x/vuln: govulncheck is confused when go command version doesn't match that used to build it #55045
Comments
julieqiu
added
vulncheck or vulndb
|
This is clearly a problem in go/packages, but I can't reproduce it (either in vulncheck or in go/packages/gopackages), using the exact same two go versions on my machine. # build go1.20 devel
$ cd $HOME/w/goroot/src/
$ git co 54182ff54a
$ ./make.bash
$ ../bin/go version
go version devel go1.20-54182ff54a Fri Sep 9 20:29:05 2022 +0000 darwin/arm64
# install go1.18.5
$ go install golang.org/dl/go1.18.5@latest
$ go1.18.5 download
$ go1.18.5 version
go version go1.18.5 darwin/arm64
# build govulncheck with 1.18 and run it with 1.20-devel
$ cd $HOME/w/vulndb
$ git co abdd677
$ (export PATH=$HOME/w/goroot/bin:$PATH; go version; go1.18.5 run ./cmd/govulncheck/ .)
go version devel go1.20-54182ff54a Fri Sep 9 20:29:05 2022 +0000 darwin/arm64
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
Scanning for dependencies with known vulnerabilities...
Found 1 known vulnerability.
Vulnerability #1: GO-2022-0969 [...success message omitted...]
exit status 3
# target program
$ cat main.go
package main
import "net/http"
func main() {
http.ListenAndServe(":8080", nil)
}Can you verify this by running |
This is what I have.
to but not with |
Ah, thanks, now it's easy to reproduce: I should have guessed the reason from the initial report, which is obvious in hindsight: you can't use an older version of go/types than the version of Go used by the source you are trying to type-check. If you use go1.18 to build the application, then its std library is from go1.18, so its go/types won't understand newer features like unsafe.StringData. (Recall that the unsafe package is implemented directly in the type checker.) In principle you could build the application using the go1.20 source of go/types using a go1.18 toolchain (though you might need to backport go/types to go1.18 if it happens to use new features like generics) and it would work. But we don't support that. So the bug is that go/packages doesn't issue a clear error when it encounters Go code that is too new. I think the fix is for go/packages to specify release tags to go list that are no newer than its version of go/types. I'll file a separate issue for that. |
Maybe? Certainly, if the |
|
Change https://go.dev/cl/435356 mentions this issue: |
An application that links in version 1.18 of (say) go/types cannot process Go source files reported by version 1.19 of 'go list'. There is no way to tell go list to behave as if it was go1.18, so for now we proceed with parsing/typechecking but, in case of errors, we issue an additional informative diagnostic. Fixes golang/go#55883 Fixes golang/go#55045 Updates golang/go#50825 Updates golang/go#52078 Change-Id: I5fd99b09742c136f4db7f71d2a75e4cdb730460d Reviewed-on: https://go-review.googlesource.com/c/tools/+/435356 gopls-CI: kokoro <[email protected]> Reviewed-by: Robert Findley <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Alan Donovan <[email protected]> Reviewed-by: Bryan Mills <[email protected]> Auto-Submit: Alan Donovan <[email protected]> Reviewed-by: Zvonimir Pavlinovic <[email protected]>
Not quite sure what's going on here.
The text was updated successfully, but these errors were encountered: