x/exp/vulndb/govulncheck: CVEs are not detected in GOPATH mode #51591

Closed
rittneje opened this issue Mar 10, 2022 · 5 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Milestone

Comments

@rittneje
Contributor

rittneje commented Mar 10, 2022

What version of Go are you using (go version)?

$ go version
go version go1.17.7 darwin/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/tmp/.gocache"
GOENV="/Users/rittneje/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/rittneje/test/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/rittneje/test"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/Users/rittneje/go1.17.7"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/Users/rittneje/go1.17.7/pkg/tool/darwin_amd64"
GOVCS=""
GOVERSION="go1.17.7"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/kf/kr7_s3xx0l12zbj3jrn082hmzy5gvy/T/go-build1057679207=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

go.mod

module cvetest

go 1.16

require (
	golang.org/x/text v0.3.0
)

main.go

package main

import (
	"golang.org/x/text/language"
)

func main() {
	language.Parse("")
}

These files are located under $GOPATH/src/cvetest.

I then ran govulncheck -verbose cvetest in $GOPATH, and again in $GOPATH/src/cvetest.

What did you expect to see?

It should report the same results both times, or it should complain that GOPATH mode is not supported.

What did you see instead?

When run from $GOPATH:

2022/03/10 09:21:12 loading packages...
2022/03/10 09:21:13 	1 loaded packages
2022/03/10 09:21:13 loading database...
2022/03/10 09:21:13 	0 known vulnerabilities.
2022/03/10 09:21:13 building ssa...
2022/03/10 09:21:13 	built ssa
2022/03/10 09:21:13 detecting vulnerabilities...

(Note that it claims to have loaded the package.)

When run from $GOPATH/src/cvetest:

2022/03/10 09:21:36 loading packages...
2022/03/10 09:21:37 	1 loaded packages
2022/03/10 09:21:37 loading database...
2022/03/10 09:21:37 	2 known vulnerabilities.
2022/03/10 09:21:37 building ssa...
2022/03/10 09:21:37 	built ssa
2022/03/10 09:21:37 detecting vulnerabilities...
Findings for vulnerability: GO-2021-0113 (CVE-2021-38561):

Trace:
golang.org/x/text/language.Parse (/Users/rittneje/test/src/cvetest/main.go:8:16)
cvetest.main(...) (/Users/rittneje/test/src/cvetest/main.go:7:6)
@gopherbot gopherbot added this to the Unreleased milestone Mar 10, 2022
@heschi heschi added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Mar 14, 2022
@heschi
Contributor

heschi commented Mar 14, 2022

cc @jba @zpavlinovic

@zpavlinovic
Contributor

When in $GOPATH, it should load the package but it will not pick up the module version, which is needed to check whether a vulnerability applies to the code or not. Hence, no vulnerabilities are found. I believe the right solution here is to warn the user of this.

I believe the behavior in $GOPATH/src/cvetest is correct as there is a go.mod file.

@jba jba self-assigned this Mar 22, 2022
@gopherbot
Contributor

Change https://go.dev/cl/394774 mentions this issue: cmd/govulncheck: fail in GOPATH mode

@jba
Contributor

jba commented Mar 22, 2022

The above CL addresses this in the new govulncheck. The existing one is no longer maintained.

@gopherbot
Contributor

Change https://go.dev/cl/395241 mentions this issue: cmd/govulncheck: fail in GOPATH mode

gopherbot pushed a commit to golang/vuln that referenced this issue Mar 23, 2022
govulncheck requires module information to find vulnerabilities.
But in GOPATH mode, there is no module information.
Instead of silently succeeding in that case, govulncheck fails with an error.

Also, fix an off-by-one bug that could result in a panic if only the top
function in a call stack is in a top package.

Fixes golang/go#51591

Cherry-picked: https://go-review.googlesource.com/c/exp/+/394774

Change-Id: I9923c1f03aa0a101de86fe03daaeeefc1d1f5bdf
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/395241
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
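The failure mode described in the commit message above (silent success because GOPATH mode carries no module information) can also be guarded against on the caller's side, for example in a CI script that runs govulncheck. The wrapper below is an added example and is not code from this issue or from the govulncheck project. It relies on the documented behaviour of the Go toolchain on Unix: `go env GOMOD` prints an empty string in GOPATH mode and `/dev/null` when module mode is forced but no go.mod is in scope; the function names is_module_mode and run_govulncheck are this example's own.

```shell
#!/bin/sh
# Preflight wrapper for govulncheck (added example, not project code).
# Refuses to scan unless the Go command is in module mode with a real go.mod,
# because without module versions govulncheck has nothing to match the
# vulnerability database against and older builds reported 0 findings.

# is_module_mode GOMOD_VALUE
#   Takes the output of `go env GOMOD` and succeeds only when it names a
#   go.mod file. Assumed toolchain behaviour on Unix:
#     ""          -> GOPATH mode (GO111MODULE=auto, no go.mod found)
#     "/dev/null" -> GO111MODULE=on but no go.mod in scope
is_module_mode() {
  case "$1" in
    "")        return 1 ;;   # GOPATH mode: no module information at all
    /dev/null) return 1 ;;   # module mode forced, but no go.mod to read
    */go.mod)  return 0 ;;   # absolute path to a go.mod: module info available
    *)         return 1 ;;   # anything else is not a usable module root
  esac
}

# run_govulncheck [govulncheck args...]
#   Runs govulncheck only after the preflight check passes. Exit status 2 is
#   used for the preflight failure so it is distinguishable from a scan that
#   ran and found vulnerabilities.
run_govulncheck() {
  gomod=$(go env GOMOD) || { echo "go env GOMOD failed" >&2; return 2; }
  if ! is_module_mode "$gomod"; then
    echo "refusing to run govulncheck: not in module mode (GOMOD='$gomod')." >&2
    echo "cd into a directory with a go.mod, or set GO111MODULE=on inside a module." >&2
    return 2
  fi
  govulncheck "$@"
}

# Typical use from a module root (not executed when the file is sourced):
#   run_govulncheck ./...
```

Running the wrapper from $GOPATH in the reporter's setup would stop with the "not in module mode" message instead of printing "0 known vulnerabilities", while running it from $GOPATH/src/cvetest, where go.mod exists, proceeds to the real scan.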
@rsc rsc unassigned jba Jun 22, 2022
@julieqiu julieqiu added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Sep 8, 2022
softdev050 added a commit to softdev050/Golangvuln that referenced this issue Apr 5, 2023
sayjun0505 added a commit to sayjun0505/Golangvuln that referenced this issue Apr 8, 2023
stanislavkononiuk added a commit to stanislavkononiuk/Golangvuln that referenced this issue Jun 26, 2023
@golang golang locked and limited conversation to collaborators Sep 8, 2023