x/vuln: govulncheck seg faults when used against project using 1.22.0 #65590
Comments
|
Try clone https://github.com/golang/vuln, bump the version of |
|
Thanks for looking into this. Still seeing a seg fault |
|
It seems this is a bug in the ssa dependency. Could you provide steps to reproduce this? |
|
65590.zip
Note, in the snippet above I used the version of I suspect this is something unique to my environment? Though I should point out that at least two other colleagues of mine have encountered this on their machines (one on Darwin/amd64 and the other on Darwin/arm64) Let me if there is more info you need. |
|
Possibly a duplicate of #65608 ? |
|
Unfortunately that reproducer did not reproduce for me: |
Perhaps an environment issue on my machine .. here's my go env |
|
I also have a this is fine this is also fine |
|
this panic as well for me $ govulncheck -version
Go: go1.22.0
Scanner: govulncheck@v1.0.1
DB: https://vuln.go.dev
DB updated: 2024-02-07 04:19:28 +0000 UTC
No vulnerabilities found.
Share feedback at https://go.dev/s/govulncheck-feedback.$ govulncheck ./...
Scanning your code and 386 packages across 30 dependent modules for known vulnerabilities...
panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x28 pc=0x5be12a]
goroutine 4517 [running]:
golang.org/x/tools/go/ssa.memberFromObject(0xc009efdf00, {0x0, 0x0?}, {0x0, 0x0})
C:/Users/erian/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/create.go:53 +0x4a
golang.org/x/tools/go/ssa.membersFromDecl(0xc009efdf00, {0x795250?, 0xc00e25c380?})
C:/Users/erian/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/create.go:141 +0x373
golang.org/x/tools/go/ssa.(*Program).CreatePackage(0xc02179a180, 0xc00b1d2660, {0xc009110540, 0x3, 0x3}, 0xc00e26a140, 0x1)
C:/Users/erian/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/create.go:222 +0x77c
golang.org/x/vuln/internal/vulncheck.buildSSA.func1(0xc000232040?)
C:/Users/erian/go/pkg/mod/golang.org/x/vuln@v1.0.1/internal/vulncheck/utils.go:37 +0xe5
golang.org/x/vuln/internal/vulncheck.buildSSA({0xc006062640, 0x7, 0xc0005e7f90?}, 0x293aa5?)
C:/Users/erian/go/pkg/mod/golang.org/x/vuln@v1.0.1/internal/vulncheck/utils.go:45 +0x128
golang.org/x/vuln/internal/vulncheck.Source.func1()
C:/Users/erian/go/pkg/mod/golang.org/x/vuln@v1.0.1/internal/vulncheck/source.go:63 +0x8f
created by golang.org/x/vuln/internal/vulncheck.Source in goroutine 6
C:/Users/erian/go/pkg/mod/golang.org/x/vuln@v1.0.1/internal/vulncheck/source.go:61 +0x2d9env: $ go env
set GO111MODULE=
set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\erian\AppData\Local\go-build
set GOENV=C:\Users\erian\AppData\Roaming\go\env
set GOEXE=.exe
set GOEXPERIMENT=
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GOMODCACHE=C:\Users\erian\go\pkg\mod
set GONOPROXY=
set GONOSUMDB=
set GOOS=windows
set GOPATH=C:\Users\erian\go
set GOPRIVATE=
set GOPROXY=https://proxy.golang.org,direct
set GOROOT=C:\Program Files\Go
set GOSUMDB=sum.golang.org
set GOTMPDIR=
set GOTOOLCHAIN=auto
set GOTOOLDIR=C:\Program Files\Go\pkg\tool\windows_amd64
set GOVCS=
set GOVERSION=go1.22.0
set GCCGO=gccgo
set GOAMD64=v1
set AR=ar
set CC=gcc
set CXX=g++
set CGO_ENABLED=0
set GOMOD=C:\h0llyw00dz\GoGenAI-Terminal-Chat\go.mod
set GOWORK=
set CGO_CFLAGS=-O2 -g
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-O2 -g
set CGO_FFLAGS=-O2 -g
set CGO_LDFLAGS=-O2 -g
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -fno-caret-diagnostics -Qunused-arguments -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=C:\Users\erian\AppData\Local\Temp\go-build2961088783=/tmp/go-build -gno-record-gcc-switches |
|
Latest version it fix $ govulncheck ./...
