Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vuln: invalid finding: if Frame.Function is set, Frame.Package must also be #66139

Closed
zachgersh opened this issue Mar 6, 2024 · 21 comments · Fixed by ObolNetwork/charon#3056
Closed

x/vuln: invalid finding: if Frame.Function is set, Frame.Package must also be #66139

zachgersh opened this issue Mar 6, 2024 · 21 comments · Fixed by ObolNetwork/charon#3056
Assignees
@zpavlinovic
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Milestone
vuln/unplanned

Comments

@zachgersh
Copy link

govulncheck version

This was on version 1.0.4 (I've since downgraded back to 1.0.1 which works fine).

Does this issue reproduce at the latest version of golang.org/x/vuln?

Haven't tried latest unforunately.

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='arm64'
GOBIN=''
GOCACHE='/Users/zachary/Library/Caches/go-build'
GOENV='/Users/zachary/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMODCACHE='/Users/zachary/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/zachary/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.22.1'
GCCGO='gccgo'
AR='ar'
CC='clang'
CXX='clang++'
CGO_ENABLED='1'
GOMOD='/Users/zachary/workspace/my-repo/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-argume

What did you do?

A simple govulncheck ./...

What did you see happen?

returned the above error in the title. The fun part is, switching to package instead of symbol actually showed me that there was a protobuf vuln I need to upgrade dependencies for. I will try to get a minimal reproduction together.

What did you expect to see?

A successful scan with the protobuf dependencies called out as needing an upgrade due to an active vuln.
@zachgersh zachgersh added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Mar 6, 2024
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Mar 6, 2024
@mknyszek mknyszek added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Mar 6, 2024
@mknyszek
Copy link
Contributor

mknyszek commented Mar 6, 2024

CC @golang/vulndb

@zpavlinovic zpavlinovic self-assigned this Mar 6, 2024
@zpavlinovic
Copy link
Contributor

Thanks for reporting this. Yes, reproduction steps would be really helpful here.

@zachgersh
Copy link
Author

@zpavlinovic - yeah, I am trying to figure it out. I am wondering if it has something to do with generated code. The vuln it was trying to point out was protojson.Unmarshal. I tried to make a sample project with just that imported (but no generated proto code) and it worked just fine on 1.0.4.

I'll try it again with actually generated protobuf types to see if something weird is happening there.

@oliverpool
Copy link

oliverpool commented Mar 8, 2024
edited
Loading

The same error message started to appear on Forgejo on outdated branches: https://codeberg.org/forgejo/forgejo/actions/runs/7853/jobs/0

go run golang.org/x/vuln/cmd/govulncheck@latest ./...
go: downloading golang.org/x/vuln v1.0.4
Scanning your code and 932 packages across 232 dependent modules for known vulnerabilities...

govulncheck: invalid finding: if Frame.Function is set, Frame.Package must also be
exit status 1

It is likely related to the protobuf vulnerability, since merging the default branch (which has updated the dependency) yields:

Scanning your code and 935 packages across 232 dependent modules for known vulnerabilities...

=== Informational ===

There is 1 vulnerability in modules that you require that is neither
imported nor called. You may not need to take any action.
See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.

Vulnerability #1: GO-2022-0470
    No access control in github.com/blevesearch/bleve and bleve/v2
  More info: https://pkg.go.dev/vuln/GO-2022-0470
  Module: github.com/blevesearch/bleve/v2
    Found in: github.com/blevesearch/bleve/v2@v2.3.10
    Fixed in: N/A

No vulnerabilities found.

Share feedback at https://go.dev/s/govulncheck-feedback.

So the cryptic initial error message does likely points to a vulnerability (however it does not help into solving it).

https://github.com/golang/vuln/blob/563994f0852c21fbdb2424841ebd8de389ff47ad/internal/scan/util.go#L34

@oliverpool
Copy link

oliverpool commented Mar 8, 2024
edited
Loading

Debugging vuln, I got the following offending frame, from OSV: "GO-2024-2611"
image

	*govulncheck.Frame{
                Module: "stdlib",
		Version:  "v1.22.1",
		Package:  "",
		Function: "NewUnaryHandler[code.gitea.io/actions-proto-go/ping/v1.PingRequest code.gitea.io/actions-proto-go/ping/v1.PingResponse]$2",
		Receiver: "",
		Position: *golang.org/x/vuln/internal/govulncheck.Position{Filename: ".cache/go/pkg/mod/connectrpc.com/connect@v1.15.0/handler.go",
			Offset: 2631,
			Line:   70,
			Column: 25,
		},
	}

Maybe the validateFindings function could return more information in case of error (OSV, Version, Package, Function), so that running a debugger would not be needed.

