diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 84b4239..a8dcfd4 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -23,7 +23,7 @@ RUN go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest RUN go install golang.org/x/tools/gopls@latest # Installing govulncheck -ARG VULNCHECK_VERSION="v0.1.0" +ARG VULNCHECK_VERSION="v1.0.0" RUN go install golang.org/x/vuln/cmd/govulncheck@$VULNCHECK_VERSION diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index ddb3c5f..39bb174 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -11,7 +11,7 @@ "VARIANT": "1.20-bullseye", // Options "NODE_VERSION": "none", - "VULNCHECK_VERSION": "v0.1.0" + "VULNCHECK_VERSION": "v1.0.0" } }, "runArgs": [ @@ -22,18 +22,19 @@ "customizations": { "vscode": { "settings": { - "go.gocodeAutoBuild": false, + "go.useLanguageServer": true, "files.autoSave": "afterDelay", "editor.formatOnPaste": true, "editor.formatOnSave": true, + "gopls": { + "ui.completion.usePlaceholders": true + }, "go.gopath": "/go", "go.goroot": "/usr/local/go", "go.toolsGopath": "/go/bin", - "go.buildOnSave": "workspace", "go.lintOnSave": "package", "go.vetOnSave": "package", "go.coverOnSave": false, - "go.useCodeSnippetsOnFunctionSuggest": false, "go.lintTool": "golangci-lint", "go.formatTool": "goimports", "[go]": { @@ -51,7 +52,6 @@ "extensions": [ "golang.Go", "streetsidesoftware.code-spell-checker", - "premparihar.gotestexplorer", "wayou.vscode-todo-highlight", "bierner.github-markdown-preview", "GitHub.vscode-github-actions" diff --git a/Dockerfile b/Dockerfile index b856aa2..937f013 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -ARG GOLANG_VERSION=1.19 +ARG GOLANG_VERSION=1.20 # This golang version is for the builder only FROM golang:1.20 as builder @@ -13,7 +13,7 @@ COPY . . RUN CGO_ENABLED=0 go build -ldflags="-w -s" -v -o action . # This golang version determines in which golang environment the customer code is checked FROM golang:$GOLANG_VERSION -ARG VULNCHECK_VERSION=v0.1.0 +ARG VULNCHECK_VERSION=v1.0.0 RUN go install golang.org/x/vuln/cmd/govulncheck@$VULNCHECK_VERSION # This allows private repositories hosted on Github diff --git a/action.yml b/action.yml index e06d95e..f066273 100644 --- a/action.yml +++ b/action.yml @@ -7,13 +7,13 @@ inputs: required: false default: "./..." go-version: - description: "Can be any Tag for the golang docker image, but should ideally match your runtime go version. By default 1.19 is assumed" + description: "Can be any Tag for the golang docker image, but should ideally match your runtime go version. By default 1.20.6 is assumed" required: false - default: "1.19" + default: "1.20.6" vulncheck-version: description: "Version of govulncheck that should be used, by default v0.0.0-20230331150530-a42f9910daf3" required: false - default: "v0.0.0-20230331150530-a42f9910daf3" + default: "v1.0.0" github-token: description: "Github App token to upload sarif report. Needs write permissions for security_events. By default it will use 'github.token' value" default: ${{ github.token }} diff --git a/go.mod b/go.mod index 342fccf..e158bf7 100644 --- a/go.mod +++ b/go.mod @@ -1,8 +1,6 @@ module github.com/Templum/govulncheck-action -go 1.19 - -require golang.org/x/vuln v0.0.0-20221111165027-50a0e29f49cc +go 1.20 require ( github.com/davecgh/go-spew v1.1.1 // indirect @@ -24,7 +22,6 @@ require ( github.com/owenrumney/go-sarif/v2 v2.2.0 github.com/rs/zerolog v1.29.1 github.com/stretchr/testify v1.8.4 - golang.org/x/mod v0.6.0 // indirect golang.org/x/oauth2 v0.10.0 golang.org/x/sys v0.10.0 // indirect ) diff --git a/go.sum b/go.sum index 87b8137..0e6d13d 100644 --- a/go.sum +++ b/go.sum @@ -50,8 +50,6 @@ github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uU golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA= golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= -golang.org/x/mod v0.6.0 h1:b9gGHsz9/HhJ3HF5DHQytPpuwocVTChQJK3AvoLRD5I= -golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50= @@ -67,8 +65,6 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/vuln v0.0.0-20221111165027-50a0e29f49cc h1:/LBdtEOGH9HDO8+sj6+oU/QnYUMwc8MyO6Jd8oYh+D4= -golang.org/x/vuln v0.0.0-20221111165027-50a0e29f49cc/go.mod h1:8nFLBv8KFyZ2VuczUYssYKh+fcBR3BuXDG/HIWcxlwM= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= diff --git a/hack/found.stream b/hack/found.stream index 5425763..824de7a 100644 --- a/hack/found.stream +++ b/hack/found.stream @@ -1,823 +1,2205 @@ { - "preamble": { - "go_version": "go1.19.6", - "tool_version": "govulncheck@v0.0.0", + "config": { + "protocol_version": "v1.0.0", + "scanner_name": "govulncheck", + "scanner_version": "v1.0.0", "db": "https://vuln.go.dev", - "db_last_modified": "2023-03-31T20:58:11Z", - "query_kind": "Source", - "callstack_mode": "Compact" - } -} -{ - "progress": "Scanning your code and 58 packages across 6 dependent modules for known vulnerabilities..." -} -{ - "vulnerability": { - "osv": { - "id": "GO-2022-1059", - "published": "2022-10-11T18:16:24Z", - "modified": "2022-11-21T19:50:45Z", - "aliases": [ - "CVE-2022-32149", - "GHSA-69ch-w2m2-3vjp" - ], - "details": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", - "affected": [ - { - "package": { - "name": "golang.org/x/text", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0.3.8" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2022-1059" - }, - "ecosystem_specific": { - "imports": [ + "db_last_modified": "2023-07-13T22:19:53Z", + "go_version": "go1.20.1", + "scan_level": "symbol" + } +} +{ + "progress": { + "message": "Scanning your code and 59 packages across 6 dependent modules for known vulnerabilities..." + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-1840", + "modified": "2023-06-12T18:45:41Z", + "published": "2023-06-08T20:16:06Z", + "aliases": [ + "CVE-2023-29403" + ], + "summary": "Unsafe behavior in setuid/setgid binaries in runtime", + "details": "On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors.\n\nIf a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ { - "path": "golang.org/x/text/language", - "symbols": [ - "MatchStrings", - "ParseAcceptLanguage" - ] + "introduced": "0" + }, + { + "fixed": "1.19.10" + }, + { + "introduced": "1.20.0-0" + }, + { + "fixed": "1.20.5" } ] } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "runtime" + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/60272" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/501223" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ" + } + ], + "credits": [ + { + "name": "Vincent Dehors from Synacktiv" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1840" + } + } +} +{ + "finding": { + "osv": "GO-2023-1840", + "fixed_version": "v1.20.5", + "trace": [ + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "Callers" + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "reflect", + "function": "valueMethodName", + "position": { + "filename": "/usr/local/go/src/reflect/value.go", + "offset": 5440, + "line": 178, + "column": 22 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "reflect", + "function": "mustBe", + "receiver": "flag", + "position": { + "filename": "/usr/local/go/src/reflect/value.go", + "offset": 6841, + "line": 223, + "column": 36 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "reflect", + "function": "SetBool", + "receiver": "Value", + "position": { + "filename": "/usr/local/go/src/reflect/value.go", + "offset": 69944, + "line": 2252, + "column": 10 + } + }, + { + "module": "gopkg.in/yaml.v2", + "version": "v2.2.0", + "package": "gopkg.in/yaml.v2", + "function": "scalar", + "receiver": "*decoder", + "position": { + "filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", + "offset": 12056, + "line": 500, + "column": 15 + } + }, + { + "module": "gopkg.in/yaml.v2", + "version": "v2.2.0", + "package": "gopkg.in/yaml.v2", + "function": "unmarshal", + "receiver": "*decoder", + "position": { + "filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", + "offset": 7697, + "line": 330, + "column": 18 + } + }, + { + "module": "gopkg.in/yaml.v2", + "version": "v2.2.0", + "package": "gopkg.in/yaml.v2", + "function": "unmarshal", + "position": { + "filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/yaml.go", + "offset": 4635, + "line": 148, + "column": 14 + } + }, + { + "module": "gopkg.in/yaml.v2", + "version": "v2.2.0", + "package": "gopkg.in/yaml.v2", + "function": "Unmarshal", + "position": { + "filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/yaml.go", + "offset": 2826, + "line": 81, + "column": 18 + } + }, + { + "module": "github.com/Templum/playground", + "package": "github.com/Templum/playground/pkg/yaml", + "function": "Testcase", + "position": { + "filename": "/workspaces/playground/pkg/yaml/testcase.go", + "offset": 348, + "line": 28, + "column": 20 } - ], - "references": [ - { - "type": "REPORT", - "url": "https://go.dev/issue/56152" - }, - { - "type": "FIX", - "url": "https://go.dev/cl/442235" - }, - { - "type": "WEB", - "url": "https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ" - } - ], - "credits": [ - { - "name": "Adam Korczynski (ADA Logics) and OSS-Fuzz" - } - ], - "schema_version": "1.3.1" - }, - "modules": [ - { - "path": "golang.org/x/text", - "found_version": "v0.3.6", - "fixed_version": "v0.3.8", - "packages": [ - { - "path": "golang.org/x/text/language" - } - ] } ] } } { - "vulnerability": { - "osv": { - "id": "GO-2022-0957", - "published": "2022-08-25T06:28:20Z", - "modified": "2022-11-21T19:50:45Z", - "aliases": [ - "CVE-2020-36066", - "GHSA-wjm3-fq3r-5x46" - ], - "details": "A maliciously crafted JSON input can cause a denial of service attack.", - "affected": [ - { - "package": { - "name": "github.com/tidwall/gjson", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.6.5" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2022-0957" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "github.com/tidwall/gjson", - "symbols": [ - "Get", - "GetBytes", - "GetMany", - "GetManyBytes", - "Result.Get", - "parseObject", - "queryMatches" - ] - } - ] - } + "finding": { + "osv": "GO-2023-1840", + "fixed_version": "v1.20.5", + "trace": [ + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "CallersFrames" + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "reflect", + "function": "valueMethodName", + "position": { + "filename": "/usr/local/go/src/reflect/value.go", + "offset": 5483, + "line": 179, + "column": 33 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "reflect", + "function": "mustBe", + "receiver": "flag", + "position": { + "filename": "/usr/local/go/src/reflect/value.go", + "offset": 6841, + "line": 223, + "column": 36 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "reflect", + "function": "SetBool", + "receiver": "Value", + "position": { + "filename": "/usr/local/go/src/reflect/value.go", + "offset": 69944, + "line": 2252, + "column": 10 + } + }, + { + "module": "gopkg.in/yaml.v2", + "version": "v2.2.0", + "package": "gopkg.in/yaml.v2", + "function": "scalar", + "receiver": "*decoder", + "position": { + "filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", + "offset": 12056, + "line": 500, + "column": 15 + } + }, + { + "module": "gopkg.in/yaml.v2", + "version": "v2.2.0", + "package": "gopkg.in/yaml.v2", + "function": "unmarshal", + "receiver": "*decoder", + "position": { + "filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", + "offset": 7697, + "line": 330, + "column": 18 + } + }, + { + "module": "gopkg.in/yaml.v2", + "version": "v2.2.0", + "package": "gopkg.in/yaml.v2", + "function": "unmarshal", + "position": { + "filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/yaml.go", + "offset": 4635, + "line": 148, + "column": 14 + } + }, + { + "module": "gopkg.in/yaml.v2", + "version": "v2.2.0", + "package": "gopkg.in/yaml.v2", + "function": "Unmarshal", + "position": { + "filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/yaml.go", + "offset": 2826, + "line": 81, + "column": 18 + } + }, + { + "module": "github.com/Templum/playground", + "package": "github.com/Templum/playground/pkg/yaml", + "function": "Testcase", + "position": { + "filename": "/workspaces/playground/pkg/yaml/testcase.go", + "offset": 348, + "line": 28, + "column": 20 } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/commit/9f58baa7a613f89dfdc764c39e47fd3a15606153" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/issues/195" - } - ], - "schema_version": "1.3.1" - }, - "modules": [ - { - "path": "github.com/tidwall/gjson", - "found_version": "v1.6.4", - "fixed_version": "v1.6.5", - "packages": [ - { - "path": "github.com/tidwall/gjson", - "callstacks": [ - { - "symbol": "Get", - "summary": "pkg/seconds/mixer.go:15:18: github.com/Templum/playground/pkg/seconds.Testcase calls github.com/tidwall/gjson.Get", - "frames": [ - { - "package": "github.com/Templum/playground/pkg/seconds", - "function": "Testcase", - "position": { - "Filename": "/workspaces/playground/pkg/seconds/mixer.go", - "Offset": 257, - "Line": 15, - "Column": 18 - } - }, - { - "package": "github.com/tidwall/gjson", - "function": "Get", - "position": { - "Filename": "", - "Offset": 0, - "Line": 0, - "Column": 0 - } - } - ] - } - ] - } - ] } ] } } { - "vulnerability": { - "osv": { - "id": "GO-2022-0956", - "published": "2022-08-29T22:15:46Z", - "modified": "2023-02-08T18:46:18Z", - "aliases": [ - "CVE-2022-3064", - "GHSA-6q6q-88xp-6f2r" - ], - "details": "Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.", - "affected": [ - { - "package": { - "name": "gopkg.in/yaml.v2", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.2.4" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2022-0956" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "gopkg.in/yaml.v2", - "symbols": [ - "Decoder.Decode", - "Unmarshal", - "UnmarshalStrict", - "decoder.unmarshal", - "yaml_parser_increase_flow_level", - "yaml_parser_roll_indent" - ] - } - ] - } + "finding": { + "osv": "GO-2023-1840", + "fixed_version": "v1.20.5", + "trace": [ + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "Next", + "receiver": "*Frames" + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "reflect", + "function": "valueMethodName", + "position": { + "filename": "/usr/local/go/src/reflect/value.go", + "offset": 5605, + "line": 183, + "column": 28 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "reflect", + "function": "mustBe", + "receiver": "flag", + "position": { + "filename": "/usr/local/go/src/reflect/value.go", + "offset": 6841, + "line": 223, + "column": 36 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "reflect", + "function": "SetBool", + "receiver": "Value", + "position": { + "filename": "/usr/local/go/src/reflect/value.go", + "offset": 69944, + "line": 2252, + "column": 10 + } + }, + { + "module": "gopkg.in/yaml.v2", + "version": "v2.2.0", + "package": "gopkg.in/yaml.v2", + "function": "scalar", + "receiver": "*decoder", + "position": { + "filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", + "offset": 12056, + "line": 500, + "column": 15 + } + }, + { + "module": "gopkg.in/yaml.v2", + "version": "v2.2.0", + "package": "gopkg.in/yaml.v2", + "function": "unmarshal", + "receiver": "*decoder", + "position": { + "filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", + "offset": 7697, + "line": 330, + "column": 18 + } + }, + { + "module": "gopkg.in/yaml.v2", + "version": "v2.2.0", + "package": "gopkg.in/yaml.v2", + "function": "unmarshal", + "position": { + "filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/yaml.go", + "offset": 4635, + "line": 148, + "column": 14 + } + }, + { + "module": "gopkg.in/yaml.v2", + "version": "v2.2.0", + "package": "gopkg.in/yaml.v2", + "function": "Unmarshal", + "position": { + "filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/yaml.go", + "offset": 2826, + "line": 81, + "column": 18 + } + }, + { + "module": "github.com/Templum/playground", + "package": "github.com/Templum/playground/pkg/yaml", + "function": "Testcase", + "position": { + "filename": "/workspaces/playground/pkg/yaml/testcase.go", + "offset": 348, + "line": 28, + "column": 20 } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5" - }, - { - "type": "WEB", - "url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4" - } - ], - "schema_version": "1.3.1" - }, - "modules": [ - { - "path": "gopkg.in/yaml.v2", - "found_version": "v2.2.0", - "fixed_version": "v2.2.4", - "packages": [ - { - "path": "gopkg.in/yaml.v2", - "callstacks": [ - { - "symbol": "Unmarshal", - "summary": "pkg/yaml/testcase.go:28:20: github.com/Templum/playground/pkg/yaml.Testcase calls gopkg.in/yaml.v2.Unmarshal", - "frames": [ - { - "package": "github.com/Templum/playground/pkg/yaml", - "function": "Testcase", - "position": { - "Filename": "/workspaces/playground/pkg/yaml/testcase.go", - "Offset": 348, - "Line": 28, - "Column": 20 - } - }, - { - "package": "gopkg.in/yaml.v2", - "function": "Unmarshal", - "position": { - "Filename": "", - "Offset": 0, - "Line": 0, - "Column": 0 - } - } - ] - } - ] - } - ] } ] } } { - "vulnerability": { - "osv": { - "id": "GO-2021-0265", - "published": "2022-08-15T18:06:07Z", - "modified": "2022-11-21T19:50:45Z", - "aliases": [ - "CVE-2021-42248", - "CVE-2021-42836", - "GHSA-c9gm-7rfj-8w5h", - "GHSA-ppj4-34rq-v8j9" - ], - "details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.", - "affected": [ - { - "package": { - "name": "github.com/tidwall/gjson", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.9.3" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2021-0265" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "github.com/tidwall/gjson", - "symbols": [ - "Get", - "GetBytes", - "GetMany", - "GetManyBytes", - "Result.Get", - "parseObject", - "queryMatches" - ] - } - ] - } + "finding": { + "osv": "GO-2023-1840", + "fixed_version": "v1.20.5", + "trace": [ + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "GOMAXPROCS" + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "sync", + "function": "pinSlow", + "receiver": "*Pool", + "position": { + "filename": "/usr/local/go/src/sync/pool.go", + "offset": 6977, + "line": 229, + "column": 28 } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/issues/237" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/issues/236" + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "sync", + "function": "pin", + "receiver": "*Pool", + "position": { + "filename": "/usr/local/go/src/sync/pool.go", + "offset": 6451, + "line": 209, + "column": 18 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "sync", + "function": "Put", + "receiver": "*Pool", + "position": { + "filename": "/usr/local/go/src/sync/pool.go", + "offset": 3619, + "line": 107, + "column": 15 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "fmt", + "function": "free", + "receiver": "*pp", + "position": { + "filename": "/usr/local/go/src/fmt/print.go", + "offset": 5475, + "line": 181, + "column": 12 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "fmt", + "function": "Fprintf", + "position": { + "filename": "/usr/local/go/src/fmt/print.go", + "offset": 6650, + "line": 226, + "column": 8 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "fmt", + "function": "Printf", + "position": { + "filename": "/usr/local/go/src/fmt/print.go", + "offset": 6893, + "line": 233, + "column": 16 + } + }, + { + "module": "github.com/Templum/playground", + "package": "github.com/Templum/playground/pkg/yaml", + "function": "Testcase", + "position": { + "filename": "/workspaces/playground/pkg/yaml/testcase.go", + "offset": 378, + "line": 29, + "column": 12 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2023-1840", + "fixed_version": "v1.20.5", + "trace": [ + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "GOROOT" + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "time", + "function": "loadLocation", + "position": { + "filename": "/usr/local/go/src/time/zoneinfo_read.go", + "offset": 13637, + "line": 552, + "column": 50 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "time", + "function": "initLocal", + "position": { + "filename": "/usr/local/go/src/time/zoneinfo_unix.go", + "offset": 1091, + "line": 37, + "column": 25 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "sync", + "function": "doSlow", + "receiver": "*Once", + "position": { + "filename": "/usr/local/go/src/sync/once.go", + "offset": 2485, + "line": 74, + "column": 4 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "sync", + "function": "Do", + "receiver": "*Once", + "position": { + "filename": "/usr/local/go/src/sync/once.go", + "offset": 