cmd/govulncheck/testdata/common/testfiles/source-call/source_vendored_text.ct - vuln - Git at Google

 #####
 # Vendored directory w text output
 $ govulncheck -C ${moddir}/vendored -show verbose ./... --> FAIL 3
 Fetching vulnerabilities from the database...

 Checking the code against the vulnerabilities...

 The package pattern matched the following 2 root packages:
   golang.org/vendored
   golang.org/vendored/subdir
 Govulncheck scanned the following 4 modules and the go1.18 standard library:
   golang.org/vendored
   github.com/tidwall/gjson@v1.6.5
   golang.org/x/text@v0.3.0
   private.com/privateuser/fakemod@v1.0.0

 === Symbol Results ===

 Vulnerability #1: GO-2021-0265
     A maliciously crafted path can cause Get and other query functions to
     consume excessive amounts of CPU and time.
   More info: https://pkg.go.dev/vuln/GO-2021-0265
   Module: github.com/tidwall/gjson
     Found in: github.com/tidwall/gjson@v1.6.5
     Fixed in: github.com/tidwall/gjson@v1.9.3
     Example traces found:
       #1: vendored.go:12:15: vendored.main calls fakemod.Leave, which calls gjson.Result.Get

 Vulnerability #2: GO-2021-0113
     Due to improper index calculation, an incorrectly formatted language tag can
     cause Parse to panic via an out of bounds read. If Parse is used to process
     untrusted user inputs, this may be used as a vector for a denial of service
     attack.
   More info: https://pkg.go.dev/vuln/GO-2021-0113
   Module: golang.org/x/text
     Found in: golang.org/x/text@v0.3.0
     Fixed in: golang.org/x/text@v0.3.7
     Example traces found:
       #1: vendored.go:13:16: vendored.main calls language.Parse

 === Package Results ===

 Vulnerability #1: GO-2021-0054
     Due to improper bounds checking, maliciously crafted JSON objects can cause
     an out-of-bounds panic. If parsing user input, this may be used as a denial
     of service vector.
   More info: https://pkg.go.dev/vuln/GO-2021-0054
   Module: github.com/tidwall/gjson
     Found in: github.com/tidwall/gjson@v1.6.5
     Fixed in: github.com/tidwall/gjson@v1.6.6

 === Module Results ===

 Vulnerability #1: GO-2020-0015
     Infinite loop when decoding some inputs in golang.org/x/text
   More info: https://pkg.go.dev/vuln/GO-2020-0015
   Module: golang.org/x/text
     Found in: golang.org/x/text@v0.3.0
     Fixed in: golang.org/x/text@v0.3.3

 Your code is affected by 2 vulnerabilities from 2 modules.
 This scan also found 1 vulnerability in packages you import and 1 vulnerability
 in modules you require, but your code doesn't appear to call these
 vulnerabilities.
	#####
	# Vendored directory w text output
	$ govulncheck -C ${moddir}/vendored -show verbose ./... --> FAIL 3
	Fetching vulnerabilities from the database...

	Checking the code against the vulnerabilities...

	The package pattern matched the following 2 root packages:
	golang.org/vendored
	golang.org/vendored/subdir
	Govulncheck scanned the following 4 modules and the go1.18 standard library:
	golang.org/vendored
	github.com/tidwall/gjson@v1.6.5
	golang.org/x/text@v0.3.0
	private.com/privateuser/fakemod@v1.0.0

	=== Symbol Results ===

	Vulnerability #1: GO-2021-0265
	A maliciously crafted path can cause Get and other query functions to
	consume excessive amounts of CPU and time.
	More info: https://pkg.go.dev/vuln/GO-2021-0265
	Module: github.com/tidwall/gjson
	Found in: github.com/tidwall/gjson@v1.6.5
	Fixed in: github.com/tidwall/gjson@v1.9.3
	Example traces found:
	#1: vendored.go:12:15: vendored.main calls fakemod.Leave, which calls gjson.Result.Get

	Vulnerability #2: GO-2021-0113
	Due to improper index calculation, an incorrectly formatted language tag can
	cause Parse to panic via an out of bounds read. If Parse is used to process
	untrusted user inputs, this may be used as a vector for a denial of service
	attack.
	More info: https://pkg.go.dev/vuln/GO-2021-0113
	Module: golang.org/x/text
	Found in: golang.org/x/text@v0.3.0
	Fixed in: golang.org/x/text@v0.3.7
	Example traces found:
	#1: vendored.go:13:16: vendored.main calls language.Parse

	=== Package Results ===

	Vulnerability #1: GO-2021-0054
	Due to improper bounds checking, maliciously crafted JSON objects can cause
	an out-of-bounds panic. If parsing user input, this may be used as a denial
	of service vector.
	More info: https://pkg.go.dev/vuln/GO-2021-0054
	Module: github.com/tidwall/gjson
	Found in: github.com/tidwall/gjson@v1.6.5
	Fixed in: github.com/tidwall/gjson@v1.6.6

	=== Module Results ===

	Vulnerability #1: GO-2020-0015
	Infinite loop when decoding some inputs in golang.org/x/text
	More info: https://pkg.go.dev/vuln/GO-2020-0015
	Module: golang.org/x/text
	Found in: golang.org/x/text@v0.3.0
	Fixed in: golang.org/x/text@v0.3.3

	Your code is affected by 2 vulnerabilities from 2 modules.
	This scan also found 1 vulnerability in packages you import and 1 vulnerability
	in modules you require, but your code doesn't appear to call these
	vulnerabilities.