From 5507063454b1b8c930db99818a88b52f1f143418 Mon Sep 17 00:00:00 2001
From: Zvonimir Pavlinovic
Date: Tue, 6 Feb 2024 18:09:38 +0000
Subject: [PATCH] cmd/govulncheck: mask line numbers and columns

These can in principle change for stdlib. Although we always pretend we are running against go1.18, the actual stdlib underneath can be different. This could result in different line numbers and columns. There currently does not exist a clean way of masking line position for stdlib paths, so we mask everything with placeholders.

Change-Id: I08628acbf10aa3f36b969bac5745ae3b4d52f284
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/562215
LUCI-TryBot-Result: Go LUCI
TryBot-Result: Gopher Robot
Reviewed-by: Maceo Thompson
Run-TryBot: Zvonimir Pavlinovic
---
 cmd/govulncheck/main_test.go | 17 ++++++
 .../testfiles/convert/convert_text.ct | 4 +-
 .../testfiles/source-call/source_call_json.ct | 60 +++++++++----------
 .../testfiles/source-call/source_call_text.ct | 32 +++++-----
 .../source-call/source_multientry_json.ct | 42 ++++++-------
 .../source-call/source_multientry_text.ct | 18 +++---
 .../source-call/source_replace_text.ct | 2 +-
 .../source-call/source_stdlib_text.ct | 6 +-
 .../source-call/source_subdir_text.ct | 6 +-
 .../source-call/source_vendored_json.ct | 30 +++++-----
 .../source-call/source_vendored_text.ct | 4 +-
 .../source-call/source_wholemodvuln_text.ct | 4 +-
 12 files changed, 121 insertions(+), 104 deletions(-)

diff --git a/cmd/govulncheck/main_test.go b/cmd/govulncheck/main_test.go
index 49445f3..f7f4179 100644
--- a/cmd/govulncheck/main_test.go
+++ b/cmd/govulncheck/main_test.go
@@ -51,6 +51,23 @@ var fixups = []fixup{
 s := string(b)
 return []byte(fmt.Sprintf(`.../%s%c`, filepath.Base(s[:len(s)-1]), s[len(s)-1]))
 },
+ }, {
+ // modifies position lines to mask actual line and column with and
+ // placeholders, resp.
+ pattern: `\.go:(\d+):(\d+):`,
+ replace: `.go:::`,
+ }, {
+ // modify position lines in json
+ pattern: `\"line\":(\s)*(\d+)`,
+ replace: `"line": `,
+ }, {
+ // modify position columns in json
+ pattern: `\"column\":(\s)*(\d+)`,
+ replace: `"column": `,
+ }, {
+ // modify position offset in json
+ pattern: `\"offset\":(\s)*(\d+)`,
+ replace: `"offset": `,
 }, {
 // There was a one-line change in container/heap/heap.go between 1.18
 // and 1.19 that makes the stack traces different. Ignore it.
diff --git a/cmd/govulncheck/testdata/testfiles/convert/convert_text.ct b/cmd/govulncheck/testdata/testfiles/convert/convert_text.ct
index 91a175b..5102b38 100644
--- a/cmd/govulncheck/testdata/testfiles/convert/convert_text.ct
+++ b/cmd/govulncheck/testdata/testfiles/convert/convert_text.ct
@@ -14,7 +14,7 @@ Vulnerability #1: GO-2021-0265
 Found in: github.com/tidwall/gjson@v1.6.5
 Fixed in: github.com/tidwall/gjson@v1.9.3
 Example traces found:
- #1: .../vuln.go:14:20: vuln.main calls gjson.Result.Get
+ #1: .../vuln.go::: vuln.main calls gjson.Result.Get

 Vulnerability #2: GO-2021-0113
 Due to improper index calculation, an incorrectly formatted language tag can
@@ -26,7 +26,7 @@ Vulnerability #2: GO-2021-0113
 Found in: golang.org/x/text@v0.3.0
 Fixed in: golang.org/x/text@v0.3.7
 Example traces found:
- #1: .../vuln.go:13:16: vuln.main calls language.Parse
+ #1: .../vuln.go::: vuln.main calls language.Parse

 Your code is affected by 2 vulnerabilities from 2 modules.
 This scan also found 1 vulnerability in packages you import and 0
diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_call_json.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_call_json.ct
index 528a25d..464b268 100644
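Review bot: The four new fixups mask line, column and offset in every file, not only stdlib ones — the `.ct` hunks below show the test modules' own `.../vuln.go:14:20:` traces being blanked as well — so a regression that reports a wrong position for user code would now pass the golden comparison unnoticed; since the description says this breadth is a stopgap, a comment on the first new fixup such as `// TODO: restrict masking to stdlib/vendored paths once positions can be attributed to a module; masking user-code positions weakens these tests.` would record that for the next maintainer. The capturing groups in `\.go:(\d+):(\d+):` and `\"line\":(\s)*(\d+)` are never referenced by the replacements, so `\.go:\d+:\d+:` and `"line":\s*\d+` express the same patterns more plainly, and the `\"` escapes are unnecessary inside a raw-string pattern. As rendered here the replacement strings read as `.go:::` and `"line": ` and the first comment reads `with and placeholders, resp.`; if placeholder tokens were dropped in rendering, the comment should spell out the exact placeholder text so it can be checked against the expected-output files. The `fixups` slice begins before this hunk.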
--- a/cmd/govulncheck/testdata/testfiles/source-call/source_call_json.ct +++ b/cmd/govulncheck/testdata/testfiles/source-call/source_call_json.ct @@ -252,9 +252,9 @@ $ govulncheck -C ${moddir}/vuln -json ./... "receiver": "Result", "position": { "filename": ".../gjson.go", - "offset": 5744, - "line": 296, - "column": 17 + "offset": , + "line": , + "column": } }, { @@ -263,9 +263,9 @@ $ govulncheck -C ${moddir}/vuln -json ./... "function": "main", "position": { "filename": ".../vuln.go", - "offset": 183, - "line": 14, - "column": 20 + "offset": , + "line": , + "column": } } ] @@ -373,9 +373,9 @@ $ govulncheck -C ${moddir}/vuln -json ./... "function": "Parse", "position": { "filename": ".../parse.go", - "offset": 5808, - "line": 228, - "column": 6 + "offset": , + "line": , + "column": } }, { @@ -384,9 +384,9 @@ $ govulncheck -C ${moddir}/vuln -json ./... "function": "main", "position": { "filename": ".../vuln.go", - "offset": 159, - "line": 13, - "column": 16 + "offset": , + "line": , + "column": } } ] @@ -493,9 +493,9 @@ $ govulncheck -C ${moddir}/vuln -json ./... "receiver": "Result", "position": { "filename": ".../gjson.go", - "offset": 4415, - "line": 220, - "column": 17 + "offset": , + "line": , + "column": } }, { @@ -505,9 +505,9 @@ $ govulncheck -C ${moddir}/vuln -json ./... "function": "modPretty", "position": { "filename": ".../gjson.go", - "offset": 53718, - "line": 2631, - "column": 21 + "offset": , + "line": , + "column": } }, { @@ -517,9 +517,9 @@ $ govulncheck -C ${moddir}/vuln -json ./... "function": "execModifier", "position": { "filename": ".../gjson.go", - "offset": 52543, - "line": 2587, - "column": 21 + "offset": , + "line": , + "column": } }, { @@ -529,9 +529,9 @@ $ govulncheck -C ${moddir}/vuln -json ./... "function": "Get", "position": { "filename": ".../gjson.go", - "offset": 38077, - "line": 1881, - "column": 36 + "offset": , + "line": , + "column": } }, { 
@@ -542,9 +542,9 @@ $ govulncheck -C ${moddir}/vuln -json ./... "receiver": "Result", "position": { "filename": ".../gjson.go", - "offset": 5781, - "line": 297, - "column": 12 + "offset": , + "line": , + "column": } }, { @@ -553,9 +553,9 @@ $ govulncheck -C ${moddir}/vuln -json ./... "function": "main", "position": { "filename": ".../vuln.go", - "offset": 183, - "line": 14, - "column": 20 + "offset": , + "line": , + "column": } } ] diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_call_text.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_call_text.ct index e7210f1..8cfff17 100644 --- a/cmd/govulncheck/testdata/testfiles/source-call/source_call_text.ct +++ b/cmd/govulncheck/testdata/testfiles/source-call/source_call_text.ct @@ -13,7 +13,7 @@ Vulnerability #1: GO-2021-0265 Found in: github.com/tidwall/gjson@v1.6.5 Fixed in: github.com/tidwall/gjson@v1.9.3 Example traces found: - #1: .../vuln.go:14:20: vuln.main calls gjson.Result.Get + #1: .../vuln.go::: vuln.main calls gjson.Result.Get Vulnerability #2: GO-2021-0113 Due to improper index calculation, an incorrectly formatted language tag can @@ -25,7 +25,7 @@ Vulnerability #2: GO-2021-0113 Found in: golang.org/x/text@v0.3.0 Fixed in: golang.org/x/text@v0.3.7 Example traces found: - #1: .../vuln.go:13:16: vuln.main calls language.Parse + #1: .../vuln.go::: vuln.main calls language.Parse Vulnerability #3: GO-2021-0054 Due to improper bounds checking, maliciously crafted JSON objects can cause @@ -36,7 +36,7 @@ Vulnerability #3: GO-2021-0054 Found in: github.com/tidwall/gjson@v1.6.5 Fixed in: github.com/tidwall/gjson@v1.6.6 Example traces found: - #1: .../vuln.go:14:20: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach + #1: .../vuln.go::: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach Your code is affected by 3 vulnerabilities from 2 modules. This scan also found 0 vulnerabilities in packages you import and 2 
@@ -60,8 +60,8 @@ Vulnerability #1: GO-2021-0265 Fixed in: github.com/tidwall/gjson@v1.9.3 Example traces found: #1: for function github.com/tidwall/gjson.Result.Get - .../vuln.go:14:20: golang.org/vuln.main - .../gjson.go:296:17: github.com/tidwall/gjson.Result.Get + .../vuln.go::: golang.org/vuln.main + .../gjson.go::: github.com/tidwall/gjson.Result.Get Vulnerability #2: GO-2021-0113 Due to improper index calculation, an incorrectly formatted language tag can @@ -74,8 +74,8 @@ Vulnerability #2: GO-2021-0113 Fixed in: golang.org/x/text@v0.3.7 Example traces found: #1: for function golang.org/x/text/language.Parse - .../vuln.go:13:16: golang.org/vuln.main - .../parse.go:228:6: golang.org/x/text/language.Parse + .../vuln.go::: golang.org/vuln.main + .../parse.go::: golang.org/x/text/language.Parse Vulnerability #3: GO-2021-0054 Due to improper bounds checking, maliciously crafted JSON objects can cause @@ -87,12 +87,12 @@ Vulnerability #3: GO-2021-0054 Fixed in: github.com/tidwall/gjson@v1.6.6 Example traces found: #1: for function github.com/tidwall/gjson.Result.ForEach - .../vuln.go:14:20: golang.org/vuln.main - .../gjson.go:297:12: github.com/tidwall/gjson.Result.Get - .../gjson.go:1881:36: github.com/tidwall/gjson.Get - .../gjson.go:2587:21: github.com/tidwall/gjson.execModifier - .../gjson.go:2631:21: github.com/tidwall/gjson.modPretty - .../gjson.go:220:17: github.com/tidwall/gjson.Result.ForEach + .../vuln.go::: golang.org/vuln.main + .../gjson.go::: github.com/tidwall/gjson.Result.Get + .../gjson.go::: github.com/tidwall/gjson.Get + .../gjson.go::: github.com/tidwall/gjson.execModifier + .../gjson.go::: github.com/tidwall/gjson.modPretty + .../gjson.go::: github.com/tidwall/gjson.Result.ForEach Your code is affected by 3 vulnerabilities from 2 modules. This scan also found 0 vulnerabilities in packages you import and 2 
@@ -115,7 +115,7 @@ Vulnerability #1: GO-2021-0265 Found in: github.com/tidwall/gjson@v1.6.5 Fixed in: github.com/tidwall/gjson@v1.9.3 Example traces found: - #1: .../vuln.go:14:20: vuln.main calls gjson.Result.Get + #1: .../vuln.go::: vuln.main calls gjson.Result.Get Vulnerability #2: GO-2021-0113 Due to improper index calculation, an incorrectly formatted language tag can @@ -127,7 +127,7 @@ Vulnerability #2: GO-2021-0113 Found in: golang.org/x/text@v0.3.0 Fixed in: golang.org/x/text@v0.3.7 Example traces found: - #1: .../vuln.go:13:16: vuln.main calls language.Parse + #1: .../vuln.go::: vuln.main calls language.Parse Vulnerability #3: GO-2021-0054 Due to improper bounds checking, maliciously crafted JSON objects can cause @@ -138,7 +138,7 @@ Vulnerability #3: GO-2021-0054 Found in: github.com/tidwall/gjson@v1.6.5 Fixed in: github.com/tidwall/gjson@v1.6.6 Example traces found: - #1: .../vuln.go:14:20: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach + #1: .../vuln.go::: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach === Package Results === diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_multientry_json.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_multientry_json.ct index b363eac..ca5e214 100644 --- a/cmd/govulncheck/testdata/testfiles/source-call/source_multientry_json.ct +++ b/cmd/govulncheck/testdata/testfiles/source-call/source_multientry_json.ct @@ -243,9 +243,9 @@ $ govulncheck -json -C ${moddir}/multientry . "function": "MustParse", "position": { "filename": ".../tags.go", - "offset": 427, - "line": 13, - "column": 6 + "offset": , + "line": , + "column": } }, { @@ -254,9 +254,9 @@ $ govulncheck -json -C ${moddir}/multientry . "function": "foobar", "position": { "filename": ".../main.go", - "offset": 1694, - "line": 99, - "column": 20 + "offset": , + "line": , + "column": } }, { 
@@ -265,9 +265,9 @@ $ govulncheck -json -C ${moddir}/multientry . "function": "D", "position": { "filename": ".../main.go", - "offset": 705, - "line": 48, - "column": 8 + "offset": , + "line": , + "column": } }, { @@ -276,9 +276,9 @@ $ govulncheck -json -C ${moddir}/multientry . "function": "main", "position": { "filename": ".../main.go", - "offset": 441, - "line": 26, - "column": 3 + "offset": , + "line": , + "column": } } ] @@ -296,9 +296,9 @@ $ govulncheck -json -C ${moddir}/multientry . "function": "Parse", "position": { "filename": ".../parse.go", - "offset": 1121, - "line": 33, - "column": 6 + "offset": , + "line": , + "column": } }, { @@ -307,9 +307,9 @@ $ govulncheck -json -C ${moddir}/multientry . "function": "C", "position": { "filename": ".../main.go", - "offset": 679, - "line": 44, - "column": 23 + "offset": , + "line": , + "column": } }, { @@ -318,9 +318,9 @@ $ govulncheck -json -C ${moddir}/multientry . "function": "main", "position": { "filename": ".../main.go", - "offset": 340, - "line": 22, - "column": 3 + "offset": , + "line": , + "column": } } ] diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_multientry_text.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_multientry_text.ct index 42bc78b..4c0d2b6 100644 --- a/cmd/govulncheck/testdata/testfiles/source-call/source_multientry_text.ct +++ b/cmd/govulncheck/testdata/testfiles/source-call/source_multientry_text.ct @@ -15,8 +15,8 @@ Vulnerability #1: GO-2021-0113 Found in: golang.org/x/text@v0.3.5 Fixed in: golang.org/x/text@v0.3.7 Example traces found: - #1: .../main.go:99:20: multientry.foobar calls language.MustParse - #2: .../main.go:44:23: multientry.C calls language.Parse + #1: .../main.go::: multientry.foobar calls language.MustParse + #2: .../main.go::: multientry.C calls language.Parse Your code is affected by 1 vulnerability from 1 module. This scan also found 0 vulnerabilities in packages you import and 1 
@@ -42,14 +42,14 @@ Vulnerability #1: GO-2021-0113 Fixed in: golang.org/x/text@v0.3.7 Example traces found: #1: for function golang.org/x/text/language.MustParse - .../main.go:26:3: golang.org/multientry.main - .../main.go:48:8: golang.org/multientry.D - .../main.go:99:20: golang.org/multientry.foobar - .../tags.go:13:6: golang.org/x/text/language.MustParse + .../main.go::: golang.org/multientry.main + .../main.go::: golang.org/multientry.D + .../main.go::: golang.org/multientry.foobar + .../tags.go::: golang.org/x/text/language.MustParse #2: for function golang.org/x/text/language.Parse - .../main.go:22:3: golang.org/multientry.main - .../main.go:44:23: golang.org/multientry.C - .../parse.go:33:6: golang.org/x/text/language.Parse + .../main.go::: golang.org/multientry.main + .../main.go::: golang.org/multientry.C + .../parse.go::: golang.org/x/text/language.Parse === Package Results === diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_replace_text.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_replace_text.ct index c0cec05..aec9244 100644 --- a/cmd/govulncheck/testdata/testfiles/source-call/source_replace_text.ct +++ b/cmd/govulncheck/testdata/testfiles/source-call/source_replace_text.ct @@ -16,7 +16,7 @@ Vulnerability #1: GO-2021-0113 Found in: golang.org/x/text@v0.3.0 Fixed in: golang.org/x/text@v0.3.7 Example traces found: - #1: .../main.go:11:16: replace.main calls language.Parse + #1: .../main.go::: replace.main calls language.Parse Your code is affected by 1 vulnerability from 1 module. This scan also found 0 vulnerabilities in packages you import and 2 diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_stdlib_text.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_stdlib_text.ct index 84efa96..23c283b 100644 --- a/cmd/govulncheck/testdata/testfiles/source-call/source_stdlib_text.ct +++ b/cmd/govulncheck/testdata/testfiles/source-call/source_stdlib_text.ct 
@@ -14,7 +14,7 @@ Vulnerability #1: GO-2022-0969 Found in: net/http@go1.18 Fixed in: net/http@go1.18.6 Example traces found: - #1: .../stdlib.go:17:31: stdlib.main calls http.ListenAndServe + #1: .../stdlib.go::: stdlib.main calls http.ListenAndServe Your code is affected by 1 vulnerability from the Go standard library. This scan found no other vulnerabilities in packages you import or modules you @@ -38,8 +38,8 @@ Vulnerability #1: GO-2022-0969 Fixed in: net/http@go1.18.6 Example traces found: #1: for function net/http.ListenAndServe - .../stdlib.go:17:31: golang.org/stdlib.main - .../server.go:3439:6: net/http.ListenAndServe + .../stdlib.go::: golang.org/stdlib.main + .../server.go::: net/http.ListenAndServe Your code is affected by 1 vulnerability from the Go standard library. This scan found no other vulnerabilities in packages you import or modules you diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_subdir_text.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_subdir_text.ct index 9232c3c..3208c6d 100644 --- a/cmd/govulncheck/testdata/testfiles/source-call/source_subdir_text.ct +++ b/cmd/govulncheck/testdata/testfiles/source-call/source_subdir_text.ct @@ -15,7 +15,7 @@ Vulnerability #1: GO-2021-0113 Found in: golang.org/x/text@v0.3.0 Fixed in: golang.org/x/text@v0.3.7 Example traces found: - #1: .../subdir.go:8:16: subdir.Foo calls language.Parse + #1: .../subdir.go::: subdir.Foo calls language.Parse Your code is affected by 1 vulnerability from 1 module. This scan also found 0 vulnerabilities in packages you import and 2 
@@ -41,8 +41,8 @@ Vulnerability #1: GO-2021-0113 Fixed in: golang.org/x/text@v0.3.7 Example traces found: #1: for function golang.org/x/text/language.Parse - .../subdir.go:8:16: golang.org/vuln/subdir.Foo - .../parse.go:228:6: golang.org/x/text/language.Parse + .../subdir.go::: golang.org/vuln/subdir.Foo + .../parse.go::: golang.org/x/text/language.Parse Your code is affected by 1 vulnerability from 1 module. This scan also found 0 vulnerabilities in packages you import and 2 diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_vendored_json.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_vendored_json.ct index 13c89e9..01c2e16 100644 --- a/cmd/govulncheck/testdata/testfiles/source-call/source_vendored_json.ct +++ b/cmd/govulncheck/testdata/testfiles/source-call/source_vendored_json.ct @@ -252,9 +252,9 @@ $ govulncheck -C ${moddir}/vendored -json ./... "receiver": "Result", "position": { "filename": ".../gjson.go", - "offset": 81, - "line": 7, - "column": 15 + "offset": , + "line": , + "column": } }, { @@ -264,9 +264,9 @@ $ govulncheck -C ${moddir}/vendored -json ./... "function": "Leave", "position": { "filename": ".../mod.go", - "offset": 86, - "line": 6, - "column": 20 + "offset": , + "line": , + "column": } }, { @@ -275,9 +275,9 @@ $ govulncheck -C ${moddir}/vendored -json ./... "function": "main", "position": { "filename": ".../vendored.go", - "offset": 137, - "line": 12, - "column": 15 + "offset": , + "line": , + "column": } } ] @@ -385,9 +385,9 @@ $ govulncheck -C ${moddir}/vendored -json ./... "function": "Parse", "position": { "filename": ".../language.go", - "offset": 53, - "line": 5, - "column": 6 + "offset": , + "line": , + "column": } }, { @@ -396,9 +396,9 @@ $ govulncheck -C ${moddir}/vendored -json ./... "function": "main", "position": { "filename": ".../vendored.go", - "offset": 155, - "line": 13, - "column": 16 + "offset": , + "line": , + "column": } } ] 
diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_vendored_text.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_vendored_text.ct index 4341085..199bd3d 100644 --- a/cmd/govulncheck/testdata/testfiles/source-call/source_vendored_text.ct +++ b/cmd/govulncheck/testdata/testfiles/source-call/source_vendored_text.ct @@ -13,7 +13,7 @@ Vulnerability #1: GO-2021-0265 Found in: github.com/tidwall/gjson@v1.6.5 Fixed in: github.com/tidwall/gjson@v1.9.3 Example traces found: - #1: .../vendored.go:12:15: vendored.main calls fakemod.Leave, which calls gjson.Result.Get + #1: .../vendored.go::: vendored.main calls fakemod.Leave, which calls gjson.Result.Get Vulnerability #2: GO-2021-0113 Due to improper index calculation, an incorrectly formatted language tag can @@ -25,7 +25,7 @@ Vulnerability #2: GO-2021-0113 Found in: golang.org/x/text@v0.3.0 Fixed in: golang.org/x/text@v0.3.7 Example traces found: - #1: .../vendored.go:13:16: vendored.main calls language.Parse + #1: .../vendored.go::: vendored.main calls language.Parse === Package Results === diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_wholemodvuln_text.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_wholemodvuln_text.ct index 3a2ab0b..4994c2b 100644 --- a/cmd/govulncheck/testdata/testfiles/source-call/source_wholemodvuln_text.ct +++ b/cmd/govulncheck/testdata/testfiles/source-call/source_wholemodvuln_text.ct @@ -13,8 +13,8 @@ Vulnerability #1: GO-2022-0956 Found in: gopkg.in/yaml.v2@v2.2.3 Fixed in: gopkg.in/yaml.v2@v2.2.4 Example traces found: - #1: .../whole_mod_vuln.go:8:21: wholemodvuln.main calls yaml.Marshal - #2: .../whole_mod_vuln.go:4:2: wholemodvuln.init calls yaml.init + #1: .../whole_mod_vuln.go::: wholemodvuln.main calls yaml.Marshal + #2: .../whole_mod_vuln.go::: wholemodvuln.init calls yaml.init Your code is affected by 1 vulnerability from 1 module. This scan also found 0 vulnerabilities in packages you import and 1