {
- for {
- // ubuntu-14.04.2-desktop-amd64.iso
- err := otherpkg.GetPeers(d, "546cf15f724d19c4319cc17b179d7e035f89c1f4")
- if err != nil && err != dht.ErrNotReady {
- log.Fatal(err)
- }
-
- if err == dht.ErrNotReady {
- time.Sleep(time.Second * 1)
- continue
- }
-
- break
- }
- }()
-
- d.Run()
-}
diff --git a/cmd/govulncheck/testdata/modules/manystacks/otherpkg/otherpkg.go b/cmd/govulncheck/testdata/modules/manystacks/otherpkg/otherpkg.go
deleted file mode 100644
index d7938f8..0000000
--- a/cmd/govulncheck/testdata/modules/manystacks/otherpkg/otherpkg.go
+++ /dev/null
@@ -1,7 +0,0 @@
-package otherpkg
-
-import "github.com/shiyanhui/dht"
-
-func GetPeers(d *dht.DHT, s string) error {
- return d.GetPeers(s)
-}
diff --git a/cmd/govulncheck/testdata/modules/multimodvuln/go.mod b/cmd/govulncheck/testdata/modules/multimodvuln/go.mod
deleted file mode 100644
index 81092b9..0000000
--- a/cmd/govulncheck/testdata/modules/multimodvuln/go.mod
+++ /dev/null
@@ -1,7 +0,0 @@
-module golang.org/multimodvuln
-
-go 1.18
-
-require golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4
-
-require golang.org/x/text v0.3.7 // indirect
diff --git a/cmd/govulncheck/testdata/modules/multimodvuln/go.sum b/cmd/govulncheck/testdata/modules/multimodvuln/go.sum
deleted file mode 100644
index ce35e63..0000000
--- a/cmd/govulncheck/testdata/modules/multimodvuln/go.sum
+++ /dev/null
@@ -1,4 +0,0 @@
-golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4 h1:HVyaeDAYux4pnY+D/SiwmLOR36ewZ4iGQIIrtnuCjFA=
-golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
diff --git a/cmd/govulncheck/testdata/modules/multimodvuln/vuln.go b/cmd/govulncheck/testdata/modules/multimodvuln/vuln.go
deleted file mode 100644
index e1c5b8a..0000000
--- a/cmd/govulncheck/testdata/modules/multimodvuln/vuln.go
+++ /dev/null
@@ -1,5 +0,0 @@
-package vuln
-
-import _ "golang.org/x/net/http2"
-
-func main() {}
diff --git a/cmd/govulncheck/testdata/modules/novuln/go.mod b/cmd/govulncheck/testdata/modules/novuln/go.mod
deleted file mode 100644
index d9dc283..0000000
--- a/cmd/govulncheck/testdata/modules/novuln/go.mod
+++ /dev/null
@@ -1,6 +0,0 @@
-module golang.org/novuln
-
-go 1.18
-
-// This version does not have a vulnerability.
-require golang.org/x/text v0.3.7
diff --git a/cmd/govulncheck/testdata/modules/novuln/go.sum b/cmd/govulncheck/testdata/modules/novuln/go.sum
deleted file mode 100644
index 1f78e03..0000000
--- a/cmd/govulncheck/testdata/modules/novuln/go.sum
+++ /dev/null
@@ -1,2 +0,0 @@
-golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
diff --git a/cmd/govulncheck/testdata/modules/novuln/novuln.go b/cmd/govulncheck/testdata/modules/novuln/novuln.go
deleted file mode 100644
index e479a37..0000000
--- a/cmd/govulncheck/testdata/modules/novuln/novuln.go
+++ /dev/null
@@ -1,12 +0,0 @@
-package main
-
-import (
- "fmt"
-
- "golang.org/x/text/language"
-)
-
-func main() {
- fmt.Println("hello")
- language.Parse("")
-}
diff --git a/cmd/govulncheck/testdata/modules/stdvuln/go.mod b/cmd/govulncheck/testdata/modules/stdvuln/go.mod
deleted file mode 100644
index 26c8aba..0000000
--- a/cmd/govulncheck/testdata/modules/stdvuln/go.mod
+++ /dev/null
@@ -1,3 +0,0 @@
-module golang.org/stdvuln
-
-go 1.17
diff --git a/cmd/govulncheck/testdata/modules/stdvuln/stdvuln.go b/cmd/govulncheck/testdata/modules/stdvuln/stdvuln.go
deleted file mode 100644
index 332373e..0000000
--- a/cmd/govulncheck/testdata/modules/stdvuln/stdvuln.go
+++ /dev/null
@@ -1,11 +0,0 @@
-package main
-
-import (
- "archive/zip"
- "fmt"
-)
-
-func main() {
- _, err := zip.OpenReader("file.zip")
- fmt.Println(err)
-}
diff --git a/cmd/govulncheck/testdata/modules/vuln2/go.mod b/cmd/govulncheck/testdata/modules/vuln2/go.mod
deleted file mode 100644
index 64547be..0000000
--- a/cmd/govulncheck/testdata/modules/vuln2/go.mod
+++ /dev/null
@@ -1,15 +0,0 @@
-module golang.org/vuln2
-
-go 1.18
-
-require (
- // This version has a vulnerability that is imported.
- github.com/tidwall/gjson v1.9.2
- // This version has a vulnerability that is called.
- golang.org/x/text v0.3.0
-)
-
-require (
- github.com/tidwall/match v1.1.0 // indirect
- github.com/tidwall/pretty v1.2.0 // indirect
-)
diff --git a/cmd/govulncheck/testdata/modules/vuln2/go.sum b/cmd/govulncheck/testdata/modules/vuln2/go.sum
deleted file mode 100644
index 74e54c6..0000000
--- a/cmd/govulncheck/testdata/modules/vuln2/go.sum
+++ /dev/null
@@ -1,8 +0,0 @@
-github.com/tidwall/gjson v1.9.2 h1:SJQc2IgWWKL5V+YGJrr95hjNXFeZzHT2L9Wv1aAb51Q=
-github.com/tidwall/gjson v1.9.2/go.mod h1:2tcKM/KQ/GjiTN7mfTL/HdNmef9Q6AZLaSK2RdfvSjw=
-github.com/tidwall/match v1.1.0 h1:VfI2e2aXLvytih7WUVyO9uvRC+RcXlaTrMbHuQWnFmk=
-github.com/tidwall/match v1.1.0/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
-github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
-github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
-golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
diff --git a/cmd/govulncheck/testdata/modules/vuln2/vuln.go b/cmd/govulncheck/testdata/modules/vuln2/vuln.go
deleted file mode 100644
index e93dc67..0000000
--- a/cmd/govulncheck/testdata/modules/vuln2/vuln.go
+++ /dev/null
@@ -1,16 +0,0 @@
-package main
-
-import (
- "fmt"
-
- "github.com/tidwall/gjson"
- "golang.org/x/text/language"
-)
-
-func main() {
- fmt.Println("hello")
- language.Parse("")
- gjson.Valid("{hello: world}")
- _ = gjson.Get("json", "path")
- _ = gjson.GetBytes([]byte("json"), "path")
-}
diff --git a/cmd/govulncheck/testdata/modules/vuln3/go.mod b/cmd/govulncheck/testdata/modules/vuln3/go.mod
deleted file mode 100644
index d19a064..0000000
--- a/cmd/govulncheck/testdata/modules/vuln3/go.mod
+++ /dev/null
@@ -1,6 +0,0 @@
-module golang.org/vuln3
-
-go 1.18
-
-// This version has a vulnerability.
-require golang.org/x/text v0.3.0
diff --git a/cmd/govulncheck/testdata/modules/vuln3/go.sum b/cmd/govulncheck/testdata/modules/vuln3/go.sum
deleted file mode 100644
index 6bad37b..0000000
--- a/cmd/govulncheck/testdata/modules/vuln3/go.sum
+++ /dev/null
@@ -1,2 +0,0 @@
-golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
diff --git a/cmd/govulncheck/testdata/modules/vuln3/vuln.go b/cmd/govulncheck/testdata/modules/vuln3/vuln.go
deleted file mode 100644
index 2d24f8d..0000000
--- a/cmd/govulncheck/testdata/modules/vuln3/vuln.go
+++ /dev/null
@@ -1,11 +0,0 @@
-package vuln
-
-import (
- "fmt"
-
- _ "golang.org/x/text/language"
-)
-
-func main() {
- fmt.Println("hello")
-}
diff --git a/cmd/govulncheck/testdata/multi-module.ct b/cmd/govulncheck/testdata/multi-module.ct
deleted file mode 100644
index 6a3785a..0000000
--- a/cmd/govulncheck/testdata/multi-module.ct
+++ /dev/null
@@ -1,22 +0,0 @@
-# Test fix correctness for vulns affecting multiple modules
-
-$ govulncheck -dir ${moddir}/multimodvuln .
-govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
-
-Scanning for dependencies with known vulnerabilities...
-No vulnerabilities found.
-
-=== Informational ===
-
-Found 1 vulnerability in packages that you import, but there are no call
-stacks leading to the use of this vulnerability. You may not need to
-take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
-for details.
-
-Vulnerability #1: GO-2022-0969
- HTTP/2 server connections can hang forever waiting for a clean
- shutdown that was preempted by a fatal error. This condition can
- be exploited by a malicious client to cause a denial of service.
- More info: https://pkg.go.dev/vuln/GO-2022-0969
- Found in: golang.org/x/net@v0.0.0-20220425223048-2871e0cb64e4
- Fixed in: golang.org/x/net@v0.0.0-20220906165146-f3363e06e74c
diff --git a/cmd/govulncheck/testdata/verbose.ct b/cmd/govulncheck/testdata/source.ct
similarity index 85%
rename from cmd/govulncheck/testdata/verbose.ct
rename to cmd/govulncheck/testdata/source.ct
index bd05da7..51559fa 100644
--- a/cmd/govulncheck/testdata/verbose.ct
+++ b/cmd/govulncheck/testdata/source.ct
@@ -1,12 +1,3 @@
-# Test of verbose mode.
-
-# No vulnerabilities, no output.
-$ govulncheck -dir ${moddir}/novuln -v .
-govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
-
-Scanning for dependencies with known vulnerabilities...
-No vulnerabilities found.
-
$ govulncheck -dir ${moddir}/vuln -v . --> FAIL 3
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
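Review bot: The renamed source.ct has no header comment: the hunk drops `# Test of verbose mode.` without a replacement, so the file now opens directly with the `$ govulncheck -dir ${moddir}/vuln -v . --> FAIL 3` case. A one-line header such as `# Test of source analysis in verbose mode.` would say what the file is meant to cover. The hunk also removes the only case here that ran `-v` against the clean `novuln` module. Whether the new unit tests still exercise the no-findings path end to end is not visible in this hunk, so it is worth confirming that a false-positive regression in the scan itself would still fail a test.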
diff --git a/cmd/govulncheck/testdata/stdlib.ct b/cmd/govulncheck/testdata/stdlib.ct
deleted file mode 100644
index 4065a72..0000000
--- a/cmd/govulncheck/testdata/stdlib.ct
+++ /dev/null
@@ -1,19 +0,0 @@
-# Test of stdlib vuln detection.
-
-$ govulncheck -dir ${moddir}/stdvuln . --> FAIL 3
-govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
-
-Scanning for dependencies with known vulnerabilities...
-Your code is affected by 1 vulnerability from the Go standard library.
-
-Vulnerability #1: STD
-
-
- More info: https://pkg.go.dev/vuln/STD
-
- Standard library
- Found in: archive/zip@go1.18
- Fixed in: N/A
-
- Call stacks in your code:
- .../stdvuln.go:9:26: golang.org/stdvuln.main calls archive/zip.OpenReader
diff --git a/cmd/govulncheck/testdata/two-symbols.ct b/cmd/govulncheck/testdata/two-symbols.ct
deleted file mode 100644
index 79af32a..0000000
--- a/cmd/govulncheck/testdata/two-symbols.ct
+++ /dev/null
@@ -1,49 +0,0 @@
-$ govulncheck -dir ${moddir}/vuln2 . --> FAIL 3
-govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
-
-Scanning for dependencies with known vulnerabilities...
-Your code is affected by 2 vulnerabilities from 2 modules.
-
-Vulnerability #1: GO-2022-0592
- A maliciously crafted path can cause Get and other query
- functions to consume excessive amounts of CPU and time.
-
- More info: https://pkg.go.dev/vuln/GO-2022-0592
-
- Module: github.com/tidwall/gjson
- Found in: github.com/tidwall/gjson@v1.9.2
- Fixed in: github.com/tidwall/gjson@v1.9.3
-
- Call stacks in your code:
- .../vuln.go:14:15: golang.org/vuln2.main calls github.com/tidwall/gjson.Get
- .../vuln.go:15:20: golang.org/vuln2.main calls github.com/tidwall/gjson.GetBytes
-
-Vulnerability #2: GO-2021-0113
- Due to improper index calculation, an incorrectly formatted
- language tag can cause Parse to panic via an out of bounds read.
- If Parse is used to process untrusted user inputs, this may be
- used as a vector for a denial of service attack.
-
- More info: https://pkg.go.dev/vuln/GO-2021-0113
-
- Module: golang.org/x/text
- Found in: golang.org/x/text@v0.3.0
- Fixed in: golang.org/x/text@v0.3.7
-
- Call stacks in your code:
- .../vuln.go:12:16: golang.org/vuln2.main calls golang.org/x/text/language.Parse
-
-=== Informational ===
-
-Found 1 vulnerability in packages that you import, but there are no call
-stacks leading to the use of this vulnerability. You may not need to
-take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
-for details.
-
-Vulnerability #1: GO-2021-0265
- GJSON allowed a ReDoS (regular expression denial of service)
- attack.
- More info: https://pkg.go.dev/vuln/GO-2021-0265
- Found in: github.com/tidwall/gjson@v1.9.2
- Fixed in: github.com/tidwall/gjson@v1.9.3
- Platforms: linux/amd64, windows/amd64
diff --git a/cmd/govulncheck/testdata/vulndb/github.com/shiyanhui/dht.json b/cmd/govulncheck/testdata/vulndb/github.com/shiyanhui/dht.json
deleted file mode 100644
index 93f069d..0000000
--- a/cmd/govulncheck/testdata/vulndb/github.com/shiyanhui/dht.json
+++ /dev/null
@@ -1 +0,0 @@
-[{"id":"GO-2020-0040","published":"2021-04-14T20:04:52Z","modified":"2022-08-29T16:50:59Z","aliases":["CVE-2020-36562"],"details":"Due to unchecked type assertions, maliciously crafted messages can\ncause panics, which may be used as a denial of service vector.\n","affected":[{"package":{"name":"github.com/shiyanhui/dht","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2020-0040"},"ecosystem_specific":{"imports":[{"path":"github.com/shiyanhui/dht"}]}}],"references":[{"type":"WEB","url":"https://github.com/shiyanhui/dht/issues/57"}]}]
diff --git a/cmd/govulncheck/testdata/vulndb/golang.org/x/crypto.json b/cmd/govulncheck/testdata/vulndb/golang.org/x/crypto.json
deleted file mode 100644
index 7af60bb..0000000
--- a/cmd/govulncheck/testdata/vulndb/golang.org/x/crypto.json
+++ /dev/null
@@ -1 +0,0 @@
-[{"id":"GO-2020-0012","published":"2021-04-14T20:04:52Z","modified":"2021-04-14T20:04:52Z","aliases":["CVE-2020-9283","GHSA-ffhg-7mh4-33c4"],"details":"An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public\nkey, such that the library will panic when trying to verify a signature\nwith it. If verifying signatures using user supplied public keys, this\nmay be used as a denial of service vector.\n","affected":[{"package":{"name":"golang.org/x/crypto","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20200220183623-bac4c82f6975"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2020-0012"},"ecosystem_specific":{"imports":[{"path":"golang.org/x/crypto/ssh","symbols":["NewPublicKey","ed25519PublicKey.Verify","parseED25519","parseSKEd25519","skEd25519PublicKey.Verify"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/220357"},{"type":"FIX","url":"https://go.googlesource.com/crypto/+/bac4c82f69751a6dd76e702d54b3ceb88adab236"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/3L45YRc91SY"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9283"},{"type":"WEB","url":"https://github.com/advisories/GHSA-ffhg-7mh4-33c4"}]},{"id":"GO-2020-0013","published":"2021-04-14T20:04:52Z","modified":"2021-04-14T20:04:52Z","aliases":["CVE-2017-3204"],"details":"By default host key verification is disabled which allows for\nman-in-the-middle attacks against SSH clients if\nClientConfig.HostKeyCallback is not 
set.\n","affected":[{"package":{"name":"golang.org/x/crypto","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20170330155735-e4e2799dd7aa"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2020-0013"},"ecosystem_specific":{"imports":[{"path":"golang.org/x/crypto/ssh","symbols":["NewClientConn"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/340830"},{"type":"FIX","url":"https://go.googlesource.com/crypto/+/e4e2799dd7aab89f583e1d898300d96367750991"},{"type":"WEB","url":"https://go.dev/issue/19767"},{"type":"WEB","url":"https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2017-3204"}]},{"id":"GO-2021-0227","published":"2022-02-17T17:35:32Z","modified":"2022-02-17T17:35:32Z","aliases":["CVE-2020-29652"],"details":"Clients can cause a panic in SSH servers. An attacker can craft\nan authentication request message for the “gssapi-with-mic” method\nwhich will cause NewServerConn to panic via a nil pointer dereference\nif ServerConfig.GSSAPIWithMICConfig is nil.\n","affected":[{"package":{"name":"golang.org/x/crypto","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20201216223049-8b5274cf687f"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0227"},"ecosystem_specific":{"imports":[{"path":"golang.org/x/crypto/ssh","symbols":["connection.serverAuthenticate"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/278852"},{"type":"FIX","url":"https://go.googlesource.com/crypto/+/8b5274cf687fd9316b4108863654cc57385531e8"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-29652"}]},{"id":"GO-2021-0356","published":"2022-04-25T20:38:40Z","modified":"2022-08-18T20:22:13Z","aliases":["CVE-2022-27191","GHSA-8c26-wmh5-6g9v"],"details":"Attackers can cause a crash in SSH servers when the server has 
been\nconfigured by passing a Signer to ServerConfig.AddHostKey such that\n 1) the Signer passed to AddHostKey does not implement AlgorithmSigner, and\n 2) the Signer passed to AddHostKey returns a key of type “ssh-rsa” from its\n PublicKey method.\n\nServers that only use Signer implementations provided by the ssh package are\nunaffected.\n","affected":[{"package":{"name":"golang.org/x/crypto","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20220314234659-1baeb1ce4c0b"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0356"},"ecosystem_specific":{"imports":[{"path":"golang.org/x/crypto/ssh","symbols":["ServerConfig.AddHostKey","ServerConfig.AddHostKey"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/392355"},{"type":"FIX","url":"https://go.googlesource.com/crypto/+/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/-cp44ypCT5s"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-27191"},{"type":"WEB","url":"https://github.com/advisories/GHSA-8c26-wmh5-6g9v"}]},{"id":"GO-2022-0209","published":"2022-07-01T20:15:25Z","modified":"2022-08-18T20:22:13Z","aliases":["CVE-2019-11840"],"details":"XORKeyStream generates incorrect and insecure output for very\nlarge inputs.\n\nIf more than 256 GiB of keystream is generated, or if the counter\notherwise grows greater than 32 bits, the amd64 implementation will\nfirst generate incorrect output, and then cycle back to previously\ngenerated keystream. 
Repeated keystream bytes can lead to loss of\nconfidentiality in encryption applications, or to predictability\nin CSPRNG applications.\n\nThe issue might affect uses of golang.org/x/crypto/nacl with extremely\nlarge messages.\n\nArchitectures other than amd64 and uses that generate less than 256 GiB\nof keystream for a single salsa20.XORKeyStream invocation are unaffected.\n","affected":[{"package":{"name":"golang.org/x/crypto","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20190320223903-b7391e95e576"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0209"},"ecosystem_specific":{"imports":[{"path":"golang.org/x/crypto/salsa20/salsa","goarch":["amd64"],"symbols":["XORKeyStream"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/168406"},{"type":"FIX","url":"https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d"},{"type":"WEB","url":"https://go.dev/issue/30965"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/tjyNcJxb2vQ/m/n0NRBziSCAAJ"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11840"}]},{"id":"GO-2022-0229","published":"2022-07-06T18:23:48Z","modified":"2022-08-18T20:22:13Z","aliases":["CVE-2020-7919","GHSA-cjjc-xp8v-855w"],"details":"On 32-bit architectures, a malformed input to crypto/x509 or\nthe ASN.1 parsing functions of golang.org/x/crypto/cryptobyte\ncan lead to a panic.\n\nThe malformed certificate can be delivered via a crypto/tls\nconnection to a client, or to a server that accepts client\ncertificates. 
net/http clients can be made to crash by an HTTPS\nserver, while net/http servers that accept client certificates\nwill recover the panic and are unaffected.\n","affected":[{"package":{"name":"stdlib","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.12.16"},{"introduced":"1.13.0"},{"fixed":"1.13.7"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0229"},"ecosystem_specific":{"imports":[{"path":"crypto/x509"}]}},{"package":{"name":"golang.org/x/crypto","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20200124225646-8b5121be2f68"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0229"},"ecosystem_specific":{"imports":[{"path":"golang.org/x/crypto/cryptobyte"}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/216680"},{"type":"FIX","url":"https://go.googlesource.com/go/+/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574"},{"type":"WEB","url":"https://go.dev/cl/216677"},{"type":"WEB","url":"https://go.dev/issue/36837"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/Hsw4mHYc470"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7919"},{"type":"WEB","url":"https://github.com/advisories/GHSA-cjjc-xp8v-855w"}]}]
\ No newline at end of file
diff --git a/cmd/govulncheck/testdata/vulndb/golang.org/x/net.json b/cmd/govulncheck/testdata/vulndb/golang.org/x/net.json
deleted file mode 100644
index 093054d..0000000
--- a/cmd/govulncheck/testdata/vulndb/golang.org/x/net.json
+++ /dev/null
@@ -1 +0,0 @@
-[{"id":"GO-2022-0969","published":"2022-09-12T20:23:06Z","modified":"2022-09-12T20:23:06Z","aliases":["CVE-2022-27664"],"details":"HTTP/2 server connections can hang forever waiting for a clean shutdown\nthat was preempted by a fatal error. This condition can be exploited\nby a malicious client to cause a denial of service.\n","affected":[{"package":{"name":"stdlib","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.18.6"},{"introduced":"1.19.0"},{"fixed":"1.19.1"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0969"},"ecosystem_specific":{"imports":[{"path":"net/http","symbols":["ListenAndServe","ListenAndServeTLS","Serve","ServeTLS","Server.ListenAndServe","Server.ListenAndServeTLS","Server.Serve","Server.ServeTLS","http2Server.ServeConn","http2serverConn.goAway"]}]}},{"package":{"name":"golang.org/x/net","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20220906165146-f3363e06e74c"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0969"},"ecosystem_specific":{"imports":[{"path":"golang.org/x/net/http2","symbols":["Server.ServeConn","serverConn.goAway"]}]}}],"references":[{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"},{"type":"REPORT","url":"https://go.dev/issue/54658"},{"type":"FIX","url":"https://go.dev/cl/428735"}]}]
diff --git a/cmd/govulncheck/testdata/vulndb/stdlib.json b/cmd/govulncheck/testdata/vulndb/stdlib.json
deleted file mode 100644
index 7a1de40..0000000
--- a/cmd/govulncheck/testdata/vulndb/stdlib.json
+++ /dev/null
@@ -1 +0,0 @@
-[{"id":"STD","affected":[{"package":{"name":"stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.18.0"}]}],"ecosystem_specific":{"imports":[{"path":"archive/zip","symbols":["OpenReader"]}]}}]},{"id":"GO-2022-0969","published":"2022-09-12T20:23:06Z","modified":"2022-09-12T20:23:06Z","aliases":["CVE-2022-27664"],"details":"HTTP/2 server connections can hang forever waiting for a clean shutdown\nthat was preempted by a fatal error. This condition can be exploited\nby a malicious client to cause a denial of service.\n","affected":[{"package":{"name":"stdlib","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.18.6"},{"introduced":"1.19.0"},{"fixed":"1.19.1"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0969"},"ecosystem_specific":{"imports":[{"path":"net/http","symbols":["ListenAndServe","ListenAndServeTLS","Serve","ServeTLS","Server.ListenAndServe","Server.ListenAndServeTLS","Server.Serve","Server.ServeTLS","http2Server.ServeConn","http2serverConn.goAway"]}]}},{"package":{"name":"golang.org/x/net","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20220906165146-f3363e06e74c"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0969"},"ecosystem_specific":{"imports":[{"path":"golang.org/x/net/http2","symbols":["Server.ServeConn","serverConn.goAway"]}]}}],"references":[{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"},{"type":"REPORT","url":"https://go.dev/issue/54658"},{"type":"FIX","url":"https://go.dev/cl/428735"}]}]