Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vuln: panic: interface conversion: types.Type is *types.Interface, not *types.Tuple #64112

Closed
porridge opened this issue Nov 14, 2023 · 15 comments · Fixed by siderolabs/image-factory#85
Assignees
Labels
vulncheck or vulndb Issues for the x/vuln or x/vulndb repo

Comments

@porridge
Copy link

porridge commented Nov 14, 2023

What version of Go are you using (go version)?

$ go version
go version go1.20.4 linux/amd64

Does this issue reproduce at the latest version of golang.org/x/vuln?

yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/mowsiany/.cache/go-build"
GOENV="/home/mowsiany/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/mowsiany/go/pkg/mod"
GONOPROXY="github.com/stackrox"
GONOSUMDB="github.com/stackrox"
GOOS="linux"
GOPATH="/home/mowsiany/go"
GOPRIVATE="github.com/stackrox"
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/nix/store/8v5zwymidmry0wd3lhj6zggskzsvqrfk-go-1.20.4/share/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/nix/store/8v5zwymidmry0wd3lhj6zggskzsvqrfk-go-1.20.4/share/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.20.4"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/home/mowsiany/go/src/github.com/stackrox/stackrox/go.mod"
GOWORK=""
CGO_CFLAGS="-O2 -g"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-O2 -g"
CGO_FFLAGS="-O2 -g"
CGO_LDFLAGS="-O2 -g"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/nix-shell.D6LFVs/nix-shell.HAxUOJ/go-build3258101912=/tmp/go-build -gno-record-gcc-switches"

What did you do?

git clone git@github.com:stackrox/stackrox.git
cd stackrox
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./operator/...

What did you expect to see?

Something useful :-)

What did you see instead?

Scanning your code and 1348 packages across 183 dependent modules for known vulnerabilities...

panic: interface conversion: types.Type is *types.Interface, not *types.Tuple

goroutine 19672 [running]:
golang.org/x/tools/go/callgraph/vta.addReturnFlows(0x831320?, 0x7fa3cd46f018?, {0x7fa3d6613fb0, 0xc0aeb85880})
	/home/mowsiany/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/callgraph/vta/graph.go:654 +0x20c
golang.org/x/tools/go/callgraph/vta.(*builder).rtrn(0xc1302bfc08, 0xc0e4418210)
	/home/mowsiany/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/callgraph/vta/graph.go:640 +0xbf
golang.org/x/tools/go/callgraph/vta.(*builder).instr(0xc1302bfaf0?, {0x9659d0?, 0xc0e4418210?})
	/home/mowsiany/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/callgraph/vta/graph.go:370 +0x378
golang.org/x/tools/go/callgraph/vta.(*builder).fun(...)
	/home/mowsiany/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/callgraph/vta/graph.go:300
golang.org/x/tools/go/callgraph/vta.(*builder).visit(0xc1302bfc08, 0xc126d7fba8?)
	/home/mowsiany/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/callgraph/vta/graph.go:292 +0x1bf
golang.org/x/tools/go/callgraph/vta.typePropGraph(...)
	/home/mowsiany/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/callgraph/vta/graph.go:266
golang.org/x/tools/go/callgraph/vta.CallGraph(0xc126d7fee0?, 0xc10333b280)
	/home/mowsiany/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/callgraph/vta/vta.go:75 +0xe5
golang.org/x/vuln/internal/vulncheck.callGraph({0x963c70, 0xc056d8a690}, 0xc03aa40b40, {0xc10333c000, 0xf6, 0xc000154380?})
	/home/mowsiany/go/pkg/mod/golang.org/x/vuln@v1.0.1/internal/vulncheck/utils.go:81 +0x23e
golang.org/x/vuln/internal/vulncheck.Source.func1()
	/home/mowsiany/go/pkg/mod/golang.org/x/vuln@v1.0.1/internal/vulncheck/source.go:65 +0xf5
created by golang.org/x/vuln/internal/vulncheck.Source
	/home/mowsiany/go/pkg/mod/golang.org/x/vuln@v1.0.1/internal/vulncheck/source.go:61 +0x31f
@porridge porridge added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Nov 14, 2023
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Nov 14, 2023
@zpavlinovic zpavlinovic self-assigned this Nov 14, 2023
@zpavlinovic
Copy link
Contributor

I was able to replicate the issue. Will look into this.

