diff --git a/cmd/govulncheck/testdata/stdlib/modules/stdlib/old_dont_run_me b/cmd/govulncheck/testdata/stdlib/modules/stdlib/old_dont_run_me new file mode 100644 index 00000000..2a648cb2 Binary files /dev/null and b/cmd/govulncheck/testdata/stdlib/modules/stdlib/old_dont_run_me differ diff --git a/cmd/govulncheck/testdata/stdlib/testfiles/binary/binary_old_go_text.ct b/cmd/govulncheck/testdata/stdlib/testfiles/binary/binary_old_go_text.ct new file mode 100644 index 00000000..03aa4df2 --- /dev/null +++ b/cmd/govulncheck/testdata/stdlib/testfiles/binary/binary_old_go_text.ct @@ -0,0 +1,44 @@ +##### +# Test verbose scanning with text output for a binary built +# with an ancient Go version +$ govulncheck -mode binary -show verbose ${moddir}/stdlib/old_dont_run_me --> FAIL 3 +Scanning your binary for known vulnerabilities... + +Fetching vulnerabilities from the database... + +Checking the binary against the vulnerabilities... + +warning: binary built with Go version go1.12.10, only standard library vulnerabilities will be checked + +warning: failed to extract build system specification GOOS: GOARCH: + + +=== Symbol Results === + +Vulnerability #1: GO-2022-0969 + HTTP/2 server connections can hang forever waiting for a clean shutdown that + was preempted by a fatal error. This condition can be exploited by a + malicious client to cause a denial of service. + More info: https://pkg.go.dev/vuln/GO-2022-0969 + Standard library + Found in: net/http@go1.12.10 + Fixed in: net/http@go1.18.6 + Vulnerable symbols found: + #1: http.ListenAndServe + #2: http.ListenAndServeTLS + #3: http.Serve + #4: http.ServeTLS + #5: http.Server.ListenAndServe + Use '-show traces' to see the other 4 found symbols + +=== Package Results === + +No other vulnerabilities found. + +=== Module Results === + +No other vulnerabilities found. + +Your code is affected by 1 vulnerability from the Go standard library. +This scan found no other vulnerabilities in packages you import or modules you +require. diff --git a/internal/semver/semver_test.go b/internal/semver/semver_test.go index e16b26c0..4c4a3c84 100644 --- a/internal/semver/semver_test.go +++ b/internal/semver/semver_test.go @@ -38,3 +38,22 @@ func TestGoTagToSemver(t *testing.T) { } } } + +func TestLess(t *testing.T) { + for _, test := range []struct { + v1 string + v2 string + want bool + }{ + {"go1.19", "go1.19", false}, + {"go1.19.1", "go1.19", false}, + {"v0.2.1", "v0.3.0", true}, + {"go1.12.2", "go1.18", true}, + {"v1.20.0-pre4", "v1.20.0-pre.4", false}, + {"v1.20.0-pre4", "v1.20.0-pre4.4", true}, + } { + if got := Less(test.v1, test.v2); got != test.want { + t.Errorf("want Less(%s, %s)=%t; got %t", test.v1, test.v2, test.want, got) + } + } +} diff --git a/internal/vulncheck/binary.go b/internal/vulncheck/binary.go index db96ba33..03d7a6ad 100644 --- a/internal/vulncheck/binary.go +++ b/internal/vulncheck/binary.go @@ -13,6 +13,7 @@ import ( "golang.org/x/vuln/internal/buildinfo" "golang.org/x/vuln/internal/client" "golang.org/x/vuln/internal/govulncheck" + "golang.org/x/vuln/internal/semver" ) // Bin is an abstraction of Go binary containing @@ -64,6 +65,15 @@ func binary(ctx context.Context, handler govulncheck.Handler, bin *Bin, cfg *gov return nil, err } + // Emit warning message for ancient Go binaries, defined as binaries + // built with Go version without support for debug.BuildInfo (< go1.18). + if semver.Less(bin.GoVersion, "go1.18") { + p := &govulncheck.Progress{Message: fmt.Sprintf("warning: binary built with Go version %s, only standard library vulnerabilities will be checked", bin.GoVersion)} + if err := handler.Progress(p); err != nil { + return nil, err + } + } + if bin.GOOS == "" || bin.GOARCH == "" { p := &govulncheck.Progress{Message: fmt.Sprintf("warning: failed to extract build system specification GOOS: %s GOARCH: %s\n", bin.GOOS, bin.GOARCH)} if err := handler.Progress(p); err != nil {