Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vuln: govulncheck should report vulnerabilities for all GOOS/GOARCH values #54841

Closed
jba opened this issue Sep 2, 2022 · 10 comments
Closed

x/vuln: govulncheck should report vulnerabilities for all GOOS/GOARCH values #54841

jba opened this issue Sep 2, 2022 · 10 comments
Assignees
@jba
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Milestone
vuln/2022

Comments

@jba
Copy link
Contributor

jba commented Sep 2, 2022

Running govulncheck on one platform shouldn't limit reports to vulnerabilities that apply to that platform. For example, running govulncheck on Linux should report Windows vulnerabilities as well.

We might want to have a flag that limits reports to just a subset of platforms, so users who don't care about Windows or WASM can get a more focused set of reports if they want.
@jba jba added NeedsFix The path to resolution is known, but the work has not been done. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo labels Sep 2, 2022
@jba jba self-assigned this Sep 2, 2022
@gopherbot gopherbot added this to the Unreleased milestone Sep 2, 2022
@julieqiu julieqiu removed the x/vuln label Sep 2, 2022
@julieqiu julieqiu removed the x/vuln label Sep 2, 2022
@julieqiu julieqiu modified the milestones: Unreleased, vuln/2022 Sep 6, 2022
@adamdecaf
Copy link
Contributor

What about a -platforms <comma-separated-list> flag that could accept all or linux,windows values.

@zpavlinovic
Copy link
Contributor

Based on an offline discussion, this should apply for the analysis of source code only. Users will likely apply govulncheck on binaries ready for deployment, so we can use os and system architecture info present in the binary.

What about a -platforms <comma-separated-list> flag that could accept all or linux,windows values.

Interesting idea, but I think we could add a line in the output for each vulnerability that also specifies to which os and archs the vuln applies to. This would avoid the need for the flag and would not complicate the output too much for the user.

  ...
  Found in: ...
  Fixed in: ...
  More info: ...
  GOOS: linux, windows
  GOARCH: all

Something like that.

@gopherbot
Copy link

Change https://go.dev/cl/432356 mentions this issue: vulncheck: Source returns vulns for all GOOS/GOARCH

@hyangah
Copy link
Contributor

hyangah commented Sep 22, 2022
edited

@zpavlinovic If I run govulncheck on my macOS machine (without any GOOS, GOARCH overrides), after this fix, will it discover callpaths that affect only Windows, automatically? Or will this vulnerability get reported in the "Informational vulnerabilities" section (non-affecting vulnerabilities)?

@jba
Copy link
Contributor Author

jba commented Sep 22, 2022

It will discover vulns that affect only Windows. They will be reported with

platforms: windows/amd64

so you can tell.

Imagine that you develop on Mac but deploy to Linux servers. We don't know that, but we don't want you to miss a vulnerability.

@hyangah
Copy link
Contributor

hyangah commented Sep 22, 2022
edited

To clarify my question - will it be in the "Affecting vulnerability" section (for those with call info) or in the "Non-affecting vulnerability" section (for those without call info)?

@hyangah
Copy link
Contributor

hyangah commented Sep 22, 2022
edited

To answer my question - given that govulncheck still depends on go/packages and there is no special massaging to load all sources (this is a known difficult problem), if the call path exists only in a specific platform, that will be reported in the "Informational" section. Users can still adjust GOOS/GOARCH and rerun govulncheck to verify their code is indeed clean.

@zpavlinovic
Copy link
Contributor

With this change, govulncheck will create vulnerability graphs as if all of the vulnerabilities apply to all of the platforms. When we present the vulnerability info in the end, then we will simply mention which specific platforms this vulnerability applies to.

I guess in theory it could happen that different underlying platforms can produce different compiled code, but I am not sure will that affect vulnerability detection in practice. I guess this mostly applies to the standard library?

@hyangah
Copy link
Contributor

hyangah commented Sep 22, 2022

For example https://pkg.go.dev/vuln/GO-2022-0493 is a vulnerability in golang.org/x/sys/unix or syscall for unix. I guess users who run govulnceck on windows wouldn't hit this code path even though their cross-platform projects may be affected if they are built on unix platform.

Hmm, I just realized this vulnerability won't be even reported in the informational section since golang.org/x/sys/unix package won't be imported. Or is the "Informational vulnerability" section based on the module requirement graphs?

@zpavlinovic
Copy link
Contributor

zpavlinovic commented Sep 22, 2022
edited

For example https://pkg.go.dev/vuln/GO-2022-0493 is a vulnerability in golang.org/x/sys/unix or syscall for unix. I guess users who run govulnceck on windows wouldn't hit this code path even though their cross-platform projects may be affected if they are built on unix platform.

This was the behavior before. This issue is about showing them that path regardless of what platform they are using: we show them that path and then mention that it would be exercised on the windows platform.

We want to do this because users might run govulncheck on one platform during development where the vulnerability does not exist. That could give them a false sense of security if they also don't run govulncheck on other platforms for which some vulnerabilities do apply. Also, it is probably a better user experience doing things this way rather than the user running govulncheck on all possible platforms.

Hmm, I just realized this vulnerability won't be even reported in the informational section since golang.org/x/sys/unix package won't be imported. Or is the "Informational vulnerability" section based on the module requirement graphs?

It should be based on the package imports graph.

@zpavlinovic zpavlinovic mentioned this issue Oct 7, 2022
Closed
@albertony albertony mentioned this issue Oct 23, 2022
Merged
5 tasks
@Templum Templum mentioned this issue Nov 15, 2022
Closed
softdev050 added a commit to softdev050/Golangvuln that referenced this issue Apr 5, 2023
@softdev050
vulncheck: Source returns vulns for all GOOS/GOARCH
35ff592 
vulncheck.Source will return all matching vulns, regardless of the
current values of GOOS and GOARCH.

cmd/govulncheck displays the GOOS/GOARCH values if there are any.

Fixes golang/go#54841.

Change-Id: I98dbb75fe631416d0b53a8d4c851ee01a2d00c6c
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/432356
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
sayjun0505 added a commit to sayjun0505/Golangvuln that referenced this issue Apr 8, 2023
@sayjun0505
vulncheck: Source returns vulns for all GOOS/GOARCH
d0eb22f 
vulncheck.Source will return all matching vulns, regardless of the
current values of GOOS and GOARCH.

cmd/govulncheck displays the GOOS/GOARCH values if there are any.

Fixes golang/go#54841.

Change-Id: I98dbb75fe631416d0b53a8d4c851ee01a2d00c6c
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/432356
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
stanislavkononiuk added a commit to stanislavkononiuk/Golangvuln that referenced this issue Jun 26, 2023
@stanislavkononiuk
vulncheck: Source returns vulns for all GOOS/GOARCH
5abc096 
vulncheck.Source will return all matching vulns, regardless of the
current values of GOOS and GOARCH.

cmd/govulncheck displays the GOOS/GOARCH values if there are any.

Fixes golang/go#54841.

Change-Id: I98dbb75fe631416d0b53a8d4c851ee01a2d00c6c
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/432356
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
@golang golang locked and limited conversation to collaborators Sep 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@jba jba

Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Projects
Go Security
Status: Done
Milestone
vuln/2022
Development

No branches or pull requests
6 participants
@adamdecaf @zpavlinovic @hyangah @julieqiu @gopherbot @jba