@xxgreg
Copy link

xxgreg commented Mar 8, 2024

Looks like this function returning an empty string for the package which leads to the error:

// pkgPath returns the path of the f's enclosing package, if any.
// Otherwise, returns "".
func pkgPath(f *ssa.Function) string {
	if f.Package() != nil && f.Package().Pkg != nil {
		return f.Package().Pkg.Path()
	}
	return ""
}

The docs on ssa.Function.Pkg are:

// enclosing package; nil for shared funcs (wrappers and error.Error)

It looks like the package name isn't available for "synthetic functions". I'm assuming thats what these odd function names with $ in them are.

The function which appears to be causing this in my case is in the connect rpc package.

func NewClient[Req, Res any](httpClient HTTPClient, url string, options ...ClientOption) *Client[Req, Res]

https://github.com/connectrpc/connect-go/blob/75d634f2c4ebf49b4e604565d20bd42578c71f1c/client.go#L42

Also - If I remove the failing empty package name check, I actually get reasonable output.

@zpavlinovic
Copy link
Contributor

zpavlinovic commented Mar 8, 2024
edited
Loading

Thanks for looking into this and providing the details. I think the bug is in how we are handling instantiations of generic functions. I will try to make a fix soon. I believe this should do the trick:

// pkgPath returns the path of the f's enclosing package, if any.
// Otherwise, returns "".
func pkgPath(f *ssa.Function) string {
        g := f
        if f.Origin() != nil {
           g = f.Origin()
        }

	if g.Package() != nil && g.Package().Pkg != nil {
		return g.Package().Pkg.Path()
	}
	return ""
}

@xxgreg
Copy link

xxgreg commented Mar 8, 2024
edited
Loading

@zpavlinovic No problem. Thanks for your hard work on this tool.

Edit: In case it's helpful, output included below after updating pkgPath with the code above, and running it on my codebase. Some Xs added to avoid sharing private paths/domains.

Vulnerability #1: GO-2024-2611
    Infinite loop in JSON unmarshaling in google.golang.org/protobuf
  More info: https://pkg.go.dev/vuln/GO-2024-2611
  Module: google.golang.org/protobuf
    Found in: google.golang.org/protobuf@v1.32.0
    Fixed in: google.golang.org/protobuf@v1.33.0
    Example traces found:
      #1: pkg/tables/meta.go:25:28: tables.DecodeMeta calls protojson.Unmarshal, which eventually calls json.Decoder.Peek
      #2: pkg/tables/meta.go:25:28: tables.DecodeMeta calls protojson.Unmarshal, which eventually calls json.Decoder.Read
      #3: pkg/tables/meta.go:25:28: tables.DecodeMeta calls protojson.Unmarshal
      #4: XXXXX/v1/workflowv1connect/workflow_service.connect.go:99:27: workflowv1connect.workflowServiceClient.Status calls connect.NewClient[XXXXX/workflow/v1.StatusRequest XXXXX/workflow/v1.StatusResponse], which eventually calls protojson.UnmarshalOptions.Unmarshal

This now includes the package name. i.e. connect.NewClient

I also think it may be worth considering changing the empty package name check to be a warning rather than a hard error. This means the vuln codebase will be more robust to future changes in x/tools/go/ssa.

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/570575 mentions this issue: internal/scan: add more info to validation errors

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/570616 mentions this issue: internal/vulncheck: get correctly package for instantiated functions

@zachgersh
Copy link
Author

@xxgreg - thanks for tracking this down since I had not had time to come back and repro. Also big thanks to @zpavlinovic for being responsive as well with a changeset already up. I am going to bump forward again once this is fixed in 1.0.5

gopherbot pushed a commit to golang/vuln that referenced this issue Mar 11, 2024
@zpavlinovic
internal/scan: add more info to validation errors
d04103f 
Updates golang/go#66139

Change-Id: I3a7eb8ea6a653802740f6ccb2b6449f929da6e67
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/570575
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
@AlekSi
Copy link
Contributor

AlekSi commented Mar 27, 2024

Do you plan to release 1.0.5 soon?

@zpavlinovic
Copy link
Contributor

Yes, but we don't have an exact timeline yet. There are a few more features we'd like to add before we make the release.

@joeljuca
Copy link

Hi – I'm having a similar error msg from a project I've recently jumped on:

$ govulncheck ./...
==> Running govulncheck
Scanning your code and 395 packages across 53 dependent modules for known vulnerabilities...

govulncheck: invalid finding: if Frame.Function is set, Frame.Package must also be
make: *** [lint] Error 1

I've updated google.golang.org/protobuf to v1.33.0 but got no luck so far:

$ go get -u google.golang.org/protobuf
go: upgraded google.golang.org/protobuf v1.30.0 => v1.33.0

I'm definitely not a Golang specialist, and it's not clear how to fix this issue. Should I update some other package? Or, is there something obvious I'm missing? Should I downgrade govulncheck to v1.0.4 till it's fixed?

