vulncheck

package
v0.0.0-...-210767f Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 24, 2023 License: MIT Imports: 29 Imported by: 0

Documentation

Overview

Package vulncheck detects uses of known vulnerabilities in Go programs.

Vulncheck identifies vulnerability uses in Go programs at the level of call graph, package import graph, and module requires graph. For instance, vulncheck identifies which vulnerable functions and methods are transitively called from the program entry points. vulncheck also detects transitively imported packages and required modules that contain known vulnerable functions and methods.

We recommend using the command line tool govulncheck to detect vulnerabilities in your code.

Usage

The two main APIs of vulncheck, Source and Binary, allow vulnerability detection in Go source code and binaries, respectively.

Source accepts a list of [Package] objects, which are a trimmed version of golang.org/x/tools/go/packages.Package objects to reduce memory consumption. Binary accepts a path to a Go binary file that must have been compiled with Go 1.18 or greater.

Both Source and Binary require information about known vulnerabilities in the form of a vulnerability database, specifically a github.com/khulnasoft-lab/go-vulndb/vuln/internal/client.Client. The vulnerabilities are modeled using the github.com/khulnasoft-lab/go-vulndb/vuln/internal/osv format.

Results

The results of vulncheck are slices of the call graph, package imports graph, and module requires graph leading to the use of an identified vulnerability. The parts of these graphs not related to any vulnerabilities are omitted.

The CallStacks and [ImportChains] functions search the returned slices for user-friendly representative call stacks and import chains. These call stacks and import chains are provided as examples of vulnerability uses in the client code.

Limitations

There are some limitations with vulncheck. Please see the documented limitations for more information.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CallStacks 

func CallStacks(res *Result) map[*Vuln]CallStack

CallStacks returns representative call stacks for each vulnerability in res. The returned call stacks are heuristically ordered by how seemingly easy is to understand them: shorter call stacks with less dynamic call sites appear earlier in the returned slices.

CallStacks performs a breadth-first search of res.CallGraph starting at the vulnerable symbol and going up until reaching an entry function or method in res.CallGraph.Entries. During this search, each function is visited at most once to avoid potential exponential explosion. Hence, not all call stacks are analyzed.

Types

type CallSite 

type CallSite struct {
	// Parent is the enclosing function where the call is made.
	Parent *FuncNode

	// Name stands for the name of the function (variable) being called.
	Name string

	// RecvType is the full path of the receiver object type, if any.
	RecvType string

	// Position describes the position of the function in the file.
	Pos *token.Position

	// Resolved indicates if the called function can be statically resolved.
	Resolved bool
}

A CallSite describes a function call.

type CallStack 

type CallStack []StackEntry

CallStack is a call stack starting with a client function or method and ending with a call to a vulnerable symbol.

type FuncNode 

type FuncNode struct {
	// Name is the name of the function.
	Name string

	// RecvType is the receiver object type of this function, if any.
	RecvType string

	// Package is the package the function is part of.
	Package *packages.Package

	// Position describes the position of the function in the file.
	Pos *token.Position

	// CallSites is a set of call sites where this function is called.
	CallSites []*CallSite
}

A FuncNode describes a function in the call graph.

func (*FuncNode) Receiver 

func (fn *FuncNode) Receiver() string

Receiver returns the FuncNode's receiver, with package path removed. Pointers are preserved if present.

func (*FuncNode) String 

func (fn *FuncNode) String() string

type ModVulns 

type ModVulns struct {
	Module *packages.Module
	Vulns  []*osv.Entry
}

ModVulns groups vulnerabilities per module.

func FetchVulnerabilities 

func FetchVulnerabilities(ctx context.Context, c *client.Client, modules []*packages.Module) ([]*ModVulns, error)

FetchVulnerabilities fetches vulnerabilities that affect the supplied modules.

type PackageGraph 

type PackageGraph struct {
	// contains filtered or unexported fields
}

PackageGraph holds a complete module and package graph. Its primary purpose is to allow fast access to the nodes by path.

func NewPackageGraph 

func NewPackageGraph(goVersion string) *PackageGraph

func (*PackageGraph) AddModules 

func (g *PackageGraph) AddModules(mods ...*packages.Module)

