Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vuln/cmd/govulncheck: TestCommand fails after golang.org/x dependency update #65084

Closed
dmitshur opened this issue Jan 12, 2024 · 3 comments
Closed
Assignees
Labels
NeedsFix The path to resolution is known, but the work has not been done. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Milestone

Comments

@dmitshur
Copy link
Contributor

TestCommand is passing at commit golang/vuln@7335627, but failing at commit golang/vuln@d8d123b (CL 555515) with:

$ go test ./cmd/govulncheck
--- FAIL: TestCommand (1.65s)
    --- FAIL: TestCommand//Users/gopher/go/src/golang.org/x/vuln/cmd/govulncheck/testdata/testfiles/source-call/source_vuln_json (1.19s)
        cmdtest.go:336: /Users/gopher/go/src/golang.org/x/vuln/cmd/govulncheck/testdata/testfiles/source-call/source_vuln_json.ct:3: want=-, got=+
            $ govulncheck -C ${moddir}/vuln -json ./...
              []string{
              	... // 461 identical elements
              	`        "version": "v1.6.5",`,
              	`        "package": "github.com/tidwall/gjson"`,
            + 	"      }",
            + 	"    ]",
            + 	"  }",
            + 	"}",
            + 	"{",
            + 	`  "finding": {`,
            + 	`    "osv": "GO-2021-0054",`,
            + 	`    "fixed_version": "v1.6.6",`,
            + 	`    "trace": [`,
            + 	"      {",
            + 	`        "module": "github.com/tidwall/gjson",`,
            + 	`        "version": "v1.6.5",`,
            + 	`        "package": "github.com/tidwall/gjson",`,
            + 	`        "function": "ForEach",`,
            + 	`        "receiver": "Result"`,
            + 	"      },",
[...]
              	... // 163 identical elements
              }
            
            
    --- FAIL: TestCommand//Users/gopher/go/src/golang.org/x/vuln/cmd/govulncheck/testdata/testfiles/source-call/source_vuln_text (2.77s)
        cmdtest.go:336: /Users/gopher/go/src/golang.org/x/vuln/cmd/govulncheck/testdata/testfiles/source-call/source_vuln_text.ct:3: want=-, got=+
            $ govulncheck -C ${moddir}/vuln ./... --> FAIL 3
              []string{
              	... // 22 identical elements
              	"      #1: .../vuln.go:13:16: vuln.main calls language.Parse",
              	"",
            - 	"=== Informational ===",
            + 	"Vulnerability #3: GO-2021-0054",
            + 	"    Due to improper bounds checking, maliciously crafted JSON objects can cause",
            + 	"    an out-of-bounds panic. If parsing user input, this may be used as a denial",
            + 	"    of service vector.",
            + 	"  More info: https://pkg.go.dev/vuln/GO-2021-0054",
            + 	"  Module: github.com/tidwall/gjson",
            + 	"    Found in: github.com/tidwall/[email protected]",
            + 	"    Fixed in: github.com/tidwall/[email protected]",
            + 	"    Example traces found:",
[...]           
            /Users/gopher/go/src/golang.org/x/vuln/cmd/govulncheck/testdata/testfiles/source-call/source_vuln_text.ct:71: want=-, got=+
            $ govulncheck -C ${moddir}/vuln -show=traces ./... --> FAIL 3
[...]

FAIL
FAIL	golang.org/x/vuln/cmd/govulncheck	7.890s
FAIL

(full details are on the post-submit dashboard here)

CL 555515 is a change generated by the automated tagging workflow, that updates to the latest versions of golang.org/x dependencies. This test runs only on longtest builders, and x/vuln trybots only has short builders by default, so it wasn't caught in pre-submit.

A short term fix is to revert the CL, or fix forward. @golang/vulndb What would you prefer?

That said, these kinds of CLs are expected to happen continuously, so there might be more to do to make the test okay with continuous golang.org/x dependency updates. If that's not viable, then let's discuss if something should change on the side of the monthly tagging workflow or the builder configuration. Thanks.

@dmitshur dmitshur added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jan 12, 2024
@dmitshur dmitshur added this to the Unreleased milestone Jan 12, 2024
@gopherbot gopherbot added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Jan 12, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/555655 mentions this issue: cmd/govulncheck: update test data

@dmitshur
Copy link
Contributor Author

I think CL 555655 should fix the immediate problem.

@dmitshur dmitshur added Soon This needs action soon. (recent regressions, service outages, unusual time-sensitive situations) and removed Soon This needs action soon. (recent regressions, service outages, unusual time-sensitive situations) labels Jan 12, 2024
gopherbot pushed a commit to golang/vuln that referenced this issue Jan 16, 2024
Generated with 'go test -update' for changes introduced by CL 555515.

For golang/go#65084.

Change-Id: I05938ce2755b6acdd42efc3fe9f51a485d8ca405
Cq-Include-Trybots: luci.golang.try:x_vuln-gotip-linux-amd64-longtest
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/555655
Auto-Submit: Dmitri Shuralyov <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Zvonimir Pavlinovic <[email protected]>
@zpavlinovic zpavlinovic self-assigned this Jan 22, 2024
@zpavlinovic
Copy link
Contributor

This is fixed now.

@dmitshur dmitshur added NeedsFix The path to resolution is known, but the work has not been done. and removed NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Feb 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
NeedsFix The path to resolution is known, but the work has not been done. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Projects
None yet
Development

No branches or pull requests

3 participants