
x/vuln: error "no symbol "go.func.*"" scanning Debian binaries #57764

Closed
hickford opened this issue Jan 12, 2023 · 8 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo

Comments

@hickford

hickford commented Jan 12, 2023

What version of Go are you using (go version)?

$ go version
go version go1.19.3 linux/amd64

Does this issue reproduce at the latest version of golang.org/x/vuln?

Yes, I installed it with go install golang.org/x/vuln/cmd/govulncheck@latest

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/hickford/.cache/go-build"
GOENV="/home/hickford/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/hickford/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/hickford/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go-1.19"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go-1.19/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.19.3"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1287025169=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Try to scan Debian Go binaries, such as govulncheck /usr/bin/caddy, govulncheck /usr/bin/hugo, govulncheck /usr/bin/gofmt or even govulncheck /usr/bin/go.

Alternatively, you can manually download a .deb package from Debian packages such as caddy_2.6.2-1_amd64.deb, extract it with ar x caddy_2.6.2-1_amd64.deb && tar -xf data.tar.xz and try to scan with govulncheck ./usr/bin/caddy.

What did you expect to see?

Successful scan with vulnerabilities

What did you see instead?

> govulncheck /usr/bin/caddy
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
govulncheck: vulncheck.Binary: reading go.func.*: no symbol "go.func.*"

I also got the same error scanning the caddy binary from GitHub releases https://github.com/caddyserver/caddy/releases/download/v2.6.2/caddy_2.6.2_linux_amd64.tar.gz, extracted with tar -xf caddy_2.6.2_linux_amd64.tar.gz.

@hickford hickford added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Jan 12, 2023
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Jan 12, 2023
@hickford
Author

hickford commented Jan 12, 2023

Interestingly Fedora doesn't have this problem. The caddy binary in Fedora packages (extracted rpm2cpio caddy-2.5.2-1.fc37.x86_64.rpm | cpio -idmv) scans successfully without error.

@hickford hickford changed the title x/vuln: error scanning Debian binaries "no symbol "go.func.*" x/vuln: error "no symbol "go.func.*"" scanning Debian binaries Jan 12, 2023
@seankhliao
Member

it looks like it doesn't work without the symbol table and debug info?
ie binaries built with -ldflags='-s'

@hickford
Author

go version -m

hickford@penguin ~/bin> go version -m debian-caddy
debian-caddy: go1.19.4
        path    github.com/caddyserver/caddy/v2/cmd/caddy
        build   -compiler=gc
        build   -trimpath=true
        build   CGO_ENABLED=0
        build   GOARCH=amd64
        build   GOOS=linux
        build   GOAMD64=v1
hickford@penguin ~/bin> go version -m github-caddy
github-caddy: go1.19.2
        path    command-line-arguments
        build   -compiler=gc
        build   -trimpath=true
        build   CGO_ENABLED=0
        build   GOARCH=amd64
        build   GOOS=linux
        build   GOAMD64=v1
hickford@penguin ~/bin> go version -m fedora-caddy
fedora-caddy: go1.19
        path    github.com/caddyserver/caddy/cmd/caddy
        build   -compiler=gc
        build   -ldflags=" -X github.com/caddyserver/caddy/version=2.5.2 -B 0x5ed1393cc60665b6fd18eda730da04e78c91ee51 -compressdwarf=false -linkmode=external -extldflags '-Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -Wl,--build-id=sha1 -Wl,-dT,/builddir/build/BUILD/caddy-2.5.2/.package_note-caddy-2.5.2-1.fc37.x86_64.ld '"
        build   -tags=rpm_crashtraceback
        build   CGO_ENABLED=1
        build   CGO_CFLAGS=
        build   CGO_CPPFLAGS=
        build   CGO_CXXFLAGS=
        build   CGO_LDFLAGS=
        build   GOARCH=amd64
        build   GOOS=linux
        build   GOAMD64=v1

@cagedmantis cagedmantis added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jan 13, 2023
@cagedmantis
Contributor

@golang/vulndb

@rvstaveren

rvstaveren commented Jan 31, 2023

Had a look at govulncheck for scanning Go binaries for outstanding vulnerabilities, but it behaves a bit oddly on FreeBSD too.
E.g. if I install telegraf from the pkg built by FreeBSD, I'm getting a

“govulncheck: vulncheck.Binary: reading go.func.*: no symbol "go.func.*"”

However, if I build and install telegraf from ports (building the same thing as the package, but from source), it works as advertised.
Also, the binary sizes differ vastly for the port (205M) and pkg version (148M) despite a “make package”.

go version -m reports no differences on both the pkg and the port binary: same go version, same mods

$ diff -uw --label telegraf-from-pkg <(go version -m /usr/local/bin/telegraf) --label telegraf-from-ports <(go version -m work/stage/usr/local/bin/telegraf)
--- telegraf-from-pkg
+++ telegraf-from-ports
@@ -1,4 +1,4 @@
-/usr/local/bin/telegraf: go1.19.5
+work/stage/usr/local/bin/telegraf: go1.19.5
        path    github.com/influxdata/telegraf/cmd/telegraf
        mod     github.com/influxdata/telegraf  (devel)
        dep     cloud.google.com/go     v0.104.0        h1:gSmWO7DY1vOm0MVU6DNXM11BWHHsTUmsC5cv1fuW5X8=
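Review bot: the hunk shows the two `go version -m` outputs differ only in the path label on their first line, so the pkg and ports binaries carry identical embedded build info; `go version -m` reads the buildinfo written into the binary at link time, so it cannot reveal a `strip` applied to the installed file afterwards, which is consistent with the 148M vs 205M size gap. Comparing `readelf -S` or `nm` output of the two files would show directly whether the symbol table is missing from the pkg binary.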

@zpavlinovic
Contributor

Thanks for reporting this, that is odd. We'll look into this soon.

@zpavlinovic zpavlinovic self-assigned this Feb 6, 2023
@zpavlinovic
Contributor

zpavlinovic commented Feb 8, 2023

I was able to reproduce the issue with caddy. I assume the same happens with telegraf.

The released binary causes issues for govulncheck. The one built from source (with the same go1.19.2 version) has no issues.

it looks like it doesn't work without the symbol table and debug info? ie binaries built with -ldflags='-s'

This is my impression as well. When I compile caddy from the source but with -ldflags='-s', I can reproduce the issue. The size of this binary is very similar (although not the same) to the released binary. What is confusing to me is that go version -m does not show

...
build   -ldflags=-s
...

for the released binary but it does for the one built from source.
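An added example, not code from x/vuln or from this thread: a pre-check that opens an ELF binary with debug/elf and reports whether the symbol table and the go.func.* symbol that govulncheck's buildinfo reader needs are present, so stripped distribution binaries can be identified before a scan fails. It assumes the alternate spelling go:func.* for the same symbol in binaries linked by Go 1.20 and later; the symbol names in the test are constructed.

```go
package main

import (
	"debug/elf"
	"fmt"
	"os"
)

// Symbol names the x/vuln buildinfo reader looks up to find Go's function table.
// "go.func.*" is the name in the error above; "go:func.*" is assumed for Go 1.20+ linkers.
var goFuncSymbols = []string{"go.func.*", "go:func.*"}

// Report summarises what the pre-check found in one ELF binary.
type Report struct {
	HasSymtab  bool   // .symtab present (missing after -ldflags=-s or strip)
	GoFuncName string // go.func symbol found, "" if none
}

// Scannable reports whether govulncheck's binary mode can get past the "no symbol" error.
func (r Report) Scannable() bool { return r.HasSymtab && r.GoFuncName != "" }

// classify is the pure decision, separated from file I/O so it runs on constructed symbol lists.
func classify(hasSymtab bool, names []string) Report {
	r := Report{HasSymtab: hasSymtab}
	for _, n := range names {
		for _, want := range goFuncSymbols {
			if n == want {
				r.GoFuncName = n
				return r
			}
		}
	}
	return r
}

// inspect opens an ELF file (Debian and FreeBSD binaries); a stripped binary makes Symbols() return elf.ErrNoSymbols.
func inspect(path string) (Report, error) {
	f, err := elf.Open(path)
	if err != nil {
		return Report{}, err
	}
	defer f.Close()
	syms, err := f.Symbols()
	if err == elf.ErrNoSymbols {
		return classify(false, nil), nil
	}
	if err != nil {
		return Report{}, err
	}
	names := make([]string, 0, len(syms))
	for _, s := range syms {
		names = append(names, s.Name)
	}
	return classify(true, names), nil
}

func main() {
	for _, p := range os.Args[1:] { // e.g. go run . /usr/bin/caddy
		r, err := inspect(p)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", p, err)
			continue
		}
		fmt.Printf("%s: symtab=%t go.func=%q scannable=%t\n", p, r.HasSymtab, r.GoFuncName, r.Scannable())
	}
}
```

A binary reported with symtab=false is exactly the case that produces the "no symbol" error above, and the fix under discussion makes govulncheck fall back to go.mod-level precision for it.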

@gopherbot

Change https://go.dev/cl/470377 mentions this issue: vulncheck/internal/buildinfo: use go.mod precision for stripped binaries