AddModules adds the modules and any replace modules provided. It will ignore modules that have duplicate paths to ones the graph already holds.

func (*PackageGraph) AddPackages 

func (g *PackageGraph) AddPackages(pkgs ...*packages.Package)

AddPackages adds the packages and the full graph of imported packages. It will ignore packages that have duplicate paths to ones the graph already holds.

func (*PackageGraph) GetModule 

func (g *PackageGraph) GetModule(path string) *packages.Module

.

func (*PackageGraph) GetPackage 

func (g *PackageGraph) GetPackage(path string) *packages.Package

GetPackage returns the package matching the path. If the graph does not already know about the package, a new one is added.

func (*PackageGraph) LoadModules 

func (g *PackageGraph) LoadModules(cfg *packages.Config) (mods []*packages.Module, err error)

func (*PackageGraph) LoadPackages 

func (g *PackageGraph) LoadPackages(cfg *packages.Config, tags []string, patterns []string) ([]*packages.Package, error)

LoadPackages loads the packages specified by the patterns into the graph. See golang.org/x/tools/go/packages.Load for details of how it works.

type Result 

type Result struct {
	// EntryFunctions are a subset of Functions representing vulncheck entry points.
	EntryFunctions []*FuncNode

	// EntryPackages are a subset of Packages representing packages of vulncheck entry points.
	EntryPackages []*packages.Package

	// Vulns contains information on detected vulnerabilities and their place in
	// the above graphs. Only vulnerabilities whose symbols are reachable in Calls,
	// or whose packages are imported in Imports, or whose modules are required in
	// Requires, have an entry in Vulns.
	Vulns []*Vuln
}

Result contains information on how known vulnerabilities are reachable in the call graph, package imports graph, and module requires graph of the user code.

func Binary 

func Binary(ctx context.Context, exe io.ReaderAt, cfg *govulncheck.Config, client *client.Client) (_ *Result, err error)

Binary detects presence of vulnerable symbols in exe. The Calls, Imports, and Requires fields on Result will be empty.

func Source 

func Source(ctx context.Context, pkgs []*packages.Package, cfg *govulncheck.Config, client *client.Client, graph *PackageGraph) (_ *Result, err error)

Source detects vulnerabilities in packages. The result will contain:

1) An ImportGraph related to an import of a package with some known vulnerabilities.

2) A RequireGraph related to a require of a module with a package that has some known vulnerabilities.

3) A CallGraph leading to the use of a known vulnerable function or method.

type StackEntry 

type StackEntry struct {
	// Function whose frame is on the stack.
	Function *FuncNode

	// Call is the call site inducing the next stack frame.
	// nil when the frame represents the last frame in the stack.
	Call *CallSite
}

StackEntry is an element of a call stack.

type Vuln 

type Vuln struct {
	// OSV contains information on the detected vulnerability in the shared
	// vulnerability format.
	//
	// OSV, Symbol, PkgPath, and ModPath identify a vulnerability.
	//
	// Note that *osv.Entry may describe multiple symbols from multiple
	// packages.
	OSV *osv.Entry

	// Symbol is the name of the detected vulnerable function or method.
	Symbol string

	// CallSink is the FuncNode in Result.Calls corresponding to Symbol.
	//
	// When analyzing binaries, Symbol is not reachable, or cfg.ScanLevel
	// is symbol, CallSink will be unavailable and set to 0.
	CallSink *FuncNode

	// ImportSink is the PkgNode in Result.Imports corresponding to PkgPath.
	//
	// When analyzing binaries or PkgPath is not imported, ImportSink will be
	// unavailable and set to 0.
	ImportSink *packages.Package
}

Vuln provides information on how a vulnerability is affecting user code by connecting it to the Result.{Calls,Imports,Requires} graphs. Vulnerabilities detected in Go binaries do not appear in the Result graphs.

Source Files

View all Source files

Directories

Path Synopsis
internal
buildinfo
gosym
Package gosym implements access to the Go symbol and line number tables embedded in Go binaries generated by the gc compilers.
 Package gosym implements access to the Go symbol and line number tables embedded in Go binaries generated by the gc compilers.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.