x/vulndb: consider encoding known false positive paths in reports #51574

Status: Open
rolandshoemaker opened this issue Mar 9, 2022 · 0 comments
Labels: NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one); vulncheck or vulndb (Issues for the x/vuln or x/vulndb repo)

Comment by @rolandshoemaker (Member):

Looking at #51565, this is an obvious case of a false positive. Any package that imports x/text will be immediately marked as vulnerable, since there is a (non-vulnerable) usage of the vulnerable symbol in an init function.

This seems like something we should be able to avoid, since it creates noise that is likely to irritate users and maintainers. Possibly including some metadata in the report could help vulncheck ignore these kinds of cases. One option is to include call chain fragments which vulncheck can use to ignore specific chains during analysis. For example, in this case any chain terminating in x/text/cases.init#1 -> x/text/language.MustParse can be safely ignored, since we know that particular invocation is not vulnerable.

Also, we should look into tooling that detects, or at least surfaces, this kind of issue during report ingestion.

cc @golang/vulndb
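As an added illustration of the proposal in the comment above (this is not code from x/vuln, x/vulndb or the issue itself): a small Go filter that drops any call chain terminating in a report-supplied ignore fragment and keeps the rest for reporting. The CallChain and IgnoreFragment types, the shortened symbol names and the sample chains are constructed for this example and assume a report carries fragments as ordered symbol lists.

```go
package main

import "fmt"

// CallChain lists symbols from an entry point down to the vulnerable symbol (last).
type CallChain []string

// IgnoreFragment is the hypothetical report metadata: symbols that, when they terminate a chain, mark it as a known false positive.
type IgnoreFragment []string

// TerminatesIn reports whether chain ends with exactly the symbols in frag.
// Matching is on whole symbols, so "language.Parse" never matches "language.MustParse".
func TerminatesIn(chain CallChain, frag IgnoreFragment) bool {
	if len(frag) == 0 || len(frag) > len(chain) {
		return false
	}
	off := len(chain) - len(frag)
	for i, sym := range frag {
		if chain[off+i] != sym {
			return false
		}
	}
	return true
}

// FilterChains keeps only chains matching none of the fragments; those are the findings a checker would still report.
func FilterChains(chains []CallChain, ignore []IgnoreFragment) []CallChain {
	kept := []CallChain{}
next:
	for _, c := range chains {
		for _, f := range ignore {
			if TerminatesIn(c, f) {
				continue next
			}
		}
		kept = append(kept, c)
	}
	return kept
}

func main() {
	// Constructed sample: the issue's fragment, plus one chain through the init-time call and one direct call.
	ignore := []IgnoreFragment{{"x/text/cases.init#1", "x/text/language.MustParse"}}
	chains := []CallChain{
		{"example.com/app.main", "x/text/cases.init#1", "x/text/language.MustParse"},
		{"example.com/app.main", "example.com/app.handle", "x/text/language.MustParse"},
	}
	fmt.Println(FilterChains(chains, ignore)) // only the app.handle chain remains
}
```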

@rolandshoemaker rolandshoemaker added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Mar 9, 2022
@rolandshoemaker rolandshoemaker self-assigned this Mar 9, 2022
@gopherbot gopherbot added this to the Unreleased milestone Mar 9, 2022
@julieqiu julieqiu added vulncheck or vulndb Issues for the x/vuln or x/vulndb repo and removed vulndb labels Sep 2, 2022
@julieqiu julieqiu modified the milestones: Unreleased, vuln/unplanned Sep 8, 2022