x/tools/gopls, x/vuln: tests failing when upgrading x/vuln@v1.0.1->v1.0.4 #65942
Change https://go.dev/cl/567155 mentions this issue:
It looks like govulncheck changed the json output to include module-level vulnerability reports.

v1.0.1

```json
{ "config": { "protocol_version": "v1.0.0", "scanner_name": "govulncheck", "scanner_version": "v1.0.1", "db": "file:///var/folders/5p/zn7ykc111kn3lm09h_47mz2w001py5/T/vulndb-test1522237982/ID", "db_last_modified": "2024-02-26T13:31:05.912147-05:00", "go_version": "go1.22.0", "scan_level": "symbol" } }
{ "progress": { "message": "Scanning your code and 3 packages across 3 dependent modules for known vulnerabilities..." } }
{ "osv": { "id": "GO-2022-01", "modified": "2024-02-26T13:31:05.912147-05:00", "published": "0001-01-01T00:00:00Z", "summary": "vuln in amod", "details": "vuln in amod is found\n", "affected": [ { "package": { "name": "golang.org/amod", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.0.0" }, { "fixed": "1.0.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/amod/avuln", "symbols": [ "VulnData.Vuln1", "VulnData.Vuln2" ] } ] } } ], "references": [ { "type": "HREF", "url": "pkg.go.dev/vuln/GO-2022-01" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-01" } } }
{ "finding": { "osv": "GO-2022-01", "fixed_version": "v1.0.4", "trace": [ { "module": "golang.org/amod", "version": "v1.0.0", "package": "golang.org/amod/avuln", "function": "Vuln1", "receiver": "VulnData" }, { "module": "golang.org/entry", "package": "golang.org/entry/x", "function": "X", "position": { "filename": "/var/folders/5p/zn7ykc111kn3lm09h_47mz2w001py5/T/gopls-test-289628643/TestRunVulncheckWarning/default/work/x/x.go", "offset": 95, "line": 9, "column": 14 } } ] } }
{ "finding": { "osv": "GO-2022-01", "fixed_version": "v1.0.4", "trace": [ { "module": "golang.org/amod", "version": "v1.0.0", "package": "golang.org/amod/avuln", "function": "Vuln2", "receiver": "VulnData" }, { "module": "golang.org/cmod", "version": "v1.1.3", "package": "golang.org/cmod/c", "function": "C1", "position": { "filename": "/Users/hakim/go/pkg/mod/golang.org/cmod@v1.1.3/c/c.go", "offset": 149, "line": 14, "column": 9 } }, { "module": "golang.org/entry", "package": "golang.org/entry/x", "function": "X", "position": { "filename": "/var/folders/5p/zn7ykc111kn3lm09h_47mz2w001py5/T/gopls-test-289628643/TestRunVulncheckWarning/default/work/x/x.go", "offset": 87, "line": 9, "column": 6 } } ] } }
{ "osv": { "id": "GO-2022-02", "modified": "2024-02-26T13:31:05.912147-05:00", "published": "0001-01-01T00:00:00Z", "summary": "vuln in bmod (no fix)", "details": "vuln in bmod is found.\n\nThis is a long description\nof this vulnerability.\n", "affected": [ { "package": { "name": "golang.org/bmod", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/bmod/bvuln", "symbols": [ "Vuln" ] } ] } } ], "references": [ { "type": "HREF", "url": "pkg.go.dev/vuln/GO-2022-03" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-02" } } }
{ "finding": { "osv": "GO-2022-02", "trace": [ { "module": "golang.org/bmod", "version": "v0.5.0", "package": "golang.org/bmod/bvuln", "function": "Vuln" }, { "module": "golang.org/entry", "package": "golang.org/entry/y", "function": "Y", "position": { "filename": "/var/folders/5p/zn7ykc111kn3lm09h_47mz2w001py5/T/gopls-test-289628643/TestRunVulncheckWarning/default/work/y/y.go", "offset": 57, "line": 6, "column": 8 } } ] } }
{ "osv": { "id": "GO-2022-03", "modified": "2024-02-26T13:31:05.912147-05:00", "published": "0001-01-01T00:00:00Z", "summary": "unaffecting vulnerability", "details": "unaffecting vulnerability is found\n", "affected": [ { "package": { "name": "golang.org/amod", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.0.0" }, { "fixed": "1.0.6" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/amod/avuln", "symbols": [ "nonExisting" ] } ] } } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-03" } } }
{ "finding": { "osv": "GO-2022-03", "fixed_version": "v1.0.6", "trace": [ { "module": "golang.org/amod", "version": "v1.0.0", "package": "golang.org/amod/avuln" } ] } }
```

v1.0.4

```json
{ "config": { "protocol_version": "v1.0.0", "scanner_name": "govulncheck", "scanner_version": "v1.0.1", "db": "file:///var/folders/5p/zn7ykc111kn3lm09h_47mz2w001py5/T/vulndb-test1522237982/ID", "db_last_modified": "2024-02-26T13:31:05.912147-05:00", "go_version": "go1.22.0", "scan_level": "symbol" } }
{ "progress": { "message": "Scanning your code and 3 packages across 3 dependent modules for known vulnerabilities..." } }
{ "osv": { "id": "GO-2022-01", "modified": "2024-02-26T13:31:05.912147-05:00", "published": "0001-01-01T00:00:00Z", "summary": "vuln in amod", "details": "vuln in amod is found\n", "affected": [ { "package": { "name": "golang.org/amod", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.0.0" }, { "fixed": "1.0.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/amod/avuln", "symbols": [ "VulnData.Vuln1", "VulnData.Vuln2" ] } ] } } ], "references": [ { "type": "HREF", "url": "pkg.go.dev/vuln/GO-2022-01" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-01" } } }
{ "finding": { "osv": "GO-2022-01", "fixed_version": "v1.0.4", "trace": [ { "module": "golang.org/amod", "version": "v1.0.0", "package": "golang.org/amod/avuln", "function": "Vuln1", "receiver": "VulnData" }, { "module": "golang.org/entry", "package": "golang.org/entry/x", "function": "X", "position": { "filename": "/var/folders/5p/zn7ykc111kn3lm09h_47mz2w001py5/T/gopls-test-289628643/TestRunVulncheckWarning/default/work/x/x.go", "offset": 95, "line": 9, "column": 14 } } ] } }
{ "finding": { "osv": "GO-2022-01", "fixed_version": "v1.0.4", "trace": [ { "module": "golang.org/amod", "version": "v1.0.0", "package": "golang.org/amod/avuln", "function": "Vuln2", "receiver": "VulnData" }, { "module": "golang.org/cmod", "version": "v1.1.3", "package": "golang.org/cmod/c", "function": "C1", "position": { "filename": "/Users/hakim/go/pkg/mod/golang.org/cmod@v1.1.3/c/c.go", "offset": 149, "line": 14, "column": 9 } }, { "module": "golang.org/entry", "package": "golang.org/entry/x", "function": "X", "position": { "filename": "/var/folders/5p/zn7ykc111kn3lm09h_47mz2w001py5/T/gopls-test-289628643/TestRunVulncheckWarning/default/work/x/x.go", "offset": 87, "line": 9, "column": 6 } } ] } }
{ "osv": { "id": "GO-2022-02", "modified": "2024-02-26T13:31:05.912147-05:00", "published": "0001-01-01T00:00:00Z", "summary": "vuln in bmod (no fix)", "details": "vuln in bmod is found.\n\nThis is a long description\nof this vulnerability.\n", "affected": [ { "package": { "name": "golang.org/bmod", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/bmod/bvuln", "symbols": [ "Vuln" ] } ] } } ], "references": [ { "type": "HREF", "url": "pkg.go.dev/vuln/GO-2022-03" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-02" } } }
{ "finding": { "osv": "GO-2022-02", "trace": [ { "module": "golang.org/bmod", "version": "v0.5.0", "package": "golang.org/bmod/bvuln", "function": "Vuln" }, { "module": "golang.org/entry", "package": "golang.org/entry/y", "function": "Y", "position": { "filename": "/var/folders/5p/zn7ykc111kn3lm09h_47mz2w001py5/T/gopls-test-289628643/TestRunVulncheckWarning/default/work/y/y.go", "offset": 57, "line": 6, "column": 8 } } ] } }
{ "osv": { "id": "GO-2022-03", "modified": "2024-02-26T13:31:05.912147-05:00", "published": "0001-01-01T00:00:00Z", "summary": "unaffecting vulnerability", "details": "unaffecting vulnerability is found\n", "affected": [ { "package": { "name": "golang.org/amod", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.0.0" }, { "fixed": "1.0.6" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/amod/avuln", "symbols": [ "nonExisting" ] } ] } } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-03" } } }
{ "finding": { "osv": "GO-2022-03", "fixed_version": "v1.0.6", "trace": [ { "module": "golang.org/amod", "version": "v1.0.0", "package": "golang.org/amod/avuln" } ] } }
```
In https://go-review.googlesource.com/c/tools/+/566956/1, upgrading the x/vuln dependency from 1.0.1->1.0.4 caused test failures. This needs to be investigated to see if there is an x/vuln bug, or (more likely) an overly assertive gopls test.
CC @hyangah
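
If, as the comment above suggests, newer govulncheck output also carries module-level reports, a consumer of the JSON stream can classify each finding by how much of its first trace frame is filled in rather than assuming every finding is symbol-level. The Go example below is added here and is not code from gopls or x/vuln; `Levels`, `message`, `rank` and `sample` are hypothetical names, and the sample stream is constructed from the findings quoted above plus module-only frames assumed to represent module-level reports.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// message keeps only the finding fields used here; config, progress and osv messages leave Finding nil.
type message struct {
	Finding *struct {
		OSV   string                               `json:"osv"`
		Trace []struct{ Package, Function string } `json:"trace"`
	} `json:"finding"`
}
var rank = map[string]int{"module": 1, "package": 2, "symbol": 3}

// Levels returns, per OSV ID, the most precise level seen, judged by the first trace frame.
func Levels(r io.Reader) (map[string]string, error) {
	best := map[string]string{}
	for dec := json.NewDecoder(r); ; {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			return best, nil
		} else if err != nil {
			return nil, err // truncated or malformed stream
		}
		if m.Finding == nil || len(m.Finding.Trace) == 0 {
			continue
		}
		lv := "module" // assumption: a first frame with no package is module-level
		if f := m.Finding.Trace[0]; f.Function != "" {
			lv = "symbol"
		} else if f.Package != "" {
			lv = "package"
		}
		if rank[lv] > rank[best[m.Finding.OSV]] {
			best[m.Finding.OSV] = lv
		}
	}
}

// sample is constructed: trimmed findings from the quoted output plus assumed module-only frames.
const sample = `{"config":{"scanner_name":"govulncheck","scan_level":"symbol"}}
{"finding":{"osv":"GO-2022-01","trace":[{"module":"golang.org/amod","version":"v1.0.0"}]}}
{"finding":{"osv":"GO-2022-01","trace":[{"module":"golang.org/amod","package":"golang.org/amod/avuln","function":"Vuln1"}]}}
{"finding":{"osv":"GO-2022-03","trace":[{"module":"golang.org/amod","package":"golang.org/amod/avuln"}]}}
{"finding":{"osv":"GO-2022-02","trace":[{"module":"golang.org/bmod","version":"v0.5.0"}]}}`
func main() { fmt.Println(Levels(strings.NewReader(sample))) }
```

A test or CI gate that only cares about reachable code can assert on the `symbol` entries and ignore lower levels, so extra findings at other levels do not break it.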