From 521f59c525eb41cf2603164c1595224c79ecbceb Mon Sep 17 00:00:00 2001 From: Gareth Jones Date: Wed, 22 Nov 2023 11:47:37 +1300 Subject: [PATCH] ci: run tests on Windows (#646) Unsurprisingly this has required a bunch of tests to be updated to handle slightly different variations in file path handling - this eventually resulted in me implementing an actual internal snapshot testing package but I've not included that in here since its sizable on its own; so please keep that in mind when reviewing . (see https://github.com/G-Rath/osv-scanner/commit/1273da79e2e26a18d663da482dc5f09258e15c51 for a sneakpeek on what the snapshot-based testing looks like) ~Note that is failing because file -> url path translation is actually busted; I've opened #645 to fix this and you can see the passing CI when both of these changes are merged in #553~ Resolves #603 Resolves #553 --- .github/workflows/checks.yml | 2 +- .github/workflows/goreleaser.yml | 2 +- cmd/osv-scanner/main_test.go | 38 +- .../fixtures/sarif-commit-output_windows.md | 52 ++ .../output/fixtures/sarif-output_windows.md | 130 +++++ .../test-vuln-results-a-grouped_windows.json | 495 ++++++++++++++++++ .../output/fixtures/test-vuln-results-a.json | 2 +- .../fixtures/test-vuln-results-a_windows.json | 292 +++++++++++ .../test-vuln-results-a_windows.sarif | 124 +++++ .../snapshots/govulncheckshim_test.json | 2 +- internal/sourceanalysis/integration_test.go | 1 + internal/sourceanalysis/rust_test.go | 2 +- internal/testutility/utility.go | 89 +++- 13 files changed, 1195 insertions(+), 36 deletions(-) create mode 100644 internal/output/fixtures/sarif-commit-output_windows.md create mode 100644 internal/output/fixtures/sarif-output_windows.md create mode 100644 internal/output/fixtures/test-vuln-results-a-grouped_windows.json create mode 100644 internal/output/fixtures/test-vuln-results-a_windows.json create mode 100644 internal/output/fixtures/test-vuln-results-a_windows.sarif diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 9b0a8d126d..488587b4af 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -47,7 +47,7 @@ jobs: strategy: fail-fast: false matrix: - os: [ubuntu-latest, macos-latest] + os: [ubuntu-latest, macos-latest, windows-latest] runs-on: ${{ matrix.os }} steps: - name: Check out code diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml index 78a2a82efc..720c70b2f5 100644 --- a/.github/workflows/goreleaser.yml +++ b/.github/workflows/goreleaser.yml @@ -48,7 +48,7 @@ jobs: strategy: fail-fast: false matrix: - os: [ubuntu-latest, macos-latest] + os: [ubuntu-latest, macos-latest, windows-latest] runs-on: ${{ matrix.os }} steps: - name: Check out code diff --git a/cmd/osv-scanner/main_test.go b/cmd/osv-scanner/main_test.go index 20efc57160..d105487e34 100644 --- a/cmd/osv-scanner/main_test.go +++ b/cmd/osv-scanner/main_test.go @@ -12,6 +12,7 @@ import ( "github.com/go-git/go-git/v5" "github.com/google/go-cmp/cmp" + "github.com/google/osv-scanner/internal/testutility" "github.com/google/osv-scanner/internal/version" ) @@ -105,6 +106,16 @@ func expectAreEqual(t *testing.T, subject, actual, expect string) { } } +// Attempts to normalize any file paths in the given `output` so that they can +// be compared reliably regardless of the file path separator being used. +// +// Namely, escaped forward slashes are replaced with backslashes. +func normalizeFilePaths(t *testing.T, output string) string { + t.Helper() + + return strings.ReplaceAll(strings.ReplaceAll(output, "\\\\", "/"), "\\", "/") +} + // normalizeRootDirectory attempts to replace references to the current working // directory with "", in order to reduce the noise of the cmp diff func normalizeRootDirectory(t *testing.T, str string) string { @@ -115,6 +126,11 @@ func normalizeRootDirectory(t *testing.T, str string) string { t.Errorf("could not get cwd (%v) - results and diff might be inaccurate!", err) } + cwd = normalizeFilePaths(t, cwd) + + // file uris with Windows end up with three slashes, so we normalize that too + str = strings.ReplaceAll(str, "file:///"+cwd, "file://") + return strings.ReplaceAll(str, cwd, "") } @@ -127,11 +143,11 @@ func testCli(t *testing.T, tc cliTestCase) { ec := run(tc.args, stdoutBuffer, stderrBuffer) // ec := run(tc.args, os.Stdout, os.Stderr) - stdout := stdoutBuffer.String() - stderr := stderrBuffer.String() + stdout := normalizeRootDirectory(t, normalizeFilePaths(t, stdoutBuffer.String())) + stderr := normalizeRootDirectory(t, normalizeFilePaths(t, stderrBuffer.String())) - stdout = normalizeRootDirectory(t, stdout) - stderr = normalizeRootDirectory(t, stderr) + tc.wantStdout = normalizeFilePaths(t, tc.wantStdout) + tc.wantStderr = normalizeFilePaths(t, tc.wantStderr) if ec != tc.wantExitCode { t.Errorf("cli exited with code %d, not %d", ec, tc.wantExitCode) @@ -572,9 +588,10 @@ func TestRun_LockfileWithExplicitParseAs(t *testing.T) { }, wantExitCode: 127, wantStdout: "", - wantStderr: ` - open /path/to/my:file: no such file or directory - `, + wantStderr: testutility.ValueIfOnWindows( + "open /path/to/my:file: The system cannot find the path specified.", + "open /path/to/my:file: no such file or directory", + ), }, { name: "", @@ -585,9 +602,10 @@ func TestRun_LockfileWithExplicitParseAs(t *testing.T) { }, wantExitCode: 127, wantStdout: "", - wantStderr: ` - open /path/to/my:project/package-lock.json: no such file or directory - `, + wantStderr: testutility.ValueIfOnWindows( + "open /path/to/my:project/package-lock.json: The filename, directory name, or volume label syntax is incorrect.", + "open /path/to/my:project/package-lock.json: no such file or directory", + ), }, // one lockfile with local path { diff --git a/internal/output/fixtures/sarif-commit-output_windows.md b/internal/output/fixtures/sarif-commit-output_windows.md new file mode 100644 index 0000000000..42f5da81e1 --- /dev/null +++ b/internal/output/fixtures/sarif-commit-output_windows.md @@ -0,0 +1,52 @@ +**Your dependency is vulnerable to [OSV-2023-72](https://osv.dev/list?q=OSV-2023-72)**. + +## [OSV-2023-72](https://osv.dev/vulnerability/OSV-2023-72) + +
