Skip to content

govulncheck: make output less verbose#614

Open
toddtreece wants to merge 3 commits into
mainfrom
toddtreece/govulncheck-output-formatting
Open

govulncheck: make output less verbose#614
toddtreece wants to merge 3 commits into
mainfrom
toddtreece/govulncheck-output-formatting

Conversation

@toddtreece

@toddtreece toddtreece commented Jun 12, 2026

Copy link
Copy Markdown
Member

Example output:

Update Go toolchain to 1.26.4 or later (GO-2026-4971, GO-2026-4976, GO-2026-4977, GO-2026-4980, GO-2026-4981, GO-2026-4982, GO-2026-4986, GO-2026-5037, GO-2026-5038, GO-2026-5039)

Update the following dependencies:
• golang.org/x/net v0.55.0 (GO-2026-4918, GO-2026-5025, GO-2026-5026, GO-2026-5027, GO-2026-5028, GO-2026-5029, GO-2026-5030)
• golang.org/x/sys v0.44.0 (GO-2026-5024)

@toddtreece toddtreece requested a review from a team as a code owner June 12, 2026 14:02
@toddtreece toddtreece requested review from mckn, oshirohugo and s4kh June 12, 2026 14:02
@toddtreece toddtreece self-assigned this Jun 12, 2026
@toddtreece toddtreece moved this from 📬 Triage to 🔬 In review in Grafana Catalog Team Jun 12, 2026
s4kh
s4kh previously approved these changes Jun 12, 2026
View reviewed changes
mckn
mckn reviewed Jun 16, 2026
View reviewed changes

@mckn mckn left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great! Added some small nits to consider.

Comment thread pkg/analysis/passes/govulncheck/govulncheck.go
called[id].fixedVersion = msg.Finding.FixedVersion
}
if called[id].module == "" {
called[id].module = firstModule(msg.Finding.Trace)

@mckn mckn Jun 16, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There might be a bug in the "firstModule" function according to this:

According to the govulncheck JSON spec, Finding.Trace for source-mode is a call stack where trace[0] is the user's entry point and subsequent frames descend into the vulnerable dependency. So firstModule(msg.Finding.Trace) returns the user's own module, not the vulnerable dependency.

For example, for a plugin calling into golang.org/x/net, the trace is:

trace[0]: {module: "github.com/user/myplugin", function: "main"}
trace[1]: {module: "golang.org/x/net", function: "vulnerableFunc"}

firstModule returns "github.com/user/myplugin", and the output becomes:
Update the following dependencies:
• github.com/user/myplugin v1.2.3 (GO-2024-AAAA) ← wrong

The fix should look at the last non-empty module in the trace (or specifically the frame that has Position == nil, which is the vulnerable symbol frame). The test data in sampleNDJSON happens to use the same module for all frames, so the unit test passes but doesn't catch this.

@toddtreece toddtreece Jun 16, 2026
edited
Loading

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good catch on the test, the fixture used the same module on every frame, so it didn't actually check which end firstModule reads from. updated in bee6cb5

the Finding.Trace doc in (govulncheck.go#L154-L156) states:

Frames are sorted starting from the imported vulnerable symbol until the entry point. The first frame in Frames should match Symbol.

it seems like trace[0] is the vulnerable dependency and the entry point is last. govulncheck's own renderer reads Trace[0].Module as the affected module (text.go#L279).

Comment thread pkg/analysis/passes/govulncheck/govulncheck.go Outdated

type vulnInfo struct {
id string
summary string

@mckn mckn Jun 16, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we ever using this field? I can see that we set it but I can't find any usages of reading it except in tests.

@toddtreece toddtreece Jun 16, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks! removed in 8cf02f5

Comment thread pkg/analysis/passes/govulncheck/govulncheck.go Outdated
Comment on lines +126 to +128
if sourceFindings[id] == nil {
sourceFindings[id] = info
}

@mckn mckn Jun 16, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we set this not only based on if it is nil but also set it when semver.Compare is greater than the previous set one so we always use the newest.

@toddtreece toddtreece Jun 16, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good call. updated in 8cf02f5

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mckn mckn mckn left review comments

@s4kh s4kh s4kh left review comments

@oshirohugo oshirohugo Awaiting requested review from oshirohugo oshirohugo is a code owner automatically assigned from grafana/grafana-catalog

At least 1 approving review is required to merge this pull request.

Assignees

@toddtreece toddtreece

Labels

None yet

Projects

Grafana Catalog Team
Status: 🔬 In review

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@toddtreece @mckn @s4kh