Closed evanj closed 1 year ago
@golang/vulndb
What does the Go standard tooling tell you? Does it produce a warning?
I am asking as I have a problem reproducing this.
Change https://go.dev/cl/459036 mentions this issue: internal: use go env to compute GOMODCACHE
The go
command has not difficulty. E.g. go test ./...
works fine.
Here is a complete reproduction script on a clean Ubuntu 20.04 LTS container:
Start the container with: docker run --rm -ti ubuntu:20.04
Script to run in the container:
# install curl
apt update
apt install --yes curl
# create a normal user account and run the rest of the commands as that user
useradd --create-home normaluser --shell /bin/bash
su --login normaluser
# install Go 1.19.4
curl --location https://go.dev/dl/go1.19.4.linux-amd64.tar.gz | tar xz
export PATH=$PATH:$HOME/go/bin
# get latest govulncheck
go install golang.org/x/vuln/cmd/govulncheck@latest
# create a program with a third-party dependency
mkdir exampleprogram
cd exampleprogram
go mod init example.com/exampleprogram
cat > main.go <<END_PROGRAM
package main
import (
"fmt"
"golang.org/x/text/unicode/runenames"
)
func main() {
fmt.Printf("name for a: %s\n", runenames.Name('r'))
}
END_PROGRAM
go get golang.org/x/text/unicode/runenames
# run the program with Go tools (works)
go test ./...
go run .
# run govulncheck (does not work)
govulncheck ./...
# run govulncheck with explicit GOPATH (works)
echo "GOPATH?" $(go env GOPATH)
GOPATH=/home/normaluser/go govulncheck ./...
Example output I get when I run this (with a lot of output removed)
root@e15e7e6bb951:/# # install curl
root@e15e7e6bb951:/# apt update
Get:1 http://archive.ubuntu.com/ubuntu focal InRelease [265 kB]
... LINES REMOVED ...
All packages are up to date.
root@e15e7e6bb951:/# apt install --yes curl
Reading package lists... Done
... LINES REMOVED ...
done.
root@e15e7e6bb951:/# # create a normal user account and run the rest of the commands as that user
root@e15e7e6bb951:/# useradd --create-home normaluser --shell /bin/bash
root@e15e7e6bb951:/# su --login normaluser
normaluser@e15e7e6bb951:~$
normaluser@e15e7e6bb951:~$ # install Go 1.19.4
normaluser@e15e7e6bb951:~$ curl --location https://go.dev/dl/go1.19.4.linux-amd64.tar.gz | tar xz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 75 100 75 0 0 14 0 0:00:05 0:00:05 --:--:-- 19
100 142M 100 142M 0 0 16.0M 0 0:00:08 0:00:08 --:--:-- 41.3M
normaluser@e15e7e6bb951:~$ export PATH=$PATH:$HOME/go/bin
normaluser@e15e7e6bb951:~$
normaluser@e15e7e6bb951:~$ # get latest govulncheck
normaluser@e15e7e6bb951:~$ go install golang.org/x/vuln/cmd/govulncheck@latest
go: downloading golang.org/x/vuln v0.0.0-20221217143601-785badac1c32
go: downloading golang.org/x/tools v0.4.1-0.20221217013628-b4dfc36097e2
go: downloading golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e
go: downloading golang.org/x/mod v0.7.0
go: downloading golang.org/x/sys v0.3.0
normaluser@e15e7e6bb951:~$
normaluser@e15e7e6bb951:~$ # create a program with a third-party dependency
normaluser@e15e7e6bb951:~$ mkdir exampleprogram
normaluser@e15e7e6bb951:~$ cd exampleprogram
normaluser@e15e7e6bb951:~/exampleprogram$ go mod init example.com/exampleprogram
go: creating new go.mod: module example.com/exampleprogram
normaluser@e15e7e6bb951:~/exampleprogram$ cat > main.go <<END_PROGRAM
... LINES REMOVED ...
> END_PROGRAM
normaluser@e15e7e6bb951:~/exampleprogram$ go get golang.org/x/text/unicode/runenames
go: downloading golang.org/x/text v0.5.0
go: added golang.org/x/text v0.5.0
normaluser@e15e7e6bb951:~/exampleprogram$
normaluser@e15e7e6bb951:~/exampleprogram$ # run the program with Go tools (works)
normaluser@e15e7e6bb951:~/exampleprogram$ go test ./...
? example.com/exampleprogram [no test files]
normaluser@e15e7e6bb951:~/exampleprogram$ go run .
name for a: LATIN SMALL LETTER R
normaluser@e15e7e6bb951:~/exampleprogram$
normaluser@e15e7e6bb951:~/exampleprogram$ # run govulncheck (does not work)
normaluser@e15e7e6bb951:~/exampleprogram$ govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
Scanning for dependencies with known vulnerabilities...
govulncheck: vulncheck.Source: GetByModule("golang.org/x/text"): httpSource.GetByModule("golang.org/x/text"): Index(): mkdir /pkg: permission denied
normaluser@5374067b4b4f:~/exampleprogram$ echo "GOPATH?" $(go env GOPATH)
GOPATH? /home/normaluser/go
normaluser@5374067b4b4f:~/exampleprogram$ GOPATH=/home/normaluser/go govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.
What are the contents of the GOENV
file, which looks to be "/home/ej/.config/go/env"
according to go env
?
On my personal Linux desktop it contains:
CC=clang
In the clean Ubuntu container reproduction example the file $HOME/.config/go/env
does not exist.
Thanks for the very detailed reproduction instructions! The fix should now be in. At the very least, I was able to follow reproduction steps without them resulting in an error/panic:
$ govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.
Confirmed that this fixes my issue! Thanks for the rapid response!
Summary: I have no Go-related environment variables set, other than putting the Go tools in
PATH
. Go tools work, butgovulncheck
seems to try to cache files in the wrong place, and reports:govulncheck: vulncheck.Source: GetByModule("google.golang.org/protobuf"): httpSource.GetByModule("google.golang.org/protobuf"): Index(): mkdir /pkg: permission denied
. The workaround is to explicitly setting theGOPATH
environment variable:GOPATH=$(go env GOPATH) govulncheck ./...
.What version of Go are you using (
go version
)?Does this issue reproduce at the latest version of golang.org/x/vuln?
Yes. Specifically I ran:
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
I ran:
govulncheck ./...
in this repository: https://github.com/evanj/hacksWhat did you expect to see?
I expected to see some valid output.
What did you see instead?
The problem is I have no Go related environment variables set, other than PATH:
To fix this error, I can explicitly set GOPATH, and run this tool with:
GOPATH=$(go env GOPATH) govulncheck ./...
. This works as expected.My understanding is that Go tools should no longer require setting GOPATH.