Google Git
Sign in
go / vuln / dda25ec85f19411a34a16a0049108f74343c1ce1^! / .
commitdda25ec85f19411a34a16a0049108f74343c1ce1[log] [tgz]
authorZvonimir Pavlinovic <zpavlinovic@google.com>Fri Sep 09 10:55:28 2022 -0700
committerZvonimir Pavlinovic <zpavlinovic@google.com>Tue Sep 13 15:33:08 2022 +0000
treeef67ea2c225ae913c758a1b9342bd747355e9a19
parent0ed43f12cb05de7225f1293057fb108f80a20374 [diff]
cmd/govulncheck: show unaffected vulnerabilities for all cases

We previously jumped out when there were no affecting vulnerabilities,
thus not showing unaffacted ones. That is now changed.

Change-Id: Icaf85c8761e391cd243df72b1df4df7aaa09399d
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/429598
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

diff --git a/cmd/govulncheck/main.go b/cmd/govulncheck/main.go
index ded4a48..d091ec0 100644
--- a/cmd/govulncheck/main.go
+++ b/cmd/govulncheck/main.go

@@ -214,7 +214,6 @@
 	switch len(uniqueVulns) {
 	case 0:
 		fmt.Println("No vulnerabilities found.")
-		return
 	case 1:
 		fmt.Println("Found 1 known vulnerability.")
 	default:

diff --git a/cmd/govulncheck/testdata/import-no-call.ct b/cmd/govulncheck/testdata/import-no-call.ct
new file mode 100644
index 0000000..0fbe8c2
--- /dev/null
+++ b/cmd/govulncheck/testdata/import-no-call.ct

@@ -0,0 +1,25 @@
+# Test of default mode.
+
+# All vulnerabilities imported, but never called.
+$ cdmodule vuln3
+$ govulncheck .
+govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
+
+Scanning for dependencies with known vulnerabilities...
+No vulnerabilities found.
+
+=== Informational ===
+
+The vulnerabilities below are in packages that you import, but your code
+doesn't appear to call any vulnerable functions. You may not need to take any
+action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
+for details.
+
+Vulnerability #1: GO-2021-0113
+  Due to improper index calculation, an incorrectly formatted language tag can cause Parse
+  to panic via an out of bounds read. If Parse is used to process untrusted user inputs,
+  this may be used as a vector for a denial of service attack.
+
+  Found in: golang.org/x/text/language@v0.3.0
+  Fixed in: golang.org/x/text/language@v0.3.7
+  More info: https://pkg.go.dev/vuln/GO-2021-0113

diff --git a/cmd/govulncheck/testdata/modules/vuln3/go.mod b/cmd/govulncheck/testdata/modules/vuln3/go.mod
new file mode 100644
index 0000000..d19a064
--- /dev/null
+++ b/cmd/govulncheck/testdata/modules/vuln3/go.mod

@@ -0,0 +1,6 @@
+module golang.org/vuln3
+
+go 1.18
+
+// This version has a vulnerability.
+require golang.org/x/text v0.3.0

diff --git a/cmd/govulncheck/testdata/modules/vuln3/go.sum b/cmd/govulncheck/testdata/modules/vuln3/go.sum
new file mode 100644
index 0000000..6bad37b
--- /dev/null
+++ b/cmd/govulncheck/testdata/modules/vuln3/go.sum

@@ -0,0 +1,2 @@
+golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

diff --git a/cmd/govulncheck/testdata/modules/vuln3/vuln.go b/cmd/govulncheck/testdata/modules/vuln3/vuln.go
new file mode 100644
index 0000000..2d24f8d
--- /dev/null
+++ b/cmd/govulncheck/testdata/modules/vuln3/vuln.go

@@ -0,0 +1,11 @@
+package vuln
+
+import (
+	"fmt"
+
+	_ "golang.org/x/text/language"
+)
+
+func main() {
+	fmt.Println("hello")
+}