[vuln] cmd/govulncheck/govulnchecklib: add "summary" output mode


Hyang-Ah Hana Kim (Gerrit)

Sep 23, 2022, 2:16:04 PM9/23/22
to Hyang-Ah Hana Kim, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Gopher Robot, Zvonimir Pavlinovic, Jonathan Amsterdam, golang-co...@googlegroups.com

Hyang-Ah Hana Kim submitted this change.




3 is the latest approved patch-set.
The change was submitted with unreviewed changes in the following files:

```
The name of the file: cmd/govulncheck/govulnchecklib/main.go
Insertions: 1, Deletions: 0.

@@ -15,9 +15,11 @@
"fmt"
"os"
"os/exec"
+ "path/filepath"
"sort"
"strings"

+ "golang.org/x/exp/maps"
"golang.org/x/tools/go/packages"
"golang.org/x/vuln/client"
"golang.org/x/vuln/cmd/govulncheck/internal/govulncheck"
@@ -88,9 +90,9 @@
pkgs, err = govulncheck.LoadPackages(cfg, patterns...)
if err != nil {
// Try to provide a meaningful and actionable error message.
- if !fileExists("go.mod") {
+ if !fileExists(filepath.Join(cfg.Dir, "go.mod")) {
die(noGoModErrorMessage)
- } else if !fileExists("go.sum") {
+ } else if !fileExists(filepath.Join(cfg.Dir, "go.sum")) {
die(noGoSumErrorMessage)
}
die("govulncheck: %v", err)
@@ -122,6 +124,7 @@
case "summary":
ci := govulncheck.GetCallInfo(r, pkgs)
writeJSON(summary(ci, unaffected))
+ os.Exit(0)
default:
die("govulncheck: unrecognized output type %q", cfg.OutputFormat)
}
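Review bot: `os.Exit(0)` in the new `"summary"` case reports success even when the summary's `Affecting` list is non-empty, so anything keyed on the exit status cannot distinguish an affected target from a clean one; presumably the other output modes exit non-zero in that situation, as the `--> FAIL 3` expectation removed from json-summary.ct in this same change suggests. Because `Main` is library code, the explicit exit also bypasses any deferred cleanup in `Main` and in the caller, so I would let this case fall through to whatever exit handling the `"text"`/`"json"` cases use rather than calling `os.Exit` here, or at least exit with the same status they report when vulnerabilities are found. The same four lines reappear in the merged diff below (hunk `@@ -120,6 +121,10 @@` of govulnchecklib/main.go). The enclosing function starts and ends outside this hunk.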
@@ -238,7 +241,7 @@
b.WriteString(indent("\n\nCall stacks in your code:\n", 2))
b.WriteString(indent(stacks, 6))
}
- writeVulnerability(idx+1, id, details, b.String(), found, fixed)
+ writeVulnerability(idx+1, id, details, b.String(), found, fixed, platforms(v0.OSV))
}
if len(unaffected) > 0 {
fmt.Printf(`
@@ -253,21 +256,24 @@
found := foundVersion(vuln.ModPath, vuln.PkgPath, ci)
fixed := fixedVersion(vuln.PkgPath, vuln.OSV.Affected)
fmt.Println()
- writeVulnerability(idx+1, vuln.OSV.ID, vuln.OSV.Details, "", found, fixed)
+ writeVulnerability(idx+1, vuln.OSV.ID, vuln.OSV.Details, "", found, fixed, platforms(vuln.OSV))
}
}
}

-func writeVulnerability(idx int, id, details, callstack, found, fixed string) {
+func writeVulnerability(idx int, id, details, callstack, found, fixed, platforms string) {
if fixed == "" {
fixed = "N/A"
}
+ if platforms != "" {
+ platforms = " Platforms: " + platforms + "\n"
+ }
fmt.Printf(`Vulnerability #%d: %s
%s%s
Found in: %s
Fixed in: %s
- More info: https://pkg.go.dev/vuln/%s
-`, idx, id, indent(details, 2), callstack, found, fixed, id)
+%s More info: https://pkg.go.dev/vuln/%s
+`, idx, id, indent(details, 2), callstack, found, fixed, platforms, id)
}

func foundVersion(modulePath, pkgPath string, ci *govulncheck.CallInfo) string {
@@ -334,6 +340,24 @@
return b.String()
}

+// platforms returns a string describing the GOOS/GOARCH pairs that the vuln affects.
+// If it affects all of them, it returns the empty string.
+func platforms(e *osv.Entry) string {
+ platforms := map[string]bool{}
+ for _, a := range e.Affected {
+ for _, p := range a.EcosystemSpecific.Imports {
+ for _, os := range p.GOOS {
+ for _, arch := range p.GOARCH {
+ platforms[os+"/"+arch] = true
+ }
+ }
+ }
+ }
+ keys := maps.Keys(platforms)
+ sort.Strings(keys)
+ return strings.Join(keys, ", ")
+}
+
func isFile(path string) bool {
s, err := os.Stat(path)
if err != nil {
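Review bot: The nested loops in `platforms` produce no entry when exactly one of `p.GOOS` or `p.GOARCH` is empty, so an import restricted only by OS (or only by architecture) comes back as `""`, which the doc comment defines as "affects all platforms" — the opposite of what the entry says, if the OSV schema allows one list without the other (the test data on this page only shows both set). Treating a missing list as a wildcard keeps the empty-string contract for genuinely unrestricted imports while still reporting the partial restriction; a constructed `*` stands in for the wildcard below. Separately, the local map named `platforms` shadows the function itself and the loop variable `os` shadows the imported `os` package; both compile, but shadow linters flag them and a reader of `os+"/"+arch` has to pause to work out which `os` is meant.
```go
func platforms(e *osv.Entry) string {
	set := map[string]bool{}
	for _, a := range e.Affected {
		for _, p := range a.EcosystemSpecific.Imports {
			if len(p.GOOS) == 0 && len(p.GOARCH) == 0 {
				continue // unrestricted import: contributes no platform entry
			}
			goos, goarch := p.GOOS, p.GOARCH
			if len(goos) == 0 {
				goos = []string{"*"} // constructed wildcard: any OS
			}
			if len(goarch) == 0 {
				goarch = []string{"*"} // constructed wildcard: any architecture
			}
			for _, g := range goos {
				for _, arch := range goarch {
					set[g+"/"+arch] = true
				}
			}
		}
	}
	// … unchanged: sort the keys and join them with ", " …
}
```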
```
```
The name of the file: cmd/govulncheck/main_testmode.go
Insertions: 14, Deletions: 0.

@@ -0,0 +1,14 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build testmode
+
+package main
+
+import "flag"
+
+func init() {
+ flag.StringVar(&dirFlag, "dir", "", "directory to use for loading source files")
+ flag.BoolVar(&summaryJSONFlag, "summary-json", false, "output govulnchecklib.Summary JSON")
+}
```
```
The name of the file: cmd/govulncheck/govulnchecklib/summary.go
Insertions: 3, Deletions: 3.

@@ -16,7 +16,7 @@
Affecting []Vuln
// Vulnerabilities that may be imported but the vulnerable symbols are
// not called. For binary analysis, this will be always empty.
- Unaffecting []Vuln
+ NonAffecting []Vuln
}

// Vuln represents a vulnerability relevant to a (module, package).
@@ -74,8 +74,8 @@
})
}
return Summary{
- Affecting: affecting,
- Unaffecting: unaffecting,
+ Affecting: affecting,
+ NonAffecting: unaffecting,
}
}

```
```
The name of the file: cmd/govulncheck/main.go
Insertions: 7, Deletions: 6.

@@ -7,8 +7,8 @@
import (
"flag"
"fmt"
- "go/build"
"os"
+ "path/filepath"
"strings"

"golang.org/x/tools/go/buildutil"
@@ -20,11 +20,15 @@
jsonFlag = flag.Bool("json", false, "output JSON")
verboseFlag = flag.Bool("v", false, "print a full call stack for each vulnerability")
testFlag = flag.Bool("test", false, "analyze test files. Only valid for source code.")
+ tagsFlag buildutil.TagsFlag
+
+ // testmode flags. See main_testmode.go.
+ dirFlag string
+ summaryJSONFlag bool
)

func init() {
- flag.Var((*buildutil.TagsFlag)(&build.Default.BuildTags), "tags",
- "comma-separated `list` of build tags")
+ flag.Var(&tagsFlag, "tags", "comma-separated `list` of build tags")
}

func main() {
@@ -57,21 +61,16 @@
outputType := "text"
if *jsonFlag {
outputType = "json"
+ } else if summaryJSONFlag { // accessible only in testmode.
+ outputType = "summary"
}
-
if outputType == "text" && *verboseFlag {
outputType = "verbose"
}
- // For testing purpose, we use the less visible environment variable
- // to generate JSON of govulnchecklib.Summary.
- if outputType == "json" && os.Getenv("GOVULNCHECK_JSON") == "Summary" {
- outputType = "summary"
- }

var buildFlags []string
- if build.Default.BuildTags != nil {
- buildFlags = []string{fmt.Sprintf("-tags=%s", strings.Join(build.Default.BuildTags, ","))}
- // TODO(hyangah): why is this program mutating the build.Default.BuildTags?
+ if tagsFlag != nil {
+ buildFlags = []string{fmt.Sprintf("-tags=%s", strings.Join(tagsFlag, ","))}
}

govulnchecklib.Main(govulnchecklib.Config{
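Review bot: `if tagsFlag != nil` tests for a nil slice rather than for an empty one, so whether `-tags=` with no value adds a `-tags=` build flag depends on whether `buildutil.TagsFlag.Set` leaves the slice nil or allocates an empty one, which is not visible on this page; `if len(tagsFlag) > 0 {` expresses the intent directly and does not depend on that detail. The same comparison is used for the "-tags flag is invalid for binaries" check in the next hunk of this file and should change together with it. The enclosing `main` continues outside this hunk.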
@@ -79,6 +78,7 @@
OutputFormat: outputType,
Patterns: patterns,
SourceLoadConfig: packages.Config{
+ Dir: filepath.FromSlash(dirFlag),
Tests: *testFlag,
BuildFlags: buildFlags,
},
@@ -91,30 +91,12 @@
if *testFlag {
die("govulncheck: the -test flag is invalid for binaries")
}
- if build.Default.BuildTags != nil {
+ if tagsFlag != nil {
die("govulncheck: the -tags flag is invalid for binaries")
}
}
}

-// Config is the configuration for Main.
-type Config struct {
- // Analysis specifies the vulncheck analysis type. Valid types are "source" and "binary"
- Analysis string
- // OutputFormat specifies the result type. Valid types are:
- // "text": print human readable compact text output to STDOUT.
- // "verbose": print human readable verbose text output to STDOUT.
- // "json": print JSON-encoded vulncheck.Result.
- OutputFormat string
-
- // Patterns are either the binary path for "binary" analysis mode, or
- // go package patterns for "source" analysis mode.
- Patterns []string
-
- // SourceLoadConfig specifies the package loading configuration.
- SourceLoadConfig packages.Config
-}
-
func isFile(path string) bool {
s, err := os.Stat(path)
if err != nil {
```
```
The name of the file: cmd/govulncheck/testdata/json-summary.ct
Insertions: 11, Deletions: 10.

@@ -2,17 +2,13 @@
# TODO(zpavlinovic): add test for stdlib that works
# on all underlying Go build systems.

-$ setenv GOVULNCHECK_JSON Summary
-
-$ cdmodule novuln
-$ govulncheck -json .
+$ govulncheck -dir ${moddir}/novuln -summary-json .
{
"Affecting": null,
- "Unaffecting": null
+ "NonAffecting": null
}

-$ cdmodule vuln
-$ govulncheck -json . --> FAIL 3
+$ govulncheck -dir ${moddir}/vuln -summary-json .
{
"Affecting": [
{
@@ -99,7 +95,7 @@
]
}
],
- "Unaffecting": [
+ "NonAffecting": [
{
"OSV": {
"id": "GO-2022-0592",
@@ -212,6 +208,13 @@
"imports": [
{
"path": "github.com/tidwall/gjson",
+ "goos": [
+ "linux",
+ "windows"
+ ],
+ "goarch": [
+ "amd64"
+ ],
"symbols": [
"match.Match"
]
@@ -263,5 +266,3 @@
}
]
}
-
-$ setenv GOVULNCHECK_JSON ""
```
```
The name of the file: cmd/govulncheck/testdata/usage.ct
Insertions: 4, Deletions: 0.

@@ -3,8 +3,12 @@
govulncheck [flags] package...
govulncheck [flags] binary

+ -dir string
+ directory to use for loading source files
-json
output JSON
+ -summary-json
+ output govulnchecklib.Summary JSON
-tags list
comma-separated list of build tags
-test
@@ -20,8 +24,12 @@
govulncheck [flags] package...
govulncheck [flags] binary

+ -dir string
+ directory to use for loading source files
-json
output JSON
+ -summary-json
+ output govulnchecklib.Summary JSON
-tags list
comma-separated list of build tags
-test
```

Approvals: Zvonimir Pavlinovic: Looks good to me, approved Jonathan Amsterdam: Looks good to me, but someone else must approve Hyang-Ah Hana Kim: Run TryBots Gopher Robot: TryBots succeeded
cmd/govulncheck/govulnchecklib: add "summary" output mode

This CL adds a type Summary that represents the typical govulncheck
command output format, and lets Main print a JSON-encoded Summary
when the output mode is "summary".

In order to reuse the test setup of the govulncheck command
while not surfacing this option to govulncheck users, we add
a testmode-only flag `--summary-json` that makes govulncheck
output JSON of Summary struct.

Change-Id: I10dcfd35836d4eb37ab907b958b73432ed8a249b
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/432181
Run-TryBot: Hyang-Ah Hana Kim <hya...@gmail.com>
Reviewed-by: Jonathan Amsterdam <j...@google.com>
TryBot-Result: Gopher Robot <go...@golang.org>
Reviewed-by: Zvonimir Pavlinovic <zpavl...@google.com>
---
M cmd/govulncheck/govulnchecklib/main.go
A cmd/govulncheck/govulnchecklib/summary.go
M cmd/govulncheck/main.go
M cmd/govulncheck/main_testmode.go
A cmd/govulncheck/testdata/json-summary.ct
M cmd/govulncheck/testdata/usage.ct
6 files changed, 413 insertions(+), 2 deletions(-)

diff --git a/cmd/govulncheck/govulnchecklib/main.go b/cmd/govulncheck/govulnchecklib/main.go
index 9ed974b..67da64c 100644
--- a/cmd/govulncheck/govulnchecklib/main.go
+++ b/cmd/govulncheck/govulnchecklib/main.go
@@ -35,6 +35,7 @@
// "text": print human readable compact text output to STDOUT.
// "verbose": print human readable verbose text output to STDOUT.
// "json": print JSON-encoded vulncheck.Result.
+ // "summary": print JSON-encoded Summary.
OutputFormat string

// Patterns are either the binary path for "binary" analysis mode, or
@@ -120,6 +121,10 @@
// set of top-level packages, used to find representative symbols
ci := govulncheck.GetCallInfo(r, pkgs)
writeText(r, ci, unaffected, format == "verbose")
+ case "summary":
+ ci := govulncheck.GetCallInfo(r, pkgs)
+ writeJSON(summary(ci, unaffected))
+ os.Exit(0)
default:
die("govulncheck: unrecognized output type %q", cfg.OutputFormat)
}
@@ -188,7 +193,7 @@
}
}

-func writeJSON(r *vulncheck.Result) {
+func writeJSON(r any) {
b, err := json.MarshalIndent(r, "", "\t")
if err != nil {
die("govulncheck: %s", err)
diff --git a/cmd/govulncheck/govulnchecklib/summary.go b/cmd/govulncheck/govulnchecklib/summary.go
new file mode 100644
index 0000000..6cc0b9b
--- /dev/null
+++ b/cmd/govulncheck/govulnchecklib/summary.go
@@ -0,0 +1,105 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package govulnchecklib
+
+import (
+ "golang.org/x/vuln/cmd/govulncheck/internal/govulncheck"
+ "golang.org/x/vuln/osv"
+ "golang.org/x/vuln/vulncheck"
+)
+
+// Summary is the govulncheck result.
+type Summary struct {
+ // Vulnerabilities affecting the analysis target binary or source code.
+ Affecting []Vuln
+ // Vulnerabilities that may be imported but the vulnerable symbols are
+ // not called. For binary analysis, this will be always empty.
+ NonAffecting []Vuln
+}
+
+// Vuln represents a vulnerability relevant to a (module, package).
+type Vuln struct {
+ OSV *osv.Entry
+ PkgPath string // Package path.
+ ModPath string // Module path.
+ FoundIn string // <package path>@<version> if we know when it was introduced. Empty otherwise.
+ FixedIn string // <package path>@<version> if fix is available. Empty otherwise.
+ // Trace contains a call stack for each affecting symbol.
+ // For vulnerabilities found from binary analysis, and vulnerabilities
+ // that are reported as Unaffecting ones, this will be always empty.
+ Trace []Trace
+}
+
+// Trace represents a sample trace for a vulnerable symbol.
+type Trace struct {
+ Symbol string // Name of the detected vulnerable function or method.
+ Desc string // One-line description of the callstack.
+ Stack []StackEntry // Call stack.
+ Seen int // Number of similar call stacks.
+}
+
+// StackEntry represents a call stack entry.
+type StackEntry struct {
+ FuncName string // Function name is the function name, adjusted to remove pointer annotation.
+ CallSite string // Position of the call/reference site. It is one of the formats token.Pos.String() returns or empty if unknown.
+}
+
+// summary summarize the analysis result.
+func summary(ci *govulncheck.CallInfo, unaffected []*vulncheck.Vuln) Summary {
+ var affecting, unaffecting []Vuln
+ for _, vg := range ci.VulnGroups {
+ // All the vulns in vg have the same PkgPath, ModPath and OSV.
+ // All have a non-zero CallSink.
+ v0 := vg[0]
+ stacks := summarizeCallStacks(vg, ci)
+
+ affecting = append(affecting, Vuln{
+ OSV: vg[0].OSV,
+ PkgPath: v0.PkgPath,
+ ModPath: v0.ModPath,
+ FoundIn: foundVersion(v0.ModPath, v0.PkgPath, ci),
+ FixedIn: fixedVersion(v0.PkgPath, v0.OSV.Affected),
+ Trace: stacks,
+ })
+ }
+ for _, vuln := range unaffected {
+ unaffecting = append(unaffecting, Vuln{
+ OSV: vuln.OSV,
+ PkgPath: vuln.PkgPath,
+ ModPath: vuln.ModPath,
+ FoundIn: foundVersion(vuln.ModPath, vuln.PkgPath, ci),
+ FixedIn: fixedVersion(vuln.PkgPath, vuln.OSV.Affected),
+ })
+ }
+ return Summary{
+ Affecting: affecting,
+ NonAffecting: unaffecting,
+ }
+}
+
+func summarizeCallStacks(vg []*vulncheck.Vuln, ci *govulncheck.CallInfo) []Trace {
+ cs := make([]Trace, 0, len(vg))
+ // report one full call stack for each vuln.
+ for _, v := range vg {
+ css := ci.CallStacks[v]
+ if len(css) == 0 {
+ continue
+ }
+ stack := make([]StackEntry, 0, len(css))
+ for _, e := range css[0] {
+ stack = append(stack, StackEntry{
+ FuncName: govulncheck.FuncName(e.Function),
+ CallSite: govulncheck.FuncPos(e.Call),
+ })
+ }
+ cs = append(cs, Trace{
+ Symbol: v.Symbol,
+ Desc: govulncheck.SummarizeCallStack(css[0], ci.TopPackages, v.PkgPath),
+ Stack: stack,
+ Seen: len(css),
+ })
+ }
+ return cs
+}
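Review bot: The `Trace` field comment still says "reported as Unaffecting ones" although the field was renamed to `NonAffecting` in this change; it should read `// that are reported as NonAffecting ones, this will be always empty.`. In the same spirit, `// summary summarize the analysis result.` should be `// summary summarizes the analysis result.`, and `summarizeCallStacks` has no doc comment at all — something like `// summarizeCallStacks returns one Trace per vuln in vg that has at least one call stack in ci, using the first stack as the sample.` matches what the loop does. Inside `summary`, `OSV: vg[0].OSV` sits next to five fields read from `v0`; using `v0.OSV` there makes the reliance on the "all vulns in vg share the same OSV" invariant (and on `vg` being non-empty, which `vg[0]` assumes without a check) easier to see. Finally, both `Summary` fields are nil slices when nothing is found and therefore marshal as `null` (the novuln expectation in json-summary.ct shows exactly that), so either document that on the struct or initialize them to empty slices if consumers are expected to see `[]`.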
diff --git a/cmd/govulncheck/main.go b/cmd/govulncheck/main.go
index 2b3dc10..5a7ab45 100644
--- a/cmd/govulncheck/main.go
+++ b/cmd/govulncheck/main.go
@@ -21,7 +21,10 @@
verboseFlag = flag.Bool("v", false, "print a full call stack for each vulnerability")
testFlag = flag.Bool("test", false, "analyze test files. Only valid for source code.")
tagsFlag buildutil.TagsFlag
- dirFlag string
+
+ // testmode flags. See main_testmode.go.
+ dirFlag string
+ summaryJSONFlag bool
)

func init() {
@@ -58,6 +61,8 @@
outputType := "text"
if *jsonFlag {
outputType = "json"
+ } else if summaryJSONFlag { // accessible only in testmode.
+ outputType = "summary"
}
if outputType == "text" && *verboseFlag {
outputType = "verbose"
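Review bot: When both `-json` and `-summary-json` are given, the `else if` silently prefers `-json` and the summary request is dropped without any message; since `-summary-json` only exists in testmode this is low risk, but a test author will not get the output they asked for. Either reject the combination with `die("govulncheck: -json and -summary-json are mutually exclusive")` or state the precedence in the flag description. The enclosing `main` starts and ends outside this hunk.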
diff --git a/cmd/govulncheck/main_testmode.go b/cmd/govulncheck/main_testmode.go
index 0ac803b..78c00d4 100644
--- a/cmd/govulncheck/main_testmode.go
+++ b/cmd/govulncheck/main_testmode.go
@@ -10,4 +10,5 @@

func init() {
flag.StringVar(&dirFlag, "dir", "", "directory to use for loading source files")
+ flag.BoolVar(&summaryJSONFlag, "summary-json", false, "output govulnchecklib.Summary JSON")
}
diff --git a/cmd/govulncheck/testdata/json-summary.ct b/cmd/govulncheck/testdata/json-summary.ct
new file mode 100644
index 0000000..bc1fb7a
--- /dev/null
+++ b/cmd/govulncheck/testdata/json-summary.ct
@@ -0,0 +1,268 @@
+# Test of the -json flag.
+# TODO(zpavlinovic): add test for stdlib that works
+# on all underlying Go build systems.
+
+$ govulncheck -dir ${moddir}/novuln -summary-json .
+{
+ "Affecting": null,
+ "NonAffecting": null
+}
+
+$ govulncheck -dir ${moddir}/vuln -summary-json .
+{
+ "Affecting": [
+ {
+ "OSV": {
+ "id": "GO-2021-0113",
+ "published": "2021-10-06T17:51:21Z",
+ "modified": "2021-10-06T17:51:21Z",
+ "aliases": [
+ "CVE-2021-38561"
+ ],
+ "details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse\nto panic via an out of bounds read. If Parse is used to process untrusted user inputs,\nthis may be used as a vector for a denial of service attack.\n",
+ "affected": [
+ {
+ "package": {
+ "name": "golang.org/x/text",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.3.7"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2021-0113"
+ },
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "golang.org/x/text/language",
+ "symbols": [
+ "MatchStrings",
+ "MustParse",
+ "Parse",
+ "ParseAcceptLanguage"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "FIX",
+ "url": "https://go.dev/cl/340830"
+ },
+ {
+ "type": "FIX",
+ "url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
+ },
+ {
+ "type": "WEB",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38561"
+ }
+ ]
+ },
+ "PkgPath": "golang.org/x/text/language",
+ "ModPath": "golang.org/x/text",
+ "FoundIn": "golang.org/x/text/lang...@v0.3.0",
+ "FixedIn": "golang.org/x/text/lang...@v0.3.7",
+ "Trace": [
+ {
+ "Symbol": "Parse",
+ "Desc": ".../vuln.go:12:16: golang.org/vuln.main calls golang.org/x/text/language.Parse",
+ "Stack": [
+ {
+ "FuncName": "golang.org/vuln.main",
+ "CallSite": ".../vuln.go:12:16"
+ },
+ {
+ "FuncName": "golang.org/x/text/language.Parse",
+ "CallSite": ""
+ }
+ ],
+ "Seen": 1
+ }
+ ]
+ }
+ ],
+ "NonAffecting": [
+ {
+ "OSV": {
+ "id": "GO-2022-0592",
+ "published": "2022-08-15T18:06:07Z",
+ "modified": "2022-08-19T22:21:47Z",
+ "aliases": [
+ "CVE-2021-42248",
+ "GHSA-c9gm-7rfj-8w5h"
+ ],
+ "details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/tidwall/gjson",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.9.3"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-0592"
+ },
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/tidwall/gjson",
+ "symbols": [
+ "Get",
+ "GetBytes",
+ "GetMany",
+ "GetManyBytes",
+ "Result.Get",
+ "queryMatches"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "FIX",
+ "url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/tidwall/gjson/issues/237"
+ },
+ {
+ "type": "WEB",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42248"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/advisories/GHSA-c9gm-7rfj-8w5h"
+ }
+ ]
+ },
+ "PkgPath": "github.com/tidwall/gjson",
+ "ModPath": "github.com/tidwall/gjson",
+ "FoundIn": "github.com/tidwall/gj...@v1.9.2",
+ "FixedIn": "github.com/tidwall/gj...@v1.9.3",
+ "Trace": null
+ },
+ {
+ "OSV": {
+ "id": "GO-2021-0265",
+ "published": "2022-01-14T17:30:24Z",
+ "modified": "2022-08-19T22:21:47Z",
+ "aliases": [
+ "CVE-2020-36066",
+ "CVE-2021-42836",
+ "GHSA-ppj4-34rq-v8j9",
+ "GHSA-wjm3-fq3r-5x46"
+ ],
+ "details": "GJSON allowed a ReDoS (regular expression denial of service) attack.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/tidwall/gjson",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.9.3"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2021-0265"
+ },
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/tidwall/gjson",
+ "goos": [
+ "linux",
+ "windows"
+ ],
+ "goarch": [
+ "amd64"
+ ],
+ "symbols": [
+ "match.Match"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "FIX",
+ "url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/tidwall/gjson/compare/v1.9.2...v1.9.3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/tidwall/gjson/issues/236"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/tidwall/gjson/issues/237"
+ },
+ {
+ "type": "WEB",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36066"
+ },
+ {
+ "type": "WEB",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42836"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/advisories/GHSA-ppj4-34rq-v8j9"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/advisories/GHSA-wjm3-fq3r-5x46"
+ }
+ ]
+ },
+ "PkgPath": "github.com/tidwall/gjson",
+ "ModPath": "github.com/tidwall/gjson",
+ "FoundIn": "github.com/tidwall/gj...@v1.9.2",
+ "FixedIn": "github.com/tidwall/gj...@v1.9.3",
+ "Trace": null
+ }
+ ]
+}
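Review bot: The header comment `# Test of the -json flag.` is stale for this new file, which exercises `-summary-json` under testmode and never passes `-json`; it should read `# Test of the testmode-only -summary-json flag.`. The script also records no exit-status expectation for the `vuln` module case, which is consistent with the `os.Exit(0)` in the summary case of govulnchecklib/main.go but means a regression in that exit status would go unnoticed here.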
diff --git a/cmd/govulncheck/testdata/usage.ct b/cmd/govulncheck/testdata/usage.ct
index 72afbcc..58abd14 100644
--- a/cmd/govulncheck/testdata/usage.ct
+++ b/cmd/govulncheck/testdata/usage.ct
@@ -7,6 +7,8 @@
directory to use for loading source files
-json
output JSON
+ -summary-json
+ output govulnchecklib.Summary JSON
-tags list
comma-separated list of build tags
-test
@@ -26,6 +28,8 @@
directory to use for loading source files
-json
output JSON
+ -summary-json
+ output govulnchecklib.Summary JSON
-tags list
comma-separated list of build tags
-test


Gerrit-Project: vuln
Gerrit-Branch: master
Gerrit-Change-Id: I10dcfd35836d4eb37ab907b958b73432ed8a249b
Gerrit-Change-Number: 432181
Gerrit-PatchSet: 7
Gerrit-Owner: Hyang-Ah Hana Kim <hya...@gmail.com>
Gerrit-Reviewer: Gopher Robot <go...@golang.org>
Gerrit-Reviewer: Hyang-Ah Hana Kim <hya...@gmail.com>
Gerrit-Reviewer: Jonathan Amsterdam <j...@google.com>
Gerrit-Reviewer: Zvonimir Pavlinovic <zpavl...@google.com>
Gerrit-MessageType: merged