x/vuln: Panic "cannot range over: func(yield func(K, V) bool) using golang 1.23.0 #68978

Closed
weberr13 opened this issue Aug 20, 2024 · 5 comments
@weberr13

govulncheck version

Go: go1.23.0
Scanner: [email protected]
DB: https://vuln.go.dev/
DB updated: 2024-08-19 17:26:34 +0000 UTC

Does this issue reproduce at the latest version of golang.org/x/vuln?

yes, we are seeing this with @latest

go: downloading golang.org/x/vuln v1.1.3
go: downloading golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7
Go: go1.23.0
Scanner: [email protected]

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='amd64'
GOBIN='/builds/<companyName>/<programName>/bin'
GOCACHE='/root/.cache/go-build'
GOENV='/root/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/builds/<companyName>/<productName>/.cache/pkg/mod'
GONOPROXY='gitlab.com/<companyName>'
GONOSUMDB='gitlab.com/<companyName>'
GOOS='linux'
GOPATH='/builds/<companyName>/<productName>/.cache'
GOPRIVATE='gitlab.com/<companyName>'
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='local'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.0'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/root/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/builds/<companyName>/<productName>/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2454570330=/tmp/go-build -gno-record-gcc-switches'

What did you do?

Simply ran

go install golang.org/x/vuln/cmd/govulncheck@latest ; govulncheck ./...

within a gitlab pipeline

What did you see happen?

Running govulncheck within a container built FROM golang:1.23.0, a scan of our repo fails with the following:

Scanning your code and 1332 packages across 127 dependent modules for known vulnerabilities...
panic: Cannot range over: func(yield func(K, V) bool)
goroutine 19402 [running]:
golang.org/x/tools/go/ssa.(*builder).rangeStmt(0xc022b93df8, 0xc001fbd080, 0xc005f8c8a0, 0x0)
	/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/builder.go:2074 +0x774
golang.org/x/tools/go/ssa.(*builder).stmt(0xc022b93df8, 0xc001fbd080, {0x9d35d0?, 0xc005f8c8a0?})
	/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/builder.go:2293 +0x205
golang.org/x/tools/go/ssa.(*builder).stmtList(...)
	/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/builder.go:944
golang.org/x/tools/go/ssa.(*builder).stmt(0xc022b93df8, 0xc001fbd080, {0x9d32a0?, 0xc005f99680?})
	/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/builder.go:2255 +0xe47
golang.org/x/tools/go/ssa.(*builder).buildFunctionBody(0xc022b93df8, 0xc001fbd080)
	/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/builder.go:2369 +0x433
golang.org/x/tools/go/ssa.(*builder).buildFunction(0x7f0b80?, 0xc001fbd080)
	/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/builder.go:2304 +0x28
golang.org/x/tools/go/ssa.(*builder).buildCreated(0xc022b93df8)
	/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/builder.go:2391 +0x25
golang.org/x/tools/go/ssa.(*Package).build(0xc00435f380)
	/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/builder.go:2584 +0xc25
sync.(*Once).doSlow(0x0?, 0x0?)
	/usr/local/go/src/sync/once.go:76 +0xb4
sync.(*Once).Do(...)
	/usr/local/go/src/sync/once.go:67
golang.org/x/tools/go/ssa.(*Package).Build(...)
	/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/builder.go:2455
golang.org/x/tools/go/ssa.(*Program).Build.func1(0x0?)
	/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/builder.go:2440 +0x45
created by golang.org/x/tools/go/ssa.(*Program).Build in goroutine 18863
	/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/builder.go:2439 +0x187
make: *** [Makefile:55: vulncheck-pipeline] Error 2

What did you expect to see?

previous versions of golang did not panic

@weberr13 weberr13 added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Aug 20, 2024
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Aug 20, 2024
@zpavlinovic zpavlinovic self-assigned this Aug 20, 2024
@zpavlinovic
Contributor

It is interesting that the version of govulncheck is v1.0.1 whereas the latest release of govulncheck is v1.1.3. Could you confirm that you are indeed using the latest version of govulncheck?

If yes, do you have a test code on which we could reproduce the issue?

@weberr13
Author

I will double check but as stated I ran

go install golang.org/x/vuln/cmd/govulncheck@latest

within the 1.23 container. I would expect that would grab the latest, but I could be mistaken. I'll check my Dockerfile to see if 2 versions are there. As for the code, I can't post the proprietary code, but as stated this worked with a 1.22.5 container and that is the full stack trace.

@timothy-king
Contributor

timothy-king commented Aug 20, 2024

/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/builder.go:2074 +0x774

This line in the stack trace means that you are using x/tools at the pseudo version v0.12.1-0.20230815132531-74c255bcf846 . The latest version of x/tools for vulncheck is v0.23.0.

This is before https://go.googlesource.com/vuln/+/286bb05c5ff5bbdfe3b680955a2560ba16c2ac4a.
And is after https://go.googlesource.com/vuln/+/da4b74a5408a0116e9a2dde953659a7b0956dc56/go.mod .

So I am somewhat confident what you are running is [email protected] . Not v1.1.3. I do not know why you are running this version, but that seems to be the problem.

FROM golang:1.23.0
make: *** [Makefile:55: vulncheck-pipeline] Error 2

This suggests both a Makefile and dockerfile are involved. A minimized reproducer or more details about both of these components would help.
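
The diagnosis in the comment above, as an added example (not code from the issue or from the Go project): a panic trace from a Go binary carries the module-cache paths it was built from, so the dependency versions of the binary that actually ran can be read back from the trace. `ModuleVersions` and `PseudoInfo` are hypothetical helper names, and the sample trace is constructed from the issue's frames with the x/tools pseudo-version named above.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Constructed sample: frames from the issue's trace, with the x/tools
// pseudo-version named in the reply above in the module path.
const sampleTrace = `panic: Cannot range over: func(yield func(K, V) bool)
golang.org/x/tools/go/ssa.(*builder).rangeStmt(0xc022b93df8, 0xc001fbd080, 0xc005f8c8a0, 0x0)
	/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/builder.go:2074 +0x774
sync.(*Once).doSlow(0x0?, 0x0?)
	/usr/local/go/src/sync/once.go:76 +0xb4
`

// modFrame matches a module-cache source path: .../pkg/mod/<module>@<version>/...
var modFrame = regexp.MustCompile(`/pkg/mod/([^@\s]+)@(v[^/\s]+)/`)

// pseudo matches the tail of a pseudo-version: <UTC timestamp>-<12 hex digits of the commit>.
var pseudo = regexp.MustCompile(`[-.](\d{14})-([0-9a-f]{12})$`)

// ModuleVersions (hypothetical helper) returns the module -> version pairs
// found in a panic trace. Standard-library frames under GOROOT are ignored.
func ModuleVersions(trace string) map[string]string {
	out := map[string]string{}
	for _, m := range modFrame.FindAllStringSubmatch(trace, -1) {
		out[m[1]] = m[2]
	}
	return out
}

// PseudoInfo (hypothetical helper) splits a pseudo-version into its commit
// time and revision prefix; ok is false for a tagged release such as v0.23.0.
func PseudoInfo(version string) (t time.Time, rev string, ok bool) {
	m := pseudo.FindStringSubmatch(version)
	if m == nil {
		return time.Time{}, "", false
	}
	t, err := time.Parse("20060102150405", m[1])
	return t, m[2], err == nil
}

func main() {
	for mod, ver := range ModuleVersions(sampleTrace) {
		fmt.Printf("%s %s\n", mod, ver)
		if t, rev, ok := PseudoInfo(ver); ok {
			fmt.Printf("  commit %s dated %s\n", rev, t.Format("2006-01-02"))
		}
	}
}
```

A commit date a year older than the toolchain in the container, as here, points at a stale scanner binary on PATH rather than at the freshly installed one.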

@weberr13
Copy link
Author

I did find an older version of vulncheck in the image and once updated it started to work again. Thank you for your assistance!
