Skip to content

Commit

Permalink
internal/vulns: disable display of vulns for stdlib pages at master
Browse files Browse the repository at this point in the history
The resolved version for stdlib pages at master is a
v0-prefixed psuedoversion. The result is that all vulns
for stdlib pages that begin at v0 are listed as affecting
even though they may have been fixed in later versions of Go.

This change removes vuln data for stdlib pages when requested
version is master.

Fixes golang/go#57327.

Change-Id: Ie9df8cb25bc3126397a49af349d401d3a1e2e994
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/460817
Run-TryBot: Jamal Carvalho <jamal@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
TryBot-Result: kokoro <noreply+kokoro@google.com>
  • Loading branch information
jamalc committed Jan 9, 2023
1 parent 90d4957 commit 035bfc0
Show file tree
Hide file tree
Showing 2 changed files with 40 additions and 5 deletions.
18 changes: 13 additions & 5 deletions internal/vulns/vulns.go
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ import (
"golang.org/x/mod/semver"
"golang.org/x/pkgsite/internal/derrors"
"golang.org/x/pkgsite/internal/stdlib"
"golang.org/x/pkgsite/internal/version"
"golang.org/x/vuln/osv"
)

Expand Down Expand Up @@ -48,12 +49,19 @@ func VulnsForPackage(ctx context.Context, modulePath, version, packagePath strin
return vs
}

func vulnsForPackage(ctx context.Context, modulePath, version, packagePath string, getVulnEntries VulnEntriesFunc) (_ []Vuln, err error) {
defer derrors.Wrap(&err, "vulns(%q, %q, %q)", modulePath, version, packagePath)
func vulnsForPackage(ctx context.Context, modulePath, vers, packagePath string, getVulnEntries VulnEntriesFunc) (_ []Vuln, err error) {
defer derrors.Wrap(&err, "vulns(%q, %q, %q)", modulePath, vers, packagePath)

if getVulnEntries == nil {
return nil, nil
}
// Stdlib pages requested at master will map to a pseudo version that puts
// all vulns in range. We can't really tell you're at master so version.IsPseudo
// is the best we can do. The result is vulns won't be reported for a pseudoversion
// that refers to a commit that is in a vulnerable range.
if modulePath == stdlib.ModulePath && version.IsPseudo(vers) {
return nil, nil
}
if modulePath == stdlib.ModulePath && strings.HasPrefix(packagePath, "cmd/go") {
modulePath = vulnCmdGoModulePath
} else if modulePath == stdlib.ModulePath {
Expand All @@ -68,7 +76,7 @@ func vulnsForPackage(ctx context.Context, modulePath, version, packagePath strin
// package at this version.
var vulns []Vuln
for _, e := range entries {
if vuln, ok := entryVuln(e, modulePath, packagePath, version); ok {
if vuln, ok := entryVuln(e, modulePath, packagePath, vers); ok {
vulns = append(vulns, vuln)
}
}
Expand Down Expand Up @@ -107,10 +115,10 @@ func (e OSVEntry) AffectedModulesAndPackages() []string {
return affected
}

func entryVuln(e *osv.Entry, modulePath, packagePath, version string) (Vuln, bool) {
func entryVuln(e *osv.Entry, modulePath, packagePath, ver string) (Vuln, bool) {
for _, a := range e.Affected {
// a.Package.Name is Go "module" name. Go package path is a.EcosystemSpecific.Imports.Path.
if a.Package.Name != modulePath || !a.Ranges.AffectsSemver(version) {
if a.Package.Name != modulePath || !a.Ranges.AffectsSemver(ver) {
continue
}
if packageMatches := func() bool {
Expand Down
27 changes: 27 additions & 0 deletions internal/vulns/vulns_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -44,13 +44,30 @@ func TestVulnsForPackage(t *testing.T) {
},
}},
}
stdlib := osv.Entry{
ID: "GO-2",
Affected: []osv.Affected{{
Package: osv.Package{Name: "stdlib"},
Ranges: []osv.AffectsRange{{
Type: osv.TypeSemver,
Events: []osv.RangeEvent{{Introduced: "0"}, {Fixed: "1.19.4"}},
}},
EcosystemSpecific: osv.EcosystemSpecific{
Imports: []osv.EcosystemSpecificImport{{
Path: "net/http",
}},
},
}},
}

get := func(_ context.Context, modulePath string) ([]*osv.Entry, error) {
switch modulePath {
case "good.com":
return nil, nil
case "bad.com", "unfixable.com":
return []*osv.Entry{&e}, nil
case "stdlib":
return []*osv.Entry{&stdlib}, nil
default:
return nil, fmt.Errorf("unknown module %q", modulePath)
}
Expand Down Expand Up @@ -89,6 +106,16 @@ func TestVulnsForPackage(t *testing.T) {
{
"unfixable.com", "", "v1.999.999", []Vuln{{ID: "GO-1"}},
},
// Vulns for stdlib
{
"std", "net/http", "go1.19.3", []Vuln{{ID: "GO-2"}},
},
{
"std", "net/http", "v0.0.0-20230104211531-bae7d772e800", nil,
},
{
"std", "net/http", "go1.20", nil,
},
}
for _, tc := range testCases {
got := VulnsForPackage(ctx, tc.mod, tc.version, tc.pkg, get)
Expand Down

0 comments on commit 035bfc0

Please sign in to comment.