cmd/govulncheck: mask line numbers and columns

These can in principle change for stdlib. Although we always pretend we are running against go1.18, the actual stdlib underneath can be different. This could result in different line numbers and columns. There currently does not exist a clean way of masking line position for stdlib paths, so we mask everything with placeholders. Change-Id: I08628acbf10aa3f36b969bac5745ae3b4d52f284 Reviewed-on: https://go-review.googlesource.com/c/vuln/+/562215 LUCI-TryBot-Result: Go LUCI <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Maceo Thompson <[email protected]> Run-TryBot: Zvonimir Pavlinovic <[email protected]>
golang · Feb 6, 2024 · 5507063 · 5507063
1 parent c154f6a
commit 5507063
Show file tree

Hide file tree

Showing 12 changed files with 121 additions and 104 deletions.
diff --git a/cmd/govulncheck/main_test.go b/cmd/govulncheck/main_test.go
@@ -51,6 +51,23 @@ var fixups = []fixup{
 			s := string(b)
 			return []byte(fmt.Sprintf(`.../%s%c`, filepath.Base(s[:len(s)-1]), s[len(s)-1]))
 		},
+	}, {
+		// modifies position lines to mask actual line and column with <l> and
+		// <c> placeholders, resp.
+		pattern: `\.go:(\d+):(\d+):`,
+		replace: `.go:<l>:<c>:`,
+	}, {
+		// modify position lines in json
+		pattern: `\"line\":(\s)*(\d+)`,
+		replace: `"line": <l>`,
+	}, {
+		// modify position columns in json
+		pattern: `\"column\":(\s)*(\d+)`,
+		replace: `"column": <c>`,
+	}, {
+		// modify position offset in json
+		pattern: `\"offset\":(\s)*(\d+)`,
+		replace: `"offset": <o>`,
 	}, {
 		// There was a one-line change in container/heap/heap.go between 1.18
 		// and 1.19 that makes the stack traces different. Ignore it.

diff --git a/cmd/govulncheck/testdata/testfiles/convert/convert_text.ct b/cmd/govulncheck/testdata/testfiles/convert/convert_text.ct
@@ -14,7 +14,7 @@ Vulnerability #1: GO-2021-0265
     Found in: github.com/tidwall/[email protected]
     Fixed in: github.com/tidwall/[email protected]
     Example traces found:
-      #1: .../vuln.go:14:20: vuln.main calls gjson.Result.Get
+      #1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get
 
 Vulnerability #2: GO-2021-0113
     Due to improper index calculation, an incorrectly formatted language tag can
@@ -26,7 +26,7 @@ Vulnerability #2: GO-2021-0113
     Found in: golang.org/x/[email protected]
     Fixed in: golang.org/x/[email protected]
     Example traces found:
-      #1: .../vuln.go:13:16: vuln.main calls language.Parse
+      #1: .../vuln.go:<l>:<c>: vuln.main calls language.Parse
 
 Your code is affected by 2 vulnerabilities from 2 modules.
 This scan also found 1 vulnerability in packages you import and 0

diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_call_json.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_call_json.ct
@@ -252,9 +252,9 @@ $ govulncheck -C ${moddir}/vuln -json ./...
         "receiver": "Result",
         "position": {
           "filename": ".../gjson.go",
-          "offset": 5744,
-          "line": 296,
-          "column": 17
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -263,9 +263,9 @@ $ govulncheck -C ${moddir}/vuln -json ./...
         "function": "main",
         "position": {
           "filename": ".../vuln.go",
-          "offset": 183,
-          "line": 14,
-          "column": 20
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       }
     ]
@@ -373,9 +373,9 @@ $ govulncheck -C ${moddir}/vuln -json ./...
         "function": "Parse",
         "position": {
           "filename": ".../parse.go",
-          "offset": 5808,
-          "line": 228,
-          "column": 6
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -384,9 +384,9 @@ $ govulncheck -C ${moddir}/vuln -json ./...
         "function": "main",
         "position": {
           "filename": ".../vuln.go",
-          "offset": 159,
-          "line": 13,
-          "column": 16
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       }
     ]
@@ -493,9 +493,9 @@ $ govulncheck -C ${moddir}/vuln -json ./...
         "receiver": "Result",
         "position": {
           "filename": ".../gjson.go",
-          "offset": 4415,
-          "line": 220,
-          "column": 17
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -505,9 +505,9 @@ $ govulncheck -C ${moddir}/vuln -json ./...
         "function": "modPretty",
         "position": {
           "filename": ".../gjson.go",
-          "offset": 53718,
-          "line": 2631,
-          "column": 21
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -517,9 +517,9 @@ $ govulncheck -C ${moddir}/vuln -json ./...
         "function": "execModifier",
         "position": {
           "filename": ".../gjson.go",
-          "offset": 52543,
-          "line": 2587,
-          "column": 21
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -529,9 +529,9 @@ $ govulncheck -C ${moddir}/vuln -json ./...
         "function": "Get",
         "position": {
           "filename": ".../gjson.go",
-          "offset": 38077,
-          "line": 1881,
-          "column": 36
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -542,9 +542,9 @@ $ govulncheck -C ${moddir}/vuln -json ./...
         "receiver": "Result",
         "position": {
           "filename": ".../gjson.go",
-          "offset": 5781,
-          "line": 297,
-          "column": 12
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -553,9 +553,9 @@ $ govulncheck -C ${moddir}/vuln -json ./...
         "function": "main",
         "position": {
           "filename": ".../vuln.go",
-          "offset": 183,
-          "line": 14,
-          "column": 20
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       }
     ]

diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_call_text.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_call_text.ct
@@ -13,7 +13,7 @@ Vulnerability #1: GO-2021-0265
     Found in: github.com/tidwall/[email protected]
     Fixed in: github.com/tidwall/[email protected]
     Example traces found:
-      #1: .../vuln.go:14:20: vuln.main calls gjson.Result.Get
+      #1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get
 
 Vulnerability #2: GO-2021-0113
     Due to improper index calculation, an incorrectly formatted language tag can
@@ -25,7 +25,7 @@ Vulnerability #2: GO-2021-0113
     Found in: golang.org/x/[email protected]
     Fixed in: golang.org/x/[email protected]
     Example traces found:
-      #1: .../vuln.go:13:16: vuln.main calls language.Parse
+      #1: .../vuln.go:<l>:<c>: vuln.main calls language.Parse
 
 Vulnerability #3: GO-2021-0054
     Due to improper bounds checking, maliciously crafted JSON objects can cause
@@ -36,7 +36,7 @@ Vulnerability #3: GO-2021-0054
     Found in: github.com/tidwall/[email protected]
     Fixed in: github.com/tidwall/[email protected]
     Example traces found:
-      #1: .../vuln.go:14:20: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach
+      #1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach
 
 Your code is affected by 3 vulnerabilities from 2 modules.
 This scan also found 0 vulnerabilities in packages you import and 2
@@ -60,8 +60,8 @@ Vulnerability #1: GO-2021-0265
     Fixed in: github.com/tidwall/[email protected]
     Example traces found:
       #1: for function github.com/tidwall/gjson.Result.Get
-        .../vuln.go:14:20: golang.org/vuln.main
-        .../gjson.go:296:17: github.com/tidwall/gjson.Result.Get
+        .../vuln.go:<l>:<c>: golang.org/vuln.main
+        .../gjson.go:<l>:<c>: github.com/tidwall/gjson.Result.Get
 
 Vulnerability #2: GO-2021-0113
     Due to improper index calculation, an incorrectly formatted language tag can
@@ -74,8 +74,8 @@ Vulnerability #2: GO-2021-0113
     Fixed in: golang.org/x/[email protected]
     Example traces found:
       #1: for function golang.org/x/text/language.Parse
-        .../vuln.go:13:16: golang.org/vuln.main
-        .../parse.go:228:6: golang.org/x/text/language.Parse
+        .../vuln.go:<l>:<c>: golang.org/vuln.main
+        .../parse.go:<l>:<c>: golang.org/x/text/language.Parse
 
 Vulnerability #3: GO-2021-0054
     Due to improper bounds checking, maliciously crafted JSON objects can cause
@@ -87,12 +87,12 @@ Vulnerability #3: GO-2021-0054
     Fixed in: github.com/tidwall/[email protected]
     Example traces found:
       #1: for function github.com/tidwall/gjson.Result.ForEach
-        .../vuln.go:14:20: golang.org/vuln.main
-        .../gjson.go:297:12: github.com/tidwall/gjson.Result.Get
-        .../gjson.go:1881:36: github.com/tidwall/gjson.Get
-        .../gjson.go:2587:21: github.com/tidwall/gjson.execModifier
-        .../gjson.go:2631:21: github.com/tidwall/gjson.modPretty
-        .../gjson.go:220:17: github.com/tidwall/gjson.Result.ForEach
+        .../vuln.go:<l>:<c>: golang.org/vuln.main
+        .../gjson.go:<l>:<c>: github.com/tidwall/gjson.Result.Get
+        .../gjson.go:<l>:<c>: github.com/tidwall/gjson.Get
+        .../gjson.go:<l>:<c>: github.com/tidwall/gjson.execModifier
+        .../gjson.go:<l>:<c>: github.com/tidwall/gjson.modPretty
+        .../gjson.go:<l>:<c>: github.com/tidwall/gjson.Result.ForEach
 
 Your code is affected by 3 vulnerabilities from 2 modules.
 This scan also found 0 vulnerabilities in packages you import and 2
@@ -115,7 +115,7 @@ Vulnerability #1: GO-2021-0265
     Found in: github.com/tidwall/[email protected]
     Fixed in: github.com/tidwall/[email protected]
     Example traces found:
-      #1: .../vuln.go:14:20: vuln.main calls gjson.Result.Get
+      #1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get
 
