Description
Reduce the number of example traces that are output by govulncheck
Output of running on x/vulndb:
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
Using go1.20.3
and govulncheck@v0.2.0 with vulnerability data from https://vuln.go.dev (last modified 2023-07-06 20:13:13 +0000 UTC).
Scanning your code and 581 packages across 60 dependent modules for known vulnerabilities...
Vulnerability #1: GO-2023-1840
Unsafe behavior in setuid/setgid binaries in runtime
More info: https://pkg.go.dev/vuln/GO-2023-1840
Standard library
Found in: runtime@go1.20.3
Fixed in: runtime@go1.20.5
Example traces found:
#1: cmd/vulnreport/main.go:196:13: vulnreport.main calls log.Fatalf, which eventually calls runtime.Caller
#2: internal/issues/githubtest/setup.go:38:11: githubtest.Setup calls testing.common.Cleanup, which calls runtime.Callers
#3: internal/worker/server.go:168:31: worker.responseWriter.WriteHeader calls http.response.WriteHeader, which eventually calls runtime.CallersFrames
#4: internal/worker/server.go:168:31: worker.responseWriter.WriteHeader calls http.response.WriteHeader, which eventually calls runtime.Frames.Next
#5: internal/worker/log/gcpjson.go:14:2: log.init calls event.init, which eventually calls runtime.Func.Entry
#6: internal/worker/worker.go:178:2: worker.CreateIssues calls event.End, which eventually calls runtime.Func.Name
#7: internal/worker/worker.go:178:2: worker.CreateIssues calls event.End, which eventually calls runtime.FuncForPC
#8: internal/database/legacydb/diff.go:24:18: legacydb.Diff calls cmp.Diff, which eventually calls runtime.GC
#9: internal/database/database.go:123:21: database.VulnsIndex.MarshalJSON calls json.Marshal, which eventually calls runtime.GOMAXPROCS
#10: cmd/vulnreport/main.go:15:2: vulnreport.init calls build.init, which eventually calls runtime.GOROOT
#11: internal/test/packages.go:19:10: test.VerifyImports calls testing.common.Fatal, which eventually calls runtime.Goexit
#12: internal/observe/observe.go:103:32: observe.eventHandler.Event calls otel.MetricHandler.Event, which eventually calls runtime.Gosched
#13: internal/gitrepo/gitrepo.go:94:26: gitrepo.ReadTxtarRepo calls os.File.Write, which eventually calls runtime.KeepAlive
#14: internal/worker/store/mem_store.go:193:12: store.memTransaction.GetCVERecords calls sort.Slice, which eventually calls runtime.MemProfileRecord.InUseBytes
#15: cmd/vulnreport/main.go:125:3: vulnreport.main calls pprof.StopCPUProfile, which calls runtime.SetCPUProfileRate
#16: internal/report/report.go:267:17: report.Report.Write calls os.File.Close, which eventually calls runtime.SetFinalizer
#17: internal/derrors/derrors.go:45:19: derrors.Report calls errorreporting.Client.Report, which eventually calls runtime.Stack
#18: internal/worker/update.go:122:24: worker.cveUpdater.update calls runtime.TypeAssertionError.Error
#19: internal/worker/store/fire_store.go:14:2: store.init calls firestore.init, which eventually calls runtime.Version
#20: cmd/vulnreport/main.go:23:2: vulnreport.init calls runtime.init, which calls runtime.efaceOf
#21: cmd/vulnreport/main.go:23:2: vulnreport.init calls runtime.init, which eventually calls runtime.findfunc
#22: cmd/vulnreport/main.go:23:2: vulnreport.init calls runtime.init, which calls runtime.float64frombits
#23: cmd/vulnreport/main.go:23:2: vulnreport.init calls runtime.init, which eventually calls runtime.forcegchelper
#24: cmd/vulnreport/main.go:23:2: vulnreport.init calls runtime.init, which eventually calls runtime.funcMaxSPDelta
#25: cmd/vulnreport/main.go:23:2: vulnreport.init calls runtime.init, which eventually calls runtime.lockInit
#26: internal/worker/update.go:122:24: worker.cveUpdater.update calls runtime.plainError.Error
#27: cmd/vulnreport/main.go:23:2: vulnreport.init calls runtime.init, which eventually calls runtime.throw
Vulnerability #2: GO-2023-1753
Improper handling of empty HTML attributes in html/template
More info: https://pkg.go.dev/vuln/GO-2023-1753
Standard library
Found in: html/template@go1.20.3
Fixed in: html/template@go1.20.4
Example traces found:
#1: cmd/worker/main.go:121:56: worker.runServer calls http.ListenAndServe, which eventually calls template.Template.Execute
#2: cmd/worker/main.go:121:56: worker.runServer calls http.ListenAndServe, which eventually calls template.Template.ExecuteTemplate
Vulnerability #3: GO-2023-1752
Improper handling of JavaScript whitespace in html/template
More info: https://pkg.go.dev/vuln/GO-2023-1752
Standard library
Found in: html/template@go1.20.3
Fixed in: html/template@go1.20.4
Example traces found:
#1: cmd/worker/main.go:121:56: worker.runServer calls http.ListenAndServe, which eventually calls template.Template.Execute
#2: cmd/worker/main.go:121:56: worker.runServer calls http.ListenAndServe, which eventually calls template.Template.ExecuteTemplate
Vulnerability #4: GO-2023-1751
Improper sanitization of CSS values in html/template
More info: https://pkg.go.dev/vuln/GO-2023-1751
Standard library
Found in: html/template@go1.20.3
Fixed in: html/template@go1.20.4
Example traces found:
#1: cmd/worker/main.go:121:56: worker.runServer calls http.ListenAndServe, which eventually calls template.Template.Execute
#2: cmd/worker/main.go:121:56: worker.runServer calls http.ListenAndServe, which eventually calls template.Template.ExecuteTemplate
Your code is affected by 4 vulnerabilities from the Go standard library.
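One way to see how much of the list above is redundant, as an added example that is not part of the issue or of govulncheck itself: a small Go program that parses trace lines in the printed format and groups them by call site in the scanned module, so that the seven traces starting at cmd/vulnreport/main.go:23:2 become a single entry listing the runtime symbols reached. ParseTrace, Collapse, Group and Sample are names chosen here; Sample is a constructed subset of the GO-2023-1840 traces from the output above.

```go
package main

import "strings"

// ParseTrace splits one "#N: file:line:col: entry calls x, which eventually calls sym"
// trace line into call site, entry function and vulnerable symbol; ok is false otherwise.
func ParseTrace(line string) (site, entry, symbol string, ok bool) {
	line = strings.TrimSpace(line)
	i := strings.Index(line, ": ") // end of the "#N" counter
	if !strings.HasPrefix(line, "#") || i < 0 {
		return "", "", "", false
	}
	rest := line[i+2:]
	j := strings.Index(rest, ": ")      // end of file:line:col
	k := strings.Index(rest, " calls ") // end of the entry function
	if j < 0 || k < j {
		return "", "", "", false
	}
	fields := strings.Fields(rest) // the vulnerable symbol is always the last word
	return rest[:j], rest[j+2 : k], fields[len(fields)-1], true
}

// Group is every trace that starts at one call site in the scanned module.
type Group struct{ Site, Entry string; Symbols []string }

// Collapse keeps one group per call site, in first-seen order, listing the vulnerable
// symbols reached from it: one line per place to look, not one per runtime symbol.
func Collapse(output string) []Group {
	var groups []Group
	index := map[string]int{} // site -> position in groups
	for _, line := range strings.Split(output, "\n") {
		if site, entry, symbol, ok := ParseTrace(line); !ok {
			continue // header, "Found in:", blank line, etc.
		} else if g, seen := index[site]; seen {
			groups[g].Symbols = append(groups[g].Symbols, symbol)
		} else {
			index[site] = len(groups)
			groups = append(groups, Group{site, entry, []string{symbol}})
		}
	}
	return groups
}

// Sample is a subset of the GO-2023-1840 traces from the issue output (constructed test input).
const Sample = `
#3: internal/worker/server.go:168:31: worker.responseWriter.WriteHeader calls http.response.WriteHeader, which eventually calls runtime.CallersFrames
#4: internal/worker/server.go:168:31: worker.responseWriter.WriteHeader calls http.response.WriteHeader, which eventually calls runtime.Frames.Next
#20: cmd/vulnreport/main.go:23:2: vulnreport.init calls runtime.init, which calls runtime.efaceOf
#27: cmd/vulnreport/main.go:23:2: vulnreport.init calls runtime.init, which eventually calls runtime.throw
`
```

Run over the full GO-2023-1840 section above, the same grouping turns 27 traces into 18 call sites.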