x/vuln: govulncheck panic: interface conversion: types.Type is *types.Interface, not *types.Array #57174

Closed
sixcolors opened this issue Dec 8, 2022 · 10 comments
Labels
FrozenDueToAge vulncheck or vulndb Issues for the x/vuln or x/vulndb repo

Comments

@sixcolors

What version of Go are you using (go version)?

$ go version
go version go1.19.3 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/sixcolors/Library/Caches/go-build"
GOENV="/Users/sixcolors/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/sixcolors/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/sixcolors/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/Cellar/go/1.19.3/libexec"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.19.3/libexec/pkg/tool/darwin_amd64"
GOVCS=""
GOVERSION="go1.19.3"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/sixcolors/maintainer/go.mod"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/jl/xzdcwhj92pdfdqnp_z8cmbc40000gn/T/go-build2239372547=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

~/maintainer (main) » govulncheck ./...         sixcolors@Jason-McNeils-Mac-Pro
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
panic: interface conversion: types.Type is *types.Interface, not *types.Array

goroutine 1 [running]:
golang.org/x/tools/go/callgraph/vta.sliceArrayElem({0x1554540, 0xc06db65790})
	/Users/sixcolors/go/pkg/mod/golang.org/x/tools@v0.4.0/go/callgraph/vta/utils.go:126 +0x1bd
golang.org/x/tools/go/callgraph/vta.(*builder).indexAddr(0xc096eff790?, 0xc06db6c660)
	/Users/sixcolors/go/pkg/mod/golang.org/x/tools@v0.4.0/go/callgraph/vta/graph.go:481 +0x38
golang.org/x/tools/go/callgraph/vta.(*builder).instr(0xc096eff678?, {0x1557d58?, 0xc06db6c660?})
	/Users/sixcolors/go/pkg/mod/golang.org/x/tools@v0.4.0/go/callgraph/vta/graph.go:355 +0x165
golang.org/x/tools/go/callgraph/vta.(*builder).fun(...)
	/Users/sixcolors/go/pkg/mod/golang.org/x/tools@v0.4.0/go/callgraph/vta/graph.go:299
golang.org/x/tools/go/callgraph/vta.(*builder).visit(0xc096eff790, 0x280?)
	/Users/sixcolors/go/pkg/mod/golang.org/x/tools@v0.4.0/go/callgraph/vta/graph.go:291 +0x1e5
golang.org/x/tools/go/callgraph/vta.typePropGraph(...)
	/Users/sixcolors/go/pkg/mod/golang.org/x/tools@v0.4.0/go/callgraph/vta/graph.go:265
golang.org/x/tools/go/callgraph/vta.CallGraph(0xc096effb70?, 0xc0873d7560)
	/Users/sixcolors/go/pkg/mod/golang.org/x/tools@v0.4.0/go/callgraph/vta/vta.go:75 +0xe5
golang.org/x/vuln/vulncheck.callGraph(0xc03c0f9200, {0xc0873e0000, 0x165, 0x80?})
	/Users/sixcolors/go/pkg/mod/golang.org/x/vuln@v0.0.0-20221208170415-d970d6cd0f6e/vulncheck/utils.go:70 +0x2b9
golang.org/x/vuln/vulncheck.Source({0x15564d0, 0xc0001ae008}, {0xc029b26800?, 0x14, 0x20}, 0xc03c89bd78)
	/Users/sixcolors/go/pkg/mod/golang.org/x/vuln@v0.0.0-20221208170415-d970d6cd0f6e/vulncheck/source.go:80 +0x4cd
golang.org/x/vuln/internal/govulncheck.Source({0x15564d0?, 0xc0001ae008?}, 0xc000217eb0?, {0xc029b26800, 0x14, 0x20})
	/Users/sixcolors/go/pkg/mod/golang.org/x/vuln@v0.0.0-20221208170415-d970d6cd0f6e/internal/govulncheck/run.go:31 +0x94
main.doGovulncheck({0xc0001b4010?, 0x1, 0x1}, 0x1)
	/Users/sixcolors/go/pkg/mod/golang.org/x/vuln@v0.0.0-20221208170415-d970d6cd0f6e/cmd/govulncheck/main.go:114 +0x35b
main.main()
	/Users/sixcolors/go/pkg/mod/golang.org/x/vuln@v0.0.0-20221208170415-d970d6cd0f6e/cmd/govulncheck/main.go:69 +0x127

What did you expect to see?

working scan

What did you see instead?

Type error panic.

@gopherbot gopherbot added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Dec 8, 2022
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Dec 8, 2022
@zpavlinovic zpavlinovic self-assigned this Dec 8, 2022
@zpavlinovic
Contributor

zpavlinovic commented Dec 8, 2022

Thanks for reporting this! Do you have a minimal reproducible example? Or do you have some code in general we can use to reproduce the issue?

@sixcolors
Author

sixcolors commented Dec 8, 2022

> Thanks for reporting this! Do you have a minimal reproducible example? Or do you have some code in general we can use to reproduce the issue?

Trying to get that now. The project triggering this is closed source.

@sixcolors
Author

Okay, this one has the issue: https://github.com/sixcolors/fiber-boilerplate

@sixcolors
Author

Note: no panic when run with go version go1.19.4 darwin/amd64 or go version go1.19.4 linux/amd64 installed

@zpavlinovic
Contributor

zpavlinovic commented Dec 8, 2022

Same here, I get no errors for the newer version, but do get it for, say, 1.19.1.

This is likely related to changes to the type checker, which ultimately affect call graph construction. Will investigate. Thanks for the info!

@klauspost
Contributor

Another repro: https://github.com/minio/mc/actions/runs/3656601095/jobs/6179226117 (fails on github.com/minio/mc master branch)

go version go1.19.4 linux/amd64

@gopherbot

Change https://go.dev/cl/456436 mentions this issue: vulncheck: add support for generics
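An added example, not code from x/tools or x/vuln: in go/types a parameter declared with a type-parameter type has an interface (its constraint) as its underlying type, so an unconditional assertion to `*types.Array` yields the same panic text as the report above, while a type switch lets the analysis decline the type instead of crashing. The helpers `paramType`, `elemUnchecked` and `elemChecked` and the source in `src` are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
)

// Constructed input: one array parameter, one type-parameter-typed parameter.
const src = `package p
func fixed(xs [4]int) int { return xs[0] }
func generic[T ~[]int](ys T) int { return ys[0] }`

// paramType type-checks src and returns the type of fn's first parameter.
func paramType(fn string) types.Type {
	fset := token.NewFileSet()
	f, _ := parser.ParseFile(fset, "p.go", src, 0) // src is a constant that parses
	pkg, err := new(types.Config).Check("p", fset, []*ast.File{f}, nil)
	if err != nil {
		panic(err)
	}
	return pkg.Scope().Lookup(fn).Type().(*types.Signature).Params().At(0).Type()
}

// elemUnchecked (hypothetical) asserts *types.Array; recover only captures the text.
func elemUnchecked(t types.Type) (elem types.Type, msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	return t.Underlying().(*types.Array).Elem(), ""
}

// elemChecked (hypothetical) reports ok=false for any type it does not model.
func elemChecked(t types.Type) (types.Type, bool) {
	switch u := t.Underlying().(type) {
	case *types.Slice:
		return u.Elem(), true
	case *types.Array:
		return u.Elem(), true
	}
	return nil, false
}

func main() {
	fmt.Println(elemUnchecked(paramType("generic")))
}
```

For a scanner that runs in CI, the checked form matters because a panic in the analysis produces no findings at all rather than a partial result.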

@harshavardhana
Contributor

harshavardhana commented Dec 12, 2022

It seems to still fail after installing the latest govulncheck

govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
panic: in github.com/minio/minio/internal/config.Error: cannot convert *t0 (PT) to T

goroutine 15209 [running]:
golang.org/x/tools/go/ssa.emitConv(0xc0246a9680, {0x95c460, 0xc09ed746c0}, {0x958470?, 0xc0345660c0})
        /home/harsha/go/pkg/mod/golang.org/x/tools@v0.4.0/go/ssa/emit.go:295 +0x9f4
golang.org/x/tools/go/ssa.(*builder).stmt(0x0?, 0xc0246a9680, {0x959a18?, 0xc013685640?})
        /home/harsha/go/pkg/mod/golang.org/x/tools@v0.4.0/go/ssa/builder.go:2220 +0x1831
golang.org/x/tools/go/ssa.(*builder).stmtList(0x864600?, 0x1?, {0xc02cdc57c0?, 0x3, 0x657605?})
        /home/harsha/go/pkg/mod/golang.org/x/tools@v0.4.0/go/ssa/builder.go:946 +0x67
golang.org/x/tools/go/ssa.(*builder).stmt(0xc0246a9680?, 0xc0246a9680, {0x959478?, 0xc0330cf7d0?})
        /home/harsha/go/pkg/mod/golang.org/x/tools@v0.4.0/go/ssa/builder.go:2277 +0xe7d
golang.org/x/tools/go/ssa.(*builder).buildFunctionBody(0x656cd1?, 0xc0246a9680)
        /home/harsha/go/pkg/mod/golang.org/x/tools@v0.4.0/go/ssa/builder.go:2391 +0x4ba
golang.org/x/tools/go/ssa.(*builder).buildFunction(0x656d20?, 0xc0246a9680)
        /home/harsha/go/pkg/mod/golang.org/x/tools@v0.4.0/go/ssa/builder.go:2326 +0x2e
golang.org/x/tools/go/ssa.(*builder).buildCreated(0xc048f45df0)
        /home/harsha/go/pkg/mod/golang.org/x/tools@v0.4.0/go/ssa/builder.go:2413 +0x25
golang.org/x/tools/go/ssa.(*Package).build(0xc04763fa80)
        /home/harsha/go/pkg/mod/golang.org/x/tools@v0.4.0/go/ssa/builder.go:2606 +0xcd4
sync.(*Once).doSlow(0xc026e4a7b0?, 0x0?)
        /home/harsha/sdk/go1.19.3/src/sync/once.go:74 +0xc2
sync.(*Once).Do(...)
        /home/harsha/sdk/go1.19.3/src/sync/once.go:65
golang.org/x/tools/go/ssa.(*Package).Build(...)
        /home/harsha/go/pkg/mod/golang.org/x/tools@v0.4.0/go/ssa/builder.go:2477
golang.org/x/tools/go/ssa.(*Program).Build.func1(0x0?)
        /home/harsha/go/pkg/mod/golang.org/x/tools@v0.4.0/go/ssa/builder.go:2462 +0x4c
created by golang.org/x/tools/go/ssa.(*Program).Build
        /home/harsha/go/pkg/mod/golang.org/x/tools@v0.4.0/go/ssa/builder.go:2461 +0x19c

This did not happen like last week, nothing changed in this area of code.

@zpavlinovic
Contributor

That is a different issue. It is related to the ssa package. I will investigate and see if there is a simple fix. If not, I will open a separate issue. Can you tell me the Go version you are using?

@harshavardhana
Contributor

> That is a different issue. It is related to the ssa package. I will investigate and see if there is a simple fix. If not, I will open a separate issue. Can you tell me the Go version you are using?

It's go1.19.3 @zpavlinovic

go version -m `which govulncheck`
/home/harsha/go/bin/govulncheck: go1.19.3
        path    golang.org/x/vuln/cmd/govulncheck
        mod     golang.org/x/vuln       (devel)
        dep     golang.org/x/exp        v0.0.0-20220722155223-a9213eeb770e      h1:+WEEuIdZHnUeJJmEUjyYC2gfUMj69yZXw17EnHg/otA=
        dep     golang.org/x/mod        v0.7.0  h1:LapD9S96VoQRhi/GrNTqeBJFrUjs5UHCAtTlgwA5oZA=
        dep     golang.org/x/sys        v0.3.0  h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
        dep     golang.org/x/tools      v0.4.0  h1:7mTAgkunk3fr4GAloyyCasadO6h9zSsQZbwvcaIciV4=
        build   -compiler=gc
        build   CGO_ENABLED=1
        build   CGO_CFLAGS=
        build   CGO_CPPFLAGS=
        build   CGO_CXXFLAGS=
        build   CGO_LDFLAGS=
        build   GOARCH=amd64
        build   GOOS=linux
        build   GOAMD64=v1
        build   vcs=git
        build   vcs.revision=af59454a8a0a42ff9d84df1a73c4248f60a5d9b6
        build   vcs.time=2022-12-12T18:28:31Z
        build   vcs.modified=false

softdev050 added a commit to softdev050/Golangvuln that referenced this issue Apr 5, 2023
Make ssa instantiate generics.

Fixes golang/go#57174

Change-Id: I2d2e28a48e3a64df3d4d415b4629fe3e0a1ba28d
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/456436
Reviewed-by: Fnu Harshavardhana <hrshvardhana@gmail.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
sayjun0505 added a commit to sayjun0505/Golangvuln that referenced this issue Apr 8, 2023
stanislavkononiuk added a commit to stanislavkononiuk/Golangvuln that referenced this issue Jun 26, 2023
@golang golang locked and limited conversation to collaborators Dec 12, 2023