x/vuln/cmd/govulncheck: CVEs are not detected in GOPATH mode

[rittneje]

Reopening #51591 because the issue is still present.

What version of Go are you using (go version)?

$ go version
go version go1.17.11 darwin/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/tmp/.gocache"
GOENV="/Users/rittneje/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/rittneje/test/pkg/mod"
GONOPROXY="REDACTED"
GONOSUMDB="REDACTED"
GOOS="darwin"
GOPATH="/Users/rittneje/test"
GOPRIVATE="REDACTED"
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/Users/rittneje/go1.17.11"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/Users/rittneje/go1.17.11/pkg/tool/darwin_amd64"
GOVCS="REDACTED"
GOVERSION="go1.17.11"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/kf/kr7_s3xx0l12zbj3jrn082hmzy5gvy/T/go-build1950822096=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

go.mod

module cvetest

go 1.16

require (
	golang.org/x/text v0.3.0
)

main.go

package main

import (
	"golang.org/x/text/language"
)

func main() {
	language.Parse("")
}

These files are located under $GOPATH/src/cvetest.

I then ran govulncheck cvetest in $GOPATH.

What did you expect to see?

Either it should report the vulnerability, or at least it should fail with an appropriate error message if this mode of operation is not supported.

Scanning for dependencies with known vulnerabilities...
Found 1 known vulnerability.
-------------------------------------------------------

GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can cause Parse
to panic via an out of bounds read. If Parse is used to process untrusted user inputs,
this may be used as a vector for a denial of service attack.

Call stacks in your code:
 cvetest.main calls golang.org/x/text/language.Parse

Found in:  golang.org/x/text/language@v0.3.0
Fixed in:  golang.org/x/text/language@v0.3.7
More info: https://pkg.go.dev/vuln/GO-2021-0113

What did you see instead?

Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.

If I run the same command in $GOPATH/src/cvetest then it works.

[zpavlinovic]

I get the following message with the latest govulncheck version:

govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
govulncheck: no go.mod file

govulncheck only works Go with modules. To make your project a module, run go mod init.

See https://go.dev/doc/modules/managing-dependencies for more information.

I get this error everywhere except when I am in the cvetest directory.

Could you confirm you get the same or something different?

[rittneje]

@zpavlinovic No, I continue to get the same output as before with the latest version (v0.0.0-20221007155627-b5628b3a3e55).

In $GOPATH:

govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.

In $GOPATH/src/cvetest:

govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
Found 1 known vulnerability.

Vulnerability #1: GO-2021-0113
Due to improper index calculation, an incorrectly formatted
language tag can cause Parse to panic via an out of bounds read.
If Parse is used to process untrusted user inputs, this may be
used as a vector for a denial of service attack.

Call stacks in your code:
main.go:8:16: cvetest.main calls golang.org/x/text/language.Parse

Found in: golang.org/x/text/language@v0.3.0
Fixed in: golang.org/x/text/language@v0.3.7
More info: https://pkg.go.dev/vuln/GO-2021-0113

[zpavlinovic]

What do you get when you run govulncheck cvetest outside of $GOPATH altogether?

[rittneje]

@zpavlinovic It gives the same output.

govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.

[zpavlinovic]

Hm, really unexpected.

What happens if you try to govulncheck some different packages, say "nonexistent" that should not exist and similar? Sorry for going back and forth with this, but I cannot reproduce the issue so I am trying to gather as much information as possible.

[rittneje]

A non-existent package yields this output:

govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
govulncheck: no go.mod file

govulncheck only works Go with modules. To make your project a module, run go mod init.

See https://go.dev/doc/modules/managing-dependencies for more information.

Strangely, even though that implies that it first searches for the go.mod file, if I remove the go.mod file from $GOPATH/src/cvetest, it still gives me the wrong output no matter which directory I run it from.

govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.

[rittneje]

@zpavlinovic I think I figured out the issue. Somehow govulncheck is sensitive to the presence of the $GOPATH/src/cvetest/vendor folder (created via go mod vendor). If that folder exists, then it does not yield any warning message when executed in GOPATH mode. Deleting the vendor folder and running in GOPATH mode yields the following output:

govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
govulncheck: no go.mod file

govulncheck only works Go with modules. To make your project a module, run go mod init.

See https://go.dev/doc/modules/managing-dependencies for more information.

This output is particularly confusing because there is a go.mod file.

[gopherbot]

Change https://go.dev/cl/443455 mentions this issue: internal/govulncheck: add running in GOPATH error

[zpavlinovic]

Thanks, that helps. I believe govulncheck is behaving correctly (at least it is consistent with golang.org/x/tools/go/packages/gopackages command), but we'll try to improve error messaging for GOPATH.

As the documentation states, govulncheck is always expected to be executed from the module directory. When in $GOPATH/src/cvetest, that is true. Also, since there exists a go.mod file, loading of packages will be done in MODULES mode despite the fact that we are somewhere in $GOPATH. This is due to GO111MODULE="auto". That is why everything works in this case regardless of vendoring.

When in $GOPATH instead, the loading of packages is done in GOPATH mode. Vendoring here plays a big role. When the dependencies are vendored, GOPATH mode can load the packages but there will be no versions. That is why the result is that there are no vulnerabilities. We'll add an error communicating when module information is not available as otherwise one can get a false sense of security.

When the dependencies are not vendored, then the module system needs to be consulted to load dependencies appropriately (as cvetest is a module) and that overrides GOPATH mode. It raises a loading error and since govulncheck then cannot find any go.mod file in the current directory , we get the "no go.mod message". This is expected. We'll update the error message to additionally hint that navigating to the module directory is also one possibility for a quick fix (instead of just suggesting to run go mod init).