2349, + "line": 65, + "column": 11 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "internal/poll", + "function": "init", + "receiver": "*pollDesc", + "position": { + "filename": "/usr/local/go/src/internal/poll/fd_poll_runtime.go", + "offset": 983, + "line": 39, + "column": 15 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "internal/poll", + "function": "Init", + "receiver": "*FD", + "position": { + "filename": "/usr/local/go/src/internal/poll/fd_unix.go", + "offset": 1618, + "line": 63, + "column": 19 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "os", + "function": "newFile", + "position": { + "filename": "/usr/local/go/src/os/file_unix.go", + "offset": 6210, + "line": 190, + "column": 26 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "os", + "function": "NewFile", + "position": { + "filename": "/usr/local/go/src/os/file_unix.go", + "offset": 3751, + "line": 106, + "column": 16 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "os", + "function": "init", + "position": { + "filename": "/usr/local/go/src/os/file.go", + "offset": 2220, + "line": 65, + "column": 18 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "fmt", + "function": "init", + "position": { + "filename": "/usr/local/go/src/fmt/print.go", + "offset": 209, + "line": 10, + "column": 2 + } + }, + { + "module": "github.com/Templum/playground", + "package": "github.com/Templum/playground/pkg/yaml", + "function": "init", + "position": { + "filename": "/workspaces/playground/pkg/yaml/testcase.go", + "offset": 24, + "line": 4, + "column": 2 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2023-1840", + "fixed_version": "v1.20.5", + "trace": [ + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "KeepAlive" + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "os", + "function": "write", + "receiver": "*File", + "position": { + "filename": "/usr/local/go/src/os/file_posix.go", + "offset": 1401, + "line": 49, + "column": 19 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "os", + "function": "Write", + "receiver": "*File", + "position": { + "filename": "/usr/local/go/src/os/file.go", + "offset": 5499, + "line": 175, + "column": 17 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "fmt", + "function": "Fprintf", + "position": { + "filename": "/usr/local/go/src/fmt/print.go", + "offset": 6635, + "line": 225, + "column": 18 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "fmt", + "function": "Printf", + "position": { + "filename": "/usr/local/go/src/fmt/print.go", + "offset": 6893, + "line": 233, + "column": 16 + } + }, + { + "module": "github.com/Templum/playground", + "package": "github.com/Templum/playground/pkg/yaml", + "function": "Testcase", + "position": { + "filename": "/workspaces/playground/pkg/yaml/testcase.go", + "offset": 378, + "line": 29, + "column": 12 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2023-1840", + "fixed_version": "v1.20.5", + "trace": [ + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "SetFinalizer" + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "os", + "function": "newFile", + "position": { + "filename": "/usr/local/go/src/os/file_unix.go", + "offset": 6373, + "line": 196, + "column": 22 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "os", + "function": "NewFile", + "position": { + "filename": "/usr/local/go/src/os/file_unix.go", + "offset": 3751, + "line": 106, + "column": 16 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "os", + "function": "init", + "position": { + "filename": "/usr/local/go/src/os/file.go", + "offset": 2220, + "line": 65, + "column": 18 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "fmt", + "function": "init", + "position": { + "filename": "/usr/local/go/src/fmt/print.go", + "offset": 209, + "line": 10, + "column": 2 + } + }, + { + "module": "github.com/Templum/playground", + "package": "github.com/Templum/playground/pkg/yaml", + "function": "init", + "position": { + "filename": "/workspaces/playground/pkg/yaml/testcase.go", + "offset": 24, + "line": 4, + "column": 2 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2023-1840", + "fixed_version": "v1.20.5", + "trace": [ + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "Error", + "receiver": "*TypeAssertionError" + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "fmt", + "function": "handleMethods", + "receiver": "*pp", + "position": { + "filename": "/usr/local/go/src/fmt/print.go", + "offset": 18244, + "line": 667, + "column": 24 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "fmt", + "function": "printArg", + "receiver": "*pp", + "position": { + "filename": "/usr/local/go/src/fmt/print.go", + "offset": 20093, + "line": 749, + "column": 22 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "fmt", + "function": "doPrintf", + "receiver": "*pp", + "position": { + "filename": "/usr/local/go/src/fmt/print.go", + "offset": 28963, + "line": 1077, + "column": 16 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "fmt", + "function": "Fprintf", + "position": { + "filename": "/usr/local/go/src/fmt/print.go", + "offset": 6606, + "line": 224, + "column": 12 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "fmt", + "function": "Printf", + "position": { + "filename": "/usr/local/go/src/fmt/print.go", + "offset": 6893, + "line": 233, + "column": 16 + } + }, + { + "module": "github.com/Templum/playground", + "package": "github.com/Templum/playground/pkg/yaml", + "function": "Testcase", + "position": { + "filename": "/workspaces/playground/pkg/yaml/testcase.go", + "offset": 378, + "line": 29, + "column": 12 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2023-1840", + "fixed_version": "v1.20.5", + "trace": [ + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "efaceOf" + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "init", + "position": { + "filename": "/usr/local/go/src/runtime/iface.go", + "offset": 9635, + "line": 305, + "column": 29 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "reflect", + "function": "init", + "position": { + "filename": "/usr/local/go/src/reflect/value.go", + "offset": 282, + "line": 14, + "column": 2 + } + }, + { + "module": "gopkg.in/yaml.v2", + "version": "v2.2.0", + "package": "gopkg.in/yaml.v2", + "function": "init", + "position": { + "filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", + "offset": 76, + "line": 9, + "column": 2 + } + }, + { + "module": "github.com/Templum/playground", + "package": "github.com/Templum/playground/pkg/yaml", + "function": "init", + "position": { + "filename": "/workspaces/playground/pkg/yaml/testcase.go", + "offset": 32, + "line": 6, + "column": 2 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2023-1840", + "fixed_version": "v1.20.5", + "trace": [ + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "findfunc" + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "init#6", + "position": { + "filename": "/usr/local/go/src/runtime/preempt.go", + "offset": 10566, + "line": 317, + "column": 15 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "init", + "position": { + "filename": "/usr/local/go/src/runtime/alg.go", + "offset": 160, + "line": 5, + "column": 1 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "reflect", + "function": "init", + "position": { + "filename": "/usr/local/go/src/reflect/value.go", + "offset": 282, + "line": 14, + "column": 2 + } + }, + { + "module": "gopkg.in/yaml.v2", + "version": "v2.2.0", + "package": "gopkg.in/yaml.v2", + "function": "init", + "position": { + "filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", + "offset": 76, + "line": 9, + "column": 2 + } + }, + { + "module": "github.com/Templum/playground", + "package": "github.com/Templum/playground/pkg/yaml", + "function": "init", + "position": { + "filename": "/workspaces/playground/pkg/yaml/testcase.go", + "offset": 32, + "line": 6, + "column": 2 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2023-1840", + "fixed_version": "v1.20.5", + "trace": [ + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "float64frombits" + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "init", + "position": { + "filename": "/usr/local/go/src/runtime/float.go", + "offset": 219, + "line": 9, + "column": 26 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "reflect", + "function": "init", + "position": { + "filename": "/usr/local/go/src/reflect/value.go", + "offset": 282, + "line": 14, + "column": 2 + } + }, + { + "module": "gopkg.in/yaml.v2", + "version": "v2.2.0", + "package": "gopkg.in/yaml.v2", + "function": "init", + "position": { + "filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", + "offset": 76, + "line": 9, + "column": 2 + } + }, + { + "module": "github.com/Templum/playground", + "package": "github.com/Templum/playground/pkg/yaml", + "function": "init", + "position": { + "filename": "/workspaces/playground/pkg/yaml/testcase.go", + "offset": 32, + "line": 6, + "column": 2 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2023-1840", + "fixed_version": "v1.20.5", + "trace": [ + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "forcegchelper" + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "init#7", + "position": { + "filename": "/usr/local/go/src/runtime/proc.go", + "offset": 9938, + "line": 293, + "column": 2 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "init", + "position": { + "filename": "/usr/local/go/src/runtime/alg.go", + "offset": 160, + "line": 5, + "column": 1 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "reflect", + "function": "init", + "position": { + "filename": "/usr/local/go/src/reflect/value.go", + "offset": 282, + "line": 14, + "column": 2 + } + }, + { + "module": "gopkg.in/yaml.v2", + "version": "v2.2.0", + "package": "gopkg.in/yaml.v2", + "function": "init", + "position": { + "filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", + "offset": 76, + "line": 9, + "column": 2 + } + }, + { + "module": "github.com/Templum/playground", + "package": "github.com/Templum/playground/pkg/yaml", + "function": "init", + "position": { + "filename": "/workspaces/playground/pkg/yaml/testcase.go", + "offset": 32, + "line": 6, + "column": 2 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2023-1840", + "fixed_version": "v1.20.5", + "trace": [ + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "funcMaxSPDelta" + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "init#6", + "position": { + "filename": "/usr/local/go/src/runtime/preempt.go", + "offset": 10621, + "line": 318, + "column": 25 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "init", + "position": { + "filename": "/usr/local/go/src/runtime/alg.go", + "offset": 160, + "line": 5, + "column": 1 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "reflect", + "function": "init", + "position": { + "filename": "/usr/local/go/src/reflect/value.go", + "offset": 282, + "line": 14, + "column": 2 + } + }, + { + "module": "gopkg.in/yaml.v2", + "version": "v2.2.0", + "package": "gopkg.in/yaml.v2", + "function": "init", + "position": { + "filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", + "offset": 76, + "line": 9, + "column": 2 + } + }, + { + "module": "github.com/Templum/playground", + "package": "github.com/Templum/playground/pkg/yaml", + "function": "init", + "position": { + "filename": "/workspaces/playground/pkg/yaml/testcase.go", + "offset": 32, + "line": 6, + "column": 2 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2023-1840", + "fixed_version": "v1.20.5", + "trace": [ + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "lockInit" + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "init#1", + "position": { + "filename": "/usr/local/go/src/runtime/arena.go", + "offset": 9277, + "line": 219, + "column": 10 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "init", + "position": { + "filename": "/usr/local/go/src/runtime/alg.go", + "offset": 160, + "line": 5, + "column": 1 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "reflect", + "function": "init", + "position": { + "filename": "/usr/local/go/src/reflect/value.go", + "offset": 282, + "line": 14, + "column": 2 + } + }, + { + "module": "gopkg.in/yaml.v2", + "version": "v2.2.0", + "package": "gopkg.in/yaml.v2", + "function": "init", + "position": { + "filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", + "offset": 76, + "line": 9, + "column": 2 + } + }, + { + "module": "github.com/Templum/playground", + "package": "github.com/Templum/playground/pkg/yaml", + "function": "init", + "position": { + "filename": "/workspaces/playground/pkg/yaml/testcase.go", + "offset": 32, + "line": 6, + "column": 2 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2023-1840", + "fixed_version": "v1.20.5", + "trace": [ + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "Error", + "receiver": "plainError" + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "fmt", + "function": "handleMethods", + "receiver": "*pp", + "position": { + "filename": "/usr/local/go/src/fmt/print.go", + "offset": 18244, + "line": 667, + "column": 24 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "fmt", + "function": "printArg", + "receiver": "*pp", + "position": { + "filename": "/usr/local/go/src/fmt/print.go", + "offset": 20093, + "line": 749, + "column": 22 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "fmt", + "function": "doPrintf", + "receiver": "*pp", + "position": { + "filename": "/usr/local/go/src/fmt/print.go", + "offset": 28963, + "line": 1077, + "column": 16 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "fmt", + "function": "Fprintf", + "position": { + "filename": "/usr/local/go/src/fmt/print.go", + "offset": 6606, + "line": 224, + "column": 12 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "fmt", + "function": "Printf", + "position": { + "filename": "/usr/local/go/src/fmt/print.go", + "offset": 6893, + "line": 233, + "column": 16 + } + }, + { + "module": "github.com/Templum/playground", + "package": "github.com/Templum/playground/pkg/yaml", + "function": "Testcase", + "position": { + "filename": "/workspaces/playground/pkg/yaml/testcase.go", + "offset": 378, + "line": 29, + "column": 12 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2023-1840", + "fixed_version": "v1.20.5", + "trace": [ + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "throw" + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "init#4", + "position": { + "filename": "/usr/local/go/src/runtime/mgcwork.go", + "offset": 738, + "line": 28, + "column": 8 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "init", + "position": { + "filename": "/usr/local/go/src/runtime/alg.go", + "offset": 160, + "line": 5, + "column": 1 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "reflect", + "function": "init", + "position": { + "filename": "/usr/local/go/src/reflect/value.go", + "offset": 282, + "line": 14, + "column": 2 + } + }, + { + "module": "gopkg.in/yaml.v2", + "version": "v2.2.0", + "package": "gopkg.in/yaml.v2", + "function": "init", + "position": { + "filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", + "offset": 76, + "line": 9, + "column": 2 + } + }, + { + "module": "github.com/Templum/playground", + "package": "github.com/Templum/playground/pkg/yaml", + "function": "init", + "position": { + "filename": "/workspaces/playground/pkg/yaml/testcase.go", + "offset": 32, + "line": 6, + "column": 2 + } + } + ] + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0265", + "modified": "2023-06-12T18:45:41Z", + "published": "2022-08-15T18:06:07Z", + "aliases": [ + "CVE-2021-42248", + "CVE-2021-42836", + "GHSA-c9gm-7rfj-8w5h", + "GHSA-ppj4-34rq-v8j9" + ], + "summary": "Denial of service in github.com/tidwall/gjson", + "details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.", + "affected": [ + { + "package": { + "name": "github.com/tidwall/gjson", + "ecosystem": "Go" }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944" - } - ], - "schema_version": "1.3.1" - }, - "modules": [ - { - "path": "github.com/tidwall/gjson", - "found_version": "v1.6.4", - "fixed_version": "v1.9.3", - "packages": [ + "ranges": [ { - "path": "github.com/tidwall/gjson", - "callstacks": [ + "type": "SEMVER", + "events": [ { - "symbol": "Get", - "summary": "pkg/seconds/mixer.go:15:18: github.com/Templum/playground/pkg/seconds.Testcase calls github.com/tidwall/gjson.Get", - "frames": [ - { - "package": "github.com/Templum/playground/pkg/seconds", - "function": "Testcase", - "position": { - "Filename": "/workspaces/playground/pkg/seconds/mixer.go", - "Offset": 257, - "Line": 15, - "Column": 18 - } - }, - { - "package": "github.com/tidwall/gjson", - "function": "Get", - "position": { - "Filename": "", - "Offset": 0, - "Line": 0, - "Column": 0 - } - } - ] + "introduced": "0" + }, + { + "fixed": "1.9.3" } ] } - ] + ], + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/tidwall/gjson", + "symbols": [ + "Get", + "GetBytes", + "GetMany", + "GetManyBytes", + "Result.Get", + "parseObject", + "queryMatches" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/issues/237" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/issues/236" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0265" + } + } +} +{ + "finding": { + "osv": "GO-2021-0265", + "fixed_version": "v1.9.3", + "trace": [ + { + "module": "github.com/tidwall/gjson", + "version": "v1.6.4", + "package": "github.com/tidwall/gjson", + "function": "Get" + }, + { + "module": "github.com/Templum/playground", + "package": "github.com/Templum/playground/pkg/seconds", + "function": "Testcase", + "position": { + "filename": "/workspaces/playground/pkg/seconds/mixer.go", + "offset": 257, + "line": 15, + "column": 18 + } } ] } } { - "vulnerability": { - "osv": { - "id": "GO-2021-0113", - "published": "2021-10-06T17:51:21Z", - "modified": "2023-02-02T17:52:29Z", - "aliases": [ - "CVE-2021-38561", - "GHSA-ppp9-7jff-5vj2" - ], - "details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.", - "affected": [ - { - "package": { - "name": "golang.org/x/text", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0.3.7" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2021-0113" - }, - "ecosystem_specific": { - "imports": [ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0957", + "modified": "2023-06-12T18:45:41Z", + "published": "2022-08-25T06:28:20Z", + "aliases": [ + "CVE-2020-36066", + "GHSA-wjm3-fq3r-5x46" + ], + "summary": "Denial of service in github.com/tidwall/gjson", + "details": "A maliciously crafted JSON input can cause a denial of service attack.", + "affected": [ + { + "package": { + "name": "github.com/tidwall/gjson", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, { - "path": "golang.org/x/text/language", - "symbols": [ - "MatchStrings", - "MustParse", - "Parse", - "ParseAcceptLanguage" - ] + "fixed": "1.6.5" } ] } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/tidwall/gjson", + "symbols": [ + "Get", + "GetBytes", + "GetMany", + "GetManyBytes", + "Result.Get", + "parseObject", + "queryMatches" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/commit/9f58baa7a613f89dfdc764c39e47fd3a15606153" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/issues/195" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0957" + } + } +} +{ + "finding": { + "osv": "GO-2022-0957", + "fixed_version": "v1.6.5", + "trace": [ + { + "module": "github.com/tidwall/gjson", + "version": "v1.6.4", + "package": "github.com/tidwall/gjson", + "function": "Get" + }, + { + "module": "github.com/Templum/playground", + "package": "github.com/Templum/playground/pkg/seconds", + "function": "Testcase", + "position": { + "filename": "/workspaces/playground/pkg/seconds/mixer.go", + "offset": 257, + "line": 15, + "column": 18 } - ], - "references": [ - { - "type": "FIX", - "url": "https://go.dev/cl/340830" + } + ] + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0113", + "modified": "2023-06-12T18:45:41Z", + "published": "2021-10-06T17:51:21Z", + "aliases": [ + "CVE-2021-38561", + "GHSA-ppp9-7jff-5vj2" + ], + "summary": "Out-of-bounds read in golang.org/x/text/language", + "details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.", + "affected": [ + { + "package": { + "name": "golang.org/x/text", + "ecosystem": "Go" }, - { - "type": "FIX", - "url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f" - } - ], - "credits": [ - { - "name": "Guido Vranken" - } - ], - "schema_version": "1.3.1" - }, - "modules": [ - { - "path": "golang.org/x/text", - "found_version": "v0.3.6", - "fixed_version": "v0.3.7", - "packages": [ + "ranges": [ { - "path": "golang.org/x/text/language", - "callstacks": [ + "type": "SEMVER", + "events": [ { - "symbol": "MustParse", - "summary": "pkg/seconds/mixer.go:12:29: github.com/Templum/playground/pkg/seconds.Testcase calls golang.org/x/text/language.MustParse", - "frames": [ - { - "package": "github.com/Templum/playground/pkg/seconds", - "function": "Testcase", - "position": { - "Filename": "/workspaces/playground/pkg/seconds/mixer.go", - "Offset": 204, - "Line": 12, - "Column": 29 - } - }, - { - "package": "golang.org/x/text/language", - "function": "MustParse", - "position": { - "Filename": "", - "Offset": 0, - "Line": 0, - "Column": 0 - } - } - ] + "introduced": "0" + }, + { + "fixed": "0.3.7" } ] } - ] + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/text/language", + "symbols": [ + "MatchStrings", + "MustParse", + "Parse", + "ParseAcceptLanguage" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/340830" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f" + } + ], + "credits": [ + { + "name": "Guido Vranken" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0113" + } + } +} +{ + "finding": { + "osv": "GO-2021-0113", + "fixed_version": "v0.3.7", + "trace": [ + { + "module": "golang.org/x/text", + "version": "v0.3.6", + "package": "golang.org/x/text/language", + "function": "MustParse" + }, + { + "module": "github.com/Templum/playground", + "package": "github.com/Templum/playground/pkg/seconds", + "function": "Testcase", + "position": { + "filename": "/workspaces/playground/pkg/seconds/mixer.go", + "offset": 204, + "line": 12, + "column": 29 + } } ] } } { - "vulnerability": { - "osv": { - "id": "GO-2021-0061", - "published": "2021-04-14T20:04:52Z", - "modified": "2023-02-08T18:46:18Z", - "aliases": [ - "CVE-2021-4235", - "GHSA-r88r-gmrh-7j83" - ], - "details": "Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.", - "affected": [ - { - "package": { - "name": "gopkg.in/yaml.v2", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.2.3" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2021-0061" - }, - "ecosystem_specific": { - "imports": [ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2020-0036", + "modified": "2023-06-12T18:45:41Z", + "published": "2021-04-14T20:04:52Z", + "aliases": [ + "CVE-2019-11254", + "GHSA-wxc4-f4m6-wwqv" + ], + "summary": "Excessive resource consumption in YAML parsing in gopkg.in/yaml.v2", + "details": "Due to unbounded aliasing, a crafted YAML file can cause consumption of significant system resources. If parsing user supplied input, this may be used as a denial of service vector.", + "affected": [ + { + "package": { + "name": "gopkg.in/yaml.v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, { - "path": "gopkg.in/yaml.v2", - "symbols": [ - "Decoder.Decode", - "Unmarshal", - "UnmarshalStrict", - "decoder.unmarshal" - ] + "fixed": "2.2.8" } ] } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "gopkg.in/yaml.v2", + "symbols": [ + "Decoder.Decode", + "Unmarshal", + "UnmarshalStrict", + "yaml_parser_decrease_flow_level", + "yaml_parser_fetch_more_tokens", + "yaml_parser_fetch_stream_start", + "yaml_parser_fetch_value", + "yaml_parser_remove_simple_key", + "yaml_parser_save_simple_key" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/pull/555" + }, + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48" + }, + { + "type": "WEB", + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0036" + } + } +} +{ + "finding": { + "osv": "GO-2020-0036", + "fixed_version": "v2.2.8", + "trace": [ + { + "module": "gopkg.in/yaml.v2", + "version": "v2.2.0", + "package": "gopkg.in/yaml.v2", + "function": "Unmarshal" + }, + { + "module": "github.com/Templum/playground", + "package": "github.com/Templum/playground/pkg/yaml", + "function": "Testcase", + "position": { + "filename": "/workspaces/playground/pkg/yaml/testcase.go", + "offset": 348, + "line": 28, + "column": 20 } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/go-yaml/yaml/pull/375" + } + ] + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0061", + "modified": "2023-06-12T18:45:41Z", + "published": "2021-04-14T20:04:52Z", + "aliases": [ + "CVE-2021-4235", + "GHSA-r88r-gmrh-7j83" + ], + "summary": "Denial of service in gopkg.in/yaml.v2", + "details": "Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.", + "affected": [ + { + "package": { + "name": "gopkg.in/yaml.v2", + "ecosystem": "Go" }, - { - "type": "FIX", - "url": "https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241" - } - ], - "credits": [ - { - "name": "@simonferquel" - } - ], - "schema_version": "1.3.1" - }, - "modules": [ - { - "path": "gopkg.in/yaml.v2", - "found_version": "v2.2.0", - "fixed_version": "v2.2.3", - "packages": [ + "ranges": [ { - "path": "gopkg.in/yaml.v2", - "callstacks": [ + "type": "SEMVER", + "events": [ { - "symbol": "Unmarshal", - "summary": "pkg/yaml/testcase.go:28:20: github.com/Templum/playground/pkg/yaml.Testcase calls gopkg.in/yaml.v2.Unmarshal", - "frames": [ - { - "package": "github.com/Templum/playground/pkg/yaml", - "function": "Testcase", - "position": { - "Filename": "/workspaces/playground/pkg/yaml/testcase.go", - "Offset": 348, - "Line": 28, - "Column": 20 - } - }, - { - "package": "gopkg.in/yaml.v2", - "function": "Unmarshal", - "position": { - "Filename": "", - "Offset": 0, - "Line": 0, - "Column": 0 - } - } - ] + "introduced": "0" + }, + { + "fixed": "2.2.3" } ] } - ] + ], + "ecosystem_specific": { + "imports": [ + { + "path": "gopkg.in/yaml.v2", + "symbols": [ + "Decoder.Decode", + "Unmarshal", + "UnmarshalStrict", + "decoder.unmarshal" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/pull/375" + }, + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241" + } + ], + "credits": [ + { + "name": "@simonferquel" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0061" + } + } +} +{ + "finding": { + "osv": "GO-2021-0061", + "fixed_version": "v2.2.3", + "trace": [ + { + "module": "gopkg.in/yaml.v2", + "version": "v2.2.0", + "package": "gopkg.in/yaml.v2", + "function": "Unmarshal" + }, + { + "module": "github.com/Templum/playground", + "package": "github.com/Templum/playground/pkg/yaml", + "function": "Testcase", + "position": { + "filename": "/workspaces/playground/pkg/yaml/testcase.go", + "offset": 348, + "line": 28, + "column": 20 + } } ] } } { - "vulnerability": { - "osv": { - "id": "GO-2021-0054", - "published": "2021-04-14T20:04:52Z", - "modified": "2023-02-07T21:49:49Z", - "aliases": [ - "CVE-2020-36067", - "GHSA-p64j-r5f4-pwwx" - ], - "details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.", - "affected": [ - { - "package": { - "name": "github.com/tidwall/gjson", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.6.6" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2021-0054" - }, - "ecosystem_specific": { - "imports": [ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0956", + "modified": "2023-06-12T18:45:41Z", + "published": "2022-08-29T22:15:46Z", + "aliases": [ + "CVE-2022-3064", + "GHSA-6q6q-88xp-6f2r" + ], + "summary": "Excessive resource consumption in gopkg.in/yaml.v2", + "details": "Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.", + "affected": [ + { + "package": { + "name": "gopkg.in/yaml.v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, { - "path": "github.com/tidwall/gjson", - "symbols": [ - "Result.ForEach", - "unwrap" - ] + "fixed": "2.2.4" } ] } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "gopkg.in/yaml.v2", + "symbols": [ + "Decoder.Decode", + "Unmarshal", + "UnmarshalStrict", + "decoder.unmarshal", + "yaml_parser_increase_flow_level", + "yaml_parser_roll_indent" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5" + }, + { + "type": "WEB", + "url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0956" + } + } +} +{ + "finding": { + "osv": "GO-2022-0956", + "fixed_version": "v2.2.4", + "trace": [ + { + "module": "gopkg.in/yaml.v2", + "version": "v2.2.0", + "package": "gopkg.in/yaml.v2", + "function": "Unmarshal" + }, + { + "module": "github.com/Templum/playground", + "package": "github.com/Templum/playground/pkg/yaml", + "function": "Testcase", + "position": { + "filename": "/workspaces/playground/pkg/yaml/testcase.go", + "offset": 348, + "line": 28, + "column": 20 } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/issues/196" - } - ], - "credits": [ - { - "name": "@toptotu" - } - ], - "schema_version": "1.3.1" - }, - "modules": [ - { - "path": "github.com/tidwall/gjson", - "found_version": "v1.6.4", - "fixed_version": "v1.6.6", - "packages": [ - { - "path": "github.com/tidwall/gjson" - } - ] } ] } } { - "vulnerability": { - "osv": { - "id": "GO-2020-0036", - "published": "2021-04-14T20:04:52Z", - "modified": "2023-01-14T00:31:02Z", - "aliases": [ - "CVE-2019-11254", - "GHSA-wxc4-f4m6-wwqv" - ], - "details": "Due to unbounded aliasing, a crafted YAML file can cause consumption of significant system resources. If parsing user supplied input, this may be used as a denial of service vector.", - "affected": [ - { - "package": { - "name": "gopkg.in/yaml.v2", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.2.8" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2020-0036" - }, - "ecosystem_specific": { - "imports": [ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0054", + "modified": "2023-06-12T18:45:41Z", + "published": "2021-04-14T20:04:52Z", + "aliases": [ + "CVE-2020-36067", + "GHSA-p64j-r5f4-pwwx" + ], + "summary": "Panic due to improper input validation in github.com/tidwall/gjson", + "details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.", + "affected": [ + { + "package": { + "name": "github.com/tidwall/gjson", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ { - "path": "gopkg.in/yaml.v2", - "symbols": [ - "Decoder.Decode", - "Unmarshal", - "UnmarshalStrict", - "yaml_parser_decrease_flow_level", - "yaml_parser_fetch_more_tokens", - "yaml_parser_fetch_stream_start", - "yaml_parser_fetch_value", - "yaml_parser_remove_simple_key", - "yaml_parser_save_simple_key" - ] + "introduced": "0" + }, + { + "fixed": "1.6.6" } ] } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/tidwall/gjson", + "symbols": [ + "Result.ForEach", + "unwrap" + ] + } + ] } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/go-yaml/yaml/pull/555" - }, - { - "type": "FIX", - "url": "https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48" + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/issues/196" + } + ], + "credits": [ + { + "name": "@toptotu" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0054" + } + } +} +{ + "finding": { + "osv": "GO-2021-0054", + "fixed_version": "v1.6.6", + "trace": [ + { + "module": "github.com/tidwall/gjson", + "version": "v1.6.4", + "package": "github.com/tidwall/gjson" + } + ] + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-1059", + "modified": "2023-06-12T18:45:41Z", + "published": "2022-10-11T18:16:24Z", + "aliases": [ + "CVE-2022-32149", + "GHSA-69ch-w2m2-3vjp" + ], + "summary": "Denial of service via crafted Accept-Language header in golang.org/x/text/language", + "details": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", + "affected": [ + { + "package": { + "name": "golang.org/x/text", + "ecosystem": "Go" }, - { - "type": "WEB", - "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496" - } - ], - "schema_version": "1.3.1" - }, - "modules": [ - { - "path": "gopkg.in/yaml.v2", - "found_version": "v2.2.0", - "fixed_version": "v2.2.8", - "packages": [ + "ranges": [ { - "path": "gopkg.in/yaml.v2", - "callstacks": [ + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, { - "symbol": "Unmarshal", - "summary": "pkg/yaml/testcase.go:28:20: github.com/Templum/playground/pkg/yaml.Testcase calls gopkg.in/yaml.v2.Unmarshal", - "frames": [ - { - "package": "github.com/Templum/playground/pkg/yaml", - "function": "Testcase", - "position": { - "Filename": "/workspaces/playground/pkg/yaml/testcase.go", - "Offset": 348, - "Line": 28, - "Column": 20 - } - }, - { - "package": "gopkg.in/yaml.v2", - "function": "Unmarshal", - "position": { - "Filename": "", - "Offset": 0, - "Line": 0, - "Column": 0 - } - } - ] + "fixed": "0.3.8" } ] } - ] + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/text/language", + "symbols": [ + "MatchStrings", + "ParseAcceptLanguage" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/56152" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/442235" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ" + } + ], + "credits": [ + { + "name": "Adam Korczynski (ADA Logics)" + }, + { + "name": "OSS-Fuzz" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1059" + } + } +} +{ + "finding": { + "osv": "GO-2022-1059", + "fixed_version": "v0.3.8", + "trace": [ + { + "module": "golang.org/x/text", + "version": "v0.3.6", + "package": "golang.org/x/text/language" } ] } diff --git a/main.go b/main.go index ce802e4..cb777af 100644 --- a/main.go +++ b/main.go @@ -44,13 +44,13 @@ func main() { Str("Fail on Vulnerabilities", os.Getenv("STRICT")). Msg("Action Inputs:") - findings, err := scanner.Scan() + report, err := scanner.Scan() if err != nil { logger.Error().Err(err).Msg("Scanning yielded error") os.Exit(2) } - err = reporter.Convert(findings) + err = reporter.Convert(report) if err != nil { logger.Error().Err(err).Msg("Conversion of Scan yielded error") os.Exit(2) @@ -89,7 +89,7 @@ func main() { if os.Getenv("STRICT") == "true" { logger.Debug().Msg("Action is running in strict mode") - if len(findings) > 0 { + if len(report.Findings) > 0 { logger.Info().Msg("Encountered at least one vulnerability while running in strict mode, will mark outcome as failed") os.Exit(2) } diff --git a/pkg/github/sarif_report_test.go b/pkg/github/sarif_report_test.go index 4721ccf..c5afacf 100644 --- a/pkg/github/sarif_report_test.go +++ b/pkg/github/sarif_report_test.go @@ -27,7 +27,7 @@ type MockReport struct { mock.Mock } -func (m *MockReport) Convert(findings []types.Finding) error { +func (m *MockReport) Convert(findings *types.Report) error { args := m.Called(findings) return args.Error(0) } diff --git a/pkg/sarif/reporter.go b/pkg/sarif/reporter.go index c23fca8..469bd97 100644 --- a/pkg/sarif/reporter.go +++ b/pkg/sarif/reporter.go @@ -8,7 +8,6 @@ import ( "github.com/Templum/govulncheck-action/pkg/types" "github.com/owenrumney/go-sarif/v2/sarif" "github.com/rs/zerolog" - "golang.org/x/vuln/osv" ) const ( @@ -33,27 +32,22 @@ func NewSarifReporter(logger zerolog.Logger, workDir string) types.Reporter { return &SarifReporter{report: nil, run: nil, log: logger, workDir: workDir} } -func (sr *SarifReporter) Convert(findings []types.Finding) error { - sr.createEmptyReport("initial") +func (sr *SarifReporter) Convert(report *types.Report) error { + sr.createEmptyReport(report.Version) - sr.log.Debug().Msgf("Scan result shows the code is affected by %d vulnerabilities", len(findings)) - for _, vuln := range findings { - sr.addRule(vuln.Osv) + sr.log.Debug().Int("Number of Call Sites", len(report.Findings)).Msgf("Scan result shows the code is affected by %d vulnerabilities", len(report.Vulnerabilities)) - for _, mods := range vuln.Modules { - for _, pkg := range mods.Packages { - if len(pkg.CallStacks) > 0 { - for _, callStack := range pkg.CallStacks { - // Vulnerable code is directly called - sr.addDirectCallResult(vuln.Osv.ID, pkg, callStack) - } - } else { - // Vulnerable code is direct or indirect imported - sr.addImportResult(vuln.Osv.ID, pkg) - } - } - } + for _, vuln := range report.Vulnerabilities { + sr.addRule(vuln) + } + for _, finding := range report.Findings { + + if len(finding.Trace) > 1 { + sr.addDirectCallResult(finding) + } else { + sr.addImportResult(finding) + } } sr.log.Info().Int("Vulnerabilities", len(sr.run.Tool.Driver.Rules)).Int("Call Sites", len(sr.run.Results)).Msg("Conversion yielded following stats") @@ -70,7 +64,7 @@ func (sr *SarifReporter) createEmptyReport(vulncheckVersion string) { report, _ := sarif.New(sarif.Version210) run := sarif.NewRunWithInformationURI(shortName, uri) - run.Tool.Driver.WithVersion("0.0.1") // TODO: Get version from tag + run.Tool.Driver.WithVersion(vulncheckVersion) run.Tool.Driver.WithFullName(fullName) run.ColumnKind = "utf16CodeUnits" @@ -78,7 +72,7 @@ func (sr *SarifReporter) createEmptyReport(vulncheckVersion string) { sr.run = run } -func (sr *SarifReporter) addRule(vuln *osv.Entry) { +func (sr *SarifReporter) addRule(vuln types.Entry) { text, markdown := sr.generateRuleHelp(vuln) // sr.run.AddRule does check if the rule is present prior to adding it @@ -101,46 +95,50 @@ func (sr *SarifReporter) addRule(vuln *osv.Entry) { WithHelpURI(fmt.Sprintf("https://pkg.go.dev/vuln/%s", vuln.ID)) } -func (sr *SarifReporter) addDirectCallResult(vulnID string, pkg *types.Package, callStack types.CallStack) { - entry := callStack.Frames[0] +func (sr *SarifReporter) addDirectCallResult(finding types.Finding) { + callSite := sr.extractCallSite(finding.Trace) + indirectCaller := sr.extractIndirectCaller(finding.Trace) + vulnerableSymbol := sr.extractVulnerableSymbol(finding.Trace) - result := sarif.NewRuleResult(vulnID). + result := sarif.NewRuleResult(finding.OSV). WithLevel(severity). - WithMessage(sarif.NewMessage().WithText(callStack.Summary)) + WithMessage(sarif.NewMessage().WithText(sr.generateCallSummary(callSite, indirectCaller, vulnerableSymbol))) sr.log.Debug(). - Str("Symbol", callStack.Symbol). - Msgf("Adding a result for %s called from %s", vulnID, entry.Position) + Str("Symbol", fmt.Sprintf("%s.%s", vulnerableSymbol.Package, vulnerableSymbol.Function)). + Msgf("Adding a result for %s called from %s:%d:%d", finding.OSV, sr.makePathRelative(callSite.Position.Filename), callSite.Position.Line, callSite.Position.Column) region := sarif.NewRegion(). - WithStartLine(entry.Position.Line). - WithEndLine(entry.Position.Line). - WithStartColumn(entry.Position.Column). - WithEndColumn(entry.Position.Column). - WithCharOffset(entry.Position.Offset) + WithStartLine(callSite.Position.Line). + WithEndLine(callSite.Position.Line). + WithStartColumn(callSite.Position.Column). + WithEndColumn(callSite.Position.Column). + WithCharOffset(callSite.Position.Offset) location := sarif.NewPhysicalLocation(). - WithArtifactLocation(sarif.NewSimpleArtifactLocation(sr.makePathRelative(entry.Position.Filename)).WithUriBaseId(baseURI)). + WithArtifactLocation(sarif.NewSimpleArtifactLocation(sr.makePathRelative(callSite.Position.Filename)).WithUriBaseId(baseURI)). WithRegion(region) result.WithLocations([]*sarif.Location{sarif.NewLocationWithPhysicalLocation(location)}) - if ruleIdx := sr.getRule(vulnID); ruleIdx >= 0 { + if ruleIdx := sr.getRule(finding.OSV); ruleIdx >= 0 { result.WithRuleIndex(ruleIdx) sr.run.AddResult(result) } } -func (sr *SarifReporter) addImportResult(vulnID string, pkg *types.Package) { - message := fmt.Sprintf("Package %s is vulnerable to %s, but your code doesn't appear to call any vulnerable function directly. You may not need to take any action.", pkg.Path, vulnID) +func (sr *SarifReporter) addImportResult(finding types.Finding) { + vulnerableSymbol := finding.Trace[0] + + message := fmt.Sprintf("Package %s is vulnerable to %s, but there are no call stacks leading to the use of these vulnerabilities. You may not need to take any action.", vulnerableSymbol.Package, finding.OSV) - result := sarif.NewRuleResult(vulnID). + result := sarif.NewRuleResult(finding.OSV). WithLevel(severity). WithMessage(sarif.NewMessage().WithText(message).WithMarkdown(message)) sr.log.Debug(). - Str("Path", pkg.Path). - Msgf("Adding a result related to an import exposed to %s", vulnID) + Str("Path", vulnerableSymbol.Package). + Msgf("Adding a result related to an import exposed to %s", finding.OSV) region := sarif.NewRegion(). WithStartLine(0). @@ -155,7 +153,7 @@ func (sr *SarifReporter) addImportResult(vulnID string, pkg *types.Package) { result.WithLocations([]*sarif.Location{sarif.NewLocationWithPhysicalLocation(location)}) - if ruleIdx := sr.getRule(vulnID); ruleIdx >= 0 { + if ruleIdx := sr.getRule(finding.OSV); ruleIdx >= 0 { result.WithRuleIndex(ruleIdx) sr.run.AddResult(result) } @@ -175,29 +173,32 @@ func (sr *SarifReporter) makePathRelative(absolute string) string { return strings.TrimPrefix(relative, "/") } -func (sr *SarifReporter) searchFixVersion(versions []osv.Affected) string { +func (sr *SarifReporter) searchFixVersion(versions []types.Affected) string { + // Maybe in the future we can return all