@smira
Copy link

smira commented Nov 24, 2023

same issue, different repository (I hope this is useful):

$ git clone git@github.com:siderolabs/image-factory.git
$ cd image-factory/
$ go install golang.org/x/vuln/cmd/govulncheck@latest
$ govulncheck ./...
Scanning your code and 1574 packages across 263 dependent modules for known vulnerabilities...

panic: interface conversion: types.Type is *types.Pointer, not *types.Tuple

goroutine 22071 [running]:
golang.org/x/tools/go/callgraph/vta.addReturnFlows(0x82eda0?, 0x7f42258e80f8?, {0x7f422f8ca460, 0xc071dec180})
	/home/smira/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/callgraph/vta/graph.go:654 +0x1fb
golang.org/x/tools/go/callgraph/vta.(*builder).rtrn(0xc0fbabbc08, 0xc0a3cc4d20)
	/home/smira/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/callgraph/vta/graph.go:640 +0xaf
golang.org/x/tools/go/callgraph/vta.(*builder).instr(0xc0fbabbaf0?, {0x971118?, 0xc0a3cc4d20?})
	/home/smira/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/callgraph/vta/graph.go:370 +0x36e
golang.org/x/tools/go/callgraph/vta.(*builder).fun(...)
	/home/smira/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/callgraph/vta/graph.go:300
golang.org/x/tools/go/callgraph/vta.(*builder).visit(0xc0fbabbc08, 0x50?)
	/home/smira/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/callgraph/vta/graph.go:292 +0x1ae
golang.org/x/tools/go/callgraph/vta.typePropGraph(...)
	/home/smira/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/callgraph/vta/graph.go:266
golang.org/x/tools/go/callgraph/vta.CallGraph(0xc0fbabbee0?, 0xc0e6075270)
	/home/smira/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/callgraph/vta/vta.go:75 +0xe5
golang.org/x/vuln/internal/vulncheck.callGraph({0x96fec0, 0xc04f0fbef0}, 0xc04de3f2c0, {0xc0e6076400, 0x4b, 0x776fa0?})
	/home/smira/go/pkg/mod/golang.org/x/vuln@v1.0.1/internal/vulncheck/utils.go:81 +0x23d
golang.org/x/vuln/internal/vulncheck.Source.func1()
	/home/smira/go/pkg/mod/golang.org/x/vuln@v1.0.1/internal/vulncheck/source.go:65 +0xef
created by golang.org/x/vuln/internal/vulncheck.Source in goroutine 6
	/home/smira/go/pkg/mod/golang.org/x/vuln@v1.0.1/internal/vulncheck/source.go:61 +0x2d9

both @main and @latest versions fail

go version
go version go1.21.4 linux/amd64

@zpavlinovic
Copy link
Contributor

Thank you for reporting this. The issue is in one of the dependencies. We are working to resolve it.

smira added a commit to smira/kres that referenced this issue Nov 30, 2023
See golang/go#64112

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
@petitout
Copy link

any ETA for a fix, we are hitting it in our private project ...

@zpavlinovic
Copy link
Contributor

We don't have an exact timeline, but it should be soon. We have CLs going through the review phase.

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/549377 mentions this issue: all: update tools to pick up bug fixes

@zpavlinovic
Copy link
Contributor

I've tested the change and the issue seems to be gone for the two repos mentioned here.

@smira
Copy link

smira commented Dec 14, 2023

Thank you, do you expect to cut a release with these fixes?

@zpavlinovic
Copy link
Contributor

We are planning for a new release soon, we'll try to bundle this with some other improvements we are making. I don't have a precise timeline though.

