-
Notifications
You must be signed in to change notification settings - Fork 57
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
cmd/govulncheck: add sarif test for binaries
Updates golang/go#61347 Change-Id: Iae039bb8dbe77cb984e425179bc39eaa2ddc3b8e Reviewed-on: https://go-review.googlesource.com/c/vuln/+/550736 Reviewed-by: Maceo Thompson <maceothompson@google.com> Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
- Loading branch information
1 parent
3c9f048
commit 6f169c6
Showing
1 changed file
with
211 additions
and
0 deletions.
There are no files selected for viewing
211 changes: 211 additions & 0 deletions
211
cmd/govulncheck/testdata/testfiles/binary-call/binary_sarif.ct
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,211 @@ | ||
| ##### | ||
| # Test basic binary scanning with sarif output | ||
| $ govulncheck -format sarif -mode binary ${vuln_binary} | ||
| { | ||
| "version": "2.1.0", | ||
| "$schema": "https://json.schemastore.org/sarif-2.1.0.json", | ||
| "runs": [ | ||
| { | ||
| "tool": { | ||
| "driver": { | ||
| "name": "govulncheck", | ||
| "semanticVersion": "v0.0.0", | ||
| "informationUri": "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck", | ||
| "properties": { | ||
| "protocol_version": "v1.0.0", | ||
| "scanner_name": "govulncheck", | ||
| "scanner_version": "v0.0.0-00000000000-20000101010101", | ||
| "db": "testdata/vulndb-v1", | ||
| "db_last_modified": "2023-04-03T15:57:51Z", | ||
| "scan_level": "symbol", | ||
| "scan_mode": "binary" | ||
| }, | ||
| "rules": [ | ||
| { | ||
| "id": "GO-2020-0015", | ||
| "shortDescription": { | ||
| "text": "[GO-2020-0015] Infinite loop when decoding some inputs in golang.org/x/text" | ||
| }, | ||
| "fullDescription": { | ||
| "text": "Infinite loop when decoding some inputs in golang.org/x/text" | ||
| }, | ||
| "help": { | ||
| "text": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector." | ||
| }, | ||
| "helpUri": "https://pkg.go.dev/vuln/GO-2020-0015", | ||
| "properties": { | ||
| "tags": [ | ||
| "CVE-2020-14040", | ||
| "GHSA-5rcv-m4m3-hfh7" | ||
| ] | ||
| } | ||
| }, | ||
| { | ||
| "id": "GO-2021-0054", | ||
| "shortDescription": { | ||
| "text": "[GO-2021-0054] Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector." | ||
| }, | ||
| "fullDescription": { | ||
| "text": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector." | ||
| }, | ||
| "help": { | ||
| "text": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector." | ||
| }, | ||
| "helpUri": "https://pkg.go.dev/vuln/GO-2021-0054", | ||
| "properties": { | ||
| "tags": [ | ||
| "CVE-2020-36067", | ||
| "GHSA-p64j-r5f4-pwwx" | ||
| ] | ||
| } | ||
| }, | ||
| { | ||
| "id": "GO-2021-0113", | ||
| "shortDescription": { | ||
| "text": "[GO-2021-0113] Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack." | ||
| }, | ||
| "fullDescription": { | ||
| "text": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack." | ||
| }, | ||
| "help": { | ||
| "text": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack." | ||
| }, | ||
| "helpUri": "https://pkg.go.dev/vuln/GO-2021-0113", | ||
| "properties": { | ||
| "tags": [ | ||
| "CVE-2021-38561", | ||
| "GHSA-ppp9-7jff-5vj2" | ||
| ] | ||
| } | ||
| }, | ||
| { | ||
| "id": "GO-2021-0265", | ||
| "shortDescription": { | ||
| "text": "[GO-2021-0265] A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time." | ||
| }, | ||
| "fullDescription": { | ||
| "text": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time." | ||
| }, | ||
| "help": { | ||
| "text": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time." | ||
| }, | ||
| "helpUri": "https://pkg.go.dev/vuln/GO-2021-0265", | ||
| "properties": { | ||
| "tags": [ | ||
| "CVE-2021-42248", | ||
| "CVE-2021-42836", | ||
| "GHSA-c9gm-7rfj-8w5h", | ||
| "GHSA-ppj4-34rq-v8j9" | ||
| ] | ||
| } | ||
| } | ||
| ] | ||
| } | ||
| }, | ||
| "results": [ | ||
| { | ||
| "ruleId": "GO-2020-0015", | ||
| "level": "note", | ||
| "message": { | ||
| "text": "Your code depends on 1 vulnerable module (golang.org/x/text), but doesn't appear to call any of the vulnerable symbols." | ||
| } | ||
| }, | ||
| { | ||
| "ruleId": "GO-2021-0054", | ||
| "level": "error", | ||
| "message": { | ||
| "text": "Your code calls vulnerable functions in 1 package (github.com/tidwall/gjson)." | ||
| }, | ||
| "stacks": [ | ||
| { | ||
| "message": { | ||
| "text": "A call stack for vulnerable function github.com/tidwall/gjson.Result.ForEach" | ||
| }, | ||
| "frames": [ | ||
| { | ||
| "module": "github.com/tidwall/gjson", | ||
| "location": { | ||
| "physicalLocation": { | ||
| "artifactLocation": {}, | ||
| "region": {} | ||
| }, | ||
| "message": {} | ||
| } | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "ruleId": "GO-2021-0113", | ||
| "level": "error", | ||
| "message": { | ||
| "text": "Your code calls vulnerable functions in 1 package (golang.org/x/text/language)." | ||
| }, | ||
| "stacks": [ | ||
| { | ||
| "message": { | ||
| "text": "A call stack for vulnerable function golang.org/x/text/language.Parse" | ||
| }, | ||
| "frames": [ | ||
| { | ||
| "module": "golang.org/x/text", | ||
| "location": { | ||
| "physicalLocation": { | ||
| "artifactLocation": {}, | ||
| "region": {} | ||
| }, | ||
| "message": {} | ||
| } | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "ruleId": "GO-2021-0265", | ||
| "level": "error", | ||
| "message": { | ||
| "text": "Your code calls vulnerable functions in 1 package (github.com/tidwall/gjson)." | ||
| }, | ||
| "stacks": [ | ||
| { | ||
| "message": { | ||
| "text": "A call stack for vulnerable function github.com/tidwall/gjson.Get" | ||
| }, | ||
| "frames": [ | ||
| { | ||
| "module": "github.com/tidwall/gjson", | ||
| "location": { | ||
| "physicalLocation": { | ||
| "artifactLocation": {}, | ||
| "region": {} | ||
| }, | ||
| "message": {} | ||
| } | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "message": { | ||
| "text": "A call stack for vulnerable function github.com/tidwall/gjson.Result.Get" | ||
| }, | ||
| "frames": [ | ||
| { | ||
| "module": "github.com/tidwall/gjson", | ||
| "location": { | ||
| "physicalLocation": { | ||
| "artifactLocation": {}, | ||
| "region": {} | ||
| }, | ||
| "message": {} | ||
| } | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } |