internal/govulncheck/inits_test.go - vuln - Git at Google

 // Copyright 2022 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

 package govulncheck

 import (
 	"context"
 	"fmt"
 	"path"
 	"path/filepath"
 	"testing"

 	"github.com/google/go-cmp/cmp"
 	"golang.org/x/tools/go/packages/packagestest"
 	"golang.org/x/vuln/internal/test"
 	"golang.org/x/vuln/osv"
 	"golang.org/x/vuln/vulncheck"
 )

 // TestInits checks for correct positions of init functions
 // and their respective calls (see #51575).
 func TestInits(t *testing.T) {
 	testClient := &test.MockClient{
 		Ret: map[string][]*osv.Entry{
 			"golang.org/amod": []*osv.Entry{
 				{
 					ID: "A", Affected: []osv.Affected{{Package: osv.Package{Name: "golang.org/amod"}, Ranges: osv.Affects{{Type: osv.TypeSemver}},
 						EcosystemSpecific: osv.EcosystemSpecific{Imports: []osv.EcosystemSpecificImport{{
 							Path: "golang.org/amod/avuln", Symbols: []string{"A"}},
 						}},
 					}},
 				},
 			},
 			"golang.org/cmod": []*osv.Entry{
 				{
 					ID: "C", Affected: []osv.Affected{{Package: osv.Package{Name: "golang.org/cmod"}, Ranges: osv.Affects{{Type: osv.TypeSemver}},
 						EcosystemSpecific: osv.EcosystemSpecific{Imports: []osv.EcosystemSpecificImport{{
 							Path: "golang.org/cmod/cvuln", Symbols: []string{"C"}},
 						}},
 					}},
 				},
 			},
 		},
 	}
 	e := packagestest.Export(t, packagestest.Modules, []packagestest.Module{
 		{
 			Name: "golang.org/entry",
 			Files: map[string]interface{}{
 				"x/x.go": `
 			package x

 			import (
 				_ "golang.org/amod/avuln"
 				_ "golang.org/bmod/b"
 			)
 			`,
 			},
 		},
 		{
 			Name: "golang.org/amod@v0.5.0",
 			Files: map[string]interface{}{"avuln/avuln.go": `
 			package avuln

 			func init() {
 				A()
 			}

 			func A() {}
 			`},
 		},
 		{
 			Name: "golang.org/bmod@v0.5.0",
 			Files: map[string]interface{}{"b/b.go": `
 			package b

 			import _ "golang.org/cmod/cvuln"
 			`},
 		},
 		{
 			Name: "golang.org/cmod@v0.5.0",
 			Files: map[string]interface{}{"cvuln/cvuln.go": `
 			package cvuln

 			var x int = C()

 			func C() int {
 				return 0
 			}
 			`},
 		},
 	})
 	defer e.Cleanup()

 	// Load x as entry package.
 	pkgs, err := test.LoadPackages(e, path.Join(e.Temp(), "entry/x"))
 	if err != nil {
 		t.Fatal(err)
 	}
 	if len(pkgs) != 1 {
 		t.Fatal("failed to load x test package")
 	}
 	vpkgs := vulncheck.Convert(pkgs)
 	result, err := vulncheck.Source(context.Background(), vpkgs, &vulncheck.Config{Client: testClient})
 	if err != nil {
 		t.Fatal(err)
 	}

 	cs := vulncheck.CallStacks(result)
 	updateInitPositions(cs, vpkgs)

