This repo contains a small test program which contains a vulnerability and can be used to test whether vulnerability checkers find it. It can also be used as a perverse example to determine whether vulnerability checkers honour the module replace directive if present.
The small program uses the module gopkg.in/yaml.v3
at version
v3.0.0-20200615113413-eeeca48fe776. This version contains CVE-2022-28948. See
Running the small program with the go.mod file as
module github.com/bvwells/go-vulnerability
go 1.18
require gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776
will ilustrate generate the CVE.
> go run main.go
panic: internal error: attempted to parse unknown event (please report): none [recovered]
panic: internal error: attempted to parse unknown event (please report): none
goroutine 1 [running]:
gopkg.in/yaml%2ev3.handleErr(0xc000107ee8)
C:/Users/bwells/go/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/yaml.go:294 +0x6d
panic({0xe4fcc0, 0xc000040380})
C:/Program Files/Go/src/runtime/panic.go:838 +0x207
gopkg.in/yaml%2ev3.(*parser).parse(0xc00003f000)
C:/Users/bwells/go/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:163 +0x194
gopkg.in/yaml%2ev3.(*parser).parseChild(...)
C:/Users/bwells/go/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:194
gopkg.in/yaml%2ev3.(*parser).sequence(0xc00003f000)
C:/Users/bwells/go/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:259 +0x125
gopkg.in/yaml%2ev3.(*parser).parse(0xc00003f000)
C:/Users/bwells/go/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:154 +0xe7
gopkg.in/yaml%2ev3.(*parser).parseChild(0xc00003f000?, 0xc000064460)
C:/Users/bwells/go/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:194 +0x25
gopkg.in/yaml%2ev3.(*parser).mapping(0xc00003f000)
C:/Users/bwells/go/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:285 +0x1c8
gopkg.in/yaml%2ev3.(*parser).parse(0xc00003f000)
C:/Users/bwells/go/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:152 +0xff
gopkg.in/yaml%2ev3.(*parser).parseChild(...)
C:/Users/bwells/go/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:194
gopkg.in/yaml%2ev3.(*parser).document(0xc00003f000)
C:/Users/bwells/go/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:203 +0x7d
gopkg.in/yaml%2ev3.(*parser).parse(0xc00003f000)
C:/Users/bwells/go/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:156 +0xab
gopkg.in/yaml%2ev3.unmarshal({0xc0000145f0, 0xa, 0xa}, {0xe4bf00?, 0xc000040370}, 0xc0?)
C:/Users/bwells/go/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/yaml.go:161 +0x306
gopkg.in/yaml%2ev3.Unmarshal(...)
C:/Users/bwells/go/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/yaml.go:89
main.main()
C:/git/github.com/bvwells/go-vulnerability/main.go:9 +0x69
exit status 2
If the replace directive is used in the go.mod file to replace the version
module github.com/bvwells/go-vulnerability
go 1.18
require gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776
replace gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1
With this replace directive the program will run correctly.