+Details + +> OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56057 +> +> ``` +> Crash type: Heap-buffer-overflow WRITE 4 +> Crash state: +> perfetto::trace_processor::TrackEventParser::ParseTrackDescriptor +> perfetto::trace_processor::TrackEventModule::ParseTracePacketData +> perfetto::trace_processor::ProtoTraceParser::ParseTracePacket +> ``` +> + +
+ +--- + +### Affected Packages + +| Source | Package Name | Package Version | +| --- | --- | --- | +| lockfile:/usr/local/google/home/rexpan/Documents/Project/engine/deps_flatten.txt | https://fuchsia.googlesource.com/third_party/android.googlesource.com/platform/external/perfetto | b8da07095979310818f0efde2ef3c69ea70d62c5 | + +## Remediation + +To fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below. + +### Fixed Versions + +| Vulnerability ID | Package Name | Fixed Version | +| --- | --- | --- | +| OSV-2023-72 | perfetto | 9a7f09383dd39f19e662d428321ca708a2a600a3 | + +If you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an +`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency. + +See the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/ + +Add or append these values to the following config files to ignore this vulnerability: + +`\usr\local\google\home\rexpan\Documents\Project\engine/osv-scanner.toml` + +``` +[[IgnoredVulns]] +id = "OSV-2023-72" +reason = "Your reason for ignoring this vulnerability" +``` diff --git a/internal/output/fixtures/sarif-output_windows.md b/internal/output/fixtures/sarif-output_windows.md new file mode 100644 index 0000000000..858a777f23 --- /dev/null +++ b/internal/output/fixtures/sarif-output_windows.md @@ -0,0 +1,130 @@ +**Your dependency is vulnerable to [CVE-2022-24713](https://osv.dev/list?q=CVE-2022-24713)** +(Also published as: [RUSTSEC-2022-0013](https://osv.dev/vulnerability/RUSTSEC-2022-0013), [GHSA-m5pq-gvj9-9vr8](https://osv.dev/vulnerability/GHSA-m5pq-gvj9-9vr8), ). + +## [RUSTSEC-2022-0013](https://osv.dev/vulnerability/RUSTSEC-2022-0013) + +
+Details + +> The Rust Security Response WG was notified that the `regex` crate did not +> properly limit the complexity of the regular expressions (regex) it parses. An +> attacker could use this security issue to perform a denial of service, by +> sending a specially crafted regex to a service accepting untrusted regexes. No +> known vulnerability is present when parsing untrusted input with trusted +> regexes. +> +> This issue has been assigned CVE-2022-24713. The severity of this vulnerability +> is "high" when the `regex` crate is used to parse untrusted regexes. Other uses +> of the `regex` crate are not affected by this vulnerability. +> +> ## Overview +> +> The `regex` crate features built-in mitigations to prevent denial of service +> attacks caused by untrusted regexes, or untrusted input matched by trusted +> regexes. Those (tunable) mitigations already provide sane defaults to prevent +> attacks. This guarantee is documented and it's considered part of the crate's +> API. +> +> Unfortunately a bug was discovered in the mitigations designed to prevent +> untrusted regexes to take an arbitrary amount of time during parsing, and it's +> possible to craft regexes that bypass such mitigations. This makes it possible +> to perform denial of service attacks by sending specially crafted regexes to +> services accepting user-controlled, untrusted regexes. +> +> ## Affected versions +> +> All versions of the `regex` crate before or equal to 1.5.4 are affected by this +> issue. The fix is include starting from `regex` 1.5.5. +> +> ## Mitigations +> +> We recommend everyone accepting user-controlled regexes to upgrade immediately +> to the latest version of the `regex` crate. +> +> Unfortunately there is no fixed set of problematic regexes, as there are +> practically infinite regexes that could be crafted to exploit this +> vulnerability. Because of this, we do not recommend denying known problematic +> regexes. +> +> ## Acknowledgements +> +> We want to thank Addison Crump for responsibly disclosing this to us according +> to the [Rust security policy][1], and for helping review the fix. +> +> We also want to thank Andrew Gallant for developing the fix, and Pietro Albini +> for coordinating the disclosure and writing this advisory. +> +> [1]: https://www.rust-lang.org/policies/security + +
+ +## [GHSA-m5pq-gvj9-9vr8](https://osv.dev/vulnerability/GHSA-m5pq-gvj9-9vr8) + +
+Details + +> > This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well. +> +> [advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw +> +> The Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes. +> +> This issue has been assigned CVE-2022-24713. The severity of this vulnerability is "high" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability. +> +> ## Overview +> +> The `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. +> +> Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. +> +> ## Affected versions +> +> All versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5. +> +> ## Mitigations +> +> We recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate. +> +> Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes. +> +> ## Acknowledgements +> +> We want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix. +> +> We also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory. + +
+ +--- + +### Affected Packages + +| Source | Package Name | Package Version | +| --- | --- | --- | +| lockfile:/path/to/sub-rust-project/Cargo.lock | regex | 1.5.1 | + +## Remediation + +To fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below. + +### Fixed Versions + +| Vulnerability ID | Package Name | Fixed Version | +| --- | --- | --- | +| GHSA-m5pq-gvj9-9vr8 | regex | 1.5.5 | +| RUSTSEC-2022-0013 | regex | 1.5.5 | + +If you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an +`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency. + +See the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/ + +Add or append these values to the following config files to ignore this vulnerability: + +`\path\to\sub-rust-project/osv-scanner.toml` + +``` +[[IgnoredVulns]] +id = "CVE-2022-24713" +reason = "Your reason for ignoring this vulnerability" +``` diff --git a/internal/output/fixtures/test-vuln-results-a-grouped_windows.json b/internal/output/fixtures/test-vuln-results-a-grouped_windows.json new file mode 100644 index 0000000000..44b9fbecba --- /dev/null +++ b/internal/output/fixtures/test-vuln-results-a-grouped_windows.json @@ -0,0 +1,495 @@ +{ + "GHSA-m5pq-gvj9-9vr8": { + "DisplayID": "CVE-2022-24713", + "PkgSource": [ + { + "Package": { + "name": "regex", + "version": "1.5.1", + "ecosystem": "crates.io", + "commit": "" + }, + "Source": { + "path": "D:\\path\\to\\sub-rust-project\\Cargo.lock", + "type": "lockfile" + } + } + ], + "AliasedVulns": { + "GHSA-m5pq-gvj9-9vr8": { + "modified": "2022-08-11T20:38:52Z", + "published": "2022-03-08T20:00:36Z", + "schema_version": "1.4.0", + "id": "GHSA-m5pq-gvj9-9vr8", + "aliases": [ + "CVE-2022-24713" + ], + "summary": "Rust's regex crate vulnerable to regular expression denial of service", + "details": "\u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\n\n[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\n\nThe Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability is \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "regex", + "purl": "pkg:cargo/regex" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.5.5" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-m5pq-gvj9-9vr8/GHSA-m5pq-gvj9-9vr8.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24713" + }, + { + "type": "WEB", + "url": "https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e" + }, + { + "type": "PACKAGE", + "url": "https://github.com/rust-lang/regex/" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" + }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html" + }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202208-08" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202208-14" + }, + { + "type": "WEB", + "url": "https://www.debian.org/security/2022/dsa-5113" + }, + { + "type": "WEB", + "url": "https://www.debian.org/security/2022/dsa-5118" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2022-03-08T20:00:36Z", + "nvd_published_at": "2022-03-08T19:15:00Z", + "severity": "HIGH" + } + }, + "RUSTSEC-2022-0013": { + "modified": "2023-06-13T13:10:24Z", + "published": "2022-03-08T12:00:00Z", + "schema_version": "1.4.0", + "id": "RUSTSEC-2022-0013", + "aliases": [ + "CVE-2022-24713", + "GHSA-m5pq-gvj9-9vr8" + ], + "summary": "Regexes with large repetitions on empty sub-expressions take a very long time to parse", + "details": "The Rust Security Response WG was notified that the `regex` crate did not\nproperly limit the complexity of the regular expressions (regex) it parses. An\nattacker could use this security issue to perform a denial of service, by\nsending a specially crafted regex to a service accepting untrusted regexes. No\nknown vulnerability is present when parsing untrusted input with trusted\nregexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\nis \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses\nof the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service\nattacks caused by untrusted regexes, or untrusted input matched by trusted\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\nattacks. This guarantee is documented and it's considered part of the crate's\nAPI.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\npossible to craft regexes that bypass such mitigations. This makes it possible\nto perform denial of service attacks by sending specially crafted regexes to\nservices accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\nissue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\nto the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are\npractically infinite regexes that could be crafted to exploit this\nvulnerability. Because of this, we do not recommend denying known problematic\nregexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according\nto the [Rust security policy][1], and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\nfor coordinating the disclosure and writing this advisory.\n\n[1]: https://www.rust-lang.org/policies/security", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "regex", + "purl": "pkg:cargo/regex" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-0" + }, + { + "fixed": "1.5.5" + } + ] + } + ], + "database_specific": { + "categories": [ + "denial-of-service" + ], + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "informational": null, + "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0013.json" + }, + "ecosystem_specific": { + "affects": { + "arch": [], + "functions": [], + "os": [] + } + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "references": [ + { + "type": "PACKAGE", + "url": "https://crates.io/crates/regex" + }, + { + "type": "ADVISORY", + "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" + } + ] + } + }, + "AliasedIDList": [ + "CVE-2022-24713", + "RUSTSEC-2022-0013", + "GHSA-m5pq-gvj9-9vr8" + ] + }, + "GO-2021-0053": { + "DisplayID": "CVE-2021-3121", + "PkgSource": [ + { + "Package": { + "name": "github.com/gogo/protobuf", + "version": "1.3.1", + "ecosystem": "Go", + "commit": "" + }, + "Source": { + "path": "D:\\path\\to\\go.mod", + "type": "lockfile" + } + } + ], + "AliasedVulns": { + "GO-2021-0053": { + "modified": "2023-06-12T18:45:41Z", + "published": "2021-04-14T20:04:52Z", + "schema_version": "1.4.0", + "id": "GO-2021-0053", + "aliases": [ + "CVE-2021-3121", + "GHSA-c3h9-896r-86jm" + ], + "summary": "Panic due to improper input validation in github.com/gogo/protobuf", + "details": "Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.", + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/gogo/protobuf", + "purl": "pkg:golang/github.com/gogo/protobuf" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.2" + } + ] + } + ], + "database_specific": { + "source": "https://vuln.go.dev/ID/GO-2021-0053.json" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/gogo/protobuf/plugin/unmarshal", + "symbols": [ + "unmarshal.Generate", + "unmarshal.field" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0053" + } + } + }, + "AliasedIDList": [ + "CVE-2021-3121", + "GO-2021-0053", + "GHSA-c3h9-896r-86jm" + ] + }, + "RUSTSEC-2022-0013": { + "DisplayID": "CVE-2022-24713", + "PkgSource": [ + { + "Package": { + "name": "regex", + "version": "1.5.1", + "ecosystem": "crates.io", + "commit": "" + }, + "Source": { + "path": "D:\\path\\to\\sub-rust-project\\Cargo.lock", + "type": "lockfile" + } + } + ], + "AliasedVulns": { + "GHSA-m5pq-gvj9-9vr8": { + "modified": "2022-08-11T20:38:52Z", + "published": "2022-03-08T20:00:36Z", + "schema_version": "1.4.0", + "id": "GHSA-m5pq-gvj9-9vr8", + "aliases": [ + "CVE-2022-24713" + ], + "summary": "Rust's regex crate vulnerable to regular expression denial of service", + "details": "\u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\n\n[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\n\nThe Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability is \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "regex", + "purl": "pkg:cargo/regex" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.5.5" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-m5pq-gvj9-9vr8/GHSA-m5pq-gvj9-9vr8.