Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package govulncheck for openSUSE:Factory
checked in at 2024-06-07 15:04:19
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/govulncheck (Old)
and /work/SRC/openSUSE:Factory/.govulncheck.new.24587 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "govulncheck"
Fri Jun 7 15:04:19 2024 rev:8 rq:1179096 version:1.1.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/govulncheck/govulncheck.changes 2024-05-24
19:51:56.255257967 +0200
+++ /work/SRC/openSUSE:Factory/.govulncheck.new.24587/govulncheck.changes
2024-06-07 15:04:42.978722566 +0200
@@ -1,0 +2,22 @@
+Thu Jun 06 20:41:57 UTC 2024 - Jeff Kowalczyk <jkowalc...@suse.com>
+
+- Update to version 1.1.2:
+ * internal/osv: add review status
+ * vulncheck: update documentation for vex
+ * cmd/govulncheck/integration/stackrox-scanner: update expectations
+ * cmd/govulncheck/integration/k8s: update expectations
+ * internal/govulncheck: add more comments for emitted OSVs
+ * go.mod: update golang.org/x dependencies
+ * internal/scan: increase telemetry counter for show flag
+ * internal/scan: add format and scan level telemetry
+ * internal/cmd/govulncheck: remove unnecessary binary dependency
+ * cmd/govulncheck/integration: update go in integration tests
+ * internal/openvex: add hash for doc ID
+ * internal/openvex: add statements to handler
+ * internal/openvex: add handler
+ * all: remove test that runs govulncheck on govulncheck
+ * internal/sarif: fix a typo
+ * internal/scan: limit number of binary traces shown
+ * cmd/govulncheck: record scan mode telemetry
+
+-------------------------------------------------------------------
Old:
----
govulncheck-1.1.1.tar.gz
New:
----
govulncheck-1.1.2.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ govulncheck.spec ++++++
--- /var/tmp/diff_new_pack.LhdWvR/_old 2024-06-07 15:04:43.674747923 +0200
+++ /var/tmp/diff_new_pack.LhdWvR/_new 2024-06-07 15:04:43.674747923 +0200
@@ -17,7 +17,7 @@
Name: govulncheck
-Version: 1.1.1
+Version: 1.1.2
Release: 0
Summary: CLI tool to report known CVE vulnerabilities in Go source code
and binaries
License: Apache-2.0 AND BSD-3-Clause
++++++ _service ++++++
--- /var/tmp/diff_new_pack.LhdWvR/_old 2024-06-07 15:04:43.710749234 +0200
+++ /var/tmp/diff_new_pack.LhdWvR/_new 2024-06-07 15:04:43.714749381 +0200
@@ -3,7 +3,7 @@
<param name="url">https://github.com/golang/vuln.git</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
- <param name="revision">v1.1.1</param>
+ <param name="revision">v1.1.2</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="changesgenerate">enable</param>
<param name="versionrewrite-pattern">v(.*)</param>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.LhdWvR/_old 2024-06-07 15:04:43.734750109 +0200
+++ /var/tmp/diff_new_pack.LhdWvR/_new 2024-06-07 15:04:43.738750254 +0200
@@ -1,6 +1,6 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://github.com/golang/vuln.git</param>
- <param
name="changesrevision">486fd2384a39a632a0e5b003e1840d49d1db7e86</param></service></servicedata>
+ <param
name="changesrevision">3740f5cb12a3f93b18dbe200c4bcb6256f8586e2</param></service></servicedata>
(No newline at EOF)
++++++ govulncheck-1.1.1.tar.gz -> govulncheck-1.1.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/govulncheck-1.1.1/all_test.go
new/govulncheck-1.1.2/all_test.go
--- old/govulncheck-1.1.1/all_test.go 2024-05-21 23:23:08.000000000 +0200
+++ new/govulncheck-1.1.2/all_test.go 2024-06-06 16:46:51.000000000 +0200
@@ -9,8 +9,6 @@
import (
"bufio"
- "bytes"
- "context"
"errors"
"io/fs"
"os"
@@ -21,7 +19,6 @@
"golang.org/x/mod/modfile"
"golang.org/x/vuln/internal/testenv"
- "golang.org/x/vuln/scan"
)
// excluded contains the set of modules that x/vuln should not depend on.
@@ -55,33 +52,6 @@
}
}
-func TestGovulncheck(t *testing.T) {
- skipIfShort(t)
- testenv.NeedsGoBuild(t)
-
- var o string
- out := bytes.NewBufferString(o)
- ctx := context.Background()
-
- cmd := scan.Command(ctx, "./...")
- cmd.Stdout = out
- cmd.Stderr = out
- err := cmd.Start()
- if err == nil {
- err = cmd.Wait()
- }
-
- t.Logf("govulncheck finished with std out/err:\n%s", out.String())
- switch err := err.(type) {
- case nil:
- t.Log("govulncheck: no vulnerabilities detected")
- case interface{ ExitCode() int }:
- t.Errorf("govulncheck: unexpected exit code %d and error %v",
err.ExitCode(), err)
- default:
- t.Errorf("govulncheck: abruptly failed with error %v", err)
- }
-}
-
func TestVet(t *testing.T) {
rungo(t, "vet", "-all", "./...")
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/govulncheck-1.1.1/cmd/govulncheck/doc.go
new/govulncheck-1.1.2/cmd/govulncheck/doc.go
--- old/govulncheck-1.1.1/cmd/govulncheck/doc.go 2024-05-21
23:23:08.000000000 +0200
+++ new/govulncheck-1.1.2/cmd/govulncheck/doc.go 2024-06-06
16:46:51.000000000 +0200
@@ -67,12 +67,16 @@
format, following the specification at
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif.
For more details, please see [golang.org/x/vuln/internal/sarif].
+Govulncheck supports the Vulnerability EXchange (VEX) output format, following
+the specification at https://github.com/openvex/spec.
+For more details, please see [golang.org/x/vuln/internal/openvex].
+
# Exit codes
Govulncheck exits successfully (exit code 0) if there are no vulnerabilities,
and exits unsuccessfully if there are. It also exits successfully if the
-'format -json' ('-json') or '-format sarif' is provided, regardless of the
number
-of detected vulnerabilities.
