Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vuln: package slices is not in GOROOT #68034

Closed
bcl opened this issue Jun 18, 2024 · 11 comments
Closed

x/vuln: package slices is not in GOROOT #68034

bcl opened this issue Jun 18, 2024 · 11 comments
Assignees
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo

Comments

@bcl
Copy link

bcl commented Jun 18, 2024

When using vuln with go v1.20.14 it fails to install because slices is not in the standard library. The vuln docs, and go.mod, claim to be compatible with go 1.18 and later.

https://github.com/osbuild/weldr-client/actions/runs/9542027269/job/26296139660?pr=139

Setup go version spec 1.20.x
Found in cache @ /opt/hostedtoolcache/go/1.20.14/x64
Added go to the path
Successfully set up Go version 1.20.x
/opt/hostedtoolcache/go/1.20.14/x64/bin/go env GOMODCACHE
/opt/hostedtoolcache/go/1.20.14/x64/bin/go env GOCACHE
/home/runner/go/pkg/mod
/home/runner/.cache/go-build
Cache is not found
go version go1.20.14 linux/amd64

Run go install golang.org/x/vuln/cmd/govulncheck@latest
  go install golang.org/x/vuln/cmd/govulncheck@latest
  shell: /usr/bin/bash -e {0}
go: downloading golang.org/x/vuln v1.1.2
go: downloading golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7
go: downloading golang.org/x/mod v0.18.0
go: downloading golang.org/x/tools v0.22.0
go: downloading golang.org/x/sync v0.7.0
Error: ../../../go/pkg/mod/golang.org/x/vuln@v1.1.2/internal/openvex/handler.go:12:2: package slices is not in GOROOT (/opt/hostedtoolcache/go/1.20.14/x64/src/slices)
Error: Process completed with exit code 1.
@gopherbot gopherbot added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Jun 18, 2024
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Jun 18, 2024
@gabyhelp
Copy link

Similar Issues

(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)

@mauri870
Copy link
Member

mauri870 commented Jun 18, 2024

The Go Release Policy states that each major Go release is supported until there are two newer major releases.

Since go 1.22 was released back in February it has been a couple months that Go 1.20 does not receive any kind of security update.

Plus you are installing the most recent commit of vuln (latest) which is unlikely to work anyway with Go 1.20.

My advice is that you should update to a supported release.

Edit: sorry for the ping @latest

@mauri870
Copy link
Member

The go.mod argument is valid, we should probably change it to go 1.21.

@mauri870 mauri870 added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jun 18, 2024
@mauri870
Copy link
Member

cc @golang/vulndb

@mauri870
Copy link
Member

Looking a bit more into it, the only place that imports slices was added 2 weeks ago in https://go-review.googlesource.com/c/vuln/+/575859.

I wonder if we should have used x/exp/slices instead.

@ianthehat
Copy link

We have been discussing as a team what our strategy should be for keeping the go.mod go lines up to date across all the x repositories, we should probably just manually update this one for now as that conversation progresses.
It would be ironic to expend effort to make a vulnerability tool compile with a vulnerable version of go, we definitely don't plan to support building with any version of go except the most recent security patch of actively supported versions!

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/593235 mentions this issue: all: require go1.21

@bcl
Copy link
Author

bcl commented Jun 18, 2024

Understood. I'm stuck on an older version until RHEL 9 tooling updates so that's why it's using v1.20

bcl added a commit to bcl/weldr-client that referenced this issue Jun 24, 2024
go vuln doesn't support 1.20 anymore. It isn't required for tests to
pass, so bump it to 1.21 even though we are still targeting 1.20,
hopefully any errors it finds will be helpful in the future.

See:
* golang/go#68034
* golang/vuln@f35edf8
bcl added a commit to bcl/weldr-client that referenced this issue Jun 24, 2024
go vuln doesn't support 1.20 anymore. It isn't required for tests to
pass, so bump it to 1.21 even though we are still targeting 1.20,
hopefully any errors it finds will be helpful in the future.

See:
* golang/go#68034
* golang/vuln@f35edf8
bcl added a commit to osbuild/weldr-client that referenced this issue Jun 24, 2024
go vuln doesn't support 1.20 anymore. It isn't required for tests to
pass, so bump it to 1.21 even though we are still targeting 1.20,
hopefully any errors it finds will be helpful in the future.

See:
* golang/go#68034
* golang/vuln@f35edf8
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/595935 mentions this issue: cmd/govulncheck: remove line about go version requirements

gopherbot pushed a commit to golang/vuln that referenced this issue Jul 1, 2024
Use the go directive in go.mod as the single source of truth
for the required Go version for installing golvulncheck.

Updates golang/go#68034
Fixes golang/go#68256

Change-Id: Ief445ffa40282feff6a97419b48dc6290071d971
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/595935
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Than McIntosh <thanm@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
@xswordsx
Copy link

xswordsx commented Jul 16, 2024

Understood. I'm stuck on an older version until RHEL 9 tooling updates so that's why it's using v1.20

Had the same issue. The two options are: install v1.1.1 of the tool or clone the repo and patch it so it doesn't use slices

[PATCH] Remove slices package
diff --git a/go.mod b/go.mod
index 1412cb1..dd7e820 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module golang.org/x/vuln

-go 1.21
+go 1.18

 require (
        github.com/google/go-cmdtest v0.4.1-0.20220921163831-55ab3332a786
diff --git a/internal/openvex/handler.go b/internal/openvex/handler.go
index b5e43aa..8553743 100644
--- a/internal/openvex/handler.go
+++ b/internal/openvex/handler.go
@@ -9,7 +9,7 @@ import (
        "encoding/json"
        "fmt"
        "io"
-       "slices"
+       "sort"
        "time"

        "golang.org/x/vuln/internal/govulncheck"
@@ -153,16 +153,8 @@ func statements(h *handler) []Statement {
                statements = append(statements, s)
        }

-       slices.SortFunc(statements, func(a, b Statement) int {
-               if a.Vulnerability.ID > b.Vulnerability.ID {
-                       return 1
-               }
-               if a.Vulnerability.ID < b.Vulnerability.ID {
-                       return -1
-               }
-               // this should never happen in practice, since statements are being
-               // populated from a map with the vulnerability IDs as keys
-               return 0
+       sort.Slice(statements, func(i, j int) bool {
+               return statements[i].Vulnerability.ID < statements[j].Vulnerability.ID
        })
        return statements
 }

@zpavlinovic
Copy link
Contributor

FWIW, newly released govulncheck v1.1.3 now requires go1.21 and newer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Projects
None yet
Development

No branches or pull requests

7 participants