[vuln] cmd/govulncheck: cleanup test layout

Ian Cottrell (Gerrit)

May 18, 2023, 1:38:55 AM
to Julie Qiu, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Julie Qiu.

Ian Cottrell would like Julie Qiu to review this change.


cmd/govulncheck: cleanup test layout

Change-Id: Ib5da6c2c8a5b515d0c5e21ab494bde3281286bc7
---
D cmd/govulncheck/testdata/badmode.ct
A cmd/govulncheck/testdata/binary_fail.ct
R cmd/govulncheck/testdata/binary_json.ct
R cmd/govulncheck/testdata/binary_text.ct
D cmd/govulncheck/testdata/binarybadfile.ct
D cmd/govulncheck/testdata/binarybadfileformat.ct
D cmd/govulncheck/testdata/binarymulti.ct
D cmd/govulncheck/testdata/binarynoshow.ct
D cmd/govulncheck/testdata/binarynotags.ct
D cmd/govulncheck/testdata/binarynotest.ct
R cmd/govulncheck/testdata/convert_text.ct
D cmd/govulncheck/testdata/json.ct
D cmd/govulncheck/testdata/jsonnoshow.ct
D cmd/govulncheck/testdata/multientry.ct
D cmd/govulncheck/testdata/multientry_json.ct
D cmd/govulncheck/testdata/multientry_stacks.ct
D cmd/govulncheck/testdata/nobinaryflag.ct
D cmd/govulncheck/testdata/nogomod.ct
R cmd/govulncheck/testdata/query_fail.ct
R cmd/govulncheck/testdata/query_json.ct
R cmd/govulncheck/testdata/query_multi_json.ct
R cmd/govulncheck/testdata/query_stdlib_json.ct
R cmd/govulncheck/testdata/query_vstdlib_json.ct
D cmd/govulncheck/testdata/source.ct
A cmd/govulncheck/testdata/source_fail.ct
R cmd/govulncheck/testdata/source_informational_text.ct
R cmd/govulncheck/testdata/source_multientry_json.ct
A cmd/govulncheck/testdata/source_multientry_text.ct
R cmd/govulncheck/testdata/source_replace_text.ct
D cmd/govulncheck/testdata/source_stacks.ct
A cmd/govulncheck/testdata/source_stdlib_text.ct
A cmd/govulncheck/testdata/source_subdir_text.ct
R cmd/govulncheck/testdata/source_vuln_json.ct
A cmd/govulncheck/testdata/source_vuln_text.ct
D cmd/govulncheck/testdata/sourcebadpattern.ct
D cmd/govulncheck/testdata/stdlib.ct
D cmd/govulncheck/testdata/stdlib_stacks.ct
D cmd/govulncheck/testdata/subdi_stacks.ct
D cmd/govulncheck/testdata/subdir.ct
M cmd/govulncheck/testdata/usage.ct
A cmd/govulncheck/testdata/usage_fail.ct
41 files changed, 361 insertions(+), 763 deletions(-)

diff --git a/cmd/govulncheck/testdata/badmode.ct b/cmd/govulncheck/testdata/badmode.ct
deleted file mode 100644
index 8be09d9..0000000
--- a/cmd/govulncheck/testdata/badmode.ct
+++ /dev/null
@@ -1,4 +0,0 @@
-# Test of invalid input to -mode
-
-$ govulncheck -mode=invalid ./... --> FAIL 2
-"invalid" is not a valid mode
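Review bot: the only test that an unknown `-mode` value is rejected (`-mode=invalid ./... --> FAIL 2`, `"invalid" is not a valid mode`) is removed here and does not reappear in any hunk shown. The file list adds `usage_fail.ct` without showing its contents; please confirm this case lands there rather than being dropped, since it is the one check on the mode flag's input validation.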
diff --git a/cmd/govulncheck/testdata/binary_fail.ct b/cmd/govulncheck/testdata/binary_fail.ct
new file mode 100644
index 0000000..c953f78
--- /dev/null
+++ b/cmd/govulncheck/testdata/binary_fail.ct
@@ -0,0 +1,35 @@
+#####
+# Test of passing a non-file to -mode=binary
+$ govulncheck -mode=binary notafile --> FAIL 2
+"notafile" is not a file
+
+#####
+# Test of passing a non-binary file to -mode=binary
+$ govulncheck -mode=binary ${moddir}/vuln/go.mod --> FAIL 1
+govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
+
+Using govul...@v0.0.0-00000000000-20000101010101 with
+vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC).
+
+Scanning your binary for known vulnerabilities...
+govulncheck: could not parse provided binary: unrecognized file format
+
+#####
+# Test of trying to analyze multiple binaries
+$ govulncheck -mode=binary ${vuln_binary} ${vuln_binary} --> FAIL 2
+only 1 binary can be analyzed at a time
+
+#####
+# Test of trying to run -mode=binary with -show flag
+$ govulncheck -show=traces -mode=binary ${vuln_binary} --> FAIL 2
+the -show flag is not supported in binary mode
+
+#####
+# Test of trying to run -mode=binary with -tags flag
+$ govulncheck -tags=foo -mode=binary ${vuln_binary} --> FAIL 2
+the -tags flag is not supported in binary mode
+
+#####
+# Test of trying to run -mode=binary with the -test flag
+$ govulncheck -test -mode=binary ${vuln_binary} --> FAIL 2
+the -test flag is not supported in binary mode
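Review bot: this file is now the single home of the binary-mode argument checks, and the exit codes differ by case (2 for flag and argument rejection, 1 for the unparseable-file case that gets as far as the scanner); a one-line comment at the top stating that convention would help whoever adds the next case. Otherwise the six consolidated cases match the six deleted per-file versions line for line.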
diff --git a/cmd/govulncheck/testdata/binaryjson.ct b/cmd/govulncheck/testdata/binary_json.ct
similarity index 98%
rename from cmd/govulncheck/testdata/binaryjson.ct
rename to cmd/govulncheck/testdata/binary_json.ct
index eda8d60..92344b8 100644
--- a/cmd/govulncheck/testdata/binaryjson.ct
+++ b/cmd/govulncheck/testdata/binary_json.ct
@@ -1,3 +1,5 @@
+#####
+# Test basic binary scanning with json output
$ govulncheck -json -mode=binary ${vuln_binary}
{
"config": {
diff --git a/cmd/govulncheck/testdata/binary.ct b/cmd/govulncheck/testdata/binary_text.ct
similarity index 96%
rename from cmd/govulncheck/testdata/binary.ct
rename to cmd/govulncheck/testdata/binary_text.ct
index fec8e05..9a57ffc 100644
--- a/cmd/govulncheck/testdata/binary.ct
+++ b/cmd/govulncheck/testdata/binary_text.ct
@@ -1,3 +1,5 @@
+#####
+# Test basic binary scanning with text output
$ govulncheck -mode=binary ${vuln_binary} --> FAIL 3
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

diff --git a/cmd/govulncheck/testdata/binarybadfile.ct b/cmd/govulncheck/testdata/binarybadfile.ct
deleted file mode 100644
index daa59f0..0000000
--- a/cmd/govulncheck/testdata/binarybadfile.ct
+++ /dev/null
@@ -1,4 +0,0 @@
-# Test of passing a non-file to -mode=binary
-
-$ govulncheck -mode=binary notafile --> FAIL 2
-"notafile" is not a file
diff --git a/cmd/govulncheck/testdata/binarybadfileformat.ct b/cmd/govulncheck/testdata/binarybadfileformat.ct
deleted file mode 100644
index a55d047..0000000
--- a/cmd/govulncheck/testdata/binarybadfileformat.ct
+++ /dev/null
@@ -1,10 +0,0 @@
-# Test of passing a non-binary file to -mode=binary
-
-$ govulncheck -mode=binary ${moddir}/vuln/go.mod --> FAIL 1
-govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
-
-Using govul...@v0.0.0-00000000000-20000101010101 with
-vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC).
-
-Scanning your binary for known vulnerabilities...
-govulncheck: could not parse provided binary: unrecognized file format
diff --git a/cmd/govulncheck/testdata/binarymulti.ct b/cmd/govulncheck/testdata/binarymulti.ct
deleted file mode 100644
index aa56273..0000000
--- a/cmd/govulncheck/testdata/binarymulti.ct
+++ /dev/null
@@ -1,4 +0,0 @@
-# Test of trying to analyze multiple binaries
-
-$ govulncheck -mode=binary ${vuln_binary} ${vuln_binary} --> FAIL 2
-only 1 binary can be analyzed at a time
diff --git a/cmd/govulncheck/testdata/binarynoshow.ct b/cmd/govulncheck/testdata/binarynoshow.ct
deleted file mode 100644
index e86f972..0000000
--- a/cmd/govulncheck/testdata/binarynoshow.ct
+++ /dev/null
@@ -1,4 +0,0 @@
-# Test of trying to run -mode=binary with -show flag
-
-$ govulncheck -show=traces -mode=binary ${vuln_binary} --> FAIL 2
-the -show flag is not supported in binary mode
diff --git a/cmd/govulncheck/testdata/binarynotags.ct b/cmd/govulncheck/testdata/binarynotags.ct
deleted file mode 100644
index c8a37d3..0000000
--- a/cmd/govulncheck/testdata/binarynotags.ct
+++ /dev/null
@@ -1,4 +0,0 @@
-# Test of trying to run -mode=binary with -tags flag
-
-$ govulncheck -tags=foo -mode=binary ${vuln_binary} --> FAIL 2
-the -tags flag is not supported in binary mode
diff --git a/cmd/govulncheck/testdata/binarynotest.ct b/cmd/govulncheck/testdata/binarynotest.ct
deleted file mode 100644
index 4242299..0000000
--- a/cmd/govulncheck/testdata/binarynotest.ct
+++ /dev/null
@@ -1,4 +0,0 @@
-# Test of trying to run -mode=binary with the -test flag
-
-$ govulncheck -test -mode=binary ${vuln_binary} --> FAIL 2
-the -test flag is not supported in binary mode
diff --git a/cmd/govulncheck/testdata/convert.ct b/cmd/govulncheck/testdata/convert_text.ct
similarity index 96%
rename from cmd/govulncheck/testdata/convert.ct
rename to cmd/govulncheck/testdata/convert_text.ct
index 931bf16..41ac6bb 100644
--- a/cmd/govulncheck/testdata/convert.ct
+++ b/cmd/govulncheck/testdata/convert_text.ct
@@ -1,3 +1,5 @@
+#####
+# Test using the conversion from json on stdin to text on stdout
$ govulncheck -mode=convert < convert_input.json
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

diff --git a/cmd/govulncheck/testdata/json.ct b/cmd/govulncheck/testdata/json.ct
deleted file mode 100644
index bf3ed0b..0000000
--- a/cmd/govulncheck/testdata/json.ct
+++ /dev/null
@@ -1,281 +0,0 @@
-$ govulncheck -C ${moddir}/vuln -json .
-{
- "config": {
- "protocol_version": "v0.1.0",
- "scanner_name": "govulncheck",
- "scanner_version": "v0.0.0-00000000000-20000101010101",
- "db": "testdata/vulndb-v1",
- "db_last_modified": "2023-04-03T15:57:51Z",
- "go_version": "go1.18"
- }
-}
-{
- "progress": {
- "message": "Scanning your code and P packages across M dependent modules for known vulnerabilities..."
- }
-}
-{
- "osv": {
- "schema_version": "1.3.1",
- "id": "GO-2021-0265",
- "modified": "2023-04-03T15:57:51Z",
- "published": "2022-08-15T18:06:07Z",
- "aliases": [
- "CVE-2021-42248",
- "CVE-2021-42836",
- "GHSA-c9gm-7rfj-8w5h",
- "GHSA-ppj4-34rq-v8j9"
- ],
- "details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.",
- "affected": [
- {
- "package": {
- "name": "github.com/tidwall/gjson",
- "ecosystem": "Go"
- },
- "ranges": [
- {
- "type": "SEMVER",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "1.9.3"
- }
- ]
- }
- ],
- "ecosystem_specific": {
- "imports": [
- {
- "path": "github.com/tidwall/gjson",
- "symbols": [
- "Get",
- "GetBytes",
- "GetMany",
- "GetManyBytes",
- "Result.Get",
- "parseObject",
- "queryMatches"
- ]
- }
- ]
- }
- }
- ],
- "references": [
- {
- "type": "FIX",
- "url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
- },
- {
- "type": "WEB",
- "url": "https://github.com/tidwall/gjson/issues/237"
- },
- {
- "type": "WEB",
- "url": "https://github.com/tidwall/gjson/issues/236"
- },
- {
- "type": "WEB",
- "url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
- }
- ],
- "database_specific": {
- "url": "https://pkg.go.dev/vuln/GO-2021-0265"
- }
- }
-}
-{
- "finding": {
- "osv": "GO-2021-0265",
- "fixed_version": "v1.9.3",
- "trace": [
- {
- "module": "github.com/tidwall/gjson",
- "version": "v1.6.5",
- "package": "github.com/tidwall/gjson",
- "function": "Get",
- "receiver": "Result"
- },
- {
- "module": "golang.org/vuln",
- "package": "golang.org/vuln",
- "function": "main",
- "position": {
- "filename": ".../vuln.go",
- "offset": 183,
- "line": 14,
- "column": 20
- }
- }
- ]
- }
-}
-{
- "osv": {
- "schema_version": "1.3.1",
- "id": "GO-2021-0113",
- "modified": "2023-04-03T15:57:51Z",
- "published": "2021-10-06T17:51:21Z",
- "aliases": [
- "CVE-2021-38561",
- "GHSA-ppp9-7jff-5vj2"
- ],
- "details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
- "affected": [
- {
- "package": {
- "name": "golang.org/x/text",
- "ecosystem": "Go"
- },
- "ranges": [
- {
- "type": "SEMVER",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "0.3.7"
- }
- ]
- }
- ],
- "ecosystem_specific": {
- "imports": [
- {
- "path": "golang.org/x/text/language",
- "symbols": [
- "MatchStrings",
- "MustParse",
- "Parse",
- "ParseAcceptLanguage"
- ]
- }
- ]
- }
- }
- ],
- "references": [
- {
- "type": "FIX",
- "url": "https://go.dev/cl/340830"
- },
- {
- "type": "FIX",
- "url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
- }
- ],
- "credits": [
- {
- "name": "Guido Vranken"
- }
- ],
- "database_specific": {
- "url": "https://pkg.go.dev/vuln/GO-2021-0113"
- }
- }
-}
-{
- "finding": {
- "osv": "GO-2021-0113",
- "fixed_version": "v0.3.7",
- "trace": [
- {
- "module": "golang.org/x/text",
- "version": "v0.3.0",
- "package": "golang.org/x/text/language",
- "function": "Parse"
- },
- {
- "module": "golang.org/vuln",
- "package": "golang.org/vuln",
- "function": "main",
- "position": {
- "filename": ".../vuln.go",
- "offset": 159,
- "line": 13,
- "column": 16
- }
- }
- ]
- }
-}
-{
- "osv": {
- "schema_version": "1.3.1",
- "id": "GO-2021-0054",
- "modified": "2023-04-03T15:57:51Z",
- "published": "2021-04-14T20:04:52Z",
- "aliases": [
- "CVE-2020-36067",
- "GHSA-p64j-r5f4-pwwx"
- ],
- "details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
- "affected": [
- {
- "package": {
- "name": "github.com/tidwall/gjson",
- "ecosystem": "Go"
- },
- "ranges": [
- {
- "type": "SEMVER",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "1.6.6"
- }
- ]
- }
- ],
- "ecosystem_specific": {
- "imports": [
- {
- "path": "github.com/tidwall/gjson",
- "symbols": [
- "Result.ForEach",
- "unwrap"
- ]
- }
- ]
- }
- }
- ],
- "references": [
- {
- "type": "FIX",
- "url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b"
- },
- {
- "type": "WEB",
- "url": "https://github.com/tidwall/gjson/issues/196"
- }
- ],
- "credits": [
- {
- "name": "@toptotu"
- }
- ],
- "database_specific": {
- "url": "https://pkg.go.dev/vuln/GO-2021-0054"
- }
- }
-}
-{
- "finding": {
- "osv": "GO-2021-0054",
- "fixed_version": "v1.6.6",
- "trace": [
- {
- "module": "github.com/tidwall/gjson",
- "version": "v1.6.5",
- "package": "github.com/tidwall/gjson"
- }
- ]
- }
-}
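Review bot: this deletes a 281-line JSON expectation for `govulncheck -C ${moddir}/vuln -json .` with no matching addition in the visible hunks; the file list shows `source_vuln_json.ct` as a rename (R), not an addition, and its rename source is not in the portion shown. Please confirm that file still covers the `.` pattern in the `vuln` module with the same three OSV entries and three findings (including the import-only GO-2021-0054 finding), so this is a dedup and not a coverage loss.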
diff --git a/cmd/govulncheck/testdata/jsonnoshow.ct b/cmd/govulncheck/testdata/jsonnoshow.ct
deleted file mode 100644
index 0e8cc07..0000000
--- a/cmd/govulncheck/testdata/jsonnoshow.ct
+++ /dev/null
@@ -1,4 +0,0 @@
-# Test of trying to run -json with -v flag
-
-$ govulncheck -C ${moddir}/vuln -show=traces -json . --> FAIL 2
-the -show flag is not supported for JSON output
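Review bot: the `-show=traces` with `-json` rejection (`--> FAIL 2`, `the -show flag is not supported for JSON output`) is deleted and appears in neither `source_fail.ct` nor `binary_fail.ct` as added in this change; if it is meant to move to `usage_fail.ct`, that file's contents are not shown. When it is re-added, its header should name the `-show` flag, not `-v` as the old comment did.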
diff --git a/cmd/govulncheck/testdata/multientry.ct b/cmd/govulncheck/testdata/multientry.ct
deleted file mode 100644
index d87700e..0000000
--- a/cmd/govulncheck/testdata/multientry.ct
+++ /dev/null
@@ -1,21 +0,0 @@
-$ govulncheck -C ${moddir}/multientry . --> FAIL 3
-govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
-
-Using go1.18 and govul...@v0.0.0-00000000000-20000101010101 with
-vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC).
-
-Scanning your code and P packages across M dependent module for known vulnerabilities...
-Your code is affected by 1 vulnerability from 1 module.
-
-Vulnerability #1: GO-2021-0113
- Due to improper index calculation, an incorrectly formatted
- language tag can cause Parse to panic via an out of bounds read.
- If Parse is used to process untrusted user inputs, this may be
- used as a vector for a denial of service attack.
- More info: https://pkg.go.dev/vuln/GO-2021-0113
- Module: golang.org/x/text
- Found in: golang.org/x/te...@v0.3.5
- Fixed in: golang.org/x/te...@v0.3.7
- Call stacks in your code:
- .../main.go:99:20: golang.org/multientry.foobar calls golang.org/x/text/language.MustParse
- .../main.go:44:23: golang.org/multientry.C calls golang.org/x/text/language.Parse
diff --git a/cmd/govulncheck/testdata/multientry_json.ct b/cmd/govulncheck/testdata/multientry_json.ct
deleted file mode 100644
index b16ef23..0000000
--- a/cmd/govulncheck/testdata/multientry_json.ct
+++ /dev/null
@@ -1,164 +0,0 @@
-$ govulncheck -json -C ${moddir}/multientry .
-{
- "config": {
- "protocol_version": "v0.1.0",
- "scanner_name": "govulncheck",
- "scanner_version": "v0.0.0-00000000000-20000101010101",
- "db": "testdata/vulndb-v1",
- "db_last_modified": "2023-04-03T15:57:51Z",
- "go_version": "go1.18"
- }
-}
-{
- "progress": {
- "message": "Scanning your code and P packages across M dependent module for known vulnerabilities..."
- }
-}
-{
- "osv": {
- "schema_version": "1.3.1",
- "id": "GO-2021-0113",
- "modified": "2023-04-03T15:57:51Z",
- "published": "2021-10-06T17:51:21Z",
- "aliases": [
- "CVE-2021-38561",
- "GHSA-ppp9-7jff-5vj2"
- ],
- "details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
- "affected": [
- {
- "package": {
- "name": "golang.org/x/text",
- "ecosystem": "Go"
- },
- "ranges": [
- {
- "type": "SEMVER",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "0.3.7"
- }
- ]
- }
- ],
- "ecosystem_specific": {
- "imports": [
- {
- "path": "golang.org/x/text/language",
- "symbols": [
- "MatchStrings",
- "MustParse",
- "Parse",
- "ParseAcceptLanguage"
- ]
- }
- ]
- }
- }
- ],
- "references": [
- {
- "type": "FIX",
- "url": "https://go.dev/cl/340830"
- },
- {
- "type": "FIX",
- "url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
- }
- ],
- "credits": [
- {
- "name": "Guido Vranken"
- }
- ],
- "database_specific": {
- "url": "https://pkg.go.dev/vuln/GO-2021-0113"
- }
- }
-}
-{
- "finding": {
- "osv": "GO-2021-0113",
- "fixed_version": "v0.3.7",
- "trace": [
- {
- "module": "golang.org/x/text",
- "version": "v0.3.5",
- "package": "golang.org/x/text/language",
- "function": "MustParse"
- },
- {
- "module": "golang.org/multientry",
- "package": "golang.org/multientry",
- "function": "foobar",
- "position": {
- "filename": ".../main.go",
- "offset": 1694,
- "line": 99,
- "column": 20
- }
- },
- {
- "module": "golang.org/multientry",
- "package": "golang.org/multientry",
- "function": "D",
- "position": {
- "filename": ".../main.go",
- "offset": 705,
- "line": 48,
- "column": 8
- }
- },
- {
- "module": "golang.org/multientry",
- "package": "golang.org/multientry",
- "function": "main",
- "position": {
- "filename": ".../main.go",
- "offset": 441,
- "line": 26,
- "column": 3
- }
- }
- ]
- }
-}
-{
- "finding": {
- "osv": "GO-2021-0113",
- "fixed_version": "v0.3.7",
- "trace": [
- {
- "module": "golang.org/x/text",
- "version": "v0.3.5",
- "package": "golang.org/x/text/language",
- "function": "Parse"
- },
- {
- "module": "golang.org/multientry",
- "package": "golang.org/multientry",
- "function": "C",
- "position": {
- "filename": ".../main.go",
- "offset": 679,
- "line": 44,
- "column": 23
- }
- },
- {
- "module": "golang.org/multientry",
- "package": "golang.org/multientry",
- "function": "main",
- "position": {
- "filename": ".../main.go",
- "offset": 340,
- "line": 22,
- "column": 3
- }
- }
- ]
- }
-}
diff --git a/cmd/govulncheck/testdata/multientry_stacks.ct b/cmd/govulncheck/testdata/multientry_stacks.ct
deleted file mode 100644
index 43d80e5..0000000
--- a/cmd/govulncheck/testdata/multientry_stacks.ct
+++ /dev/null
@@ -1,33 +0,0 @@
-$ govulncheck -C ${moddir}/multientry -show=traces ./... --> FAIL 3
-govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
-
-Using go1.18 and govul...@v0.0.0-00000000000-20000101010101 with
-vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC).
-
-Scanning your code and P packages across M dependent module for known vulnerabilities...
-Your code is affected by 1 vulnerability from 1 module.
-
-Vulnerability #1: GO-2021-0113
- Due to improper index calculation, an incorrectly formatted
- language tag can cause Parse to panic via an out of bounds read.
- If Parse is used to process untrusted user inputs, this may be
- used as a vector for a denial of service attack.
- More info: https://pkg.go.dev/vuln/GO-2021-0113
- Module: golang.org/x/text
- Found in: golang.org/x/te...@v0.3.5
- Fixed in: golang.org/x/te...@v0.3.7
- Call stacks in your code:
- #1: for function MustParse
- golang.org/multientry.main
- .../main.go:26:3
- golang.org/multientry.D
- .../main.go:48:8
- golang.org/multientry.foobar
- .../main.go:99:20
- golang.org/x/text/language.MustParse
- #2: for function Parse
- golang.org/multientry.main
- .../main.go:22:3
- golang.org/multientry.C
- .../main.go:44:23
- golang.org/x/text/language.Parse
diff --git a/cmd/govulncheck/testdata/nobinaryflag.ct b/cmd/govulncheck/testdata/nobinaryflag.ct
deleted file mode 100644
index e712675..0000000
--- a/cmd/govulncheck/testdata/nobinaryflag.ct
+++ /dev/null
@@ -1,8 +0,0 @@
-$ govulncheck ${vuln_binary} --> FAIL 2
-govulncheck: myfile is a file.
-
-By default, govulncheck runs source analysis on Go modules.
-
-Did you mean to run govulncheck with -mode=binary?
-
-For details, run govulncheck -h.
diff --git a/cmd/govulncheck/testdata/nogomod.ct b/cmd/govulncheck/testdata/nogomod.ct
deleted file mode 100644
index ad97b96..0000000
--- a/cmd/govulncheck/testdata/nogomod.ct
+++ /dev/null
@@ -1,13 +0,0 @@
-# Test of missing go.mod error message.
-
-$ govulncheck -C ${moddir}/nogomod . --> FAIL 1
-govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
-
-Using go1.18 and govul...@v0.0.0-00000000000-20000101010101 with
-vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC).
-govulncheck: no go.mod file
-
-govulncheck only works with Go modules. Try navigating to your module directory.
-Otherwise, run go mod init to make your project a module.
-
-See https://go.dev/doc/modules/managing-dependencies for more information.
diff --git a/cmd/govulncheck/testdata/querymode_badinput.ct b/cmd/govulncheck/testdata/query_fail.ct
similarity index 96%
rename from cmd/govulncheck/testdata/querymode_badinput.ct
rename to cmd/govulncheck/testdata/query_fail.ct
index ae9d932..cac8242 100644
--- a/cmd/govulncheck/testdata/querymode_badinput.ct
+++ b/cmd/govulncheck/testdata/query_fail.ct
@@ -1,4 +1,4 @@
+#####
# Test of query mode with invalid input.
-
$ govulncheck -mode=query -json example.com/module@ --> FAIL 2
invalid query example.com/module@: must be of the form module@version
diff --git a/cmd/govulncheck/testdata/querymode.ct b/cmd/govulncheck/testdata/query_json.ct
similarity index 99%
rename from cmd/govulncheck/testdata/querymode.ct
rename to cmd/govulncheck/testdata/query_json.ct
index 28a51bf..4428e9a 100644
--- a/cmd/govulncheck/testdata/querymode.ct
+++ b/cmd/govulncheck/testdata/query_json.ct
@@ -1,5 +1,5 @@
+#####
# Test of query mode for a third party module.
-
$ govulncheck -mode=query -json github.com/tidwall/gj...@v1.6.5
{
"config": {
diff --git a/cmd/govulncheck/testdata/querymode_multi.ct b/cmd/govulncheck/testdata/query_multi_json.ct
similarity index 99%
rename from cmd/govulncheck/testdata/querymode_multi.ct
rename to cmd/govulncheck/testdata/query_multi_json.ct
index b10014e..45b3f02 100644
--- a/cmd/govulncheck/testdata/querymode_multi.ct
+++ b/cmd/govulncheck/testdata/query_multi_json.ct
@@ -1,5 +1,5 @@
+#####
# Test of query mode with multiple inputs.
-
$ govulncheck -mode=query -json std...@go1.17 github.com/tidwall/gj...@v1.6.5
{
"config": {
diff --git a/cmd/govulncheck/testdata/querymode_stdlib.ct b/cmd/govulncheck/testdata/query_stdlib_json.ct
similarity index 99%
rename from cmd/govulncheck/testdata/querymode_stdlib.ct
rename to cmd/govulncheck/testdata/query_stdlib_json.ct
index 2c90839..dbf0bc4 100644
--- a/cmd/govulncheck/testdata/querymode_stdlib.ct
+++ b/cmd/govulncheck/testdata/query_stdlib_json.ct
@@ -1,5 +1,5 @@
+#####
# Test of query mode with the standard library.
-
$ govulncheck -mode=query -json std...@go1.17
{
"config": {
diff --git a/cmd/govulncheck/testdata/querymode_stdlib_vprefix.ct b/cmd/govulncheck/testdata/query_vstdlib_json.ct
similarity index 99%
rename from cmd/govulncheck/testdata/querymode_stdlib_vprefix.ct
rename to cmd/govulncheck/testdata/query_vstdlib_json.ct
index f38de28..d6e3ff0 100644
--- a/cmd/govulncheck/testdata/querymode_stdlib_vprefix.ct
+++ b/cmd/govulncheck/testdata/query_vstdlib_json.ct
@@ -1,5 +1,5 @@
+#####
# Test of query mode with the standard library (with a v prefix on the version).
-
$ govulncheck -mode=query -json std...@v1.17.0
{
"config": {
diff --git a/cmd/govulncheck/testdata/source.ct b/cmd/govulncheck/testdata/source.ct
deleted file mode 100644
index d93e601..0000000
--- a/cmd/govulncheck/testdata/source.ct
+++ /dev/null
@@ -1,47 +0,0 @@
-$ govulncheck -C ${moddir}/vuln ./... --> FAIL 3
-govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
-
-Using go1.18 and govul...@v0.0.0-00000000000-20000101010101 with
-vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC).
-
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-Your code is affected by 2 vulnerabilities from 2 modules.
-
-Vulnerability #1: GO-2021-0265
- A maliciously crafted path can cause Get and other query
- functions to consume excessive amounts of CPU and time.
- More info: https://pkg.go.dev/vuln/GO-2021-0265
- Module: github.com/tidwall/gjson
- Found in: github.com/tidwall/gj...@v1.6.5
- Fixed in: github.com/tidwall/gj...@v1.9.3
- Call stacks in your code:
- .../vuln.go:14:20: golang.org/vuln.main calls github.com/tidwall/gjson.Result.Get
-
-
-Vulnerability #2: GO-2021-0113
- Due to improper index calculation, an incorrectly formatted
- language tag can cause Parse to panic via an out of bounds read.
- If Parse is used to process untrusted user inputs, this may be
- used as a vector for a denial of service attack.
- More info: https://pkg.go.dev/vuln/GO-2021-0113
- Module: golang.org/x/text
- Found in: golang.org/x/te...@v0.3.0
- Fixed in: golang.org/x/te...@v0.3.7
- Call stacks in your code:
- .../vuln.go:13:16: golang.org/vuln.main calls golang.org/x/text/language.Parse
-
-=== Informational ===
-
-Found 1 vulnerability in packages that you import, but there are no call
-stacks leading to the use of this vulnerability. You may not need to
-take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
-for details.
-
-Vulnerability #1: GO-2021-0054
- Due to improper bounds checking, maliciously crafted JSON
- objects can cause an out-of-bounds panic. If parsing user input,
- this may be used as a denial of service vector.
- More info: https://pkg.go.dev/vuln/GO-2021-0054
- Module: github.com/tidwall/gjson
- Found in: github.com/tidwall/gj...@v1.6.5
- Fixed in: github.com/tidwall/gj...@v1.6.6
diff --git a/cmd/govulncheck/testdata/source_fail.ct b/cmd/govulncheck/testdata/source_fail.ct
new file mode 100644
index 0000000..bb6adfd
--- /dev/null
+++ b/cmd/govulncheck/testdata/source_fail.ct
@@ -0,0 +1,38 @@
+#####
+# Test of missing go.mod error message.
+$ govulncheck -C ${moddir}/nogomod . --> FAIL 1
+govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
+
+Using go1.18 and govul...@v0.0.0-00000000000-20000101010101 with
+vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC).
+govulncheck: no go.mod file
+
+govulncheck only works with Go modules. Try navigating to your module directory.
+Otherwise, run go mod init to make your project a module.
+
+See https://go.dev/doc/modules/managing-dependencies for more information.
+
+#####
+# Test of handing a binary to source mode
+$ govulncheck ${vuln_binary} --> FAIL 2
+govulncheck: myfile is a file.
+
+By default, govulncheck runs source analysis on Go modules.
+
+Did you mean to run govulncheck with -mode=binary?
+
+For details, run govulncheck -h.
+
+#####
+# Test of handing an invalid package pattern to source mode
+$ govulncheck -C ${moddir}/vuln blah --> FAIL 1
+govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
+
+Using go1.18 and govul...@v0.0.0-00000000000-20000101010101 with
+vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC).
+govulncheck: loading packages:
+There are errors with the provided package patterns:
+
+-: package foo is not in GOROOT (/tmp/foo)
+
+For details on package patterns, see https://pkg.go.dev/cmd/go#hdr-Package_lists_and_patterns.
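Review bot: in the last case the command passes the pattern `blah` but the expected output reads `-: package foo is not in GOROOT (/tmp/foo)`; unless the harness rewrites the package name and path, this cannot match, so either pass `foo` in the command or record the real message for `blah`. The absolute `/tmp/foo` also looks host-specific, where the other testdata files use `.../` placeholders for paths.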
diff --git a/cmd/govulncheck/testdata/informational.ct b/cmd/govulncheck/testdata/source_informational_text.ct
similarity index 95%
rename from cmd/govulncheck/testdata/informational.ct
rename to cmd/govulncheck/testdata/source_informational_text.ct
index 22569c0..20c9040 100644
--- a/cmd/govulncheck/testdata/informational.ct
+++ b/cmd/govulncheck/testdata/source_informational_text.ct
@@ -1,3 +1,5 @@
+#####
+# Test souce mode with no callstacks
$ govulncheck -C ${moddir}/informational -show=traces .
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

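Review bot: typo in the new header comment: `Test souce mode with no callstacks` should read `Test source mode with no call stacks`.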
diff --git a/cmd/govulncheck/testdata/binarymultientryjson.ct b/cmd/govulncheck/testdata/source_multientry_json.ct
similarity index 98%
rename from cmd/govulncheck/testdata/binarymultientryjson.ct
rename to cmd/govulncheck/testdata/source_multientry_json.ct
index b16ef23..6cfc746 100644
--- a/cmd/govulncheck/testdata/binarymultientryjson.ct
+++ b/cmd/govulncheck/testdata/source_multientry_json.ct
@@ -1,3 +1,5 @@
+#####
+# Test for multiple call stacks in source mode
$ govulncheck -json -C ${moddir}/multientry .
{
"config": {
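Review bot: the index line `b16ef23..6cfc746` shows this file held the same blob as the deleted `multientry_json.ct` (`index b16ef23..0000000`), so this is a dedup of two identical copies, and the old name `binarymultientryjson.ct` was wrong: the command is a source-mode scan (`-json -C ${moddir}/multientry .`), not a binary scan. Worth a line in the commit message saying one of two identical copies was dropped, so the large deletion in `multientry_json.ct` is not read as lost coverage.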
diff --git a/cmd/govulncheck/testdata/source_multientry_text.ct b/cmd/govulncheck/testdata/source_multientry_text.ct
new file mode 100644
index 0000000..7deeccc
--- /dev/null
+++ b/cmd/govulncheck/testdata/source_multientry_text.ct
@@ -0,0 +1,59 @@
+#####
+# Test for multiple call stacks in source mode with expanded traces
+$ govulncheck -C ${moddir}/multientry . --> FAIL 3
+govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
+
+Using go1.18 and govul...@v0.0.0-00000000000-20000101010101 with
+vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC).
+
+Scanning your code and P packages across M dependent module for known vulnerabilities...
+Your code is affected by 1 vulnerability from 1 module.
+
+Vulnerability #1: GO-2021-0113
+ Due to improper index calculation, an incorrectly formatted
+ language tag can cause Parse to panic via an out of bounds read.
+ If Parse is used to process untrusted user inputs, this may be
+ used as a vector for a denial of service attack.
+ More info: https://pkg.go.dev/vuln/GO-2021-0113
+ Module: golang.org/x/text
+ Found in: golang.org/x/te...@v0.3.5
+ Fixed in: golang.org/x/te...@v0.3.7
+ Call stacks in your code:
+ .../main.go:99:20: golang.org/multientry.foobar calls golang.org/x/text/language.MustParse
+ .../main.go:44:23: golang.org/multientry.C calls golang.org/x/text/language.Parse
+
+#####
+# Test for multple call stacks in source mode with expanded traces
+$ govulncheck -C ${moddir}/multientry -show=traces ./... --> FAIL 3
+govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
+
+Using go1.18 and govul...@v0.0.0-00000000000-20000101010101 with
+vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC).
+
+Scanning your code and P packages across M dependent module for known vulnerabilities...
+Your code is affected by 1 vulnerability from 1 module.
+
+Vulnerability #1: GO-2021-0113
+ Due to improper index calculation, an incorrectly formatted
+ language tag can cause Parse to panic via an out of bounds read.
+ If Parse is used to process untrusted user inputs, this may be
+ used as a vector for a denial of service attack.
+ More info: https://pkg.go.dev/vuln/GO-2021-0113
+ Module: golang.org/x/text
+ Found in: golang.org/x/te...@v0.3.5
+ Fixed in: golang.org/x/te...@v0.3.7
+ Call stacks in your code:
+ #1: for function MustParse
+ golang.org/multientry.main
+ .../main.go:26:3
+ golang.org/multientry.D
+ .../main.go:48:8
+ golang.org/multientry.foobar
+ .../main.go:99:20
+ golang.org/x/text/language.MustParse
+ #2: for function Parse
+ golang.org/multientry.main
+ .../main.go:22:3
+ golang.org/multientry.C
+ .../main.go:44:23
+ golang.org/x/text/language.Parse
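Review bot: the first header (`Test for multiple call stacks in source mode with expanded traces`) does not match its command, which has no `-show=traces`; it is the compact form, and only the second case expands traces. Suggest `# Test for multiple call stacks in source mode` for the first and `multiple` for `multple` in the second. The two cases also scan different patterns (`.` versus `./...`) with identical expected output, which holds for this single-package module but deserves a comment if the difference is intentional.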
diff --git a/cmd/govulncheck/testdata/source_replace.ct b/cmd/govulncheck/testdata/source_replace_text.ct
similarity index 98%
rename from cmd/govulncheck/testdata/source_replace.ct
rename to cmd/govulncheck/testdata/source_replace_text.ct
index b8c3377..13ece50 100644
--- a/cmd/govulncheck/testdata/source_replace.ct
+++ b/cmd/govulncheck/testdata/source_replace_text.ct
@@ -1,3 +1,4 @@
+#####
# Test of source mode on a module with a multi-layer replace directive.
# TODO(iancottrell): Update this test once govulncheck can robustly handle
# replace directives.
diff --git a/cmd/govulncheck/testdata/source_stacks.ct b/cmd/govulncheck/testdata/source_stacks.ct
deleted file mode 100644
index f60a52f..0000000
--- a/cmd/govulncheck/testdata/source_stacks.ct
+++ /dev/null
@@ -1,53 +0,0 @@
-$ govulncheck -C ${moddir}/vuln -show=traces ./... --> FAIL 3
-govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
-
-Using go1.18 and govul...@v0.0.0-00000000000-20000101010101 with
-vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC).
-
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-Your code is affected by 2 vulnerabilities from 2 modules.
-
-Vulnerability #1: GO-2021-0265
- A maliciously crafted path can cause Get and other query
- functions to consume excessive amounts of CPU and time.
- More info: https://pkg.go.dev/vuln/GO-2021-0265
- Module: github.com/tidwall/gjson
- Found in: github.com/tidwall/gj...@v1.6.5
- Fixed in: github.com/tidwall/gj...@v1.9.3
- Call stacks in your code:
- #1: for function Result.Get
- golang.org/vuln.main
- .../vuln.go:14:20
- github.com/tidwall/gjson.Result.Get
-
-
-Vulnerability #2: GO-2021-0113
- Due to improper index calculation, an incorrectly formatted
- language tag can cause Parse to panic via an out of bounds read.
- If Parse is used to process untrusted user inputs, this may be
- used as a vector for a denial of service attack.
- More info: https://pkg.go.dev/vuln/GO-2021-0113
- Module: golang.org/x/text
- Found in: golang.org/x/te...@v0.3.0
- Fixed in: golang.org/x/te...@v0.3.7
- Call stacks in your code:
- #1: for function Parse
- golang.org/vuln.main
- .../vuln.go:13:16
- golang.org/x/text/language.Parse
-
-=== Informational ===
-
-Found 1 vulnerability in packages that you import, but there are no call
-stacks leading to the use of this vulnerability. You may not need to
-take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
-for details.
-
-Vulnerability #1: GO-2021-0054
- Due to improper bounds checking, maliciously crafted JSON
- objects can cause an out-of-bounds panic. If parsing user input,
- this may be used as a denial of service vector.
- More info: https://pkg.go.dev/vuln/GO-2021-0054
- Module: github.com/tidwall/gjson
- Found in: github.com/tidwall/gj...@v1.6.5
- Fixed in: github.com/tidwall/gj...@v1.6.6
diff --git a/cmd/govulncheck/testdata/source_stdlib_text.ct b/cmd/govulncheck/testdata/source_stdlib_text.ct
new file mode 100644
index 0000000..0d821e8
--- /dev/null
+++ b/cmd/govulncheck/testdata/source_stdlib_text.ct
@@ -0,0 +1,46 @@
+#####
+# Test finding stdlib vulnerability in source mode
+$ govulncheck -C ${moddir}/stdlib . --> FAIL 3
+govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
+
+Using go1.18 and govul...@v0.0.0-00000000000-20000101010101 with
+vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC).
+
+Scanning your code and P packages across M dependent modules for known vulnerabilities...
+Your code is affected by 1 vulnerability from the Go standard library.
+
+Vulnerability #1: GO-2022-0969
+ HTTP/2 server connections can hang forever waiting for a clean
+ shutdown that was preempted by a fatal error. This condition can
+ be exploited by a malicious client to cause a denial of service.
+ More info: https://pkg.go.dev/vuln/GO-2022-0969
+ Standard library
+ Found in: net/ht...@go1.18
+ Fixed in: net/ht...@go1.19.1
+ Call stacks in your code:
+ .../stdlib.go:17:31: golang.org/stdlib.main calls net/http.ListenAndServe
+
+#####
+# Test finding stdlib vulnerability in source mode with expanded traces
+$ govulncheck -C ${moddir}/stdlib -show=traces . --> FAIL 3
+govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
+
+Using go1.18 and govul...@v0.0.0-00000000000-20000101010101 with
+vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC).
+
+Scanning your code and P packages across M dependent modules for known vulnerabilities...
+Your code is affected by 1 vulnerability from the Go standard library.
+
+Vulnerability #1: GO-2022-0969
+ HTTP/2 server connections can hang forever waiting for a clean
+ shutdown that was preempted by a fatal error. This condition can
+ be exploited by a malicious client to cause a denial of service.
+ More info: https://pkg.go.dev/vuln/GO-2022-0969
+ Standard library
+ Found in: net/ht...@go1.18
+ Fixed in: net/ht...@go1.19.1
+ Call stacks in your code:
+ #1: for function ListenAndServe
+ golang.org/stdlib.main
+ .../stdlib.go:17:31
+ net/http.ListenAndServe
diff --git a/cmd/govulncheck/testdata/source_subdir_text.ct b/cmd/govulncheck/testdata/source_subdir_text.ct
new file mode 100644
index 0000000..d97f9cb
--- /dev/null
+++ b/cmd/govulncheck/testdata/source_subdir_text.ct
@@ -0,0 +1,48 @@
+#####
+# Test govulncheck runs on the subdirectory of a module
+$ govulncheck -C ${moddir}/vuln/subdir . --> FAIL 3
+govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
+
+Using go1.18 and govul...@v0.0.0-00000000000-20000101010101 with
+vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC).
+
+Scanning your code and P packages across M dependent module for known vulnerabilities...
+Your code is affected by 1 vulnerability from 1 module.
+
+Vulnerability #1: GO-2021-0113
+ Due to improper index calculation, an incorrectly formatted
+ language tag can cause Parse to panic via an out of bounds read.
+ If Parse is used to process untrusted user inputs, this may be
+ used as a vector for a denial of service attack.
+ More info: https://pkg.go.dev/vuln/GO-2021-0113
+ Module: golang.org/x/text
+ Found in: golang.org/x/te...@v0.3.0
+ Fixed in: golang.org/x/te...@v0.3.7
+ Call stacks in your code:
+ .../subdir.go:8:16: golang.org/vuln/subdir.Foo calls golang.org/x/text/language.Parse
+
+#####
+# Test govulncheck runs on the subdirectory of a module
+$ govulncheck -C ${moddir}/vuln/subdir -show=traces . --> FAIL 3
+govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
+
+Using go1.18 and govul...@v0.0.0-00000000000-20000101010101 with
+vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC).
+
+Scanning your code and P packages across M dependent module for known vulnerabilities...
+Your code is affected by 1 vulnerability from 1 module.
+
+Vulnerability #1: GO-2021-0113
+ Due to improper index calculation, an incorrectly formatted
+ language tag can cause Parse to panic via an out of bounds read.
+ If Parse is used to process untrusted user inputs, this may be
+ used as a vector for a denial of service attack.
+ More info: https://pkg.go.dev/vuln/GO-2021-0113
+ Module: golang.org/x/text
+ Found in: golang.org/x/te...@v0.3.0
+ Fixed in: golang.org/x/te...@v0.3.7
+ Call stacks in your code:
+ #1: for function Parse
+ golang.org/vuln/subdir.Foo
+ .../subdir.go:8:16
+ golang.org/x/text/language.Parse
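Review bot: the second case in this file repeats the first case's comment verbatim (`+# Test govulncheck runs on the subdirectory of a module`) even though it exercises `-show=traces`. The other text files distinguish the two variants with the suffix `with expanded traces`; suggest the same here so a failing case can be identified from its header alone.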
diff --git a/cmd/govulncheck/testdata/source_json.ct b/cmd/govulncheck/testdata/source_vuln_json.ct
similarity index 99%
rename from cmd/govulncheck/testdata/source_json.ct
rename to cmd/govulncheck/testdata/source_vuln_json.ct
index 827758b..606fdb7 100644
--- a/cmd/govulncheck/testdata/source_json.ct
+++ b/cmd/govulncheck/testdata/source_vuln_json.ct
@@ -1,3 +1,5 @@
+#####
+#
$ govulncheck -C ${moddir}/vuln -json ./...
{
"config": {
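Review bot: the added comment line `+#` is empty, which leaves this the only case in the new layout with a `#####` separator but no description. Suggest filling it in along the lines of `# Test of basic govulncheck in source mode with JSON output` (suggested wording) to match the other files.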
diff --git a/cmd/govulncheck/testdata/source_vuln_text.ct b/cmd/govulncheck/testdata/source_vuln_text.ct
new file mode 100644
index 0000000..5c17243
--- /dev/null
+++ b/cmd/govulncheck/testdata/source_vuln_text.ct
@@ -0,0 +1,105 @@
+#####
+# Test of basic govulncheck in source mode
+$ govulncheck -C ${moddir}/vuln ./... --> FAIL 3
+govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
+
+Using go1.18 and govul...@v0.0.0-00000000000-20000101010101 with
+vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC).
+
+Scanning your code and P packages across M dependent modules for known vulnerabilities...
+Your code is affected by 2 vulnerabilities from 2 modules.
+
+Vulnerability #1: GO-2021-0265
+ A maliciously crafted path can cause Get and other query
+ functions to consume excessive amounts of CPU and time.
+ More info: https://pkg.go.dev/vuln/GO-2021-0265
+ Module: github.com/tidwall/gjson
+ Found in: github.com/tidwall/gj...@v1.6.5
+ Fixed in: github.com/tidwall/gj...@v1.9.3
+ Call stacks in your code:
+ .../vuln.go:14:20: golang.org/vuln.main calls github.com/tidwall/gjson.Result.Get
+
+
+Vulnerability #2: GO-2021-0113
+ Due to improper index calculation, an incorrectly formatted
+ language tag can cause Parse to panic via an out of bounds read.
+ If Parse is used to process untrusted user inputs, this may be
+ used as a vector for a denial of service attack.
+ More info: https://pkg.go.dev/vuln/GO-2021-0113
+ Module: golang.org/x/text
+ Found in: golang.org/x/te...@v0.3.0
+ Fixed in: golang.org/x/te...@v0.3.7
+ Call stacks in your code:
+ .../vuln.go:13:16: golang.org/vuln.main calls golang.org/x/text/language.Parse
+
+=== Informational ===
+
+Found 1 vulnerability in packages that you import, but there are no call
+stacks leading to the use of this vulnerability. You may not need to
+take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
+for details.
+
+Vulnerability #1: GO-2021-0054
+ Due to improper bounds checking, maliciously crafted JSON
+ objects can cause an out-of-bounds panic. If parsing user input,
+ this may be used as a denial of service vector.
+ More info: https://pkg.go.dev/vuln/GO-2021-0054
+ Module: github.com/tidwall/gjson
+ Found in: github.com/tidwall/gj...@v1.6.5
+ Fixed in: github.com/tidwall/gj...@v1.6.6
+
+#####
+# Test of basic govulncheck in source mode with expanded traces
+$ govulncheck -C ${moddir}/vuln -show=traces ./... --> FAIL 3
+govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
+
+Using go1.18 and govul...@v0.0.0-00000000000-20000101010101 with
+vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC).
+
+Scanning your code and P packages across M dependent modules for known vulnerabilities...
+Your code is affected by 2 vulnerabilities from 2 modules.
+
+Vulnerability #1: GO-2021-0265
+ A maliciously crafted path can cause Get and other query
+ functions to consume excessive amounts of CPU and time.
+ More info: https://pkg.go.dev/vuln/GO-2021-0265
+ Module: github.com/tidwall/gjson
+ Found in: github.com/tidwall/gj...@v1.6.5
+ Fixed in: github.com/tidwall/gj...@v1.9.3
+ Call stacks in your code:
+ #1: for function Result.Get
+ golang.org/vuln.main
+ .../vuln.go:14:20
+ github.com/tidwall/gjson.Result.Get
+
+
+Vulnerability #2: GO-2021-0113
+ Due to improper index calculation, an incorrectly formatted
+ language tag can cause Parse to panic via an out of bounds read.
+ If Parse is used to process untrusted user inputs, this may be
+ used as a vector for a denial of service attack.
+ More info: https://pkg.go.dev/vuln/GO-2021-0113
+ Module: golang.org/x/text
+ Found in: golang.org/x/te...@v0.3.0
+ Fixed in: golang.org/x/te...@v0.3.7
+ Call stacks in your code:
+ #1: for function Parse
+ golang.org/vuln.main
+ .../vuln.go:13:16
+ golang.org/x/text/language.Parse
+
+=== Informational ===
+
+Found 1 vulnerability in packages that you import, but there are no call
+stacks leading to the use of this vulnerability. You may not need to
+take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
+for details.
+
+Vulnerability #1: GO-2021-0054
+ Due to improper bounds checking, maliciously crafted JSON
+ objects can cause an out-of-bounds panic. If parsing user input,
+ this may be used as a denial of service vector.
+ More info: https://pkg.go.dev/vuln/GO-2021-0054
+ Module: github.com/tidwall/gjson
+ Found in: github.com/tidwall/gj...@v1.6.5
+ Fixed in: github.com/tidwall/gj...@v1.6.6
diff --git a/cmd/govulncheck/testdata/sourcebadpattern.ct b/cmd/govulncheck/testdata/sourcebadpattern.ct
deleted file mode 100644
index a8496f9..0000000
--- a/cmd/govulncheck/testdata/sourcebadpattern.ct
+++ /dev/null
@@ -1,11 +0,0 @@
-$ govulncheck -C ${moddir}/vuln blah --> FAIL 1
-govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
-
-Using go1.18 and govul...@v0.0.0-00000000000-20000101010101 with
-vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC).
-govulncheck: loading packages:
-There are errors with the provided package patterns:
-
--: package foo is not in GOROOT (/tmp/foo)
-
-For details on package patterns, see https://pkg.go.dev/cmd/go#hdr-Package_lists_and_patterns.
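Review bot: this deletion removes the only visible coverage of an invalid package pattern (`govulncheck -C ${moddir}/vuln blah --> FAIL 1`, exiting 1 with the `loading packages` error). The reply in this thread says the error conditions were gathered into single files, but the replacement case is not visible in this part of the diff; please confirm it was carried over rather than dropped, since the exit code 1 is what distinguishes a package-loading failure from a usage error (2) or a finding (3) in the other cases.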
diff --git a/cmd/govulncheck/testdata/stdlib.ct b/cmd/govulncheck/testdata/stdlib.ct
deleted file mode 100644
index b3271d7..0000000
--- a/cmd/govulncheck/testdata/stdlib.ct
+++ /dev/null
@@ -1,19 +0,0 @@
-$ govulncheck -C ${moddir}/stdlib . --> FAIL 3
-govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
-
-Using go1.18 and govul...@v0.0.0-00000000000-20000101010101 with
-vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC).
-
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-Your code is affected by 1 vulnerability from the Go standard library.
-
-Vulnerability #1: GO-2022-0969
- HTTP/2 server connections can hang forever waiting for a clean
- shutdown that was preempted by a fatal error. This condition can
- be exploited by a malicious client to cause a denial of service.
- More info: https://pkg.go.dev/vuln/GO-2022-0969
- Standard library
- Found in: net/ht...@go1.18
- Fixed in: net/ht...@go1.19.1
- Call stacks in your code:
- .../stdlib.go:17:31: golang.org/stdlib.main calls net/http.ListenAndServe
diff --git a/cmd/govulncheck/testdata/stdlib_stacks.ct b/cmd/govulncheck/testdata/stdlib_stacks.ct
deleted file mode 100644
index 74fcb52..0000000
--- a/cmd/govulncheck/testdata/stdlib_stacks.ct
+++ /dev/null
@@ -1,22 +0,0 @@
-$ govulncheck -C ${moddir}/stdlib -show=traces . --> FAIL 3
-govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
-
-Using go1.18 and govul...@v0.0.0-00000000000-20000101010101 with
-vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC).
-
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-Your code is affected by 1 vulnerability from the Go standard library.
-
-Vulnerability #1: GO-2022-0969
- HTTP/2 server connections can hang forever waiting for a clean
- shutdown that was preempted by a fatal error. This condition can
- be exploited by a malicious client to cause a denial of service.
- More info: https://pkg.go.dev/vuln/GO-2022-0969
- Standard library
- Found in: net/ht...@go1.18
- Fixed in: net/ht...@go1.19.1
- Call stacks in your code:
- #1: for function ListenAndServe
- golang.org/stdlib.main
- .../stdlib.go:17:31
- net/http.ListenAndServe
diff --git a/cmd/govulncheck/testdata/subdi_stacks.ct b/cmd/govulncheck/testdata/subdi_stacks.ct
deleted file mode 100644
index c94738c..0000000
--- a/cmd/govulncheck/testdata/subdi_stacks.ct
+++ /dev/null
@@ -1,25 +0,0 @@
-# Test govulncheck runs on the subdirectory of a module
-
-$ govulncheck -C ${moddir}/vuln/subdir -show=traces . --> FAIL 3
-govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
-
-Using go1.18 and govul...@v0.0.0-00000000000-20000101010101 with
-vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC).
-
-Scanning your code and P packages across M dependent module for known vulnerabilities...
-Your code is affected by 1 vulnerability from 1 module.
-
-Vulnerability #1: GO-2021-0113
- Due to improper index calculation, an incorrectly formatted
- language tag can cause Parse to panic via an out of bounds read.
- If Parse is used to process untrusted user inputs, this may be
- used as a vector for a denial of service attack.
- More info: https://pkg.go.dev/vuln/GO-2021-0113
- Module: golang.org/x/text
- Found in: golang.org/x/te...@v0.3.0
- Fixed in: golang.org/x/te...@v0.3.7
- Call stacks in your code:
- #1: for function Parse
- golang.org/vuln/subdir.Foo
- .../subdir.go:8:16
- golang.org/x/text/language.Parse
diff --git a/cmd/govulncheck/testdata/subdir.ct b/cmd/govulncheck/testdata/subdir.ct
deleted file mode 100644
index d924b57..0000000
--- a/cmd/govulncheck/testdata/subdir.ct
+++ /dev/null
@@ -1,22 +0,0 @@
-# Test govulncheck runs on the subdirectory of a module
-
-$ govulncheck -C ${moddir}/vuln/subdir . --> FAIL 3
-govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
-
-Using go1.18 and govul...@v0.0.0-00000000000-20000101010101 with
-vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC).
-
-Scanning your code and P packages across M dependent module for known vulnerabilities...
-Your code is affected by 1 vulnerability from 1 module.
-
-Vulnerability #1: GO-2021-0113
- Due to improper index calculation, an incorrectly formatted
- language tag can cause Parse to panic via an out of bounds read.
- If Parse is used to process untrusted user inputs, this may be
- used as a vector for a denial of service attack.
- More info: https://pkg.go.dev/vuln/GO-2021-0113
- Module: golang.org/x/text
- Found in: golang.org/x/te...@v0.3.0
- Fixed in: golang.org/x/te...@v0.3.7
- Call stacks in your code:
- .../subdir.go:8:16: golang.org/vuln/subdir.Foo calls golang.org/x/text/language.Parse
diff --git a/cmd/govulncheck/testdata/usage.ct b/cmd/govulncheck/testdata/usage.ct
index 60e284b..c4b02fa 100644
--- a/cmd/govulncheck/testdata/usage.ct
+++ b/cmd/govulncheck/testdata/usage.ct
@@ -1,3 +1,5 @@
+#####
+# Test of govulncheck help output
$ govulncheck -h
Govulncheck reports known vulnerabilities in dependencies.

@@ -23,7 +25,7 @@

For details, see https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck.

-
+#####
# Same output as -h, but failure.
$ govulncheck --> FAIL 2
Govulncheck reports known vulnerabilities in dependencies.
diff --git a/cmd/govulncheck/testdata/usage_fail.ct b/cmd/govulncheck/testdata/usage_fail.ct
new file mode 100644
index 0000000..1143157
--- /dev/null
+++ b/cmd/govulncheck/testdata/usage_fail.ct
@@ -0,0 +1,9 @@
+#####
+# Test of invalid input to -mode
+$ govulncheck -mode=invalid ./... --> FAIL 2
+"invalid" is not a valid mode
+
+#####
+# Test of trying to run -json with -v flag
+$ govulncheck -C ${moddir}/vuln -show=traces -json . --> FAIL 2
+the -show flag is not supported for JSON output
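Review bot: the comment `+# Test of trying to run -json with -v flag` does not match the command, which passes `-show=traces`, nor the expected error `the -show flag is not supported for JSON output`. Suggest `# Test of trying to run -json with -show flag`.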

To view, visit change 495860. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-MessageType: newchange
Gerrit-Project: vuln
Gerrit-Branch: master
Gerrit-Change-Id: Ib5da6c2c8a5b515d0c5e21ab494bde3281286bc7
Gerrit-Change-Number: 495860
Gerrit-PatchSet: 1
Gerrit-Owner: Ian Cottrell <ianco...@google.com>
Gerrit-Reviewer: Ian Cottrell <ianco...@google.com>
Gerrit-Reviewer: Julie Qiu <ju...@golang.org>
Gerrit-Attention: Julie Qiu <ju...@golang.org>

Julie Qiu (Gerrit)

May 18, 2023, 9:57:49 AM5/18/23
to Ian Cottrell, goph...@pubsubhelper.golang.org, Gopher Robot, Julie Qiu, golang-co...@googlegroups.com

Attention is currently required from: Ian Cottrell, Julie Qiu.


2 comments:

  • Commit Message:

  • File cmd/govulncheck/testdata/binary_fail.ct:


Gerrit-MessageType: comment
Gerrit-Project: vuln
Gerrit-Branch: master
Gerrit-Change-Id: Ib5da6c2c8a5b515d0c5e21ab494bde3281286bc7
Gerrit-Change-Number: 495860
Gerrit-PatchSet: 1
Gerrit-Owner: Ian Cottrell <ianco...@google.com>
Gerrit-Reviewer: Gopher Robot <go...@golang.org>
Gerrit-Reviewer: Ian Cottrell <ianco...@google.com>
Gerrit-Reviewer: Julie Qiu <ju...@golang.org>
Gerrit-CC: Julie Qiu <juli...@google.com>
Gerrit-Attention: Ian Cottrell <ianco...@google.com>
Gerrit-Attention: Julie Qiu <ju...@golang.org>
Gerrit-Comment-Date: Thu, 18 May 2023 13:57:46 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No

Ian Cottrell (Gerrit)

May 18, 2023, 12:47:21 PM5/18/23
to goph...@pubsubhelper.golang.org, Julie Qiu, Gopher Robot, Julie Qiu, golang-co...@googlegroups.com

Attention is currently required from: Julie Qiu, Julie Qiu.


2 comments:

  • Commit Message:

    • There were too many test files; it was very hard to test, or to see if something was being tested.
      I particularly wanted all the error conditions in a single file, as I was trying to verify that we were checking them all, but having the text variants in a single file helps look at the differences.

  • File cmd/govulncheck/testdata/binary_fail.ct:

    • I added it to all the test comments to make it easy to see the boundary between tests


Gerrit-MessageType: comment
Gerrit-Project: vuln
Gerrit-Branch: master
Gerrit-Change-Id: Ib5da6c2c8a5b515d0c5e21ab494bde3281286bc7
Gerrit-Change-Number: 495860
Gerrit-PatchSet: 1
Gerrit-Owner: Ian Cottrell <ianco...@google.com>
Gerrit-Reviewer: Gopher Robot <go...@golang.org>
Gerrit-Reviewer: Ian Cottrell <ianco...@google.com>
Gerrit-Reviewer: Julie Qiu <ju...@golang.org>
Gerrit-CC: Julie Qiu <juli...@google.com>
Gerrit-Attention: Julie Qiu <juli...@google.com>
Gerrit-Attention: Julie Qiu <ju...@golang.org>
Gerrit-Comment-Date: Thu, 18 May 2023 16:47:18 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Julie Qiu <juli...@google.com>

Julie Qiu (Gerrit)

May 19, 2023, 12:33:34 AM5/19/23
to Ian Cottrell, goph...@pubsubhelper.golang.org, Gopher Robot, Julie Qiu, golang-co...@googlegroups.com

Attention is currently required from: Ian Cottrell, Julie Qiu.

Patch set 1: Code-Review +2


2 comments:

  • Commit Message:

    • There were too many test files; it was very hard to test, or to see if something was being tested. […]

      Acknowledged

  • File cmd/govulncheck/testdata/binary_fail.ct:

    • I added it to all the test comments to make it easy to see the boundary between tests

      Acknowledged


Gerrit-MessageType: comment
Gerrit-Project: vuln
Gerrit-Branch: master
Gerrit-Change-Id: Ib5da6c2c8a5b515d0c5e21ab494bde3281286bc7
Gerrit-Change-Number: 495860
Gerrit-PatchSet: 1
Gerrit-Owner: Ian Cottrell <ianco...@google.com>
Gerrit-Reviewer: Gopher Robot <go...@golang.org>
Gerrit-Reviewer: Ian Cottrell <ianco...@google.com>
Gerrit-Reviewer: Julie Qiu <ju...@golang.org>
Gerrit-Reviewer: Julie Qiu <juli...@google.com>
Gerrit-Attention: Ian Cottrell <ianco...@google.com>
Gerrit-Attention: Julie Qiu <ju...@golang.org>
Gerrit-Comment-Date: Fri, 19 May 2023 04:33:31 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Comment-In-Reply-To: Julie Qiu <juli...@google.com>
Comment-In-Reply-To: Ian Cottrell <ianco...@google.com>

Gopher Robot (Gerrit)

May 19, 2023, 12:33:50 AM5/19/23
to Ian Cottrell, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Julie Qiu, Julie Qiu, golang-co...@googlegroups.com

Gopher Robot submitted this change.


Approvals:

  • Ian Cottrell: Run TryBots; Automatically submit change
  • Julie Qiu: Looks good to me, approved
  • Gopher Robot: TryBots succeeded

cmd/govulncheck: cleanup test layout

Change-Id: Ib5da6c2c8a5b515d0c5e21ab494bde3281286bc7
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/495860
Auto-Submit: Ian Cottrell <ianco...@google.com>
Run-TryBot: Ian Cottrell <ianco...@google.com>
TryBot-Result: Gopher Robot <go...@golang.org>
Reviewed-by: Julie Qiu <juli...@google.com>


Gerrit-MessageType: merged
Gerrit-Project: vuln
Gerrit-Branch: master
Gerrit-Change-Id: Ib5da6c2c8a5b515d0c5e21ab494bde3281286bc7
Gerrit-Change-Number: 495860
Gerrit-PatchSet: 2