x/vuln/cmd/govulncheck: CVEs are not detected in GOPATH mode #53741

rittneje · 2022-07-08T01:15:34Z

Reopening #51591 because the issue is still present.

What version of Go are you using (`go version`)?

$ go version
go version go1.17.11 darwin/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (`go env`)?

go env Output

$ go env
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/tmp/.gocache"
GOENV="/Users/rittneje/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/rittneje/test/pkg/mod"
GONOPROXY="REDACTED"
GONOSUMDB="REDACTED"
GOOS="darwin"
GOPATH="/Users/rittneje/test"
GOPRIVATE="REDACTED"
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/Users/rittneje/go1.17.11"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/Users/rittneje/go1.17.11/pkg/tool/darwin_amd64"
GOVCS="REDACTED"
GOVERSION="go1.17.11"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/kf/kr7_s3xx0l12zbj3jrn082hmzy5gvy/T/go-build1950822096=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

go.mod

module cvetest

go 1.16

require (
	golang.org/x/text v0.3.0
)

main.go

package main

import (
	"golang.org/x/text/language"
)

func main() {
	language.Parse("")
}

These files are located under $GOPATH/src/cvetest.

I then ran govulncheck cvetest in $GOPATH.

What did you expect to see?

Either it should report the vulnerability, or at least it should fail with an appropriate error message if this mode of operation is not supported.

Scanning for dependencies with known vulnerabilities...
Found 1 known vulnerability.
-------------------------------------------------------

GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can cause Parse
to panic via an out of bounds read. If Parse is used to process untrusted user inputs,
this may be used as a vector for a denial of service attack.

Call stacks in your code:
 cvetest.main calls golang.org/x/text/language.Parse

Found in:  golang.org/x/text/language@v0.3.0
Fixed in:  golang.org/x/text/language@v0.3.7
More info: https://pkg.go.dev/vuln/GO-2021-0113

What did you see instead?

Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.

If I run the same command in $GOPATH/src/cvetest then it works.

The text was updated successfully, but these errors were encountered:

zpavlinovic · 2022-10-05T23:31:00Z

I get the following message with the latest govulncheck version:

govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
govulncheck: no go.mod file

govulncheck only works Go with modules. To make your project a module, run go mod init.

See https://go.dev/doc/modules/managing-dependencies for more information.

I get this error everywhere except when I am in the cvetest directory.

Could you confirm you get the same or something different?

rittneje · 2022-10-09T00:27:11Z

@zpavlinovic No, I continue to get the same output as before with the latest version (v0.0.0-20221007155627-b5628b3a3e55).

In $GOPATH:

govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.

In $GOPATH/src/cvetest:

govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
Found 1 known vulnerability.

Vulnerability #1: GO-2021-0113
Due to improper index calculation, an incorrectly formatted
language tag can cause Parse to panic via an out of bounds read.
If Parse is used to process untrusted user inputs, this may be
used as a vector for a denial of service attack.

Call stacks in your code:
main.go:8:16: cvetest.main calls golang.org/x/text/language.Parse

Found in: golang.org/x/text/language@v0.3.0
Fixed in: golang.org/x/text/language@v0.3.7
More info: https://pkg.go.dev/vuln/GO-2021-0113

zpavlinovic · 2022-10-15T00:01:31Z

What do you get when you run govulncheck cvetest outside of $GOPATH altogether?

rittneje · 2022-10-15T01:01:08Z

@zpavlinovic It gives the same output.

govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.

zpavlinovic · 2022-10-17T16:19:20Z

Hm, really unexpected.

What happens if you try to govulncheck some different packages, say "nonexistent" that should not exist and similar? Sorry for going back and forth with this, but I cannot reproduce the issue so I am trying to gather as much information as possible.

rittneje · 2022-10-17T17:03:09Z

A non-existent package yields this output:

govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
govulncheck: no go.mod file

govulncheck only works Go with modules. To make your project a module, run go mod init.

See https://go.dev/doc/modules/managing-dependencies for more information.

Strangely, even though that implies that it first searches for the go.mod file, if I remove the go.mod file from $GOPATH/src/cvetest, it still gives me the wrong output no matter which directory I run it from.

govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.

rittneje · 2022-10-17T17:06:54Z

@zpavlinovic I think I figured out the issue. Somehow govulncheck is sensitive to the presence of the $GOPATH/src/cvetest/vendor folder (created via go mod vendor). If that folder exists, then it does not yield any warning message when executed in GOPATH mode. Deleting the vendor folder and running in GOPATH mode yields the following output:

govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
govulncheck: no go.mod file

govulncheck only works Go with modules. To make your project a module, run go mod init.

