Sync from SUSE:SLFO:Main govulncheck revision 6fa039474305806c69ae6c8a3b7e4405
This commit is contained in:
commit
b75d7a2155
23
.gitattributes
vendored
Normal file
23
.gitattributes
vendored
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
## Default LFS
|
||||||
|
*.7z filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.bsp filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.bz2 filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.gem filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.gz filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.jar filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.lz filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.lzma filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.obscpio filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.oxt filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.pdf filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.png filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.rpm filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.tbz filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.tbz2 filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.tgz filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.ttf filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.txz filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.whl filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.xz filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.zip filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.zst filter=lfs diff=lfs merge=lfs -text
|
20
_service
Normal file
20
_service
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
<services>
|
||||||
|
<service name="tar_scm" mode="manual">
|
||||||
|
<param name="url">https://github.com/golang/vuln.git</param>
|
||||||
|
<param name="scm">git</param>
|
||||||
|
<param name="exclude">.git</param>
|
||||||
|
<param name="revision">v1.1.3</param>
|
||||||
|
<param name="versionformat">@PARENT_TAG@</param>
|
||||||
|
<param name="changesgenerate">enable</param>
|
||||||
|
<param name="versionrewrite-pattern">v(.*)</param>
|
||||||
|
<param name="filename">govulncheck</param>
|
||||||
|
</service>
|
||||||
|
<service name="set_version" mode="manual">
|
||||||
|
</service>
|
||||||
|
<service name="recompress" mode="manual">
|
||||||
|
<param name="file">*.tar</param>
|
||||||
|
<param name="compression">gz</param>
|
||||||
|
</service>
|
||||||
|
<service name="go_modules" mode="manual">
|
||||||
|
</service>
|
||||||
|
</services>
|
4
_servicedata
Normal file
4
_servicedata
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
<servicedata>
|
||||||
|
<service name="tar_scm">
|
||||||
|
<param name="url">https://github.com/golang/vuln.git</param>
|
||||||
|
<param name="changesrevision">4ea4418106cea3bb2c9aa098527c924e9e1fbbb4</param></service></servicedata>
|
BIN
govulncheck-1.1.3.tar.gz
(Stored with Git LFS)
Normal file
BIN
govulncheck-1.1.3.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
271
govulncheck.changes
Normal file
271
govulncheck.changes
Normal file
@ -0,0 +1,271 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Oct 16 14:47:39 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
||||||
|
|
||||||
|
- Packaging improvements:
|
||||||
|
* Add ExcludeArch: s390 to build with SLE-12. Go is supported on
|
||||||
|
s390x but not available on s390.
|
||||||
|
* Fix License: BSD-3-Clause, drop incorrect AND Apache-2.0
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jul 17 03:29:15 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
||||||
|
|
||||||
|
- Update to version 1.1.3:
|
||||||
|
* internal/openvex: update handler test
|
||||||
|
* LICENSE: update per Google Legal
|
||||||
|
* internal/vulncheck: add warning message for ancient binaries
|
||||||
|
* all: remove build restrictions requiring go1.18
|
||||||
|
* cmd/govulncheck: clarify unsafe/reflection limitations
|
||||||
|
* cmd/govulncheck: update docs for old Go binaries
|
||||||
|
* internal/openvex: omit vulns with no findings
|
||||||
|
* cmd/govulncheck/integration: adjust k8s expectations
|
||||||
|
* all: remove skipIfShort
|
||||||
|
* all: remove unnecessary test lines for staticcheck
|
||||||
|
* internal/vulncheck: avoid recomputing if module is known
|
||||||
|
* go.mod: update golang.org/x dependencies
|
||||||
|
* internal/buildinfo: add support for ancient Go binaries
|
||||||
|
* internal/goversion: comment out a printing line
|
||||||
|
* internal/goversion: add package as copy of rsc.io/goversion/version
|
||||||
|
* cmd/govulncheck: remove line about go version requirements
|
||||||
|
* internal/vulncheck: improve documentation
|
||||||
|
* internal/vulncheck: use module info when looking for symbols
|
||||||
|
* internal/vulncheck: handle symbols ending with .