+'format -json' ('-json'), '-format sarif', or '-format openvex' is provided,
+regardless of the number of detected vulnerabilities.
# Limitations
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/govulncheck-1.1.1/cmd/govulncheck/integration/Dockerfile
new/govulncheck-1.1.2/cmd/govulncheck/integration/Dockerfile
--- old/govulncheck-1.1.1/cmd/govulncheck/integration/Dockerfile
2024-05-21 23:23:08.000000000 +0200
+++ new/govulncheck-1.1.2/cmd/govulncheck/integration/Dockerfile
2024-06-06 16:46:51.000000000 +0200
@@ -1,4 +1,4 @@
-FROM golang:1.20.3-alpine
+FROM golang:1.22.3-alpine
# This Dockerfile sets up an image for repeated integration testing.
# This assumes the build context, i.e., CWD is vuln/
@@ -12,6 +12,5 @@
RUN go install golang.org/x/vuln/cmd/govulncheck
# ---- Step 2: Build other test binaries ----
-RUN go install golang.org/dl/go1.18@latest
RUN go install golang.org/x/vuln/cmd/govulncheck/integration/k8s
RUN go install golang.org/x/vuln/cmd/govulncheck/integration/stackrox-scanner
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/govulncheck-1.1.1/cmd/govulncheck/integration/k8s/k8s.go
new/govulncheck-1.1.2/cmd/govulncheck/integration/k8s/k8s.go
--- old/govulncheck-1.1.1/cmd/govulncheck/integration/k8s/k8s.go
2024-05-21 23:23:08.000000000 +0200
+++ new/govulncheck-1.1.2/cmd/govulncheck/integration/k8s/k8s.go
2024-06-06 16:46:51.000000000 +0200
@@ -23,18 +23,30 @@
out := os.Args[1]
want := map[string]bool{
- "github.com/containernetworking/cni/pkg/invoke": true,
- "github.com/evanphx/json-patch": true,
- "github.com/opencontainers/selinux/go-selinux": true,
- "github.com/prometheus/client_golang/prometheus/promhttp": true,
- "golang.org/x/crypto/cryptobyte": true,
- "golang.org/x/crypto/salsa20/salsa": true,
- "golang.org/x/crypto/ssh": true,
- "golang.org/x/net/http/httpguts": true,
- "golang.org/x/net/http2": true,
- "golang.org/x/net/http2/hpack": true,
- "golang.org/x/text/encoding/unicode": true,
- "google.golang.org/grpc": true,
+ "github.com/containerd/containerd/api/services/containers/v1":
true,
+ "github.com/containerd/containerd/api/services/tasks/v1":
true,
+ "github.com/containerd/containerd/api/services/version/v1":
true,
+ "github.com/containerd/containerd/api/types":
true,
+ "github.com/containerd/containerd/api/types/task":
true,
+ "github.com/containerd/containerd/containers":
true,
+ "github.com/containerd/containerd/dialer":
true,
+ "github.com/containerd/containerd/errdefs":
true,
+ "github.com/containerd/containerd/namespaces":
true,
+ "github.com/containernetworking/cni/pkg/invoke":
true,
+ "github.com/evanphx/json-patch":
true,
+ "github.com/heketi/heketi/client/api/go-client":
true,
+ "github.com/heketi/heketi/pkg/glusterfs/api":
true,
+ "github.com/heketi/heketi/pkg/utils":
true,
+ "github.com/opencontainers/selinux/go-selinux":
true,
+ "github.com/prometheus/client_golang/prometheus/promhttp":
true,
+ "golang.org/x/crypto/cryptobyte":
true,
+ "golang.org/x/crypto/salsa20/salsa":
true,
+ "golang.org/x/crypto/ssh":
true,
+ "golang.org/x/net/http/httpguts":
true,
+ "golang.org/x/net/http2":
true,
+ "golang.org/x/net/http2/hpack":
true,
+ "golang.org/x/text/encoding/unicode":
true,
+ "google.golang.org/grpc":
true,
}
if err := integration.CompareNonStdVulns(out, want); err != nil {
log.Fatal(err)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/govulncheck-1.1.1/cmd/govulncheck/integration/stackrox-scanner/scanner.go
new/govulncheck-1.1.2/cmd/govulncheck/integration/stackrox-scanner/scanner.go
---
old/govulncheck-1.1.1/cmd/govulncheck/integration/stackrox-scanner/scanner.go
2024-05-21 23:23:08.000000000 +0200
+++
new/govulncheck-1.1.2/cmd/govulncheck/integration/stackrox-scanner/scanner.go
2024-06-06 16:46:51.000000000 +0200
@@ -28,6 +28,7 @@
"github.com/go-git/go-git/v5/plumbing/object": true,
"github.com/go-git/go-git/v5/storage/filesystem": true,
"github.com/go-git/go-git/v5/storage/filesystem/dotgit": true,
+ "github.com/mholt/archiver/v3": true,
"golang.org/x/crypto/ssh": true,
"golang.org/x/net/http2": true,
"golang.org/x/net/http2/hpack": true,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/govulncheck-1.1.1/cmd/govulncheck/main.go
new/govulncheck-1.1.2/cmd/govulncheck/main.go
--- old/govulncheck-1.1.1/cmd/govulncheck/main.go 2024-05-21
23:23:08.000000000 +0200
+++ new/govulncheck-1.1.2/cmd/govulncheck/main.go 2024-06-06
16:46:51.000000000 +0200
@@ -9,10 +9,13 @@
"fmt"
"os"
+ "golang.org/x/telemetry"
"golang.org/x/vuln/scan"
)
func main() {
+ telemetry.Start(telemetry.Config{ReportCrashes: true})
+
ctx := context.Background()