Scanning your code and 386 packages across 32 dependent modules for known vulnerabilities...
No vulnerabilities found.$ govulncheck -version
Go: go1.22.0
Scanner: govulncheck@v1.0.4
DB: https://vuln.go.dev
DB updated: 2024-02-07 04:19:28 +0000 UTC
No vulnerabilities found. |
|
I'm using |
|
Seems most error happens on darwin/arm64. |
|
Seems it happens on darwin exclusively AFAIKT. @H0llyW00dzZ's issue happens on windows with govulncheck v1.0.1, but not with v1.0.4 |
|
We're experiencing the same issue, both on my local machine (darwin/arm64) and in an Ubuntu based GitHub runner. I've tried both v1.0.3 and v1.0.4 on my local machine. I'll have to check what's being used by the github runner but it should be at least v1.0.3. |
|
@jmdeal Seems your job running with the 1.0.4 It's happy to find a reproduced example on amd64. |
|
For folks that can reproduce the issue, can you paste here your Similarly, can you reproduce the issue if you reinstall govulncheck with 1.22.0? |
|
Reinstallation appears to have fixed it on my machine, looks like v1.0.4 was installed with 1.21.7: No issues after reinstalling with 1.22.0. I believed our CI job had reinstalled it when we bumped to 1.22, but after reviewing the logs again it looks like it pulled it from a cache. It's working now that we've cleared the cache and forced the reinstall. I am wondering if this is expected / user error or should the version installed with v1.21.7 still worked? If it is expected we'll have to update our toolchain cache key to reference the go version going forward but that shouldn't be a problem. |
|
While we are investigating this more (the issue seems to be somewhere deep in the dependencies), we suggest folks reinstall govulncheck with go1.22 as a temporary workaround. |
|
also about this one when I tryna downgrade to $ go install golang.org/x/vuln/cmd/govulncheck@v1.0.1$ govulncheck -version
Go: go1.22.0
Scanner: govulncheck@v1.0.1
DB: https://vuln.go.dev
DB updated: 2024-02-20 17:50:57 +0000 UTC
No vulnerabilities found.
Share feedback at https://go.dev/s/govulncheck-feedback.$ govulncheck ./...
Scanning your code and 387 packages across 30 dependent modules for known vulnerabilities...
No vulnerabilities found.
Share feedback at https://go.dev/s/govulncheck-feedback.it working fine |
|
Hi Team, I am still having this issue with govulncheck. Are there any fixes, Please? Retest With an Older Version of govulncheck (v1.0.1) - Status Failed Thanks! |
Have you tried doing Recompiling govulncheck itself with a new version of Go did the trick for a few other people. If that does not work, that is also a useful bit of information for us. |
Due to an issue outlined here: golang/go#65590
|
Just upgrade my project from 1.21.5 to 1.22.1 and govulncheck has gotten broken in a similar way: govulncheck -version: |
|
👋 Also seeing this same bug, but without The common denominator being the SSA package: I am seeing a similar panic that points to these lines:
🤔 I wonder if |
|
The issue happens when govulncheck is built with go1.21 and earlier but is run against go1.22 and later. There is a change in semantics for loops in go1.22. If govulncheck uses package loading logic from an earlier version, the loaded code would be incorrect for go1.22+. The actual crash point is in the dependencies and this is why it has been observed with other tools as well. The fix for this is to avoid the crash and generate an appropriate error message. The error message instructs users to rebuild govulncheck with a newer Go version. The fix should be available as of this CL. We plan to tag the vuln repo soon. Closing. |
We have a go project that we build using go1.21.6. We've been using
govulncheckto check the project for vulnerabilities.Today, we upgraded from 1.21.6 to 1.22.0. Now when we run
govulncheckwe see a stack trace.If i down grade the project back to 1.21.6, govuln works as expected
Go version details
The text was updated successfully, but these errors were encountered: