cmd/govulncheck: adds proper check for k8s output in integration testing
This CL checks for 1) the total number of vulncheck.Vulns found and 2)
the actual symbols called.
Change-Id: I7b788d7f79ff58c91a5d493c72a9eedf11922d0d
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/402755
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Julie Qiu <julie@golang.org>
Reviewed-by: Benny Siegert <bsiegert@gmail.com>
diff --git a/cmd/govulncheck/integration/Dockerfile b/cmd/govulncheck/integration/Dockerfile
index 6fa55f6..5b65690 100644
--- a/cmd/govulncheck/integration/Dockerfile
+++ b/cmd/govulncheck/integration/Dockerfile
@@ -10,3 +10,6 @@
COPY . /go/src/golang.org/x/vuln
WORKDIR /go/src/golang.org/x/vuln/cmd/govulncheck/integration
RUN go install golang.org/x/vuln/cmd/govulncheck
+
+# ---- Step 2: Build other test binaries ----
+RUN go install golang.org/x/vuln/cmd/govulncheck/integration/k8s
diff --git a/cmd/govulncheck/integration/integration_run.sh b/cmd/govulncheck/integration/integration_run.sh
index f620291..8ad23e5 100755
--- a/cmd/govulncheck/integration/integration_run.sh
+++ b/cmd/govulncheck/integration/integration_run.sh
@@ -16,16 +16,13 @@
pushd $dir
cd pkg
git checkout tags/v1.15.11
-govulncheck ./...
+govulncheck --json ./... &> govulncheck.txt
+k8s govulncheck.txt
exitcode=$?
popd
-# There should be some findings, which govulncheck
-# indicates by exit code 3.
-#
-# TODO(zpavlinovic): check if findings are as expected.
-if [ ${exitcode} -ne 3 ]; then
- echo "FAIL: got exit code $exitcode, want 3"
+if [ ${exitcode} -ne 0 ]; then
+ echo "FAIL: got exit code $exitcode, want 0"
exit 1
fi
echo PASS
diff --git a/cmd/govulncheck/integration/k8s/k8s.go b/cmd/govulncheck/integration/k8s/k8s.go
new file mode 100644
index 0000000..6f36ee1
--- /dev/null
+++ b/cmd/govulncheck/integration/k8s/k8s.go
@@ -0,0 +1,78 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+ "encoding/json"
+ "io/ioutil"
+ "log"
+ "os"
+
+ "github.com/google/go-cmp/cmp"
+ "golang.org/x/vuln/vulncheck"
+)
+
+const usage = `test helper for examining the output of running govulncheck on k8s@v1.15.11.
+
+Example usage: ./k8s [path to output file]
+`
+
+func main() {
+ if len(os.Args) != 2 {
+ log.Fatal("Incorrect number of expected command line arguments", usage)
+ }
+ out := os.Args[1]
+
+ outJson, err := ioutil.ReadFile(out)
+ if err != nil {
+ log.Fatal("Failed to read:", out)
+ }
+
+ var r vulncheck.Result
+ if err := json.Unmarshal(outJson, &r); err != nil {
+ log.Fatal("Failed to load json into vulncheck.Result:", err)
+ }
+
+ if len(r.Vulns) != 326 {
+ log.Fatal("want 326 vulns; got", len(r.Vulns))
+ }
+
+ type vuln struct {
+ pkg string
+ symbol string
+ }
+ calledVulns := make(map[vuln]bool)
+ for _, v := range r.Vulns {
+ if v.CallSink != 0 {
+ calledVulns[vuln{v.PkgPath, v.Symbol}] = true
+ }
+ }
+
+ want := map[vuln]bool{
+ {"github.com/evanphx/json-patch", "partialArray.add"}: true,
+ {"github.com/opencontainers/selinux/go-selinux", "CurrentLabel"}: true,
+ {"github.com/opencontainers/selinux/go-selinux", "FileLabel"}: true,
+ {"github.com/opencontainers/selinux/go-selinux", "GetEnabled"}: true,
+ {"github.com/opencontainers/selinux/go-selinux", "SetFileLabel"}: true,
+ {"github.com/opencontainers/selinux/go-selinux", "getSelinuxMountPoint"}: true,
+ {"github.com/opencontainers/selinux/go-selinux", "lgetxattr"}: true,
+ {"github.com/opencontainers/selinux/go-selinux", "lsetxattr"}: true,
+ {"github.com/opencontainers/selinux/go-selinux", "readCon"}: true,
+ {"github.com/opencontainers/selinux/go-selinux", "selinuxState.getEnabled"}: true,
+ {"github.com/opencontainers/selinux/go-selinux", "selinuxState.getSELinuxfs"}: true,
+ {"github.com/opencontainers/selinux/go-selinux", "selinuxState.setEnable"}: true,
+ {"github.com/opencontainers/selinux/go-selinux", "selinuxState.setSELinuxfs"}: true,
+ {"github.com/satori/go.uuid", "init"}: true,
+ {"golang.org/x/crypto/ssh", "NewPublicKey"}: true,
+ {"golang.org/x/crypto/ssh", "ed25519PublicKey.Verify"}: true,
+ {"golang.org/x/crypto/ssh", "parseED25519"}: true,
+ {"golang.org/x/text/encoding/unicode", "bomOverride.Transform"}: true,
+ {"golang.org/x/text/encoding/unicode", "utf16Decoder.Transform"}: true,
+ }
+
+ if !cmp.Equal(calledVulns, want) {
+ log.Fatalf("want %v called symbols;\ngot%v\n", want, calledVulns)
+ }
+}