x/vuln/cmd/govulncheck: TestCommand broken by CL 381317 #52712

Closed
bcmills opened this issue May 4, 2022 · 3 comments
Labels
Analysis Issues related to static analysis (vet, x/tools/go/analysis) FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. release-blocker vulncheck or vulndb Issues for the x/vuln or x/vulndb repo

bcmills commented May 4, 2022

--- FAIL: TestCommand (18.36s)
    cmdtest.go:444: $ govulncheck /workdir/tmp/buildtest1891374829/novuln
    cmdtest.go:475: 
    cmdtest.go:444: $ govulncheck /workdir/tmp/buildtest862171909/vuln
    cmdtest.go:475: package:        golang.org/x/text/language
        your version:   v0.3.0
        fixed version:  v0.3.7
        reference:      https://pkg.go.dev/vuln/GO-2021-0113
        description:    Due to improper index calculation, an incorrectly formatted
                        language tag can cause Parse to panic via an out of bounds read.
                        If Parse is used to process untrusted user inputs, this may be
                        used as a vector for a denial of service attack.
        
        
    cmdtest.go:444: $ cdmodule novuln
    cmdtest.go:475: 
    cmdtest.go:444: $ govulncheck .
    --- FAIL: TestCommand/testdata/default (0.72s)
        cmdtest.go:320: testdata/default.ct:5: "govulncheck ." failed with exit status 2. Output:
            panic: T
            
            goroutine 549 [running]:
            golang.org/x/tools/go/ssa.(*Program).needMethods(0xdc1a0e0, {0x8615798, 0x99f9300}, 0x0)
            	/workdir/gopath/pkg/mod/golang.org/x/[email protected]/go/ssa/methods.go:237 +0x571
            golang.org/x/tools/go/ssa.(*Program).needMethods(0xdc1a0e0, {0x8615720, 0x9995ba0}, 0x0)
            	/workdir/gopath/pkg/mod/golang.org/x/[email protected]/go/ssa/methods.go:193 +0x504
            golang.org/x/tools/go/ssa.(*Program).needMethods(0xdc1a0e0, {0x8615780, 0x99d2f20}, 0x0)
            	/workdir/gopath/pkg/mod/golang.org/x/[email protected]/go/ssa/methods.go:233 +0x5ab
            golang.org/x/tools/go/ssa.(*Program).needMethods(0xdc1a0e0, {0x8615720, 0xaa717c0}, 0x0)
            	/workdir/gopath/pkg/mod/golang.org/x/[email protected]/go/ssa/methods.go:181 +0x186
            golang.org/x/tools/go/ssa.(*Program).needMethods(0xdc1a0e0, {0x8615708, 0x998e640}, 0x0)
            	/workdir/gopath/pkg/mod/golang.org/x/[email protected]/go/ssa/methods.go:215 +0x358
            golang.org/x/tools/go/ssa.(*Program).needMethodsOf(0xdc1a0e0, {0x8615708, 0x998e640})
            	/workdir/gopath/pkg/mod/golang.org/x/[email protected]/go/ssa/methods.go:145 +0x4b
            golang.org/x/tools/go/ssa.(*Package).build(0xb040600)
            	/workdir/gopath/pkg/mod/golang.org/x/[email protected]/go/ssa/builder.go:2281 +0xe8
            sync.(*Once).doSlow(0xb040618, 0x95c87dc)
            	/workdir/go/src/sync/once.go:70 +0xb3
            sync.(*Once).Do(0xb040618, 0x95c87dc)
            	/workdir/go/src/sync/once.go:61 +0x3f
            golang.org/x/tools/go/ssa.(*Package).Build(...)
            	/workdir/gopath/pkg/mod/golang.org/x/[email protected]/go/ssa/builder.go:2269
            golang.org/x/tools/go/ssa.(*Program).Build.func1(0xb040600)
            	/workdir/gopath/pkg/mod/golang.org/x/[email protected]/go/ssa/builder.go:2253 +0x54
            created by golang.org/x/tools/go/ssa.(*Program).Build
            	/workdir/gopath/pkg/mod/golang.org/x/[email protected]/go/ssa/builder.go:2252 +0x16c

(CC @rsc, @jba, @golang/security)

gopherbot added the vulncheck or vulndb (Issues for the x/vuln or x/vulndb repo) label May 4, 2022
gopherbot added this to the Unreleased milestone May 4, 2022
bcmills added the NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.) and release-blocker labels May 4, 2022
bcmills modified the milestones: Unreleased, Go1.19 May 4, 2022
zpavlinovic added the Analysis (Issues related to static analysis (vet, x/tools/go/analysis)) label May 4, 2022
@zpavlinovic

This is likely due to the previously incomplete generics support for ssa. This should be resolved now. A fix hence might be to just update the tools dependency to the newest version.

bcmills commented May 4, 2022

@zpavlinovic, want to send a CL? (I'd be happy to give it a quick +2.)

bcmills commented May 5, 2022

Fixed by https://go.dev/cl/404115.

bcmills closed this as completed May 5, 2022
golang locked and limited conversation to collaborators Jun 22, 2023