
x/vulndb: compute derived symbols for exported package #56185

Open
zpavlinovic opened this issue Oct 12, 2022 · 1 comment
Assignees: zpavlinovic
Labels: vulncheck or vulndb (Issues for the x/vuln or x/vulndb repo)

Comments

@zpavlinovic (Contributor)

Suppose a vulnerable symbol module/internal.v is reachable in a user program and that there is a derived symbol "module/internal.V" in the vulnerability report. A call stack produced by govulncheck could be something like

main.go calls module/internal.V

The vulnerability is in an internal package and that can be confusing to the user. Instead, we should make the derived symbols be the closest exported symbols of the same module that are in a public package.

For instance, the mere fact that the above summarized call stack exists means that there has to be a sequence of calls of the form module/p.Foo -> module/internal.V -> ... -> module/internal.v. We should thus have module/p.Foo as the derived symbol.

This will also help during report creation where we are interested in whether an unexported vulnerable symbol is reachable by an exported symbol of a public package of the module in question.

@zpavlinovic (Contributor, Author)

We should also not include the private symbol in the OSV entry if we are able to find some derived symbols.
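
As an added example (not code from x/vulndb or govulncheck), the following Go program implements the rule described in the issue body and in the comment above: walk the call graph backwards from the vulnerable symbol, report the closest exported symbols of non-internal packages within the same module, stop at the first qualifying symbol on each path (so module/p.Foo is reported rather than any public caller of Foo), ignore callers outside the module such as the user's main, and list the vulnerable symbol itself only when no derived symbol exists. The call graph, the module path "module", the "<import path>.<name>" symbol spelling, the CallGraph type and the function names are all assumptions made for this example; they are not govulncheck's internal representation.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"unicode"
	"unicode/utf8"
)

// CallGraph maps a caller symbol to the symbols it calls. Symbols are
// written as "<import path>.<name>", e.g. "module/internal.v". This
// representation is an assumption of the example, not govulncheck's.
type CallGraph map[string][]string

// splitSymbol separates "<import path>.<name>" into its two parts. The
// first '.' after the last '/' ends the import path, so "a.b/c.T.M"
// yields ("a.b/c", "T.M").
func splitSymbol(sym string) (pkg, name string) {
	start := strings.LastIndex(sym, "/") + 1
	dot := strings.Index(sym[start:], ".")
	if dot < 0 {
		return sym, ""
	}
	dot += start
	return sym[:dot], sym[dot+1:]
}

// inModule reports whether pkg is the module path itself or nested under it.
func inModule(pkg, module string) bool {
	return pkg == module || strings.HasPrefix(pkg, module+"/")
}

// isInternal applies Go's rule: a package is internal when any element of
// its import path is "internal".
func isInternal(pkg string) bool {
	for _, elem := range strings.Split(pkg, "/") {
		if elem == "internal" {
			return true
		}
	}
	return false
}

// isPublicExported is the property a derived symbol must have: it belongs
// to a non-internal package of the module and its name is exported.
func isPublicExported(sym, module string) bool {
	pkg, name := splitSymbol(sym)
	if name == "" || !inModule(pkg, module) || isInternal(pkg) {
		return false
	}
	r, _ := utf8.DecodeRuneInString(name)
	return unicode.IsUpper(r)
}

// DerivedSymbols walks cg backwards from vuln and returns, sorted, the
// closest exported symbols of public packages in module that reach it.
// The search does not continue past a qualifying symbol and does not
// follow callers that live outside the module.
func DerivedSymbols(cg CallGraph, module, vuln string) []string {
	callers := map[string][]string{}
	for caller, callees := range cg {
		for _, callee := range callees {
			callers[callee] = append(callers[callee], caller)
		}
	}
	visited := map[string]bool{vuln: true}
	queue := []string{vuln}
	var derived []string
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, c := range callers[cur] {
			if visited[c] {
				continue
			}
			visited[c] = true
			pkg, _ := splitSymbol(c)
			if !inModule(pkg, module) {
				continue // caller is in another module (e.g. the user's main)
			}
			if isPublicExported(c, module) {
				derived = append(derived, c)
				continue // closest qualifying symbol on this path; stop here
			}
			queue = append(queue, c) // unexported or internal: keep climbing
		}
	}
	sort.Strings(derived)
	return derived
}

// ReportSymbols picks what the OSV entry should list for vuln: the derived
// symbols when any exist, otherwise the vulnerable symbol itself.
func ReportSymbols(cg CallGraph, module, vuln string) []string {
	if d := DerivedSymbols(cg, module, vuln); len(d) > 0 {
		return d
	}
	return []string{vuln}
}

// SampleGraph is a constructed call graph (not taken from any real module)
// shaped like the issue: module/p.Foo -> module/internal.V -> ... ->
// module/internal.v, plus a few distractors.
func SampleGraph() CallGraph {
	return CallGraph{
		"main.main":                 {"module/p.Foo", "module/q.Bar"},
		"module/p.Baz":              {"module/p.Foo"},           // further than Foo: not reported
		"module/p.Foo":              {"module/internal.V"},      // derived symbol
		"module/internal.V":         {"module/internal.helper"}, // internal: climb past it
		"module/internal.helper":    {"module/internal.v"},
		"module/q.Bar":              {"module/q.unexported"}, // derived symbol
		"module/q.unexported":       {"module/internal.v"},   // public pkg, unexported: climb
		"module/internal/sub.Thing": {"module/internal.v"},   // exported but internal: not reported
		"other/mod.Use":             {"module/internal.V"},   // other module: ignored
	}
}

func main() {
	cg := SampleGraph()
	fmt.Println(DerivedSymbols(cg, "module", "module/internal.v")) // [module/p.Foo module/q.Bar]
	fmt.Println(ReportSymbols(cg, "module", "module/internal.orphan"))
}
```

The backward search stops at the first qualifying symbol on each path, which is what makes the result the "closest" exported symbols rather than every public entry point that transitively reaches the vulnerability; a real implementation would also have to handle methods, interface dispatch and the static call graph's imprecision, none of which this toy models.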

@zpavlinovic zpavlinovic self-assigned this Oct 13, 2022
@julieqiu julieqiu modified the milestones: vuln/2022, vuln/unplanned Apr 7, 2023
2 participants