cmd := scan.Command(ctx, os.Args[1:]...)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/govulncheck-1.1.1/cmd/govulncheck/testdata/common/config.json
new/govulncheck-1.1.2/cmd/govulncheck/testdata/common/config.json
--- old/govulncheck-1.1.1/cmd/govulncheck/testdata/common/config.json
2024-05-21 23:23:08.000000000 +0200
+++ new/govulncheck-1.1.2/cmd/govulncheck/testdata/common/config.json
2024-06-06 16:46:51.000000000 +0200
@@ -35,6 +35,10 @@
{
"pattern": "\"go_version\": \"go[^\\s\"]*\"",
"replace": "\"go_version\": \"go1.18\""
+ },
+ {
+ "pattern": "\"timestamp\": (.*),",
+ "replace": "\"timestamp\": \"2024-01-01T00:00:00\","
}
]
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/govulncheck-1.1.1/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vex.ct
new/govulncheck-1.1.2/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vex.ct
---
old/govulncheck-1.1.1/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vex.ct
1970-01-01 01:00:00.000000000 +0100
+++
new/govulncheck-1.1.2/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vex.ct
2024-06-06 16:46:51.000000000 +0200
@@ -0,0 +1,104 @@
+#####
+# Test basic binary scanning with vex output
+$ govulncheck -format openvex -mode binary ${common_vuln_binary}
+{
+ "@context": "https://openvex.dev/ns/v0.2.0";,
+ "@id":
"govulncheck/vex:b2e8274f24820051d79285827c4fe6e1912c99143a4693804b9a5c366ec5fb8d",
+ "author": "Unknown Author",
+ "timestamp": "2024-01-01T00:00:00",
+ "version": 1,
+ "tooling": "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck";,
+ "statements": [
+ {
+ "vulnerability": {
+ "@id": "https://pkg.go.dev/vuln/GO-2020-0015";,
+ "name": "GO-2020-0015",
+ "description": "Infinite loop when decoding some inputs in
golang.org/x/text",
+ "aliases": [
+ "CVE-2020-14040",
+ "GHSA-5rcv-m4m3-hfh7"
+ ]
+ },
+ "products": [
+ {
+ "@id": "Unknown Product"
+ }
+ ],
+ "status": "not_affected",
+ "justification": "vulnerable_code_not_present",
+ "impact_statement": "Govulncheck determined that the vulnerable code
isn't called"
+ },
+ {
+ "vulnerability": {
+ "@id": "https://pkg.go.dev/vuln/GO-2021-0054";,
+ "name": "GO-2021-0054",
+ "description": "Due to improper bounds checking, maliciously crafted
JSON objects can cause an out-of-bounds panic. If parsing user input, this may
be used as a denial of service vector.",
+ "aliases": [
+ "CVE-2020-36067",
+ "GHSA-p64j-r5f4-pwwx"
+ ]
+ },
+ "products": [
+ {
+ "@id": "Unknown Product"
+ }
+ ],
+ "status": "affected"
+ },
+ {
+ "vulnerability": {
+ "@id": "https://pkg.go.dev/vuln/GO-2021-0059";,
+ "name": "GO-2021-0059",
+ "description": "Due to improper bounds checking, maliciously crafted
JSON objects can cause an out-of-bounds panic. If parsing user input, this may
be used as a denial of service vector.",
+ "aliases": [
+ "CVE-2020-35380",
+ "GHSA-w942-gw6m-p62c"
+ ]
+ },
+ "products": [
+ {
+ "@id": "Unknown Product"
+ }
+ ],
+ "status": "not_affected",
+ "justification": "vulnerable_code_not_present",
+ "impact_statement": "Govulncheck determined that the vulnerable code
isn't called"
+ },
+ {
+ "vulnerability": {
+ "@id": "https://pkg.go.dev/vuln/GO-2021-0113";,
+ "name": "GO-2021-0113",
+ "description": "Due to improper index calculation, an incorrectly
formatted language tag can cause Parse to panic via an out of bounds read. If
Parse is used to process untrusted user inputs, this may be used as a vector
for a denial of service attack.",
+ "aliases": [
+ "CVE-2021-38561",
+ "GHSA-ppp9-7jff-5vj2"
+ ]
+ },
+ "products": [
+ {
+ "@id": "Unknown Product"
+ }
+ ],
+ "status": "affected"
+ },
+ {
+ "vulnerability": {
+ "@id": "https://pkg.go.dev/vuln/GO-2021-0265";,
+ "name": "GO-2021-0265",
+ "description": "A maliciously crafted path can cause Get and other
query functions to consume excessive amounts of CPU and time.",
+ "aliases": [
+ "CVE-2021-42248",
+ "CVE-2021-42836",
+ "GHSA-c9gm-7rfj-8w5h",
+ "GHSA-ppj4-34rq-v8j9"
+ ]
+ },
+ "products": [
+ {
+ "@id": "Unknown Product"
+ }
+ ],
+ "status": "affected"
+ }
+ ]
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/govulncheck-1.1.1/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_vex.ct
new/govulncheck-1.1.2/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_vex.ct
---
old/govulncheck-1.1.1/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_vex.ct
1970-01-01 01:00:00.000000000 +0100
+++
new/govulncheck-1.1.2/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_vex.ct
2024-06-06 16:46:51.000000000 +0200
@@ -0,0 +1,104 @@
+#####
+# Test vex json output
+$ govulncheck -C ${moddir}/vuln -format openvex ./...
