Initial commit

2024-02-19 11:27:31 +03:00 · 2024-02-19 11:27:31 +03:00 · daf01e65df
commit daf01e65df
7 changed files with 64 additions and 0 deletions
--- a/go.mod
+++ b/go.mod
@ -0,0 +1,3 @@
+module git.frostfs.info/alexvanin/vulncheck-example
+
+go 1.22.0
--- a/unusedvulndep/go.mod
+++ b/unusedvulndep/go.mod
@ -0,0 +1,7 @@
+module git.frostfs.info/alexvanin/vulncheck-example/unusedvulndep
+
+go 1.22.0
+
+require golang.org/x/crypto v0.16.0
+
+require golang.org/x/sys v0.15.0 // indirect
--- a/unusedvulndep/go.sum
+++ b/unusedvulndep/go.sum
@ -0,0 +1,6 @@
+golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
+golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
--- a/unusedvulndep/module.go
+++ b/unusedvulndep/module.go
@ -0,0 +1,17 @@
+// Unusedvulndep is a package that imports golang.org/x/crypto package
+// with vulnarability https://pkg.go.dev/vuln/GO-2023-2402 and provides
+// function that is not affected by vulnarability
+package usedvulndep
+
+import (
+	"golang.org/x/crypto/ssh"
+)
+
+// FunctionWithVulnarability is a nop function that transitively adds
+// vulnarable dependency but unvunarable code to a call trace of
+// your application
+func FunctionWithoutVulnarability() error {
+	var s ssh.Signer
+	_, err := ssh.NewCertSigner(new(ssh.Certificate), s)
+	return err
+}
--- a/usedvulndep/go.mod
+++ b/usedvulndep/go.mod
@ -0,0 +1,7 @@
+module git.frostfs.info/alexvanin/vulncheck-example/usedvulndep
+
+go 1.22.0
+
+require golang.org/x/crypto v0.16.0
+
+require golang.org/x/sys v0.15.0 // indirect
--- a/usedvulndep/go.sum
+++ b/usedvulndep/go.sum
@ -0,0 +1,6 @@
+golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
+golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
--- a/usedvulndep/module.go
+++ b/usedvulndep/module.go
@ -0,0 +1,18 @@
+// Usedvulndep is a package that imports golang.org/x/crypto package
+// with vulnarability https://pkg.go.dev/vuln/GO-2023-2402 and provides
+// function that affected by vulnarability
+package usedvulndep
+
+import (
+	"net"
+
+	"golang.org/x/crypto/ssh"
+)
+
+// FunctionWithVulnarability is a nop function that transitively adds
+// vulnarable code to a call trace of your application
+func FunctionWithVulnarability() error {
+	var c net.Conn
+	_, _, _, err := ssh.NewServerConn(c, new(ssh.ServerConfig))
+	return err
+}