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24713" + }, + { + "type": "WEB", + "url": "https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e" + }, + { + "type": "PACKAGE", + "url": "https://github.com/rust-lang/regex/" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" + }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html" + }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202208-08" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202208-14" + }, + { + "type": "WEB", + "url": "https://www.debian.org/security/2022/dsa-5113" + }, + { + "type": "WEB", + "url": "https://www.debian.org/security/2022/dsa-5118" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2022-03-08T20:00:36Z", + "nvd_published_at": "2022-03-08T19:15:00Z", + "severity": "HIGH" + } + }, + "RUSTSEC-2022-0013": { + "modified": "2023-06-13T13:10:24Z", + "published": "2022-03-08T12:00:00Z", + "schema_version": "1.4.0", + "id": "RUSTSEC-2022-0013", + "aliases": [ + "CVE-2022-24713", + "GHSA-m5pq-gvj9-9vr8" + ], + "summary": "Regexes with large repetitions on empty sub-expressions take a very long time to parse", + "details": "The Rust Security Response WG was notified that the `regex` crate did not\nproperly limit the complexity of the regular expressions (regex) it parses. An\nattacker could use this security issue to perform a denial of service, by\nsending a specially crafted regex to a service accepting untrusted regexes. No\nknown vulnerability is present when parsing untrusted input with trusted\nregexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\nis \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses\nof the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service\nattacks caused by untrusted regexes, or untrusted input matched by trusted\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\nattacks. This guarantee is documented and it's considered part of the crate's\nAPI.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\npossible to craft regexes that bypass such mitigations. This makes it possible\nto perform denial of service attacks by sending specially crafted regexes to\nservices accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\nissue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\nto the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are\npractically infinite regexes that could be crafted to exploit this\nvulnerability. Because of this, we do not recommend denying known problematic\nregexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according\nto the [Rust security policy][1], and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\nfor coordinating the disclosure and writing this advisory.\n\n[1]: https://www.rust-lang.org/policies/security", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "regex", + "purl": "pkg:cargo/regex" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-0" + }, + { + "fixed": "1.5.5" + } + ] + } + ], + "database_specific": { + "categories": [ + "denial-of-service" + ], + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "informational": null, + "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0013.json" + }, + "ecosystem_specific": { + "affects": { + "arch": [], + "functions": [], + "os": [] + } + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "references": [ + { + "type": "PACKAGE", + "url": "https://crates.io/crates/regex" + }, + { + "type": "ADVISORY", + "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" + } + ] + } + }, + "AliasedIDList": [ + "CVE-2022-24713", + "RUSTSEC-2022-0013", + "GHSA-m5pq-gvj9-9vr8" + ] + } +} diff --git a/internal/output/fixtures/test-vuln-results-a.json b/internal/output/fixtures/test-vuln-results-a.json index 0749a28b69..605ee93f59 100644 --- a/internal/output/fixtures/test-vuln-results-a.json +++ b/internal/output/fixtures/test-vuln-results-a.json @@ -289,4 +289,4 @@ ] } ] -} \ No newline at end of file +} diff --git a/internal/output/fixtures/test-vuln-results-a_windows.json b/internal/output/fixtures/test-vuln-results-a_windows.json new file mode 100644 index 0000000000..684035241f --- /dev/null +++ b/internal/output/fixtures/test-vuln-results-a_windows.json @@ -0,0 +1,292 @@ +{ + "results": [ + { + "source": { + "path": "D:\\path\\to\\go.mod", + "type": "lockfile" + }, + "packages": [ + { + "package": { + "name": "github.com/gogo/protobuf", + "version": "1.3.1", + "ecosystem": "Go" + }, + "vulnerabilities": [ + { + "modified": "2023-06-12T18:45:41Z", + "published": "2021-04-14T20:04:52Z", + "schema_version": "1.4.0", + "id": "GO-2021-0053", + "aliases": [ + "CVE-2021-3121", + "GHSA-c3h9-896r-86jm" + ], + "summary": "Panic due to improper input validation in github.com/gogo/protobuf", + "details": "Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.", + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/gogo/protobuf", + "purl": "pkg:golang/github.com/gogo/protobuf" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.2" + } + ] + } + ], + "database_specific": { + "source": "https://vuln.go.dev/ID/GO-2021-0053.json" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/gogo/protobuf/plugin/unmarshal", + "symbols": [ + "unmarshal.Generate", + "unmarshal.field" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0053" + } + } + ], + "groups": [ + { + "ids": [ + "GO-2021-0053" + ] + } + ] + } + ] + }, + { + "source": { + "path": "D:\\path\\to\\sub-rust-project\\Cargo.lock", + "type": "lockfile" + }, + "packages": [ + { + "package": { + "name": "regex", + "version": "1.5.1", + "ecosystem": "crates.io" + }, + "vulnerabilities": [ + { + "modified": "2022-08-11T20:38:52Z", + "published": "2022-03-08T20:00:36Z", + "schema_version": "1.4.0", + "id": "GHSA-m5pq-gvj9-9vr8", + "aliases": [ + "CVE-2022-24713" + ], + "summary": "Rust's regex crate vulnerable to regular expression denial of service", + "details": "\u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\n\n[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\n\nThe Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability is \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "regex", + "purl": "pkg:cargo/regex" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.5.5" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-m5pq-gvj9-9vr8/GHSA-m5pq-gvj9-9vr8.