+{
+ "@context": "https://openvex.dev/ns/v0.2.0";,
+ "@id":
"govulncheck/vex:b2e8274f24820051d79285827c4fe6e1912c99143a4693804b9a5c366ec5fb8d",
+ "author": "Unknown Author",
+ "timestamp": "2024-01-01T00:00:00",
+ "version": 1,
+ "tooling": "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck";,
+ "statements": [
+ {
+ "vulnerability": {
+ "@id": "https://pkg.go.dev/vuln/GO-2020-0015";,
+ "name": "GO-2020-0015",
+ "description": "Infinite loop when decoding some inputs in
golang.org/x/text",
+ "aliases": [
+ "CVE-2020-14040",
+ "GHSA-5rcv-m4m3-hfh7"
+ ]
+ },
+ "products": [
+ {
+ "@id": "Unknown Product"
+ }
+ ],
+ "status": "not_affected",
+ "justification": "vulnerable_code_not_present",
+ "impact_statement": "Govulncheck determined that the vulnerable code
isn't called"
+ },
+ {
+ "vulnerability": {
+ "@id": "https://pkg.go.dev/vuln/GO-2021-0054";,
+ "name": "GO-2021-0054",
+ "description": "Due to improper bounds checking, maliciously crafted
JSON objects can cause an out-of-bounds panic. If parsing user input, this may
be used as a denial of service vector.",
+ "aliases": [
+ "CVE-2020-36067",
+ "GHSA-p64j-r5f4-pwwx"
+ ]
+ },
+ "products": [
+ {
+ "@id": "Unknown Product"
+ }
+ ],
+ "status": "affected"
+ },
+ {
+ "vulnerability": {
+ "@id": "https://pkg.go.dev/vuln/GO-2021-0059";,
+ "name": "GO-2021-0059",
+ "description": "Due to improper bounds checking, maliciously crafted
JSON objects can cause an out-of-bounds panic. If parsing user input, this may
be used as a denial of service vector.",
+ "aliases": [
+ "CVE-2020-35380",
+ "GHSA-w942-gw6m-p62c"
+ ]
+ },
+ "products": [
+ {
+ "@id": "Unknown Product"
+ }
+ ],
+ "status": "not_affected",
+ "justification": "vulnerable_code_not_present",
+ "impact_statement": "Govulncheck determined that the vulnerable code
isn't called"
+ },
+ {
+ "vulnerability": {
+ "@id": "https://pkg.go.dev/vuln/GO-2021-0113";,
+ "name": "GO-2021-0113",
+ "description": "Due to improper index calculation, an incorrectly
formatted language tag can cause Parse to panic via an out of bounds read. If
Parse is used to process untrusted user inputs, this may be used as a vector
for a denial of service attack.",
+ "aliases": [
+ "CVE-2021-38561",
+ "GHSA-ppp9-7jff-5vj2"
+ ]
+ },
+ "products": [
+ {
+ "@id": "Unknown Product"
+ }
+ ],
+ "status": "affected"
+ },
+ {
+ "vulnerability": {
+ "@id": "https://pkg.go.dev/vuln/GO-2021-0265";,
+ "name": "GO-2021-0265",
+ "description": "A maliciously crafted path can cause Get and other
query functions to consume excessive amounts of CPU and time.",
+ "aliases": [
+ "CVE-2021-42248",
+ "CVE-2021-42836",
+ "GHSA-c9gm-7rfj-8w5h",
+ "GHSA-ppj4-34rq-v8j9"
+ ]
+ },
+ "products": [
+ {
+ "@id": "Unknown Product"
+ }
+ ],
+ "status": "affected"
+ }
+ ]
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/govulncheck-1.1.1/cmd/govulncheck/testdata/common/testfiles/usage/usage.ct
new/govulncheck-1.1.2/cmd/govulncheck/testdata/common/testfiles/usage/usage.ct
---
old/govulncheck-1.1.1/cmd/govulncheck/testdata/common/testfiles/usage/usage.ct
2024-05-21 23:23:08.000000000 +0200
+++
new/govulncheck-1.1.2/cmd/govulncheck/testdata/common/testfiles/usage/usage.ct
2024-06-06 16:46:51.000000000 +0200
@@ -14,7 +14,7 @@
vulnerability database url (default "https://vuln.go.dev";)
-format value
specify format output
- The supported values are 'text', 'json', and 'sarif' (default 'text')
+ The supported values are 'text', 'json', 'sarif', and 'openvex'
(default 'text')
-json
output JSON (Go compatible legacy flag, see format flag)
-mode value
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/govulncheck-1.1.1/cmd/govulncheck/testdata/strip/testfiles/binary/strip.ct
new/govulncheck-1.1.2/cmd/govulncheck/testdata/strip/testfiles/binary/strip.ct
---
old/govulncheck-1.1.1/cmd/govulncheck/testdata/strip/testfiles/binary/strip.ct
2024-05-21 23:23:08.000000000 +0200
+++
new/govulncheck-1.1.2/cmd/govulncheck/testdata/strip/testfiles/binary/strip.ct
2024-06-06 16:46:51.000000000 +0200
@@ -13,10 +13,12 @@
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Vulnerable symbols found:
- #1: language.MatchStrings
- #2: language.MustParse
- #3: language.Parse
- #4: language.ParseAcceptLanguage
+ #1: language.Compose
+ #2: language.Make
+ #3: language.MatchStrings
+ #4: language.MustParse
+ #5: language.Parse
+ Use '-show traces' to see the other 7 found symbols
Vulnerability #2: GO-2020-0015
Infinite loop when decoding some inputs in golang.org/x/text
@@ -31,5 +33,63 @@
Your code is affected by 2 vulnerabilities from 1 module.
This scan found no other vulnerabilities in packages you import or modules you
+require.
+Use '-show verbose' for more details.
+
+# The same as above but with '-show traces'.
+$ govulncheck -mode=binary -show traces ${strip_vuln_binary} --> FAIL 3
+=== Symbol Results ===
+
+Vulnerability #1: GO-2021-0113
+ Due to improper index calculation, an incorrectly formatted language tag
can
+ cause Parse to panic via an out of bounds read. If Parse is used to process
+ untrusted user inputs, this may be used as a vector for a denial of service
+ attack.
+ More info: https://pkg.go.dev/vuln/GO-2021-0113
+ Module: golang.org/x/text
+ Found in: golang.org/x/text@v0.3.0
+ Fixed in: golang.org/x/text@v0.3.7
+ Vulnerable symbols found:
+ #1: for function golang.org/x/text/language.Compose
+ golang.org/x/text/language.Compose
+ #2: for function golang.org/x/text/language.Make
+ golang.org/x/text/language.Make
+ #3: for function golang.org/x/text/language.MatchStrings
+ golang.org/x/text/language.MatchStrings
+ #4: for function golang.org/x/text/language.MustParse
+ golang.org/x/text/language.MustParse
+ #5: for function golang.org/x/text/language.Parse
+ golang.org/x/text/language.Parse
+ #6: for function golang.org/x/text/language.ParseAcceptLanguage
+ golang.org/x/text/language.ParseAcceptLanguage
+ #7: for function golang.org/x/text/language.Tag.Base
+ golang.org/x/text/language.Tag.Base
+ #8: for function golang.org/x/text/language.Tag.Extension
+ golang.org/x/text/language.Tag.Extension
+ #9: for function golang.org/x/text/language.Tag.IsRoot
+ golang.org/x/text/language.Tag.IsRoot
+ #10: for function golang.org/x/text/language.Tag.Parent
+ golang.org/x/text/language.Tag.Parent
+ #11: for function golang.org/x/text/language.Tag.Region
+ golang.org/x/text/language.Tag.Region
+ #12: for function golang.org/x/text/language.Tag.String
+ golang.org/x/text/language.Tag.String
+
+Vulnerability #2: GO-2020-0015
+ Infinite loop when decoding some inputs in golang.org/x/text
+ More info: https://pkg.go.dev/vuln/GO-2020-0015
+ Module: golang.org/x/text
+ Found in: golang.org/x/text@v0.3.0
+ Fixed in: golang.org/x/text@v0.3.3
+ Vulnerable symbols found:
+ #1: for function golang.org/x/text/transform.String
+ golang.org/x/text/transform.String
+ #2: for function golang.org/x/text/encoding/unicode.bomOverride.Transform
+ golang.org/x/text/encoding/unicode.bomOverride.Transform
+ #3: for function
golang.org/x/text/encoding/unicode.utf16Decoder.Transform
+ golang.org/x/text/encoding/unicode.utf16Decoder.Transform
+
+Your code is affected by 2 vulnerabilities from 1 module.
