Skip to content

fix: handle no fix version #12

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nrwiersma merged 2 commits into from
May 28, 2026
Merged

fix: handle no fix version #12

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ce54644
fix: handle no fix version
nrwiersma May 28, 2026
05d7129
fix: linter
nrwiersma May 28, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion govulncheck/parse.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,8 @@ type Fix struct {
// to Fix. Only finding messages are considered; modules whose vulnerable
// symbols are never called are not included. The Fix.Version field uses the
// module's native version prefix: "v1.2.3".
//
//nolint:cyclop
func Parse(r io.Reader) (map[string]Fix, error) {
dec := json.NewDecoder(r)

Expand All @@ -66,7 +68,7 @@ func Parse(r io.Reader) (map[string]Fix, error) {
osvs[msg.OSV.ID] = msg.OSV
}

if msg.Finding == nil || len(msg.Finding.Trace) == 0 {
if msg.Finding == nil || msg.Finding.FixedVersion == "" || len(msg.Finding.Trace) == 0 {
continue
}

Expand Down
13 changes: 13 additions & 0 deletions govulncheck/parse_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,19 @@ func TestParse_MultipleVulnerabilities(t *testing.T) {
assert.Equal(t, "GO-2024-0005", fixes["example.com/bar"].OSVs[0].ID)
}

func TestParse_HandlesNoFix(t *testing.T) {
t.Parallel()

f, err := os.Open("testdata/module-no-fix.json")
require.NoError(t, err)
t.Cleanup(func() { _ = f.Close() })

fixes, err := govulncheck.Parse(f)

require.NoError(t, err)
assert.Empty(t, fixes)
}

func TestParse_OSVMetadata(t *testing.T) {
t.Parallel()

Expand Down
4 changes: 4 additions & 0 deletions govulncheck/testdata/module-no-fix.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck","scanner_version":"v1.3.0","db":"https://vuln.go.dev","scan_level":"symbol","scan_mode":"source"}}
{"osv":{"id":"GO-2024-0001","aliases":["CVE-2024-12345","GHSA-aaaa-bbbb-cccc"],"summary":"Remote code execution via crafted input in example.com/foo","references":[{"type":"ADVISORY","url":"https://pkg.go.dev/vuln/GO-2024-0001"},{"type":"WEB","url":"https://www.cve.org/CVERecord?id=CVE-2024-12345"}],"affected":[{"package":{"name":"example.com/foo","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.2.3"}]}]}]}}
{"finding":{"osv":"GO-2024-0001","trace":[{"module":"example.com/foo","version":"v1.0.0"}]}}

Loading