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24713" + }, + { + "type": "WEB", + "url": "https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e" + }, + { + "type": "PACKAGE", + "url": "https://github.com/rust-lang/regex/" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" + }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html" + }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202208-08" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202208-14" + }, + { + "type": "WEB", + "url": "https://www.debian.org/security/2022/dsa-5113" + }, + { + "type": "WEB", + "url": "https://www.debian.org/security/2022/dsa-5118" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2022-03-08T20:00:36Z", + "nvd_published_at": "2022-03-08T19:15:00Z", + "severity": "HIGH" + } + }, + { + "modified": "2023-06-13T13:10:24Z", + "published": "2022-03-08T12:00:00Z", + "schema_version": "1.4.0", + "id": "RUSTSEC-2022-0013", + "aliases": [ + "CVE-2022-24713", + "GHSA-m5pq-gvj9-9vr8" + ], + "summary": "Regexes with large repetitions on empty sub-expressions take a very long time to parse", + "details": "The Rust Security Response WG was notified that the `regex` crate did not\nproperly limit the complexity of the regular expressions (regex) it parses. An\nattacker could use this security issue to perform a denial of service, by\nsending a specially crafted regex to a service accepting untrusted regexes. No\nknown vulnerability is present when parsing untrusted input with trusted\nregexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\nis \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses\nof the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service\nattacks caused by untrusted regexes, or untrusted input matched by trusted\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\nattacks. This guarantee is documented and it's considered part of the crate's\nAPI.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\npossible to craft regexes that bypass such mitigations. This makes it possible\nto perform denial of service attacks by sending specially crafted regexes to\nservices accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\nissue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\nto the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are\npractically infinite regexes that could be crafted to exploit this\nvulnerability. Because of this, we do not recommend denying known problematic\nregexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according\nto the [Rust security policy][1], and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\nfor coordinating the disclosure and writing this advisory.\n\n[1]: https://www.rust-lang.org/policies/security", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "regex", + "purl": "pkg:cargo/regex" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-0" + }, + { + "fixed": "1.5.5" + } + ] + } + ], + "database_specific": { + "categories": [ + "denial-of-service" + ], + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "informational": null, + "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0013.json" + }, + "ecosystem_specific": { + "affects": { + "arch": [], + "functions": [], + "os": [] + } + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "references": [ + { + "type": "PACKAGE", + "url": "https://crates.io/crates/regex" + }, + { + "type": "ADVISORY", + "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-m5pq-gvj9-9vr8", + "RUSTSEC-2022-0013" + ] + } + ] + } + ] + } + ] +} diff --git a/internal/output/fixtures/test-vuln-results-a_windows.sarif b/internal/output/fixtures/test-vuln-results-a_windows.sarif new file mode 100644 index 0000000000..91827284f8 --- /dev/null +++ b/internal/output/fixtures/test-vuln-results-a_windows.sarif @@ -0,0 +1,124 @@ +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [ + { + "id": "CVE-2022-24713", + "name": "CVE-2022-24713", + "shortDescription": { + "text": "CVE-2022-24713: Regexes with large repetitions on empty sub-expressions take a very long time to parse" + }, + "fullDescription": { + "text": "The Rust Security Response WG was notified that the `regex` crate did not\nproperly limit the complexity of the regular expressions (regex) it parses. An\nattacker could use this security issue to perform a denial of service, by\nsending a specially crafted regex to a service accepting untrusted regexes. No\nknown vulnerability is present when parsing untrusted input with trusted\nregexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\nis \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses\nof the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service\nattacks caused by untrusted regexes, or untrusted input matched by trusted\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\nattacks. This guarantee is documented and it's considered part of the crate's\nAPI.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\npossible to craft regexes that bypass such mitigations. This makes it possible\nto perform denial of service attacks by sending specially crafted regexes to\nservices accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\nissue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\nto the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are\npractically infinite regexes that could be crafted to exploit this\nvulnerability. Because of this, we do not recommend denying known problematic\nregexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according\nto the [Rust security policy][1], and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\nfor coordinating the disclosure and writing this advisory.