|
||||||
|
* cmd/govulncheck/integration: make expectation check more robust
|
||||||
|
* all: require go1.21
|
||||||
|
- Packaging improvements:
|
||||||
|
* Build PIE with pattern that may become recommended procedure:
|
||||||
|
%%ifnarch ppc64 GOFLAGS="-buildmode=pie" %%endif go build
|
||||||
|
A go toolchain buildmode default config would be preferable
|
||||||
|
but none exist at this time.
|
||||||
|
* Update to BuildRequires: golang(API) >= 1.21 matching go.mod
|
||||||
|
* Use name macro where applicable to normalize common lines
|
||||||
|
across Go app packages. Also makes renaming binary easier when
|
||||||
|
required to handle package name conflict.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Jun 06 20:41:57 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
||||||
|
|
||||||
|
- Update to version 1.1.2:
|
||||||
|
* internal/osv: add review status
|
||||||
|
* vulncheck: update documentation for vex
|
||||||
|
* cmd/govulncheck/integration/stackrox-scanner: update expectations
|
||||||
|
* cmd/govulncheck/integration/k8s: update expectations
|
||||||
|
* internal/govulncheck: add more comments for emitted OSVs
|
||||||
|
* go.mod: update golang.org/x dependencies
|
||||||
|
* internal/scan: increase telemetry counter for show flag
|
||||||
|
* internal/scan: add format and scan level telemetry
|
||||||
|
* internal/cmd/govulncheck: remove unnecessary binary dependency
|
||||||
|
* cmd/govulncheck/integration: update go in integration tests
|
||||||
|
* internal/openvex: add hash for doc ID
|
||||||
|
* internal/openvex: add statements to handler
|
||||||
|
* internal/openvex: add handler
|
||||||
|
* all: remove test that runs govulncheck on govulncheck
|
||||||
|
* internal/sarif: fix a typo
|
||||||
|
* internal/scan: limit number of binary traces shown
|
||||||
|
* cmd/govulncheck: record scan mode telemetry
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu May 23 14:12:18 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
||||||
|
|
||||||
|
- Update to version 1.1.1:
|
||||||
|
* all: remove unit tests for staticcheck, unparam, and spellcheck
|
||||||
|
* internal/sarif,cmd/govulncheck: publicize sarif
|
||||||
|
* internal/vulncheck: load source code for scan symbol mode only
|
||||||
|
* all: update golang.org/x/tools
|
||||||
|
* internal/vulncheck: emit progress message instead of warning
|
||||||
|
* internal/scan: improve textual output for binary traces
|
||||||
|
* internal/buildinfo: avoid panic on nil symbol for elf
|
||||||
|
* internal/sarif: improve GOMODCACHE relative paths
|
||||||
|
* internal/sarif: add version to module info for locations
|
||||||
|
* internal/sarif: remove originalURIBaseIds
|
||||||
|
* go.mod: update golang.org/x dependencies
|
||||||
|
* internal/gosym: preallocate inlined call slice
|
||||||
|
* internal/vulncheck: improve progress message for binaries
|
||||||
|
* internal/vulncheck: emit fetch db and vuln checking progress messages
|
||||||
|
* internal/scan: print progress messages only in verbose mode
|
||||||
|
* internal/scan: refactor flag usage in text handler
|
||||||
|
* Revert "internal/scan: disallow multiple patterns in source mode"
|
||||||
|
* internal/sarif: add missing required Message field
|
||||||
|
* internal/scan: disallow multiple patterns in source mode
|
||||||
|
* internal/vulncheck: use new improved DeleteSyntheticNodes
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Apr 16 20:29:47 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
||||||
|
|
||||||
|
- Update to version 1.1.0:
|
||||||
|
* internal/openvex: add vex types
|
||||||
|
* internal/sarif: compute relative paths for findings
|
||||||
|
* internal/sarif: remove unused field
|
||||||
|
* go.mod: update golang.org/x dependencies
|
||||||
|
* internal/sarif,internal/scan,internal/traces: clean up tests
|
||||||
|
* internal/sarif: add region part of the physical location
|
||||||
|
* internal/sarif: add code flows
|
||||||
|
* cmd/govulncheck: clean up test
|
||||||
|
* cmd/govulncheck: make test case config data
|
||||||
|
