cmd/govulncheck: update test data
Generated with 'go test -update' for changes introduced by CL 555515.

For golang/go#65084.

Change-Id: I05938ce2755b6acdd42efc3fe9f51a485d8ca405
Cq-Include-Trybots: luci.golang.try:x_vuln-gotip-linux-amd64-longtest
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/555655
Auto-Submit: Dmitri Shuralyov <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Zvonimir Pavlinovic <[email protected]>
dmitshur authored and gopherbot committed Jan 16, 2024
1 parent d8d123b commit e313109
Showing 2 changed files with 111 additions and 30 deletions.
75 changes: 75 additions & 0 deletions cmd/govulncheck/testdata/testfiles/source-call/source_vuln_json.ct
Expand Up @@ -468,6 +468,81 @@ $ govulncheck -C ${moddir}/vuln -json ./...
]
}
}
{
"finding": {
"osv": "GO-2021-0054",
"fixed_version": "v1.6.6",
"trace": [
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "ForEach",
"receiver": "Result"
},
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "modPretty",
"position": {
"filename": ".../gjson.go",
"offset": 53718,
"line": 2631,
"column": 21
}
},
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "execModifier",
"position": {
"filename": ".../gjson.go",
"offset": 52543,
"line": 2587,
"column": 21
}
},
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "Get",
"position": {
"filename": ".../gjson.go",
"offset": 38077,
"line": 1881,
"column": 36
}
},
{
"module": "github.com/tidwall/gjson",
"version": "v1.6.5",
"package": "github.com/tidwall/gjson",
"function": "Get",
"receiver": "Result",
"position": {
"filename": ".../gjson.go",
"offset": 5781,
"line": 297,
"column": 12
}
},
{
"module": "golang.org/vuln",
"package": "golang.org/vuln",
"function": "main",
"position": {
"filename": ".../vuln.go",
"offset": 183,
"line": 14,
"column": 20
}
}
]
}
}
{
"osv": {
"schema_version": "1.3.1",
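Review bot: the commit message says only that these files were regenerated with 'go test -update' for CL 555515, while this added finding record is a user-visible change: GO-2021-0054 now carries a full call trace from golang.org/vuln main to gjson Result.ForEach. Please add one sentence to the commit message stating that moving this vulnerability from the informational section to a called finding is the expected effect, so a later reader of the golden file can tell intent from drift.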
66 changes: 36 additions & 30 deletions cmd/govulncheck/testdata/testfiles/source-call/source_vuln_text.ct
Expand Up @@ -25,12 +25,21 @@ Vulnerability #2: GO-2021-0113
Example traces found:
#1: .../vuln.go:13:16: vuln.main calls language.Parse

Vulnerability #3: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
More info: https://pkg.go.dev/vuln/GO-2021-0054
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/[email protected]
Fixed in: github.com/tidwall/[email protected]
Example traces found:
#1: .../vuln.go:14:20: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach

=== Informational ===

Found 1 vulnerability in packages that you import, but there are no
call stacks leading to the use of this vulnerability. There are also 2
vulnerabilities in modules that you require that are neither imported
nor called. You may not need to take any action.
There are 2 vulnerabilities in modules that you require that are
neither imported nor called. You may not need to take any action.
See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.

Vulnerability #1: GO-2022-0969
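Review bot: in the Informational summary of this hunk, the sentence "Found 1 vulnerability in packages that you import, but there are no call stacks leading to the use of this vulnerability" is dropped, so this golden file no longer contains any imported-but-not-called case. Check that another testfile still exercises that message, or add a fixture for it; otherwise a regression in that branch of the text output would go unnoticed.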
Expand All @@ -42,16 +51,7 @@ Vulnerability #1: GO-2022-0969
Found in: net/[email protected]
Fixed in: net/[email protected]

Vulnerability #2: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
More info: https://pkg.go.dev/vuln/GO-2021-0054
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/[email protected]
Fixed in: github.com/tidwall/[email protected]

Vulnerability #3: GO-2020-0015
Vulnerability #2: GO-2020-0015
An attacker could provide a single byte to a UTF16 decoder instantiated with
UseBOM or ExpectBOM to trigger an infinite loop if the String function on
the Decoder is called, or the Decoder is passed to transform.String. If used
Expand All @@ -62,7 +62,7 @@ Vulnerability #3: GO-2020-0015
Found in: golang.org/x/[email protected]
Fixed in: golang.org/x/[email protected]

Your code is affected by 2 vulnerabilities from 2 modules.
Your code is affected by 3 vulnerabilities from 2 modules.

Share feedback at https://go.dev/s/govulncheck-feedback.

Expand Down Expand Up @@ -97,12 +97,27 @@ Vulnerability #2: GO-2021-0113
.../vuln.go:13:16: golang.org/vuln.main
golang.org/x/text/language.Parse

Vulnerability #3: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
More info: https://pkg.go.dev/vuln/GO-2021-0054
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/[email protected]
Fixed in: github.com/tidwall/[email protected]
Example traces found:
#1: for function github.com/tidwall/gjson.Result.ForEach
.../vuln.go:14:20: golang.org/vuln.main
.../gjson.go:297:12: github.com/tidwall/gjson.Result.Get
.../gjson.go:1881:36: github.com/tidwall/gjson.Get
.../gjson.go:2587:21: github.com/tidwall/gjson.execModifier
.../gjson.go:2631:21: github.com/tidwall/gjson.modPretty
github.com/tidwall/gjson.Result.ForEach

=== Informational ===

Found 1 vulnerability in packages that you import, but there are no
call stacks leading to the use of this vulnerability. There are also 2
vulnerabilities in modules that you require that are neither imported
nor called. You may not need to take any action.
There are 2 vulnerabilities in modules that you require that are
neither imported nor called. You may not need to take any action.
See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.

Vulnerability #1: GO-2022-0969
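Review bot: the verbose trace for GO-2021-0054 reaches Result.ForEach only through gjson-internal frames (Result.Get, Get, execModifier, modPretty), starting from the single call at .../vuln.go:14:20. Since 'go test -update' records whatever the tool prints, please confirm that this path is the intended result of CL 555515 and not an over-approximation in the call graph before it is locked in as expected output. The positions here do match the JSON trace in source_vuln_json.ct (297:12, 1881:36, 2587:21, 2631:21).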
Expand All @@ -114,16 +129,7 @@ Vulnerability #1: GO-2022-0969
Found in: net/[email protected]
Fixed in: net/[email protected]

Vulnerability #2: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
More info: https://pkg.go.dev/vuln/GO-2021-0054
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/[email protected]
Fixed in: github.com/tidwall/[email protected]

Vulnerability #3: GO-2020-0015
Vulnerability #2: GO-2020-0015
An attacker could provide a single byte to a UTF16 decoder instantiated with
UseBOM or ExpectBOM to trigger an infinite loop if the String function on
the Decoder is called, or the Decoder is passed to transform.String. If used
Expand All @@ -134,6 +140,6 @@ Vulnerability #3: GO-2020-0015
Found in: golang.org/x/[email protected]
Fixed in: golang.org/x/[email protected]

Your code is affected by 2 vulnerabilities from 2 modules.
Your code is affected by 3 vulnerabilities from 2 modules.

Share feedback at https://go.dev/s/govulncheck-feedback.
