Zvonimir Pavlinovic has uploaded this change for review.
cmd/govulncheck: add a message for missing or outdated go.sum
Also suggest go mod tidy as a fix
Change-Id: Ib80ecfdd608f6547c1894227ee55269bc0544ce2
---
M cmd/govulncheck/main.go
1 file changed, 27 insertions(+), 3 deletions(-)
diff --git a/cmd/govulncheck/main.go b/cmd/govulncheck/main.go
index 584ff2b..87371e0 100644
--- a/cmd/govulncheck/main.go
+++ b/cmd/govulncheck/main.go
@@ -119,10 +119,13 @@
}
pkgs, err = govulncheck.LoadPackages(cfg, patterns...)
if err != nil {
- // Check if the error is due to the fact that
- // the current project is not a module.
if !fileExists("go.mod") {
- die("govulncheck: missing go.mod file?")
+ // Check if the error is due to the fact that the current
+ // project is not a module.
+ die("govulncheck: not a module, missing go.mod file?")
+ } else if noOrOutdatedGoSum(err) {
+ // Suggest go mod tidy for missing or outdated go.sum file issue.
+ die("govulncheck: missing or outdated go.sum, run go mod tidy?")
}
die("govulncheck: %v", err)
}
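Review bot: the `else if noOrOutdatedGoSum(err)` branch treats any loader error containing "no required module" as a go.sum problem, but that wording can also come from causes `go mod tidy` does not fix, so the hint `missing or outdated go.sum, run go mod tidy?` may hide the real failure. Suggest keeping the underlying error in the message, e.g. `die("govulncheck: missing or outdated go.sum, run go mod tidy?\n%v", err)`, so the user still sees what `LoadPackages` actually returned.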
@@ -349,6 +352,16 @@
return true
}
+// noOrOutdateGoSum returns true if go.sum file is missing
+// or is outdated.
+func noOrOutdatedGoSum(err error) bool {
+ return !fileExists("go.sum") || isNoRequiredModule(err)
+}
+
+func isNoRequiredModule(err error) bool {
+ return strings.Contains(err.Error(), "no required module")
+}
+
// compact replaces consecutive runs of equal elements with a single copy.
// This is like the uniq command found on Unix.
// compact modifies the contents of the slice s; it does not create a new slice.
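Review bot: the doc comment names `noOrOutdateGoSum` while the function is `noOrOutdatedGoSum`; fix the comment so godoc and grep line up. Separately, `isNoRequiredModule` keys on the text of the go command's error, which is not a stable interface and can silently stop matching on a newer Go release; either document that dependency in a comment or restrict the check to `!fileExists("go.sum")` and let the original error speak for the rest.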
To view, visit change 425179. To unsubscribe, or for help writing mail filters, visit settings.
Zvonimir Pavlinovic uploaded patch set #2 to this change.
cmd/govulncheck: add a message for missing or outdated go.sum
Also suggest go mod tidy as a fix
Change-Id: Ib80ecfdd608f6547c1894227ee55269bc0544ce2
---
M cmd/govulncheck/main.go
1 file changed, 27 insertions(+), 3 deletions(-)
Patch set 2:Run-TryBot +1
Attention is currently required from: Jonathan Amsterdam, Zvonimir Pavlinovic.
3 comments:
File cmd/govulncheck/main.go:
Patch Set #2, Line 125: "govulncheck: not a module, missing go.mod file?"
give some more information in the error message, for example:
```
govulncheck: missing go.mod file
govulncheck only works Go modules. To make your project a module, run `go mod init`.
See https://go.dev/doc/modules/managing-dependencies for more information.
```
Patch Set #2, Line 126: missingOrOutdatedGoSum
I would split this into two errors:
```
govulncheck: missing go.sum file
Your module is missing a go.sum file. Try running `go mod tidy`.
See https://go.dev/doc/modules/managing-dependencies for more information.
```
```
govulncheck: missing required module
Your module has dependencies that are missing from the go.sum file. Try running `go mod tidy`.
See https://go.dev/doc/modules/managing-dependencies for more information.
```
if !fileExists("go.mod") {
// Check if the error is due to the fact that the current
// project is not a module.
die("govulncheck: not a module, missing go.mod file?")
} else if missingOrOutdatedGoSum(err) {
// Suggest go mod tidy for missing or outdated go.sum file issue.
die("govulncheck: missing or outdated go.sum, run go mod tidy?")
}
could you add a test module for this in testdata/modules?
Attention is currently required from: Jonathan Amsterdam, Zvonimir Pavlinovic.
Zvonimir Pavlinovic uploaded patch set #3 to this change.
The following approvals got outdated and were removed: Run-TryBot+1 by Zvonimir Pavlinovic, TryBot-Result+1 by Gopher Robot
cmd/govulncheck: add a message for missing go.sum
Also suggest go mod tidy as a fix
Change-Id: Ib80ecfdd608f6547c1894227ee55269bc0544ce2
---
A cmd/govulncheck/errors.go
M cmd/govulncheck/main.go
M cmd/govulncheck/main_command_118_test.go
A cmd/govulncheck/testdata/modules/nogomod/vuln.go
A cmd/govulncheck/testdata/modules/nogosum/go.mod
A cmd/govulncheck/testdata/modules/nogosum/vuln.go
A cmd/govulncheck/testdata/nogomod.ct
A cmd/govulncheck/testdata/nogosum.ct
8 files changed, 115 insertions(+), 18 deletions(-)
Attention is currently required from: Jonathan Amsterdam, Julie Qiu.
Patch set 3:Run-TryBot +1
3 comments:
File cmd/govulncheck/main.go:
Patch Set #2, Line 125: "govulncheck: not a module, missing go.mod file?"
give some more information in the error message, for example: […]
Done
Patch Set #2, Line 126: missingOrOutdatedGoSum
I would split this into two errors:
```
govulncheck: missing go.sum file
Your module is missing a go.sum file. Try running `go mod tidy`.
See https://go.dev/doc/modules/managing-dependencies for more information.
```
Done.
```
govulncheck: missing required module
Your module has dependencies that are missing from the go.sum file. Try running `go mod tidy`.
See https://go.dev/doc/modules/managing-dependencies for more information.
```
I removed this message for now. This might be useful in metrics pipeline, but might be confusing for users of govulncheck. There are ways in which this message can appear that are not solvable with `go mod tidy`. See https://github.com/golang/go/issues/44961. I believe it is better to leave the original error message and let the user figure it out.
if !fileExists("go.mod") {
// Check if the error is due to the fact that the current
// project is not a module.
die("govulncheck: not a module, missing go.mod file?")
} else if missingOrOutdatedGoSum(err) {
// Suggest go mod tidy for missing or outdated go.sum file issue.
die("govulncheck: missing or outdated go.sum, run go mod tidy?")
}
could you add a test module for this in testdata/modules?
Done
Attention is currently required from: Jonathan Amsterdam, Zvonimir Pavlinovic.
Patch set 3:Code-Review +2
1 comment:
File cmd/govulncheck/main.go:
Patch Set #2, Line 126: missingOrOutdatedGoSum
> I would split this into two errors: […]
SGTM
Zvonimir Pavlinovic submitted this change.
cmd/govulncheck: add a message for missing go.sum
Also suggest go mod tidy as a fix
Change-Id: Ib80ecfdd608f6547c1894227ee55269bc0544ce2
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/425179
Run-TryBot: Zvonimir Pavlinovic <zpavl...@google.com>
TryBot-Result: Gopher Robot <go...@golang.org>
Reviewed-by: Julie Qiu <juli...@google.com>
---
A cmd/govulncheck/errors.go
M cmd/govulncheck/main.go
M cmd/govulncheck/main_command_118_test.go
A cmd/govulncheck/testdata/modules/nogomod/vuln.go
A cmd/govulncheck/testdata/modules/nogosum/go.mod
A cmd/govulncheck/testdata/modules/nogosum/vuln.go
A cmd/govulncheck/testdata/nogomod.ct
A cmd/govulncheck/testdata/nogosum.ct
8 files changed, 119 insertions(+), 18 deletions(-)
diff --git a/cmd/govulncheck/errors.go b/cmd/govulncheck/errors.go
new file mode 100644
index 0000000..3008df0
--- /dev/null
+++ b/cmd/govulncheck/errors.go
@@ -0,0 +1,36 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+ "errors"
+ "os"
+)
+
+const noGoModErrorMessage = `govulncheck: no go.mod file
+
+govulncheck only works Go with modules. To make your project a module, run go mod init.
+
+See https://go.dev/doc/modules/managing-dependencies for more information.`
+
+const noGoSumErrorMessage = `govulncheck: no go.sum file
+
+Your module is missing a go.sum file. Try running go mod tidy.
+
+See https://go.dev/doc/modules/managing-dependencies for more information.`
+
+// fileExists checks if file path exists. Returns true
+// if the file exists or it cannot prove that it does
+// not exist. Otherwise, returns false.
+func fileExists(path string) bool {
+ if _, err := os.Stat(path); err == nil {
+ return true
+ } else if errors.Is(err, os.ErrNotExist) {
+ return false
+ }
+ // Conservatively return true if os.Stat fails
+ // for some other reason.
+ return true
+}
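Review bot: `noGoModErrorMessage` reads "govulncheck only works Go with modules"; the words are transposed and should be "only works with Go modules". The same text is asserted as expected output in `testdata/nogomod.ct`, so both must change together. Minor: the `fileExists` doc comment could state that `path` is resolved relative to the current working directory, since every caller passes a bare "go.mod" or "go.sum".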
diff --git a/cmd/govulncheck/main.go b/cmd/govulncheck/main.go
index ec6dd37..b45a1df 100644
--- a/cmd/govulncheck/main.go
+++ b/cmd/govulncheck/main.go
@@ -8,7 +8,6 @@
"bytes"
"context"
"encoding/json"
- "errors"
"flag"
"fmt"
"go/build"
@@ -120,10 +119,11 @@
}
pkgs, err = govulncheck.LoadPackages(cfg, patterns...)
if err != nil {
- // Check if the error is due to the fact that
- // the current project is not a module.
+ // Try to provide a meaningful and actionable error message.
if !fileExists("go.mod") {
- die("govulncheck: missing go.mod file?")
+ die(noGoModErrorMessage)
+ } else if !fileExists("go.sum") {
+ die(noGoSumErrorMessage)
}
die("govulncheck: %v", err)
}
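Review bot: `fileExists("go.mod")` and `fileExists("go.sum")` look only in the working directory, but a module's go.mod may live in a parent directory when govulncheck is run from a subpackage; `LoadPackages` could then fail for an unrelated reason and the user would be told they have no go.mod. Consider locating the module root first (for example via `go env GOMOD`) before choosing a message, and pass `err` along in the `die` call so the original diagnostic is not discarded.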
@@ -358,20 +358,6 @@
return !s.IsDir()
}
-// fileExists checks if file path exists. Returns true
-// if the file exists or it cannot prove that it does
-// not exist. Otherwise, returns false.
-func fileExists(path string) bool {
- if _, err := os.Stat(path); err == nil {
- return true
- } else if errors.Is(err, os.ErrNotExist) {
- return false
- }
- // Conservatively return true if os.Stat fails
- // for some other reason.
- return true
-}
-
// compact replaces consecutive runs of equal elements with a single copy.
// This is like the uniq command found on Unix.
// compact modifies the contents of the slice s; it does not create a new slice.
diff --git a/cmd/govulncheck/main_command_118_test.go b/cmd/govulncheck/main_command_118_test.go
index e45c797..f22c0b6 100644
--- a/cmd/govulncheck/main_command_118_test.go
+++ b/cmd/govulncheck/main_command_118_test.go
@@ -68,7 +68,20 @@
if err != nil {
t.Fatal(err)
}
+
+ // skipBuild contains names of module directories
+ // that should not be Go built. For instance, they
+ // might contain expected build errors.
+ skipBuild := map[string]bool{
+ "nogomod": true,
+ "nogosum": true,
+ }
+
for _, md := range moduleDirs {
+ if skipBuild[filepath.Base(md)] {
+ continue
+ }
+
binary, cleanup := buildtest.GoBuild(t, md)
defer cleanup()
// Set an environment variable to the path to the binary, so tests
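Review bot: `skipBuild` keyed by `filepath.Base(md)` works, but the comment above it should say where these directories are exercised instead (`testdata/nogomod.ct` and `testdata/nogosum.ct`), otherwise a reader sees checked-in modules that are deliberately unbuildable with no pointer to the tests that cover them.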
diff --git a/cmd/govulncheck/testdata/modules/nogomod/vuln.go b/cmd/govulncheck/testdata/modules/nogomod/vuln.go
new file mode 100644
index 0000000..e479a37
--- /dev/null
+++ b/cmd/govulncheck/testdata/modules/nogomod/vuln.go
@@ -0,0 +1,12 @@
+package main
+
+import (
+ "fmt"
+
+ "golang.org/x/text/language"
+)
+
+func main() {
+ fmt.Println("hello")
+ language.Parse("")
+}
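Review bot: `nogomod/vuln.go` imports `golang.org/x/text/language` with no go.mod beside it, so if the enclosing repository has its own go.mod above `testdata/`, whether package loading fails at all depends on that module's requirements; the expected `no go.mod file` output is reached only because the check inspects the working directory. Add a comment to the fixture stating that the directory intentionally has no go.mod and is skipped by `skipBuild`, so nobody "fixes" it later.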
diff --git a/cmd/govulncheck/testdata/modules/nogosum/go.mod b/cmd/govulncheck/testdata/modules/nogosum/go.mod
new file mode 100644
index 0000000..6312ce2
--- /dev/null
+++ b/cmd/govulncheck/testdata/modules/nogosum/go.mod
@@ -0,0 +1,3 @@
+module vuln
+
+go 1.19
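Review bot: this go.mod has no `require` for `golang.org/x/text`, which `vuln.go` imports, so the load error exercised here is a missing requirement as much as a missing go.sum. `go mod tidy` repairs both, so the hint shown is still correct, but the fixture does not isolate the go.sum case; adding a `require golang.org/x/text <version placeholder>` line while still omitting go.sum would make the test match its name.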
diff --git a/cmd/govulncheck/testdata/modules/nogosum/vuln.go b/cmd/govulncheck/testdata/modules/nogosum/vuln.go
new file mode 100644
index 0000000..e479a37
--- /dev/null
+++ b/cmd/govulncheck/testdata/modules/nogosum/vuln.go
@@ -0,0 +1,12 @@
+package main
+
+import (
+ "fmt"
+
+ "golang.org/x/text/language"
+)
+
+func main() {
+ fmt.Println("hello")
+ language.Parse("")
+}
diff --git a/cmd/govulncheck/testdata/nogomod.ct b/cmd/govulncheck/testdata/nogomod.ct
new file mode 100644
index 0000000..a6b5ed3
--- /dev/null
+++ b/cmd/govulncheck/testdata/nogomod.ct
@@ -0,0 +1,12 @@
+# Test of missing go.mod error message.
+
+$ cdmodule nogomod
+$ govulncheck . --> FAIL 1
+govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
+
+Scanning for dependencies with known vulnerabilities...
+govulncheck: no go.mod file
+
+govulncheck only works Go with modules. To make your project a module, run go mod init.
+
+See https://go.dev/doc/modules/managing-dependencies for more information.
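Review bot: the expected line `govulncheck only works Go with modules.` carries the transposed wording from `noGoModErrorMessage` in errors.go; when that constant is corrected to "only works with Go modules", this .ct file must be updated in the same change or the test will fail.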
diff --git a/cmd/govulncheck/testdata/nogosum.ct b/cmd/govulncheck/testdata/nogosum.ct
new file mode 100644
index 0000000..f68ab95
--- /dev/null
+++ b/cmd/govulncheck/testdata/nogosum.ct
@@ -0,0 +1,12 @@
+# Test of missing go.sum error message.
+
+$ cdmodule nogosum
+$ govulncheck . --> FAIL 1
+govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
+
+Scanning for dependencies with known vulnerabilities...
+govulncheck: no go.sum file
+
+Your module is missing a go.sum file. Try running go mod tidy.
+
+See https://go.dev/doc/modules/managing-dependencies for more information.