* cmd/govulncheck: add comment capability to fixups
|
||||||
|
* cmd/govulncheck: remove unnecessary fixups
|
||||||
|
* cmd/govulncheck: make fixup part of a test case
|
||||||
|
* cmd/govulncheck: extract stdlib into special test case
|
||||||
|
* cmd/govulncheck: restore parallelism for tests
|
||||||
|
* cmd/govulncheck: add nogomod test case
|
||||||
|
* cmd/govulncheck: restructure testdata tests
|
||||||
|
* cmd/govulncheck: add sarif test for binaries
|
||||||
|
* internal/sarif: add stacks
|
||||||
|
* internal/sarif: add result message
|
||||||
|
* internal/vulncheck: get correctly package for instantiated functions
|
||||||
|
* internal/sarif: add result stubs to run object
|
||||||
|
* internal/govulncheck: add scan mode to config
|
||||||
|
* internal/vulncheck: delete only synthetic nodes not related to generics
|
||||||
|
* internal/scan: add more info to validation errors
|
||||||
|
* internal/sarif: add rules
|
||||||
|
* internal/scan: fix name of the error variable
|
||||||
|
* internal/sarif: add handler
|
||||||
|
* internal/scan: add sarif flag
|
||||||
|
* internal/scan: add types for format, show, mode, and scan flags
|
||||||
|
* go.mod: update golang.org/x dependencies
|
||||||
|
* internal/vulncheck: use proper stdlib check when loading packages
|
||||||
|
* internal/vulncheck,internal/scan: sort messages where needed
|
||||||
|
* internal/scan: introduce format flag
|
||||||
|
* internal/vulncheck: manipulate packages from PackageGraph
|
||||||
|
* internal/vulncheck: do not have stdlibModule as global
|
||||||
|
* cmd/govulncheck: make sure filepath are cross-platform
|
||||||
|
* internal/govulncheck: fix up some comments
|
||||||
|
* internal/vulncheck: add relative paths for vendored paths
|
||||||
|
* internal/vulncheck: emit relative paths for call findings
|
||||||
|
* internal/vulncheck, internal/scan: improve stdlib reporting
|
||||||
|
* go.mod: update golang.org/x dependencies
|
||||||
|
* all: remove bash checks
|
||||||
|
* all: do go mod tidy test inside unit tests
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Mar 06 20:44:38 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
||||||
|
|
||||||
|
- Update to version 1.0.4:
|
||||||
|
* cmd/govulncheck: mask line numbers and columns
|
||||||
|
* internal/scan: remove redundant new lines
|
||||||
|
* internal/vulncheck: add position for sinks in findings' trace
|
||||||
|
* internal/scan: put -show <option> into single quotes
|
||||||
|
* internal/buildinfo: do module-level analysis with no PCLN table
|
||||||
|
* internal/scan: add a newline after summary
|
||||||
|
* internal/test: add more info on GoBuild failures
|
||||||
|
* internal/scan: remove extra dot in a comment
|
||||||
|
* cmd/govulncheck: fix vendor test
|
||||||
|
* internal/vulncheck: refactor a loop with an append
|
||||||
|
* cmd/govulncheck: fix stripped bin test
|
||||||
|
* cmd/govulncheck: update vendor tests
|
||||||
|
* cmd/govulncheck: add more tests and reorganize them
|
||||||
|
* internal/vulncheck: add package and module mode for binaries
|
||||||
|
* internal/scan: replace Source with Symbol in text output
|
||||||
|
* internal/scan: fix error statuses for scan={package|module}
|
||||||
|
* internal/scan: add -show verbose flag
|
||||||
|
* internal/scan: overhaul text output
|
||||||
|
* internal/scan: simplify redundant error checking
|
||||||
|
* internal/scan: add scan level to testdata
|
||||||
|
* cmd/govulncheck/integration: update expectations for stackrox
|
||||||
|
* internal/vulncheck: support osv entries with no pkg info
|
||||||
|
* internal/vulncheck: remove redundant symbol check
|
||||||
|
* internal/vulncheck: simplify vulnerability detection
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Mar 06 20:44:25 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
||||||
|
|
||||||
|
- Update to version 1.0.3:
|
||||||
|
* internal/scan: add binary extract mode
|
||||||
|
* internal/scan, vulncheck: use packages.load for mod info
|
||||||
|
* internal/govulncheck: briefly explain streaming JSON
|
||||||
|
