blob: 2f9ecc8ec75ad3423ba60883169acc3efe5e8e2d [file] [log] [blame]
#####
# Test that findings with callstacks are not emitted in package mode
$ govulncheck -format json -scan package -C ${moddir}/multientry .
{
"config": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"go_version": "go1.18",
"scan_level": "package",
"scan_mode": "source"
}
}
{
"progress": {
"message": "Fetching vulnerabilities from the database..."
}
}
{
"progress": {
"message": "Checking the code against the vulnerabilities..."
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2021-0113",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-10-06T17:51:21Z",
"aliases": [
"CVE-2021-38561",
"GHSA-ppp9-7jff-5vj2"
],
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.7"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/language",
"symbols": [
"MatchStrings",
"MustParse",
"Parse",
"ParseAcceptLanguage"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/340830"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
}
],
"credits": [
{
"name": "Guido Vranken"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0113"
}
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.5"
}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.5",
"package": "golang.org/x/text/language"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
"id": "GO-2020-0015",
"modified": "2023-04-03T15:57:51Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2020-14040",
"GHSA-5rcv-m4m3-hfh7"
],
"summary": "Infinite loop when decoding some inputs in golang.org/x/text",
"details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "golang.org/x/text",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "golang.org/x/text/encoding/unicode",
"symbols": [
"bomOverride.Transform",
"utf16Decoder.Transform"
]
},
{
"path": "golang.org/x/text/transform",
"symbols": [
"String"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/238238"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/39491"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
}
],
"credits": [
{
"name": "@abacabadabacaba and Anton Gyllenberg"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2020-0015"
}
}
}