@zpavlinovic
Copy link
Contributor

The latest tagged version of govulncheck is v1.0.4 and you should see the failure with this version. You should not see it with govulncheck@master.

@KaloyanTanev KaloyanTanev mentioned this issue Apr 4, 2024
Closed
pjanotti added a commit to signalfx/splunk-otel-collector that referenced this issue Apr 7, 2024
@pjanotti
x/vuln: invalid finding: if Frame.Function is set, Frame.Package must…
64ff916 
… also be set

Per golang/go#66139 (comment) this can be removed when v1.0.5 is released.
pjanotti added a commit to signalfx/splunk-otel-collector that referenced this issue Apr 8, 2024
@atoulme @pjanotti
add govulncheck to the build (#4595)
9d5a0dc 
* add govulncheck to the build

* Fix golang.org/x/net vulnerability

* x/vuln: invalid finding: if Frame.Function is set, Frame.Package must also be set

Per golang/go#66139 (comment) this can be removed when v1.0.5 is released.

* Ensure CI uses the env for all go-version setting

---------

Co-authored-by: Paulo Janotti <pjanotti@splunk.com>
@d8660091 d8660091 mentioned this issue Apr 9, 2024
Merged
@AlekSi
Copy link
Contributor

AlekSi commented Apr 10, 2024

There are a few more features we'd like to add before we make the release.

But why bundle features with a vital bug fix into a patch release and make everyone use an untagged version in the meantime?

@silverwind
Copy link

silverwind commented Apr 12, 2024
edited
Loading

Is it really recommended to run govulncheck@master? I have my doubts about its future stability.

magneticstain added a commit to magneticstain/ip-2-cloudresource that referenced this issue Apr 14, 2024
@magneticstain
Temporary fix for golang/go#66139
098aecf
magneticstain added a commit to magneticstain/ip-2-cloudresource that referenced this issue Apr 14, 2024
@magneticstain
Temporary fix for golang/go#66139
167f396
magneticstain added a commit to magneticstain/ip-2-cloudresource that referenced this issue Apr 14, 2024
@magneticstain
Add base unit tests for azure vms (#443)
3ea4642 
* Add base unit tests for azure vms

- More in-depth unit tests will need to come in the future when mocks are eventually added

* Fix vm unit test

* Temporary fix for golang/go#66139

* Temporary fix for golang/go#66139

* Update dependencies
@awly
Copy link
Contributor

awly commented Apr 16, 2024

@zpavlinovic any chance you could tag v1.0.5 with this fix, and then v1.1.0 with the new features in progress?
I'm not sure how much work it is to release a new version, but this would fix failures for a number of users without incurring tech debt of using govulncheck@master in CI pipelines.

@zpavlinovic
Copy link
Contributor

zpavlinovic commented Apr 16, 2024
edited
Loading

We tagged the new version of govulncheck with v1.1.0.

Is it really recommended to run govulncheck@master? I have my doubts about its future stability.

We never recommend that. The point was that the fix is in and should be available at a more stable tag soon.

But why bundle features with a vital bug fix into a patch release and make everyone use an untagged version in the meantime?

We were in the process of adding a larger set of features that required a slightly breaking change in JSON output. This issue got discovered and fixed in between. Ideally, we would bundle all this together to keep releases cleaner, but given that the issue seems to affect more people than initially projected, we are providing a new tag right now. See release notes for more info.

@joeljuca
Copy link

@zpavlinovic sorry, what do you mean with "See release notes for more info"? I'm looking for these notes but I can't find them. golang/go doesn't seem to use GitHub Releases.

@silverwind
Copy link

Here: https://github.com/golang/vuln/releases/tag/v1.1.0

magneticstain added a commit to magneticstain/ip-2-cloudresource that referenced this issue Apr 28, 2024
@magneticstain
Feature issue 362 add azure support (#447)
783a48e 
* Add azure vm support (#441)

* Add Azure as supported platform in app

* Update CLI flags to denote supported platforms

* Update flag modification logic to include azure and other non-aws services

* Add base Azure plugin package

* Add initial AZ VM plugin

* Add Azure VM Support

- Create new module for azure and virtual machine plugin

* Update build configs

* Upgrade dependencies

- Main upgrade was to patch google.golang.org/protobuf from `v1.32.0` to `v1.33.0` to fix `GO-2024-2611`

* Update dep checksums

* Add base unit tests for azure vms (#443)

* Add base unit tests for azure vms

- More in-depth unit tests will need to come in the future when mocks are eventually added

* Fix vm unit test

* Temporary fix for golang/go#66139

* Temporary fix for golang/go#66139

* Update dependencies

* Add support for Azure Load Balancer (#444)

* Move public IP fetching function to own struct

Allows usage of it by vms and (now) LBs. It's likely to be needed for CDNs as well.

