x/vuln: add flag to provide actionable govulncheck fixes #56569

Closed
el10savio opened this issue Nov 4, 2022 · 5 comments
Assignees
Labels
FeatureRequest: Issues asking for a new feature that does not need a proposal.
FrozenDueToAge
NeedsInvestigation: Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
vulncheck or vulndb: Issues for the x/vuln or x/vulndb repo

Comments

@el10savio

What version of Go are you using (go version)?

$ go version
go version go1.19.2 darwin/amd64

Does this issue reproduce at the latest version of golang.org/x/vuln?

Feature Request:

Provide a flag '--fixes/-f' that would parse the output of govulncheck and suggest actionable steps to fix them.

For example,

  Found in: github.com/gin-gonic/gin@v1.6.3
  Fixed in: github.com/gin-gonic/gin@v1.7.7
  More info: https://pkg.go.dev/vuln/GO-2021-0052

Would output

Please run `go get -u github.com/gin-gonic/gin@v1.7.7`

Also, given that this output would be shown for both direct and indirect dependencies, it would suggest a generic go get message to update the calling dependency (package-function).

<call-stack> --- <package-function> --- <affected-function>

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/e.savio/Library/Caches/go-build"
GOENV="/Users/e.savio/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/e.savio/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/e.savio/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/Cellar/go/1.19.2/libexec"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.19.2/libexec/pkg/tool/darwin_amd64"
GOVCS=""
GOVERSION="go1.19.2"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/dev/null"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/44/79ttc6d962x84fw3_2g0wd2sdh29lk/T/go-build2982873195=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

N/A

What did you expect to see?

N/A

What did you see instead?

N/A

@el10savio el10savio added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Nov 4, 2022
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Nov 4, 2022
@mknyszek mknyszek added the FeatureRequest Issues asking for a new feature that does not need a proposal. label Nov 7, 2022
@mknyszek mknyszek changed the title x/vuln: [Feature Request] Add flag to provide actionable govulncheck fixes x/vuln: add flag to provide actionable govulncheck fixes Nov 7, 2022
@mknyszek
Contributor

mknyszek commented Nov 7, 2022

CC @golang/vulndb

@mknyszek mknyszek added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Nov 7, 2022
@zpavlinovic
Contributor

Would

Please run `go get -u github.com/gin-gonic/gin@v1.7.7`

replace

Found in: github.com/gin-gonic/gin@v1.6.3
Fixed in: github.com/gin-gonic/gin@v1.7.7
More info: https://pkg.go.dev/vuln/GO-2021-0052

or just be an additional row in the latter message?

It seems that Fixed in effectively contains all the needed info. Would the benefit for the user be the ease of copy/paste?

@el10savio
Author

Hi @zpavlinovic,

Yep, I was thinking that when setting the --fixes flag it would only print

go get -u github.com/gin-gonic/gin@v1.7.7

Which I was hoping one could use to pipe into bash to automatically fix vulnerability issues reported that could be fixed by just running go get -u for the appropriate vulnerabilities.

But, to be honest, you are right about the fact that

Found in: github.com/gin-gonic/gin@v1.6.3
Fixed in: github.com/gin-gonic/gin@v1.7.7
More info: https://pkg.go.dev/vuln/GO-2021-0052

Is enough in and of itself. I guess one could just pipe the output to grep "Fixed in" and use that to form the appropriate fixes.

I would be closing the issue since it looks like it's not needed. Thanks a lot for checking out the feature request.

@zpavlinovic zpavlinovic self-assigned this Nov 9, 2022
@zpavlinovic
Contributor

We will definitely investigate the option for providing a -fix flag, but we currently don't know what the outcome of that will be or when it will be determined.

Feel free to close the issue if the grep approach works for you.
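
The parse-and-suggest step sketched in the feature request, and the grep "Fixed in" approach discussed above, as an added example in Go (this is not code from the x/vuln project or from anyone in this thread). It reads govulncheck's plain-text report, collects the `Fixed in:` lines, and emits one `go get` command per module, keeping the highest fixed version when several findings name the same module so that a single upgrade closes all of them. The report excerpt is constructed: the GO-2021-0052 / gin lines are the ones quoted in the issue, while the `example.com/...` modules and the `Fixed in: N/A` line for a finding without a published fix are assumptions about the output format.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Fix is one module upgrade recommended by a govulncheck "Fixed in:" line.
type Fix struct {
	Module  string
	Version string
}

// parseFixedIn extracts module and version from a line such as
// "  Fixed in: github.com/gin-gonic/gin@v1.7.7". It returns ok == false
// for lines that are not "Fixed in:" lines or that carry no module@version
// (assumed here to be how a finding without a published fix is reported).
func parseFixedIn(line string) (Fix, bool) {
	const prefix = "Fixed in:"
	s := strings.TrimSpace(line)
	if !strings.HasPrefix(s, prefix) {
		return Fix{}, false
	}
	s = strings.TrimSpace(strings.TrimPrefix(s, prefix))
	mod, ver, found := strings.Cut(s, "@")
	if !found || mod == "" || ver == "" {
		return Fix{}, false
	}
	return Fix{Module: mod, Version: ver}, true
}

// coreNumbers parses the vMAJOR.MINOR.PATCH core of a semantic version.
// Pre-release and build metadata after '-' or '+' are dropped.
func coreNumbers(v string) [3]int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	for i, part := range strings.SplitN(v, ".", 3) {
		n, err := strconv.Atoi(part)
		if err != nil {
			break
		}
		out[i] = n
	}
	return out
}

// versionLess reports whether version a is lower than b, comparing the
// numeric core so that v1.10.0 sorts above v1.2.0 (a plain string compare
// would get this wrong).
func versionLess(a, b string) bool {
	pa, pb := coreNumbers(a), coreNumbers(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// FixCommands reads govulncheck text output and returns one `go get`
// command per affected module, sorted by module path, using the highest
// fixed version seen for that module.
func FixCommands(output string) []string {
	highest := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		fix, ok := parseFixedIn(sc.Text())
		if !ok {
			continue
		}
		if cur, seen := highest[fix.Module]; !seen || versionLess(cur, fix.Version) {
			highest[fix.Module] = fix.Version
		}
	}
	mods := make([]string, 0, len(highest))
	for m := range highest {
		mods = append(mods, m)
	}
	sort.Strings(mods)
	cmds := make([]string, 0, len(mods))
	for _, m := range mods {
		cmds = append(cmds, fmt.Sprintf("go get %s@%s", m, highest[m]))
	}
	return cmds
}

// sampleOutput is a constructed excerpt in the shape of govulncheck's text
// report. Only the GO-2021-0052 entry comes from the issue; the example.com
// findings are made up to exercise deduplication and the no-fix case.
const sampleOutput = `Vulnerability #1: GO-2021-0052
  Found in: github.com/gin-gonic/gin@v1.6.3
  Fixed in: github.com/gin-gonic/gin@v1.7.7
  More info: https://pkg.go.dev/vuln/GO-2021-0052

Vulnerability #2: GO-XXXX-PLACEHOLDER-A
  Found in: example.com/lib@v1.1.0
  Fixed in: example.com/lib@v1.2.0

Vulnerability #3: GO-XXXX-PLACEHOLDER-B
  Found in: example.com/lib@v1.1.0
  Fixed in: example.com/lib@v1.10.0

Vulnerability #4: GO-XXXX-PLACEHOLDER-C
  Found in: example.com/unfixed@v0.3.0
  Fixed in: N/A
`

func main() {
	for _, cmd := range FixCommands(sampleOutput) {
		fmt.Println(cmd)
	}
}
```

The generated commands deliberately omit the `-u` from the issue's proposal: `go get -u` also upgrades the named module's own dependencies to their latest minor or patch versions, so the narrower `go get module@version` keeps the change set to exactly the fix the report asked for, which is easier to review before piping anything into a shell.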

@el10savio
Author

Sure, yep. Thank you @zpavlinovic

@golang golang locked and limited conversation to collaborators Nov 10, 2023
4 participants