 	want := map[string][][]string{
 		"A": [][]string{{
 			// Entry init's position is the package statement.
 			// It calls avuln.init at avuln import statement.
 			"N:golang.org/entry/x.init	F:x.go:2:4	C:x.go:5:5",
 			// implicit avuln.init is calls explicit init at the avuln
 			// package statement.
 			"N:golang.org/amod/avuln.init	F:avuln.go:2:4	C:avuln.go:2:4",
 			"N:golang.org/amod/avuln.init#1	F:avuln.go:4:9	C:avuln.go:5:6",
 			"N:golang.org/amod/avuln.A	F:avuln.go:8:9	C:",
 		}},
 		"C": [][]string{{
 			"N:golang.org/entry/x.init	F:x.go:2:4	C:x.go:6:5",
 			"N:golang.org/bmod/b.init	F:b.go:2:4	C:b.go:4:11",
 			"N:golang.org/cmod/cvuln.init	F:cvuln.go:2:4	C:cvuln.go:4:17",
 			"N:golang.org/cmod/cvuln.C	F:cvuln.go:6:9	C:",
 		}},
 	}
 	if diff := cmp.Diff(want, strStacks(cs)); diff != "" {
 		t.Errorf("modules mismatch (-want, +got):\n%s", diff)
 	}
 }

 // strStacks creates a string representation of a call stacks map where
 // vulnerability is represented with its ID and stack entry is a string
 // "N:<package path.function name>  F:<function position> C:< call position>"
 // File paths in positions consists of only file names.
 func strStacks(callStacks map[*vulncheck.Vuln][]vulncheck.CallStack) map[string][][]string {
 	m := make(map[string][][]string)
 	for v, css := range callStacks {
 		var scss [][]string
 		for _, cs := range css {
 			var scs []string
 			for _, se := range cs {
 				fPos := se.Function.Pos
 				fp := fmt.Sprintf("%s:%d:%d", filepath.Base(fPos.Filename), fPos.Line, fPos.Column)

 				var cp string
 				if se.Call != nil && se.Call.Pos.IsValid() {
 					cPos := se.Call.Pos
 					cp = fmt.Sprintf("%s:%d:%d", filepath.Base(cPos.Filename), cPos.Line, cPos.Column)
 				}

 				sse := fmt.Sprintf("N:%s.%s\tF:%v\tC:%v", se.Function.PkgPath, se.Function.Name, fp, cp)
 				scs = append(scs, sse)
 			}
 			scss = append(scss, scs)
 		}
 		m[v.OSV.ID] = scss
 	}
 	return m
 }
	// Copyright 2022 The Go Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style
	// license that can be found in the LICENSE file.

	package govulncheck

	import (
	"context"
	"fmt"
	"path"
	"path/filepath"
	"testing"

	"github.com/google/go-cmp/cmp"
	"golang.org/x/tools/go/packages/packagestest"
	"golang.org/x/vuln/internal/test"
	"golang.org/x/vuln/osv"
	"golang.org/x/vuln/vulncheck"
	)

	// TestInits checks for correct positions of init functions
	// and their respective calls (see #51575).
	func TestInits(t *testing.T) {
	testClient := &test.MockClient{
	Ret: map[string][]*osv.Entry{
	"golang.org/amod": []*osv.Entry{
	{
	ID: "A", Affected: []osv.Affected{{Package: osv.Package{Name: "golang.org/amod"}, Ranges: osv.Affects{{Type: osv.TypeSemver}},
	EcosystemSpecific: osv.EcosystemSpecific{Imports: []osv.EcosystemSpecificImport{{
	Path: "golang.org/amod/avuln", Symbols: []string{"A"}},
	}},
	}},
	},
	},
	"golang.org/cmod": []*osv.Entry{
	{
	ID: "C", Affected: []osv.Affected{{Package: osv.Package{Name: "golang.org/cmod"}, Ranges: osv.Affects{{Type: osv.TypeSemver}},
	EcosystemSpecific: osv.EcosystemSpecific{Imports: []osv.EcosystemSpecificImport{{
	Path: "golang.org/cmod/cvuln", Symbols: []string{"C"}},
	}},
	}},
	},
	},
	},
	}
	e := packagestest.Export(t, packagestest.Modules, []packagestest.Module{
	{
	Name: "golang.org/entry",
	Files: map[string]interface{}{
	"x/x.go": `
	package x