+This scan found no other vulnerabilities in packages you import or modules you
require.
Use '-show verbose' for more details.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/govulncheck-1.1.1/cmd/govulncheck/testdata/strip/vulndb-v1/ID/GO-2021-0113.json
new/govulncheck-1.1.2/cmd/govulncheck/testdata/strip/vulndb-v1/ID/GO-2021-0113.json
---
old/govulncheck-1.1.1/cmd/govulncheck/testdata/strip/vulndb-v1/ID/GO-2021-0113.json
2024-05-21 23:23:08.000000000 +0200
+++
new/govulncheck-1.1.2/cmd/govulncheck/testdata/strip/vulndb-v1/ID/GO-2021-0113.json
2024-06-06 16:46:51.000000000 +0200
@@ -1 +1 @@
-{"schema_version":"1.3.1","id":"GO-2021-0113","modified":"2023-04-03T15:57:51Z","published":"2021-10-06T17:51:21Z","aliases":["CVE-2021-38561","GHSA-ppp9-7jff-5vj2"],"details":"Due
to improper index calculation, an incorrectly formatted language tag can cause
Parse to panic via an out of bounds read. If Parse is used to process untrusted
user inputs, this may be used as a vector for a denial of service
attack.","affected":[{"package":{"name":"golang.org/x/text","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.3.7"}]}],"ecosystem_specific":{"imports":[{"path":"golang.org/x/text/language","symbols":["MatchStrings","MustParse","Parse","ParseAcceptLanguage"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/340830"},{"type":"FIX","url":"https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"}],"credits":[{"name":"Guido
Vranken"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0113"}}
\ No newline at end of file
+{"schema_version":"1.3.1","id":"GO-2021-0113","modified":"2023-04-03T15:57:51Z","published":"2021-10-06T17:51:21Z","aliases":["CVE-2021-38561","GHSA-ppp9-7jff-5vj2"],"details":"Due
to improper index calculation, an incorrectly formatted language tag can cause
Parse to panic via an out of bounds read. If Parse is used to process untrusted
user inputs, this may be used as a vector for a denial of service
attack.","affected":[{"package":{"name":"golang.org/x/text","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.3.7"}]}],"ecosystem_specific":{"imports":[{"path":"golang.org/x/text/language","symbols":["MatchStrings","MustParse","Parse","ParseAcceptLanguage","Compose","Make","Tag.Base","Tag.Extension","Tag.IsRoot","Tag.Parent","Tag.Region","Tag.String"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/340830"},{"type":"FIX","url":"https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"}],"credits":[{"name":"Guido
Vranken"
}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0113"}}
Binary files
old/govulncheck-1.1.1/cmd/govulncheck/testdata/strip/vulndb-v1/ID/GO-2021-0113.json.gz
and
new/govulncheck-1.1.2/cmd/govulncheck/testdata/strip/vulndb-v1/ID/GO-2021-0113.json.gz
differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/govulncheck-1.1.1/go.mod new/govulncheck-1.1.2/go.mod
--- old/govulncheck-1.1.1/go.mod 2024-05-21 23:23:08.000000000 +0200
+++ new/govulncheck-1.1.2/go.mod 2024-06-06 16:46:51.000000000 +0200
@@ -5,9 +5,13 @@
require (
github.com/google/go-cmdtest v0.4.1-0.20220921163831-55ab3332a786
github.com/google/go-cmp v0.6.0
- golang.org/x/mod v0.17.0
+ golang.org/x/mod v0.18.0
golang.org/x/sync v0.7.0
- golang.org/x/tools v0.21.1-0.20240514024235-59d9797072e7
+ golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7
+ golang.org/x/tools v0.22.0
)
-require github.com/google/renameio v0.1.0 // indirect
+require (
+ github.com/google/renameio v0.1.0 // indirect
+ golang.org/x/sys v0.21.0 // indirect
+)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/govulncheck-1.1.1/go.sum new/govulncheck-1.1.2/go.sum
--- old/govulncheck-1.1.1/go.sum 2024-05-21 23:23:08.000000000 +0200
+++ new/govulncheck-1.1.2/go.sum 2024-06-06 16:46:51.000000000 +0200
@@ -5,9 +5,13 @@
github.com/google/go-cmp v0.6.0/go.mod
h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/renameio v0.1.0
h1:GOZbcHa3HfsPKPlmyPyN2KEohoMXOhdMbHrvbpl2QaA=
github.com/google/renameio v0.1.0/go.mod
h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
-golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
-golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
+golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/tools v0.21.1-0.20240514024235-59d9797072e7
h1:DnP3aRQn/r68glNGB8/7+3iE77jA+YZZCxpfIXx2MdA=
-golang.org/x/tools v0.21.1-0.20240514024235-59d9797072e7/go.mod
h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
+golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7
h1:FemxDzfMUcK2f3YY4H+05K9CDzbSVr2+q/JKN45pey0=
+golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7/go.mod
h1:pRgIJT+bRLFKnoM1ldnzKoxTIn14Yxz928LQRYYgIN0=
+golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
+golang.org/x/tools v0.22.0/go.mod
h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/govulncheck-1.1.1/internal/govulncheck/govulncheck.go
new/govulncheck-1.1.2/internal/govulncheck/govulncheck.go
--- old/govulncheck-1.1.1/internal/govulncheck/govulncheck.go 2024-05-21
23:23:08.000000000 +0200
+++ new/govulncheck-1.1.2/internal/govulncheck/govulncheck.go 2024-06-06
16:46:51.000000000 +0200
@@ -37,10 +37,15 @@
// Message is an entry in the output stream. It will always have exactly one
// field filled in.
