| ##### |
| # Test for multiple call stacks in source mode |
| $ govulncheck -json -C ${moddir}/multientry . |
| { |
| "config": { |
| "protocol_version": "v1.0.0", |
| "scanner_name": "govulncheck", |
| "scanner_version": "v0.0.0-00000000000-20000101010101", |
| "db": "testdata/vulndb-v1", |
| "db_last_modified": "2023-04-03T15:57:51Z", |
| "go_version": "go1.18", |
| "scan_level": "symbol" |
| } |
| } |
| { |
| "progress": { |
| "message": "Scanning your code and P packages across M dependent module for known vulnerabilities..." |
| } |
| } |
| { |
| "osv": { |
| "schema_version": "1.3.1", |
| "id": "GO-2022-0969", |
| "modified": "2023-04-03T15:57:51Z", |
| "published": "2022-09-12T20:23:06Z", |
| "aliases": [ |
| "CVE-2022-27664", |
| "GHSA-69cg-p879-7622" |
| ], |
| "details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.", |
| "affected": [ |
| { |
| "package": { |
| "name": "stdlib", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "1.18.6" |
| }, |
| { |
| "introduced": "1.19.0" |
| }, |
| { |
| "fixed": "1.19.1" |
| } |
| ] |
| } |
| ], |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "net/http", |
| "symbols": [ |
| "ListenAndServe", |
| "ListenAndServeTLS", |
| "Serve", |
| "ServeTLS", |
| "Server.ListenAndServe", |
| "Server.ListenAndServeTLS", |
| "Server.Serve", |
| "Server.ServeTLS", |
| "http2Server.ServeConn", |
| "http2serverConn.goAway" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "WEB", |
| "url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s" |
| }, |
| { |
| "type": "REPORT", |
| "url": "https://go.dev/issue/54658" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://go.dev/cl/428735" |
| } |
| ], |
| "credits": [ |
| { |
| "name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu" |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2022-0969" |
| } |
| } |
| } |
| { |
| "finding": { |
| "osv": "GO-2022-0969", |
| "fixed_version": "v1.18.6", |
| "trace": [ |
| { |
| "module": "stdlib", |
| "version": "v1.18.0", |
| "package": "net/http" |
| } |
| ] |
| } |
| } |
| { |
| "osv": { |
| "schema_version": "1.3.1", |
| "id": "GO-2021-0113", |
| "modified": "2023-04-03T15:57:51Z", |
| "published": "2021-10-06T17:51:21Z", |
| "aliases": [ |
| "CVE-2021-38561", |
| "GHSA-ppp9-7jff-5vj2" |
| ], |
| "details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.", |
| "affected": [ |
| { |
| "package": { |
| "name": "golang.org/x/text", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "0.3.7" |
| } |
| ] |
| } |
| ], |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "golang.org/x/text/language", |
| "symbols": [ |
| "MatchStrings", |
| "MustParse", |
| "Parse", |
| "ParseAcceptLanguage" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "FIX", |
| "url": "https://go.dev/cl/340830" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f" |
| } |
| ], |
| "credits": [ |
| { |
| "name": "Guido Vranken" |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2021-0113" |
| } |
| } |
| } |
| { |
| "finding": { |
| "osv": "GO-2021-0113", |
| "fixed_version": "v0.3.7", |
| "trace": [ |
| { |
| "module": "golang.org/x/text", |
| "version": "v0.3.5" |
| } |
| ] |
| } |
| } |
| { |
| "finding": { |
| "osv": "GO-2021-0113", |
| "fixed_version": "v0.3.7", |
| "trace": [ |
| { |
| "module": "golang.org/x/text", |
| "version": "v0.3.5", |
| "package": "golang.org/x/text/language" |
| } |
| ] |
| } |
| } |
| { |
| "finding": { |
| "osv": "GO-2021-0113", |
| "fixed_version": "v0.3.7", |
| "trace": [ |
| { |
| "module": "golang.org/x/text", |
| "version": "v0.3.5", |
| "package": "golang.org/x/text/language", |
| "function": "MustParse" |
| }, |
| { |
| "module": "golang.org/multientry", |
| "package": "golang.org/multientry", |
| "function": "foobar", |
| "position": { |
| "filename": ".../main.go", |
| "offset": 1694, |
| "line": 99, |
| "column": 20 |
| } |
| }, |
| { |
| "module": "golang.org/multientry", |
| "package": "golang.org/multientry", |
| "function": "D", |
| "position": { |
| "filename": ".../main.go", |
| "offset": 705, |
| "line": 48, |
| "column": 8 |
| } |
| }, |
| { |
| "module": "golang.org/multientry", |
| "package": "golang.org/multientry", |
| "function": "main", |
| "position": { |
| "filename": ".../main.go", |
| "offset": 441, |
| "line": 26, |
| "column": 3 |
| } |
| } |
| ] |
| } |
| } |
| { |
| "finding": { |
| "osv": "GO-2021-0113", |
| "fixed_version": "v0.3.7", |
| "trace": [ |
| { |
| "module": "golang.org/x/text", |
| "version": "v0.3.5", |
| "package": "golang.org/x/text/language", |
| "function": "Parse" |
| }, |
| { |
| "module": "golang.org/multientry", |
| "package": "golang.org/multientry", |
| "function": "C", |
| "position": { |
| "filename": ".../main.go", |
| "offset": 679, |
| "line": 44, |
| "column": 23 |
| } |
| }, |
| { |
| "module": "golang.org/multientry", |
| "package": "golang.org/multientry", |
| "function": "main", |
| "position": { |
| "filename": ".../main.go", |
| "offset": 340, |
| "line": 22, |
| "column": 3 |
| } |
| } |
| ] |
| } |
| } |
