x/vuln/cmd/govulncheck: vulnerability count does not match vulnerability numbering #56177

Closed
zpavlinovic opened this issue Oct 12, 2022 · 1 comment
Assignees
Labels
FrozenDueToAge; NeedsFix (The path to resolution is known, but the work has not been done.); UX (Issues that involve UXD/UXR input); vulncheck or vulndb (Issues for the x/vuln or x/vulndb repo)
Milestone

Comments

@zpavlinovic
Contributor

For some projects, govulncheck will report that X vulnerabilities are found and then proceed to listing them in order with their order number. Sometimes X does not match Y, where Y is the number of the last vulnerability listed. For instance, X=11 and Y=12 below:

govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
Found 11 known vulnerabilities.

[...]

Vulnerability #11: GO-2020-0015
  An attacker could provide a single byte to a UTF16 decoder
  [...]

  Found in: golang.org/x/text/encoding/unicode@v0.3.1-0.20181227161524-e6919f6577db
  Fixed in: golang.org/x/text/encoding/unicode@v0.3.3
  More info: https://pkg.go.dev/vuln/GO-2020-0015

Vulnerability #12: GO-2020-0015
  An attacker could provide a single byte to a UTF16 decoder
  [...]

  Found in: golang.org/x/text/transform@v0.3.1-0.20181227161524-e6919f6577db
  Fixed in: golang.org/x/text/transform@v0.3.3
  More info: https://pkg.go.dev/vuln/GO-2020-0015

The issue is that X is the number of unique OSVs detected while Y is the total number of unique <OSV, package path> pairs detected. This can happen since an OSV can define vulnerable symbols for multiple packages.

The most promising solution is to change the numbering mechanism for Y and combine results for the same OSV. For instance, the contents of Vulnerability #11 and Vulnerability #12 can be merged under a single Vulnerability #11.

zpavlinovic added the UX (Issues that involve UXD/UXR input) and vulncheck or vulndb (Issues for the x/vuln or x/vulndb repo) labels Oct 12, 2022
zpavlinovic modified the milestones: Backlog, vuln/2022 Oct 12, 2022
zpavlinovic added the NeedsFix (The path to resolution is known, but the work has not been done.) label Oct 12, 2022
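The mismatch described in the comment above, and the grouping that the fix applies, as an added example in Go. This is not code from the x/vuln repository: the Finding type, the sample findings (modelled on the report in the issue, with a made-up second ID GO-EXAMPLE-0001) and the helper functions are all constructed here. X is the number of distinct OSV IDs, Y the number of distinct (OSV, package) pairs; grouping findings per vulnerability, and within it per module, makes the header count and the entry numbering agree.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one (OSV, package) hit, the unit the old output numbered.
// Constructed type for this example, not the x/vuln API.
type Finding struct {
	OSV     string // vulnerability ID, e.g. GO-2020-0015
	Module  string // module containing the vulnerable package
	Package string // package whose vulnerable symbols are reachable
	Found   string // module version in use
	Fixed   string // first version with the fix
}

// sample mirrors the issue: GO-2020-0015 defines vulnerable symbols in two
// packages of golang.org/x/text, so it produces two findings. GO-EXAMPLE-0001
// is a made-up ID, present only so the report has a second vulnerability.
var sample = []Finding{
	{"GO-2020-0015", "golang.org/x/text", "golang.org/x/text/encoding/unicode",
		"v0.3.1-0.20181227161524-e6919f6577db", "v0.3.3"},
	{"GO-2020-0015", "golang.org/x/text", "golang.org/x/text/transform",
		"v0.3.1-0.20181227161524-e6919f6577db", "v0.3.3"},
	{"GO-EXAMPLE-0001", "example.com/other", "example.com/other/pkg", "v1.0.0", "v1.0.1"},
}

// countOSVs is X: the number of distinct vulnerability IDs.
func countOSVs(fs []Finding) int {
	seen := map[string]bool{}
	for _, f := range fs {
		seen[f.OSV] = true
	}
	return len(seen)
}

// countPairs is Y: the number of distinct (OSV, package) pairs, which is
// what a per-package numbering counts up to.
func countPairs(fs []Finding) int {
	seen := map[[2]string]bool{}
	for _, f := range fs {
		seen[[2]string{f.OSV, f.Package}] = true
	}
	return len(seen)
}

// ModuleHit is one module through which a vulnerability is reached, with the
// packages of that module whose vulnerable symbols were found.
type ModuleHit struct {
	Module, Found, Fixed string
	Packages             []string // distinct, first-seen order
}

// Group is one vulnerability, broken down per module as the fix does.
type Group struct {
	OSV     string
	Modules []ModuleHit // distinct, first-seen order
}

// groupByOSV merges findings that share an OSV ID, so len(result) equals
// countOSVs(fs) and the entry numbering cannot drift from the header count.
func groupByOSV(fs []Finding) []Group {
	index := map[string]int{}
	var groups []Group
	for _, f := range fs {
		gi, ok := index[f.OSV]
		if !ok {
			gi = len(groups)
			index[f.OSV] = gi
			groups = append(groups, Group{OSV: f.OSV})
		}
		g := &groups[gi]
		mi := -1
		for i, m := range g.Modules {
			if m.Module == f.Module {
				mi = i
			}
		}
		if mi < 0 {
			g.Modules = append(g.Modules, ModuleHit{Module: f.Module, Found: f.Found, Fixed: f.Fixed})
			mi = len(g.Modules) - 1
		}
		pkgs := g.Modules[mi].Packages
		dup := false
		for _, p := range pkgs {
			dup = dup || p == f.Package
		}
		if !dup {
			g.Modules[mi].Packages = append(pkgs, f.Package)
		}
	}
	return groups
}

// render writes the grouped report; the header count and the last entry
// number are both len(groups), so they always agree.
func render(fs []Finding) string {
	groups := groupByOSV(fs)
	var b strings.Builder
	fmt.Fprintf(&b, "Found %d known vulnerabilities.\n", len(groups))
	for i, g := range groups {
		fmt.Fprintf(&b, "\nVulnerability #%d: %s\n", i+1, g.OSV)
		for _, m := range g.Modules {
			fmt.Fprintf(&b, "  Module: %s\n    Found in: %s@%s\n    Fixed in: %s@%s\n",
				m.Module, m.Module, m.Found, m.Module, m.Fixed)
			for _, p := range m.Packages {
				fmt.Fprintf(&b, "    Package: %s\n", p)
			}
		}
	}
	return b.String()
}

func main() {
	fmt.Printf("X (unique OSVs) = %d, Y (unique OSV/package pairs) = %d\n",
		countOSVs(sample), countPairs(sample))
	fmt.Print(render(sample))
}
```

On the sample, countOSVs returns 2 while countPairs returns 3, which is exactly the "Found 11" versus "Vulnerability #12" drift from the issue in miniature; render emits two numbered entries, the first listing both x/text packages under a single module entry.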
@gopherbot

Change https://go.dev/cl/461646 mentions this issue: cmd/govulncheck: show results per (vulnerability, module) grouping

softdev050 added a commit to softdev050/Golangvuln that referenced this issue Apr 5, 2023
Instead of showing results per each package whose symbols are called, we
now show vulnerabilities instead. We also break each vulnerability by
modules whose symbols have been exercised. Explicit package info is
omitted as it can be deduced from the shown call stacks.

This also fixes the issue of incorrect vulnerability counting. Other
changes involve keeping things consistent between the main part and
Informational.

Updates golang/go#56207
Fixes golang/go#56177

Change-Id: I4cc12881443938cd3eb4f581e6689e53daeb28c7
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/461646
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
sayjun0505 added a commit to sayjun0505/Golangvuln that referenced this issue Apr 8, 2023
stanislavkononiuk added a commit to stanislavkononiuk/Golangvuln that referenced this issue Jun 26, 2023
@golang golang locked and limited conversation to collaborators Jan 25, 2024