type Message struct {
- Config *Config `json:"config,omitempty"`
- Progress *Progress `json:"progress,omitempty"`
- OSV *osv.Entry `json:"osv,omitempty"`
- Finding *Finding `json:"finding,omitempty"`
+ Config *Config `json:"config,omitempty"`
+ Progress *Progress `json:"progress,omitempty"`
+ // OSV is emitted for every vulnerability in the current database
+ // that applies to user modules regardless of their version. If a
+ // module is being used at a vulnerable version, the corresponding
+ // OSV will be referenced in Findings depending on the type of usage
+ // and the desired scan level.
+ OSV *osv.Entry `json:"osv,omitempty"`
+ Finding *Finding `json:"finding,omitempty"`
}
// Config must occur as the first message of a stream and informs the client
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/govulncheck-1.1.1/internal/openvex/handler.go
new/govulncheck-1.1.2/internal/openvex/handler.go
--- old/govulncheck-1.1.1/internal/openvex/handler.go 1970-01-01
01:00:00.000000000 +0100
+++ new/govulncheck-1.1.2/internal/openvex/handler.go 2024-06-06
16:46:51.000000000 +0200
@@ -0,0 +1,183 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package openvex
+
+import (
+ "crypto/sha256"
+ "encoding/json"
+ "fmt"
+ "io"
+ "slices"
+ "time"
+
+ "golang.org/x/vuln/internal/govulncheck"
+ "golang.org/x/vuln/internal/osv"
+)
+
+type findingLevel int
+
+const (
+ invalid findingLevel = iota
+ required
+ imported
+ called
+)
+
+type handler struct {
+ w io.Writer
+ cfg *govulncheck.Config
+ osvs map[string]*osv.Entry
+ levels map[string]findingLevel
+}
+
+func NewHandler(w io.Writer) *handler {
+ return &handler{
+ w: w,
+ osvs: make(map[string]*osv.Entry),
+ levels: make(map[string]findingLevel),
+ }
+}
+
+func (h *handler) Config(cfg *govulncheck.Config) error {
+ h.cfg = cfg
+ return nil
+}
+
+func (h *handler) Progress(progress *govulncheck.Progress) error {
+ return nil
+}
+
+func (h *handler) OSV(e *osv.Entry) error {
+ h.osvs[e.ID] = e
+ return nil
+}
+
+// foundAtLevel returns the level at which a specific finding is present in the
+// scanned product.
+func foundAtLevel(f *govulncheck.Finding) findingLevel {
+ frame := f.Trace[0]
+ if frame.Function != "" {
+ return called
+ }
+ if frame.Package != "" {
+ return imported
+ }
+ return required
+}
+
+func (h *handler) Finding(f *govulncheck.Finding) error {
+ fLevel := foundAtLevel(f)
+ if fLevel > h.levels[f.OSV] {
+ h.levels[f.OSV] = fLevel
+ }
+ return nil
+}
+
+// Flush is used to print the vex json to w.
+// This is needed as vex is not streamed.
+func (h *handler) Flush() error {
+ doc := toVex(h)
+ out, err := json.MarshalIndent(doc, "", " ")
+ if err != nil {
+ return err
+ }
+ _, err = h.w.Write(out)
+ return err
+}
+
+func toVex(h *handler) Document {
+ doc := Document{
+ Context: ContextURI,
+ Author: DefaultAuthor,
+ Timestamp: time.Now().UTC(),
+ Version: 1,
+ Tooling: Tooling,
+ Statements: statements(h),
+ }
+
+ id := hashVex(doc)
+ doc.ID = "govulncheck/vex:" + id
+ return doc
+}
+
+// statements combines all OSVs found by govulncheck and generates the list of
+// vex statements with the proper affected level and justification to match the
+// openVex specification.
+func statements(h *handler) []Statement {
+ var scanLevel findingLevel
+ switch h.cfg.ScanLevel {
+ case govulncheck.ScanLevelModule:
+ scanLevel = required
+ case govulncheck.ScanLevelPackage:
+ scanLevel = imported
+ case govulncheck.ScanLevelSymbol:
+ scanLevel = called
+ }
+
+ var statements []Statement
+ for id, osv := range h.osvs {
+ description := osv.Summary
+ if description == "" {
+ description = osv.Details
+ }
+ s := Statement{
+ Vulnerability: Vulnerability{
+ ID:
fmt.Sprintf("https://pkg.go.dev/vuln/%s";, id),
+ Name: id,
+ Description: description,
+ Aliases: osv.Aliases,
+ },
+ Products: []Product{
+ {
+ ID: DefaultPID,
+ },
+ },
+ }
+
+ if h.levels[id] >= scanLevel {
+ s.Status = StatusAffected
+ } else {
+ s.Status = StatusNotAffected
+ s.ImpactStatement = Impact
+ s.Justification = JustificationNotPresent
+ // We only reach this case if running in symbol mode
+ if h.levels[id] == imported {
+ s.Justification = JustificationNotExecuted
+ }
+ }
+ statements = append(statements, s)
+ }
+
+ slices.SortFunc(statements, func(a, b Statement) int {
+ if a.Vulnerability.ID > b.Vulnerability.ID {
+ return 1
+ }
+ if a.Vulnerability.ID < b.Vulnerability.ID {
+ return -1
+ }
+ // this should never happen in practice, since statements are
being
+ // populated from a map with the vulnerability IDs as keys
+ return 0
+ })
+ return statements
+}
+
+func hashVex(doc Document) string {
+ // json.Marshal should never error here (because of the structure of
Document).
