-
Notifications
You must be signed in to change notification settings - Fork 61
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
internal/scan: add binary extract mode
The extract mode spits out a json blob representing the minimal representation of a Go binary needed for govulncheck vulnerability detection. binary mode accepts both a Go binary and this representation as an input. The contents of extract should be regarded as a blob. The users of this flag should not rely on its representation. It might change in the future. Change-Id: I81027062d34609fed7541ad2092d4cbe5df0d118 Reviewed-on: https://go-review.googlesource.com/c/vuln/+/542035 Run-TryBot: Zvonimir Pavlinovic <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Ian Cottrell <[email protected]> Reviewed-by: Maceo Thompson <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
- Loading branch information
1 parent
3072335
commit 8fb35e0
Showing
20 changed files
with
285 additions
and
23 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Binary file not shown.
46 changes: 46 additions & 0 deletions
46
cmd/govulncheck/testdata/testfiles/extract/binary_extract.ct
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
##### | ||
# Test binary mode using the extracted binary blob. | ||
$ govulncheck -mode=binary ${testdir}/extract/vuln.blob --> FAIL 3 | ||
Scanning your binary for known vulnerabilities... | ||
|
||
Vulnerability #1: GO-2021-0265 | ||
A maliciously crafted path can cause Get and other query functions to | ||
consume excessive amounts of CPU and time. | ||
More info: https://pkg.go.dev/vuln/GO-2021-0265 | ||
Module: github.com/tidwall/gjson | ||
Found in: github.com/tidwall/[email protected] | ||
Fixed in: github.com/tidwall/[email protected] | ||
Example traces found: | ||
#1: gjson.Get | ||
#2: gjson.Result.Get | ||
|
||
Vulnerability #2: GO-2021-0113 | ||
Due to improper index calculation, an incorrectly formatted language tag can | ||
cause Parse to panic via an out of bounds read. If Parse is used to process | ||
untrusted user inputs, this may be used as a vector for a denial of service | ||
attack. | ||
More info: https://pkg.go.dev/vuln/GO-2021-0113 | ||
Module: golang.org/x/text | ||
Found in: golang.org/x/[email protected] | ||
Fixed in: golang.org/x/[email protected] | ||
Example traces found: | ||
#1: language.Parse | ||
|
||
Vulnerability #3: GO-2021-0054 | ||
Due to improper bounds checking, maliciously crafted JSON objects can cause | ||
an out-of-bounds panic. If parsing user input, this may be used as a denial | ||
of service vector. | ||
More info: https://pkg.go.dev/vuln/GO-2021-0054 | ||
Module: github.com/tidwall/gjson | ||
Found in: github.com/tidwall/[email protected] | ||
Fixed in: github.com/tidwall/[email protected] | ||
Example traces found: | ||
#1: gjson.Result.ForEach | ||
|
||
Your code is affected by 3 vulnerabilities from 2 modules. | ||
|
||
Share feedback at https://go.dev/s/govulncheck-feedback. | ||
|
||
# Test extract mode. Due to the size of the blob even for smallest programs, we | ||
# directly compare its output to a target vuln_blob.json file. | ||
$ govulncheck-cmp -mode=extract ${moddir}/vuln/vuln_dont_run_me ${testdir}/extract/vuln.blob |
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
{"name":"govulncheck-extract","version":"0.1.0"}{"modules":[]}{"name":"govulncheck-extract","version":"0.1.0"} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
{} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
##### | ||
# Test extraction of an unsupported file format | ||
$ govulncheck -mode=extract ${moddir}/vuln/go.mod --> FAIL 1 | ||
govulncheck: unrecognized binary format |
1 change: 1 addition & 0 deletions
1
cmd/govulncheck/testdata/testfiles/failures/invalid_header.blob
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
{"id":"invalid-name","protocol":"0.1.0"}{"modules":[{"Path":"github.com/tidwall/gjson","Version":"v1.6.5","Replace":null,"Time":null,"Main":false,"Indirect":false,"Dir":"","GoMod":"","GoVersion":"","Error":null}]} |
1 change: 1 addition & 0 deletions
1
cmd/govulncheck/testdata/testfiles/failures/invalid_header_name.blob
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
{"name":"invalid-name","version":"0.1.0"}{"modules":[{"Path":"github.com/tidwall/gjson","Version":"v1.6.5","Replace":null,"Time":null,"Main":false,"Indirect":false,"Dir":"","GoMod":"","GoVersion":"","Error":null}]} |
1 change: 1 addition & 0 deletions
1
cmd/govulncheck/testdata/testfiles/failures/invalid_header_version.blob
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
{"name":"govulncheck-extract","version":"8.8.8"}{"modules":[{"Path":"github.com/tidwall/gjson","Version":"v1.6.5","Replace":null,"Time":null,"Main":false,"Indirect":false,"Dir":"","GoMod":"","GoVersion":"","Error":null}]} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
{"name":"govulncheck-extract","version":"0.1.0"}{"name":"govulncheck-extract","version":"0.1.0"}{"modules":[]} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
{"name":"govulncheck-extract","version":"0.1.0"} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
{"modules":[{"Path":"github.com/tidwall/gjson","Version":"v1.6.5","Replace":null,"Time":null,"Main":false,"Indirect":false,"Dir":"","GoMod":"","GoVersion":"","Error":null}]} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
// Copyright 2023 The Go Authors. All rights reserved. | ||
// Use of this source code is governed by a BSD-style | ||
// license that can be found in the LICENSE file. | ||
|
||
//go:build go1.18 | ||
// +build go1.18 | ||
|
||
package scan | ||
|
||
import ( | ||
"encoding/json" | ||
"fmt" | ||
"io" | ||
"sort" | ||
|
||
"golang.org/x/vuln/internal/derrors" | ||
"golang.org/x/vuln/internal/vulncheck" | ||
) | ||
|
||
const ( | ||
// extractModeID is the unique name of the extract mode protocol | ||
extractModeID = "govulncheck-extract" | ||
extractModeVersion = "0.1.0" | ||
) | ||
|
||
// header information for the blob output. | ||
type header struct { | ||
Name string `json:"name"` | ||
Version string `json:"version"` | ||
} | ||
|
||
// runExtract dumps the extracted abstraction of binary at cfg.patterns to out. | ||
// It prints out exactly two blob messages, one with the header and one with | ||
// the vulncheck.Bin as the body. | ||
func runExtract(cfg *config, out io.Writer) (err error) { | ||
defer derrors.Wrap(&err, "govulncheck") | ||
|
||
bin, err := createBin(cfg.patterns[0]) | ||
if err != nil { | ||
return err | ||
} | ||
sortBin(bin) // sort for easier testing and validation | ||
header := header{ | ||
Name: extractModeID, | ||
Version: extractModeVersion, | ||
} | ||
|
||
enc := json.NewEncoder(out) | ||
|
||
if err := enc.Encode(header); err != nil { | ||
return fmt.Errorf("marshaling blob header: %v", err) | ||
} | ||
if err := enc.Encode(bin); err != nil { | ||
return fmt.Errorf("marshaling blob body: %v", err) | ||
} | ||
return nil | ||
} | ||
|
||
func sortBin(bin *vulncheck.Bin) { | ||
sort.SliceStable(bin.PkgSymbols, func(i, j int) bool { | ||
return bin.PkgSymbols[i].Pkg+"."+bin.PkgSymbols[i].Name < bin.PkgSymbols[j].Pkg+"."+bin.PkgSymbols[j].Name | ||
}) | ||
} |
Oops, something went wrong.