
x/vuln: govulncheck ./... should recurse through _all_ sub directories. #56715

Closed
glycerine opened this issue Nov 12, 2022 · 3 comments
Assignees
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo

Comments

@glycerine

glycerine commented Nov 12, 2022

govulncheck ./... craps out early on the recursion before finding the go modules below the current directory, forcing manual intervention when a simple automated scan of a directory tree is desired. Preferred behavior: continue the recursive search down through all sub directories, checking each module found.

Example:

$ go version
go version go1.18.3 linux/amd64

$ go install golang.org/x/vuln/cmd/govulncheck@latest
go: downloading golang.org/x/vuln v0.0.0-20221111165027-50a0e29f49cc
go: downloading golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e
go: downloading golang.org/x/tools v0.2.1-0.20221108172846-9474ca31d0df
go: downloading golang.org/x/mod v0.6.0
go: downloading golang.org/x/sys v0.1.0

(base) me@box ~/go/src/golang.org/x $ govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
govulncheck: no go.mod file

govulncheck only works Go with modules. Try navigating to your module directory.
Otherwise, run go mod init to make your project a module.

See https://go.dev/doc/modules/managing-dependencies for more information.
(base) me@box ~/go/src/golang.org/x $ ls
crypto  exp  image  mod  net  sync  sys  text  tools  xerrors

(base) me@box ~/go/src/golang.org/x $ cd crypto/

(base) me@box ~/go/src/golang.org/x/crypto (master) $ ls

acme     blake2b   cast5             CONTRIBUTING.md  ed25519  internal  ocsp     pbkdf2     ripemd160  ssh      xts
argon2   blake2s   chacha20          CONTRIBUTORS     go.mod   LICENSE   openpgp  pkcs12     salsa20    tea
AUTHORS  blowfish  chacha20poly1305  cryptobyte       go.sum   md4       otr      poly1305   scrypt     twofish
bcrypt   bn256     codereview.cfg    curve25519       hkdf     nacl      PATENTS  README.md  sha3       xtea

(base) me@box ~/go/src/golang.org/x/crypto (master) $ govulncheck ./...   ## now it works after manually locating sub directories.

govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
Found 5 known vulnerabilities.

Vulnerability #1: GO-2022-1095
...
@glycerine glycerine added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Nov 12, 2022
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Nov 12, 2022
@seankhliao
Member

related #50745

@joedian joedian added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Nov 14, 2022
@hyangah
Contributor

hyangah commented Dec 7, 2022

@glycerine If you run go list ./... from the directory, do you see any modules or packages reported? I guess not. govulncheck works like other go commands, so IMO this is working as intended unless the meaning of ./... changes.
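The behaviour hyangah describes is why the `./...` pattern stops at the boundary of the current module: like `go list ./...`, it only expands to packages of the module you are standing in, so a tree of sibling modules needs one scan per go.mod. The script below is an added example (it is not part of this issue, nor of the x/vuln project) that automates the manual step from the original report: it lists every directory containing a go.mod below a root, skipping vendor, testdata and .git, and runs a scan command inside each one. The function names, the skip list and the default command `govulncheck ./...` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the x/vuln project: scan every Go module in a
# directory tree, because govulncheck's ./... only covers the current module.

# list_modules ROOT
# Prints, one per line and sorted, every directory under ROOT that holds a
# go.mod. vendor, testdata and .git subtrees are pruned (assumed skip list).
list_modules() {
    find "$1" -type d \( -name vendor -o -name testdata -o -name .git \) -prune \
        -o -type f -name go.mod -print | sed 's#/go\.mod$##' | sort
}

# scan_modules ROOT [CMD ARGS...]
# Runs CMD (default: govulncheck ./...) from inside each module directory found
# by list_modules. Every module is scanned even if an earlier one fails; the
# return value is the number of modules whose scan exited non-zero, so it can be
# used directly as a CI gate.
scan_modules() {
    root=$1
    shift
    if [ $# -eq 0 ]; then
        set -- govulncheck ./...
    fi
    # The module list goes through a temp file rather than a pipe so the loop
    # runs in the current shell and the failure counter is visible afterwards.
    list=$(mktemp)
    list_modules "$root" > "$list"
    failed=0
    while IFS= read -r dir; do
        echo "==> $dir"
        ( cd "$dir" && "$@" ) || failed=$((failed + 1))
    done < "$list"
    rm -f "$list"
    return "$failed"
}

# Usage from the directory in the report (assumed invocation):
#   scan_modules ~/go/src/golang.org/x
# or, to see only which modules would be scanned:
#   list_modules ~/go/src/golang.org/x
```

Running it from `~/go/src/golang.org/x` as in the report would visit `crypto`, `exp` and the other checkouts in turn instead of stopping at the top-level "no go.mod file" error, and a non-zero return tells the calling pipeline that at least one module's scan failed or reported findings.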

@zpavlinovic zpavlinovic self-assigned this Dec 8, 2022
@zpavlinovic
Contributor

Closing this as working as intended.

@golang golang locked and limited conversation to collaborators Dec 21, 2023