+ // If an error does occur, it won't be a jsonerror, but instead a panic
+ d := Document{
+ Context: doc.Context,
+ ID: doc.ID,
+ Author: doc.Author,
+ Version: doc.Version,
+ Tooling: doc.Tooling,
+ Statements: doc.Statements,
+ }
+ out, err := json.Marshal(d)
+ if err != nil {
+ panic(err)
+ }
+ return fmt.Sprintf("%x", sha256.Sum256(out))
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/govulncheck-1.1.1/internal/openvex/handler_test.go
new/govulncheck-1.1.2/internal/openvex/handler_test.go
--- old/govulncheck-1.1.1/internal/openvex/handler_test.go 1970-01-01
01:00:00.000000000 +0100
+++ new/govulncheck-1.1.2/internal/openvex/handler_test.go 2024-06-06
16:46:51.000000000 +0200
@@ -0,0 +1,70 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package openvex
+
+import (
+ "testing"
+
+ "golang.org/x/vuln/internal/govulncheck"
+)
+
+func TestFinding(t *testing.T) {
+ const id1 = "ID1"
+ tests := []struct {
+ name string
+ id string
+ findings []*govulncheck.Finding
+ want findingLevel
+ }{
+ {
+ name: "multiple",
+ id: id1,
+ findings: []*govulncheck.Finding{
+ {
+ OSV: id1,
+ Trace: []*govulncheck.Frame{
+ {
+ Module: "mod",
+ Package: "pkg",
+ },
+ },
+ },
+ {
+ OSV: id1,
+ Trace: []*govulncheck.Frame{
+ {
+ Module: "mod",
+ Package: "pkg",
+ Function: "func",
+ },
+ },
+ },
+ {
+ OSV: id1,
+ Trace: []*govulncheck.Frame{
+ {
+ Module: "mod",
+ },
+ },
+ },
+ },
+ want: called,
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ h := NewHandler(nil)
+ for _, f := range tt.findings {
+ if err := h.Finding(f); err != nil {
+ t.Errorf("handler.Finding() error =
%v", err)
+ }
+ }
+ got := h.levels[tt.id]
+ if got != tt.want {
+ t.Errorf("want %v; got %v", tt.want, got)
+ }
+ })
+ }
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/govulncheck-1.1.1/internal/openvex/vex.go
new/govulncheck-1.1.2/internal/openvex/vex.go
--- old/govulncheck-1.1.1/internal/openvex/vex.go 2024-05-21
23:23:08.000000000 +0200
+++ new/govulncheck-1.1.2/internal/openvex/vex.go 2024-06-06
16:46:51.000000000 +0200
@@ -7,6 +7,9 @@
//
// These types match the OpenVEX standard. See https://github.com/openvex for
// more information on VEX and OpenVEX.
+//
+// This is intended to be the minimimal amount of information required to
output
+// a complete VEX document according to the specification.
package openvex
import "time"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/govulncheck-1.1.1/internal/osv/osv.go
new/govulncheck-1.1.2/internal/osv/osv.go
--- old/govulncheck-1.1.1/internal/osv/osv.go 2024-05-21 23:23:08.000000000
+0200
+++ new/govulncheck-1.1.2/internal/osv/osv.go 2024-06-06 16:46:51.000000000
+0200
@@ -235,4 +235,6 @@
// The URL of the Go advisory for this vulnerability, of the form
// "https://pkg.go.dev/GO-YYYY-XXXX";.
URL string `json:"url,omitempty"`
+ // The review status of this report (UNREVIEWED or REVIEWED).
+ ReviewStatus ReviewStatus `json:"review_status,omitempty"`
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/govulncheck-1.1.1/internal/osv/review_status.go
new/govulncheck-1.1.2/internal/osv/review_status.go
--- old/govulncheck-1.1.1/internal/osv/review_status.go 1970-01-01
01:00:00.000000000 +0100
+++ new/govulncheck-1.1.2/internal/osv/review_status.go 2024-06-06
16:46:51.000000000 +0200
@@ -0,0 +1,67 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package osv
+
+import (
+ "encoding/json"
+ "fmt"
+)
+
+type ReviewStatus int
+
+const (
+ ReviewStatusUnknown ReviewStatus = iota
+ ReviewStatusUnreviewed
+ ReviewStatusReviewed
+)
+
+var statusStrs = []string{
+ ReviewStatusUnknown: "",
+ ReviewStatusUnreviewed: "UNREVIEWED",
+ ReviewStatusReviewed: "REVIEWED",
+}
+
+func (r ReviewStatus) String() string {
+ if !r.IsValid() {
+ return fmt.Sprintf("INVALID(%d)", r)
+ }
+ return statusStrs[r]
+}
+
+func ReviewStatusValues() []string {
+ return statusStrs[1:]
+}
+
+func (r ReviewStatus) IsValid() bool {
+ return int(r) >= 0 && int(r) < len(statusStrs)
+}
+
+func ToReviewStatus(s string) (ReviewStatus, bool) {
+ for stat, str := range statusStrs {
+ if s == str {
+ return ReviewStatus(stat), true
+ }
+ }
+ return 0, false
+}
+
+func (r ReviewStatus) MarshalJSON() ([]byte, error) {
+ if !r.IsValid() {
+ return nil, fmt.Errorf("MarshalJSON: unrecognized review
status: %d", r)
+ }
+ return json.Marshal(r.String())
+}
+
+func (r *ReviewStatus) UnmarshalJSON(b []byte) error {
+ var s string
+ if err := json.Unmarshal(b, &s); err != nil {
+ return err
+ }
+ if rs, ok := ToReviewStatus(s); ok {
+ *r = rs
+ return nil
+ }
+ return fmt.Errorf("UnmarshalJSON: unrecognized review status: %s", s)
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/govulncheck-1.1.1/internal/sarif/sarif.go
new/govulncheck-1.1.2/internal/sarif/sarif.go
--- old/govulncheck-1.1.1/internal/sarif/sarif.go 2024-05-21
23:23:08.000000000 +0200
+++ new/govulncheck-1.1.2/internal/sarif/sarif.go 2024-06-06
16:46:51.000000000 +0200
@@ -39,7 +39,7 @@
// Properties field of a Tool.Driver is a govulncheck.Config used for the
// invocation of govulncheck producing the Results. Properties field of
// a Rule contains information on CVE and GHSA aliases for the corresponding
-// rule OSV. Clients can use this information to, say, supress and filter
+// rule OSV. Clients can use this information to, say, suppress and filter
// vulnerabilities.
//
// Please see the definition of types below for more information.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/govulncheck-1.1.1/internal/scan/flags.go
new/govulncheck-1.1.2/internal/scan/flags.go
--- old/govulncheck-1.1.1/internal/scan/flags.go 2024-05-21
23:23:08.000000000 +0200
+++ new/govulncheck-1.1.2/internal/scan/flags.go 2024-06-06
16:46:51.000000000 +0200
@@ -42,7 +42,7 @@
flags.Var(&modeFlag, "mode", "supports 'source', 'binary', and
'extract' (default 'source')")
flags.Var(&cfg.tags, "tags", "comma-separated `list` of build tags")
flags.Var(&cfg.show, "show", "enable display of additional information
specified by the comma separated `list`\nThe supported values are
'traces','color', 'version', and 'verbose'")
- flags.Var(&cfg.format, "format", "specify format output\nThe supported
values are 'text', 'json', and 'sarif' (default 'text')")
+ flags.Var(&cfg.format, "format", "specify format output\nThe supported
values are 'text', 'json', 'sarif', and 'openvex' (default 'text')")
flags.BoolVar(&version, "version", false, "print the version
information")
flags.Var(&scanFlag, "scan", "set the scanning level desired, one of
'module', 'package', or 'symbol' (default 'symbol')")
@@ -236,16 +236,18 @@
type FormatFlag string
const (
- formatUnset = ""
- formatJSON = "json"
- formatText = "text"
- formatSarif = "sarif"
+ formatUnset = ""
+ formatJSON = "json"
+ formatText = "text"
+ formatSarif = "sarif"
+ formatOpenVEX = "openvex"
)
var supportedFormats = map[string]bool{
- formatJSON: true,
- formatText: true,
- formatSarif: true,
+ formatJSON: true,
+ formatText: true,
+ formatSarif: true,
+ formatOpenVEX: true,
}
func (f *FormatFlag) Get() interface{} { return *f }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/govulncheck-1.1.1/internal/scan/run.go
new/govulncheck-1.1.2/internal/scan/run.go
--- old/govulncheck-1.1.1/internal/scan/run.go 2024-05-21 23:23:08.000000000
+0200
+++ new/govulncheck-1.1.2/internal/scan/run.go 2024-06-06 16:46:51.000000000
+0200
@@ -15,8 +15,10 @@
"strings"
"time"
+ "golang.org/x/telemetry/counter"
"golang.org/x/vuln/internal/client"
"golang.org/x/vuln/internal/govulncheck"
+ "golang.org/x/vuln/internal/openvex"
"golang.org/x/vuln/internal/sarif"
)
@@ -41,6 +43,8 @@
handler = govulncheck.NewJSONHandler(stdout)
case formatSarif:
handler = sarif.NewHandler(stdout)
+ case formatOpenVEX:
+ handler = openvex.NewHandler(stdout)
default:
th := NewTextHandler(stdout)
cfg.show.Update(th)
@@ -51,6 +55,8 @@
return err
}
+ incTelemetryFlagCounters(cfg)
+
switch cfg.ScanMode {
case govulncheck.ScanModeSource:
dir := filepath.FromSlash(cfg.dir)
@@ -133,6 +139,19 @@
cfg.ScannerVersion = buf.String()
}
+func incTelemetryFlagCounters(cfg *config) {
+ counter.Inc(fmt.Sprintf("govulncheck/mode:%s", cfg.ScanMode))
+ counter.Inc(fmt.Sprintf("govulncheck/scan:%s", cfg.ScanLevel))
+ counter.Inc(fmt.Sprintf("govulncheck/format:%s", cfg.format))
+
+ if len(cfg.show) == 0 {
+ counter.Inc("govulncheck/show:none")
+ }
+ for _, s := range cfg.show {
+ counter.Inc(fmt.Sprintf("govulncheck/show:%s", s))
+ }
+}
+
func Flush(h govulncheck.Handler) error {
if th, ok := h.(interface{ Flush() error }); ok {
return th.Flush()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/govulncheck-1.1.1/internal/scan/text.go
new/govulncheck-1.1.2/internal/scan/text.go
--- old/govulncheck-1.1.1/internal/scan/text.go 2024-05-21 23:23:08.000000000
+0200
+++ new/govulncheck-1.1.2/internal/scan/text.go 2024-06-06 16:46:51.000000000
+0200
@@ -297,23 +297,37 @@
return symbol(traces[i].Trace[0], true) <
symbol(traces[j].Trace[0], true)
})
- first := true
- count := 1
- for _, entry := range traces {
- if entry.Compact == "" {
- continue // skip package and module level traces
+ // compacts are finding summaries with compact traces
+ // suitable for non-verbose textual output. Currently,
+ // only traces produced by symbol analysis.
+ var compacts []*findingSummary
+ for _, t := range traces {
+ if t.Compact != "" {
+ compacts = append(compacts, t)
}
- if first {
+ }
+
+ // binLimit is a limit on the number of binary traces
+ // to show. Traces for binaries are less interesting
+ // as users cannot act on them and they can hence
+ // spam users.
+ const binLimit = 5
+ for i, entry := range compacts {
+ if i == 0 {
if h.scanMode == govulncheck.ScanModeBinary {
h.style(keyStyle, " Vulnerable symbols
found:\n")
} else {
h.style(keyStyle, " Example traces found:\n")
}
}
- first = false
- h.print(" #", count, ": ")
- count++
+ // skip showing all symbols in binary mode unless '-show
traces' is on.
+ if h.scanMode == govulncheck.ScanModeBinary && (i+1) > binLimit
&& !h.showTraces {
+ h.print(" Use '-show traces' to see the other ",
len(compacts)-binLimit, " found symbols\n")
+ break
+ }
+
+ h.print(" #", i+1, ": ")
if !h.showTraces {
h.print(entry.Compact, "\n")
} else {
++++++ vendor.tar.gz ++++++
++++ 35094 lines of diff (skipped)
