cmd/govulncheck: show unaffected vulnerabilities for all cases
We previously jumped out when there were no affecting vulnerabilities,
thus not showing unaffected ones. That is now changed.
Change-Id: Icaf85c8761e391cd243df72b1df4df7aaa09399d
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/429598
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/cmd/govulncheck/main.go b/cmd/govulncheck/main.go
index ded4a48..d091ec0 100644
--- a/cmd/govulncheck/main.go
+++ b/cmd/govulncheck/main.go
@@ -214,7 +214,6 @@
switch len(uniqueVulns) {
case 0:
fmt.Println("No vulnerabilities found.")
- return
case 1:
fmt.Println("Found 1 known vulnerability.")
default:
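Review bot: With the `return` removed from `case 0`, everything after the switch now runs with an empty `uniqueVulns`; please confirm that the code printing the `=== Informational ===` section guards on there being at least one unaffected vulnerability, otherwise a run with zero affecting and zero unaffected findings would print `No vulnerabilities found.` followed by an empty informational block. A second testdata case covering that situation next to the new import-no-call.ct would lock the behaviour in.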
diff --git a/cmd/govulncheck/testdata/import-no-call.ct b/cmd/govulncheck/testdata/import-no-call.ct
new file mode 100644
index 0000000..0fbe8c2
--- /dev/null
+++ b/cmd/govulncheck/testdata/import-no-call.ct
@@ -0,0 +1,25 @@
+# Test of default mode.
+
+# All vulnerabilities imported, but never called.
+$ cdmodule vuln3
+$ govulncheck .
+govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
+
+Scanning for dependencies with known vulnerabilities...
+No vulnerabilities found.
+
+=== Informational ===
+
+The vulnerabilities below are in packages that you import, but your code
+doesn't appear to call any vulnerable functions. You may not need to take any
+action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
+for details.
+
+Vulnerability #1: GO-2021-0113
+ Due to improper index calculation, an incorrectly formatted language tag can cause Parse
+ to panic via an out of bounds read. If Parse is used to process untrusted user inputs,
+ this may be used as a vector for a denial of service attack.
+
+ Found in: golang.org/x/text/language@v0.3.0
+ Fixed in: golang.org/x/text/language@v0.3.7
+ More info: https://pkg.go.dev/vuln/GO-2021-0113
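Review bot: The expected output pins the full advisory wording and fix version of GO-2021-0113 (the `Due to improper index calculation ...` lines and `Fixed in: golang.org/x/text/language@v0.3.7`), so any edit to that database entry will break this test; if the harness does not already run against a frozen local copy of the vulnerability database, consider matching only the `Vulnerability #1: GO-2021-0113` and `Found in:` lines, which is what this change is actually about.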
diff --git a/cmd/govulncheck/testdata/modules/vuln3/go.mod b/cmd/govulncheck/testdata/modules/vuln3/go.mod
new file mode 100644
index 0000000..d19a064
--- /dev/null
+++ b/cmd/govulncheck/testdata/modules/vuln3/go.mod
@@ -0,0 +1,6 @@
+module golang.org/vuln3
+
+go 1.18
+
+// This version has a vulnerability.
+require golang.org/x/text v0.3.0
diff --git a/cmd/govulncheck/testdata/modules/vuln3/go.sum b/cmd/govulncheck/testdata/modules/vuln3/go.sum
new file mode 100644
index 0000000..6bad37b
--- /dev/null
+++ b/cmd/govulncheck/testdata/modules/vuln3/go.sum
@@ -0,0 +1,2 @@
+golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
diff --git a/cmd/govulncheck/testdata/modules/vuln3/vuln.go b/cmd/govulncheck/testdata/modules/vuln3/vuln.go
new file mode 100644
index 0000000..2d24f8d
--- /dev/null
+++ b/cmd/govulncheck/testdata/modules/vuln3/vuln.go
@@ -0,0 +1,11 @@
+package vuln
+
+import (
+ "fmt"
+
+ _ "golang.org/x/text/language"
+)
+
+func main() {
+ fmt.Println("hello")
+}
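Review bot: `func main()` in `package vuln` is just an unexported function that is never invoked (only `package main` has an entry point), and `fmt` is imported solely to keep it compiling; a one-line comment on the blank import `_ "golang.org/x/text/language"` saying the fixture deliberately imports the vulnerable package without calling anything would make the intent obvious, and `main` could be dropped or renamed so the file does not read as an executable.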