
x/vuln: json output always exits 0 #61704

@tendervittles

Description


What version of Go are you using (go version)?

$ go version
go version go1.21rc3 linux/amd64

Does this issue reproduce at the latest version of golang.org/x/vuln?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/tendervittles/.cache/go-build'
GOENV='/home/tendervittles/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/tendervittles/go/pkg/mod'
GONOPROXY='gitlab.com/m2md'
GONOSUMDB='gitlab.com/m2md'
GOOS='linux'
GOPATH='/home/tendervittles/go'
GOPRIVATE='gitlab.com/m2md'
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21rc3'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/home/tendervittles/vuln.tutorial/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build182358312=/tmp/go-build -gno-record-gcc-switches'

What did you do?

Followed the steps in https://go.dev/doc/tutorial/govulncheck.

Running govulncheck ./... has the expected output. Exit status is non-zero.

vuln.tutorial$ govulncheck ./...
Using go1.21rc3 and govulncheck@v1.0.1-0.20230801195028-b2f5f90cdca7 with vulnerability data from https://vuln.go.dev (last modified 2023-07-31 22:18:02 +0000 UTC).

Scanning your code and 48 packages across 1 dependent module for known vulnerabilities...

Vulnerability #1: GO-2021-0113
    Out-of-bounds read in golang.org/x/text/language
  More info: https://pkg.go.dev/vuln/GO-2021-0113
  Module: golang.org/x/text
    Found in: golang.org/x/text@v0.3.5
    Fixed in: golang.org/x/text@v0.3.7
    Example traces found:
      #1: main.go:12:43: vuln.main calls language.Parse

=== Informational ===

Found 1 vulnerability in packages that you import, but there are no call
stacks leading to the use of this vulnerability. You may not need to
take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2022-1059
    Denial of service via crafted Accept-Language header in
    golang.org/x/text/language
  More info: https://pkg.go.dev/vuln/GO-2022-1059
  Module: golang.org/x/text
    Found in: golang.org/x/text@v0.3.5
    Fixed in: golang.org/x/text@v0.3.8

Your code is affected by 1 vulnerability from 1 module.

Share feedback at https://go.dev/s/govulncheck-feedback.
vuln.tutorial$ echo $?
3
vuln.tutorial$ 

Running govulncheck -json ./... has the expected json output. Exit status is zero.

vuln.tutorial$ govulncheck -json ./...
{
  "config": {
    "protocol_version": "v1.0.0",
    "scanner_name": "govulncheck",
    "scanner_version": "v1.0.1-0.20230801195028-b2f5f90cdca7",
    "db": "https://vuln.go.dev",
    "db_last_modified": "2023-07-31T22:18:02Z",
    "go_version": "go1.21rc3",
    "scan_level": "symbol"
  }
}
{
  "progress": {
    "message": "Scanning your code and 48 packages across 1 dependent module for known vulnerabilities..."
  }
}
{
  "osv": {
    "schema_version": "1.3.1",
    "id": "GO-2021-0113",
    "modified": "2023-06-12T18:45:41Z",
    "published": "2021-10-06T17:51:21Z",
    "aliases": [
      "CVE-2021-38561",
      "GHSA-ppp9-7jff-5vj2"
    ],
    "summary": "Out-of-bounds read in golang.org/x/text/language",
    "details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
    "affected": [
      {
        "package": {
          "name": "golang.org/x/text",
          "ecosystem": "Go"
        },
        "ranges": [
          {
            "type": "SEMVER",
            "events": [
              {
                "introduced": "0"
              },
              {
                "fixed": "0.3.7"
              }
            ]
          }
        ],
        "ecosystem_specific": {
          "imports": [
            {
              "path": "golang.org/x/text/language",
              "symbols": [
                "MatchStrings",
                "MustParse",
                "Parse",
                "ParseAcceptLanguage"
              ]
            }
          ]
        }
      }
    ],
    "references": [
      {
        "type": "FIX",
        "url": "https://go.dev/cl/340830"
      },
      {
        "type": "FIX",
        "url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
      }
    ],
    "credits": [
      {
        "name": "Guido Vranken"
      }
    ],
    "database_specific": {
      "url": "https://pkg.go.dev/vuln/GO-2021-0113"
    }
  }
}
{
  "finding": {
    "osv": "GO-2021-0113",
    "fixed_version": "v0.3.7",
    "trace": [
      {
        "module": "golang.org/x/text",
        "version": "v0.3.5",
        "package": "golang.org/x/text/language",
        "function": "Parse"
      },
      {
        "module": "vuln.tutorial",
        "package": "vuln.tutorial",
        "function": "main",
        "position": {
          "filename": "/home/csv/vuln.tutorial/main.go",
          "offset": 189,
          "line": 12,
          "column": 43
        }
      }
    ]
  }
}
{
  "osv": {
    "schema_version": "1.3.1",
    "id": "GO-2022-1059",
    "modified": "2023-06-12T18:45:41Z",
    "published": "2022-10-11T18:16:24Z",
    "aliases": [
      "CVE-2022-32149",
      "GHSA-69ch-w2m2-3vjp"
    ],
    "summary": "Denial of service via crafted Accept-Language header in golang.org/x/text/language",
    "details": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.",
    "affected": [
      {
        "package": {
          "name": "golang.org/x/text",
          "ecosystem": "Go"
        },
        "ranges": [
          {
            "type": "SEMVER",
            "events": [
              {
                "introduced": "0"
              },
              {
                "fixed": "0.3.8"
              }
            ]
          }
        ],
        "ecosystem_specific": {
          "imports": [
            {
              "path": "golang.org/x/text/language",
              "symbols": [
                "MatchStrings",
                "ParseAcceptLanguage"
              ]
            }
          ]
        }
      }
    ],
    "references": [
      {
        "type": "REPORT",
        "url": "https://go.dev/issue/56152"
      },
      {
        "type": "FIX",
        "url": "https://go.dev/cl/442235"
      },
      {
        "type": "WEB",
        "url": "https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ"
      }
    ],
    "credits": [
      {
        "name": "Adam Korczynski (ADA Logics)"
      },
      {
        "name": "OSS-Fuzz"
      }
    ],
    "database_specific": {
      "url": "https://pkg.go.dev/vuln/GO-2022-1059"
    }
  }
}
{
  "finding": {
    "osv": "GO-2022-1059",
    "fixed_version": "v0.3.8",
    "trace": [
      {
        "module": "golang.org/x/text",
        "version": "v0.3.5",
        "package": "golang.org/x/text/language"
      }
    ]
  }
}
vuln.tutorial$ echo $?
0
vuln.tutorial$

What did you expect to see?

If a vulnerability is detected the exit status should always be non-zero, regardless of output format.

What did you see instead?

Exit status changed because I set -json.
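Until the exit status is consistent across output formats, a pipeline that wants the JSON stream and a failing build has to derive the status itself. The following is an added example, not part of the issue and not govulncheck's own code: it decodes a `-json` stream like the one above (a sequence of concatenated JSON objects, each carrying one of `config`, `progress`, `osv` or `finding`) and separates findings that come with a call stack from import-only ones. It relies on the convention visible in the output above, that a finding whose first trace frame names a `function` is a symbol-level finding, while an import-only finding has a single frame with just module, version and package; it also copes with streams where one OSV ID appears in several findings (package level first, symbol level later), which the output on this page does not show. The exit status 3 is copied from the text-mode run above and is an assumption about the convention to emulate; `SampleStream` is a constructed, abridged version of the reporter's output.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// message is one object from the govulncheck -json stream. Only the finding
// key matters for the exit decision; config, progress and osv objects decode
// into an empty message and are skipped.
type message struct {
	Finding *finding `json:"finding,omitempty"`
}

type finding struct {
	OSV   string  `json:"osv"`
	Trace []frame `json:"trace"`
}

type frame struct {
	Module   string `json:"module"`
	Version  string `json:"version,omitempty"`
	Package  string `json:"package,omitempty"`
	Function string `json:"function,omitempty"`
}

// Summary lists OSV IDs in order of first appearance. Reachable holds IDs with
// at least one finding whose trace names a vulnerable function (a call stack
// from the scanned code); ImportOnly holds IDs reported only at module or
// package level, which the text output files under "Informational".
type Summary struct {
	Reachable  []string
	ImportOnly []string
}

// Summarize decodes a stream of concatenated JSON objects as emitted by
// govulncheck -json and classifies every finding. A truncated or malformed
// stream is an error, never a silent "no findings".
func Summarize(r io.Reader) (Summary, error) {
	dec := json.NewDecoder(r)
	var order []string
	reachable := map[string]bool{}
	for {
		var m message
		if err := dec.Decode(&m); err != nil {
			if errors.Is(err, io.EOF) {
				break
			}
			return Summary{}, fmt.Errorf("decoding govulncheck stream: %w", err)
		}
		f := m.Finding
		if f == nil {
			continue
		}
		if len(f.Trace) == 0 {
			return Summary{}, fmt.Errorf("finding %s has an empty trace", f.OSV)
		}
		if _, seen := reachable[f.OSV]; !seen {
			order = append(order, f.OSV)
			reachable[f.OSV] = false
		}
		// The first frame is the vulnerable entry point; it carries a function
		// name only when govulncheck found a call path into it.
		if f.Trace[0].Function != "" {
			reachable[f.OSV] = true
		}
	}
	var s Summary
	for _, id := range order {
		if reachable[id] {
			s.Reachable = append(s.Reachable, id)
		} else {
			s.ImportOnly = append(s.ImportOnly, id)
		}
	}
	return s, nil
}

// ExitCode mirrors the status the text mode returned in the report: 3 when the
// scanned code reaches a vulnerable symbol, 0 otherwise (assumed convention).
func ExitCode(s Summary) int {
	if len(s.Reachable) > 0 {
		return 3
	}
	return 0
}

// SampleStream is a constructed, abridged copy of the -json output in the
// report: one reachable finding (GO-2021-0113), one import-only (GO-2022-1059).
const SampleStream = `{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck","scan_level":"symbol"}}
{"progress":{"message":"Scanning your code and 48 packages across 1 dependent module for known vulnerabilities..."}}
{"osv":{"id":"GO-2021-0113","summary":"Out-of-bounds read in golang.org/x/text/language"}}
{"finding":{"osv":"GO-2021-0113","fixed_version":"v0.3.7","trace":[{"module":"golang.org/x/text","version":"v0.3.5","package":"golang.org/x/text/language","function":"Parse"},{"module":"vuln.tutorial","package":"vuln.tutorial","function":"main","position":{"line":12,"column":43}}]}}
{"osv":{"id":"GO-2022-1059","summary":"Denial of service via crafted Accept-Language header in golang.org/x/text/language"}}
{"finding":{"osv":"GO-2022-1059","fixed_version":"v0.3.8","trace":[{"module":"golang.org/x/text","version":"v0.3.5","package":"golang.org/x/text/language"}]}}
`

// Usage: govulncheck -json ./... | go run .
// With nothing piped on stdin the constructed sample is used instead.
func main() {
	var in io.Reader = strings.NewReader(SampleStream)
	if fi, err := os.Stdin.Stat(); err == nil && fi.Mode()&os.ModeCharDevice == 0 {
		in = os.Stdin
	}
	s, err := Summarize(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	fmt.Printf("reachable: %v\nimport-only: %v\n", s.Reachable, s.ImportOnly)
	os.Exit(ExitCode(s))
}
```

The classifier deliberately treats a decode error as a failure (exit 2) rather than as "nothing found": a truncated stream from a crashed or killed scanner must not pass the build. Filtering on the first frame's `function` rather than on the presence of an `osv` object is what keeps the behaviour in line with the text mode, where the informational GO-2022-1059 did not count toward "Your code is affected by 1 vulnerability".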


Labels: FrozenDueToAge; NeedsDecision (feedback is required from experts, contributors, and/or the community before a change can be made); vulncheck or vulndb (issues for the x/vuln or x/vulndb repo)
