x/vuln: fails to run in monorepo with non-go programming language files #54895

Closed
lbhdc opened this issue Sep 6, 2022 · 6 comments
Assignees: zpavlinovic
Labels: FrozenDueToAge; NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one); vulncheck or vulndb (Issues for the x/vuln or x/vulndb repo); WaitingForInfo (Issue is not actionable because of missing required information, which needs to be provided)
Milestone: vuln/2022

Comments

@lbhdc

lbhdc commented Sep 6, 2022

What version of Go are you using (go version)?

$ go version
go version go1.18.5 linux/amd64

Does this issue reproduce at the latest version of golang.org/x/vuln?

yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home//.cache/go-build"
GOENV="/home//.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home//go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home//go"
GOPRIVATE=""
GOPROXY="direct"
GOROOT="/usr/lib/golang"
GOSUMDB="off"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/golang/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.18.5"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/home///go.mod"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3715058208=/tmp/go-build -gno-record-gcc-switches"

What did you do?

cd <repo root>
govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
govulncheck: Packages contain errors:
-: C++ source files not allowed when not using cgo or SWIG: 

What did you expect to see?

govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.

What did you see instead?

cd <repo root>
govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
govulncheck: Packages contain errors:
-: C++ source files not allowed when not using cgo or SWIG: <cpp files>

In my monorepo most of the code is separated by language, but some of it isn't (code generated from protobufs lives next to the protos used to generate them). When I attempt to run with a more limited scope to only hit my Go code dir, I still run into the same issue. govulncheck walks the directory to where those generated sources are, but chokes on the C++ files there. Those C++ files aren't used by any of the Go programs.

govulncheck ./<gocode>/...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
govulncheck: Packages contain errors:
-: C++ source files not allowed when not using cgo or SWIG: ...
@lbhdc lbhdc added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Sep 6, 2022
@gopherbot gopherbot added this to the Unreleased milestone Sep 6, 2022
@julieqiu julieqiu removed the x/vuln label Sep 6, 2022
@mknyszek mknyszek added NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. x/vuln labels Sep 6, 2022
@mknyszek
Contributor

mknyszek commented Sep 6, 2022

CC @golang/vulndb

@julieqiu julieqiu removed the x/vuln label Sep 6, 2022
@julieqiu julieqiu modified the milestones: Unreleased, vuln/2022 Sep 6, 2022
@lbhdc
Author

lbhdc commented Sep 6, 2022

I found a workaround. Setting the CGO_ENABLED var to false prevents the toolchain from looking for C files. Still not sure why cgo cares about C++ files when it can't use them.

CGO_ENABLED=0 govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.

@zpavlinovic
Contributor

Thanks for bringing this up. Do you have a reproducible example we can work with?

@zpavlinovic zpavlinovic self-assigned this Sep 6, 2022
@lbhdc
Author

lbhdc commented Sep 7, 2022

@zpavlinovic here is a reproduction
https://github.com/lbhdc/go_cgo_error_reporoduction

This is a little harder to reproduce than I was originally thinking. I first tried recreating the problem by creating simple .h, .cc, and .go files, but I didn't encounter the same problem.

Generating cc and go protobuf/grpc sources was able to reproduce the error. I am not sure what is breaking here.

@zpavlinovic
Contributor

I can confirm that the message appears for the reproduction module. But I get the same message when running go test ./... or go build . What happens when you run these two go commands for the original repo?

@zpavlinovic
Contributor

Still not sure why cgo cares about C++ files when it can't use them.

Go does recognize C++ files in the sense that it will try to compile them:

When the Go tool sees that one or more Go files use the special import "C", it will look for other non-Go files in the directory and compile them as part of the Go package. ... Any .cc, .cpp, or .cxx files will be compiled with the C++ compiler.
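
The two comments above (the CGO_ENABLED=0 workaround and the quoted rule about when the go tool compiles .cc files) describe a pre-flight check that can be scripted: find every directory that mixes Go and C++ sources, then see whether any Go file there actually imports "C". The Go program below is an added example, not code from this issue, from govulncheck, or from the reporter's reproduction repository. It builds a small constructed fixture (the native/ and proto/gen/ directory names and their file contents are invented) and lists the directories that would trip the error under the default CGO_ENABLED=1. It is a heuristic mirroring the rule quoted from the cgo documentation, not the go tool's own package loader; the reporter notes that a hand-made h/cc/go trio did not reproduce the failure, so confirm any hit with `go build ./...` before acting on it.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"io/fs"
	"os"
	"path/filepath"
)

// Extensions the go tool hands to the C++ compiler when a package uses cgo.
var cxxExts = map[string]bool{".cc": true, ".cpp": true, ".cxx": true}

// Finding is one directory that holds both Go files and C++ sources.
type Finding struct {
	Dir      string   // relative to the scanned root
	CxxFiles []string // C++ sources found there, in name order
	UsesCgo  bool     // some .go file imports "C"; false means the go tool rejects the dir
}

// ScanMixedDirs walks root and returns, in lexical order, every directory with
// both Go and C++ sources. UsesCgo == false marks the ones behind the error.
func ScanMixedDirs(root string) ([]Finding, error) {
	var findings []Finding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || !d.IsDir() {
			return err
		}
		entries, err := os.ReadDir(path) // sorted by file name
		if err != nil {
			return err
		}
		var goFiles, cxxFiles []string
		for _, e := range entries {
			if ext := filepath.Ext(e.Name()); !e.IsDir() && ext == ".go" {
				goFiles = append(goFiles, filepath.Join(path, e.Name()))
			} else if !e.IsDir() && cxxExts[ext] {
				cxxFiles = append(cxxFiles, e.Name())
			}
		}
		if len(goFiles) == 0 || len(cxxFiles) == 0 {
			return nil // not a mixed directory
		}
		usesCgo := false
		for _, g := range goFiles {
			f, err := parser.ParseFile(token.NewFileSet(), g, nil, parser.ImportsOnly)
			if err != nil {
				return err
			}
			for _, imp := range f.Imports {
				usesCgo = usesCgo || imp.Path.Value == `"C"`
			}
		}
		rel, _ := filepath.Rel(root, path)
		findings = append(findings, Finding{Dir: rel, CxxFiles: cxxFiles, UsesCgo: usesCgo})
		return nil
	})
	return findings, err
}

// BuildFixture writes a constructed miniature monorepo (not the reporter's) to
// a temp dir: native/ has wrap.go (imports "C") beside wrap.cc, a legitimate
// cgo package; proto/gen/ has a.pb.go (no cgo) beside a.pb.cc, the reported case.
func BuildFixture() (string, error) {
	root, err := os.MkdirTemp("", "mixedsrc")
	if err != nil {
		return "", err
	}
	files := map[string]string{
		"native/wrap.go":    "package native\n\n// #include <stdlib.h>\nimport \"C\"\n",
		"native/wrap.cc":    "extern \"C\" int wrapped(void) { return 1; }\n",
		"proto/gen/a.pb.go": "package gen\n\ntype A struct{ X int32 }\n",
		"proto/gen/a.pb.cc": "// constructed stand-in for protoc's C++ output\n",
	}
	for name, body := range files {
		p := filepath.Join(root, name)
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return "", err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return "", err
		}
	}
	return root, nil
}

func main() {
	root, err := BuildFixture()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	findings, err := ScanMixedDirs(root)
	for _, f := range findings {
		fmt.Printf("%-10s cgo=%-5v %v\n", f.Dir, f.UsesCgo, f.CxxFiles)
	}
	if err != nil {
		panic(err)
	}
}
```

Run it against a real checkout by replacing BuildFixture with the repository root. One caveat on the workaround itself: go/build's CgoEnabled flag controls whether files that import "C" are included at all, so `CGO_ENABLED=0 govulncheck ./...` also drops every cgo-using Go file from the scan. For a directory like the constructed native/ above that is a blind spot, not a fix; moving the generated C++ sources out of directories that hold non-cgo Go packages keeps the whole tree scannable with cgo enabled.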

@zpavlinovic zpavlinovic added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Sep 14, 2022
@zpavlinovic zpavlinovic moved this to Done in Go Security Oct 3, 2022
@golang golang locked and limited conversation to collaborators Oct 3, 2023