* Add support for Azure Load Balancer

* Add unit tests for azure/public_ip

* Add unit tests for azure load balancer plugin

* Minor formatting fix

* Comment out unused function in load balancer unit tests

* Revert previous commit

* Comment out unused function in az public IP unit tests

* Issue 434 add azure cdn support (#445)

* Add CDN Plugin

* Fix CCR GA workflow

* Spin out AFD endpoint processing logic for Azure CDNs to own function

Makes `GetResources()` a little less complex and clunky

* Add unit tests for azure cdn plugin

* Update codacy coverage reporter workflow to match others

* Update `example.com` IPs in utils unit tests

* Add additional services to azure service search unit test
magneticstain added a commit to magneticstain/ip-2-cloudresource that referenced this issue Apr 28, 2024
@magneticstain
Release v2.1.0 (#448)
34c8de3 
* Deploy: Update env and app ver for new release

* Deploy: Fix app ver

* Feature issue 362 add azure support (#447)

* Add azure vm support (#441)

* Add Azure as supported platform in app

* Update CLI flags to denote supported platforms

* Update flag modification logic to include azure and other non-aws services

* Add base Azure plugin package

* Add initial AZ VM plugin

* Add Azure VM Support

- Create new module for azure and virtual machine plugin

* Update build configs

* Upgrade dependencies

- Main upgrade was to patch google.golang.org/protobuf from `v1.32.0` to `v1.33.0` to fix `GO-2024-2611`

* Update dep checksums

* Add base unit tests for azure vms (#443)

* Add base unit tests for azure vms

- More in-depth unit tests will need to come in the future when mocks are eventually added

* Fix vm unit test

* Temporary fix for golang/go#66139

* Temporary fix for golang/go#66139

* Update dependencies

* Add support for Azure Load Balancer (#444)

* Move public IP fetching function to own struct

Allows usage of it by vms and (now) LBs. It's likely to be needed for CDNs as well.

* Add support for Azure Load Balancer

* Add unit tests for azure/public_ip

* Add unit tests for azure load balancer plugin

* Minor formatting fix

* Comment out unused function in load balancer unit tests

* Revert previous commit

* Comment out unused function in az public IP unit tests

* Issue 434 add azure cdn support (#445)

* Add CDN Plugin

* Fix CCR GA workflow

* Spin out AFD endpoint processing logic for Azure CDNs to own function

Makes `GetResources()` a little less complex and clunky

* Add unit tests for azure cdn plugin

* Update codacy coverage reporter workflow to match others

* Update `example.com` IPs in utils unit tests

* Add additional services to azure service search unit test

* Deploy: update app env to `production`

* Deploy: update "Commits since..." version in README
gsora pushed a commit to ObolNetwork/charon that referenced this issue Apr 29, 2024
*: govulncheck v1.1.0, Go v1.22.2
762c799 
Fixes `govulncheck` to version v1.1.0 which fixes golang/go#66139.

This version also renames "stacks" to "traces" for the `-show` flag.

Update to Go v1.22.2 at the same time in order to fix security issues.
@gsora gsora mentioned this issue Apr 29, 2024
Merged
obol-bulldozer bot pushed a commit to ObolNetwork/charon that referenced this issue Apr 29, 2024
@gsora
*: govulncheck v1.1.0, Go v1.22.2 (#3056)
25171c4 
Fixes `govulncheck` to version v1.1.0 which fixes golang/go#66139.

This version also renames "stacks" to "traces" for the `-show` flag.

Update to Go v1.22.2 at the same time in order to fix security issues.

category: misc
ticket: none
magneticstain added a commit to magneticstain/ip-2-cloudresource that referenced this issue May 26, 2024
@magneticstain
Remove temp fix for govulncheck bug
d81a797 
Bug has been fixed in v1.1.0

References: golang/go#66139
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zpavlinovic zpavlinovic

Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Projects
None yet
Milestone
vuln/unplanned
Development

Successfully merging a pull request may close this issue.

*: govulncheck v1.1.0, Go v1.22.2 ObolNetwork/charon
10 participants
@xxgreg @AlekSi @silverwind @joeljuca @zachgersh @zpavlinovic @awly @mknyszek @oliverpool @gopherbot