internal/vulncheck: get correctly package for instantiated functions

Fixes golang/go#66139 Change-Id: I57812643c78e6cd17415e310567212587978a233 Reviewed-on: https://go-review.googlesource.com/c/vuln/+/570616 LUCI-TryBot-Result: Go LUCI <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Zvonimir Pavlinovic <[email protected]> Reviewed-by: Maceo Thompson <[email protected]>
golang · Mar 25, 2024 · a06239c · a06239c
1 parent 8f863e2
commit a06239c
Show file tree

Hide file tree

Showing 6 changed files with 77 additions and 11 deletions.
diff --git a/cmd/govulncheck/testdata/modules/stdlib/stdlib.go b/cmd/govulncheck/testdata/modules/stdlib/stdlib.go
@@ -15,4 +15,12 @@ func main() {
 
 	http.HandleFunc("/hello", helloHandler)
 	log.Fatal(http.ListenAndServe(":8080", nil))
+
+	// Test issue #66139
+	log.Fatal(work[string]("golang"))
+}
+
+func work[T any](t T) error {
+	log.Printf("%v\n", t)
+	return http.Serve(nil, nil)
 }
diff --git a/cmd/govulncheck/testdata/testfiles/stdlib/source_stdlib_json.ct b/cmd/govulncheck/testdata/testfiles/stdlib/source_stdlib_json.ct
@@ -185,3 +185,45 @@ $ govulncheck -C ${moddir}/stdlib -format json .
     ]
   }
 }
+{
+  "finding": {
+    "osv": "GO-2022-0969",
+    "fixed_version": "v1.18.6",
+    "trace": [
+      {
+        "module": "stdlib",
+        "version": "v1.18.0",
+        "package": "net/http",
+        "function": "Serve",
+        "position": {
+          "filename": "src/net/http/server.go",
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
+        }
+      },
+      {
+        "module": "golang.org/stdlib",
+        "package": "golang.org/stdlib",
+        "function": "work[string]",
+        "position": {
+          "filename": "stdlib.go",
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
+        }
+      },
+      {
+        "module": "golang.org/stdlib",
+        "package": "golang.org/stdlib",
+        "function": "main",
+        "position": {
+          "filename": "stdlib.go",
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
+        }
+      }
+    ]
+  }
+}
diff --git a/cmd/govulncheck/testdata/testfiles/stdlib/source_stdlib_text.ct b/cmd/govulncheck/testdata/testfiles/stdlib/source_stdlib_text.ct
@@ -15,6 +15,7 @@ Vulnerability #1: GO-2022-0969
     Fixed in: net/[email protected]
     Example traces found:
       #1: stdlib.go:<l>:<c>: stdlib.main calls http.ListenAndServe
+      #2: stdlib.go:<l>:<c>: stdlib.work[string] calls http.Serve
 
 Your code is affected by 1 vulnerability from the Go standard library.
 This scan found no other vulnerabilities in packages you import or modules you
@@ -40,6 +41,10 @@ Vulnerability #1: GO-2022-0969
       #1: for function net/http.ListenAndServe
         stdlib.go:<l>:<c>: golang.org/stdlib.main
         src/net/http/server.go:<l>:<c>: net/http.ListenAndServe
+      #2: for function net/http.Serve
+        stdlib.go:<l>:<c>: golang.org/stdlib.main
+        stdlib.go:<l>:<c>: golang.org/stdlib.work[string]
+        src/net/http/server.go:<l>:<c>: net/http.Serve
 
 Your code is affected by 1 vulnerability from the Go standard library.
 This scan found no other vulnerabilities in packages you import or modules you

diff --git a/internal/internal.go b/internal/internal.go
@@ -24,5 +24,9 @@ const (
 
 	// UnknownModulePath is a special module path for when we cannot work out
 	// the module for a package.
-	UnknownModulePath = "unknown"
+	UnknownModulePath = "unknown-module"
+
+	// UnknownPackagePath is a special package path for when we cannot work out
+	// the packagUnknownModulePath = "unknown"
+	UnknownPackagePath = "unknown-package"
 )
diff --git a/internal/vulncheck/source.go b/internal/vulncheck/source.go
@@ -275,15 +275,6 @@ func vulnFuncs(cg *callgraph.Graph, affVulns affectingVulns) map[*callgraph.Node
 	return m
 }
 
-// pkgPath returns the path of the f's enclosing package, if any.
-// Otherwise, returns "".
-func pkgPath(f *ssa.Function) string {
-	if f.Package() != nil && f.Package().Pkg != nil {
-		return f.Package().Pkg.Path()
-	}
-	return ""
-}
-
 func createNode(nodes map[*ssa.Function]*FuncNode, f *ssa.Function, graph *PackageGraph) *FuncNode {
 	if fn, ok := nodes[f]; ok {
 		return fn

diff --git a/internal/vulncheck/utils.go b/internal/vulncheck/utils.go
@@ -18,6 +18,7 @@ import (
 	"golang.org/x/tools/go/packages"
 	"golang.org/x/tools/go/ssa/ssautil"
 	"golang.org/x/tools/go/types/typeutil"
+	"golang.org/x/vuln/internal"
 	"golang.org/x/vuln/internal/osv"
 	"golang.org/x/vuln/internal/semver"
 
@@ -348,8 +349,23 @@ func modVersion(mod *packages.Module) string {
 	return mod.Version
 }
 
+// pkgPath returns the path of the f's enclosing package, if any.
+// Otherwise, returns internal.UnknownPackagePath.
+func pkgPath(f *ssa.Function) string {
+	g := f
+	if f.Origin() != nil {
+		// Instantiations of generics do not have
+		// an associated package. We hence look up
+		// the original function for the package.
+		g = f.Origin()
+	}
+	if g.Package() != nil && g.Package().Pkg != nil {
+		return g.Package().Pkg.Path()
+	}
+	return internal.UnknownPackagePath
+}
 func IsStdPackage(pkg string) bool {
-	if pkg == "" {
+	if pkg == "" || pkg == internal.UnknownPackagePath {
 		return false
 	}
 	// std packages do not have a "." in their path. For instance, see