[exp] cmd/govulncheck: fail in GOPATH mode


Jonathan Amsterdam (Gerrit)

Mar 22, 2022, 4:58:54 PM
to Zvonimir Pavlinovic, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Zvonimir Pavlinovic.

Jonathan Amsterdam would like Zvonimir Pavlinovic to review this change.


cmd/govulncheck: fail in GOPATH mode

govulncheck requires module information to find vulnerabilities.
But in GOPATH mode, there is no module information.
Instead of silently succeeding in that case, govulncheck fails with an error.

Also, fix an off-by-one bug that could result in a panic if only the top
function in a call stack is in a top package.

Fixes golang/go#51591

Change-Id: I9923c1f03aa0a101de86fe03daaeeefc1d1f5bdf
---
M cmd/govulncheck/main.go
1 file changed, 37 insertions(+), 12 deletions(-)

diff --git a/cmd/govulncheck/main.go b/cmd/govulncheck/main.go
index 8eb2794..19eeb75 100644
--- a/cmd/govulncheck/main.go
+++ b/cmd/govulncheck/main.go
@@ -88,8 +88,11 @@
ctx := context.Background()

patterns := flag.Args()
- var r *vulncheck.Result
- var pkgs []*packages.Package
+ var (
+ r *vulncheck.Result
+ pkgs []*packages.Package
+ moduleVersions map[string]string
+ )
if len(patterns) == 1 && isFile(patterns[0]) {
f, err := os.Open(patterns[0])
if err != nil {
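Review bot: moduleVersions is declared here at function scope but is only assigned on the package-loading path later in this change; if the isFile branch that begins on the last context line never sets it, writeText receives a nil map. Reads from a nil map are safe in Go, so this works, but a one-line comment at the declaration (or initializing it to an empty map here) would make that intent explicit.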
@@ -110,6 +113,17 @@
if err != nil {
die("govulncheck: %v", err)
}
+ // Build a map from module paths to versions.
+ moduleVersions = map[string]string{}
+ packages.Visit(pkgs, nil, func(p *packages.Package) {
+ if m := packageModule(p); m != nil {
+ moduleVersions[m.Path] = m.Version
+ }
+ })
+
+ if len(moduleVersions) == 0 {
+ die("govulncheck: no modules found; are you in GOPATH mode? Module mode required.")
+ }
r, err = vulncheck.Source(ctx, vulncheck.Convert(pkgs), vcfg)
if err != nil {
die("govulncheck: %v", err)
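Review bot: the GOPATH detection is indirect: an empty moduleVersions map is taken to mean "no module information", which relies on packageModule returning nil for every loaded package. A short comment above `if len(moduleVersions) == 0` stating that assumption would protect the check from a later change to packageModule silently disabling it. Note also that the check only runs after the full package load completes, so a GOPATH user waits for loading before seeing the diagnostic; acceptable, but worth knowing.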
@@ -118,7 +132,7 @@
if *jsonFlag {
writeJSON(r)
} else {
- writeText(r, pkgs)
+ writeText(r, pkgs, moduleVersions)
}
exitCode := 0
// Following go vet, fail with 3 if there are findings (in this case, vulns).
@@ -137,17 +151,10 @@
fmt.Println()
}

-func writeText(r *vulncheck.Result, pkgs []*packages.Package) {
+func writeText(r *vulncheck.Result, pkgs []*packages.Package, moduleVersions map[string]string) {
if len(r.Vulns) == 0 {
return
}
- // Build a map from module paths to versions.
- moduleVersions := map[string]string{}
- packages.Visit(pkgs, nil, func(p *packages.Package) {
- if m := packageModule(p); m != nil {
- moduleVersions[m.Path] = m.Version
- }
- })
callStacks := vulncheck.CallStacks(r)

const labelWidth = 16
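Review bot: with the packages.Visit loop moved out to main, the `pkgs` parameter of writeText no longer has a visible use in this hunk; check whether the rest of the function still needs it and drop it from the signature if not, rather than carrying an unused parameter alongside the new moduleVersions argument.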
@@ -283,7 +290,7 @@
for _, cs := range callStacks[v] {
// Find the lowest function in the stack that is in
// one of the top packages.
- for i := len(cs) - 1; i > 0; i-- {
+ for i := len(cs) - 1; i >= 0; i-- {
pkg := pkgPath(cs[i].Function)
if topPkgs[pkg] {
fns[cs[i].Function] = true
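Review bot: changing the bound to `i >= 0` makes the loop visit cs[0], the top of the stack, which is exactly the case the commit message says panicked when it was the only frame in a top package. Since the loop walks from the bottom of the stack upward, the first match is still the lowest such frame, matching the comment. Please add a regression test with a call stack whose only top-package frame is cs[0] (and a single-frame stack) so the off-by-one does not return.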

To view, visit change 394774. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: exp
Gerrit-Branch: master
Gerrit-Change-Id: I9923c1f03aa0a101de86fe03daaeeefc1d1f5bdf
Gerrit-Change-Number: 394774
Gerrit-PatchSet: 1
Gerrit-Owner: Jonathan Amsterdam <j...@google.com>
Gerrit-Reviewer: Jonathan Amsterdam <j...@google.com>
Gerrit-Reviewer: Zvonimir Pavlinovic <zpavl...@google.com>
Gerrit-Attention: Zvonimir Pavlinovic <zpavl...@google.com>
Gerrit-MessageType: newchange

Zvonimir Pavlinovic (Gerrit)

Mar 22, 2022, 6:58:05 PM
to Jonathan Amsterdam, goph...@pubsubhelper.golang.org, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Jonathan Amsterdam.

Patch set 1: Code-Review +2


    Gerrit-Project: exp
    Gerrit-Branch: master
    Gerrit-Change-Id: I9923c1f03aa0a101de86fe03daaeeefc1d1f5bdf
    Gerrit-Change-Number: 394774
    Gerrit-PatchSet: 1
    Gerrit-Owner: Jonathan Amsterdam <j...@google.com>
    Gerrit-Reviewer: Gopher Robot <go...@golang.org>
    Gerrit-Reviewer: Jonathan Amsterdam <j...@google.com>
    Gerrit-Reviewer: Zvonimir Pavlinovic <zpavl...@google.com>
    Gerrit-Attention: Jonathan Amsterdam <j...@google.com>
    Gerrit-Comment-Date: Tue, 22 Mar 2022 22:58:02 +0000
    Gerrit-HasComments: No
    Gerrit-Has-Labels: Yes
    Gerrit-MessageType: comment

    Jonathan Amsterdam (Gerrit)

    Mar 23, 2022, 8:19:50 AM
    to goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Zvonimir Pavlinovic, Gopher Robot, golang-co...@googlegroups.com

    Jonathan Amsterdam submitted this change.



    Approvals:
      Zvonimir Pavlinovic: Looks good to me, approved
      Jonathan Amsterdam: Trusted; Run TryBots
      Gopher Robot: TryBots succeeded

    cmd/govulncheck: fail in GOPATH mode

    govulncheck requires module information to find vulnerabilities.
    But in GOPATH mode, there is no module information.
    Instead of silently succeeding in that case, govulncheck fails with an error.

    Also, fix an off-by-one bug that could result in a panic if only the top
    function in a call stack is in a top package.

    Fixes golang/go#51591

    Change-Id: I9923c1f03aa0a101de86fe03daaeeefc1d1f5bdf
    Reviewed-on: https://go-review.googlesource.com/c/exp/+/394774
    Trust: Jonathan Amsterdam <j...@google.com>
    Run-TryBot: Jonathan Amsterdam <j...@google.com>
    TryBot-Result: Gopher Robot <go...@golang.org>
    Reviewed-by: Zvonimir Pavlinovic <zpavl...@google.com>
    ---
    M cmd/govulncheck/main.go
    1 file changed, 42 insertions(+), 12 deletions(-)


    Gerrit-Project: exp
    Gerrit-Branch: master
    Gerrit-Change-Id: I9923c1f03aa0a101de86fe03daaeeefc1d1f5bdf
    Gerrit-Change-Number: 394774
    Gerrit-PatchSet: 2
    Gerrit-Owner: Jonathan Amsterdam <j...@google.com>
    Gerrit-Reviewer: Gopher Robot <go...@golang.org>
    Gerrit-Reviewer: Jonathan Amsterdam <j...@google.com>
    Gerrit-Reviewer: Zvonimir Pavlinovic <zpavl...@google.com>
    Gerrit-MessageType: merged

    Julie Qiu (Gerrit)

    Mar 23, 2022, 3:22:47 PM
    to Zvonimir Pavlinovic, goph...@pubsubhelper.golang.org, Jonathan Amsterdam, golang-co...@googlegroups.com

    Attention is currently required from: Zvonimir Pavlinovic.

    Julie Qiu would like Zvonimir Pavlinovic to review this change.


    cmd/govulncheck: fail in GOPATH mode

    To view, visit change 395241. To unsubscribe, or for help writing mail filters, visit settings.

    Gerrit-Project: vuln
    Gerrit-Branch: master
    Gerrit-Change-Id: I9923c1f03aa0a101de86fe03daaeeefc1d1f5bdf
    Gerrit-Change-Number: 395241
    Gerrit-PatchSet: 1
    Gerrit-Owner: Julie Qiu <ju...@golang.org>
    Gerrit-Reviewer: Julie Qiu <ju...@golang.org>
    Gerrit-Reviewer: Zvonimir Pavlinovic <zpavl...@google.com>
    Gerrit-CC: Jonathan Amsterdam <j...@google.com>

    Julie Qiu (Gerrit)

    Mar 23, 2022, 3:24:20 PM
    to Jonathan Amsterdam, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

    Attention is currently required from: Zvonimir Pavlinovic.

    Julie Qiu uploaded patch set #2 to this change.


    cmd/govulncheck: fail in GOPATH mode

    govulncheck requires module information to find vulnerabilities.
    But in GOPATH mode, there is no module information.
    Instead of silently succeeding in that case, govulncheck fails with an error.

    Also, fix an off-by-one bug that could result in a panic if only the top
    function in a call stack is in a top package.

    Fixes golang/go#51591

    Cherry-picked: https://go-review.googlesource.com/c/exp/+/394774

    Change-Id: I9923c1f03aa0a101de86fe03daaeeefc1d1f5bdf
    ---
    M cmd/govulncheck/main.go
    1 file changed, 39 insertions(+), 12 deletions(-)


    Gerrit-Project: vuln
    Gerrit-Branch: master
    Gerrit-Change-Id: I9923c1f03aa0a101de86fe03daaeeefc1d1f5bdf
    Gerrit-Change-Number: 395241
    Gerrit-PatchSet: 2
    Gerrit-Owner: Julie Qiu <ju...@golang.org>
    Gerrit-Reviewer: Julie Qiu <ju...@golang.org>
    Gerrit-Reviewer: Zvonimir Pavlinovic <zpavl...@google.com>
    Gerrit-CC: Gopher Robot <go...@golang.org>
    Gerrit-CC: Jonathan Amsterdam <j...@google.com>
    Gerrit-Attention: Zvonimir Pavlinovic <zpavl...@google.com>
    Gerrit-MessageType: newpatchset

    Jonathan Amsterdam (Gerrit)

    Mar 23, 2022, 3:30:25 PM
    to Julie Qiu, goph...@pubsubhelper.golang.org, Gopher Robot, Zvonimir Pavlinovic, golang-co...@googlegroups.com

    Attention is currently required from: Zvonimir Pavlinovic, Julie Qiu.

    Patch set 2: Code-Review +2


      Gerrit-Project: vuln
      Gerrit-Branch: master
      Gerrit-Change-Id: I9923c1f03aa0a101de86fe03daaeeefc1d1f5bdf
      Gerrit-Change-Number: 395241
      Gerrit-PatchSet: 2
      Gerrit-Owner: Julie Qiu <ju...@golang.org>
      Gerrit-Reviewer: Gopher Robot <go...@golang.org>
      Gerrit-Reviewer: Jonathan Amsterdam <j...@google.com>
      Gerrit-Reviewer: Julie Qiu <ju...@golang.org>
      Gerrit-Reviewer: Zvonimir Pavlinovic <zpavl...@google.com>
      Gerrit-Attention: Zvonimir Pavlinovic <zpavl...@google.com>
      Gerrit-Attention: Julie Qiu <ju...@golang.org>
      Gerrit-Comment-Date: Wed, 23 Mar 2022 19:30:21 +0000

      Julie Qiu (Gerrit)

      Mar 23, 2022, 3:33:32 PM
      to Jonathan Amsterdam, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

      Attention is currently required from: Zvonimir Pavlinovic, Julie Qiu.

      Julie Qiu uploaded patch set #4 to this change.


      cmd/govulncheck: fail in GOPATH mode

      govulncheck requires module information to find vulnerabilities.
      But in GOPATH mode, there is no module information.
      Instead of silently succeeding in that case, govulncheck fails with an error.

      Also, fix an off-by-one bug that could result in a panic if only the top
      function in a call stack is in a top package.

      Fixes golang/go#51591

      Cherry-picked: https://go-review.googlesource.com/c/exp/+/394774

      Change-Id: I9923c1f03aa0a101de86fe03daaeeefc1d1f5bdf
      ---
      M cmd/govulncheck/main.go
      1 file changed, 39 insertions(+), 12 deletions(-)


      Gerrit-Project: vuln
      Gerrit-Branch: master
      Gerrit-Change-Id: I9923c1f03aa0a101de86fe03daaeeefc1d1f5bdf
      Gerrit-Change-Number: 395241
      Gerrit-PatchSet: 4
      Gerrit-Owner: Julie Qiu <ju...@golang.org>
      Gerrit-Reviewer: Gopher Robot <go...@golang.org>
      Gerrit-Reviewer: Julie Qiu <ju...@golang.org>
      Gerrit-Reviewer: Zvonimir Pavlinovic <zpavl...@google.com>
      Gerrit-CC: Jonathan Amsterdam <j...@google.com>
      Gerrit-Attention: Zvonimir Pavlinovic <zpavl...@google.com>
      Gerrit-Attention: Julie Qiu <ju...@golang.org>
      Gerrit-MessageType: newpatchset

      Julie Qiu (Gerrit)

      Mar 23, 2022, 4:32:23 PM
      to Jonathan Amsterdam, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Gopher Robot, Zvonimir Pavlinovic, golang-co...@googlegroups.com

      Julie Qiu submitted this change.




      2 is the latest approved patch-set.
      No files were changed between the latest approved patch-set and the submitted one.

      Approvals:
        Jonathan Amsterdam: Looks good to me, approved
        Julie Qiu: Trusted; Run TryBots
        Gopher Robot: TryBots succeeded

      cmd/govulncheck: fail in GOPATH mode

      govulncheck requires module information to find vulnerabilities.
      But in GOPATH mode, there is no module information.
      Instead of silently succeeding in that case, govulncheck fails with an error.

      Also, fix an off-by-one bug that could result in a panic if only the top
      function in a call stack is in a top package.

      Fixes golang/go#51591

      Cherry-picked: https://go-review.googlesource.com/c/exp/+/394774

      Change-Id: I9923c1f03aa0a101de86fe03daaeeefc1d1f5bdf
      Reviewed-on: https://go-review.googlesource.com/c/vuln/+/395241
      Trust: Julie Qiu <ju...@golang.org>
      Run-TryBot: Julie Qiu <ju...@golang.org>
      Reviewed-by: Jonathan Amsterdam <j...@google.com>
      TryBot-Result: Gopher Robot <go...@golang.org>
      ---
      M cmd/govulncheck/main.go
      1 file changed, 44 insertions(+), 12 deletions(-)

      diff --git a/cmd/govulncheck/main.go b/cmd/govulncheck/main.go
      index 7e9afc3..25e51fd 100644
      --- a/cmd/govulncheck/main.go
      +++ b/cmd/govulncheck/main.go
      @@ -91,8 +91,11 @@

      ctx := context.Background()

      patterns := flag.Args()
      - var r *vulncheck.Result
      - var pkgs []*packages.Package
      + var (
      + r *vulncheck.Result
      + pkgs []*packages.Package
      + moduleVersions map[string]string
      + )
      if len(patterns) == 1 && isFile(patterns[0]) {
      f, err := os.Open(patterns[0])
      if err != nil {
      @@ -113,6 +116,17 @@

      if err != nil {
      die("govulncheck: %v", err)
      }
      + // Build a map from module paths to versions.
      + moduleVersions = map[string]string{}
      + packages.Visit(pkgs, nil, func(p *packages.Package) {
      + if m := packageModule(p); m != nil {
      + moduleVersions[m.Path] = m.Version
      + }
      + })
      +
      + if len(moduleVersions) == 0 {
      + die("govulncheck: no modules found; are you in GOPATH mode? Module mode required.")
      + }
      r, err = vulncheck.Source(ctx, vulncheck.Convert(pkgs), vcfg)
      if err != nil {
      die("govulncheck: %v", err)
      @@ -121,7 +135,7 @@

      if *jsonFlag {
      writeJSON(r)
      } else {
      - writeText(r, pkgs)
      + writeText(r, pkgs, moduleVersions)
      }
      exitCode := 0
      // Following go vet, fail with 3 if there are findings (in this case, vulns).
      @@ -140,17 +154,10 @@

      fmt.Println()
      }

      -func writeText(r *vulncheck.Result, pkgs []*packages.Package) {
      +func writeText(r *vulncheck.Result, pkgs []*packages.Package, moduleVersions map[string]string) {
      if len(r.Vulns) == 0 {
      return
      }
      - // Build a map from module paths to versions.
      - moduleVersions := map[string]string{}
      - packages.Visit(pkgs, nil, func(p *packages.Package) {
      - if m := packageModule(p); m != nil {
      - moduleVersions[m.Path] = m.Version
      - }
      - })
      callStacks := vulncheck.CallStacks(r)

      const labelWidth = 16
      @@ -286,7 +293,7 @@

      for _, cs := range callStacks[v] {
      // Find the lowest function in the stack that is in
      // one of the top packages.
      - for i := len(cs) - 1; i > 0; i-- {
      + for i := len(cs) - 1; i >= 0; i-- {
      pkg := pkgPath(cs[i].Function)
      if topPkgs[pkg] {
      fns[cs[i].Function] = true


      Gerrit-Project: vuln
      Gerrit-Branch: master
      Gerrit-Change-Id: I9923c1f03aa0a101de86fe03daaeeefc1d1f5bdf
      Gerrit-Change-Number: 395241
      Gerrit-PatchSet: 10
      Gerrit-Owner: Julie Qiu <ju...@golang.org>
      Gerrit-Reviewer: Gopher Robot <go...@golang.org>
      Gerrit-Reviewer: Jonathan Amsterdam <j...@google.com>
      Gerrit-Reviewer: Julie Qiu <ju...@golang.org>
      Gerrit-Reviewer: Zvonimir Pavlinovic <zpavl...@google.com>
      Gerrit-MessageType: merged