x/vuln: ignore directory when there are no buildable Go files #59633

Closed
rminnich opened this issue Apr 14, 2023 · 5 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo

Comments

@rminnich
Contributor

What version of Go are you using (go version)?

1.19.5

Does this issue reproduce at the latest version of golang.org/x/vuln?

yes

What operating system and processor architecture are you using (go env)?

darwin/arm64

What did you do?

GOOS=linux GOOS=arm64 govulncheck

Using go1.19.5 and govulncheck@v0.0.0-506ee65bc240-20230412201939 with
vulnerability data from https://vuln.go.dev (last modified 2023-04-13 00:03:55 +0000 UTC).
err: exit status 1: stderr: go build github.com/u-root/u-root/pkg/mount: build constraints exclude all Go files in /Users/rminnich/go/src/github.com/u-root/u-root/pkg/mount
go build github.com/u-root/u-root/pkg/mount/block: build constraints exclude all Go files in /Users/rminnich/go/src/github.com/u-root/u-root/pkg/mount/block
go build github.com/u-root/u-root/pkg/spidev: build constraints exclude all Go files in /Users/rminnich/go/src/github.com/u-root/u-root/pkg/spidev
go build github.com/u-root/u-root/pkg/mount/loop: build constraints exclude all Go files in /Users/rminnich/go/src/github.com/u-root/u-root/pkg/mount/loop

What did you expect to see?

no output

What did you see instead?

I think that if there are no buildable Go files, it should ignore the directory entirely.

@rminnich rminnich added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Apr 14, 2023
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Apr 14, 2023
@dr2chase dr2chase added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Apr 14, 2023
@dr2chase
Contributor

@golang/vulndb

@julieqiu julieqiu changed the title x/vuln: x/vuln: ignore directory when there are no buildable Go files Apr 14, 2023
@saurabh-sm

I have a sub-package for each topic, which includes booleans, numbers, strings, hashmaps, etc. And each sub-package has a directory which contains test and implementation files.

The project structure looks like:

.
├── LICENSE
├── README.md
├── ...
├── ...
└── pkg
    ├── beginning
    │   ├── hello
    │   │   ├── hello.go
    │   │   └── hello_test.go
    ├── booleans
    │   ├── pacman
    │   │   ├── ghostgobble.go
    │   │   └── ghostgobble_test.go
    ├── hashmaps
    │   ├── inventory
    │   │   ├── inventorymanagement.go
    │   │   └── inventorymanagement_test.go
    │   ├── lexiconia
    │   │   ├── lexiconia.go
    │   │   └── lexiconia_test.go
    │   └── store
    │       ├── gross.go
    │       └── gross_test.go
    ├── interfaces
    │   ├── airportrobot
    │   │   ├── robot.go
    │   │   └── robot_test.go
    │   └── meteorology
    │       ├── meteorology.go
    │       └── meteorology_test.go
    ├── numbers
    │   ├── account
    │   │   ├── savingsaccount.go
    │   │   └── savingsaccount_test.go
    │   ├── armstrong
    │   │   ├── armstrongnumber.go
    │   │   └── armstrongnumber_test.go
    │   ├── collatzconjecture
    │   │   ├── collatz.go
    │   │   └── collatz_test.go
    │   ├── currencyexchange
    │   │   ├── exchange.go
    │   │   └── exchange_test.go
    │   ├── differences
    │   │   ├── squaresdifference.go
    │   │   └── squaresdifference_test.go
    │   └── lasagna
    │       ├── gopherlasagna.go
    │       └── gopherlasagna_test.go
    ├── pointers
    │   ├── census
    │   │   ├── census.go
    │   │   └── census_test.go
    │   └── electionday
    │       ├── electionday.go
    │       └── electionday_test.go
    ├── strings
    │   ├── appointment
    │   │   ├── hairsalon.go
    │   │   └── hairsalon_test.go
    │   ├── loglibrary
    │   │   ├── loglib.go
    │   │   └── loglib_test.go
    │   ├── pangram
    │   │   ├── pangram.go
    │   │   └── pangram_test.go
    │   ├── reverse
    │   │   ├── reverse.go
    │   │   └── reverse_test.go
    └── types
        ├── chessboard
        │   ├── chessboard.go
        │   └── chessboard_test.go
        └── sortingroom
            ├── sortingroom.go
            └── sortingroom_test.go
...
...

All this is in a GitHub repository here.

When I run govulncheck for this repository, I get an error:

There are errors with the provided package patterns:

-: no Go files in /home/runner/work/gotime/gotime/pkg/beginning
-: no Go files in /home/runner/work/gotime/gotime/pkg/booleans
-: no Go files in /home/runner/work/gotime/gotime/pkg/hashmaps
-: no Go files in /home/runner/work/gotime/gotime/pkg/interfaces
...
...

For details on package patterns, see https://pkg.go.dev/cmd/go#hdr-Package_lists_and_patterns.

I'm not sure why this is an error as there are Go files in each pkg/<sub-package>/directory.

@zpavlinovic
Contributor

What is the actual package pattern you passed to govulncheck? What is the output you get with go test and go build (with the same package pattern)?

@saurabh-sm

saurabh-sm commented Jun 10, 2023

I'm not using go build. The pattern for go test and govulncheck is the same:

Go Test:

go test -v ./...

govulncheck on source code

govulncheck -json ./...

and on test code

govulncheck -json -test ./pkg/...

Running govulncheck with govulncheck -json -test ./pkg/* gives the error No go files in ...

@ianthehat

This is working as intended.
You want to use the pattern govulncheck -json -test ./pkg/..., it means something very different to govulncheck -json -test ./pkg/*.
The former is a single pattern recursive descent of the packages that will skip empty directories, the latter is expanded by the shell to the complete list of subdirectories, which is what makes it complain because as far as the program is concerned you directly requested a directory that has no go files.
Go list with the same pattern will produce exactly the same set of errors.
I downloaded your module and tested it to make sure, just change the pattern in your audit.yml and it will be fine.
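
The difference between the two patterns described in the comment above, shown as an added shell example that is not part of the original thread. The directory names are a constructed subset of the layout posted earlier; `make_tree`, `show_args` and `dirs_without_go` are hypothetical helpers, and the check only looks for `*.go` files directly inside a directory (it does not evaluate build constraints).

```shell
#!/bin/sh
# Constructed tree mirroring the thread's layout: pkg/<topic>/<package>/*.go,
# so the topic directories themselves contain no Go files.
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/pkg/beginning/hello" "$root/pkg/booleans/pacman"
    : > "$root/pkg/beginning/hello/hello.go"
    : > "$root/pkg/booleans/pacman/ghostgobble.go"
    printf '%s\n' "$root"
}

# Print one line per argument, exactly as the invoked program receives them.
show_args() {
    for a in "$@"; do
        printf '%s\n' "$a"
    done
}

# Print every argument that is a directory with no .go file directly in it.
# Hypothetical pre-check; it does not evaluate build constraints.
dirs_without_go() {
    for d in "$@"; do
        if [ ! -d "$d" ]; then continue; fi
        found=0
        for f in "$d"/*.go; do
            if [ -f "$f" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$d"; fi
    done
}

demo() {
    tree=$(make_tree)
    (
        cd "$tree" || exit 1
        echo "shell-expanded ./pkg/* arrives as:"; show_args ./pkg/*
        echo "./pkg/... arrives as:";              show_args ./pkg/...
        echo "directories requested directly that hold no Go files:"
        dirs_without_go ./pkg/*
    )
    rm -rf "$tree"
}

demo
```

Running `dirs_without_go` on the arguments of a scan step before invoking the tool flags a glob that would turn the scan into a pattern error instead of a vulnerability report.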
