internal/scan: do not show stacks in traces mode for binaries

There are no stacks so the trace just contains the vulnerable symbol that is anyhow communicated to the user. Change-Id: I8a8ebcf3864f91150449dafe812f474a4a59bda8 Reviewed-on: https://go-review.googlesource.com/c/vuln/+/614456 LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Maceo Thompson <[email protected]>
golang · Sep 23, 2024 · 2e326d4 · 2e326d4
1 parent 3917389
commit 2e326d4
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 33 deletions.
diff --git a/cmd/govulncheck/testdata/strip/testfiles/binary/strip.ct b/cmd/govulncheck/testdata/strip/testfiles/binary/strip.ct
@@ -50,30 +50,18 @@ Vulnerability #1: GO-2021-0113
     Found in: golang.org/x/[email protected]
     Fixed in: golang.org/x/[email protected]
     Vulnerable symbols found:
-      #1: for function golang.org/x/text/language.Compose
-        Compose
-      #2: for function golang.org/x/text/language.Make
-        Make
-      #3: for function golang.org/x/text/language.MatchStrings
-        MatchStrings
-      #4: for function golang.org/x/text/language.MustParse
-        MustParse
-      #5: for function golang.org/x/text/language.Parse
-        Parse
-      #6: for function golang.org/x/text/language.ParseAcceptLanguage
-        ParseAcceptLanguage
-      #7: for function golang.org/x/text/language.Tag.Base
-        Tag.Base
-      #8: for function golang.org/x/text/language.Tag.Extension
-        Tag.Extension
-      #9: for function golang.org/x/text/language.Tag.IsRoot
-        Tag.IsRoot
-      #10: for function golang.org/x/text/language.Tag.Parent
-        Tag.Parent
-      #11: for function golang.org/x/text/language.Tag.Region
-        Tag.Region
-      #12: for function golang.org/x/text/language.Tag.String
-        Tag.String
+      #1: golang.org/x/text/language.Compose
+      #2: golang.org/x/text/language.Make
+      #3: golang.org/x/text/language.MatchStrings
+      #4: golang.org/x/text/language.MustParse
+      #5: golang.org/x/text/language.Parse
+      #6: golang.org/x/text/language.ParseAcceptLanguage
+      #7: golang.org/x/text/language.Tag.Base
+      #8: golang.org/x/text/language.Tag.Extension
+      #9: golang.org/x/text/language.Tag.IsRoot
+      #10: golang.org/x/text/language.Tag.Parent
+      #11: golang.org/x/text/language.Tag.Region
+      #12: golang.org/x/text/language.Tag.String
 
 Vulnerability #2: GO-2020-0015
     Infinite loop when decoding some inputs in golang.org/x/text
@@ -82,12 +70,9 @@ Vulnerability #2: GO-2020-0015
     Found in: golang.org/x/[email protected]
     Fixed in: golang.org/x/[email protected]
     Vulnerable symbols found:
-      #1: for function golang.org/x/text/transform.String
-        String
-      #2: for function golang.org/x/text/encoding/unicode.bomOverride.Transform
-        bomOverride.Transform
-      #3: for function golang.org/x/text/encoding/unicode.utf16Decoder.Transform
-        utf16Decoder.Transform
+      #1: golang.org/x/text/transform.String
+      #2: golang.org/x/text/encoding/unicode.bomOverride.Transform
+      #3: golang.org/x/text/encoding/unicode.utf16Decoder.Transform
 
 Your code is affected by 2 vulnerabilities from 1 module.
 This scan found no other vulnerabilities in packages you import or modules you

diff --git a/internal/scan/text.go b/internal/scan/text.go
@@ -312,24 +312,33 @@ func (h *TextHandler) traces(traces []*findingSummary) {
 	// as users cannot act on them and they can hence
 	// spam users.
 	const binLimit = 5
+	binary := h.scanMode == govulncheck.ScanModeBinary
 	for i, entry := range compacts {
 		if i == 0 {
-			if h.scanMode == govulncheck.ScanModeBinary {
+			if binary {
 				h.style(keyStyle, "    Vulnerable symbols found:\n")
 			} else {
 				h.style(keyStyle, "    Example traces found:\n")
 			}
 		}
 
 		// skip showing all symbols in binary mode unless '-show traces' is on.
-		if h.scanMode == govulncheck.ScanModeBinary && (i+1) > binLimit && !h.showTraces {
+		if binary && (i+1) > binLimit && !h.showTraces {
 			h.print("      Use '-show traces' to see the other ", len(compacts)-binLimit, " found symbols\n")
 			break
 		}
 
 		h.print("      #", i+1, ": ")
-		if !h.showTraces {
+
+		if !h.showTraces { // show summarized traces
 			h.print(entry.Compact, "\n")
+			continue
+		}
+
+		if binary {
+			// There are no call stacks in binary mode
+			// so just show the full symbol name.
+			h.print(symbol(entry.Trace[0], false), "\n")
 		} else {
 			h.print("for function ", symbol(entry.Trace[0], false), "\n")
 			for i := len(entry.Trace) - 1; i >= 0; i-- {