x/vuln/cmd/govulncheck: cgo incompatibility #51819

Closed
amotmot opened this issue Mar 19, 2022 · 5 comments
Labels:
FrozenDueToAge
NeedsInvestigation: Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
vulncheck or vulndb: Issues for the x/vuln or x/vulndb repo
WaitingForInfo: Issue is not actionable because of missing required information, which needs to be provided.

amotmot commented Mar 19, 2022

What version of Go are you using (go version)?

go version go1.18 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="[...]/.cache/go-build"
GOENV="[...]/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="[...]/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="[...]/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.18"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="[...]/podman/go.mod"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3833157872=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Running govulncheck on packages that rely on cgo results in errors

What did you see?

➜  podman git:(main) govulncheck -json ./...   
[...]/podman/vendor/github.com//gpgme/data.go:7:8: could not import C (no metadata for C)
[...]/podman/vendor/github.com/proglottis/gpgme/data.go:150:13: invalid operation: cannot compare d.dh == nil (operator == not defined on untyped nil)
[...]/podman/vendor/github.com/proglottis/gpgme/gpgme.go:294:14: invalid operation: cannot compare c.ctx == nil (operator == not defined on untyped nil)
[...]/podman/vendor/github.com/proglottis/gpgme/gpgme.go:442:24: invalid operation: cannot compare key.k == nil (operator == not defined on untyped nil)
[...]/podman/vendor/github.com/containers/storage/drivers/btrfs/btrfs.go:15:8: could not import C (no metadata for C)
[...]/podman/vendor/github.com/containers/storage/pkg/devicemapper/devmapper_log.go:5:8: could not import C (no metadata for C)
dependencies/dependencies.go:7:2: import "github.com/onsi/ginkgo/ginkgo" is a program, not an importable package
govulncheck: packages contain errors

Details ...
https://github.com/containers/podman/blob/main/vendor/github.com/proglottis/gpgme/data.go#L7

How should govulncheck ignore import "C"?

@gopherbot gopherbot added this to the Unreleased milestone Mar 19, 2022
@mknyszek
Contributor

CC @golang/security

@mknyszek mknyszek added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Mar 21, 2022
@zpavlinovic
Contributor

This seems like a package loading issue. govulncheck uses the underlying build system to build the specified packages.

@jba
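
Following the package-loading diagnosis above, one way to triage output like the report's before reading it as a scan result (added example, not part of the thread or of govulncheck). The `Triage` helper and the example.com paths are hypothetical, and counting other errors in a directory whose `import "C"` failed as secondary is an assumption:

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Constructed sample shaped like the errors in the report; the example.com
// paths are placeholders, not podman's vendor tree.
const sample = `vendor/example.com/cgolib/data.go:150:13: invalid operation: cannot compare d.dh == nil (operator == not defined on untyped nil)
vendor/example.com/cgolib/data.go:7:8: could not import C (no metadata for C)
vendor/example.com/fsdrv/fs.go:15:8: could not import C (no metadata for C)
deps/deps.go:7:2: import "example.com/tool/cmd" is a program, not an importable package
govulncheck: packages contain errors`

var posRe = regexp.MustCompile(`^(\S+\.go):\d+:\d+: (.+)$`)
// Triage returns the directories whose import "C" failed, the number of other
// errors in those directories (assumed secondary), and errors found elsewhere.
func Triage(out string) (cgoDirs []string, secondary int, unrelated []string) {
	failed := map[string]bool{}
	var rest [][]string // [dir, message] of every non-cgo error
	for _, line := range strings.Split(out, "\n") {
		m := posRe.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue // summary lines carry no file position
		}
		dir := path.Dir(m[1])
		if !strings.HasPrefix(m[2], "could not import C") {
			rest = append(rest, []string{dir, m[2]})
		} else if !failed[dir] {
			failed[dir] = true
			cgoDirs = append(cgoDirs, dir)
		}
	}
	for _, e := range rest { // second pass: the cgo error may come last
		if failed[e[0]] {
			secondary++
		} else {
			unrelated = append(unrelated, e[1])
		}
	}
	return cgoDirs, secondary, unrelated
}

func main() {
	fmt.Println(Triage(sample))
}
```

Any non-empty result means the packages did not load cleanly, so the run produced no vulnerability findings for them and should not be treated as a clean scan.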

@zpavlinovic zpavlinovic changed the title x/exp/vulndb/govulncheck: cgo incompatibility x/vuln/cmd/govulncheck: cgo incompatibility Mar 24, 2022
@gopherbot gopherbot added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Mar 24, 2022
@zpavlinovic
Contributor

zpavlinovic commented Mar 24, 2022

Note: the new version of govulncheck is now in x/vuln/cmd/govulncheck. The previous version is not supported anymore and has been deleted.

@jba
Contributor

jba commented Mar 25, 2022

As a simple test, I created a Go program that uses cgo and ran govulncheck on it. It worked properly. This is using the standard go tool, with Go 1.18.

As a test to see if CGO_ENABLED was the culprit, I set CGO_ENABLED=0, but got a different error message. I wasn't able to generate the message "could not import C (no metadata for C)".

I think you'll have to give us steps to reproduce the bug. I can't make progress without it.

@jba jba added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Mar 25, 2022
@gopherbot
Contributor

Timed out in state WaitingForInfo. Closing.

(I am just a bot, though. Please speak up if this is a mistake or you have the requested information.)

@golang golang locked and limited conversation to collaborators Apr 25, 2023