* internal/vulncheck: remove -mod=mod flag from LoadModules
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jan 17 20:49:27 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
||||||
|
|
||||||
|
- Update to version 1.0.2:
|
||||||
|
* cmd/govulncheck: update test data
|
||||||
|
* go.mod: update golang.org/x dependencies
|
||||||
|
* internal/osv: fix type name in comment
|
||||||
|
* internal/scan: remove informational header for package and module mode
|
||||||
|
* internal/scan: remove redundant newline for package and module mode
|
||||||
|
* cmd/govulncheck/integration/stackrox: update vuln expectation
|
||||||
|
* all: update tools to pick up bug fixes
|
||||||
|
* internal/vulncheck: compute proper db names for generic functions
|
||||||
|
* internal/vulncheck: improve error message for fetching vulns
|
||||||
|
* testdata: Add more package/mod level tests
|
||||||
|
* internal/scan: change text based on scan level
|
||||||
|
* internal/scan: update show help message
|
||||||
|
* internal/sarif: add sarif types
|
||||||
|
* internal/scan: enable module scan mode
|
||||||
|
* internal/scan: add scan_level to text tests
|
||||||
|
* internal/scan: add scan level to textHandler
|
||||||
|
* cmd/govulncheck: rearrange test files
|
||||||
|
* all: add logging to TestGovulncheck
|
||||||
|
* internal/scan: disallow package input in mod level
|
||||||
|
* go.mod: update golang.org/x dependencies
|
||||||
|
* cmd/govulncheck: fix mod level behavior
|
||||||
|
* all: update to x/tools@v.15.0
|
||||||
|
* internal/vulncheck: define Binary over Bin
|
||||||
|
* internal/vulncheck: add binary abstraction data structure
|
||||||
|
* cmd/govulncheck: organize tests into subdirs
|
||||||
|
* internal/scan: Improve "Informational" text output
|
||||||
|
* internal/scan: properly "genericify" choose
|
||||||
|
* internal/vulncheck: emit package findings all at once
|
||||||
|
* internal/vulncheck: update logic for package level analysis
|
||||||
|
* internal/vulncheck: remove obsolete tests and helpers
|
||||||
|
* internal/scan: remove obsolete function
|
||||||
|
* internal/scan: check for go mod before running
|
||||||
|
* cmd/govulncheck/integration: add new expectations
|
||||||
|
* cmd/govulncheck: Fix no go mod tests
|
||||||
|
* internal/vulncheck: rename moduleVulnerabilities
|
||||||
|
* internal/vulncheck: add documentation and propagate errors
|
||||||
|
* internal/vulncheck: emit OSVs in their raw form asap
|
||||||
|
* internal/scan: move emit logic for findings to internal/vulncheck
|
||||||
|
* internal: properly fetch modules in source mode
|
||||||
|
* internal/scan: verify scan level flag
|
||||||
|
* internal/govulncheck: update Finding docstring
|
||||||
|
* internal/vulncheck: remove file set computation
|
||||||
|
* internal/scan: generate better message when patterns matches no packages
|
||||||
|
* internal/scan, vulncheck: emit vulns as found
|
||||||
|
* internal/scan: use modVersion for mod version
|
||||||
|
* internal/scan: suggest earliest valid fixed version as the fix
|
||||||
|
* internal/scan: communicate default value for test flag
|
||||||
|
* internal/semver: rename the LatestFixedVersion function
|
||||||
|
* cmd/govulncheck: fix incorrect test file name
|
||||||
|
* cmd/govulncheck: remove go version for test file
|
||||||
|
* internal/vulnchec: improve comments and names for imports level logic
|
||||||
|
* internal/govulncheck: update description of Findings
|
||||||
|
* internal/vulncheck/internal/buildinfo: support stripped darwin binaries
|
||||||
|
* internal/scan: update test names
|
||||||
|
* internal/scan: text output allows module level vulns
|
||||||
|
* internal/client: add additional context to HTTP error message
|
||||||
|
* internal/scan: add isImported function
|
||||||
|
* internal/scan: fix trace count bug
|
||||||
|
* internal/vulncheck: add LoadModules using go.mod
|
||||||
|
* internal/govulncheck: add WantPackages scan level
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Sun Sep 24 23:15:41 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
