x/vuln: respect GOPRIVATE env variable #55105


Closed
ArtAndreev opened this issue Sep 16, 2022 · 3 comments
Labels: FrozenDueToAge; NeedsDecision (Feedback is required from experts, contributors, and/or the community before a change can be made.); vulncheck or vulndb (Issues for the x/vuln or x/vulndb repo); x/vuln

ArtAndreev commented Sep 16, 2022

What version of Go are you using (go version)?

$ go version
go version go1.19.1 darwin/arm64

Does this issue reproduce at the latest version of golang.org/x/vuln?

Yes, reproduced on the latest govulncheck from go install golang.org/x/vuln/cmd/govulncheck@latest. Actually, not from the tool, but from the codebase.

What operating system and processor architecture are you using (go env)?

$ go env
GO111MODULE="on"
GOARCH="arm64"
GOBIN=""
GOCACHE="/Users/ar.s.andreev/Library/Caches/go-build"
GOENV="/Users/ar.s.andreev/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="arm64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/ar.s.andreev/go/pkg/mod"
GONOPROXY="" # removed because it's sensitive information.
GONOSUMDB="" # removed because it's sensitive information.
GOOS="darwin"
GOPATH="/Users/ar.s.andreev/go"
GOPRIVATE="" # removed because it's sensitive information.
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_arm64"
GOVCS=""
GOVERSION="go1.19.1"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/dev/null"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/f5/tvc95lsd2tgfjkb489878h_40000gq/T/go-build534434502=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

Walked through code in https://github.com/golang/vuln/blob/master/cmd/govulncheck/main.go, searched for usage of GOPRIVATE env variable and found nothing.

What did you expect to see?

Expected this tool to respect the GOPRIVATE env variable and not run checks of dependencies with domains in this variable, like checksum checks. I don't want to expose the domains and URL structure of deps.

From go help environment:

GOPRIVATE, GONOPROXY, GONOSUMDB
        Comma-separated list of glob patterns (in the syntax of Go's path.Match)
        of module path prefixes that should always be fetched directly
        or that should not be compared against the checksum database.
        See https://golang.org/ref/mod#private-modules.

What did you see instead?

Nothing, but it would be interesting to hear opinions on this situation. Should the tool scan all deps or not? Will there be a way to exclude some dependencies?
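An added example (not code from this issue, from x/vuln or from cmd/go) of the prefix-glob rule quoted above from go help environment: each comma-separated pattern is matched with path.Match against the module-path prefix that has as many elements as the pattern, and the result is used to separate modules GOPRIVATE covers from those that could be looked up in a vulnerability database. The hosts and module paths are constructed placeholders, since the reporter redacted the real GOPRIVATE value.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// matchPrefixPatterns applies the rule quoted from `go help environment`:
// each comma-separated glob is path.Match'ed against the prefix of target
// with as many path elements as the glob has. Written for this example.
func matchPrefixPatterns(globs, target string) bool {
	elems := strings.Split(target, "/")
	for _, glob := range strings.Split(globs, ",") {
		glob = strings.TrimSpace(glob)
		if glob == "" {
			continue
		}
		n := strings.Count(glob, "/") // glob with n slashes spans n+1 elements
		if len(elems) < n+1 {
			continue // target is shorter than the glob; cannot match
		}
		prefix := strings.Join(elems[:n+1], "/")
		if ok, _ := path.Match(glob, prefix); ok {
			return true
		}
	}
	return false
}

// splitPrivate separates modules GOPRIVATE covers (keep off the network)
// from those that could be sent to a vulnerability database.
func splitPrivate(goprivate string, modules []string) (private, public []string) {
	for _, m := range modules {
		if matchPrefixPatterns(goprivate, m) {
			private = append(private, m)
		} else {
			public = append(public, m)
		}
	}
	return private, public
}

func main() {
	// Constructed sample values; the issue's real GOPRIVATE was redacted.
	goprivate := "*.corp.example.com,git.example.org/internal"
	mods := []string{"github.com/golang/vuln", "gitlab.corp.example.com/team/svc",
		"git.example.org/internal/auth", "git.example.org/public/lib"}
	private, public := splitPrivate(goprivate, mods)
	fmt.Println("skip (GOPRIVATE):", private, "\nmay query db:", public)
}
```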

@ArtAndreev ArtAndreev added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Sep 16, 2022
@gopherbot gopherbot added this to the Unreleased milestone Sep 16, 2022
@cherrymui cherrymui added the NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. label Sep 19, 2022
@cherrymui (Member) commented:

cc @golang/vulndb

@zpavlinovic zpavlinovic self-assigned this Sep 19, 2022
@zpavlinovic zpavlinovic modified the milestones: Unreleased, vuln/2022 Sep 19, 2022
@zpavlinovic (Contributor) commented:

Currently, the only information about user code that is transmitted over the network is the set of user module paths for which there exist known vulnerabilities in the (specified) vulnerability database: we do not query the db with a module path for which the db does not have any vulnerability info.

We haven't added support for GOPRIVATE at this moment as it is unlikely that a private package would have vulnerability info in a database. (Even if it did, such information would be already public if the database is public, or if the database is private then this information would hence stay private.)

Do you see scenarios where GOPRIVATE would be useful here? Would supporting it increase your confidence or should we perhaps document this explicitly?

@rsc @julieqiu

@ArtAndreev (Author) commented:

Thanks for the answer; sorry, I thought my package names were sent to be compared with entries in the db. I'll close the issue.

@golang golang locked and limited conversation to collaborators Sep 20, 2023