x/vuln: crash on large repos #59966

Closed
Dafaque opened this issue May 4, 2023 · 7 comments

Comments

Dafaque commented May 4, 2023

What version of Go are you using (go version)?

$ go version
go version go1.20.3 linux/amd64
go version go1.19.8 linux/amd64 # nix-shell

Does this issue reproduce at the latest version of golang.org/x/vuln?

I've installed the @latest and @v0.1.0 versions, but the output shows:
Using go1.20.3 and govulncheck@v0.0.0 with
I guess, yes?

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/me/.cache/go-build"
GOENV="/home/me/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/me/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/me/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.20.3"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="..../go.mod"
GOWORK=""
CGO_CFLAGS="-O2 -g"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-O2 -g"
CGO_FFLAGS="-O2 -g"
CGO_LDFLAGS="-O2 -g"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build4038305880=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Run under vscode integrated terminal govulncheck -v ./... on a project that meets this condition:

$ tree .
......
843 directories, 3746 files

In my case it's a very large vendor dir

What did you expect to see?

My laptop is working and I actually get a vuln report

What did you see instead?

Even the cursor is dead for ~2 min;
htop, for a second after the vscode crash, shows all 8 cores and 8gb RAM are full

@Dafaque Dafaque added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label May 4, 2023
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned May 4, 2023
@Dafaque Dafaque changed the title x/vuln: x/vuln: crash on large repos May 4, 2023

Dafaque commented May 4, 2023

UPD
After the first successful run from outside vscode, which runs very fast and without any issues, runs under the vscode terminal are now out of trouble too


Dafaque commented May 4, 2023

UPD2
Outside vscode under nix-shell -p go_1_19:

govulncheck -v ...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Using go1.19.8 and govulncheck@v0.0.0 with
vulnerability data from https://vuln.go.dev (last modified 2023-04-18 21:32:26 +0000 UTC).

Scanning your code and 95 packages across 0 dependent modules for known vulnerabilities...
Killed

With total PC freeze


Dafaque commented May 4, 2023

pure zsh run with go1.20 detects more packages and deps:

govulncheck -v ./...                                                                                                                   127 ✘  9s  
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Using go1.20.3 and govulncheck@v0.0.0 with
vulnerability data from https://vuln.go.dev (last modified 2023-04-18 21:32:26 +0000 UTC).

Scanning your code and 570 packages across 110 dependent modules for known vulnerabilities...


Dafaque commented May 4, 2023

Just figured out, maybe the trouble depends on the go version.
go.mod contains the line go 1.19, but under go_1_19 it always failed (nix-shell, vscode or zsh/bash), but go_1_20 runs perfectly

@cagedmantis cagedmantis added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label May 5, 2023
@cagedmantis
Contributor

cc @golang/vulndb

@zpavlinovic zpavlinovic self-assigned this Sep 27, 2023
@zpavlinovic
Contributor

Does this issue still reproduce?

@zpavlinovic zpavlinovic added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Sep 27, 2023
@gopherbot

Timed out in state WaitingForInfo. Closing.

(I am just a bot, though. Please speak up if this is a mistake or you have the requested information.)

@gopherbot gopherbot closed this as not planned Oct 27, 2023