internal/openvex: omit vulns with no findings

This change modifies govulncheck's VEX output to no longer include vulnerabilities that are not imported at a vulnerable version. This matches the text output of govulncheck, and is in line with most other vulnerability scanners. updates golang/go#68338 Change-Id: If7041fd4624d023f623db8daf35a2e76f41d1d29 Reviewed-on: https://go-review.googlesource.com/c/vuln/+/597396 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Mauri de Souza Meneguzzo <mauri870@gmail.com> Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
golang · Jul 9, 2024 · 0f7005f · 0f7005f
1 parent f94421b
commit 0f7005f
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 40 deletions.
diff --git a/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vex.ct b/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vex.ct
@@ -3,7 +3,7 @@
 $ govulncheck -format openvex -mode binary ${common_vuln_binary}
 {
  "@context": "https://openvex.dev/ns/v0.2.0",
- "@id": "govulncheck/vex:b2e8274f24820051d79285827c4fe6e1912c99143a4693804b9a5c366ec5fb8d",
+ "@id": "govulncheck/vex:12f16e1541f93ab0d46d78966849d71bc20932795108f69d0df5a415a2c3a5e6",
  "author": "Unknown Author",
  "timestamp": "2024-01-01T00:00:00",
  "version": 1,
@@ -45,25 +45,6 @@ $ govulncheck -format openvex -mode binary ${common_vuln_binary}
  ],
  "status": "affected"
  },
- {
- "vulnerability": {
- "@id": "https://pkg.go.dev/vuln/GO-2021-0059",
- "name": "GO-2021-0059",
- "description": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
- "aliases": [
- "CVE-2020-35380",
- "GHSA-w942-gw6m-p62c"
- ]
- },
- "products": [
- {
- "@id": "Unknown Product"
- }
- ],
- "status": "not_affected",
- "justification": "vulnerable_code_not_present",
- "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
- },
  {
  "vulnerability": {
  "@id": "https://pkg.go.dev/vuln/GO-2021-0113",

diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_vex.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_vex.ct
@@ -3,7 +3,7 @@
 $ govulncheck -C ${moddir}/vuln -format openvex ./...
 {
  "@context": "https://openvex.dev/ns/v0.2.0",
- "@id": "govulncheck/vex:b2e8274f24820051d79285827c4fe6e1912c99143a4693804b9a5c366ec5fb8d",
+ "@id": "govulncheck/vex:12f16e1541f93ab0d46d78966849d71bc20932795108f69d0df5a415a2c3a5e6",
  "author": "Unknown Author",
  "timestamp": "2024-01-01T00:00:00",
  "version": 1,
@@ -45,25 +45,6 @@ $ govulncheck -C ${moddir}/vuln -format openvex ./...
  ],
  "status": "affected"
  },
- {
- "vulnerability": {
- "@id": "https://pkg.go.dev/vuln/GO-2021-0059",
- "name": "GO-2021-0059",
- "description": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
- "aliases": [
- "CVE-2020-35380",
- "GHSA-w942-gw6m-p62c"
- ]
- },
- "products": [
- {
- "@id": "Unknown Product"
- }
- ],
- "status": "not_affected",
- "justification": "vulnerable_code_not_present",
- "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
- },
  {
  "vulnerability": {
  "@id": "https://pkg.go.dev/vuln/GO-2021-0113",

diff --git a/internal/openvex/handler.go b/internal/openvex/handler.go
@@ -118,6 +118,9 @@ func statements(h *handler) []Statement {
 
  var statements []Statement
  for id, osv := range h.osvs {
+ if _, found := h.levels[id]; !found {
+ continue
+ }
  description := osv.Summary
  if description == "" {
  description = osv.Details