cmd/govulncheck/testdata/testfiles/source-call/source_multientry_text.ct - vuln - Git at Google

 #####
 # Test for multiple call stacks in source mode
 $ govulncheck -C ${moddir}/multientry . --> FAIL 3
 Scanning your code and P packages across M dependent modules for known vulnerabilities...

 === Symbol Results ===

 Vulnerability #1: GO-2021-0113
     Due to improper index calculation, an incorrectly formatted language tag can
     cause Parse to panic via an out of bounds read. If Parse is used to process
     untrusted user inputs, this may be used as a vector for a denial of service
     attack.
   More info: https://pkg.go.dev/vuln/GO-2021-0113
   Module: golang.org/x/text
     Found in: golang.org/x/text@v0.3.5
     Fixed in: golang.org/x/text@v0.3.7
     Example traces found:
       #1: .../main.go:99:20: multientry.foobar calls language.MustParse
       #2: .../main.go:44:23: multientry.C calls language.Parse

 Your code is affected by 1 vulnerability from 1 module.
 This scan also found 0 vulnerabilities in packages you import and 1
 vulnerability in modules you require, but your code doesn't appear to call these
 vulnerabilities.
 Use '-show verbose' for more details.

 #####
 # Test for multple call stacks in source mode with expanded traces
 $ govulncheck -show verbose -C ${moddir}/multientry -show=traces ./... --> FAIL 3
 Scanning your code and P packages across M dependent modules for known vulnerabilities...

 === Symbol Results ===

 Vulnerability #1: GO-2021-0113
     Due to improper index calculation, an incorrectly formatted language tag can
     cause Parse to panic via an out of bounds read. If Parse is used to process
     untrusted user inputs, this may be used as a vector for a denial of service
     attack.
   More info: https://pkg.go.dev/vuln/GO-2021-0113
   Module: golang.org/x/text
     Found in: golang.org/x/text@v0.3.5
     Fixed in: golang.org/x/text@v0.3.7
     Example traces found:
       #1: for function golang.org/x/text/language.MustParse
         .../main.go:26:3: golang.org/multientry.main
         .../main.go:48:8: golang.org/multientry.D
         .../main.go:99:20: golang.org/multientry.foobar
         .../tags.go:13:6: golang.org/x/text/language.MustParse
       #2: for function golang.org/x/text/language.Parse
         .../main.go:22:3: golang.org/multientry.main
         .../main.go:44:23: golang.org/multientry.C
         .../parse.go:33:6: golang.org/x/text/language.Parse

 === Package Results ===

 No other vulnerabilities found.

 === Module Results ===

 Vulnerability #1: GO-2022-0969
     HTTP/2 server connections can hang forever waiting for a clean shutdown that
     was preempted by a fatal error. This condition can be exploited by a
     malicious client to cause a denial of service.
   More info: https://pkg.go.dev/vuln/GO-2022-0969
   Standard library
     Found in: net/http@go1.18
     Fixed in: net/http@go1.18.6

 Your code is affected by 1 vulnerability from 1 module.
 This scan also found 0 vulnerabilities in packages you import and 1
 vulnerability in modules you require, but your code doesn't appear to call these
 vulnerabilities.
	#####
	# Test for multiple call stacks in source mode
	$ govulncheck -C ${moddir}/multientry . --> FAIL 3
	Scanning your code and P packages across M dependent modules for known vulnerabilities...

	=== Symbol Results ===

	Vulnerability #1: GO-2021-0113
	Due to improper index calculation, an incorrectly formatted language tag can
	cause Parse to panic via an out of bounds read. If Parse is used to process
	untrusted user inputs, this may be used as a vector for a denial of service
	attack.
	More info: https://pkg.go.dev/vuln/GO-2021-0113
	Module: golang.org/x/text
	Found in: golang.org/x/text@v0.3.5
	Fixed in: golang.org/x/text@v0.3.7
	Example traces found:
	#1: .../main.go:99:20: multientry.foobar calls language.MustParse
	#2: .../main.go:44:23: multientry.C calls language.Parse

	Your code is affected by 1 vulnerability from 1 module.
	This scan also found 0 vulnerabilities in packages you import and 1
	vulnerability in modules you require, but your code doesn't appear to call these
	vulnerabilities.
	Use '-show verbose' for more details.

	#####
	# Test for multple call stacks in source mode with expanded traces
	$ govulncheck -show verbose -C ${moddir}/multientry -show=traces ./... --> FAIL 3
	Scanning your code and P packages across M dependent modules for known vulnerabilities...

	=== Symbol Results ===

	Vulnerability #1: GO-2021-0113
	Due to improper index calculation, an incorrectly formatted language tag can
	cause Parse to panic via an out of bounds read. If Parse is used to process
	untrusted user inputs, this may be used as a vector for a denial of service
	attack.
	More info: https://pkg.go.dev/vuln/GO-2021-0113
	Module: golang.org/x/text
	Found in: golang.org/x/text@v0.3.5
	Fixed in: golang.org/x/text@v0.3.7
	Example traces found:
	#1: for function golang.org/x/text/language.MustParse
	.../main.go:26:3: golang.org/multientry.main
	.../main.go:48:8: golang.org/multientry.D
	.../main.go:99:20: golang.org/multientry.foobar
	.../tags.go:13:6: golang.org/x/text/language.MustParse
	#2: for function golang.org/x/text/language.Parse
	.../main.go:22:3: golang.org/multientry.main
	.../main.go:44:23: golang.org/multientry.C
	.../parse.go:33:6: golang.org/x/text/language.Parse

	=== Package Results ===

	No other vulnerabilities found.

	=== Module Results ===

	Vulnerability #1: GO-2022-0969
	HTTP/2 server connections can hang forever waiting for a clean shutdown that
	was preempted by a fatal error. This condition can be exploited by a
	malicious client to cause a denial of service.
	More info: https://pkg.go.dev/vuln/GO-2022-0969
	Standard library
	Found in: net/http@go1.18
	Fixed in: net/http@go1.18.6

	Your code is affected by 1 vulnerability from 1 module.
	This scan also found 0 vulnerabilities in packages you import and 1
	vulnerability in modules you require, but your code doesn't appear to call these
	vulnerabilities.