	import (
	_ "golang.org/amod/avuln"
	_ "golang.org/bmod/b"
	)
	`,
	},
	},
	{
	Name: "golang.org/amod@v0.5.0",
	Files: map[string]interface{}{"avuln/avuln.go": `
	package avuln

	func init() {
	A()
	}

	func A() {}
	`},
	},
	{
	Name: "golang.org/bmod@v0.5.0",
	Files: map[string]interface{}{"b/b.go": `
	package b

	import _ "golang.org/cmod/cvuln"
	`},
	},
	{
	Name: "golang.org/cmod@v0.5.0",
	Files: map[string]interface{}{"cvuln/cvuln.go": `
	package cvuln

	var x int = C()

	func C() int {
	return 0
	}
	`},
	},
	})
	defer e.Cleanup()

	// Load x as entry package.
	pkgs, err := test.LoadPackages(e, path.Join(e.Temp(), "entry/x"))
	if err != nil {
	t.Fatal(err)
	}
	if len(pkgs) != 1 {
	t.Fatal("failed to load x test package")
	}
	vpkgs := vulncheck.Convert(pkgs)
	result, err := vulncheck.Source(context.Background(), vpkgs, &vulncheck.Config{Client: testClient})
	if err != nil {
	t.Fatal(err)
	}

	cs := vulncheck.CallStacks(result)
	updateInitPositions(cs, vpkgs)

	want := map[string][][]string{
	"A": [][]string{{
	// Entry init's position is the package statement.
	// It calls avuln.init at avuln import statement.
	"N:golang.org/entry/x.init F:x.go:2:4 C:x.go:5:5",
	// implicit avuln.init is calls explicit init at the avuln
	// package statement.
	"N:golang.org/amod/avuln.init F:avuln.go:2:4 C:avuln.go:2:4",
	"N:golang.org/amod/avuln.init#1 F:avuln.go:4:9 C:avuln.go:5:6",
	"N:golang.org/amod/avuln.A F:avuln.go:8:9 C:",
	}},
	"C": [][]string{{
	"N:golang.org/entry/x.init F:x.go:2:4 C:x.go:6:5",
	"N:golang.org/bmod/b.init F:b.go:2:4 C:b.go:4:11",
	"N:golang.org/cmod/cvuln.init F:cvuln.go:2:4 C:cvuln.go:4:17",
	"N:golang.org/cmod/cvuln.C F:cvuln.go:6:9 C:",
	}},
	}
	if diff := cmp.Diff(want, strStacks(cs)); diff != "" {
	t.Errorf("modules mismatch (-want, +got):\n%s", diff)
	}
	}

	// strStacks creates a string representation of a call stacks map where
	// vulnerability is represented with its ID and stack entry is a string
	// "N:<package path.function name> F:<function position> C:< call position>"
	// File paths in positions consists of only file names.
	func strStacks(callStacks map[*vulncheck.Vuln][]vulncheck.CallStack) map[string][][]string {
	m := make(map[string][][]string)
	for v, css := range callStacks {
	var scss [][]string
	for _, cs := range css {
	var scs []string
	for _, se := range cs {
	fPos := se.Function.Pos
	fp := fmt.Sprintf("%s:%d:%d", filepath.Base(fPos.Filename), fPos.Line, fPos.Column)

	var cp string
	if se.Call != nil && se.Call.Pos.IsValid() {
	cPos := se.Call.Pos
	cp = fmt.Sprintf("%s:%d:%d", filepath.Base(cPos.Filename), cPos.Line, cPos.Column)
	}

	sse := fmt.Sprintf("N:%s.%s\tF:%v\tC:%v", se.Function.PkgPath, se.Function.Name, fp, cp)
	scs = append(scs, sse)
	}
	scss = append(scss, scs)
	}
	m[v.OSV.ID] = scss
	}
	return m
	}