internal/vulncheck: emit OSVs in their raw form asap

We omit raw unfiltered OSVs the moment we fetch them from the database. In practice, findings will be linked to a proper subset of these, making more explicit govulncheck strengths of taking into account: - module versions - platform information - symbols and their reachability via call graph Change-Id: I3330535938ac037ccc9fae84562fa4270fd00d0e Reviewed-on: https://go-review.googlesource.com/c/vuln/+/538788 LUCI-TryBot-Result: Go LUCI <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Maceo Thompson <[email protected]> Run-TryBot: Zvonimir Pavlinovic <[email protected]>
golang · Nov 1, 2023 · aca0fd4 · aca0fd4 · tianon · Jun 6, 2024
1 parent b7bbfa0
commit aca0fd4
Show file tree

Hide file tree

Showing 10 changed files with 930 additions and 34 deletions.
diff --git a/cmd/govulncheck/testdata/binary_json.ct b/cmd/govulncheck/testdata/binary_json.ct
@@ -275,3 +275,261 @@ $ govulncheck -json -mode=binary ${vuln_binary}
     ]
   }
 }
+{
+  "osv": {
+    "schema_version": "1.3.1",
+    "id": "GO-2021-0059",
+    "modified": "2023-04-03T15:57:51Z",
+    "published": "2021-04-14T20:04:52Z",
+    "aliases": [
+      "CVE-2020-35380",
+      "GHSA-w942-gw6m-p62c"
+    ],
+    "details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
+    "affected": [
+      {
+        "package": {
+          "name": "github.com/tidwall/gjson",
+          "ecosystem": "Go"
+        },
+        "ranges": [
+          {
+            "type": "SEMVER",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "1.6.4"
+              }
+            ]
+          }
+        ],
+        "ecosystem_specific": {
+          "imports": [
+            {
+              "path": "github.com/tidwall/gjson",
+              "symbols": [
+                "Get",
+                "GetBytes",
+                "GetMany",
+                "GetManyBytes",
+                "Result.Array",
+                "Result.Get",
+                "Result.Map",
+                "Result.Value",
+                "squash"
+              ]
+            }
+          ]
+        }
+      }
+    ],
+    "references": [
+      {
+        "type": "FIX",
+        "url": "https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc"
+      },
+      {
+        "type": "WEB",
+        "url": "https://github.com/tidwall/gjson/issues/192"
+      }
+    ],
+    "credits": [
+      {
+        "name": "@toptotu"
+      }
+    ],
+    "database_specific": {
+      "url": "https://pkg.go.dev/vuln/GO-2021-0059"
+    }
+  }
+}
+{
+  "osv": {
+    "schema_version": "1.3.1",
+    "id": "GO-2020-0015",
+    "modified": "2023-04-03T15:57:51Z",
+    "published": "2021-04-14T20:04:52Z",
+    "aliases": [
+      "CVE-2020-14040",
+      "GHSA-5rcv-m4m3-hfh7"
+    ],
+    "details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
+    "affected": [
+      {
+        "package": {
+          "name": "golang.org/x/text",
+          "ecosystem": "Go"
+        },
+        "ranges": [
+          {
+            "type": "SEMVER",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "0.3.3"
+              }
+            ]
+          }
+        ],
+        "ecosystem_specific": {
+          "imports": [
+            {
+              "path": "golang.org/x/text/encoding/unicode",
+              "symbols": [
+                "bomOverride.Transform",
+                "utf16Decoder.Transform"
+              ]
+            },
+            {
+              "path": "golang.org/x/text/transform",
+              "symbols": [
+                "String"
+              ]
+            }
+          ]
+        }
+      }
+    ],
+    "references": [
+      {
+        "type": "FIX",
+        "url": "https://go.dev/cl/238238"
+      },
+      {
+        "type": "FIX",
+        "url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
+      },
+      {
+        "type": "REPORT",
+        "url": "https://go.dev/issue/39491"
+      },
+      {
+        "type": "WEB",
+        "url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
+      }
+    ],
+    "credits": [
+      {
+        "name": "@abacabadabacaba and Anton Gyllenberg"
+      }
+    ],
+    "database_specific": {
+      "url": "https://pkg.go.dev/vuln/GO-2020-0015"
+    }
+  }
+}
+{
+  "osv": {
+    "schema_version": "1.3.1",
+    "id": "GO-2022-0969",
+    "modified": "2023-04-03T15:57:51Z",
+    "published": "2022-09-12T20:23:06Z",
+    "aliases": [
+      "CVE-2022-27664",
+      "GHSA-69cg-p879-7622"
+    ],
+    "details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
+    "affected": [
+      {
+        "package": {
+          "name": "stdlib",
+          "ecosystem": "Go"
+        },
+        "ranges": [
+          {
+            "type": "SEMVER",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "1.18.6"
+              },
+              {
+                "introduced": "1.19.0"
+              },
+              {
+                "fixed": "1.19.1"
+              }
+            ]
+          }
+        ],
+        "ecosystem_specific": {
+          "imports": [
+            {
+              "path": "net/http",
+              "symbols": [
+                "ListenAndServe",
+                "ListenAndServeTLS",
+                "Serve",
+                "ServeTLS",
+                "Server.ListenAndServe",
+                "Server.ListenAndServeTLS",
+                "Server.Serve",
+                "Server.ServeTLS",
+                "http2Server.ServeConn",
+                "http2serverConn.goAway"
+              ]
+            }
+          ]
+        }
+      },
+      {
+        "package": {
+          "name": "golang.org/x/net",
+          "ecosystem": "Go"
+        },
+        "ranges": [
+          {
+            "type": "SEMVER",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "0.0.0-20220906165146-f3363e06e74c"
+              }
+            ]
+          }
+        ],
+        "ecosystem_specific": {
+          "imports": [
+            {
+              "path": "golang.org/x/net/http2",
+              "symbols": [
+                "Server.ServeConn",
+                "serverConn.goAway"
+              ]
+            }
+          ]
+        }
+      }
+    ],
+    "references": [
+      {
+        "type": "WEB",
+        "url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
+      },
+      {
+        "type": "REPORT",
+        "url": "https://go.dev/issue/54658"
+      },
+      {
+        "type": "FIX",
+        "url": "https://go.dev/cl/428735"
+      }
+    ],
+    "credits": [
+      {
+        "name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
+      }
+    ],
+    "database_specific": {
+      "url": "https://pkg.go.dev/vuln/GO-2022-0969"
+    }
+  }
+}