fixedVersions, so user can look for a version closer to his semver + lastFix := "None" + for _, current := range versions { for _, r := range current.Ranges { for _, ev := range r.Events { if ev.Fixed != "" { - return ev.Fixed + lastFix = ev.Fixed } } } } - return "None" + return lastFix } -func (sr *SarifReporter) searchPackage(versions []osv.Affected) string { +func (sr *SarifReporter) searchPackage(versions []types.Affected) string { for _, current := range versions { - return current.Package.Name + return current.Module.Path } return "N/A" } -func (sr *SarifReporter) generateRuleHelp(vuln *osv.Entry) (text string, markdown string) { +func (sr *SarifReporter) generateRuleHelp(vuln types.Entry) (text string, markdown string) { fixVersion := sr.searchFixVersion(vuln.Affected) pkg := sr.searchPackage(vuln.Affected) @@ -206,3 +207,47 @@ func (sr *SarifReporter) generateRuleHelp(vuln *osv.Entry) (text string, markdow return fmt.Sprintf("Vulnerability %s \n Package: %s \n Fixed in Version: %s \n", vuln.ID, pkg, fixVersion), fmt.Sprintf("**Vulnerability [%s](%s)**\n%s\n| Package | Fixed in Version |\n| --- |:---:|\n|%s|%s|\n", vuln.ID, uri, vuln.Details, pkg, fixVersion) } + +// extractCallSite will go over the provided call stack and extract the call site. +// As the call stack starts with the vulnerable symbol and moves towards the users code the last call +// is where the user calls the vulnerable code (either direct or indirect) +func (sr *SarifReporter) extractCallSite(callStack []*types.Frame) *types.Frame { + return callStack[len(callStack)-1] +} + +// extractIndirectCaller will go over the provided call stack and extract the indirect call site. +// This will be nil if the call site is directly calling the vulnerable code. In other cases it +// will be the code that is directly called by the user and eventually ends up calling the vulnerable code +func (sr *SarifReporter) extractIndirectCaller(callStack []*types.Frame) *types.Frame { + if len(callStack) > 2 { + return callStack[len(callStack)-2] + } + + return nil +} + +// extractVulnerableSymbol will return the first element of the provided call stack. Following the +// assumption that the call stack starts from the vulnerable code and moves towards the call site +func (sr *SarifReporter) extractVulnerableSymbol(callStack []*types.Frame) *types.Frame { + return callStack[0] +} + +func (sr *SarifReporter) generateCallSummary(callSite *types.Frame, indirectCaller *types.Frame, vulnerableSymbol *types.Frame) string { + callingLocation := fmt.Sprintf("%s:%d:%d", sr.makePathRelative(callSite.Position.Filename), callSite.Position.Line, callSite.Position.Column) + callingCode := fmt.Sprintf("%s.%s", callSite.Package, callSite.Function) + + var vulnerableCode string + + if vulnerableSymbol.Receiver == "" { + vulnerableCode = fmt.Sprintf("%s.%s", vulnerableSymbol.Package, vulnerableSymbol.Function) + } else { + vulnerableCode = fmt.Sprintf("%s.%s.%s", vulnerableSymbol.Package, strings.TrimPrefix(vulnerableSymbol.Receiver, "*"), vulnerableSymbol.Function) + } + + if indirectCaller != nil { + indirectCalledCode := fmt.Sprintf("%s.%s", indirectCaller.Package, indirectCaller.Function) + return fmt.Sprintf("%s: %s calls %s, which eventually calls %s", callingLocation, callingCode, indirectCalledCode, vulnerableCode) + } + + return fmt.Sprintf("%s: %s calls %s", callingLocation, callingCode, vulnerableCode) +} diff --git a/pkg/sarif/reporter_test.go b/pkg/sarif/reporter_test.go index 4d82302..bdd1fcb 100644 --- a/pkg/sarif/reporter_test.go +++ b/pkg/sarif/reporter_test.go @@ -29,8 +29,8 @@ func TestSarifReporter_Convert(t *testing.T) { assert.NotNil(t, ref.report, "should have create an empty report") assert.NotNil(t, ref.run, "should have filled a run with details") - assert.Equal(t, len(ref.run.Results), 8, "example report should have 8 calls to vulnerabilities") - assert.Equal(t, len(ref.run.Tool.Driver.Rules), 8, "example report should have 8 vulnerabilities") + assert.Equal(t, len(ref.run.Results), 24, "example report should have 24 calls to vulnerabilities") + assert.Equal(t, len(ref.run.Tool.Driver.Rules), 9, "example report should have 9 vulnerabilities") assert.Equal(t, len(ref.report.Runs), 0, "should have not yet added the run to the report") }) @@ -38,7 +38,7 @@ func TestSarifReporter_Convert(t *testing.T) { target := NewSarifReporter(zerolog.Nop(), "/workspaces/govulncheck-action") ref := target.(*SarifReporter) - _ = target.Convert([]types.Finding{}) + _ = target.Convert(&types.Report{Vulnerabilities: []types.Entry{}, Findings: []types.Finding{}}) assert.NotNil(t, ref.report, "should have create an empty report") assert.NotNil(t, ref.run, "should have filled a run with details") diff --git a/pkg/types/finding.go b/pkg/types/finding.go deleted file mode 100644 index dedcf8d..0000000 --- a/pkg/types/finding.go +++ /dev/null @@ -1,108 +0,0 @@ -package types - -import ( - "go/token" - - "golang.org/x/vuln/osv" -) - -// StreamMessage links to: https://github.com/golang/vuln/blob/master/internal/govulncheck/result.go#L32-L38 -type StreamMessage struct { - Preamble *struct{} `json:"preamble,omitempty"` - Progress string `json:"progress,omitempty"` - Vulnerability *Finding `json:"vulnerability,omitempty"` -} - -// Finding links to: https://github.com/golang/vuln/blob/master/internal/govulncheck/result.go#L56-L68 -type Finding struct { - // OSV contains all data from the OSV entry for this vulnerability. - Osv *osv.Entry - // Modules contains all of the modules in the OSV entry where a - // vulnerable package is imported by the target source code or binary. - // - // For example, a module M with two packages M/p1 and M/p2, where only p1 - // is vulnerable, will appear in this list if and only if p1 is imported by - // the target source code or binary. - Modules []*Module -} - -type Module struct { - // Path is the module path of the module containing the vulnerability. - // - // Importable packages in the standard library will have the path "stdlib". - Path string - - // FoundVersion is the module version where the vulnerability was found. - FoundVersion string - - // FixedVersion is the module version where the vulnerability was - // fixed. If there are multiple fixed versions in the OSV report, this will - // be the latest fixed version. - // - // This is empty if a fix is not available. - FixedVersion string - - // Packages contains all the vulnerable packages in OSV entry that are - // imported by the target source code or binary. - // - // For example, given a module M with two packages M/p1 and M/p2, where - // both p1 and p2 are vulnerable, p1 and p2 will each only appear in this - // list they are individually imported by the target source code or binary. - Packages []*Package -} - -type Package struct { - // Path is the import path of the package containing the vulnerability. - Path string - - // CallStacks contains a representative call stack for each - // vulnerable symbol that is called. - // - // For vulnerabilities found from binary analysis, only CallStack.Symbol - // will be provided. - // - // For non-affecting vulnerabilities reported from the source mode - // analysis, this will be empty. - CallStacks []CallStack -} - -type CallStack struct { - // Symbol is the name of the detected vulnerable function - // or method. - // - // This follows the naming convention in the OSV report. - Symbol string - - // Summary is a one-line description of the callstack, used by the - // default govulncheck mode. - // - // Example: module3.main calls github.com/shiyanhui/dht.DHT.Run - Summary string - - // Frames contains an entry for each stack in the call stack. - // - // Frames are sorted starting from the entry point to the - // imported vulnerable symbol. The last frame in Frames should match - // Symbol. - Frames []*StackFrame -} - -type StackFrame struct { - // PackagePath is the import path. - PkgPath string - - // FuncName is the function name. - FuncName string - - // RecvType is the fully qualified receiver type, - // if the called symbol is a method. - // - // The client can create the final symbol name by - // prepending RecvType to FuncName. - RecvType string - - // Position describes an arbitrary source position - // including the file, line, and column location. - // A Position is valid if the line number is > 0. - Position token.Position -} diff --git a/pkg/types/reporter.go b/pkg/types/reporter.go index 15df2ef..71bfa73 100644 --- a/pkg/types/reporter.go +++ b/pkg/types/reporter.go @@ -5,6 +5,12 @@ import ( ) type Reporter interface { - Convert(result []Finding) error + Convert(result *Report) error Write(dest io.Writer) error } + +type Report struct { + Vulnerabilities []Entry + Findings []Finding + Version string +} diff --git a/pkg/types/vulncheck.go b/pkg/types/vulncheck.go new file mode 100644 index 0000000..14e10d1 --- /dev/null +++ b/pkg/types/vulncheck.go @@ -0,0 +1,213 @@ +package types + +import ( + "time" +) + +// StreamMessage (Message) links to: https://github.com/golang/vuln/blob/1568f338f20421c10ef3dcf745755769c4e52a68/internal/govulncheck/govulncheck.go#L21 +type StreamMessage struct { + Config *Config `json:"config,omitempty"` + Progress *Progress `json:"progress,omitempty"` + OSV *Entry `json:"osv,omitempty"` + Finding *Finding `json:"finding,omitempty"` +} + +// Config links to: https://github.com/golang/vuln/blob/1568f338f20421c10ef3dcf745755769c4e52a68/internal/govulncheck/govulncheck.go#L31C1-L58C2 +type Config struct { + // ProtocolVersion specifies the version of the JSON protocol. + ProtocolVersion string `json:"protocol_version"` + + // ScannerName is the name of the tool, for example, govulncheck. + // + // We expect this JSON format to be used by other tools that wrap + // govulncheck, which will have a different name. + ScannerName string `json:"scanner_name,omitempty"` + + // ScannerVersion is the version of the tool. + ScannerVersion string `json:"scanner_version,omitempty"` + + // DB is the database used by the tool, for example, + // vuln.go.dev. + DB string `json:"db,omitempty"` + + // LastModified is the last modified time of the data source. + DBLastModified *time.Time `json:"db_last_modified,omitempty"` + + // GoVersion is