See https://go.dev/doc/modules/managing-dependencies for more information.

This output is particularly confusing because there is a go.mod file.

gopherbot · 2022-10-17T20:39:53Z

Change https://go.dev/cl/443455 mentions this issue: internal/govulncheck: add running in GOPATH error

zpavlinovic · 2022-10-17T23:44:15Z

Thanks, that helps. I believe govulncheck is behaving correctly (at least it is consistent with golang.org/x/tools/go/packages/gopackages command), but we'll try to improve error messaging for GOPATH.

As the documentation states, govulncheck is always expected to be executed from the module directory. When in $GOPATH/src/cvetest, that is true. Also, since there exists a go.mod file, loading of packages will be done in MODULES mode despite the fact that we are somewhere in $GOPATH. This is due to GO111MODULE="auto". That is why everything works in this case regardless of vendoring.

When in $GOPATH instead, the loading of packages is done in GOPATH mode. Vendoring here plays a big role. When the dependencies are vendored, GOPATH mode can load the packages but there will be no versions. That is why the result is that there are no vulnerabilities. We'll add an error communicating when module information is not available as otherwise one can get a false sense of security.

When the dependencies are not vendored, then the module system needs to be consulted to load dependencies appropriately (as cvetest is a module) and that overrides GOPATH mode. It raises a loading error and since govulncheck then cannot find any go.mod file in the current directory , we get the "no go.mod message". This is expected. We'll update the error message to additionally hint that navigating to the module directory is also one possibility for a quick fix (instead of just suggesting to run go mod init).

Follows https://go-review.git.corp.google.com/c/vuln/+/395241 Fixes golang/go#53741 Change-Id: I9d751cd40530fd31c1d86c26dd4f718681b7719c Reviewed-on: https://go-review.googlesource.com/c/vuln/+/443455 Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com> Reviewed-by: Jonathan Amsterdam <jba@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>

gopherbot added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Jul 8, 2022

gopherbot added this to the Unreleased milestone Jul 8, 2022

heschi added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jul 8, 2022

gopherbot added the x/vuln label Aug 31, 2022

julieqiu removed the x/vuln label Sep 2, 2022

julieqiu modified the milestones: Unreleased, vuln/unplanned Sep 8, 2022

zpavlinovic self-assigned this Oct 5, 2022

zpavlinovic added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Oct 5, 2022

zpavlinovic added the NeedsFix The path to resolution is known, but the work has not been done. label Oct 17, 2022

gopherbot removed the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Oct 17, 2022

gopherbot closed this as completed in golang/vuln@da9ba2a Oct 18, 2022

golang locked and limited conversation to collaborators Oct 18, 2023

gopherbot added the FrozenDueToAge label Oct 18, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vuln/cmd/govulncheck: CVEs are not detected in GOPATH mode #53741

x/vuln/cmd/govulncheck: CVEs are not detected in GOPATH mode #53741

rittneje commented Jul 8, 2022

zpavlinovic commented Oct 5, 2022 •

edited

rittneje commented Oct 9, 2022

zpavlinovic commented Oct 15, 2022

rittneje commented Oct 15, 2022

zpavlinovic commented Oct 17, 2022

rittneje commented Oct 17, 2022

rittneje commented Oct 17, 2022 •

edited

gopherbot commented Oct 17, 2022

zpavlinovic commented Oct 17, 2022 •

edited

x/vuln/cmd/govulncheck: CVEs are not detected in GOPATH mode #53741

x/vuln/cmd/govulncheck: CVEs are not detected in GOPATH mode #53741

Comments

rittneje commented Jul 8, 2022

What version of Go are you using (go version)?

Does this issue reproduce with the latest release?

What operating system and processor architecture are you using (go env)?

What did you do?

What did you expect to see?

What did you see instead?

zpavlinovic commented Oct 5, 2022 • edited

rittneje commented Oct 9, 2022

zpavlinovic commented Oct 15, 2022

rittneje commented Oct 15, 2022

zpavlinovic commented Oct 17, 2022

rittneje commented Oct 17, 2022

rittneje commented Oct 17, 2022 • edited

gopherbot commented Oct 17, 2022

zpavlinovic commented Oct 17, 2022 • edited

What version of Go are you using (`go version`)?

What operating system and processor architecture are you using (`go env`)?

zpavlinovic commented Oct 5, 2022 •

edited

rittneje commented Oct 17, 2022 •

edited

zpavlinovic commented Oct 17, 2022 •

edited