||||||
|
|
||||||
|
- Update to version 1.0.1:
|
||||||
|
* all: go get golang.org/x/tools@74c255b
|
||||||
|
* internal/scan: change the way convert mode works
|
||||||
|
* internal/scan: add -version flag
|
||||||
|
* internal/vulncheck/internal/gosym: fix typo
|
||||||
|
* internal/gosym: update binary mode version parsing
|
||||||
|
* internal/scan: refactor to remove redundant code
|
||||||
|
* vulncheck/internal/gosym: add support for go versions > 1.20
|
||||||
|
* internal/vulncheck/internal/buildinfo: skip failing tests
|
||||||
|
* cmd/govulncheck: skip TestCommand in short mode
|
||||||
|
- _service add setversion to automatically update spec Version
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Sep 12 13:13:23 UTC 2023 - Lubos Kocman <lubos.kocman@suse.com>
|
||||||
|
|
||||||
|
- Correction of license based on legaldb scan
|
||||||
|
Add Apache 2.0 for google/go-cmdtest and
|
||||||
|
vendor/github.com/google/renameio
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jul 18 22:43:11 UTC 2023 - jkowalczyk@suse.com
|
||||||
|
|
||||||
|
- Initial package version 1.0.0:
|
||||||
|
* internal/scan: print the summary even when there are no findings
|
||||||
|
* cmd,internal/govulncheck: change protocol version to v1.0.0
|
||||||
|
* cmd,internal: remove experimental reference
|
||||||
|
* internal/govulncheck: improve documentation
|
58
govulncheck.spec
Normal file
58
govulncheck.spec
Normal file
@ -0,0 +1,58 @@
|
|||||||
|
#
|
||||||
|
# spec file for package govulncheck
|
||||||
|
#
|
||||||
|
# Copyright (c) 2024 SUSE LLC
|
||||||
|
#
|
||||||
|
# All modifications and additions to the file contributed by third parties
|
||||||
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
|
# upon. The license for this file, and modifications and additions to the
|
||||||
|
# file, is the same license as for the pristine package itself (unless the
|
||||||
|
# license for the pristine package is not an Open Source License, in which
|
||||||
|
# case the license is the MIT License). An "Open Source License" is a
|
||||||
|
# license that conforms to the Open Source Definition (Version 1.9)
|
||||||
|
# published by the Open Source Initiative.
|
||||||
|
|
||||||
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
Name: govulncheck
|
||||||
|
Version: 1.1.3
|
||||||
|
Release: 0
|
||||||
|
Summary: CLI tool to report known CVE vulnerabilities in Go source code and binaries
|
||||||
|
License: BSD-3-Clause
|
||||||
|
Group: Development/Languages/Go
|
||||||
|
URL: https://github.com/golang/vuln
|
||||||
|
Source: %{name}-%{version}.tar.gz
|
||||||
|
Source1: vendor.tar.gz
|
||||||
|
BuildRequires: golang(API) >= 1.21
|
||||||
|
# Required to build on SLE-12
|
||||||
|
ExcludeArch: s390
|
||||||
|
|
||||||
|
%description
|
||||||
|
govulncheck is a CLI tool to report known vulnerabilities that affect Go code. It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application.
|
||||||
|
|
||||||
|
By default, govulncheck makes requests to the Go vulnerability database at https://vuln.go.dev. Requests to the vulnerability database contain only module paths, not code or other properties of your program. See https://vuln.go.dev/privacy.html for more. Use the -db flag to specify a different database, which must implement the specification at https://go.dev/security/vuln/database.
|
||||||
|
|
||||||
|
%prep
|
||||||
|
%autosetup -a 1
|
||||||
|
|
||||||
|
%build
|
||||||
|
%ifnarch ppc64
|
||||||
|
export GOFLAGS="-buildmode=pie"
|
||||||
|
%endif
|
||||||
|
go build ./cmd/%{name}
|
||||||
|
|
||||||
|
%check
|
||||||
|
# execute the binary as a basic check
|
||||||
|
./%{name} --help
|
||||||
|
|
||||||
|
%install
|
||||||
|
install -D -m 0755 %{name} "%{buildroot}/%{_bindir}/%{name}"
|
||||||
|
|
||||||
|
%files
|
||||||
|
%doc README.md
|
||||||
|
%license LICENSE
|
||||||
|
%{_bindir}/%{name}
|
||||||
|
|
||||||
|
%changelog
|
BIN
vendor.tar.gz
(Stored with Git LFS)
Normal file
BIN
vendor.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
Loading…
Reference in New Issue
Block a user