diff --git a/README.md b/README.md index 9952ad6..eea67b3 100644 --- a/README.md +++ b/README.md @@ -8,8 +8,9 @@ This action uses govulncheck to perform a scan of the code, afterwards it will p For a full list of currently known limitations please head over to [here](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Limitations). Listed below are an important overview. -* Govulncheck only reads binaries compiled with Go 1.18 and later. -* Govulncheck only reports vulnerabilities that apply to the current Go build system and configuration (GOOS/GOARCH settings). +* Govulncheck analyzes function pointer and interface calls conservatively, which may result in false positives or inaccurate call stacks in some cases. +* Calls to functions made using package reflect are not visible to static analysis. Vulnerable code reachable only through those calls will not be reported. +* There is no support for silencing vulnerability findings. ## :books: Useful links & resources on govulncheck :books: @@ -18,6 +19,19 @@ For a full list of currently known limitations please head over to [here](https: ## Usage +
+ + Where can I find the scan results of this action ? + + +Please be aware there will be no direct output to the console, all found vulnerabilities will be reported to Github via an Sarif Report. Therefore all findings should be located in the *Security*-Tab under the *Code Scanning*-Section. + +![Locating Code Scanning](docs/locate_results.png) + +![Result List](docs/results.png) + +
+ ### Example Workflows
diff --git a/action.yml b/action.yml index 46bd7ae..462aac8 100644 --- a/action.yml +++ b/action.yml @@ -34,7 +34,7 @@ runs: run: docker build --build-arg GOLANG_VERSION=${{ inputs.go-version }} --build-arg VULNCHECK_VERSION=${{ inputs.vulncheck-version }} -q -f $GITHUB_ACTION_PATH/Dockerfile -t templum/govulncheck-action:local $GITHUB_ACTION_PATH shell: bash - id: run - run: docker run --rm -v $(pwd):/github/workspace --workdir /github/workspace -e GITHUB_TOKEN=${{ inputs.github-token }} -e STRICT=${{ inputs.fail-on-vuln }} -e PACKAGE=${{ inputs.package }} -e SKIP_UPLOAD=${{ inputs.skip-upload }} -e GITHUB_REPOSITORY=${{ github.repository }} -e GITHUB_REF=${{ github.ref }} -e GITHUB_SHA=${{ github.sha }} templum/govulncheck-action:local + run: docker run --rm -v $(pwd):/github/workspace --workdir /github/workspace -e GITHUB_TOKEN=${{ inputs.github-token }} -e STRICT=${{ inputs.fail-on-vuln }} -e PACKAGE=${{ inputs.package }} -e SKIP_UPLOAD=${{ inputs.skip-upload }} -e DEBUG=${DEBUG} -e GITHUB_REPOSITORY=${{ github.repository }} -e GITHUB_REF=${{ github.ref }} -e GITHUB_SHA=${{ github.sha }} templum/govulncheck-action:local shell: bash branding: diff --git a/docs/locate_results.png b/docs/locate_results.png new file mode 100644 index 0000000..57e3e76 Binary files /dev/null and b/docs/locate_results.png differ diff --git a/docs/results.png b/docs/results.png new file mode 100644 index 0000000..b1a315e Binary files /dev/null and b/docs/results.png differ diff --git a/go.mod b/go.mod index 86c5942..c3e0b17 100644 --- a/go.mod +++ b/go.mod @@ -2,7 +2,7 @@ module github.com/Templum/govulncheck-action go 1.19 -require golang.org/x/vuln v0.0.0-20220914160157-cac67f5c7c81 +require golang.org/x/vuln v0.0.0-20221111165027-50a0e29f49cc require ( github.com/davecgh/go-spew v1.1.1 // indirect 
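Review bot: The new `-e DEBUG=${DEBUG}` on the run line reads DEBUG from the runner shell environment, unlike every other value on that line which comes from `${{ inputs.* }}`, so a consumer of this action cannot switch it on through `with:` and, when nothing sets it, Docker receives an empty `DEBUG=` variable. If that is intentional, a short comment on the step saying that DEBUG must be exported at the workflow `env:` level would save the next reader a trip to the Dockerfile; otherwise declare an input (proposed name `debug`) and pass it as `-e DEBUG=${{ inputs.debug }}` like the other flags. The `inputs:` section is outside the hunk, so it may already declare such an input; I could not confirm it from here. Because the step runs under `shell: bash`, the unquoted `${DEBUG}` is also word-split, so a value containing whitespace would break the docker command line — `-e DEBUG="${DEBUG}"` is the safer form if the environment variable is kept.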
@@ -12,8 +12,8 @@ require (
 github.com/mattn/go-isatty v0.0.14 // indirect
 github.com/pmezard/go-difflib v1.0.0 // indirect
 github.com/stretchr/objx v0.5.0 // indirect
- golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 // indirect
- golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect
+ golang.org/x/crypto v0.1.0 // indirect
+ golang.org/x/net v0.1.0 // indirect
 google.golang.org/appengine v1.6.7 // indirect
 google.golang.org/protobuf v1.28.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
@@ -24,9 +24,7 @@ require (
 github.com/owenrumney/go-sarif/v2 v2.1.2
 github.com/rs/zerolog v1.28.0
 github.com/stretchr/testify v1.8.1
- golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
- golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
+ golang.org/x/mod v0.6.0 // indirect
 golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1
- golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
- golang.org/x/tools v0.1.13-0.20220803210227-8b9a1fbdf5c3 // indirect
+ golang.org/x/sys v0.1.0 // indirect
 )
diff --git a/go.sum b/go.sum
index c01ad45..ad8a145 100644
--- a/go.sum
+++ b/go.sum
@@ -1,6 +1,4 @@
-github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
-github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI=
 github.com/coreos/go-systemd/v22 v22.3.3-0.20220203105225-a9a7ef127534/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -50,31 +48,27 @@ github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+ github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI= github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 h1:7I4JAnoQBe7ZtJcBaYHi5UtiO8tQHbUSXxL+pnGRANg= -golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e h1:+WEEuIdZHnUeJJmEUjyYC2gfUMj69yZXw17EnHg/otA= -golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e/go.mod h1:Kr81I6Kryrl9sr8s2FK3vxD90NdsKWRuOIl2O4CvYbA= -golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s= -golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU= +golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= +golang.org/x/mod v0.6.0 h1:b9gGHsz9/HhJ3HF5DHQytPpuwocVTChQJK3AvoLRD5I= +golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20220722155237-a158d28d115b h1:PxfKdU9lEEDYjdIzOtC4qFWgkU2rGHdKlKowJSMN9h0= -golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0= +golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 
h1:lxqLZaMad/dJHMFZH0NiNpiEZI/nhgWhe4wgzpE+MuA= golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f h1:v4INt8xihDGvnrfjMDVXGxw9wrfxYyCjk0KbXjhR55s= -golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.1.13-0.20220803210227-8b9a1fbdf5c3 h1:aE4T3aJwdCNz+s35ScSQYUzeGu7BOLDHZ1bBHVurqqY= -golang.org/x/tools v0.1.13-0.20220803210227-8b9a1fbdf5c3/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/vuln v0.0.0-20220914160157-cac67f5c7c81 h1:PlNfGv/lMyN1WatEzczf4kNOrjQ0dg3KFuqJIo+18Tw= -golang.org/x/vuln v0.0.0-20220914160157-cac67f5c7c81/go.mod h1:7tDfEDtOLlzHQRi4Yzfg5seVBSvouUIjyPzBx4q5CxQ= +golang.org/x/vuln v0.0.0-20221111165027-50a0e29f49cc h1:/LBdtEOGH9HDO8+sj6+oU/QnYUMwc8MyO6Jd8oYh+D4= +golang.org/x/vuln v0.0.0-20221111165027-50a0e29f49cc/go.mod h1:8nFLBv8KFyZ2VuczUYssYKh+fcBR3BuXDG/HIWcxlwM= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/appengine v1.6.5/go.mod 
h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= @@ -89,5 +83,3 @@ gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -honnef.co/go/tools v0.2.2 h1:MNh1AVMyVX23VUHE2O27jm6lNj3vjO5DexS4A1xvnzk= -mvdan.cc/unparam v0.0.0-20211214103731-d0ef000c54e5 h1:Jh3LAeMt1eGpxomyu3jVkmVZWW2MxZ1qIIV2TZ/nRio= diff --git a/hack/found.json b/hack/found.json index 76a340c..2dc067c 100644 --- a/hack/found.json +++ b/hack/found.json 
@@ -1,3526 +1,18 @@ { - "Calls": { - "Functions": { - "1": { - "ID": 1, - "Name": "main", - "RecvType": "", - "PkgPath": "github.com/Templum/playground", - "Pos": { - "Filename": "/workspaces/govulncheck-action/main.go", - "Offset": 232, - "Line": 11, - "Column": 6 - }, - "CallSites": null - }, - "10": { - "ID": 10, - "Name": "yaml_parser_roll_indent", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/scannerc.go", - "Offset": 27804, - "Line": 931, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 57, - "Name": "yaml_parser_roll_indent", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/scannerc.go", - "Offset": 34648, - "Line": 1196, - "Column": 30 - }, - "Resolved": true - }, - { - "Parent": 58, - "Name": "yaml_parser_roll_indent", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/scannerc.go", - "Offset": 37172, - "Line": 1283, - "Column": 30 - }, - "Resolved": true - }, - { - "Parent": 58, - "Name": "yaml_parser_roll_indent", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/scannerc.go", - "Offset": 37897, - "Line": 1308, - "Column": 31 - }, - "Resolved": true - }, - { - "Parent": 59, - "Name": "yaml_parser_roll_indent", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/scannerc.go", - "Offset": 35945, - "Line": 1239, - "Column": 30 - }, - "Resolved": true - } - ] - }, - "11": { - "ID": 11, - "Name": "yaml_parser_fetch_more_tokens", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/scannerc.go", - "Offset": 17667, - "Line": 626, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 27, - "Name": "yaml_parser_fetch_more_tokens", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 2220, - "Line": 47, - "Column": 60 - }, - "Resolved": true - } - ] - }, - "12": { - "ID": 
12, - "Name": "Get", - "RecvType": "", - "PkgPath": "github.com/tidwall/gjson", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 37859, - "Line": 1873, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 3, - "Name": "Get", - "RecvType": "", - "Pos": { - "Filename": "/workspaces/govulncheck-action/pkg/seconds/mixer.go", - "Offset": 257, - "Line": 15, - "Column": 18 - }, - "Resolved": true - }, - { - "Parent": 7, - "Name": "Get", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 5781, - "Line": 297, - "Column": 12 - }, - "Resolved": true - }, - { - "Parent": 12, - "Name": "Get", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 38198, - "Line": 1885, - "Column": 17 - }, - "Resolved": true - }, - { - "Parent": 12, - "Name": "Get", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 38654, - "Line": 1905, - "Column": 17 - }, - "Resolved": true - }, - { - "Parent": 2, - "Name": "Get", - "RecvType": "", - "Pos": { - "Filename": "/workspaces/govulncheck-action/pkg/json/testcase.go", - "Offset": 162, - "Line": 11, - "Column": 20 - }, - "Resolved": true - } - ] - }, - "13": { - "ID": 13, - "Name": "yaml_parser_increase_flow_level", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/scannerc.go", - "Offset": 27111, - "Line": 910, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 55, - "Name": "yaml_parser_increase_flow_level", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/scannerc.go", - "Offset": 32293, - "Line": 1106, - "Column": 37 - }, - "Resolved": true - } - ] - }, - "14": { - "ID": 14, - "Name": "MustParse", - "RecvType": "", - "PkgPath": "golang.org/x/text/language", - "Pos": { - "Filename": "/go/pkg/mod/golang.org/x/text@v0.3.6/language/tags.go", - 
"Offset": 427, - "Line": 13, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 3, - "Name": "MustParse", - "RecvType": "", - "Pos": { - "Filename": "/workspaces/govulncheck-action/pkg/seconds/mixer.go", - "Offset": 204, - "Line": 12, - "Column": 29 - }, - "Resolved": true - }, - { - "Parent": 4, - "Name": "MustParse", - "RecvType": "", - "Pos": { - "Filename": "/workspaces/govulncheck-action/pkg/text/testcase.go", - "Offset": 102, - "Line": 8, - "Column": 29 - }, - "Resolved": true - } - ] - }, - "15": { - "ID": 15, - "Name": "queryMatches", - "RecvType": "", - "PkgPath": "github.com/tidwall/gjson", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 25066, - "Line": 1265, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 18, - "Name": "queryMatches", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 27271, - "Line": 1377, - "Column": 18 - }, - "Resolved": true - } - ] - }, - "16": { - "ID": 16, - "Name": "parseObject", - "RecvType": "", - "PkgPath": "github.com/tidwall/gjson", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 21927, - "Line": 1114, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 17, - "Name": "parseObject", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 28823, - "Line": 1462, - "Column": 26 - }, - "Resolved": true - }, - { - "Parent": 16, - "Name": "parseObject", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 24057, - "Line": 1212, - "Column": 26 - }, - "Resolved": true - }, - { - "Parent": 12, - "Name": "parseObject", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 39894, - "Line": 1963, - "Column": 16 - }, - "Resolved": true - } - ] - }, - "17": { - "ID": 17, - "Name": "parseArray", - "RecvType": "", - 
"PkgPath": "github.com/tidwall/gjson", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 26587, - "Line": 1341, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 12, - "Name": "parseArray", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 39788, - "Line": 1958, - "Column": 13 - }, - "Resolved": true - }, - { - "Parent": 16, - "Name": "parseArray", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 24326, - "Line": 1226, - "Column": 25 - }, - "Resolved": true - }, - { - "Parent": 17, - "Name": "parseArray", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 29286, - "Line": 1486, - "Column": 25 - }, - "Resolved": true - }, - { - "Parent": 12, - "Name": "parseArray", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 39969, - "Line": 1968, - "Column": 15 - }, - "Resolved": true - } - ] - }, - "18": { - "ID": 18, - "Name": "parseArray$1", - "RecvType": "", - "PkgPath": "github.com/tidwall/gjson", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 26982, - "Line": 1362, - "Column": 15 - }, - "CallSites": [ - { - "Parent": 17, - "Name": "t21", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 28463, - "Line": 1444, - "Column": 18 - }, - "Resolved": true - }, - { - "Parent": 17, - "Name": "t21", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 29015, - "Line": 1472, - "Column": 19 - }, - "Resolved": true - }, - { - "Parent": 17, - "Name": "t21", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 29478, - "Line": 1496, - "Column": 19 - }, - "Resolved": true - }, - { - 
"Parent": 17, - "Name": "t21", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 29937, - "Line": 1515, - "Column": 18 - }, - "Resolved": true - }, - { - "Parent": 17, - "Name": "t21", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 30419, - "Line": 1539, - "Column": 18 - }, - "Resolved": true - } - ] - }, - "19": { - "ID": 19, - "Name": "unmarshal", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/yaml.go", - "Offset": 4340, - "Line": 137, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 8, - "Name": "unmarshal", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/yaml.go", - "Offset": 2826, - "Line": 81, - "Column": 18 - }, - "Resolved": true - } - ] - }, - "2": { - "ID": 2, - "Name": "Testcase", - "RecvType": "", - "PkgPath": "github.com/Templum/playground/pkg/json", - "Pos": { - "Filename": "/workspaces/govulncheck-action/pkg/json/testcase.go", - "Offset": 130, - "Line": 10, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 1, - "Name": "Testcase", - "RecvType": "", - "Pos": { - "Filename": "/workspaces/govulncheck-action/main.go", - "Offset": 255, - "Line": 12, - "Column": 15 - }, - "Resolved": true - } - ] - }, - "20": { - "ID": 20, - "Name": "merge", - "RecvType": "*gopkg.in/yaml.v2.decoder", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 17803, - "Line": 744, - "Column": 19 - }, - "CallSites": [ - { - "Parent": 21, - "Name": "merge", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 16710, - "Line": 705, - "Column": 11 - }, - "Resolved": true - }, - { - "Parent": 22, - "Name": "merge", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 14719, - "Line": 621, - 
"Column": 11 - }, - "Resolved": true - }, - { - "Parent": 23, - "Name": "merge", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 15783, - "Line": 665, - "Column": 11 - }, - "Resolved": true - } - ] - }, - "21": { - "ID": 21, - "Name": "mappingStruct", - "RecvType": "*gopkg.in/yaml.v2.decoder", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 16136, - "Line": 682, - "Column": 19 - }, - "CallSites": [ - { - "Parent": 22, - "Name": "mappingStruct", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 13978, - "Line": 584, - "Column": 25 - }, - "Resolved": true - } - ] - }, - "22": { - "ID": 22, - "Name": "mapping", - "RecvType": "*gopkg.in/yaml.v2.decoder", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 13861, - "Line": 581, - "Column": 19 - }, - "CallSites": [ - { - "Parent": 9, - "Name": "mapping", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 7743, - "Line": 332, - "Column": 19 - }, - "Resolved": true - } - ] - }, - "23": { - "ID": 23, - "Name": "mappingSlice", - "RecvType": "*gopkg.in/yaml.v2.decoder", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 15467, - "Line": 651, - "Column": 19 - }, - "CallSites": [ - { - "Parent": 22, - "Name": "mappingSlice", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 14031, - "Line": 586, - "Column": 24 - }, - "Resolved": true - }, - { - "Parent": 22, - "Name": "mappingSlice", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 14278, - "Line": 596, - "Column": 22 - }, - "Resolved": true - } - ] - }, - "24": { - "ID": 24, - "Name": "document", - 
"RecvType": "*gopkg.in/yaml.v2.decoder", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 7917, - "Line": 341, - "Column": 19 - }, - "CallSites": [ - { - "Parent": 9, - "Name": "document", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 7511, - "Line": 320, - "Column": 20 - }, - "Resolved": true - } - ] - }, - "25": { - "ID": 25, - "Name": "sequence", - "RecvType": "*gopkg.in/yaml.v2.decoder", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 13038, - "Line": 543, - "Column": 19 - }, - "CallSites": [ - { - "Parent": 9, - "Name": "sequence", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 7791, - "Line": 334, - "Column": 20 - }, - "Resolved": true - } - ] - }, - "26": { - "ID": 26, - "Name": "alias", - "RecvType": "*gopkg.in/yaml.v2.decoder", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 8093, - "Line": 350, - "Column": 19 - }, - "CallSites": [ - { - "Parent": 9, - "Name": "alias", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 7553, - "Line": 322, - "Column": 17 - }, - "Resolved": true - } - ] - }, - "27": { - "ID": 27, - "Name": "peek_token", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 2111, - "Line": 46, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 28, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 31112, - "Line": 971, - "Column": 21 - }, - "Resolved": true - }, - { - "Parent": 28, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 
31376, - "Line": 981, - "Column": 21 - }, - "Resolved": true - }, - { - "Parent": 40, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 12542, - "Line": 362, - "Column": 21 - }, - "Resolved": true - }, - { - "Parent": 40, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 13239, - "Line": 391, - "Column": 21 - }, - "Resolved": true - }, - { - "Parent": 40, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 13503, - "Line": 402, - "Column": 22 - }, - "Resolved": true - }, - { - "Parent": 40, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 13805, - "Line": 415, - "Column": 21 - }, - "Resolved": true - }, - { - "Parent": 40, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 13988, - "Line": 423, - "Column": 22 - }, - "Resolved": true - }, - { - "Parent": 41, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 23280, - "Line": 734, - "Column": 21 - }, - "Resolved": true - }, - { - "Parent": 41, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 23428, - "Line": 741, - "Column": 21 - }, - "Resolved": true - }, - { - "Parent": 42, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 26456, - "Line": 834, - "Column": 21 - }, - "Resolved": true - }, - { - "Parent": 43, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 29084, - "Line": 906, - "Column": 22 - }, - "Resolved": true - 
}, - { - "Parent": 43, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 29194, - "Line": 911, - "Column": 21 - }, - "Resolved": true - }, - { - "Parent": 43, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 29390, - "Line": 920, - "Column": 23 - }, - "Resolved": true - }, - { - "Parent": 43, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 29819, - "Line": 935, - "Column": 22 - }, - "Resolved": true - }, - { - "Parent": 44, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 24637, - "Line": 772, - "Column": 22 - }, - "Resolved": true - }, - { - "Parent": 44, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 24746, - "Line": 776, - "Column": 21 - }, - "Resolved": true - }, - { - "Parent": 44, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 24942, - "Line": 784, - "Column": 23 - }, - "Resolved": true - }, - { - "Parent": 45, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 21536, - "Line": 677, - "Column": 22 - }, - "Resolved": true - }, - { - "Parent": 45, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 21646, - "Line": 682, - "Column": 21 - }, - "Resolved": true - }, - { - "Parent": 45, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 21793, - "Line": 690, - "Column": 21 - }, - "Resolved": true - }, - { - "Parent": 46, - "Name": "peek_token", - "RecvType": "", 
- "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 20086, - "Line": 632, - "Column": 21 - }, - "Resolved": true - }, - { - "Parent": 46, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 20241, - "Line": 640, - "Column": 21 - }, - "Resolved": true - }, - { - "Parent": 47, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 27253, - "Line": 855, - "Column": 21 - }, - "Resolved": true - }, - { - "Parent": 47, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 27377, - "Line": 861, - "Column": 22 - }, - "Resolved": true - }, - { - "Parent": 48, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 9755, - "Line": 283, - "Column": 21 - }, - "Resolved": true - }, - { - "Parent": 49, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 18526, - "Line": 581, - "Column": 22 - }, - "Resolved": true - }, - { - "Parent": 49, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 18636, - "Line": 586, - "Column": 21 - }, - "Resolved": true - }, - { - "Parent": 49, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 18791, - "Line": 594, - "Column": 21 - }, - "Resolved": true - }, - { - "Parent": 50, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 28119, - "Line": 879, - "Column": 21 - }, - "Resolved": true - }, - { - "Parent": 51, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": 
"/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 7443, - "Line": 200, - "Column": 21 - }, - "Resolved": true - }, - { - "Parent": 51, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 7635, - "Line": 209, - "Column": 22 - }, - "Resolved": true - }, - { - "Parent": 51, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 8577, - "Line": 241, - "Column": 21 - }, - "Resolved": true - }, - { - "Parent": 52, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 32571, - "Line": 1020, - "Column": 21 - }, - "Resolved": true - }, - { - "Parent": 52, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 33523, - "Line": 1053, - "Column": 21 - }, - "Resolved": true - }, - { - "Parent": 53, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 10591, - "Line": 306, - "Column": 21 - }, - "Resolved": true - }, - { - "Parent": 54, - "Name": "peek_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 6628, - "Line": 175, - "Column": 21 - }, - "Resolved": true - } - ] - }, - "28": { - "ID": 28, - "Name": "yaml_parser_parse_flow_mapping_value", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 30992, - "Line": 970, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 29, - "Name": "yaml_parser_parse_flow_mapping_value", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 6200, - "Line": 161, - "Column": 46 - }, - "Resolved": true - }, - { - "Parent": 29, - "Name": 
"yaml_parser_parse_flow_mapping_value", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 6318, - "Line": 164, - "Column": 46 - }, - "Resolved": true - } - ] - }, - "29": { - "ID": 29, - "Name": "yaml_parser_state_machine", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 3588, - "Line": 93, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 30, - "Name": "yaml_parser_state_machine", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 2972, - "Line": 72, - "Column": 34 - }, - "Resolved": true - } - ] - }, - "3": { - "ID": 3, - "Name": "Testcase", - "RecvType": "", - "PkgPath": "github.com/Templum/playground/pkg/seconds", - "Pos": { - "Filename": "/workspaces/govulncheck-action/pkg/seconds/mixer.go", - "Offset": 162, - "Line": 10, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 1, - "Name": "Testcase", - "RecvType": "", - "Pos": { - "Filename": "/workspaces/govulncheck-action/main.go", - "Offset": 309, - "Line": 15, - "Column": 18 - }, - "Resolved": true - } - ] - }, - "30": { - "ID": 30, - "Name": "yaml_parser_parse", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 2611, - "Line": 62, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 31, - "Name": "yaml_parser_parse", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 2134, - "Line": 105, - "Column": 23 - }, - "Resolved": true - }, - { - "Parent": 36, - "Name": "yaml_parser_parse", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 1559, - "Line": 84, - "Column": 24 - }, - "Resolved": true - } - ] - }, - "31": { - "ID": 31, - "Name": "peek", - "RecvType": "*gopkg.in/yaml.v2.parser", - "PkgPath": "gopkg.in/yaml.v2", - 
"Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 2026, - "Line": 101, - "Column": 18 - }, - "CallSites": [ - { - "Parent": 32, - "Name": "peek", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 2928, - "Line": 143, - "Column": 15 - }, - "Resolved": true - }, - { - "Parent": 33, - "Name": "peek", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 4359, - "Line": 205, - "Column": 12 - }, - "Resolved": true - }, - { - "Parent": 34, - "Name": "peek", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 4624, - "Line": 216, - "Column": 12 - }, - "Resolved": true - } - ] - }, - "32": { - "ID": 32, - "Name": "parse", - "RecvType": "*gopkg.in/yaml.v2.parser", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 2888, - "Line": 141, - "Column": 18 - }, - "CallSites": [ - { - "Parent": 19, - "Name": "parse", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/yaml.go", - "Offset": 4508, - "Line": 142, - "Column": 17 - }, - "Resolved": true - }, - { - "Parent": 33, - "Name": "parse", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 4432, - "Line": 206, - "Column": 42 - }, - "Resolved": true - }, - { - "Parent": 34, - "Name": "parse", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 4696, - "Line": 217, - "Column": 42 - }, - "Resolved": true - }, - { - "Parent": 34, - "Name": "parse", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 4707, - "Line": 217, - "Column": 53 - }, - "Resolved": true - }, - { - "Parent": 35, - "Name": "parse", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - 
"Offset": 3703, - "Line": 175, - "Column": 41 - }, - "Resolved": true - } - ] - }, - "33": { - "ID": 33, - "Name": "sequence", - "RecvType": "*gopkg.in/yaml.v2.parser", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 4236, - "Line": 201, - "Column": 18 - }, - "CallSites": [ - { - "Parent": 32, - "Name": "sequence", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 3126, - "Line": 151, - "Column": 20 - }, - "Resolved": true - } - ] - }, - "34": { - "ID": 34, - "Name": "mapping", - "RecvType": "*gopkg.in/yaml.v2.parser", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 4504, - "Line": 212, - "Column": 18 - }, - "CallSites": [ - { - "Parent": 32, - "Name": "mapping", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 3071, - "Line": 149, - "Column": 19 - }, - "Resolved": true - } - ] - }, - "35": { - "ID": 35, - "Name": "document", - "RecvType": "*gopkg.in/yaml.v2.parser", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 3533, - "Line": 170, - "Column": 18 - }, - "CallSites": [ - { - "Parent": 32, - "Name": "document", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 3181, - "Line": 153, - "Column": 20 - }, - "Resolved": true - } - ] - }, - "36": { - "ID": 36, - "Name": "expect", - "RecvType": "*gopkg.in/yaml.v2.parser", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 1471, - "Line": 82, - "Column": 18 - }, - "CallSites": [ - { - "Parent": 33, - "Name": "expect", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 4320, - "Line": 204, - "Column": 10 - }, - "Resolved": true - }, - { 
- "Parent": 33, - "Name": "expect", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 4448, - "Line": 208, - "Column": 10 - }, - "Resolved": true - }, - { - "Parent": 34, - "Name": "expect", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 4586, - "Line": 215, - "Column": 10 - }, - "Resolved": true - }, - { - "Parent": 34, - "Name": "expect", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 4723, - "Line": 219, - "Column": 10 - }, - "Resolved": true - }, - { - "Parent": 35, - "Name": "expect", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 3635, - "Line": 174, - "Column": 10 - }, - "Resolved": true - }, - { - "Parent": 35, - "Name": "expect", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 3716, - "Line": 176, - "Column": 10 - }, - "Resolved": true - }, - { - "Parent": 37, - "Name": "expect", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 3964, - "Line": 187, - "Column": 10 - }, - "Resolved": true - }, - { - "Parent": 38, - "Name": "expect", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 4186, - "Line": 197, - "Column": 10 - }, - "Resolved": true - }, - { - "Parent": 39, - "Name": "expect", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 1179, - "Line": 69, - "Column": 10 - }, - "Resolved": true - } - ] - }, - "37": { - "ID": 37, - "Name": "alias", - "RecvType": "*gopkg.in/yaml.v2.parser", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 3772, - "Line": 180, - "Column": 18 - }, - "CallSites": [ - { - "Parent": 32, - "Name": "alias", - "RecvType": "", - 
"Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 3018, - "Line": 147, - "Column": 17 - }, - "Resolved": true - } - ] - }, - "38": { - "ID": 38, - "Name": "scalar", - "RecvType": "*gopkg.in/yaml.v2.parser", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 4013, - "Line": 191, - "Column": 18 - }, - "CallSites": [ - { - "Parent": 32, - "Name": "scalar", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 2975, - "Line": 145, - "Column": 18 - }, - "Resolved": true - } - ] - }, - "39": { - "ID": 39, - "Name": "init", - "RecvType": "*gopkg.in/yaml.v2.parser", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 1132, - "Line": 65, - "Column": 18 - }, - "CallSites": [ - { - "Parent": 32, - "Name": "init", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 2911, - "Line": 142, - "Column": 8 - }, - "Resolved": true - } - ] - }, - "4": { - "ID": 4, - "Name": "Testcase", - "RecvType": "", - "PkgPath": "github.com/Templum/playground/pkg/text", - "Pos": { - "Filename": "/workspaces/govulncheck-action/pkg/text/testcase.go", - "Offset": 61, - "Line": 7, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 1, - "Name": "Testcase", - "RecvType": "", - "Pos": { - "Filename": "/workspaces/govulncheck-action/main.go", - "Offset": 272, - "Line": 13, - "Column": 15 - }, - "Resolved": true - } - ] - }, - "40": { - "ID": 40, - "Name": "yaml_parser_parse_node", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 12309, - "Line": 359, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 28, - "Name": "yaml_parser_parse_node", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 31619, - 
"Line": 987, - "Column": 33 - }, - "Resolved": true - }, - { - "Parent": 41, - "Name": "yaml_parser_parse_node", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 23697, - "Line": 749, - "Column": 33 - }, - "Resolved": true - }, - { - "Parent": 42, - "Name": "yaml_parser_parse_node", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 26748, - "Line": 842, - "Column": 32 - }, - "Resolved": true - }, - { - "Parent": 43, - "Name": "yaml_parser_parse_node", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 30111, - "Line": 943, - "Column": 34 - }, - "Resolved": true - }, - { - "Parent": 43, - "Name": "yaml_parser_parse_node", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 30461, - "Line": 950, - "Column": 33 - }, - "Resolved": true - }, - { - "Parent": 44, - "Name": "yaml_parser_parse_node", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 25816, - "Line": 810, - "Column": 33 - }, - "Resolved": true - }, - { - "Parent": 45, - "Name": "yaml_parser_parse_node", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 22064, - "Line": 698, - "Column": 33 - }, - "Resolved": true - }, - { - "Parent": 29, - "Name": "yaml_parser_parse_node", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 4329, - "Line": 113, - "Column": 32 - }, - "Resolved": true - }, - { - "Parent": 29, - "Name": "yaml_parser_parse_node", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 4448, - "Line": 116, - "Column": 32 - }, - "Resolved": true - }, - { - "Parent": 29, - "Name": "yaml_parser_parse_node", - "RecvType": "", - "Pos": { - "Filename": 
"/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 4542, - "Line": 119, - "Column": 32 - }, - "Resolved": true - }, - { - "Parent": 46, - "Name": "yaml_parser_parse_node", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 20560, - "Line": 649, - "Column": 33 - }, - "Resolved": true - }, - { - "Parent": 47, - "Name": "yaml_parser_parse_node", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 27636, - "Line": 867, - "Column": 33 - }, - "Resolved": true - }, - { - "Parent": 48, - "Name": "yaml_parser_parse_node", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 10237, - "Line": 297, - "Column": 31 - }, - "Resolved": true - }, - { - "Parent": 49, - "Name": "yaml_parser_parse_node", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 19032, - "Line": 600, - "Column": 33 - }, - "Resolved": true - } - ] - }, - "41": { - "ID": 41, - "Name": "yaml_parser_parse_block_mapping_value", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 23171, - "Line": 733, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 29, - "Name": "yaml_parser_parse_block_mapping_value", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 5244, - "Line": 137, - "Column": 47 - }, - "Resolved": true - } - ] - }, - "42": { - "ID": 42, - "Name": "yaml_parser_parse_flow_sequence_entry_mapping_key", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 26335, - "Line": 833, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 29, - "Name": "yaml_parser_parse_flow_sequence_entry_mapping_key", - "RecvType": "", - "Pos": { - "Filename": 
"/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 5608, - "Line": 146, - "Column": 59 - }, - "Resolved": true - } - ] - }, - "43": { - "ID": 43, - "Name": "yaml_parser_parse_flow_mapping_key", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 28953, - "Line": 904, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 29, - "Name": "yaml_parser_parse_flow_mapping_key", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 5981, - "Line": 155, - "Column": 44 - }, - "Resolved": true - }, - { - "Parent": 29, - "Name": "yaml_parser_parse_flow_mapping_key", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 6088, - "Line": 158, - "Column": 44 - }, - "Resolved": true - } - ] - }, - "44": { - "ID": 44, - "Name": "yaml_parser_parse_flow_sequence_entry", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 24503, - "Line": 770, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 29, - "Name": "yaml_parser_parse_flow_sequence_entry", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 5357, - "Line": 140, - "Column": 47 - }, - "Resolved": true - }, - { - "Parent": 29, - "Name": "yaml_parser_parse_flow_sequence_entry", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 5470, - "Line": 143, - "Column": 47 - }, - "Resolved": true - } - ] - }, - "45": { - "ID": 45, - "Name": "yaml_parser_parse_block_mapping_key", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 21404, - "Line": 675, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 29, - "Name": "yaml_parser_parse_block_mapping_key", - "RecvType": "", - 
"Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 5021, - "Line": 131, - "Column": 45 - }, - "Resolved": true - }, - { - "Parent": 29, - "Name": "yaml_parser_parse_block_mapping_key", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 5130, - "Line": 134, - "Column": 45 - }, - "Resolved": true - } - ] - }, - "46": { - "ID": 46, - "Name": "yaml_parser_parse_indentless_sequence_entry", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 19971, - "Line": 631, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 29, - "Name": "yaml_parser_parse_indentless_sequence_entry", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 4912, - "Line": 128, - "Column": 53 - }, - "Resolved": true - } - ] - }, - "47": { - "ID": 47, - "Name": "yaml_parser_parse_flow_sequence_entry_mapping_value", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 27130, - "Line": 854, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 29, - "Name": "yaml_parser_parse_flow_sequence_entry_mapping_value", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 5743, - "Line": 149, - "Column": 61 - }, - "Resolved": true - } - ] - }, - "48": { - "ID": 48, - "Name": "yaml_parser_parse_document_content", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 9649, - "Line": 282, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 29, - "Name": "yaml_parser_parse_document_content", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 4153, - "Line": 107, - "Column": 44 - }, - "Resolved": true - } - ] - }, - "49": { - 
"ID": 49, - "Name": "yaml_parser_parse_block_sequence_entry", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 18391, - "Line": 579, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 29, - "Name": "yaml_parser_parse_block_sequence_entry", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 4671, - "Line": 122, - "Column": 48 - }, - "Resolved": true - }, - { - "Parent": 29, - "Name": "yaml_parser_parse_block_sequence_entry", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 4786, - "Line": 125, - "Column": 48 - }, - "Resolved": true - } - ] - }, - "5": { - "ID": 5, - "Name": "Testcase", - "RecvType": "", - "PkgPath": "github.com/Templum/playground/pkg/yaml", - "Pos": { - "Filename": "/workspaces/govulncheck-action/pkg/yaml/testcase.go", - "Offset": 306, - "Line": 26, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 1, - "Name": "Testcase", - "RecvType": "", - "Pos": { - "Filename": "/workspaces/govulncheck-action/main.go", - "Offset": 289, - "Line": 14, - "Column": 15 - }, - "Resolved": true - } - ] - }, - "50": { - "ID": 50, - "Name": "yaml_parser_parse_flow_sequence_entry_mapping_end", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 27998, - "Line": 878, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 29, - "Name": "yaml_parser_parse_flow_sequence_entry_mapping_end", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 5874, - "Line": 152, - "Column": 59 - }, - "Resolved": true - } - ] - }, - "51": { - "ID": 51, - "Name": "yaml_parser_parse_document_start", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 7323, - "Line": 198, - 
"Column": 6 - }, - "CallSites": [ - { - "Parent": 29, - "Name": "yaml_parser_parse_document_start", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 3942, - "Line": 101, - "Column": 42 - }, - "Resolved": true - }, - { - "Parent": 29, - "Name": "yaml_parser_parse_document_start", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 4045, - "Line": 104, - "Column": 42 - }, - "Resolved": true - } - ] - }, - "52": { - "ID": 52, - "Name": "yaml_parser_process_directives", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 32300, - "Line": 1013, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 51, - "Name": "yaml_parser_process_directives", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 7951, - "Line": 221, - "Column": 37 - }, - "Resolved": true - }, - { - "Parent": 51, - "Name": "yaml_parser_process_directives", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 8489, - "Line": 238, - "Column": 37 - }, - "Resolved": true - } - ] - }, - "53": { - "ID": 53, - "Name": "yaml_parser_parse_document_end", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 10489, - "Line": 305, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 29, - "Name": "yaml_parser_parse_document_end", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 4246, - "Line": 110, - "Column": 40 - }, - "Resolved": true - } - ] - }, - "54": { - "ID": 54, - "Name": "yaml_parser_parse_stream_start", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 6526, - "Line": 174, - "Column": 6 - 
}, - "CallSites": [ - { - "Parent": 29, - "Name": "yaml_parser_parse_stream_start", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/parserc.go", - "Offset": 3836, - "Line": 98, - "Column": 40 - }, - "Resolved": true - } - ] - }, - "55": { - "ID": 55, - "Name": "yaml_parser_fetch_flow_collection_start", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/scannerc.go", - "Offset": 32018, - "Line": 1099, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 56, - "Name": "yaml_parser_fetch_flow_collection_start", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/scannerc.go", - "Offset": 20412, - "Line": 722, - "Column": 49 - }, - "Resolved": true - }, - { - "Parent": 56, - "Name": "yaml_parser_fetch_flow_collection_start", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/scannerc.go", - "Offset": 20595, - "Line": 727, - "Column": 49 - }, - "Resolved": true - } - ] - }, - "56": { - "ID": 56, - "Name": "yaml_parser_fetch_next_token", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/scannerc.go", - "Offset": 18571, - "Line": 665, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 11, - "Name": "yaml_parser_fetch_next_token", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/scannerc.go", - "Offset": 18446, - "Line": 655, - "Column": 35 - }, - "Resolved": true - } - ] - }, - "57": { - "ID": 57, - "Name": "yaml_parser_fetch_block_entry", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/scannerc.go", - "Offset": 34213, - "Line": 1187, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 56, - "Name": "yaml_parser_fetch_block_entry", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/scannerc.go", - "Offset": 21301, - "Line": 749, - 
"Column": 39 - }, - "Resolved": true - } - ] - }, - "58": { - "ID": 58, - "Name": "yaml_parser_fetch_value", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/scannerc.go", - "Offset": 36627, - "Line": 1268, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 56, - "Name": "yaml_parser_fetch_value", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/scannerc.go", - "Offset": 21693, - "Line": 759, - "Column": 33 - }, - "Resolved": true - } - ] - }, - "59": { - "ID": 59, - "Name": "yaml_parser_fetch_key", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/scannerc.go", - "Offset": 35499, - "Line": 1229, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 56, - "Name": "yaml_parser_fetch_key", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/scannerc.go", - "Offset": 21495, - "Line": 754, - "Column": 31 - }, - "Resolved": true - } - ] - }, - "6": { - "ID": 6, - "Name": "Parse", - "RecvType": "", - "PkgPath": "golang.org/x/text/language", - "Pos": { - "Filename": "/go/pkg/mod/golang.org/x/text@v0.3.6/language/parse.go", - "Offset": 1121, - "Line": 33, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 14, - "Name": "Parse", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/golang.org/x/text@v0.3.6/language/tags.go", - "Offset": 469, - "Line": 14, - "Column": 17 - }, - "Resolved": true - } - ] - }, - "7": { - "ID": 7, - "Name": "Get", - "RecvType": "github.com/tidwall/gjson.Result", - "PkgPath": "github.com/tidwall/gjson", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 5744, - "Line": 296, - "Column": 17 - }, - "CallSites": [ - { - "Parent": 17, - "Name": "Get", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 31327, - "Line": 1579, - "Column": 24 - }, - "Resolved": true - }, 
- { - "Parent": 18, - "Name": "Get", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 27159, - "Line": 1370, - "Column": 18 - }, - "Resolved": true - }, - { - "Parent": 18, - "Name": "Get", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 27446, - "Line": 1385, - "Column": 19 - }, - "Resolved": true - }, - { - "Parent": 12, - "Name": "Get", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 39584, - "Line": 1945, - "Column": 20 - }, - "Resolved": true - }, - { - "Parent": 12, - "Name": "Get", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - "Offset": 40038, - "Line": 1974, - "Column": 21 - }, - "Resolved": true - } - ] - }, - "8": { - "ID": 8, - "Name": "Unmarshal", - "RecvType": "", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/yaml.go", - "Offset": 2757, - "Line": 80, - "Column": 6 - }, - "CallSites": [ - { - "Parent": 5, - "Name": "Unmarshal", - "RecvType": "", - "Pos": { - "Filename": "/workspaces/govulncheck-action/pkg/yaml/testcase.go", - "Offset": 348, - "Line": 28, - "Column": 20 - }, - "Resolved": true - } - ] - }, - "9": { - "ID": 9, - "Name": "unmarshal", - "RecvType": "*gopkg.in/yaml.v2.decoder", - "PkgPath": "gopkg.in/yaml.v2", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 7403, - "Line": 317, - "Column": 19 - }, - "CallSites": [ - { - "Parent": 19, - "Name": "unmarshal", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/yaml.go", - "Offset": 4635, - "Line": 148, - "Column": 14 - }, - "Resolved": true - }, - { - "Parent": 20, - "Name": "unmarshal", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 17888, - "Line": 747, - "Column": 14 - }, - 
"Resolved": true - }, - { - "Parent": 20, - "Name": "unmarshal", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 18019, - "Line": 753, - "Column": 14 - }, - "Resolved": true - }, - { - "Parent": 20, - "Name": "unmarshal", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 18376, - "Line": 766, - "Column": 15 - }, - "Resolved": true - }, - { - "Parent": 21, - "Name": "unmarshal", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 16766, - "Line": 708, - "Column": 18 - }, - "Resolved": true - }, - { - "Parent": 21, - "Name": "unmarshal", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 17240, - "Line": 725, - "Column": 15 - }, - "Resolved": true - }, - { - "Parent": 21, - "Name": "unmarshal", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 17440, - "Line": 731, - "Column": 15 - }, - "Resolved": true - }, - { - "Parent": 23, - "Name": "unmarshal", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 15899, - "Line": 670, - "Column": 17 - }, - "Resolved": true - }, - { - "Parent": 23, - "Name": "unmarshal", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 15981, - "Line": 672, - "Column": 18 - }, - "Resolved": true - }, - { - "Parent": 22, - "Name": "unmarshal", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 14804, - "Line": 625, - "Column": 17 - }, - "Resolved": true - }, - { - "Parent": 22, - "Name": "unmarshal", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 15071, - "Line": 634, - "Column": 18 - }, - "Resolved": true - }, - { - "Parent": 24, - "Name": "unmarshal", - "RecvType": "", 
- "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 8020, - "Line": 344, - "Column": 14 - }, - "Resolved": true - }, - { - "Parent": 25, - "Name": "unmarshal", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 13659, - "Line": 567, - "Column": 23 - }, - "Resolved": true - }, - { - "Parent": 26, - "Name": "unmarshal", - "RecvType": "", - "Pos": { - "Filename": "/go/pkg/mod/gopkg.in/yaml.v2@v2.2.0/decode.go", - "Offset": 8321, - "Line": 356, - "Column": 20 - }, - "Resolved": true - } - ] - } - }, - "Entries": [ - 1, - 2, - 3, - 4, - 5 - ] - }, - "Imports": { - "Packages": { - "1": { - "ID": 1, - "Name": "gjson", - "Path": "github.com/tidwall/gjson", - "Module": 1, - "ImportedBy": [ - 2, - 4 - ] - }, - "2": { - "ID": 2, - "Name": "json", - "Path": "github.com/Templum/playground/pkg/json", - "Module": 2, - "ImportedBy": [ - 8 - ] - }, - "3": { - "ID": 3, - "Name": "language", - "Path": "golang.org/x/text/language", - "Module": 3, - "ImportedBy": [ - 4, - 5, - 8 - ] - }, - "4": { - "ID": 4, - "Name": "seconds", - "Path": "github.com/Templum/playground/pkg/seconds", - "Module": 2, - "ImportedBy": [ - 8 - ] - }, - "5": { - "ID": 5, - "Name": "text", - "Path": "github.com/Templum/playground/pkg/text", - "Module": 2, - "ImportedBy": [ - 8 - ] - }, - "6": { - "ID": 6, - "Name": "yaml", - "Path": "gopkg.in/yaml.v2", - "Module": 4, - "ImportedBy": [ - 7 - ] - }, - "7": { - "ID": 7, - "Name": "yaml", - "Path": "github.com/Templum/playground/pkg/yaml", - "Module": 2, - "ImportedBy": [ - 8 - ] - }, - "8": { - "ID": 8, - "Name": "main", - "Path": "github.com/Templum/playground", - "Module": 2, - "ImportedBy": null - } - }, - "Entries": [ - 8, - 2, - 4, - 5, - 7 - ] - }, - "Requires": { - "Modules": { - "1": { - "ID": 1, - "Path": "github.com/tidwall/gjson", - "Version": "v1.6.4", - "Replace": 0, - "RequiredBy": [ - 2 - ] - }, - "2": { - "ID": 2, - "Path": "github.com/Templum/playground", - 
"Version": "", - "Replace": 0, - "RequiredBy": null - }, - "3": { - "ID": 3, - "Path": "golang.org/x/text", - "Version": "v0.3.6", - "Replace": 0, - "RequiredBy": [ - 2 - ] - }, - "4": { - "ID": 4, - "Path": "gopkg.in/yaml.v2", - "Version": "v2.2.0", - "Replace": 0, - "RequiredBy": [ - 2 - ] - } - }, - "Entries": [ - 2 - ] - }, - "Vulns": [ - { - "OSV": { - "id": "GO-2022-0957", - "published": "2022-08-25T06:28:20Z", - "modified": "2022-08-29T16:50:59Z", - "aliases": [ - "CVE-2020-36066", - "GHSA-wjm3-fq3r-5x46" - ], - "details": "A maliciously crafted JSON input can cause a denial of service attack.", - "affected": [ - { - "package": { - "name": "github.com/tidwall/gjson", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.6.5" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2022-0957" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "github.com/tidwall/gjson", - "symbols": [ - "Get", - "GetBytes", - "GetMany", - "GetManyBytes", - "Result.Get", - "parseObject", - "queryMatches" - ] - } - ] - } - } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/commit/9f58baa7a613f89dfdc764c39e47fd3a15606153" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/issues/195" - } - ] - }, - "Symbol": "Get", - "PkgPath": "github.com/tidwall/gjson", - "ModPath": "github.com/tidwall/gjson", - "CallSink": 12, - "ImportSink": 1, - "RequireSink": 1 - }, - { - "OSV": { - "id": "GO-2022-0957", - "published": "2022-08-25T06:28:20Z", - "modified": "2022-08-29T16:50:59Z", - "aliases": [ - "CVE-2020-36066", - "GHSA-wjm3-fq3r-5x46" - ], - "details": "A maliciously crafted JSON input can cause a denial of service attack.", - "affected": [ - { - "package": { - "name": "github.com/tidwall/gjson", - "ecosystem": "Go" 
- }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.6.5" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2022-0957" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "github.com/tidwall/gjson", - "symbols": [ - "Get", - "GetBytes", - "GetMany", - "GetManyBytes", - "Result.Get", - "parseObject", - "queryMatches" - ] - } - ] - } - } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/commit/9f58baa7a613f89dfdc764c39e47fd3a15606153" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/issues/195" - } - ] - }, - "Symbol": "Result.Get", - "PkgPath": "github.com/tidwall/gjson", - "ModPath": "github.com/tidwall/gjson", - "CallSink": 7, - "ImportSink": 1, - "RequireSink": 1 - }, - { - "OSV": { - "id": "GO-2022-0957", - "published": "2022-08-25T06:28:20Z", - "modified": "2022-08-29T16:50:59Z", - "aliases": [ - "CVE-2020-36066", - "GHSA-wjm3-fq3r-5x46" - ], - "details": "A maliciously crafted JSON input can cause a denial of service attack.", - "affected": [ - { - "package": { - "name": "github.com/tidwall/gjson", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.6.5" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2022-0957" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "github.com/tidwall/gjson", - "symbols": [ - "Get", - "GetBytes", - "GetMany", - "GetManyBytes", - "Result.Get", - "parseObject", - "queryMatches" - ] - } - ] - } - } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/commit/9f58baa7a613f89dfdc764c39e47fd3a15606153" - }, - { - 
"type": "WEB", - "url": "https://github.com/tidwall/gjson/issues/195" - } - ] - }, - "Symbol": "parseObject", - "PkgPath": "github.com/tidwall/gjson", - "ModPath": "github.com/tidwall/gjson", - "CallSink": 16, - "ImportSink": 1, - "RequireSink": 1 - }, - { - "OSV": { - "id": "GO-2022-0957", - "published": "2022-08-25T06:28:20Z", - "modified": "2022-08-29T16:50:59Z", - "aliases": [ - "CVE-2020-36066", - "GHSA-wjm3-fq3r-5x46" - ], - "details": "A maliciously crafted JSON input can cause a denial of service attack.", - "affected": [ - { - "package": { - "name": "github.com/tidwall/gjson", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.6.5" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2022-0957" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "github.com/tidwall/gjson", - "symbols": [ - "Get", - "GetBytes", - "GetMany", - "GetManyBytes", - "Result.Get", - "parseObject", - "queryMatches" - ] - } - ] - } - } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/commit/9f58baa7a613f89dfdc764c39e47fd3a15606153" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/issues/195" - } - ] - }, - "Symbol": "queryMatches", - "PkgPath": "github.com/tidwall/gjson", - "ModPath": "github.com/tidwall/gjson", - "CallSink": 15, - "ImportSink": 1, - "RequireSink": 1 - }, - { - "OSV": { - "id": "GO-2022-0956", - "published": "2022-08-29T22:15:46Z", - "modified": "2022-08-30T18:28:49Z", - "aliases": [ - "CVE-2022-3064" - ], - "details": "Parsing malicious or large YAML documents can consume excessive amounts of\nCPU or memory.\n", - "affected": [ - { - "package": { - "name": "gopkg.in/yaml.v2", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - 
"fixed": "2.2.4" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2022-0956" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "gopkg.in/yaml.v2", - "symbols": [ - "Decoder.Decode", - "Unmarshal", - "UnmarshalStrict", - "decoder.unmarshal", - "yaml_parser_increase_flow_level", - "yaml_parser_roll_indent" - ] - } - ] - } - } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5" - }, - { - "type": "WEB", - "url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4" - } - ] - }, - "Symbol": "Unmarshal", - "PkgPath": "gopkg.in/yaml.v2", - "ModPath": "gopkg.in/yaml.v2", - "CallSink": 8, - "ImportSink": 6, - "RequireSink": 4 - }, - { - "OSV": { - "id": "GO-2022-0956", - "published": "2022-08-29T22:15:46Z", - "modified": "2022-08-30T18:28:49Z", - "aliases": [ - "CVE-2022-3064" - ], - "details": "Parsing malicious or large YAML documents can consume excessive amounts of\nCPU or memory.\n", - "affected": [ - { - "package": { - "name": "gopkg.in/yaml.v2", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.2.4" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2022-0956" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "gopkg.in/yaml.v2", - "symbols": [ - "Decoder.Decode", - "Unmarshal", - "UnmarshalStrict", - "decoder.unmarshal", - "yaml_parser_increase_flow_level", - "yaml_parser_roll_indent" - ] - } - ] - } - } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5" - }, - { - "type": "WEB", - "url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4" - } - ] - }, - "Symbol": "yaml_parser_roll_indent", - "PkgPath": "gopkg.in/yaml.v2", - "ModPath": "gopkg.in/yaml.v2", - "CallSink": 10, - "ImportSink": 6, - "RequireSink": 4 - }, - { - "OSV": { - "id": 
"GO-2022-0956", - "published": "2022-08-29T22:15:46Z", - "modified": "2022-08-30T18:28:49Z", - "aliases": [ - "CVE-2022-3064" - ], - "details": "Parsing malicious or large YAML documents can consume excessive amounts of\nCPU or memory.\n", - "affected": [ - { - "package": { - "name": "gopkg.in/yaml.v2", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.2.4" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2022-0956" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "gopkg.in/yaml.v2", - "symbols": [ - "Decoder.Decode", - "Unmarshal", - "UnmarshalStrict", - "decoder.unmarshal", - "yaml_parser_increase_flow_level", - "yaml_parser_roll_indent" - ] - } - ] - } - } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5" - }, - { - "type": "WEB", - "url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4" - } - ] - }, - "Symbol": "yaml_parser_increase_flow_level", - "PkgPath": "gopkg.in/yaml.v2", - "ModPath": "gopkg.in/yaml.v2", - "CallSink": 13, - "ImportSink": 6, - "RequireSink": 4 - }, - { - "OSV": { - "id": "GO-2022-0956", - "published": "2022-08-29T22:15:46Z", - "modified": "2022-08-30T18:28:49Z", - "aliases": [ - "CVE-2022-3064" - ], - "details": "Parsing malicious or large YAML documents can consume excessive amounts of\nCPU or memory.\n", - "affected": [ - { - "package": { - "name": "gopkg.in/yaml.v2", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.2.4" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2022-0956" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "gopkg.in/yaml.v2", - "symbols": [ - "Decoder.Decode", - "Unmarshal", - "UnmarshalStrict", - "decoder.unmarshal", - "yaml_parser_increase_flow_level", - "yaml_parser_roll_indent" - ] - } - ] - } - } 
- ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5" - }, - { - "type": "WEB", - "url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4" - } - ] - }, - "Symbol": "decoder.unmarshal", - "PkgPath": "gopkg.in/yaml.v2", - "ModPath": "gopkg.in/yaml.v2", - "CallSink": 9, - "ImportSink": 6, - "RequireSink": 4 - }, + "Vulns": [ { "OSV": { - "id": "GO-2021-0265", - "published": "2022-08-15T18:06:07Z", - "modified": "2022-08-29T16:50:59Z", + "id": "GO-2022-1095", + "published": "2022-11-01T23:55:57Z", + "modified": "2022-11-01T23:55:57Z", "aliases": [ - "CVE-2021-42248", - "CVE-2021-42836", - "GHSA-c9gm-7rfj-8w5h", - "GHSA-ppj4-34rq-v8j9" + "CVE-2022-41716" ], - "details": "A maliciously crafted path can cause Get and other query functions\nto consume excessive amounts of CPU and time.\n", + "details": "Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows.\n\nIn syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string \"A=B\\x00C=D\" sets the variables \"A=B\" and \"C=D\".", "affected": [ { "package": { - "name": "github.com/tidwall/gjson", + "name": "stdlib", "ecosystem": "Go" }, "ranges": [ 
@@ -3531,104 +23,45 @@ "introduced": "0" }, { - "fixed": "1.9.3" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2021-0265" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "github.com/tidwall/gjson", - "symbols": [ - "Get", - "GetBytes", - "GetMany", - "GetManyBytes", - "Result.Get", - "parseObject", - "queryMatches" - ] - } - ] - } - } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/issues/237" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/issues/236" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944" - } - ] - }, - "Symbol": "Result.Get", - "PkgPath": "github.com/tidwall/gjson", - "ModPath": "github.com/tidwall/gjson", - "CallSink": 7, - "ImportSink": 1, - "RequireSink": 1 - }, - { - "OSV": { - "id": "GO-2021-0265", - "published": "2022-08-15T18:06:07Z", - "modified": "2022-08-29T16:50:59Z", - "aliases": [ - "CVE-2021-42248", - "CVE-2021-42836", - "GHSA-c9gm-7rfj-8w5h", - "GHSA-ppj4-34rq-v8j9" - ], - "details": "A maliciously crafted path can cause Get and other query functions\nto consume excessive amounts of CPU and time.\n", - "affected": [ - { - "package": { - "name": "github.com/tidwall/gjson", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ + "fixed": "1.18.8" + }, { - "introduced": "0" + "introduced": "1.19.0" }, { - "fixed": "1.9.3" + "fixed": "1.19.3" } ] } ], "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2021-0265" + "url": "https://pkg.go.dev/vuln/GO-2022-1095" }, "ecosystem_specific": { "imports": [ { - "path": "github.com/tidwall/gjson", + "path": "syscall", + "goos": [ + "windows" + ], "symbols": [ - "Get", - "GetBytes", - "GetMany", - "GetManyBytes", - "Result.Get", - "parseObject", - "queryMatches" + "StartProcess" + ] + 
}, + { + "path": "os/exec", + "goos": [ + "windows" + ], + "symbols": [ + "Cmd.CombinedOutput", + "Cmd.Environ", + "Cmd.Output", + "Cmd.Run", + "Cmd.Start", + "Cmd.environ", + "dedupEnv", + "dedupEnvCase" ] } ] 
@@ -3637,46 +70,52 @@ ], "references": [ { - "type": "FIX", - "url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96" + "type": "REPORT", + "url": "https://go.dev/issue/56284" }, { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/issues/237" + "type": "FIX", + "url": "https://go.dev/cl/446916" }, { "type": "WEB", - "url": "https://github.com/tidwall/gjson/issues/236" - }, + "url": "https://groups.google.com/g/golang-announce/c/mbHY1UY3BaM/m/hSpmRzk-AgAJ" + } + ], + "credits": [ { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944" + "name": "RyotaK (https://twitter.com/ryotkak)" } ] }, - "Symbol": "parseObject", - "PkgPath": "github.com/tidwall/gjson", - "ModPath": "github.com/tidwall/gjson", - "CallSink": 16, - "ImportSink": 1, - "RequireSink": 1 + "Modules": [ + { + "Path": "stdlib", + "FoundVersion": "go1.19.2", + "FixedVersion": "go1.19.3", + "Packages": [ + { + "Path": "syscall", + "CallStacks": null + } + ] + } + ] }, { "OSV": { - "id": "GO-2021-0265", - "published": "2022-08-15T18:06:07Z", - "modified": "2022-08-29T16:50:59Z", + "id": "GO-2022-1059", + "published": "2022-10-11T18:16:24Z", + "modified": "2022-11-01T16:41:19Z", "aliases": [ - "CVE-2021-42248", - "CVE-2021-42836", - "GHSA-c9gm-7rfj-8w5h", - "GHSA-ppj4-34rq-v8j9" + "CVE-2022-32149", + "GHSA-69ch-w2m2-3vjp" ], - "details": "A maliciously crafted path can cause Get and other query functions\nto consume excessive amounts of CPU and time.\n", + "details": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", "affected": [ { "package": { - "name": "github.com/tidwall/gjson", + "name": "golang.org/x/text", "ecosystem": "Go" }, "ranges": [ 
@@ -3687,26 +126,21 @@ "introduced": "0" }, { - "fixed": "1.9.3" + "fixed": "0.3.8" } ] } ], "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2021-0265" + "url": "https://pkg.go.dev/vuln/GO-2022-1059" }, "ecosystem_specific": { "imports": [ { - "path": "github.com/tidwall/gjson", + "path": "golang.org/x/text/language", "symbols": [ - "Get", - "GetBytes", - "GetMany", - "GetManyBytes", - "Result.Get", - "parseObject", - "queryMatches" + "MatchStrings", + "ParseAcceptLanguage" ] } ] 
@@ -3715,42 +149,48 @@ ], "references": [ { - "type": "FIX", - "url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96" + "type": "REPORT", + "url": "https://go.dev/issue/56152" }, { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/issues/237" + "type": "FIX", + "url": "https://go.dev/cl/442235" }, { "type": "WEB", - "url": "https://github.com/tidwall/gjson/issues/236" - }, + "url": "https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ" + } + ], + "credits": [ { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944" + "name": "Adam Korczynski (ADA Logics) and OSS-Fuzz" } ] }, - "Symbol": "queryMatches", - "PkgPath": "github.com/tidwall/gjson", - "ModPath": "github.com/tidwall/gjson", - "CallSink": 15, - "ImportSink": 1, - "RequireSink": 1 + "Modules": [ + { + "Path": "golang.org/x/text", + "FoundVersion": "v0.3.6", + "FixedVersion": "v0.3.8", + "Packages": [ + { + "Path": "golang.org/x/text/language", + "CallStacks": null + } + ] + } + ] }, { "OSV": { - "id": "GO-2021-0265", - "published": "2022-08-15T18:06:07Z", - "modified": "2022-08-29T16:50:59Z", + "id": "GO-2022-0957", + "published": "2022-08-25T06:28:20Z", + "modified": "2022-09-20T15:16:04Z", "aliases": [ - "CVE-2021-42248", - "CVE-2021-42836", - "GHSA-c9gm-7rfj-8w5h", - "GHSA-ppj4-34rq-v8j9" + "CVE-2020-36066", + "GHSA-wjm3-fq3r-5x46" ], - "details": "A maliciously crafted path can cause Get and other query functions\nto consume excessive amounts of CPU and time.\n", + "details": "A maliciously crafted JSON input can cause a denial of service attack.", "affected": [ { "package": { @@ -3765,13 +205,13 @@ "introduced": "0" }, { - "fixed": "1.9.3" + "fixed": "1.6.5" } ] } ], "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2021-0265" + "url": "https://pkg.go.dev/vuln/GO-2022-0957" }, "ecosystem_specific": { "imports": [ 
@@ -3794,106 +234,74 @@ "references": [ { "type": "FIX", - "url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/issues/237" + "url": "https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc" }, { "type": "WEB", - "url": "https://github.com/tidwall/gjson/issues/236" + "url": "https://github.com/tidwall/gjson/commit/9f58baa7a613f89dfdc764c39e47fd3a15606153" }, { "type": "WEB", - "url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944" + "url": "https://github.com/tidwall/gjson/issues/195" } ] }, - "Symbol": "Get", - "PkgPath": "github.com/tidwall/gjson", - "ModPath": "github.com/tidwall/gjson", - "CallSink": 12, - "ImportSink": 1, - "RequireSink": 1 - }, - { - "OSV": { - "id": "GO-2021-0113", - "published": "2021-10-06T17:51:21Z", - "modified": "2022-08-29T16:50:59Z", - "aliases": [ - "CVE-2021-38561" - ], - "details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse\nto panic via an out of bounds read. 
If Parse is used to process untrusted user inputs,\nthis may be used as a vector for a denial of service attack.\n", - "affected": [ - { - "package": { - "name": "golang.org/x/text", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0.3.7" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2021-0113" - }, - "ecosystem_specific": { - "imports": [ + "Modules": [ + { + "Path": "github.com/tidwall/gjson", + "FoundVersion": "v1.6.4", + "FixedVersion": "v1.6.5", + "Packages": [ + { + "Path": "github.com/tidwall/gjson", + "CallStacks": [ { - "path": "golang.org/x/text/language", - "symbols": [ - "MatchStrings", - "MustParse", - "Parse", - "ParseAcceptLanguage" + "Symbol": "Get", + "Summary": "pkg/seconds/mixer.go:15:18: github.com/Templum/playground/pkg/seconds.Testcase calls github.com/tidwall/gjson.Get", + "Frames": [ + { + "PkgPath": "github.com/Templum/playground/pkg/seconds", + "FuncName": "Testcase", + "RecvType": "", + "Position": { + "Filename": "/workspaces/playground/pkg/seconds/mixer.go", + "Offset": 257, + "Line": 15, + "Column": 18 + } + }, + { + "PkgPath": "github.com/tidwall/gjson", + "FuncName": "Get", + "RecvType": "", + "Position": { + "Filename": "", + "Offset": 0, + "Line": 0, + "Column": 0 + } + } ] } ] } - } - ], - "references": [ - { - "type": "FIX", - "url": "https://go.dev/cl/340830" - }, - { - "type": "FIX", - "url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f" - } - ] - }, - "Symbol": "MustParse", - "PkgPath": "golang.org/x/text/language", - "ModPath": "golang.org/x/text", - "CallSink": 14, - "ImportSink": 3, - "RequireSink": 3 + ] + } + ] }, { "OSV": { - "id": "GO-2021-0113", - "published": "2021-10-06T17:51:21Z", - "modified": "2022-08-29T16:50:59Z", + "id": "GO-2022-0956", + "published": "2022-08-29T22:15:46Z", + "modified": "2022-10-26T17:44:45Z", "aliases": [ - "CVE-2021-38561" + "CVE-2022-3064" ], - 
"details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse\nto panic via an out of bounds read. If Parse is used to process untrusted user inputs,\nthis may be used as a vector for a denial of service attack.\n", + "details": "Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.", "affected": [ { "package": { - "name": "golang.org/x/text", + "name": "gopkg.in/yaml.v2", "ecosystem": "Go" }, "ranges": [ @@ -3904,23 +312,25 @@ "introduced": "0" }, { - "fixed": "0.3.7" + "fixed": "2.2.4" } ] } ], "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2021-0113" + "url": "https://pkg.go.dev/vuln/GO-2022-0956" }, "ecosystem_specific": { "imports": [ { - "path": "golang.org/x/text/language", + "path": "gopkg.in/yaml.v2", "symbols": [ - "MatchStrings", - "MustParse", - "Parse", - "ParseAcceptLanguage" + "Decoder.Decode", + "Unmarshal", + "UnmarshalStrict", + "decoder.unmarshal", + "yaml_parser_increase_flow_level", + "yaml_parser_roll_indent" ] } ] 
@@ -3930,34 +340,73 @@ "references": [ { "type": "FIX", - "url": "https://go.dev/cl/340830" + "url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5" }, { - "type": "FIX", - "url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f" + "type": "WEB", + "url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4" } ] }, - "Symbol": "Parse", - "PkgPath": "golang.org/x/text/language", - "ModPath": "golang.org/x/text", - "CallSink": 6, - "ImportSink": 3, - "RequireSink": 3 + "Modules": [ + { + "Path": "gopkg.in/yaml.v2", + "FoundVersion": "v2.2.0", + "FixedVersion": "v2.2.4", + "Packages": [ + { + "Path": "gopkg.in/yaml.v2", + "CallStacks": [ + { + "Symbol": "Unmarshal", + "Summary": "pkg/yaml/testcase.go:28:20: github.com/Templum/playground/pkg/yaml.Testcase calls gopkg.in/yaml.v2.Unmarshal", + "Frames": [ + { + "PkgPath": "github.com/Templum/playground/pkg/yaml", + "FuncName": "Testcase", + "RecvType": "", + "Position": { + "Filename": "/workspaces/playground/pkg/yaml/testcase.go", + "Offset": 348, + "Line": 28, + "Column": 20 + } + }, + { + "PkgPath": "gopkg.in/yaml.v2", + "FuncName": "Unmarshal", + "RecvType": "", + "Position": { + "Filename": "", + "Offset": 0, + "Line": 0, + "Column": 0 + } + } + ] + } + ] + } + ] + } + ] }, { "OSV": { - "id": "GO-2021-0061", - "published": "2021-04-14T20:04:52Z", - "modified": "2022-08-29T16:50:59Z", + "id": "GO-2021-0265", + "published": "2022-08-15T18:06:07Z", + "modified": "2022-10-26T17:44:45Z", "aliases": [ - "CVE-2021-4235" + "CVE-2021-42248", + "CVE-2021-42836", + "GHSA-c9gm-7rfj-8w5h", + "GHSA-ppj4-34rq-v8j9" ], - "details": "Due to unbounded alias chasing, a maliciously crafted YAML file\ncan cause the system to consume significant system resources. 
If\nparsing user input, this may be used as a denial of service vector.\n", + "details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.", "affected": [ { "package": { - "name": "gopkg.in/yaml.v2", + "name": "github.com/tidwall/gjson", "ecosystem": "Go" }, "ranges": [ 
@@ -3968,31 +417,107 @@ "introduced": "0" }, { - "fixed": "2.2.3" + "fixed": "1.9.3" } ] } ], "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2021-0061" + "url": "https://pkg.go.dev/vuln/GO-2021-0265" }, "ecosystem_specific": { "imports": [ { - "path": "gopkg.in/yaml.v2", + "path": "github.com/tidwall/gjson", "symbols": [ - "Decoder.Decode", - "Unmarshal", - "UnmarshalStrict", - "decoder.unmarshal" + "Get", + "GetBytes", + "GetMany", + "GetManyBytes", + "Result.Get", + "parseObject", + "queryMatches" ] } ] } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/issues/237" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/issues/236" }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944" + } + ] + }, + "Modules": [ + { + "Path": "github.com/tidwall/gjson", + "FoundVersion": "v1.6.4", + "FixedVersion": "v1.9.3", + "Packages": [ + { + "Path": "github.com/tidwall/gjson", + "CallStacks": [ + { + "Symbol": "Get", + "Summary": "pkg/seconds/mixer.go:15:18: github.com/Templum/playground/pkg/seconds.Testcase calls github.com/tidwall/gjson.Get", + "Frames": [ + { + "PkgPath": "github.com/Templum/playground/pkg/seconds", + "FuncName": "Testcase", + "RecvType": "", + "Position": { + "Filename": "/workspaces/playground/pkg/seconds/mixer.go", + "Offset": 257, + "Line": 15, + "Column": 18 + } + }, + { + "PkgPath": "github.com/tidwall/gjson", + "FuncName": "Get", + "RecvType": "", + "Position": { + "Filename": "", + "Offset": 0, + "Line": 0, + "Column": 0 + } + } + ] + } + ] + } + ] + } + ] + }, + { + "OSV": { + "id": "GO-2021-0113", + "published": "2021-10-06T17:51:21Z", + "modified": "2022-10-26T17:44:45Z", + "aliases": [ + "CVE-2021-38561" + ], + "details": "Due to improper index calculation, an incorrectly formatted language tag can 
cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.", + "affected": [ { "package": { - "name": "github.com/go-yaml/yaml", + "name": "golang.org/x/text", "ecosystem": "Go" }, "ranges": [ @@ -4001,22 +526,25 @@ "events": [ { "introduced": "0" + }, + { + "fixed": "0.3.7" } ] } ], "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2021-0061" + "url": "https://pkg.go.dev/vuln/GO-2021-0113" }, "ecosystem_specific": { "imports": [ { - "path": "github.com/go-yaml/yaml", + "path": "golang.org/x/text/language", "symbols": [ - "Decoder.Decode", - "Unmarshal", - "UnmarshalStrict", - "decoder.unmarshal" + "MatchStrings", + "MustParse", + "Parse", + "ParseAcceptLanguage" ] } ] 
@@ -4026,30 +554,71 @@ "references": [ { "type": "FIX", - "url": "https://github.com/go-yaml/yaml/pull/375" + "url": "https://go.dev/cl/340830" }, { "type": "FIX", - "url": "https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241" + "url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f" + } + ], + "credits": [ + { + "name": "Guido Vranken" } ] }, - "Symbol": "decoder.unmarshal", - "PkgPath": "gopkg.in/yaml.v2", - "ModPath": "gopkg.in/yaml.v2", - "CallSink": 9, - "ImportSink": 6, - "RequireSink": 4 + "Modules": [ + { + "Path": "golang.org/x/text", + "FoundVersion": "v0.3.6", + "FixedVersion": "v0.3.7", + "Packages": [ + { + "Path": "golang.org/x/text/language", + "CallStacks": [ + { + "Symbol": "MustParse", + "Summary": "pkg/seconds/mixer.go:12:29: github.com/Templum/playground/pkg/seconds.Testcase calls golang.org/x/text/language.MustParse", + "Frames": [ + { + "PkgPath": "github.com/Templum/playground/pkg/seconds", + "FuncName": "Testcase", + "RecvType": "", + "Position": { + "Filename": "/workspaces/playground/pkg/seconds/mixer.go", + "Offset": 204, + "Line": 12, + "Column": 29 + } + }, + { + "PkgPath": "golang.org/x/text/language", + "FuncName": "MustParse", + "RecvType": "", + "Position": { + "Filename": "", + "Offset": 0, + "Line": 0, + "Column": 0 + } + } + ] + } + ] + } + ] + } + ] }, { "OSV": { "id": "GO-2021-0061", "published": "2021-04-14T20:04:52Z", - "modified": "2022-08-29T16:50:59Z", + "modified": "2022-10-26T17:44:45Z", "aliases": [ "CVE-2021-4235" ], - "details": "Due to unbounded alias chasing, a maliciously crafted YAML file\ncan cause the system to consume significant system resources. If\nparsing user input, this may be used as a denial of service vector.\n", + "details": "Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. 
If parsing user input, this may be used as a denial of service vector.", "affected": [ { "package": { @@ -4085,38 +654,6 @@ } ] } - }, - { - "package": { - "name": "github.com/go-yaml/yaml", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2021-0061" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "github.com/go-yaml/yaml", - "symbols": [ - "Decoder.Decode", - "Unmarshal", - "UnmarshalStrict", - "decoder.unmarshal" - ] - } - ] - } } ], "references": [ 
@@ -4128,29 +665,69 @@ "type": "FIX", "url": "https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241" } + ], + "credits": [ + { + "name": "@simonferquel" + } ] }, - "Symbol": "Unmarshal", - "PkgPath": "gopkg.in/yaml.v2", - "ModPath": "gopkg.in/yaml.v2", - "CallSink": 8, - "ImportSink": 6, - "RequireSink": 4 + "Modules": [ + { + "Path": "gopkg.in/yaml.v2", + "FoundVersion": "v2.2.0", + "FixedVersion": "v2.2.3", + "Packages": [ + { + "Path": "gopkg.in/yaml.v2", + "CallStacks": [ + { + "Symbol": "Unmarshal", + "Summary": "pkg/yaml/testcase.go:28:20: github.com/Templum/playground/pkg/yaml.Testcase calls gopkg.in/yaml.v2.Unmarshal", + "Frames": [ + { + "PkgPath": "github.com/Templum/playground/pkg/yaml", + "FuncName": "Testcase", + "RecvType": "", + "Position": { + "Filename": "/workspaces/playground/pkg/yaml/testcase.go", + "Offset": 348, + "Line": 28, + "Column": 20 + } + }, + { + "PkgPath": "gopkg.in/yaml.v2", + "FuncName": "Unmarshal", + "RecvType": "", + "Position": { + "Filename": "", + "Offset": 0, + "Line": 0, + "Column": 0 + } + } + ] + } + ] + } + ] + } + ] }, { "OSV": { - "id": "GO-2020-0036", + "id": "GO-2021-0054", "published": "2021-04-14T20:04:52Z", - "modified": "2022-08-29T16:50:59Z", + "modified": "2022-10-26T17:44:45Z", "aliases": [ - "CVE-2019-11254", - "GHSA-wxc4-f4m6-wwqv" + "CVE-2020-36067" ], - "details": "Due to unbounded aliasing, a crafted YAML file can cause consumption\nof significant system resources. If parsing user supplied input, this\nmay be used as a denial of service vector.\n", + "details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.", "affected": [ { "package": { - "name": "gopkg.in/yaml.v2", + "name": "github.com/tidwall/gjson", "ecosystem": "Go" }, "ranges": [ 
@@ -4161,55 +738,21 @@ "introduced": "0" }, { - "fixed": "2.2.8" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2020-0036" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "gopkg.in/yaml.v2", - "symbols": [ - "Decoder.Decode", - "Unmarshal", - "UnmarshalStrict", - "yaml_parser_fetch_more_tokens" - ] - } - ] - } - }, - { - "package": { - "name": "github.com/go-yaml/yaml", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" + "fixed": "1.6.6" } ] } ], "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2020-0036" + "url": "https://pkg.go.dev/vuln/GO-2021-0054" }, "ecosystem_specific": { "imports": [ { - "path": "github.com/go-yaml/yaml", + "path": "github.com/tidwall/gjson", "symbols": [ - "Decoder.Decode", - "Unmarshal", - "UnmarshalStrict", - "yaml_parser_fetch_more_tokens" + "Result.ForEach", + "unwrap" ] } ] 
@@ -4219,35 +762,43 @@ "references": [ { "type": "FIX", - "url": "https://github.com/go-yaml/yaml/pull/555" - }, - { - "type": "FIX", - "url": "https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48" + "url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b" }, { "type": "WEB", - "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496" + "url": "https://github.com/tidwall/gjson/issues/196" + } + ], + "credits": [ + { + "name": "@toptotu" } ] }, - "Symbol": "yaml_parser_fetch_more_tokens", - "PkgPath": "gopkg.in/yaml.v2", - "ModPath": "gopkg.in/yaml.v2", - "CallSink": 11, - "ImportSink": 6, - "RequireSink": 4 + "Modules": [ + { + "Path": "github.com/tidwall/gjson", + "FoundVersion": "v1.6.4", + "FixedVersion": "v1.6.6", + "Packages": [ + { + "Path": "github.com/tidwall/gjson", + "CallStacks": null + } + ] + } + ] }, { "OSV": { "id": "GO-2020-0036", "published": "2021-04-14T20:04:52Z", - "modified": "2022-08-29T16:50:59Z", + "modified": "2022-10-26T17:44:45Z", "aliases": [ "CVE-2019-11254", "GHSA-wxc4-f4m6-wwqv" ], - "details": "Due to unbounded aliasing, a crafted YAML file can cause consumption\nof significant system resources. If parsing user supplied input, this\nmay be used as a denial of service vector.\n", + "details": "Due to unbounded aliasing, a crafted YAML file can cause consumption of significant system resources. If parsing user supplied input, this may be used as a denial of service vector.", "affected": [ { "package": { 
@@ -4283,38 +834,6 @@ } ] } - }, - { - "package": { - "name": "github.com/go-yaml/yaml", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2020-0036" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "github.com/go-yaml/yaml", - "symbols": [ - "Decoder.Decode", - "Unmarshal", - "UnmarshalStrict", - "yaml_parser_fetch_more_tokens" - ] - } - ] - } } ], "references": [ 
@@ -4332,56 +851,48 @@ } ] }, - "Symbol": "Unmarshal", - "PkgPath": "gopkg.in/yaml.v2", - "ModPath": "gopkg.in/yaml.v2", - "CallSink": 8, - "ImportSink": 6, - "RequireSink": 4 - } - ], - "Modules": [ - { - "Path": "github.com/Templum/playground", - "Version": "", - "Dir": "", - "Replace": null - }, - { - "Path": "github.com/tidwall/gjson", - "Version": "v1.6.4", - "Dir": "", - "Replace": null - }, - { - "Path": "github.com/tidwall/match", - "Version": "v1.0.1", - "Dir": "", - "Replace": null - }, - { - "Path": "github.com/tidwall/pretty", - "Version": "v1.0.2", - "Dir": "", - "Replace": null - }, - { - "Path": "golang.org/x/text", - "Version": "v0.3.6", - "Dir": "", - "Replace": null - }, - { - "Path": "gopkg.in/yaml.v2", - "Version": "v2.2.0", - "Dir": "", - "Replace": null - }, - { - "Path": "stdlib", - "Version": "v1.19.1", - "Dir": "", - "Replace": null + "Modules": [ + { + "Path": "gopkg.in/yaml.v2", + "FoundVersion": "v2.2.0", + "FixedVersion": "v2.2.8", + "Packages": [ + { + "Path": "gopkg.in/yaml.v2", + "CallStacks": [ + { + "Symbol": "Unmarshal", + "Summary": "pkg/yaml/testcase.go:28:20: github.com/Templum/playground/pkg/yaml.Testcase calls gopkg.in/yaml.v2.Unmarshal", + "Frames": [ + { + "PkgPath": "github.com/Templum/playground/pkg/yaml", + "FuncName": "Testcase", + "RecvType": "", + "Position": { + "Filename": "/workspaces/playground/pkg/yaml/testcase.go", + "Offset": 348, + "Line": 28, + "Column": 20 + } + }, + { + "PkgPath": "gopkg.in/yaml.v2", + "FuncName": "Unmarshal", + "RecvType": "", + "Position": { + "Filename": "", + "Offset": 0, + "Line": 0, + "Column": 0 + } + } + ] + } + ] + } + ] + } + ] } ] -} +} \ No newline at end of file diff --git a/main.go b/main.go index 596598a..2f687d7 100644 --- a/main.go +++ b/main.go 
@@ -4,7 +4,6 @@ import ( "os" "runtime" - "github.com/Templum/govulncheck-action/pkg/action" "github.com/Templum/govulncheck-action/pkg/github" "github.com/Templum/govulncheck-action/pkg/sarif" "github.com/Templum/govulncheck-action/pkg/vulncheck" @@ -23,7 +22,6 @@ func main() { github := github.NewSarifUploader(logger) reporter := sarif.NewSarifReporter(logger, workDir) scanner := vulncheck.NewScanner(logger, workDir) - processor := action.NewVulncheckProcessor(workDir) if os.Getenv("DEBUG") == "true" { zerolog.SetGlobalLevel(zerolog.DebugLevel) @@ -53,10 +51,7 @@ func main() { os.Exit(2) } - vulnerableStacks := vulncheck.Resolve(result) - vulnerableStacks = processor.RemoveDuplicates(vulnerableStacks) - - err = reporter.Convert(vulnerableStacks) + err = reporter.Convert(result) if err != nil { logger.Error().Err(err).Msg("Conversion of Scan yielded error") os.Exit(2) @@ -95,7 +90,7 @@ func main() { if os.Getenv("STRICT") == "true" { logger.Debug().Msg("Action is running in strict mode") - if len(vulnerableStacks) > 0 { + if len(result.Vulns) > 0 { logger.Info().Msg("Encountered at least one vulnerability while running in strict mode, will mark outcome as failed") os.Exit(2) } diff --git a/pkg/action/preprocessor.go b/pkg/action/preprocessor.go deleted file mode 100644 index d877883..0000000 --- a/pkg/action/preprocessor.go +++ /dev/null 
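Review bot: The strict-mode check `if len(result.Vulns) > 0` now fails the run for every OSV entry govulncheck returned, including packages that are only imported and have no call stack, which the SARIF reporter in this same commit describes as possibly needing no action; the removed `vulnerableStacks` counted only reachable calls. If `STRICT` is meant to keep flagging reachable vulnerabilities only, gate on a non-empty `CallStacks` with a small helper such as the one below and call it as `if hasCalledVuln(result) {` (main.go would then need to import `pkg/types`); otherwise the stricter behaviour should be documented where the strict mode is described. `main` starts and ends outside these hunks.
```go
// … unchanged: strict-mode block in main, only the condition changes …
if hasCalledVuln(result) { // was: len(result.Vulns) > 0

// hasCalledVuln reports whether any vulnerable symbol is actually reached
// from the scanned code (a Package with a non-empty CallStacks), as opposed
// to a vulnerable package that is merely imported.
func hasCalledVuln(result *types.Result) bool {
	for _, vuln := range result.Vulns {
		for _, mod := range vuln.Modules {
			for _, pkg := range mod.Packages {
				if len(pkg.CallStacks) > 0 {
					return true
				}
			}
		}
	}
	return false
}
```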
@@ -1,76 +0,0 @@ -package action - -import ( - "strings" - - "github.com/Templum/govulncheck-action/pkg/types" - "golang.org/x/vuln/vulncheck" -) - -type VulncheckProcessor struct { - workDir string -} - -func NewVulncheckProcessor(workDir string) *VulncheckProcessor { - return &VulncheckProcessor{ - workDir: workDir, - } -} - -func (p *VulncheckProcessor) RemoveDuplicates(vulnerableStacks types.VulnerableStacks) types.VulnerableStacks { - // Will hold all unique items and there stacks - uniqueVulnStacks := make(types.VulnerableStacks) - // Sometimes vulnerabilities are included for each affected symbol - lookupTable := make(map[string]map[string]bool) - - for vuln, stacks := range vulnerableStacks { - ref := findRef(vuln.OSV.ID, uniqueVulnStacks) - if ref == nil { - uniqueVulnStacks[vuln] = make([]vulncheck.CallStack, 0) - ref = vuln - } - - if _, ok := lookupTable[vuln.OSV.ID]; !ok { - lookupTable[vuln.OSV.ID] = make(map[string]bool) - } - - for _, current := range stacks { - entry := FindVulnerableCallSite(p.workDir, current) - - if entry.Function != nil && entry.Call != nil { - callLocation := entry.Call.Pos.String() - - if _, ok := lookupTable[vuln.OSV.ID][callLocation]; !ok { - lookupTable[vuln.OSV.ID][callLocation] = true - uniqueVulnStacks[ref] = append(uniqueVulnStacks[ref], current) - } - } - - } - } - - return uniqueVulnStacks -} - -func FindVulnerableCallSite(workDir string, stack vulncheck.CallStack) vulncheck.StackEntry { - // We start from the back as that is the entrypoint for the reported vulnerability - for i := range stack { - current := stack[len(stack)-1-i] - - if current.Call != nil && strings.Contains(current.Call.Pos.Filename, workDir) { - return current - } - } - - return vulncheck.StackEntry{Function: nil, Call: nil} -} - -func findRef(osvID string, lookup types.VulnerableStacks) *vulncheck.Vuln { - for key := range lookup { - if key.OSV.ID == osvID { - return key - } - } - - return nil -} 
diff --git a/pkg/action/preprocessor_test.go b/pkg/action/preprocessor_test.go deleted file mode 100644 index 500f8f5..0000000 --- a/pkg/action/preprocessor_test.go +++ /dev/null 
@@ -1,152 +0,0 @@ -package action - -import ( - "go/token" - "path" - "testing" - - "github.com/Templum/govulncheck-action/pkg/types" - helper "github.com/Templum/govulncheck-action/pkg/vulncheck" - "github.com/rs/zerolog" - "github.com/stretchr/testify/assert" - "golang.org/x/vuln/vulncheck" -) - -func TestFindVulnerableCallSite(t *testing.T) { - userCallSite := vulncheck.StackEntry{ - Function: &vulncheck.FuncNode{ - ID: 2, - Name: "Testcase", - RecvType: "", - PkgPath: "github.com/Templum/playground/pkg/json", - Pos: &token.Position{ - Filename: "/workspaces/unit/pkg/json/testcase.go", - Offset: 130, - Line: 10, - Column: 6, - }, - CallSites: []*vulncheck.CallSite{}, // Not needed for this function - }, - Call: &vulncheck.CallSite{ - Parent: 2, - Name: "Get", - RecvType: "", - Resolved: true, - Pos: &token.Position{ - Filename: "/workspaces/unit/pkg/json/testcase.go", - Offset: 162, - Line: 11, - Column: 20, - }, - }, - } - - stack := []vulncheck.StackEntry{ - userCallSite, - { - Function: &vulncheck.FuncNode{ - ID: 12, - Name: "Get", - RecvType: "", - PkgPath: "github.com/tidwall/gjson", - Pos: &token.Position{ - Filename: "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - Offset: 37859, - Line: 1873, - Column: 6, - }, - CallSites: []*vulncheck.CallSite{}, // Not needed for this function - }, - Call: &vulncheck.CallSite{ - Parent: 12, - Name: "parseObject", - RecvType: "", - Resolved: true, - Pos: &token.Position{ - Filename: "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - Offset: 39894, - Line: 1963, - Column: 16, - }, - }, - }, - { - Function: &vulncheck.FuncNode{ - ID: 16, - Name: "parseObject", - RecvType: "", - PkgPath: "github.com/tidwall/gjson", - Pos: &token.Position{ - Filename: "/go/pkg/mod/github.com/tidwall/gjson@v1.6.4/gjson.go", - Offset: 21927, - Line: 1114, - Column: 2, - }, - CallSites: []*vulncheck.CallSite{}, // Not needed for this function - }, - Call: nil, - }, // Vulnerability - } - - t.Run("should return empty entry if 
nothing is found", func(t *testing.T) { - callSite := FindVulnerableCallSite("/workspaces/other", stack) - - assert.Nil(t, callSite.Call, "should have no call") - assert.Nil(t, callSite.Function, "should have no function") - }) - - t.Run("should return first calling site located in user code", func(t *testing.T) { - callSite := FindVulnerableCallSite("/workspaces/unit", stack) - - assert.NotNil(t, callSite.Call, "should have a call") - assert.NotNil(t, callSite.Function, "should have a function") - assert.Equal(t, userCallSite, callSite, "should find the correct call site") - }) -} - -func CalculateTotalFindings(input types.VulnerableStacks) int { - output := 0 - - for _, findings := range input { - output += len(findings) - } - - return output -} - -func TestVulncheckProcessor_RemoveDuplicates(t *testing.T) { - scanner := helper.NewLocalScanner(zerolog.Nop(), path.Join("..", "..", "hack", "found.json")) - result, _ := scanner.Scan() - input := helper.Resolve(result) - - hasDuplicateCallsites := make(types.VulnerableStacks) - hasDuplicateVuln := make(types.VulnerableStacks) - - for key, value := range input { - if key.OSV.ID == "GO-2021-0113" { - hasDuplicateVuln[key] = value - } - - if key.OSV.ID == "GO-2021-0061" && key.Symbol == "decoder.unmarshal" { - hasDuplicateCallsites[key] = value - } - } - - t.Run("should remove duplicates which are called from the same site", func(t *testing.T) { - target := NewVulncheckProcessor("/workspaces/govulncheck-action") - reduced := target.RemoveDuplicates(hasDuplicateCallsites) - - assert.NotNil(t, reduced, "should not be nil") - assert.Equal(t, len(reduced), len(hasDuplicateCallsites), "should have same amount of entries") - assert.Less(t, CalculateTotalFindings(reduced), CalculateTotalFindings(hasDuplicateCallsites), "reduced should be less after removal of duplicates") - }) - - t.Run("should remove duplicates which are for the same vulnerability", func(t *testing.T) { - target := 
NewVulncheckProcessor("/workspaces/govulncheck-action") - reduced := target.RemoveDuplicates(hasDuplicateVuln) - - assert.NotNil(t, reduced, "should not be nil") - assert.Less(t, len(reduced), len(hasDuplicateVuln), "should only have one entry now") - assert.Less(t, CalculateTotalFindings(reduced), CalculateTotalFindings(hasDuplicateVuln), "reduced should be less after removal of duplicates") - }) -} diff --git a/pkg/github/sarif_report_test.go b/pkg/github/sarif_report_test.go index 64042c8..752d6dd 100644 --- a/pkg/github/sarif_report_test.go +++ b/pkg/github/sarif_report_test.go @@ -27,7 +27,7 @@ type MockReport struct { mock.Mock } -func (m *MockReport) Convert(result types.VulnerableStacks) error { +func (m *MockReport) Convert(result *types.Result) error { args := m.Called(result) return args.Error(0) } diff --git a/pkg/sarif/reporter.go b/pkg/sarif/reporter.go index 885bab4..dc746a3 100644 --- a/pkg/sarif/reporter.go +++ b/pkg/sarif/reporter.go @@ -3,15 +3,12 @@ package sarif import ( "fmt" "io" - "os" "strings" - "github.com/Templum/govulncheck-action/pkg/action" "github.com/Templum/govulncheck-action/pkg/types" "github.com/owenrumney/go-sarif/v2/sarif" "github.com/rs/zerolog" "golang.org/x/vuln/osv" - "golang.org/x/vuln/vulncheck" ) const ( 
@@ -36,25 +33,30 @@ func NewSarifReporter(logger zerolog.Logger, workDir string) types.Reporter { return &SarifReporter{report: nil, run: nil, log: logger, workDir: workDir} } -func (sr *SarifReporter) Convert(result types.VulnerableStacks) error { +func (sr *SarifReporter) Convert(result *types.Result) error { sr.createEmptyReport("initial") - sr.log.Debug().Msgf("Scan showed code being impacted by %d vulnerabilities", len(result)) - for vuln, callStacks := range result { - sr.addRule(vuln) - - for _, current := range callStacks { - // callSite can never have Call=nil Function=nil as the curator is using - // the same method and filtering out those cases - callSite := action.FindVulnerableCallSite(sr.workDir, current) - - text, markdown := sr.generateResultMessage(vuln, callSite, current) - sr.addResult(vuln, callSite.Call, text, markdown) + sr.log.Debug().Msgf("Scan result shows the code is affected by %d vulnerabilities", len(result.Vulns)) + for _, vuln := range result.Vulns { + sr.addRule(vuln.Osv) + + for _, mods := range vuln.Modules { + for _, pkg := range mods.Packages { + if len(pkg.CallStacks) > 0 { + for _, callStack := range pkg.CallStacks { + // Vulnerable code is directly called + sr.addDirectCallResult(vuln.Osv.ID, pkg, callStack) + } + } else { + // Vulnerable code is direct or indirect imported + sr.addImportResult(vuln.Osv.ID, pkg) + } + } } } - sr.log.Info().Int("Vulnerabilities", len(result)).Int("Call Sites", len(sr.run.Results)).Msg("Conversion yielded following stats") + sr.log.Info().Int("Vulnerabilities", len(sr.run.Tool.Driver.Rules)).Int("Call Sites", len(sr.run.Results)).Msg("Conversion yielded following stats") return nil } 
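Review bot: `sr.addRule(vuln.Osv)` and the later `vuln.Osv.ID` dereference `Osv` with no nil check, and `len(result.Vulns)` dereferences `result` the same way; both values come straight from JSON decoding of the govulncheck output, so an entry without an OSV object would panic the action instead of reaching the Convert error path that `main` already exits on. Guarding with `if result == nil { return fmt.Errorf("no scan result to convert") }` before `createEmptyReport`, and `if vuln.Osv == nil { return fmt.Errorf("vulnerability entry without OSV data") }` at the top of the loop, keeps the failure reportable through the existing error return. `Convert` is complete within the hunk.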
@@ -76,14 +78,14 @@ func (sr *SarifReporter) createEmptyReport(vulncheckVersion string) { sr.run = run } -func (sr *SarifReporter) addRule(vuln *vulncheck.Vuln) { +func (sr *SarifReporter) addRule(vuln *osv.Entry) { text, markdown := sr.generateRuleHelp(vuln) // sr.run.AddRule does check if the rule is present prior to adding it - sr.run.AddRule(vuln.OSV.ID). + sr.run.AddRule(vuln.ID). WithName(ruleName). - WithDescription(vuln.OSV.ID). - WithFullDescription(sarif.NewMultiformatMessageString(vuln.OSV.Details)). + WithDescription(vuln.ID). + WithFullDescription(sarif.NewMultiformatMessageString(vuln.Details)). WithHelp(sarif.NewMultiformatMessageString(text).WithMarkdown(markdown)). WithDefaultConfiguration(sarif.NewReportingConfiguration().WithLevel(severity)). WithProperties(sarif.Properties{ 
@@ -94,40 +96,66 @@ func (sr *SarifReporter) addRule(vuln *vulncheck.Vuln) { "security", }, "precision": "very-high", - "aliases": vuln.OSV.Aliases, + "aliases": vuln.Aliases, }). - WithHelpURI(fmt.Sprintf("https://pkg.go.dev/vuln/%s", vuln.OSV.ID)) + WithHelpURI(fmt.Sprintf("https://pkg.go.dev/vuln/%s", vuln.ID)) } -func (sr *SarifReporter) addResult(vuln *vulncheck.Vuln, call *vulncheck.CallSite, text string, markdown string) { - result := sarif.NewRuleResult(vuln.OSV.ID). +func (sr *SarifReporter) addDirectCallResult(vulnID string, pkg *types.Package, callStack types.CallStack) { + entry := callStack.Frames[0] + + result := sarif.NewRuleResult(vulnID). WithLevel(severity). - WithMessage(sarif.NewMessage().WithMarkdown(markdown).WithText(text)) + WithMessage(sarif.NewMessage().WithText(callStack.Summary)) + + sr.log.Debug(). + Str("Symbol", callStack.Symbol). + Msgf("Adding a result for %s called from %s", vulnID, entry.Position) - if call != nil { - sr.log.Debug(). - Str("Symbol", vuln.Symbol). - Msgf("Add result for %s called from %s", vuln.OSV.ID, call.Pos) + region := sarif.NewRegion(). + WithStartLine(entry.Position.Line). + WithEndLine(entry.Position.Line). + WithStartColumn(entry.Position.Column). + WithEndColumn(entry.Position.Column). + WithCharOffset(entry.Position.Offset) - region := sarif.NewRegion(). - WithStartLine(call.Pos.Line). - WithEndLine(call.Pos.Line). - WithStartColumn(call.Pos.Column). - WithEndColumn(call.Pos.Column). - WithCharOffset(call.Pos.Offset) + location := sarif.NewPhysicalLocation(). + WithArtifactLocation(sarif.NewSimpleArtifactLocation(sr.makePathRelative(entry.Position.Filename)).WithUriBaseId(baseURI)). + WithRegion(region) - location := sarif.NewPhysicalLocation(). - WithArtifactLocation(sarif.NewSimpleArtifactLocation(sr.makePathRelative(call.Pos.Filename)).WithUriBaseId(baseURI)). 
- WithRegion(region) + result.WithLocations([]*sarif.Location{sarif.NewLocationWithPhysicalLocation(location)}) - result.WithLocations([]*sarif.Location{sarif.NewLocationWithPhysicalLocation(location)}) + if ruleIdx := sr.getRule(vulnID); ruleIdx >= 0 { + result.WithRuleIndex(ruleIdx) + sr.run.AddResult(result) } +} + +func (sr *SarifReporter) addImportResult(vulnID string, pkg *types.Package) { + message := fmt.Sprintf("Package %s is vulnerable to %s, but your code doesn't appear to call any vulnerable function directly. You may not need to take any action.", pkg.Path, vulnID) + + result := sarif.NewRuleResult(vulnID). + WithLevel(severity). + WithMessage(sarif.NewMessage().WithText(message).WithMarkdown(message)) + + sr.log.Debug(). + Str("Path", pkg.Path). + Msgf("Adding a result related to an import exposed to %s", vulnID) + + region := sarif.NewRegion(). + WithStartLine(0). + WithEndLine(0). + WithStartColumn(0). + WithEndColumn(0). + WithCharOffset(0) - // TODO: Research option to provide fix instructions - // result.Fixes = append(result.Fixes, sarif.NewFix().WithDescription(fmt.Sprintf("Was fixed with version %s"))) + location := sarif.NewPhysicalLocation(). + WithArtifactLocation(sarif.NewSimpleArtifactLocation("go.mod").WithUriBaseId(baseURI)). + WithRegion(region) - ruleIdx := sr.getRule(vuln.OSV.ID) - if ruleIdx >= 0 { + result.WithLocations([]*sarif.Location{sarif.NewLocationWithPhysicalLocation(location)}) + + if ruleIdx := sr.getRule(vulnID); ruleIdx >= 0 { result.WithRuleIndex(ruleIdx) sr.run.AddResult(result) } @@ -143,7 +171,8 @@ func (sr *SarifReporter) getRule(ruleId string) int { } func (sr *SarifReporter) makePathRelative(absolute string) string { - return strings.ReplaceAll(absolute, sr.workDir, "") + relative := strings.ReplaceAll(absolute, sr.workDir, "") + return strings.TrimPrefix(relative, "/") } func (sr *SarifReporter) searchFixVersion(versions []osv.Affected) string { 
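Review bot: `entry := callStack.Frames[0]` in `addDirectCallResult` indexes without a length check, and the `CallStack` type added in this commit documents that binary-analysis results carry only `Symbol`, so an empty `Frames` would panic here. A guard such as `if len(callStack.Frames) == 0 { sr.addImportResult(vulnID, pkg); return }` avoids that and gives the otherwise unused `pkg` parameter a use. Separately, `addImportResult` attaches a region with every value set to 0 to `go.mod`; SARIF region line and column numbers are 1-based, so dropping `WithRegion(region)` for that location and keeping only the artifact location is safer than emitting line 0.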
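Review bot: `strings.ReplaceAll(absolute, sr.workDir, "")` in `makePathRelative` strips every occurrence of the workspace path rather than only the leading one, so a file whose path repeats the workspace directory name would be mangled; the intent is prefix removal, which `relative := strings.TrimPrefix(absolute, sr.workDir)` expresses exactly and still composes with the new `TrimPrefix(relative, "/")`. The frames fed to this function can carry an empty `Filename` (the fixture in this diff shows a frame with `"Filename": ""` and `"Line": 0`), which yields an empty artifact URI; callers may want to skip the location when the position is invalid (`Line == 0`).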
@@ -160,41 +189,20 @@ func (sr *SarifReporter) searchFixVersion(versions []osv.Affected) string { return "None" } -func (sr *SarifReporter) generateRuleHelp(vuln *vulncheck.Vuln) (text string, markdown string) { - fixVersion := sr.searchFixVersion(vuln.OSV.Affected) - uri := fmt.Sprintf("https://pkg.go.dev/vuln/%s", vuln.OSV.ID) +func (sr *SarifReporter) searchPackage(versions []osv.Affected) string { + for _, current := range versions { + return current.Package.Name + } - return fmt.Sprintf("Vulnerability %s \n Module: %s \n Package: %s \n Fixed in Version: %s \n", vuln.OSV.ID, vuln.ModPath, vuln.PkgPath, fixVersion), - fmt.Sprintf("**Vulnerability [%s](%s)**\n%s\n| Module | Package | Fixed in Version |\n| --- | --- |:---:|\n|%s|%s|%s|\n", vuln.OSV.ID, uri, vuln.OSV.Details, vuln.ModPath, vuln.PkgPath, fixVersion) + return "N/A" } -func (sr *SarifReporter) generateResultMessage(vuln *vulncheck.Vuln, entry vulncheck.StackEntry, stack vulncheck.CallStack) (text string, markdown string) { - relativeFile := sr.makePathRelative(entry.Call.Pos.String()) - linkToFile := fmt.Sprintf("https://github.com/%s/blob/main/%s#L%d", os.Getenv(envRepo), sr.makePathRelative(entry.Call.Pos.Filename), entry.Call.Pos.Line) - linkToVuln := fmt.Sprintf("https://pkg.go.dev/vuln/%s", vuln.OSV.ID) +func (sr *SarifReporter) generateRuleHelp(vuln *osv.Entry) (text string, markdown string) { + fixVersion := sr.searchFixVersion(vuln.Affected) + pkg := sr.searchPackage(vuln.Affected) - var txtBuilder strings.Builder - var markBuilder strings.Builder - - txtBuilder.WriteString(fmt.Sprintf("%s calls %s which has vulnerability %s\n", - fmt.Sprintf("[%s] %s.%s", relativeFile, entry.Function.PkgPath, entry.Function.Name), - fmt.Sprintf("%s.%s", vuln.PkgPath, entry.Call.Name), - vuln.OSV.ID)) - txtBuilder.WriteString("Stacktrace: \n") - - markBuilder.WriteString(fmt.Sprintf("%s calls %s which has vulnerability [%s](%s)\n", - fmt.Sprintf("[%s](%s) %s.%s", relativeFile, linkToFile, 
entry.Function.PkgPath, entry.Function.Name), - fmt.Sprintf("%s.%s", vuln.PkgPath, entry.Call.Name), - vuln.OSV.ID, - linkToVuln, - )) - - markBuilder.WriteString("Stacktrace: \n") - - for _, line := range types.FormatCallStack(stack) { - txtBuilder.WriteString(fmt.Sprintf("%s \n", line)) - markBuilder.WriteString(fmt.Sprintf("* %s \n", line)) - } + uri := fmt.Sprintf("https://pkg.go.dev/vuln/%s", vuln.ID) - return txtBuilder.String(), markBuilder.String() + return fmt.Sprintf("Vulnerability %s \n Package: %s \n Fixed in Version: %s \n", vuln.ID, pkg, fixVersion), + fmt.Sprintf("**Vulnerability [%s](%s)**\n%s\n| Package | Fixed in Version |\n| --- |:---:|\n|%s|%s|\n", vuln.ID, uri, vuln.Details, pkg, fixVersion) } diff --git a/pkg/sarif/reporter_test.go b/pkg/sarif/reporter_test.go index fb4a42d..08a5cd7 100644 --- a/pkg/sarif/reporter_test.go +++ b/pkg/sarif/reporter_test.go @@ -7,7 +7,6 @@ import ( "path" "testing" - "github.com/Templum/govulncheck-action/pkg/action" "github.com/Templum/govulncheck-action/pkg/types" helper "github.com/Templum/govulncheck-action/pkg/vulncheck" "github.com/owenrumney/go-sarif/v2/sarif" 
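Review bot: `searchPackage` is written as a `for … range` whose body returns unconditionally on the first iteration, which reads as a loop but is a first-element lookup; `if len(versions) > 0 { return versions[0].Package.Name }` says what it does, and staticcheck flags the loop form (SA4004). The rule help now names only the first `Affected` package, which for an OSV entry covering several packages may not be the one the scan actually imported; the `Module.Packages` and `Module.FixedVersion` data carried by the new `Result` type identifies the matched package and fix version and could be passed in instead of re-deriving both from the OSV entry. `generateRuleHelp` is complete within the hunk.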
@@ -17,22 +16,19 @@ import ( func TestSarifReporter_Convert(t *testing.T) { scanner := helper.NewLocalScanner(zerolog.Nop(), path.Join("..", "..", "hack", "found.json")) - preprocessor := action.NewVulncheckProcessor("/workspaces/govulncheck-action") result, _ := scanner.Scan() - input := helper.Resolve(result) - input = preprocessor.RemoveDuplicates(input) t.Run("Should convert a preprocessed report into sarif format", func(t *testing.T) { target := NewSarifReporter(zerolog.Nop(), "/workspaces/govulncheck-action") ref := target.(*SarifReporter) - _ = target.Convert(input) + _ = target.Convert(result) assert.NotNil(t, ref.report, "should have create an empty report") assert.NotNil(t, ref.run, "should have filled a run with details") - assert.GreaterOrEqual(t, len(ref.run.Results), 9, "example report should have 9 calls to vulnerabilities") - assert.GreaterOrEqual(t, len(ref.run.Tool.Driver.Rules), 6, "example report should have 6 vulnerabilities") + assert.Equal(t, len(ref.run.Results), 9, "example report should have 9 calls to vulnerabilities") + assert.Equal(t, len(ref.run.Tool.Driver.Rules), 9, "example report should have 9 vulnerabilities") assert.Equal(t, len(ref.report.Runs), 0, "should have not yet added the run to the report") }) @@ -40,7 +36,7 @@ func TestSarifReporter_Convert(t *testing.T) { target := NewSarifReporter(zerolog.Nop(), "/workspaces/govulncheck-action") ref := target.(*SarifReporter) - _ = target.Convert(make(types.VulnerableStacks)) + _ = target.Convert(&types.Result{Vulns: []types.Vulns{}}) assert.NotNil(t, ref.report, "should have create an empty report") assert.NotNil(t, ref.run, "should have filled a run with details") diff --git a/pkg/types/call_chain.go b/pkg/types/call_chain.go deleted file mode 100644 index 4ee046f..0000000 --- a/pkg/types/call_chain.go +++ /dev/null 
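Review bot: `assert.Equal(t, len(ref.run.Results), 9, …)` and the line after it pass the actual value before the expected one; testify's `Equal` takes `(t, expected, actual)`, so on failure the expected/actual labels in the output are swapped. Writing `assert.Equal(t, 9, len(ref.run.Results), …)` and `assert.Equal(t, 9, len(ref.run.Tool.Driver.Rules), …)` fixes the reporting. The subtest name "Should convert a preprocessed report into sarif format" is now stale, since this commit removes the preprocessing step from the test.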
@@ -1,44 +0,0 @@ -package types - -import ( - "fmt" - - "golang.org/x/vuln/vulncheck" -) - -type CallChain struct { - Fn *vulncheck.FuncNode - Called *vulncheck.CallSite - Child *CallChain -} - -func NewCallChainLeave(fn *vulncheck.FuncNode, call *vulncheck.CallSite, child *CallChain) *CallChain { - return &CallChain{ - Fn: fn, - Called: call, - Child: child, - } -} - -func (c *CallChain) CreateCallStack() vulncheck.CallStack { - if c == nil { - return make(vulncheck.CallStack, 0) - } - - return append(vulncheck.CallStack{vulncheck.StackEntry{Function: c.Fn, Call: c.Called}}, c.Child.CreateCallStack()...) -} - -func FormatCallStack(stack vulncheck.CallStack) []string { - var output []string - - for i, current := range stack { - if current.Call == nil { - output = append(output, fmt.Sprintf("[%d] Vulnerability %s.%s", i, current.Function.PkgPath, current.Function.Name)) - } else { - output = append(output, fmt.Sprintf("[%d] %s %s => %s", i, current.Function.PkgPath, current.Function.Name, current.Call.Name)) - } - - } - - return output -} diff --git a/pkg/types/reporter.go b/pkg/types/reporter.go index 92a2def..085d07b 100644 --- a/pkg/types/reporter.go +++ b/pkg/types/reporter.go @@ -5,6 +5,6 @@ import ( ) type Reporter interface { - Convert(result VulnerableStacks) error + Convert(result *Result) error Write(dest io.Writer) error } diff --git a/pkg/types/result.go b/pkg/types/result.go index e22e3de..5de7313 100644 --- a/pkg/types/result.go +++ b/pkg/types/result.go 
@@ -1,5 +1,105 @@ package types -import "golang.org/x/vuln/vulncheck" +import ( + "go/token" -type VulnerableStacks map[*vulncheck.Vuln][]vulncheck.CallStack + "golang.org/x/vuln/osv" +) + +// Result links to: https://github.com/golang/vuln/blob/55c64d8e26b914d8703299302be4997b6de580d0/internal/govulncheck/result.go#L38 +type Result struct { + Vulns []Vulns +} + +type Vulns struct { + // OSV contains all data from the OSV entry for this vulnerability. + Osv *osv.Entry + // Modules contains all of the modules in the OSV entry where a + // vulnerable package is imported by the target source code or binary. + // + // For example, a module M with two packages M/p1 and M/p2, where only p1 + // is vulnerable, will appear in this list if and only if p1 is imported by + // the target source code or binary. + Modules []*Module +} + +type Module struct { + // Path is the module path of the module containing the vulnerability. + // + // Importable packages in the standard library will have the path "stdlib". + Path string + + // FoundVersion is the module version where the vulnerability was found. + FoundVersion string + + // FixedVersion is the module version where the vulnerability was + // fixed. If there are multiple fixed versions in the OSV report, this will + // be the latest fixed version. + // + // This is empty if a fix is not available. + FixedVersion string + + // Packages contains all the vulnerable packages in OSV entry that are + // imported by the target source code or binary. + // + // For example, given a module M with two packages M/p1 and M/p2, where + // both p1 and p2 are vulnerable, p1 and p2 will each only appear in this + // list they are individually imported by the target source code or binary. + Packages []*Package +} + +type Package struct { + // Path is the import path of the package containing the vulnerability. + Path string + + // CallStacks contains a representative call stack for each + // vulnerable symbol that is called. 
+ // + // For vulnerabilities found from binary analysis, only CallStack.Symbol + // will be provided. + // + // For non-affecting vulnerabilities reported from the source mode + // analysis, this will be empty. + CallStacks []CallStack +} + +type CallStack struct { + // Symbol is the name of the detected vulnerable function + // or method. + // + // This follows the naming convention in the OSV report. + Symbol string + + // Summary is a one-line description of the callstack, used by the + // default govulncheck mode. + // + // Example: module3.main calls github.com/shiyanhui/dht.DHT.Run + Summary string + + // Frames contains an entry for each stack in the call stack. + // + // Frames are sorted starting from the entry point to the + // imported vulnerable symbol. The last frame in Frames should match + // Symbol. + Frames []*StackFrame +} + +type StackFrame struct { + // PackagePath is the import path. + PkgPath string + + // FuncName is the function name. + FuncName string + + // RecvType is the fully qualified receiver type, + // if the called symbol is a method. + // + // The client can create the final symbol name by + // prepending RecvType to FuncName. + RecvType string + + // Position describes an arbitrary source position + // including the file, line, and column location. + // A Position is valid if the line number is > 0. + Position token.Position +} diff --git a/pkg/vulncheck/resolver.go b/pkg/vulncheck/resolver.go deleted file mode 100644 index 4e68632..0000000 --- a/pkg/vulncheck/resolver.go +++ /dev/null 
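Review bot: The comment on `Vulns.Osv` begins with `OSV` while the field is named `Osv`, so it does not follow the field-name convention and hints that the field was renamed from the upstream struct it links to; decoding only works because encoding/json matches keys case-insensitively, which is left implicit. Either keep the upstream spelling or pin the key with a struct tag such as `json:"OSV"` on `Osv *osv.Entry`, assuming the govulncheck output key is `OSV` (the fixture in this diff does not show that object). The type name `Vulns` for a single entry also reads awkwardly as `Vulns []Vulns`; `Vuln` would match the sibling `Module` and `Package` names. `StackFrame.Position` documents `Line > 0` as the validity test, which is the check consumers of `Frames` should apply before using a position.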
@@ -1,177 +0,0 @@ -package vulncheck - -import ( - "container/list" - "sort" - "strings" - "sync" - - "github.com/Templum/govulncheck-action/pkg/types" - "golang.org/x/vuln/vulncheck" -) - -// Resolve is based on code from the vuln package, which is released under BSD-style license: https://github.com/golang/vuln/blob/cac67f5c7c815b458cf683c41541d157d8217beb/vulncheck/witness.go#L146-L168 -// Resolve will collect all callstacks related to a vulnerability -// This occurs in parallel with one goroutine per vulnerability -func Resolve(result *vulncheck.Result) types.VulnerableStacks { - var ( - wg sync.WaitGroup - mu sync.Mutex - ) - vulnLookup := make(types.VulnerableStacks) - for _, current := range result.Vulns { - wg.Add(1) - go func(vulnerability *vulncheck.Vuln) { - var cs []vulncheck.CallStack - if vulnerability.CallSink != 0 { - cs = resolveCallstacks(vulnerability.CallSink, result) - } - - // sort call stacks by the estimated value to the user - sort.Slice(cs, func(i, j int) bool { - return stackLess(cs[i], cs[j]) - }) - - mu.Lock() - vulnLookup[vulnerability] = cs - mu.Unlock() - wg.Done() - }(current) - } - wg.Wait() - return vulnLookup -} - -// searchUnvisitedCallSites is based on code from the vuln package, which is released under BSD-style license: https://github.com/golang/vuln/blob/cac67f5c7c815b458cf683c41541d157d8217beb/vulncheck/witness.go#L172-L211 -// resolveCallstacks fetches all callstacks based on the provided entrypoint -func resolveCallstacks(entryID int, result *vulncheck.Result) []vulncheck.CallStack { - visitedSites := make(map[int]bool) - - vulEntryPoints := make(map[int]bool) - for _, current := range result.Calls.Entries { - vulEntryPoints[current] = true - } - - var stacks []vulncheck.CallStack - - queue := list.New() - queue.PushBack(types.NewCallChainLeave(result.Calls.Functions[entryID], nil, nil)) - - for queue.Len() > 0 { - ref := queue.Front() - current := ref.Value.(*types.CallChain) - queue.Remove(ref) - - if 
visitedSites[current.Fn.ID] { - continue - } - visitedSites[current.Fn.ID] = true - - for _, cs := range searchUnvisitedCallSites(current.Fn.CallSites, visitedSites, result) { - caller := result.Calls.Functions[cs.Parent] - chain := types.NewCallChainLeave(caller, cs, current) - - if vulEntryPoints[caller.ID] { - stacks = append(stacks, chain.CreateCallStack()) - } - - queue.PushBack(chain) - } - } - - return stacks -} - -// searchUnvisitedCallSites is based on code from the vuln package, which is released under BSD-style license: https://github.com/golang/vuln/blob/cac67f5c7c815b458cf683c41541d157d8217beb/vulncheck/witness.go#L217-L239 -// searchUnvisitedCallSites will go through the provided input and checkout the parent, while ensuring previously visited sites are not visited again -// It finally returns a list of all new callsites based on input -func searchUnvisitedCallSites(input []*vulncheck.CallSite, visitedSites map[int]bool, result *vulncheck.Result) []*vulncheck.CallSite { - callSites := make(map[int]*vulncheck.CallSite) - for _, cs := range input { - if visitedSites[cs.Parent] { - continue - } - - callSites[cs.Parent] = cs - } - - var functions []*vulncheck.FuncNode - for id := range callSites { - functions = append(functions, result.Calls.Functions[id]) - } - - var unvisitedSites []*vulncheck.CallSite - for _, fn := range functions { - unvisitedSites = append(unvisitedSites, callSites[fn.ID]) - } - - return unvisitedSites -} - -// confidence was taken directly from the vuln package, which is released under BSD-style license: https://github.com/golang/vuln/blob/cac67f5c7c815b458cf683c41541d157d8217beb/vulncheck/witness.go#L302-L320 -// stackLess compares two call stacks in terms of their estimated -// value to the user. Shorter stacks generally come earlier in the ordering. 
-// -// Two stacks are lexicographically ordered by: -// 1) their estimated level of confidence in being a real call stack, -// 2) their length, and 3) the number of dynamic call sites in the stack. -func stackLess(left vulncheck.CallStack, right vulncheck.CallStack) bool { - if c1, c2 := confidence(left), confidence(right); c1 != c2 { - return c1 < c2 - } - - if len(left) != len(right) { - return len(left) < len(right) - } - - if w1, w2 := weight(left), weight(right); w1 != w2 { - return w1 < w2 - } - - return true -} - -// confidence was taken directly from the vuln package, which is released under BSD-style license: https://github.com/golang/vuln/blob/cac67f5c7c815b458cf683c41541d157d8217beb/vulncheck/witness.go#L286-L294 -// confidence computes an approximate measure of whether the stack -// is realizable in practice. Currently, it equals the number of call -// sites in stack that go through standard libraries. Such call stacks -// have been experimentally shown to often result in false positives. -func confidence(stack vulncheck.CallStack) int { - c := 0 - for _, e := range stack { - if isStdPackage(e.Function.PkgPath) { - c += 1 - } - } - return c -} - -// weight was taken directly from the vuln package, which is released under BSD-style license: https://github.com/golang/vuln/blob/cac67f5c7c815b458cf683c41541d157d8217beb/vulncheck/witness.go#L270-L280 -// isStdPackage checks if the provided pkg is a standard package -func isStdPackage(pkg string) bool { - if pkg == "" { - return false - } - // std packages do not have a "." in their path. For instance, see - // Contains in pkgsite/+/refs/heads/master/internal/stdlbib/stdlib.go. 
- if i := strings.IndexByte(pkg, '/'); i != -1 { - pkg = pkg[:i] - } - return !strings.Contains(pkg, ".") -} - -// weight was taken directly from the vuln package, which is released under BSD-style license: https://github.com/golang/vuln/blob/cac67f5c7c815b458cf683c41541d157d8217beb/vulncheck/witness.go#L260-L268 -// weight computes an approximate measure of how easy is to understand the call -// stack when presented to the client as a witness. The smaller the value, the more -// understandable the stack is. Currently defined as the number of unresolved -// call sites in the stack. -func weight(stack vulncheck.CallStack) int { - // - w := 0 - for _, e := range stack { - if e.Call != nil && !e.Call.Resolved { - w += 1 - } - } - return w -} diff --git a/pkg/vulncheck/runner.go b/pkg/vulncheck/runner.go index 3093f0d..8d988a7 100644 --- a/pkg/vulncheck/runner.go +++ b/pkg/vulncheck/runner.go @@ -6,8 +6,8 @@ import ( "os" "os/exec" + "github.com/Templum/govulncheck-action/pkg/types" "github.com/rs/zerolog" - "golang.org/x/vuln/vulncheck" ) const ( @@ -17,7 +17,7 @@ const ( ) type Scanner interface { - Scan() (*vulncheck.Result, error) + Scan() (*types.Result, error) } type CmdScanner struct { @@ -29,7 +29,7 @@ func NewScanner(logger zerolog.Logger, workDir string) Scanner { return &CmdScanner{log: logger, workDir: workDir} } -func (r *CmdScanner) Scan() (*vulncheck.Result, error) { +func (r *CmdScanner) Scan() (*types.Result, error) { pkg := os.Getenv(envPackage) r.log.Info().Msgf("Running govulncheck for package %s in dir %s", pkg, r.workDir) @@ -49,7 +49,7 @@ func (r *CmdScanner) Scan() (*vulncheck.Result, error) { return nil, cmdErr } - var result vulncheck.Result + var result types.Result err := json.Unmarshal(out, &result) if err != nil { r.log.Error().Err(err).Msg("parsing govulncheck output yielded error") 
@@ -57,5 +57,25 @@ func (r *CmdScanner) Scan() (*vulncheck.Result, error) { } r.log.Info().Msg("Successfully scanned project") + + if os.Getenv("DEBUG") == "true" { + fileName := "raw-report.json" + reportFile, err := os.Create(fileName) + + r.log.Debug().Str("fileName", fileName).Msg("Making a copy of the raw vulncheck json report which can be exposed for debugging") + + if err != nil { + r.log.Debug().Err(err).Msg("Failed to create copy will proceed with normal flow") + return &result, nil + } + + defer reportFile.Close() + + _, err = reportFile.Write(out) + if err != nil { + r.log.Debug().Err(err).Msg("Failed to write copy to disk will proceed with normal flow") + } + } + return &result, nil } diff --git a/pkg/vulncheck/static_runner.go b/pkg/vulncheck/static_runner.go index e9d2070..c2241e9 100644 --- a/pkg/vulncheck/static_runner.go +++ b/pkg/vulncheck/static_runner.go @@ -5,8 +5,8 @@ import ( "errors" "os" + "github.com/Templum/govulncheck-action/pkg/types" "github.com/rs/zerolog" - "golang.org/x/vuln/vulncheck" ) type StaticScanner struct { @@ -18,10 +18,10 @@ func NewLocalScanner(logger zerolog.Logger, pathToFile string) Scanner { return &StaticScanner{log: logger, path: pathToFile} } -func (r *StaticScanner) Scan() (*vulncheck.Result, error) { +func (r *StaticScanner) Scan() (*types.Result, error) { out, _ := os.ReadFile(r.path) - var result vulncheck.Result + var result types.Result err := json.Unmarshal(out, &result) if err != nil { return nil, errors.New("scan failed to produce proper report")
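Review bot: The debug copy in `Scan` uses `os.Create`, a deferred `Close` and a separate `Write`, with the "Making a copy" log emitted before the create error is checked and the `Close` error discarded; `os.WriteFile` does the same in one call with a single error check and no `defer` inside a conditional. The file is written to `raw-report.json` relative to the process working directory rather than to `r.workDir`, which the scanner already holds, so the location is implicit; if the working directory is the intended place, `filepath.Join(r.workDir, "raw-report.json")` (with `path/filepath` imported) makes that explicit and worth documenting, since the raw report embeds absolute build-environment paths as the fixture in this diff shows. `Scan` starts outside this hunk; the block below replaces the new `if os.Getenv("DEBUG") == "true" { … }` body.
```go
	r.log.Info().Msg("Successfully scanned project")

	if os.Getenv("DEBUG") == "true" {
		// Best effort: failing to keep the debug copy must not fail the scan.
		fileName := filepath.Join(r.workDir, "raw-report.json")
		if err := os.WriteFile(fileName, out, 0o644); err != nil {
			r.log.Debug().Err(err).Msg("Failed to write copy to disk will proceed with normal flow")
		} else {
			r.log.Debug().Str("fileName", fileName).Msg("Making a copy of the raw vulncheck json report which can be exposed for debugging")
		}
	}

	return &result, nil
```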