x/vuln/cmd/govulncheck: umbrella issue for govulncheck updates #56207

Closed
julieqiu opened this issue Oct 13, 2022 · 5 comments
Labels
NeedsFix The path to resolution is known, but the work has not been done. umbrella UX Issues that involve UXD/UXR input vulncheck or vulndb Issues for the x/vuln or x/vulndb repo

Comments

@julieqiu
Member

julieqiu commented Oct 13, 2022

This is the umbrella issue for upcoming changes to govulncheck:

  1. 56177: vulnerability count does not match vulnerability numbering
  2. 56176: verbose mode shows redundant call stacks
  3. 56097: communicate current Go version to user when analyzing source
  4. 56206: surface a "fixed" version when the fix is in a subsequent major version
  5. 53867: provide version flag
  6. 53866: provide an option to scan multiple binaries in a directory

/cc @golang/vulndb

@julieqiu julieqiu changed the title x/vuln/cmd/govulncheck: umbrella issue for updates x/vuln/cmd/govulncheck: umbrella issue for govulncheck updates Oct 13, 2022
@julieqiu julieqiu added vulncheck or vulndb Issues for the x/vuln or x/vulndb repo UX Issues that involve UXD/UXR input labels Oct 13, 2022
@julieqiu julieqiu added this to the vuln/2022 milestone Oct 13, 2022
@joedian joedian added the NeedsFix The path to resolution is known, but the work has not been done. label Oct 14, 2022
@gopherbot

Change https://go.dev/cl/461646 mentions this issue: cmd/govulncheck: show results per (vulnerability, module) grouping

@gopherbot

Change https://go.dev/cl/463099 mentions this issue: cmd/govulncheck: add progress output

gopherbot pushed a commit to golang/vuln that referenced this issue Jan 25, 2023
Instead of showing results per each package whose symbols are called, we
now show vulnerabilities instead. We also break each vulnerability by
modules whose symbols have been exercised. Explicit package info is
omitted as it can be deduced from the shown call stacks.

This also fixes the issue of incorrect vulnerability counting. Other
changes involve keeping things consistent between the main part and
Informational.

Updates golang/go#56207
Fixes golang/go#56177

Change-Id: I4cc12881443938cd3eb4f581e6689e53daeb28c7
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/461646
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
gopherbot pushed a commit to golang/vuln that referenced this issue Jan 25, 2023
There are two progress output messages: one for source and one for binaries.
The latter one is simpler since the binary analysis is almost instantaneous.

Fixes golang/go#56501
Updates golang/go#56207

Change-Id: I381c8ef3b7db9c87c52ef6b2132b79be940b8b3d
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/463099
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
@gopherbot

Change https://go.dev/cl/463105 mentions this issue: cmd/govulncheck: print progress messages only in text mode

gopherbot pushed a commit to golang/vuln that referenced this issue Jan 25, 2023
Otherwise, the JSON output is corrupted.

Updates golang/go#56501
Updates golang/go#56207

Change-Id: I97a7dff99f1a06d001280079ccccc2fed211de70
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/463105
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Zvonimir Pavlinovic <zpavlinovic@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
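Why the progress-gating in the commit above matters to anyone consuming `-json` output in CI: the following added example (not code from x/vuln, and using a constructed, hypothetical result shape rather than govulncheck's real schema) simulates both the ungated and the gated behaviour and shows that a single progress line in front of the JSON document makes the whole stream unparseable.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Finding is a constructed stand-in for one result entry (not the real schema).
type Finding struct {
	ID     string `json:"id"`
	Module string `json:"module"`
}

// Scan simulates a run and returns the whole stdout stream; gateProgress mirrors the fix.
func Scan(jsonMode, gateProgress bool, fs []Finding) string {
	var out bytes.Buffer
	if !jsonMode || !gateProgress {
		// Before the fix this line went out unconditionally, ahead of the JSON document.
		fmt.Fprintln(&out, "Scanning your code for known vulnerabilities...")
	}
	if jsonMode {
		_ = json.NewEncoder(&out).Encode(fs)
		return out.String()
	}
	for i, f := range fs {
		fmt.Fprintf(&out, "Vulnerability #%d: %s in %s\n", i+1, f.ID, f.Module)
	}
	return out.String()
}

// ParseJSON is what a CI step does with -json output: stdout must be one clean JSON document.
func ParseJSON(stream string) ([]Finding, error) {
	var fs []Finding
	err := json.Unmarshal([]byte(stream), &fs)
	return fs, err
}

// Sample is constructed input with placeholder IDs, not real advisories.
var Sample = []Finding{
	{ID: "GO-0000-0001", Module: "example.com/a"},
	{ID: "GO-0000-0002", Module: "example.com/b"},
}

func main() {
	_, ungated := ParseJSON(Scan(true, false, Sample))
	_, gated := ParseJSON(Scan(true, true, Sample))
	fmt.Printf("ungated parse error: %v\ngated parse error: %v\n", ungated, gated)
}
```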
@gopherbot

Change https://go.dev/cl/463106 mentions this issue: cmd/govulncheck: add environment message

gopherbot pushed a commit to golang/vuln that referenced this issue Jan 30, 2023
We define environment as Go version at PATH (shown only for source
mode), govulncheck version (effectively x/vuln version), and list of
vulnerability databases with their timestamp.

The CL also moves some code around.

Fixes golang/go#56097
Fixes golang/go#56514
Updates golang/go#56207

Change-Id: I2e2f179a5421b3dfc1e1f1e4bd0ed13d16735364
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/463106
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
softdev050 added a commit to softdev050/Golangvuln that referenced this issue Apr 5, 2023
softdev050 added a commit to softdev050/Golangvuln that referenced this issue Apr 5, 2023
softdev050 added a commit to softdev050/Golangvuln that referenced this issue Apr 5, 2023
softdev050 added a commit to softdev050/Golangvuln that referenced this issue Apr 5, 2023
@julieqiu julieqiu modified the milestones: vuln/2022, vuln/unplanned Apr 7, 2023
sayjun0505 added a commit to sayjun0505/Golangvuln that referenced this issue Apr 8, 2023
sayjun0505 added a commit to sayjun0505/Golangvuln that referenced this issue Apr 8, 2023
sayjun0505 added a commit to sayjun0505/Golangvuln that referenced this issue Apr 8, 2023
sayjun0505 added a commit to sayjun0505/Golangvuln that referenced this issue Apr 8, 2023
stanislavkononiuk added a commit to stanislavkononiuk/Golangvuln that referenced this issue Jun 26, 2023
stanislavkononiuk added a commit to stanislavkononiuk/Golangvuln that referenced this issue Jun 26, 2023
stanislavkononiuk added a commit to stanislavkononiuk/Golangvuln that referenced this issue Jun 26, 2023
stanislavkononiuk added a commit to stanislavkononiuk/Golangvuln that referenced this issue Jun 26, 2023
@zpavlinovic
Contributor

This issue is not needed anymore as the new version of govulncheck has been released (and only 6 is now left to do).
