cmd/govulncheck: update UX
The UX for govulncheck is updated based on discussions.
See testdata for the updated output.
Change-Id: I302e3d6eef77e335c29de9f04bf8e6bf35e57d9f
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/409816
Run-TryBot: Julie Qiu <julieqiu@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
diff --git a/cmd/govulncheck/main.go b/cmd/govulncheck/main.go
index 4279018..b5ed32c 100644
--- a/cmd/govulncheck/main.go
+++ b/cmd/govulncheck/main.go
@@ -218,30 +218,25 @@
fmt.Printf("Found %d known vulnerabilities.\n", len(uniqueVulns))
}
fmt.Println(strings.Repeat("-", lineLength))
- fmt.Println()
-
for _, vg := range ci.VulnGroups {
// All the vulns in vg have the same PkgPath, ModPath and OSV.
// All have a non-zero CallSink.
v0 := vg[0]
- writeLine("package:", v0.PkgPath)
- writeLine("your version:", ci.ModuleVersions[v0.ModPath])
- writeLine("fixed version:", "v"+govulncheck.LatestFixed(v0.OSV.Affected))
+ fmt.Printf(`
+%s
+%s
+`, v0.OSV.ID, v0.OSV.Details)
if *verboseFlag {
writeCallStacksVerbose(vg, ci)
} else {
writeCallStacksDefault(vg, ci)
}
- writeLine("reference:", fmt.Sprintf("https://pkg.go.dev/vuln/%s", v0.OSV.ID))
- desc := strings.Split(wrap(v0.OSV.Details, 80-labelWidth), "\n")
- for i, l := range desc {
- if i == 0 {
- writeLine("description:", l)
- } else {
- writeLine("", l)
- }
- }
- fmt.Println()
+ fmt.Printf(`
+Found in: %s@%s
+Fixed in: %s@v%s
+More info: https://pkg.go.dev/vuln/%s
+
+`, v0.PkgPath, ci.ModuleVersions[v0.ModPath], v0.PkgPath, govulncheck.LatestFixed(v0.OSV.Affected), v0.OSV.ID)
}
if len(unaffectedMods) > 0 {
fmt.Println()
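Review bot: The two Printf blocks leave the blank-line handling split across them: the first ends with a newline after `v0.OSV.Details` and the second begins with one, so when neither call-stack writer prints anything (the binary mode fixture default-binary.ct shows this) the report gets two consecutive blank lines, while with call stacks it gets one. A consistent layout would drop the leading newline from the second raw string and have writeCallStacksDefault/writeCallStacksVerbose each end with `fmt.Println()`, so the spacing does not depend on whether they emitted output. Separately, `Fixed in: %s@v%s` prints a dangling `@v` if govulncheck.LatestFixed returns an empty string for a vulnerability with no fixed version; if that is possible it should be guarded, e.g. `fixed := govulncheck.LatestFixed(v0.OSV.Affected); if fixed == "" { fixed = "none" } else { fixed = "v" + fixed }`, and the wrap of Details at 80-labelWidth that the removed lines performed is now gone, so unwrapped OSV text is printed at whatever width the database supplies. The enclosing function begins before this hunk and continues after it.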
@@ -258,7 +253,6 @@
}
func writeCallStacksDefault(vg []*vulncheck.Vuln, ci *govulncheck.CallInfo) {
-
var summaries []string
for _, v := range vg {
if css := ci.CallStacks[v]; len(css) > 0 {
@@ -270,16 +264,16 @@
if len(summaries) > 0 {
sort.Strings(summaries)
summaries = compact(summaries)
- fmt.Println("sample call stacks:")
+ fmt.Println("Call stacks in your code:")
for _, s := range summaries {
- writeLine("", s)
+ fmt.Println("", s)
}
}
}
func writeCallStacksVerbose(vg []*vulncheck.Vuln, ci *govulncheck.CallInfo) {
// Display one full call stack for each vuln.
- fmt.Println("call stacks:")
+ fmt.Println("Call stacks in your code:")
nMore := 0
i := 1
for _, v := range vg {
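Review bot: `fmt.Println("", s)` in writeCallStacksDefault relies on Println inserting a space between operands to produce the one-column indent seen in the fixtures; that intent is invisible to a reader and easy to break if an operand is added. Making the indent explicit, `fmt.Printf(" %s\n", s)`, yields the same bytes and documents the layout. The heading `"Call stacks in your code:"` is now repeated verbatim in both writeCallStacksDefault and writeCallStacksVerbose; a shared package-level constant such as `const callStacksHeading = "Call stacks in your code:"` would keep the two modes from drifting apart. writeCallStacksVerbose continues past the end of this hunk.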
diff --git a/cmd/govulncheck/testdata/default-binary.ct b/cmd/govulncheck/testdata/default-binary.ct
index 2369b22..3af61fa 100644
--- a/cmd/govulncheck/testdata/default-binary.ct
+++ b/cmd/govulncheck/testdata/default-binary.ct
@@ -14,11 +14,12 @@
Found 1 known vulnerability.
-------------------------------------------------------
-package: golang.org/x/text/language
-your version: v0.3.0
-fixed version: v0.3.7
-reference: https://pkg.go.dev/vuln/GO-2021-0113
-description: Due to improper index calculation, an incorrectly formatted
- language tag can cause Parse to panic via an out of bounds read.
- If Parse is used to process untrusted user inputs, this may be
- used as a vector for a denial of service attack.
+GO-2021-0113
+Due to improper index calculation, an incorrectly formatted language tag can cause Parse
+to panic via an out of bounds read. If Parse is used to process untrusted user inputs,
+this may be used as a vector for a denial of service attack.
+
+
+Found in: golang.org/x/text/language@v0.3.0
+Fixed in: golang.org/x/text/language@v0.3.7
+More info: https://pkg.go.dev/vuln/GO-2021-0113
diff --git a/cmd/govulncheck/testdata/default.ct b/cmd/govulncheck/testdata/default.ct
index e61a455..dbc9db3 100644
--- a/cmd/govulncheck/testdata/default.ct
+++ b/cmd/govulncheck/testdata/default.ct
@@ -16,13 +16,14 @@
Found 1 known vulnerability.
-------------------------------------------------------
-package: golang.org/x/text/language
-your version: v0.3.0
-fixed version: v0.3.7
-sample call stacks:
- vuln.main calls golang.org/x/text/language.Parse
-reference: https://pkg.go.dev/vuln/GO-2021-0113
-description: Due to improper index calculation, an incorrectly formatted
- language tag can cause Parse to panic via an out of bounds read.
- If Parse is used to process untrusted user inputs, this may be
- used as a vector for a denial of service attack.
+GO-2021-0113
+Due to improper index calculation, an incorrectly formatted language tag can cause Parse
+to panic via an out of bounds read. If Parse is used to process untrusted user inputs,
+this may be used as a vector for a denial of service attack.
+
+Call stacks in your code:
+ vuln.main calls golang.org/x/text/language.Parse
+
+Found in: golang.org/x/text/language@v0.3.0
+Fixed in: golang.org/x/text/language@v0.3.7
+More info: https://pkg.go.dev/vuln/GO-2021-0113
diff --git a/cmd/govulncheck/testdata/verbose.ct b/cmd/govulncheck/testdata/verbose.ct
index 71a3f03..fed13df 100644
--- a/cmd/govulncheck/testdata/verbose.ct
+++ b/cmd/govulncheck/testdata/verbose.ct
@@ -16,17 +16,18 @@
Found 1 known vulnerability.
-------------------------------------------------------
-package: golang.org/x/text/language
-your version: v0.3.0
-fixed version: v0.3.7
-call stacks:
+GO-2021-0113
+Due to improper index calculation, an incorrectly formatted language tag can cause Parse
+to panic via an out of bounds read. If Parse is used to process untrusted user inputs,
+this may be used as a vector for a denial of service attack.
+
+Call stacks in your code:
#1: for function Parse
vuln.main
.../vuln.go:11:16
golang.org/x/text/language.Parse
-reference: https://pkg.go.dev/vuln/GO-2021-0113
-description: Due to improper index calculation, an incorrectly formatted
- language tag can cause Parse to panic via an out of bounds read.
- If Parse is used to process untrusted user inputs, this may be
- used as a vector for a denial of service attack.
+
+Found in: golang.org/x/text/language@v0.3.0
+Fixed in: golang.org/x/text/language@v0.3.7
+More info: https://pkg.go.dev/vuln/GO-2021-0113