Google Git
Sign in
go / vuln / f3137a66416d24e06f1bd985aa007caa19d9d55d^! / .
commitf3137a66416d24e06f1bd985aa007caa19d9d55d[log] [tgz]
authorJonathan Amsterdam <jba@google.com>Fri Apr 08 06:08:53 2022 -0400
committerJonathan Amsterdam <jba@google.com>Tue Apr 12 11:49:56 2022 +0000
treeab9384f09a59cce16c5242a6af3fb15075a99bfa
parent3b8a5f69d17947abaab7e3723c42fc198ec32e55 [diff]
cmd/govulncheck: don't skip vulns with no CallSink for binaries

When we analyze a binary, we don't have call stacks. The code that
skipped vulns with CallSink==0 was skipping all vulns in binaries.
Now we filter out those vulns only when we run on source.

Fixes golang/go#51412.

Change-Id: If11b079fd771ccfb05360da4a1db64102e0db182
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/399114
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>

diff --git a/cmd/govulncheck/main.go b/cmd/govulncheck/main.go
index 3c79af4..1a9a07a 100644
--- a/cmd/govulncheck/main.go
+++ b/cmd/govulncheck/main.go

@@ -98,6 +98,7 @@
 		r              *vulncheck.Result
 		pkgs           []*packages.Package
 		moduleVersions map[string]string
+		vulns          []*vulncheck.Vuln
 	)
 	if len(patterns) == 1 && isFile(patterns[0]) {
 		f, err := os.Open(patterns[0])
@@ -109,6 +110,7 @@
 		if err != nil {
 			die("govulncheck: %v", err)
 		}
+		vulns = r.Vulns
 	} else {
 		cfg := &packages.Config{
 			Mode:       packages.NeedName | packages.NeedFiles | packages.NeedCompiledGoFiles | packages.NeedImports | packages.NeedTypes | packages.NeedTypesSizes | packages.NeedSyntax | packages.NeedTypesInfo | packages.NeedDeps | packages.NeedModule,
@@ -134,6 +136,12 @@
 		if err != nil {
 			die("govulncheck: %v", err)
 		}
+		// Skip vulns that are in the import graph but have no calls to them.
+		for _, v := range r.Vulns {
+			if v.CallSink != 0 {
+				vulns = append(vulns, v)
+			}
+		}
 	}
 	if *jsonFlag {
 		writeJSON(r)
@@ -144,7 +152,7 @@
 		for _, p := range pkgs {
 			topPackages[p.PkgPath] = true
 		}
-		vulnGroups := groupByIDAndPackage(r.Vulns)
+		vulnGroups := groupByIDAndPackage(vulns)
 		if *htmlFlag {
 			if err := html(os.Stdout, r, callStacks, moduleVersions, topPackages, vulnGroups); err != nil {
 				die("writing HTML: %v", err)
@@ -155,7 +163,7 @@
 	}
 	exitCode := 0
 	// Following go vet, fail with 3 if there are findings (in this case, vulns).
-	if len(r.Vulns) > 0 {
+	if len(vulns) > 0 {
 		exitCode = 3
 	}
 	os.Exit(exitCode)
@@ -214,11 +222,6 @@
 func groupByIDAndPackage(vs []*vulncheck.Vuln) [][]*vulncheck.Vuln {
 	groups := map[[2]string][]*vulncheck.Vuln{}
 	for _, v := range vs {
-		if v.CallSink == 0 {
-			// Skip this vuln because although it appears in the
-			// import graph, there are no calls to it.
-			continue
-		}
 		key := [2]string{v.OSV.ID, v.PkgPath}
 		groups[key] = append(groups[key], v)
 	}