internal/vulns: disable display of vulns for stdlib pages at master

The resolved version for stdlib pages at master is a v0-prefixed psuedoversion. The result is that all vulns for stdlib pages that begin at v0 are listed as affecting even though they may have been fixed in later versions of Go. This change removes vuln data for stdlib pages when requested version is master. Fixes golang/go#57327. Change-Id: Ie9df8cb25bc3126397a49af349d401d3a1e2e994 Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/460817 Run-TryBot: Jamal Carvalho <jamal@golang.org> Reviewed-by: Jonathan Amsterdam <jba@google.com> TryBot-Result: kokoro <noreply+kokoro@google.com>
golang · Jan 9, 2023 · 035bfc0 · 035bfc0
1 parent 90d4957
commit 035bfc0
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 5 deletions.
diff --git a/internal/vulns/vulns.go b/internal/vulns/vulns.go
@@ -14,6 +14,7 @@ import (
 	"golang.org/x/mod/semver"
 	"golang.org/x/pkgsite/internal/derrors"
 	"golang.org/x/pkgsite/internal/stdlib"
+	"golang.org/x/pkgsite/internal/version"
 	"golang.org/x/vuln/osv"
 )
 
@@ -48,12 +49,19 @@ func VulnsForPackage(ctx context.Context, modulePath, version, packagePath strin
 	return vs
 }
 
-func vulnsForPackage(ctx context.Context, modulePath, version, packagePath string, getVulnEntries VulnEntriesFunc) (_ []Vuln, err error) {
-	defer derrors.Wrap(&err, "vulns(%q, %q, %q)", modulePath, version, packagePath)
+func vulnsForPackage(ctx context.Context, modulePath, vers, packagePath string, getVulnEntries VulnEntriesFunc) (_ []Vuln, err error) {
+	defer derrors.Wrap(&err, "vulns(%q, %q, %q)", modulePath, vers, packagePath)
 
 	if getVulnEntries == nil {
 		return nil, nil
 	}
+	// Stdlib pages requested at master will map to a pseudo version that puts
+	// all vulns in range. We can't really tell you're at master so version.IsPseudo
+	// is the best we can do. The result is vulns won't be reported for a pseudoversion
+	// that refers to a commit that is in a vulnerable range.
+	if modulePath == stdlib.ModulePath && version.IsPseudo(vers) {
+		return nil, nil
+	}
 	if modulePath == stdlib.ModulePath && strings.HasPrefix(packagePath, "cmd/go") {
 		modulePath = vulnCmdGoModulePath
 	} else if modulePath == stdlib.ModulePath {
@@ -68,7 +76,7 @@ func vulnsForPackage(ctx context.Context, modulePath, version, packagePath strin
 	// package at this version.
 	var vulns []Vuln
 	for _, e := range entries {
-		if vuln, ok := entryVuln(e, modulePath, packagePath, version); ok {
+		if vuln, ok := entryVuln(e, modulePath, packagePath, vers); ok {
 			vulns = append(vulns, vuln)
 		}
 	}
@@ -107,10 +115,10 @@ func (e OSVEntry) AffectedModulesAndPackages() []string {
 	return affected
 }
 
-func entryVuln(e *osv.Entry, modulePath, packagePath, version string) (Vuln, bool) {
+func entryVuln(e *osv.Entry, modulePath, packagePath, ver string) (Vuln, bool) {
 	for _, a := range e.Affected {
 		// a.Package.Name is Go "module" name. Go package path is a.EcosystemSpecific.Imports.Path.
-		if a.Package.Name != modulePath || !a.Ranges.AffectsSemver(version) {
+		if a.Package.Name != modulePath || !a.Ranges.AffectsSemver(ver) {
 			continue
 		}
 		if packageMatches := func() bool {

diff --git a/internal/vulns/vulns_test.go b/internal/vulns/vulns_test.go
@@ -44,13 +44,30 @@ func TestVulnsForPackage(t *testing.T) {
 			},
 		}},
 	}
+	stdlib := osv.Entry{
+		ID: "GO-2",
+		Affected: []osv.Affected{{
+			Package: osv.Package{Name: "stdlib"},
+			Ranges: []osv.AffectsRange{{
+				Type:   osv.TypeSemver,
+				Events: []osv.RangeEvent{{Introduced: "0"}, {Fixed: "1.19.4"}},
+			}},
+			EcosystemSpecific: osv.EcosystemSpecific{
+				Imports: []osv.EcosystemSpecificImport{{
+					Path: "net/http",
+				}},
+			},
+		}},
+	}
 
 	get := func(_ context.Context, modulePath string) ([]*osv.Entry, error) {
 		switch modulePath {
 		case "good.com":
 			return nil, nil
 		case "bad.com", "unfixable.com":
 			return []*osv.Entry{&e}, nil
+		case "stdlib":
+			return []*osv.Entry{&stdlib}, nil
 		default:
 			return nil, fmt.Errorf("unknown module %q", modulePath)
 		}
@@ -89,6 +106,16 @@ func TestVulnsForPackage(t *testing.T) {
 		{
 			"unfixable.com", "", "v1.999.999", []Vuln{{ID: "GO-1"}},
 		},
+		// Vulns for stdlib
+		{
+			"std", "net/http", "go1.19.3", []Vuln{{ID: "GO-2"}},
+		},
+		{
+			"std", "net/http", "v0.0.0-20230104211531-bae7d772e800", nil,
+		},
+		{
+			"std", "net/http", "go1.20", nil,
+		},
 	}
 	for _, tc := range testCases {
 		got := VulnsForPackage(ctx, tc.mod, tc.version, tc.pkg, get)