Open fflewddur opened 1 year ago
CC @golang/vulndb
Change https://go.dev/cl/485515 mentions this issue: cmd/govulncheck: add test for multiple entry points
Change https://go.dev/cl/485898 mentions this issue: cmd/govulncheck/testdata: add test for json mode for multiple entry points
What version of Go are you using (go version)?
Does this issue reproduce at the latest version of golang.org/x/vuln?
Yes
What did you do?
I ran govulncheck on a sample module that calls a single vulnerable function in three separate locations. Instead of seeing all three locations, the output only shows the filename and line number for one invocation. The sample module I used is available from https://go.dev/play/p/_B6yVIfrkZl
This is the output from govulncheck:
What did you expect to see?
I expected govulncheck to report the location of all three invocations of the vulnerable function, language.Parse(). Specifically, in the "Call stacks in your code:" section, I expected to see rows for lines 50 and 63, in addition to line 76.
Alternatively, showing all invocations may make sense only in verbose mode (-v flag), but if we go that route, it would still be helpful to explain in the output how many times the vulnerable symbol is used, and that the output only shows one example. Without either of these changes, it seems possible to misinterpret govulncheck's output as saying that the given module only invokes a vulnerable symbol in one, perhaps innocuous, location, when in reality it may be invoked in other more critical locations.
What did you see instead?
govulncheck only showed the filename and line number for one invocation of language.Parse().
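Until govulncheck lists every call site, a reviewer who wants to know how many places in a module actually reach a vulnerable symbol can enumerate the invocations syntactically. The following is an added example, not code from the issue reporter or from the govulncheck project: it uses go/parser and go/ast to find every call of the form pkg.Name (here language.Parse) in a file and attributes each one to its enclosing top-level function. The embedded SampleSrc is a constructed file with three call sites, standing in for the reporter's playground module, whose contents are not on this page. The match is purely textual (no type-checking), so an aliased import has to be matched by its alias, and a call reached only through a wrapper function is not counted; govulncheck's call-graph analysis does handle those cases.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// CallSite is one syntactic invocation of the selector being searched for.
type CallSite struct {
	Line int    // 1-based line in the parsed file
	Func string // enclosing top-level function, or "" for package-level code
}

// FindCallSites parses src as a single Go file and returns every call of the
// form pkg.name (for example language.Parse), in source order. The match is
// purely syntactic: pkg is the import name as written in the file (an alias
// must be matched by its alias) and no type-checking is performed.
func FindCallSites(filename, src, pkg, name string) ([]CallSite, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}

	// Collect top-level function declarations so each call can be
	// attributed to the function whose source range contains it.
	var funcs []*ast.FuncDecl
	for _, d := range f.Decls {
		if fn, ok := d.(*ast.FuncDecl); ok {
			funcs = append(funcs, fn)
		}
	}
	enclosing := func(pos token.Pos) string {
		for _, fn := range funcs {
			if fn.Pos() <= pos && pos < fn.End() {
				return fn.Name.Name
			}
		}
		return ""
	}

	var sites []CallSite
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok {
			return true
		}
		if id, ok := sel.X.(*ast.Ident); ok && id.Name == pkg && sel.Sel.Name == name {
			sites = append(sites, CallSite{
				Line: fset.Position(call.Pos()).Line,
				Func: enclosing(call.Pos()),
			})
		}
		return true
	})
	return sites, nil
}

// SampleSrc is a constructed input (not the reporter's playground module)
// that calls language.Parse from three separate functions, on lines 10,
// 15 and 20.
const SampleSrc = `package sample

import (
	"fmt"

	"golang.org/x/text/language"
)

func parseHeader(h string) {
	t, _ := language.Parse(h) // call site 1
	fmt.Println(t)
}

func parseQuery(q string) {
	t, _ := language.Parse(q) // call site 2
	fmt.Println(t)
}

func parseCookie(c string) {
	t, _ := language.Parse(c) // call site 3
	fmt.Println(t)
}
`

func main() {
	sites, err := FindCallSites("sample.go", SampleSrc, "language", "Parse")
	if err != nil {
		panic(err)
	}
	fmt.Printf("language.Parse is called %d times:\n", len(sites))
	for _, s := range sites {
		fmt.Printf("  sample.go:%d in %s\n", s.Line, s.Func)
	}
}
```

Running it against SampleSrc reports all three locations, which is the kind of count the report asks govulncheck to surface so that a single listed call stack is not mistaken for the only use of the symbol.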