the version of Go used for analyzing standard library + // vulnerabilities. + GoVersion string `json:"go_version,omitempty"` + + // ScanLevel instructs govulncheck to analyze at a specific level of detail. + // Valid values include module, package and symbol. + ScanLevel string `json:"scan_level,omitempty"` +} + +// Progress links to: https://github.com/golang/vuln/blob/1568f338f20421c10ef3dcf745755769c4e52a68/internal/govulncheck/govulncheck.go#L64 +type Progress struct { + // A time stamp for the message. + Timestamp *time.Time `json:"time,omitempty"` + + // Message is the progress message. + Message string `json:"message,omitempty"` +} + +// Finding links to: https://github.com/golang/vuln/blob/1568f338f20421c10ef3dcf745755769c4e52a68/internal/govulncheck/govulncheck.go#L73 +type Finding struct { + // OSV is the id of the detected vulnerability. + OSV string `json:"osv,omitempty"` + + // FixedVersion is the module version where the vulnerability was + // fixed. This is empty if a fix is not available. + // + // If there are multiple fixed versions in the OSV report, this will + // be the fixed version in the latest range event for the OSV report. + // + // For example, if the range events are + // {introduced: 0, fixed: 1.0.0} and {introduced: 1.1.0}, the fixed version + // will be empty. + // + // For the stdlib, we will show the fixed version closest to the + // Go version that is used. For example, if a fix is available in 1.17.5 and + // 1.18.5, and the GOVERSION is 1.17.3, 1.17.5 will be returned as the + // fixed version. + FixedVersion string `json:"fixed_version,omitempty"` + + // Trace contains an entry for each frame in the trace. + // + // Frames are sorted starting from the imported vulnerable symbol + // until the entry point. The first frame in Frames should match + // Symbol. + // + // In binary mode, trace will contain a single-frame with no position + // information. + // + // When a package is imported but no vulnerable symbol is called, the trace + // will contain a single-frame with no symbol or position information. + Trace []*Frame `json:"trace,omitempty"` +} + +// Frame links to: https://github.com/golang/vuln/blob/1568f338f20421c10ef3dcf745755769c4e52a68/internal/govulncheck/govulncheck.go#L73 +type Frame struct { + // Module is the module path of the module containing this symbol. + // + // Importable packages in the standard library will have the path "stdlib". + Module string `json:"module"` + + // Version is the module version from the build graph. + Version string `json:"version,omitempty"` + + // Package is the import path. + Package string `json:"package,omitempty"` + + // Function is the function name. + Function string `json:"function,omitempty"` + + // Receiver is the receiver type if the called symbol is a method. + // + // The client can create the final symbol name by + // prepending Receiver to FuncName. + Receiver string `json:"receiver,omitempty"` + + // Position describes an arbitrary source position + // including the file, line, and column location. + // A Position is valid if the line number is > 0. + Position *Position `json:"position,omitempty"` +} + +// Position links to: https://github.com/golang/vuln/blob/1568f338f20421c10ef3dcf745755769c4e52a68/internal/govulncheck/govulncheck.go#L136 +type Position struct { + Filename string `json:"filename,omitempty"` // filename, if any + Offset int `json:"offset"` // byte offset, starting at 0 + Line int `json:"line"` // line number, starting at 1 + Column int `json:"column"` // column number, starting at 1 (byte count) +} + +// Entry links to: https://github.com/golang/vuln/blob/1568f338f20421c10ef3dcf745755769c4e52a68/internal/osv/osv.go#L180 +type Entry struct { + // SchemaVersion is the OSV schema version used to encode this + // vulnerability. + SchemaVersion string `json:"schema_version,omitempty"` + // ID is a unique identifier for the vulnerability. Required. + // The Go vulnerability database issues IDs of the form + // GO--. + ID string `json:"id"` + // Modified is the time the entry was last modified. Required. + Modified time.Time `json:"modified,omitempty"` + // Published is the time the entry should be considered to have + // been published. + Published time.Time `json:"published,omitempty"` + // Withdrawn is the time the entry should be considered to have + // been withdrawn. If the field is missing, then the entry has + // not been withdrawn. + Withdrawn *time.Time `json:"withdrawn,omitempty"` + // Aliases is a list of IDs for the same vulnerability in other + // databases. + Aliases []string `json:"aliases,omitempty"` + // Summary gives a one-line, English textual summary of the vulnerability. + // It is recommended that this field be kept short, on the order of no more + // than 120 characters. + Summary string `json:"summary,omitempty"` + // Details contains additional English textual details about the vulnerability. + Details string `json:"details"` + // Affected contains information on the modules and versions + // affected by the vulnerability. + Affected []Affected `json:"affected"` + // References contains links to more information about the + // vulnerability. + References []struct{} `json:"references,omitempty"` + // Credits contains credits to entities that helped find or fix the + // vulnerability. + Credits []struct{} `json:"credits,omitempty"` + // DatabaseSpecific contains additional information about the + // vulnerability, specific to the Go vulnerability database. + DatabaseSpecific *struct{} `json:"database_specific,omitempty"` +} + +// Affected links to: https://github.com/golang/vuln/blob/1568f338f20421c10ef3dcf745755769c4e52a68/internal/osv/osv.go#L136 +type Affected struct { + // The affected Go module. Required. + // Note that this field is called "package" in the OSV specification. + Module Module `json:"package"` + // The module version ranges affected by the vulnerability. + Ranges []Range `json:"ranges,omitempty"` + // Details on the affected packages and symbols within the module. + EcosystemSpecific *struct{} `json:"ecosystem_specific"` +} + +// Module links to: https://github.com/golang/vuln/blob/1568f338f20421c10ef3dcf745755769c4e52a68/internal/osv/osv.go#L54 +type Module struct { + // The Go module path. Required. + // For the Go standard library, this is "stdlib". + // For the Go toolchain, this is "toolchain." + Path string `json:"name"` + // The ecosystem containing the module. Required. + // This should always be "Go". + Ecosystem string `json:"ecosystem"` +} + +// Range links to: https://github.com/golang/vuln/blob/1568f338f20421c10ef3dcf745755769c4e52a68/internal/osv/osv.go#L85C1-L85C1 +type Range struct { + // Type is the version type that should be used to interpret the + // versions in Events. Required. + // In this implementation, only the "SEMVER" type is supported. + Type string `json:"type"` + // Events is a list of versions representing the ranges in which + // the module is vulnerable. Required. + // The events should be sorted, and MUST represent non-overlapping + // ranges. + // There must be at least one RangeEvent containing a value for + // Introduced. + // See https://ossf.github.io/osv-schema/#examples for examples. + Events []RangeEvent `json:"events"` +} + +// RangeEvent links to: https://github.com/golang/vuln/blob/1568f338f20421c10ef3dcf745755769c4e52a68/internal/osv/osv.go#L72 +type RangeEvent struct { + // Introduced is a version that introduces the vulnerability. + // A special value, "0", represents a version that sorts before + // any other version, and should be used to indicate that the + // vulnerability exists from the "beginning of time". + Introduced string `json:"introduced,omitempty"` + // Fixed is a version that fixes the vulnerability. + Fixed string `json:"fixed,omitempty"` +} diff --git a/pkg/vulncheck/runner.go b/pkg/vulncheck/runner.go index 4ea9457..3777bb8 100644 --- a/pkg/vulncheck/runner.go +++ b/pkg/vulncheck/runner.go @@ -18,7 +18,7 @@ const ( ) type Scanner interface { - Scan() ([]types.Finding, error) + Scan() (*types.Report, error) } type CLIScanner struct { @@ -41,7 +41,7 @@ func NewScanner(logger zerolog.Logger, workDir string, inLocalMode bool) Scanner return &scanner } -func (r *CLIScanner) Scan() ([]types.Finding, error) { +func (r *CLIScanner) Scan() (*types.Report, error) { pkg := os.Getenv(envPackage) r.log.Info().Msgf("Running govulncheck for package %s in dir %s", pkg, r.workDir) @@ -69,8 +69,11 @@ func (r *CLIScanner) Scan() ([]types.Finding, error) { } // findFindingsInStream is going over the raw output of govulncheck which at the moment contains multiple json objects and tries to locate the report -func (r *CLIScanner) findFindingsInStream(stream []byte) []types.Finding { +func (r *CLIScanner) findFindingsInStream(stream []byte) *types.Report { + var vulnerabilities []types.Entry var findings []types.Finding + var version string + MESSAGE_SEPARATOR := "\n{\n" messages := strings.SplitN(string(stream), MESSAGE_SEPARATOR, -1) @@ -84,16 +87,34 @@ func (r *CLIScanner) findFindingsInStream(stream []byte) []types.Finding { var msg types.StreamMessage err := json.Unmarshal([]byte(rawMsg), &msg) if err != nil { - r.log.Warn().Str("Message", rawMsg).Msg("Found message in stream that could not be parsed") + r.log.Warn().Str("Message", rawMsg).Msgf("Parsing message yielded %v", err) continue } - if msg.Vulnerability != nil { - findings = append(findings, *msg.Vulnerability) + if msg.Config != nil { + r.log.Info(). + Str("Protocol Version", msg.Config.ProtocolVersion). + Str("Scanner Version", msg.Config.ScannerVersion). + Str("Database", msg.Config.DB). + Msg("govulncheck information") + + version = msg.Config.ScannerVersion + } + + if msg.Progress != nil && len(msg.Progress.Message) > 0 { + r.log.Info().Msg(msg.Progress.Message) + } + + if msg.Finding != nil { + findings = append(findings, *msg.Finding) + } + + if msg.OSV != nil { + vulnerabilities = append(vulnerabilities, *msg.OSV) } } - return findings + return &types.Report{Vulnerabilities: vulnerabilities, Findings: findings, Version: version} } // dumpRawReport takes the raw report and writes it to raw-report.json if something fails it will proceed with the regular flow