@petitout
Copy link

task: [govulncheck] go run golang.org/x/vuln/cmd/govulncheck@master ./...
go: downloading golang.org/x/vuln v1.0.2-0.20231214181003-58c180b66eda
go: downloading golang.org/x/mod v0.14.0
go: downloading golang.org/x/tools v0.16.2-0.20231213222424-dcabb5ce9720
Scanning your code and 368 packages across 414 dependent modules for known vulnerabilities...

panic: interface conversion: types.Type is *types.Interface, not *types.Tuple

@zpavlinovic
Copy link
Contributor

@petitout Could you share reproduction steps?

@porridge
Copy link
Author

porridge commented Dec 19, 2023

@zpavlinovic I get the same error as @petitout with my original repro steps above (with stackrox/stackrox @ 5c615a9e29ad23f5ab29a59e128b728b06073cee)

[mowsiany@mowsiany stackrox]$ govulncheck ./operator/...
Scanning your code and 1350 packages across 183 dependent modules for known vulnerabilities...

panic: interface conversion: types.Type is *types.Interface, not *types.Tuple

goroutine 19765 [running]:
golang.org/x/tools/go/callgraph/vta.addReturnFlows(0x831320?, 0x7f0d83825110?, {0x7f0d8ec3dd40, 0xc0c3888b00})
	/home/mowsiany/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/callgraph/vta/graph.go:654 +0x20c
golang.org/x/tools/go/callgraph/vta.(*builder).rtrn(0xc12797fc08, 0xc08c525530)
	/home/mowsiany/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/callgraph/vta/graph.go:640 +0xbf
golang.org/x/tools/go/callgraph/vta.(*builder).instr(0xc12797faf0?, {0x9659d0?, 0xc08c525530?})
	/home/mowsiany/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/callgraph/vta/graph.go:370 +0x378
golang.org/x/tools/go/callgraph/vta.(*builder).fun(...)
	/home/mowsiany/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/callgraph/vta/graph.go:300
golang.org/x/tools/go/callgraph/vta.(*builder).visit(0xc12797fc08, 0x50?)
	/home/mowsiany/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/callgraph/vta/graph.go:292 +0x1bf
golang.org/x/tools/go/callgraph/vta.typePropGraph(...)
	/home/mowsiany/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/callgraph/vta/graph.go:266
golang.org/x/tools/go/callgraph/vta.CallGraph(0xc12797fee0?, 0xc103769e30)
	/home/mowsiany/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/callgraph/vta/vta.go:75 +0xe5
golang.org/x/vuln/internal/vulncheck.callGraph({0x963c70, 0xc05b39e730}, 0xc0430ccd80, {0xc1036e3800, 0xf7, 0xc000628000?})
	/home/mowsiany/go/pkg/mod/golang.org/x/vuln@v1.0.1/internal/vulncheck/utils.go:81 +0x23e
golang.org/x/vuln/internal/vulncheck.Source.func1()
	/home/mowsiany/go/pkg/mod/golang.org/x/vuln@v1.0.1/internal/vulncheck/source.go:65 +0xf5
created by golang.org/x/vuln/internal/vulncheck.Source
	/home/mowsiany/go/pkg/mod/golang.org/x/vuln@v1.0.1/internal/vulncheck/source.go:61 +0x31f
[mowsiany@mowsiany stackrox]$ govulncheck --version
Go: go1.20.4
Scanner: govulncheck@v1.0.1
DB: https://vuln.go.dev
DB updated: 2023-12-18 21:18:26 +0000 UTC

No vulnerabilities found.

Share feedback at https://go.dev/s/govulncheck-feedback.
[mowsiany@mowsiany stackrox]$ 

@zpavlinovic zpavlinovic reopened this Dec 19, 2023
@zpavlinovic
Copy link
Contributor

zpavlinovic commented Dec 19, 2023

@porridge I cannot replicate the issue with govulncheck@master (we'll tag it soon).

@hitzhangjie
Copy link
Contributor

Yes, I tried master branch, master branch may have fixed it.

@zpavlinovic
Copy link
Contributor

Tag v1.0.2 should contain the fix.

smira added a commit to smira/image-service that referenced this issue Jan 25, 2024
Upstream issue was fixed: golang/go#64112 (comment)

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Projects
None yet
Development

Successfully merging a pull request may close this issue.

6 participants