
x/vuln/cmd/govulncheck: output a final result in json mode #62340

Closed
andy-github-info opened this issue Aug 29, 2023 · 8 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.

Comments

@andy-github-info

What version of Go are you using (go version)?

# govulncheck  --version
Go: go1.21.0
Scanner: govulncheck@v1.0.1
DB: https://vuln.go.dev
DB updated: 2023-08-23 14:38:50 +0000 UTC

What operating system and processor architecture are you using (go env)?

go env Output
# go env
GO111MODULE='on'
GOARCH='amd64'
GOBIN=''
GOCACHE='/root/.cache/go-build'
GOENV='/root/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/root/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/root/go'
GOPRIVATE=''
GOPROXY='https://goproxy.cn,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.0'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='0'
GOMOD='/root/tmp/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -fno-caret-diagnostics -Qunused-arguments -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build351832300=/tmp/go-build -gno-record-gcc-switches'

What did you do?

Ran the following command to check for vulnerabilities:
# govulncheck -json ./...

What did you expect to see?

{
  "config": {
    "protocol_version": "v1.0.0",
    "scanner_name": "govulncheck",
    "scanner_version": "v1.0.1",
    "db": "https://vuln.go.dev",
    "db_last_modified": "2023-08-23T14:38:50Z",
    "go_version": "go1.21.0",
    "scan_level": "symbol"
  }
}
{
  "progress": {
    "message": "Scanning your code and 48 packages across 1 dependent module for known vulnerabilities..."
  }
}
{
  "result": {
    "status": true
  }
}

What did you see instead?

{
  "config": {
    "protocol_version": "v1.0.0",
    "scanner_name": "govulncheck",
    "scanner_version": "v1.0.1",
    "db": "https://vuln.go.dev",
    "db_last_modified": "2023-08-23T14:38:50Z",
    "go_version": "go1.21.0",
    "scan_level": "symbol"
  }
}
{
  "progress": {
    "message": "Scanning your code and 48 packages across 1 dependent module for known vulnerabilities..."
  }
}

@andy-github-info andy-github-info added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Aug 29, 2023
@seankhliao seankhliao changed the title govulncheck uses json output and adds questions to CI. x/vuln/cmd/govulncheck: output a final result in json mode Aug 29, 2023
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Aug 29, 2023
@joedian joedian added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Aug 29, 2023
@zpavlinovic zpavlinovic self-assigned this Sep 20, 2023
@zpavlinovic
Contributor

What would be the easiest way for us to reproduce this?

@zpavlinovic
Contributor

It is also not clear what is being suggested here. The govulncheck command provides streaming json containing the result section. Could it just be that govulncheck did not find anything for your project?

@zpavlinovic zpavlinovic added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Sep 26, 2023
@andy-github-info
Author

Use the command 'govulncheck -json ./...' to reproduce.

@andy-github-info
Author

It is hoped that a key value in the json result of govulncheck can clearly indicate whether there is any vulnerability in the detection result. The current version does not have this key/value, so it cannot be integrated into CI for automation.

@zpavlinovic
Contributor

govulncheck supports streaming json where typically one will see a config section followed by a progress section, followed by findings. (More info also here). If there are no findings, that means nothing has been found. It is specifically designed for CI automation where the results are communicated as soon as they are computed (hence streaming).

Closing.

@andy-github-info
Author

Like the following? If the finding property is present, there is a vulnerability; otherwise, there is no vulnerability.

root@Ubuntu ~/tmp# govulncheck -json ./... |jq ".finding"
null
null
null
{
  "osv": "GO-2021-0113",
  "fixed_version": "v0.3.7",
  "trace": [
    {
      "module": "golang.org/x/text",
      "version": "v0.3.5",
      "package": "golang.org/x/text/language",
      "function": "Parse"
    },
    {
      "module": "tmp",
      "package": "tmp",
      "function": "main",
      "position": {
        "filename": "/root/tmp/g1.go",
        "offset": 189,
        "line": 12,
        "column": 43
      }
    }
  ]
}
null
{
  "osv": "GO-2022-1059",
  "fixed_version": "v0.3.8",
  "trace": [
    {
      "module": "golang.org/x/text",
      "version": "v0.3.5",
      "package": "golang.org/x/text/language"
    }
  ]
}

@zpavlinovic
Contributor

Yes, and you can have multiple findings.

Each finding will give you the information needed to interpret it. Above, you can see that you have a trace of multiple frames showing you the call stack. That means that the vulnerability was called and the function in the first frame is the vulnerable symbol.

If the trace has only one entry whose function is empty, that means that the vulnerability is only imported.

We plan to write up more detailed documentation about json output.
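
The CI gate the reporter is asking for can be built on top of the streaming output as the maintainer describes it. The following Go program is an added example written for this page; it is not code from the x/vuln project. It decodes a concatenated stream of JSON objects (config, progress, finding; any other message kind is skipped), and applies the rule stated above: a trace with several frames means the vulnerable symbol is reached, a single frame with an empty function means the module is only imported. The sample stream is constructed from the jq output in this issue and the struct field names mirror that output; the `Summary`, `Summarize` and `ShouldFail` names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// message is a minimal view of one object in the govulncheck -json stream.
// Each top-level object carries one of these keys; unknown keys are ignored
// by encoding/json, so other message kinds pass through harmlessly.
type message struct {
	Config   json.RawMessage `json:"config"`
	Progress json.RawMessage `json:"progress"`
	Finding  *finding        `json:"finding"`
}

// finding mirrors the fields visible in the issue's jq output.
type finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []frame `json:"trace"`
}

type frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Package  string `json:"package"`
	Function string `json:"function"`
}

// Summary is what a CI step needs: which findings reach code that is actually
// called, and which only show an imported vulnerable module.
type Summary struct {
	Called   []string // OSV ids whose trace is a call stack
	Imported []string // OSV ids whose trace is one frame with no function
}

// called applies the maintainer's rule: a trace of more than one frame is a
// call stack ending at the vulnerable symbol; a single frame with an empty
// function means the vulnerable package is only imported.
func (f *finding) called() bool {
	if len(f.Trace) == 0 {
		return false
	}
	if len(f.Trace) == 1 && f.Trace[0].Function == "" {
		return false
	}
	return true
}

// Summarize consumes the stream and classifies every finding. A stream that
// carries only config and progress messages yields an empty Summary, which is
// exactly the "nothing found" case the maintainer describes.
func Summarize(r io.Reader) (Summary, error) {
	var s Summary
	dec := json.NewDecoder(r)
	for {
		var m message
		err := dec.Decode(&m)
		if err == io.EOF {
			return s, nil
		}
		if err != nil {
			return s, err
		}
		if m.Finding == nil {
			continue // config, progress or another non-finding message
		}
		if m.Finding.called() {
			s.Called = append(s.Called, m.Finding.OSV)
		} else {
			s.Imported = append(s.Imported, m.Finding.OSV)
		}
	}
}

// ShouldFail is the CI decision: fail the build only when a vulnerable symbol
// is actually reached. Import-only findings are reported but do not fail it.
func ShouldFail(s Summary) bool { return len(s.Called) > 0 }

// SampleStream is a constructed stream modelled on the jq output in this
// issue (same shape and OSV ids); it is not the output of a real scan.
const SampleStream = `
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck","scanner_version":"v1.0.1","go_version":"go1.21.0","scan_level":"symbol"}}
{"progress":{"message":"Scanning your code and 48 packages across 1 dependent module for known vulnerabilities..."}}
{"finding":{"osv":"GO-2021-0113","fixed_version":"v0.3.7","trace":[{"module":"golang.org/x/text","version":"v0.3.5","package":"golang.org/x/text/language","function":"Parse"},{"module":"tmp","package":"tmp","function":"main","position":{"filename":"/root/tmp/g1.go","offset":189,"line":12,"column":43}}]}}
{"finding":{"osv":"GO-2022-1059","fixed_version":"v0.3.8","trace":[{"module":"golang.org/x/text","version":"v0.3.5","package":"golang.org/x/text/language"}]}}
`

func main() {
	// In CI this would read os.Stdin from `govulncheck -json ./...`.
	s, err := Summarize(strings.NewReader(SampleStream))
	if err != nil {
		fmt.Fprintln(os.Stderr, "decode:", err)
		os.Exit(2)
	}
	fmt.Println("called:  ", s.Called)
	fmt.Println("imported:", s.Imported)
	if ShouldFail(s) {
		os.Exit(1)
	}
}
```

Piping the real stream into this program (`govulncheck -json ./... | go run ./gate`) gives the single pass/fail signal the reporter wanted, without needing a closing result object: the end of the stream is the end of the scan.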

@andy-github-info
Author

ok, thanks

@golang golang locked and limited conversation to collaborators Oct 15, 2024