cmd/govulncheck: update unit tests
Previously, unit tests using the "vuln" module did not have a
vulnerability that was imported but not called (a "package-level"
vulnerability). This change modifies main.go in the vuln module to
directly call a vulnerable function instead of using a function that
eventually was affected by multiple vulns.

Change-Id: Ic77a9c8efe3fd6dd2a2e76c230b3c4f67421e2fc
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/599476
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
Maceo Thompson committed Jul 22, 2024
1 parent 03865b6 commit 8579d86
Showing 12 changed files with 99 additions and 299 deletions.
7 changes: 4 additions & 3 deletions cmd/govulncheck/testdata/common/modules/vuln/go.mod
Expand Up @@ -3,10 +3,11 @@ module golang.org/vuln
go 1.18

require (
// This version has one vulnerability that is imported, and
// one that is called.
// This version has two vulnerabilities that are called:
// one directly and one indirectly.
github.com/tidwall/gjson v1.6.5
// This version has a vulnerability that is called.
// This version has a vulnerability that is called and one
// vulnerability that is imported but not called.
golang.org/x/text v0.3.0
)

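Review bot: the new comment on golang.org/x/text says this version has "a vulnerability that is called", but the updated text expectation in this same change reports "Your code is affected by 2 vulnerabilities from 1 module" and lists only gjson symbols (GO-2021-0265 and GO-2021-0054), with GO-2021-0113 moved to the imported-but-not-called count. Either a called x/text symbol is reported somewhere outside the visible hunks or the comment overstates; confirm which, and if GO-2021-0113 is the only x/text finding left, reword the comment to "one vulnerability that is imported but not called" so the fixture documents what the expected output actually shows.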
4 changes: 2 additions & 2 deletions cmd/govulncheck/testdata/common/modules/vuln/subdir/subdir.go
@@ -1,9 +1,9 @@
package subdir

import (
"golang.org/x/text/language"
"github.com/tidwall/gjson"
)

func Foo() {
language.Parse("")
gjson.Result{}.Get("")
}
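Review bot: subdir.Foo swaps its single import and call between language.Parse and gjson.Result.Get without saying which finding it is meant to exercise; now that go.mod documents the role of each dependency, a one-line comment in Foo naming the intended vulnerability (and whether it should count as called or imported-only) would keep this fixture self-describing and make the renumbering in the expected outputs easier to review.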
2 changes: 1 addition & 1 deletion cmd/govulncheck/testdata/common/modules/vuln/vuln.go
Expand Up @@ -10,7 +10,7 @@ import (

func main() {
fmt.Println("hello")
language.Parse("")
language.CompactIndex(language.English)
gjson.Result{}.Get("")
_, _ = pem.Decode([]byte("test"))
}
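Review bot: the commit message says the change "modifies main.go in the vuln module", but the file edited here is cmd/govulncheck/testdata/common/modules/vuln/vuln.go (the module's main package), and subdir/subdir.go changes as well; update the message to name vuln.go and mention subdir.go so the description matches the diff. It would also help to state that language.CompactIndex(language.English) replaces language.Parse("") specifically so that the x/text package stays imported while the Parse symbol is no longer reachable, since that is what drives every expected-output change below.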
Expand Up @@ -244,20 +244,6 @@ $ govulncheck -format json -mode binary ${common_vuln_binary}
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0",
"package": "golang.org/x/text/language",
"function": "Parse"
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
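Review bot: this hunk deletes the GO-2021-0113 finding together with its Parse trace outright rather than replacing it with a package-level finding; since the sarif and text expectations in the same change now report GO-2021-0113 as imported but not called, confirm that a finding for it with a trace entry carrying module, version and package but no function is still present elsewhere in this file (it is outside the visible context). Otherwise the json output would silently drop a vulnerability that the other formats still report.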
Expand Up @@ -14,19 +14,7 @@ Vulnerability #1: GO-2021-0265
#1: gjson.Get
#2: gjson.Result.Get

Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Vulnerable symbols found:
#1: language.Parse

Vulnerability #3: GO-2021-0054
Vulnerability #2: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
Expand All @@ -37,8 +25,8 @@ Vulnerability #3: GO-2021-0054
Vulnerable symbols found:
#1: gjson.Result.ForEach

Your code is affected by 3 vulnerabilities from 2 modules.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
Your code is affected by 2 vulnerabilities from 1 module.
This scan also found 1 vulnerability in packages you import and 1 vulnerability
in modules you require, but your code doesn't appear to call these
vulnerabilities.
Use '-show verbose' for more details.
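Review bot: the summary now reads "1 vulnerability in packages you import and 1 vulnerability in modules you require"; removing the GO-2021-0113 entry from the called list in the first hunk of this file accounts for the imported count going from 0 to 1, but the module-level count stays at 1 and nothing in this diff identifies that vulnerability. Consider naming it in the go.mod comments, which now document the other findings, so the fixture fully explains its expected output.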
Expand Up @@ -165,56 +165,10 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary}
},
{
"ruleId": "GO-2021-0113",
"level": "error",
"level": "warning",
"message": {
"text": "Your code calls vulnerable functions in 1 package (golang.org/x/text/language)."
},
"codeFlows": [
{
"threadFlows": [
{
"locations": [
{
"module": "golang.org/x/text@v0.3.0",
"location": {
"physicalLocation": {
"artifactLocation": {},
"region": {}
},
"message": {
"text": "golang.org/x/text/language.Parse"
}
}
}
]
}
],
"message": {
"text": "A summarized code flow for vulnerable function golang.org/x/text/language.Parse"
}
}
],
"stacks": [
{
"message": {
"text": "A call stack for vulnerable function golang.org/x/text/language.Parse"
},
"frames": [
{
"module": "golang.org/x/text@v0.3.0",
"location": {
"physicalLocation": {
"artifactLocation": {},
"region": {}
},
"message": {
"text": "golang.org/x/text/language.Parse"
}
}
}
]
}
]
"text": "Your code imports 1 vulnerable package (golang.org/x/text/language), but doesn’t appear to call any of the vulnerable symbols."
}
},
{
"ruleId": "GO-2021-0265",
Expand Up @@ -3,7 +3,7 @@
$ govulncheck -format openvex -mode binary ${common_vuln_binary}
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "govulncheck/vex:12f16e1541f93ab0d46d78966849d71bc20932795108f69d0df5a415a2c3a5e6",
"@id": "govulncheck/vex:b1a12e6f591b29f244e67c80a88d10539c220a04f6ca48d3fe7af2faf0189437",
"author": "Unknown Author",
"timestamp": "2024-01-01T00:00:00",
"version": 1,
Expand Down Expand Up @@ -60,7 +60,9 @@ $ govulncheck -format openvex -mode binary ${common_vuln_binary}
"@id": "Unknown Product"
}
],
"status": "affected"
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
Expand Up @@ -149,7 +149,7 @@ $ govulncheck -C ${moddir}/vuln -format json ./...
"function": "main",
"position": {
"filename": "vuln.go",
"offset": 183,
"offset": 204,
"line": 14,
"column": 20
}
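Review bot: the offset change 183 -> 204 for the main frame at vuln.go line 14, column 20 is consistent with the visible vuln.go hunk: replacing language.Parse("") with language.CompactIndex(language.English) on line 13 adds exactly 21 bytes before line 14, and line and column are unchanged as expected. The same frame is updated identically in the later hunk of this file, so no further edits are needed here.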
Expand Down Expand Up @@ -247,37 +247,6 @@ $ govulncheck -C ${moddir}/vuln -format json ./...
]
}
}
{
"finding": {
"osv": "GO-2021-0113",
"fixed_version": "v0.3.7",
"trace": [
{
"module": "golang.org/x/text",
"version": "v0.3.0",
"package": "golang.org/x/text/language",
"function": "Parse",
"position": {
"filename": "language/parse.go",
"offset": 5808,
"line": 228,
"column": 6
}
},
{
"module": "golang.org/vuln",
"package": "golang.org/vuln",
"function": "main",
"position": {
"filename": "vuln.go",
"offset": 159,
"line": 13,
"column": 16
}
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
Expand Down Expand Up @@ -439,7 +408,7 @@ $ govulncheck -C ${moddir}/vuln -format json ./...
"function": "main",
"position": {
"filename": "vuln.go",
"offset": 183,
"offset": 204,
"line": 14,
"column": 20
}
Expand Up @@ -354,9 +354,9 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
},
{
"ruleId": "GO-2021-0113",
"level": "error",
"level": "warning",
"message": {
"text": "Your code calls vulnerable functions in 1 package (golang.org/x/text/language)."
"text": "Your code imports 1 vulnerable package (golang.org/x/text/language), but doesn’t appear to call any of the vulnerable symbols."
},
"locations": [
{
Expand All @@ -373,100 +373,6 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
"text": "Findings for vulnerability GO-2021-0113"
}
}
],
"codeFlows": [
{
"threadFlows": [
{
"locations": [
{
"module": "golang.org/vuln@",
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "vuln.go",
"uriBaseId": "%SRCROOT%"
},
"region": {
"startLine": 13,
"startColumn": 16
}
},
"message": {
"text": "golang.org/vuln.main"
}
}
},
{
"module": "golang.org/x/text@v0.3.0",
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "golang.org/x/text@v0.3.0/language/parse.go",
"uriBaseId": "%GOMODCACHE%"
},
"region": {
"startLine": 228,
"startColumn": 6
}
},
"message": {
"text": "golang.org/x/text/language.Parse"
}
}
}
]
}
],
"message": {
"text": "A summarized code flow for vulnerable function golang.org/x/text/language.Parse"
}
}
],
"stacks": [
{
"message": {
"text": "A call stack for vulnerable function golang.org/x/text/language.Parse"
},
"frames": [
{
"module": "golang.org/vuln@",
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "vuln.go",
"uriBaseId": "%SRCROOT%"
},
"region": {
"startLine": 13,
"startColumn": 16
}
},
"message": {
"text": "golang.org/vuln.main"
}
}
},
{
"module": "golang.org/x/text@v0.3.0",
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "golang.org/x/text@v0.3.0/language/parse.go",
"uriBaseId": "%GOMODCACHE%"
},
"region": {
"startLine": 228,
"startColumn": 6
}
},
"message": {
"text": "golang.org/x/text/language.Parse"
}
}
}
]
}
]
},
{