 Vulnerability #2: GO-2021-0113
     Due to improper index calculation, an incorrectly formatted language tag can
@@ -127,7 +127,7 @@ Vulnerability #2: GO-2021-0113
     Found in: golang.org/x/[email protected]
     Fixed in: golang.org/x/[email protected]
     Example traces found:
-      #1: .../vuln.go:13:16: vuln.main calls language.Parse
+      #1: .../vuln.go:<l>:<c>: vuln.main calls language.Parse
 
 Vulnerability #3: GO-2021-0054
     Due to improper bounds checking, maliciously crafted JSON objects can cause
@@ -138,7 +138,7 @@ Vulnerability #3: GO-2021-0054
     Found in: github.com/tidwall/[email protected]
     Fixed in: github.com/tidwall/[email protected]
     Example traces found:
-      #1: .../vuln.go:14:20: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach
+      #1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach
 
 === Package Results ===
 

diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_multientry_json.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_multientry_json.ct
@@ -243,9 +243,9 @@ $ govulncheck -json -C ${moddir}/multientry .
         "function": "MustParse",
         "position": {
           "filename": ".../tags.go",
-          "offset": 427,
-          "line": 13,
-          "column": 6
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -254,9 +254,9 @@ $ govulncheck -json -C ${moddir}/multientry .
         "function": "foobar",
         "position": {
           "filename": ".../main.go",
-          "offset": 1694,
-          "line": 99,
-          "column": 20
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -265,9 +265,9 @@ $ govulncheck -json -C ${moddir}/multientry .
         "function": "D",
         "position": {
           "filename": ".../main.go",
-          "offset": 705,
-          "line": 48,
-          "column": 8
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -276,9 +276,9 @@ $ govulncheck -json -C ${moddir}/multientry .
         "function": "main",
         "position": {
           "filename": ".../main.go",
-          "offset": 441,
-          "line": 26,
-          "column": 3
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       }
     ]
@@ -296,9 +296,9 @@ $ govulncheck -json -C ${moddir}/multientry .
         "function": "Parse",
         "position": {
           "filename": ".../parse.go",
-          "offset": 1121,
-          "line": 33,
-          "column": 6
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -307,9 +307,9 @@ $ govulncheck -json -C ${moddir}/multientry .
         "function": "C",
         "position": {
           "filename": ".../main.go",
-          "offset": 679,
-          "line": 44,
-          "column": 23
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       },
       {
@@ -318,9 +318,9 @@ $ govulncheck -json -C ${moddir}/multientry .
         "function": "main",
         "position": {
           "filename": ".../main.go",
-          "offset": 340,
-          "line": 22,
-          "column": 3
+          "offset": <o>,
+          "line": <l>,
+          "column": <c>
         }
       }
     ]

diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_multientry_text.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_multientry_text.ct
@@ -15,8 +15,8 @@ Vulnerability #1: GO-2021-0113
     Found in: golang.org/x/[email protected]
     Fixed in: golang.org/x/[email protected]
     Example traces found:
-      #1: .../main.go:99:20: multientry.foobar calls language.MustParse
-      #2: .../main.go:44:23: multientry.C calls language.Parse
+      #1: .../main.go:<l>:<c>: multientry.foobar calls language.MustParse
+      #2: .../main.go:<l>:<c>: multientry.C calls language.Parse
 
 Your code is affected by 1 vulnerability from 1 module.
 This scan also found 0 vulnerabilities in packages you import and 1
@@ -42,14 +42,14 @@ Vulnerability #1: GO-2021-0113
     Fixed in: golang.org/x/[email protected]
     Example traces found:
       #1: for function golang.org/x/text/language.MustParse
-        .../main.go:26:3: golang.org/multientry.main
-        .../main.go:48:8: golang.org/multientry.D
-        .../main.go:99:20: golang.org/multientry.foobar
-        .../tags.go:13:6: golang.org/x/text/language.MustParse
+        .../main.go:<l>:<c>: golang.org/multientry.main
+        .../main.go:<l>:<c>: golang.org/multientry.D
+        .../main.go:<l>:<c>: golang.org/multientry.foobar
+        .../tags.go:<l>:<c>: golang.org/x/text/language.MustParse
       #2: for function golang.org/x/text/language.Parse
-        .../main.go:22:3: golang.org/multientry.main
-        .../main.go:44:23: golang.org/multientry.C
-        .../parse.go:33:6: golang.org/x/text/language.Parse
+        .../main.go:<l>:<c>: golang.org/multientry.main
+        .../main.go:<l>:<c>: golang.org/multientry.C
+        .../parse.go:<l>:<c>: golang.org/x/text/language.Parse
 
 === Package Results ===
 

diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_replace_text.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_replace_text.ct
@@ -16,7 +16,7 @@ Vulnerability #1: GO-2021-0113
     Found in: golang.org/x/[email protected]
     Fixed in: golang.org/x/[email protected]
     Example traces found:
-      #1: .../main.go:11:16: replace.main calls language.Parse
+      #1: .../main.go:<l>:<c>: replace.main calls language.Parse
 
 Your code is affected by 1 vulnerability from 1 module.
 This scan also found 0 vulnerabilities in packages you import and 2