\n\n[1]: https://www.rust-lang.org/policies/security", + "markdown": "The Rust Security Response WG was notified that the `regex` crate did not\nproperly limit the complexity of the regular expressions (regex) it parses. An\nattacker could use this security issue to perform a denial of service, by\nsending a specially crafted regex to a service accepting untrusted regexes. No\nknown vulnerability is present when parsing untrusted input with trusted\nregexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\nis \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses\nof the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service\nattacks caused by untrusted regexes, or untrusted input matched by trusted\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\nattacks. This guarantee is documented and it's considered part of the crate's\nAPI.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\npossible to craft regexes that bypass such mitigations. This makes it possible\nto perform denial of service attacks by sending specially crafted regexes to\nservices accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\nissue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\nto the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are\npractically infinite regexes that could be crafted to exploit this\nvulnerability. Because of this, we do not recommend denying known problematic\nregexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according\nto the [Rust security policy][1], and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\nfor coordinating the disclosure and writing this advisory.\n\n[1]: https://www.rust-lang.org/policies/security" + }, + "deprecatedIds": [ + "CVE-2022-24713", + "RUSTSEC-2022-0013", + "GHSA-m5pq-gvj9-9vr8" + ], + "help": { + "text": "**Your dependency is vulnerable to [CVE-2022-24713](https://osv.dev/list?q=CVE-2022-24713)**\n(Also published as: [RUSTSEC-2022-0013](https://osv.dev/vulnerability/RUSTSEC-2022-0013), [GHSA-m5pq-gvj9-9vr8](https://osv.dev/vulnerability/GHSA-m5pq-gvj9-9vr8), ).\n\n## [RUSTSEC-2022-0013](https://osv.dev/vulnerability/RUSTSEC-2022-0013)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The Rust Security Response WG was notified that the `regex` crate did not\n\u003e properly limit the complexity of the regular expressions (regex) it parses. An\n\u003e attacker could use this security issue to perform a denial of service, by\n\u003e sending a specially crafted regex to a service accepting untrusted regexes. No\n\u003e known vulnerability is present when parsing untrusted input with trusted\n\u003e regexes.\n\u003e \n\u003e This issue has been assigned CVE-2022-24713. The severity of this vulnerability\n\u003e is \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses\n\u003e of the `regex` crate are not affected by this vulnerability.\n\u003e \n\u003e ## Overview\n\u003e \n\u003e The `regex` crate features built-in mitigations to prevent denial of service\n\u003e attacks caused by untrusted regexes, or untrusted input matched by trusted\n\u003e regexes. Those (tunable) mitigations already provide sane defaults to prevent\n\u003e attacks. This guarantee is documented and it's considered part of the crate's\n\u003e API.\n\u003e \n\u003e Unfortunately a bug was discovered in the mitigations designed to prevent\n\u003e untrusted regexes to take an arbitrary amount of time during parsing, and it's\n\u003e possible to craft regexes that bypass such mitigations. This makes it possible\n\u003e to perform denial of service attacks by sending specially crafted regexes to\n\u003e services accepting user-controlled, untrusted regexes.\n\u003e \n\u003e ## Affected versions\n\u003e \n\u003e All versions of the `regex` crate before or equal to 1.5.4 are affected by this\n\u003e issue. The fix is include starting from `regex` 1.5.5.\n\u003e \n\u003e ## Mitigations\n\u003e \n\u003e We recommend everyone accepting user-controlled regexes to upgrade immediately\n\u003e to the latest version of the `regex` crate.\n\u003e \n\u003e Unfortunately there is no fixed set of problematic regexes, as there are\n\u003e practically infinite regexes that could be crafted to exploit this\n\u003e vulnerability. Because of this, we do not recommend denying known problematic\n\u003e regexes.\n\u003e \n\u003e ## Acknowledgements\n\u003e \n\u003e We want to thank Addison Crump for responsibly disclosing this to us according\n\u003e to the [Rust security policy][1], and for helping review the fix.\n\u003e \n\u003e We also want to thank Andrew Gallant for developing the fix, and Pietro Albini\n\u003e for coordinating the disclosure and writing this advisory.\n\u003e \n\u003e [1]: https://www.rust-lang.org/policies/security\n\n\u003c/details\u003e\n\n## [GHSA-m5pq-gvj9-9vr8](https://osv.dev/vulnerability/GHSA-m5pq-gvj9-9vr8)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\n\u003e \n\u003e [advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\n\u003e \n\u003e The Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\n\u003e \n\u003e This issue has been assigned CVE-2022-24713. The severity of this vulnerability is \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\n\u003e \n\u003e ## Overview\n\u003e \n\u003e The `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\n\u003e \n\u003e Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\n\u003e \n\u003e ## Affected versions\n\u003e \n\u003e All versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\n\u003e \n\u003e ## Mitigations\n\u003e \n\u003e We recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\n\u003e \n\u003e Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.\n\u003e \n\u003e ## Acknowledgements\n\u003e \n\u003e We want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\n\u003e \n\u003e We also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:D:\\path\\to\\sub-rust-project\\Cargo.lock | regex | 1.5.