updates golang/go#62486 Change-Id: Ib1cd9281cf33fb84a8a3c0f3e7523cfb8d93e677 Reviewed-on: https://go-review.googlesource.com/c/vuln/+/575858 Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Maceo Thompson
committed
Jun 3, 2024
1 parent
b6af818
commit ad5a6f8
Showing
7 changed files
with
206 additions
and
7 deletions.
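--- a/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vex.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vex.ct
@@ -0,0 +1,11 @@
+#####
+# Test basic binary scanning with vex output
+$ govulncheck -format openvex -mode binary ${common_vuln_binary}
+{
+"@context": "https://openvex.dev/ns/v0.2.0",
+"@id": "govulncheckVEX",
+"author": "Unknown Author",
+"timestamp": "2024-01-01T00:00:00",
+"version": 1,
+"tooling": "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck"
+}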
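--- a/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_vex.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_vex.ct
@@ -0,0 +1,11 @@
+#####
+# Test vex json output
+$ govulncheck -C ${moddir}/vuln -format openvex ./...
+{
+"@context": "https://openvex.dev/ns/v0.2.0",
+"@id": "govulncheckVEX",
+"author": "Unknown Author",
+"timestamp": "2024-01-01T00:00:00",
+"version": 1,
+"tooling": "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck"
+}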
@@ -0,0 +1,98 @@ | ||
// Copyright 2024 The Go Authors. All rights reserved. | ||
// Use of this source code is governed by a BSD-style | ||
// license that can be found in the LICENSE file. | ||
|
||
package openvex | ||
|
||
import ( | ||
"encoding/json" | ||
"io" | ||
"time" | ||
|
||
"golang.org/x/vuln/internal/govulncheck" | ||
"golang.org/x/vuln/internal/osv" | ||
) | ||
|
||
type findingLevel int | ||
|
||
const ( | ||
invalid findingLevel = iota | ||
required | ||
imported | ||
called | ||
) | ||
|
||
type handler struct { | ||
w io.Writer | ||
cfg *govulncheck.Config | ||
osvs map[string]*osv.Entry | ||
levels map[string]findingLevel | ||
} | ||
|
||
func NewHandler(w io.Writer) *handler { | ||
return &handler{ | ||
w: w, | ||
osvs: make(map[string]*osv.Entry), | ||
levels: make(map[string]findingLevel), | ||
} | ||
} | ||
|
||
func (h *handler) Config(cfg *govulncheck.Config) error { | ||
h.cfg = cfg | ||
return nil | ||
} | ||
|
||
func (h *handler) Progress(progress *govulncheck.Progress) error { | ||
return nil | ||
} | ||
|
||
func (h *handler) OSV(e *osv.Entry) error { | ||
h.osvs[e.ID] = e | ||
return nil | ||
} | ||
|
||
// foundAtLevel returns the level at which a specific finding is present in the | ||
// scanned product. | ||
func foundAtLevel(f *govulncheck.Finding) findingLevel { | ||
frame := f.Trace[0] | ||
if frame.Function != "" { | ||
return called | ||
} | ||
if frame.Package != "" { | ||
return imported | ||
} | ||
return required | ||
} | ||
|
||
func (h *handler) Finding(f *govulncheck.Finding) error { | ||
fLevel := foundAtLevel(f) | ||
if fLevel > h.levels[f.OSV] { | ||
h.levels[f.OSV] = fLevel | ||
} | ||
return nil | ||
} | ||
|
||
// Flush is used to print the vex json to w. | ||
// This is needed as vex is not streamed. | ||
func (h *handler) Flush() error { | ||
doc := toVex() | ||
out, err := json.MarshalIndent(doc, "", " ") | ||
if err != nil { | ||
return err | ||
} | ||
_, err = h.w.Write(out) | ||
return err | ||
} | ||
|
||
func toVex() Document { | ||
doc := Document{ | ||
ID: "govulncheckVEX", // TODO: create hash from document for ID | ||
Context: ContextURI, | ||
Author: DefaultAuthor, | ||
Timestamp: time.Now().UTC(), | ||
Version: 1, | ||
Tooling: Tooling, | ||
//TODO: Add statements | ||
} | ||
return doc | ||
} |
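Review bot: foundAtLevel indexes f.Trace[0] with no length check, so a Finding whose Trace is empty panics inside the handler instead of surfacing through Finding's error return; adding `if len(f.Trace) == 0 { return invalid }` before the index keeps the error-returning contract intact. If the govulncheck.Finding contract already guarantees at least one frame, a sentence in foundAtLevel's doc comment recording that assumption would be enough instead of the guard. Separately, NewHandler and the exported methods Config, Progress, OSV and Finding have no doc comments; a one-line `// NewHandler returns a handler that collects findings and writes them as an OpenVEX document to w on Flush.` plus, assuming handler is meant to satisfy govulncheck.Handler, `var _ govulncheck.Handler = (*handler)(nil)` would state the intended contract and let the compiler verify it.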
@@ -0,0 +1,70 @@ | ||
// Copyright 2024 The Go Authors. All rights reserved. | ||
// Use of this source code is governed by a BSD-style | ||
// license that can be found in the LICENSE file. | ||
|
||
package openvex | ||
|
||
import ( | ||
"testing" | ||
|
||
"golang.org/x/vuln/internal/govulncheck" | ||
) | ||
|
||
func TestFinding(t *testing.T) { | ||
const id1 = "ID1" | ||
tests := []struct { | ||
name string | ||
id string | ||
findings []*govulncheck.Finding | ||
want findingLevel | ||
}{ | ||
{ | ||
name: "multiple", | ||
id: id1, | ||
findings: []*govulncheck.Finding{ | ||
{ | ||
OSV: id1, | ||
Trace: []*govulncheck.Frame{ | ||
{ | ||
Module: "mod", | ||
Package: "pkg", | ||
}, | ||
}, | ||
}, | ||
{ | ||
OSV: id1, | ||
Trace: []*govulncheck.Frame{ | ||
{ | ||
Module: "mod", | ||
Package: "pkg", | ||
Function: "func", | ||
}, | ||
}, | ||
}, | ||
{ | ||
OSV: id1, | ||
Trace: []*govulncheck.Frame{ | ||
{ | ||
Module: "mod", | ||
}, | ||
}, | ||
}, | ||
}, | ||
want: called, | ||
}, | ||
} | ||
for _, tt := range tests { | ||
t.Run(tt.name, func(t *testing.T) { | ||
h := NewHandler(nil) | ||
for _, f := range tt.findings { | ||
if err := h.Finding(f); err != nil { | ||
t.Errorf("handler.Finding() error = %v", err) | ||
} | ||
} | ||
got := h.levels[tt.id] | ||
if got != tt.want { | ||
t.Errorf("want %v; got %v", tt.want, got) | ||
} | ||
}) | ||
} | ||
} |
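Review bot: The table in TestFinding has a single "multiple" entry, so the `imported` and `required` results of foundAtLevel are never asserted on their own and only pass through as intermediate states before the final `called`; two more entries with a single Package-only frame (`want: imported`) and a single Module-only frame (`want: required`) would pin each level individually. The existing sequence does confirm that a lower-level finding arriving after `called` does not downgrade the stored level, which is worth naming in the case's name or a comment so the intent survives future edits. An empty-Trace case should only be added once Finding is defined to accept one, since foundAtLevel currently indexes Trace[0] unconditionally.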