From 1a5d3d8790ffc1f33876533129dcfb28cd9825b9 Mon Sep 17 00:00:00 2001 From: Julie Qiu Date: Tue, 18 Apr 2023 13:53:19 -0400 Subject: [PATCH] cmd/govulncheck/testdata: add test for json mode for multiple entry points When govulncheck finds that the same vulnerable symbol is called more than once, only one invocation is displayed to the user in -json mode. Add a test for this behavior, before it is changed in a later CL. For golang/go#59485 Change-Id: I667e3e3c9c113991383b040191edb25858f992bb Reviewed-on: https://go-review.googlesource.com/c/vuln/+/485898 Auto-Submit: Julie Qiu Run-TryBot: Julie Qiu Reviewed-by: Julie Qiu Reviewed-by: Tatiana Bradley TryBot-Result: Gopher Robot Reviewed-by: Zvonimir Pavlinovic --- cmd/govulncheck/testdata/multientry_json.ct | 165 ++++++++++++++++++++ 1 file changed, 165 insertions(+) create mode 100644 cmd/govulncheck/testdata/multientry_json.ct diff --git a/cmd/govulncheck/testdata/multientry_json.ct b/cmd/govulncheck/testdata/multientry_json.ct new file mode 100644 index 00000000..d0109b41 --- /dev/null +++ b/cmd/govulncheck/testdata/multientry_json.ct @@ -0,0 +1,165 @@ +$ govulncheck -json -C ${moddir}/multientry . +{ + "config": { + "version": govulncheck@v0.0.0-00000000000-20000101010101 + "data_source": "testdata/vulndb-v1", + "last_modified": "2023-04-03T15:57:51Z", + "go_version": "go1.18" + } +} +{ + "progress": { + "message": "Scanning your code and P packages across M dependent module for known vulnerabilities..." + } +} +{ + "vulnerability": { + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0113", + "modified": "2023-04-03T15:57:51Z", + "published": "2021-10-06T17:51:21Z", + "aliases": [ + "CVE-2021-38561", + "GHSA-ppp9-7jff-5vj2" + ], + "details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.", + "affected": [ + { + "package": { + "name": "golang.org/x/text", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.3.7" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/text/language", + "symbols": [ + "MatchStrings", + "MustParse", + "Parse", + "ParseAcceptLanguage" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/340830" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f" + } + ], + "credits": [ + { + "name": "Guido Vranken" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0113" + } + }, + "modules": [ + { + "path": "golang.org/x/text", + "found_version": "v0.3.5", + "fixed_version": "v0.3.7", + "packages": [ + { + "path": "golang.org/x/text/language", + "callstacks": [ + { + "symbol": "MustParse", + "summary": ".../main.go:99:20: golang.org/multientry.foobar calls golang.org/x/text/language.MustParse", + "frames": [ + { + "package": "golang.org/multientry", + "function": "main", + "position": { + "filename": ".../main.go", + "offset": 441, + "line": 26, + "column": 3 + } + }, + { + "package": "golang.org/multientry", + "function": "D", + "position": { + "filename": ".../main.go", + "offset": 705, + "line": 48, + "column": 8 + } + }, + { + "package": "golang.org/multientry", + "function": "foobar", + "position": { + "filename": ".../main.go", + "offset": 1694, + "line": 99, + "column": 20 + } + }, + { + "package": "golang.org/x/text/language", + "function": "MustParse" + } + ] + }, + { + "symbol": "Parse", + "summary": ".../main.go:44:23: golang.org/multientry.C calls golang.org/x/text/language.Parse", + "frames": [ + { + "package": "golang.org/multientry", + "function": "main", + "position": { + "filename": ".../main.go", + "offset": 340, + "line": 22, + "column": 3 + } + }, + { + "package": "golang.org/multientry", + "function": "C", + "position": { + "filename": ".../main.go", + "offset": 679, + "line": 44, + "column": 23 + } + }, + { + "package": "golang.org/x/text/language", + "function": "Parse" + } + ] + } + ] + } + ] + } + ] + } +}