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-m5pq-gvj9-9vr8 | regex | 1.5.5 |\n| RUSTSEC-2022-0013 | regex | 1.5.5 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`D:\\path\\to\\sub-rust-project/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2022-24713\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [CVE-2022-24713](https://osv.dev/list?q=CVE-2022-24713)**\n(Also published as: [RUSTSEC-2022-0013](https://osv.dev/vulnerability/RUSTSEC-2022-0013), [GHSA-m5pq-gvj9-9vr8](https://osv.dev/vulnerability/GHSA-m5pq-gvj9-9vr8), ).\n\n## [RUSTSEC-2022-0013](https://osv.dev/vulnerability/RUSTSEC-2022-0013)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The Rust Security Response WG was notified that the `regex` crate did not\n\u003e properly limit the complexity of the regular expressions (regex) it parses. An\n\u003e attacker could use this security issue to perform a denial of service, by\n\u003e sending a specially crafted regex to a service accepting untrusted regexes. No\n\u003e known vulnerability is present when parsing untrusted input with trusted\n\u003e regexes.\n\u003e \n\u003e This issue has been assigned CVE-2022-24713. The severity of this vulnerability\n\u003e is \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses\n\u003e of the `regex` crate are not affected by this vulnerability.\n\u003e \n\u003e ## Overview\n\u003e \n\u003e The `regex` crate features built-in mitigations to prevent denial of service\n\u003e attacks caused by untrusted regexes, or untrusted input matched by trusted\n\u003e regexes. Those (tunable) mitigations already provide sane defaults to prevent\n\u003e attacks. This guarantee is documented and it's considered part of the crate's\n\u003e API.\n\u003e \n\u003e Unfortunately a bug was discovered in the mitigations designed to prevent\n\u003e untrusted regexes to take an arbitrary amount of time during parsing, and it's\n\u003e possible to craft regexes that bypass such mitigations. This makes it possible\n\u003e to perform denial of service attacks by sending specially crafted regexes to\n\u003e services accepting user-controlled, untrusted regexes.\n\u003e \n\u003e ## Affected versions\n\u003e \n\u003e All versions of the `regex` crate before or equal to 1.5.4 are affected by this\n\u003e issue. The fix is include starting from `regex` 1.5.5.\n\u003e \n\u003e ## Mitigations\n\u003e \n\u003e We recommend everyone accepting user-controlled regexes to upgrade immediately\n\u003e to the latest version of the `regex` crate.\n\u003e \n\u003e Unfortunately there is no fixed set of problematic regexes, as there are\n\u003e practically infinite regexes that could be crafted to exploit this\n\u003e vulnerability. Because of this, we do not recommend denying known problematic\n\u003e regexes.\n\u003e \n\u003e ## Acknowledgements\n\u003e \n\u003e We want to thank Addison Crump for responsibly disclosing this to us according\n\u003e to the [Rust security policy][1], and for helping review the fix.\n\u003e \n\u003e We also want to thank Andrew Gallant for developing the fix, and Pietro Albini\n\u003e for coordinating the disclosure and writing this advisory.\n\u003e \n\u003e [1]: https://www.rust-lang.org/policies/security\n\n\u003c/details\u003e\n\n## [GHSA-m5pq-gvj9-9vr8](https://osv.dev/vulnerability/GHSA-m5pq-gvj9-9vr8)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\n\u003e \n\u003e [advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\n\u003e \n\u003e The Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\n\u003e \n\u003e This issue has been assigned CVE-2022-24713. The severity of this vulnerability is \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\n\u003e \n\u003e ## Overview\n\u003e \n\u003e The `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\n\u003e \n\u003e Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\n\u003e \n\u003e ## Affected versions\n\u003e \n\u003e All versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\n\u003e \n\u003e ## Mitigations\n\u003e \n\u003e We recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\n\u003e \n\u003e Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.\n\u003e \n\u003e ## Acknowledgements\n\u003e \n\u003e We want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\n\u003e \n\u003e We also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:D:\\path\\to\\sub-rust-project\\Cargo.lock | regex | 1.5.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-m5pq-gvj9-9vr8 | regex | 1.5.5 |\n| RUSTSEC-2022-0013 | regex | 1.5.5 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`D:\\path\\to\\sub-rust-project/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2022-24713\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + }, + { + "id": "CVE-2021-3121", + "name": "CVE-2021-3121", + "shortDescription": { + "text": "CVE-2021-3121: Panic due to improper input validation in github.com/gogo/protobuf" + }, + "fullDescription": { + "text": "Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.", + "markdown": "Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector." + }, + "deprecatedIds": [ + "CVE-2021-3121", + "GO-2021-0053", + "GHSA-c3h9-896r-86jm" + ], + "help": { + "text": "**Your dependency is vulnerable to [CVE-2021-3121](https://osv.dev/list?q=CVE-2021-3121)**.\n\n## [GO-2021-0053](https://osv.dev/vulnerability/GO-2021-0053)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:D:\\path\\to\\go.mod | github.com/gogo/protobuf | 1.3.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2021-0053 | github.com/gogo/protobuf | 1.3.2 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`D:\\path\\to/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2021-3121\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [CVE-2021-3121](https://osv.dev/list?q=CVE-2021-3121)**.\n\n## [GO-2021-0053](https://osv.dev/vulnerability/GO-2021-0053)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:D:\\path\\to\\go.mod | github.com/gogo/protobuf | 1.3.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2021-0053 | github.com/gogo/protobuf | 1.3.2 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`D:\\path\\to/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2021-3121\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + } + ], + "version": "1.4.3" + } + }, + "artifacts": [ + { + "location": { + "uri": "file:///D:/path/to/sub-rust-project/Cargo.lock" + }, + "length": -1 + }, + { + "location": { + "uri": "file:///D:/path/to/go.mod" + }, + "length": -1 + } + ], + "results": [ + { + "ruleId": "CVE-2022-24713", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'regex@1.5.1' is vulnerable to 'CVE-2022-24713' (also known as 'RUSTSEC-2022-0013', 'GHSA-m5pq-gvj9-9vr8')." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/path/to/sub-rust-project/Cargo.lock" + } + } + } + ] + }, + { + "ruleId": "CVE-2021-3121", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "Package 'github.com/gogo/protobuf@1.3.1' is vulnerable to 'CVE-2021-3121' (also known as 'GO-2021-0053', 'GHSA-c3h9-896r-86jm')." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/path/to/go.mod" + } + } + } + ] + }, + { + "ruleId": "CVE-2022-24713", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'regex@1.5.1' is vulnerable to 'CVE-2022-24713' (also known as 'RUSTSEC-2022-0013', 'GHSA-m5pq-gvj9-9vr8')." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/path/to/sub-rust-project/Cargo.lock" + } + } + } + ] + } + ] + } + ] +} diff --git a/internal/sourceanalysis/integration/fixtures-go/snapshots/govulncheckshim_test.json b/internal/sourceanalysis/integration/fixtures-go/snapshots/govulncheckshim_test.json index 355e95d082..94e7867d90 100755 --- a/internal/sourceanalysis/integration/fixtures-go/snapshots/govulncheckshim_test.json +++ b/internal/sourceanalysis/integration/fixtures-go/snapshots/govulncheckshim_test.json @@ -18,7 +18,7 @@ "column":22, "filename":"", "line":13, - "offset":234 + "offset":-1 } } ] diff --git a/internal/sourceanalysis/integration_test.go b/internal/sourceanalysis/integration_test.go index c7b47c4e29..b30113ae4f 100644 --- a/internal/sourceanalysis/integration_test.go +++ b/internal/sourceanalysis/integration_test.go @@ -50,5 +50,6 @@ func Test_RunGoVulnCheck(t *testing.T) { } res["GO-2023-1558"][0].Trace[1].Position.Filename = "" + res["GO-2023-1558"][0].Trace[1].Position.Offset = -1 testutility.AssertMatchFixtureJSON(t, filepath.Join(fixturesDir, "snapshots/govulncheckshim_test.json"), res) } diff --git a/internal/sourceanalysis/rust_test.go b/internal/sourceanalysis/rust_test.go index be97cd08b5..c5a34b9e07 100644 --- a/internal/sourceanalysis/rust_test.go +++ b/internal/sourceanalysis/rust_test.go @@ -94,7 +94,7 @@ func Test_rustBuildSource(t *testing.T) { }, }, want: []string{ - workingDir + "/fixtures-rust/rust-project/target/release/test-project", + workingDir + filepath.FromSlash("/fixtures-rust/rust-project/target/release/test-project") + testutility.ValueIfOnWindows(".exe", ""), }, }, } diff --git a/internal/testutility/utility.go b/internal/testutility/utility.go index 1501c5e2ec..361581aa30 100644 --- a/internal/testutility/utility.go +++ b/internal/testutility/utility.go @@ -4,7 +4,10 @@ import ( "encoding/json" "fmt" "os" + "path/filepath" "reflect" + "runtime" + "strings" "testing" "github.com/google/go-cmp/cmp" @@ -13,36 +16,67 @@ import ( "github.com/hexops/gotextdiff/span" ) -// LoadJSONFixture loads a JSON fixture file and returns the decoded version. -func LoadJSONFixture[V any](t *testing.T, path string) V { +func determineWindowsFixturePath(t *testing.T, path string) string { t.Helper() - file, err := os.Open(path) - if err != nil { - t.Fatalf("Failed to open fixture: %s", err) - } - var value V - err = json.NewDecoder(file).Decode(&value) - if err != nil { - t.Fatalf("Failed to parse fixture: %s", err) - } - return value + ext := filepath.Ext(path) + + return strings.TrimSuffix(path, ext) + "_windows" + ext } -// AssertMatchFixtureJSON matches the JSON at path with the value val, failing if not equal, printing out the difference. -func AssertMatchFixtureJSON[V any](t *testing.T, path string, val V) { +func loadFixture(t *testing.T, path string) ([]byte, string) { t.Helper() - fileA, err := os.ReadFile(path) + + var file []byte + var err error + + // when on Windows, check if there is a version of the fixture whose filename + // ends with _windows and if so use that instead + if //goland:noinspection GoBoolExpressions + runtime.GOOS == "windows" { + winFixturePath := determineWindowsFixturePath(t, path) + + file, err = os.ReadFile(winFixturePath) + + if err == nil { + return file, winFixturePath + } + // load the original file if a Windows-specific version does not exist + if !os.IsNotExist(err) { + t.Fatalf("Failed to open fixture: %s", err) + } + } + + file, err = os.ReadFile(path) + if err != nil { t.Fatalf("Failed to open fixture: %s", err) } + return file, path +} + +// LoadJSONFixture loads a JSON fixture file and returns the decoded version. +func LoadJSONFixture[V any](t *testing.T, path string) V { + t.Helper() + + file, _ := loadFixture(t, path) + var elem V - err = json.Unmarshal(fileA, &elem) + err := json.Unmarshal(file, &elem) if err != nil { t.Fatalf("Failed to unmarshal val: %s", err) } + return elem +} + +// AssertMatchFixtureJSON matches the JSON at path with the value val, failing if not equal, printing out the difference. +func AssertMatchFixtureJSON[V any](t *testing.T, path string, val V) { + t.Helper() + + elem := LoadJSONFixture[V](t, path) + if !reflect.DeepEqual(val, elem) { t.Errorf("Not equal: \n%s", cmp.Diff(val, elem)) } @@ -80,16 +114,20 @@ func CreateTextFixture(t *testing.T, path string, val string) { } } +func normalizeNewlines(content string) string { + return strings.ReplaceAll(content, "\r\n", "\n") +} + // AssertMatchFixtureText matches the Text file at path with actual func AssertMatchFixtureText(t *testing.T, path string, actual string) { t.Helper() - fileA, err := os.ReadFile(path) - if err != nil { - t.Fatalf("Failed to open fixture: %s", err) - } + fileA, path := loadFixture(t, path) + + actual = normalizeNewlines(actual) expect := string(fileA) - if actual != string(fileA) { + expect = normalizeNewlines(expect) + if actual != expect { if os.Getenv("TEST_NO_DIFF") == "true" { t.Errorf("\nactual %s does not match expected:\n got:\n%s\n\n want:\n%s", path, actual, expect) } else { @@ -108,3 +146,12 @@ func AcceptanceTests(t *testing.T, reason string) { t.Skip("Skipping extended test: ", reason) } } + +func ValueIfOnWindows(win, or string) string { + if //goland:noinspection GoBoolExpressions + runtime.GOOS == "windows" { + return win + } + + return or +}