frontend: display unexported vulnerable symbols

If all vulnerable symbols in a package are unexported, display the unexported symbols instead of displaying "all symbols". Change-Id: I509ac158670ed2529bc040abbd80e96bdde676a4 Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/571320 TryBot-Bypass: Jonathan Amsterdam <[email protected]> Reviewed-by: Tatiana Bradley <[email protected]> Reviewed-by: Michael Matloob <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]>
golang · Apr 10, 2024 · 29d7d25 · 29d7d25
1 parent b8abe08
commit 29d7d25
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 25 deletions.
diff --git a/internal/vuln/vulns.go b/internal/vuln/vulns.go
@@ -78,9 +78,10 @@ func toVulns(entries []*osv.Entry) []Vuln {
 type AffectedPackage struct {
 	PackagePath string
 	Versions    string
-	// List of exported affected symbols. Empty list
-	// implies all symbols in the package are affected.
-	Symbols []string
+	// Lists of affected symbols.
+	// If both of these lists are empty, all symbols in the package are affected.
+	ExportedSymbols   []string
+	UnexportedSymbols []string
 }
 
 // A pair is like an osv.Range, but each pair is a self-contained 2-tuple
@@ -152,29 +153,32 @@ func AffectedPackages(e *osv.Entry) []*AffectedPackage {
 			vs = append(vs, s)
 		}
 		for _, p := range a.EcosystemSpecific.Packages {
+			exported, unexported := affectedSymbols(p.Symbols)
 			affs = append(affs, &AffectedPackage{
-				PackagePath: p.Path,
-				Versions:    strings.Join(vs, ", "),
-				Symbols:     exportedSymbols(p.Symbols),
+				PackagePath:       p.Path,
+				Versions:          strings.Join(vs, ", "),
+				ExportedSymbols:   exported,
+				UnexportedSymbols: unexported,
 				// TODO(hyangah): where to place GOOS/GOARCH info
 			})
 		}
 	}
 	return affs
 }
 
-func exportedSymbols(in []string) []string {
-	var out []string
+func affectedSymbols(in []string) (e, u []string) {
 	for _, s := range in {
 		exported := true
 		for _, part := range strings.Split(s, ".") {
 			if !token.IsExported(part) {
-				exported = false // exported only all parts in the symbol name are exported.
+				exported = false // exported only if all parts of the symbol name are exported.
 			}
 		}
 		if exported {
-			out = append(out, s)
+			e = append(e, s)
+		} else {
+			u = append(u, s)
 		}
 	}
-	return out
+	return e, u
 }
diff --git a/internal/vuln/vulns_test.go b/internal/vuln/vulns_test.go
@@ -261,8 +261,8 @@ func TestAffectedPackagesPackagesSymbols(t *testing.T) {
 				}},
 			},
 			want: []*AffectedPackage{{
-				PackagePath: "example.com/mod/pkg",
-				Symbols:     []string{"F"},
+				PackagePath:     "example.com/mod/pkg",
+				ExportedSymbols: []string{"F"},
 			}},
 		},
 		{
@@ -280,8 +280,9 @@ func TestAffectedPackagesPackagesSymbols(t *testing.T) {
 				}},
 			},
 			want: []*AffectedPackage{{
-				PackagePath: "example.com/mod/pkg",
-				Symbols:     []string{"F", "S.F"}, // unexported symbols are excluded.
+				PackagePath:       "example.com/mod/pkg",
+				ExportedSymbols:   []string{"F", "S.F"},
+				UnexportedSymbols: []string{"g", "S.f", "s.F", "s.f"},
 			}},
 		},
 		{
@@ -328,11 +329,12 @@ func TestAffectedPackagesPackagesSymbols(t *testing.T) {
 			want: []*AffectedPackage{{
 				PackagePath: "example.com/mod1/pkg1",
 			}, {
-				PackagePath: "example.com/mod1/pkg2",
-				Symbols:     []string{"F"},
+				PackagePath:     "example.com/mod1/pkg2",
+				ExportedSymbols: []string{"F"},
 			}, {
-				PackagePath: "example.com/mod2/pkg3",
-				Symbols:     []string{"H"},
+				PackagePath:       "example.com/mod2/pkg3",
+				ExportedSymbols:   []string{"H"},
+				UnexportedSymbols: []string{"g"},
 			}},
 		},
 	}

diff --git a/static/frontend/vuln/entry/entry.tmpl b/static/frontend/vuln/entry/entry.tmpl
@@ -56,12 +56,20 @@
       <div class="VulnEntryPackages-attr" data-name="Path"><a href="/{{.PackagePath}}">{{.PackagePath}}</a></div>
       <div class="VulnEntryPackages-attr" data-name="Versions">{{if .Versions}}{{.Versions}}{{else}}all versions, no known fixed{{end}}</div>
       <div class="VulnEntryPackages-attr VulnEntryPackages-symbols" data-name="Symbols">
-      {{if .Symbols}}{{ $length := len .Symbols}}
-         {{ $vuln := . }}
-         {{if lt $length 5}}<ul>{{range .Symbols}}<li><a href="/{{$vuln.PackagePath}}#{{.}}">{{.}}</a></li>{{end}}</ul>
-         {{else}}<details><summary>{{len .Symbols}} affected symbols</summary>
-         <ul class="VulnEntryPackages-detailsContent">{{range .Symbols}}<li><a href="/{{$vuln.PackagePath}}#{{.}}">{{.}}</a></li>{{end}}</ul></details>
+      {{ $vuln := . }}
+      {{if .ExportedSymbols}}{{ $length := len .ExportedSymbols}}
+         {{if lt $length 5}}<ul>{{range .ExportedSymbols}}<li><a href="/{{$vuln.PackagePath}}#{{.}}">{{.}}</a></li>{{end}}</ul>
+         {{else}}<details><summary>{{len .ExportedSymbols}} affected symbols</summary>
+         <ul class="VulnEntryPackages-detailsContent">{{range .ExportedSymbols}}<li><a href="/{{$vuln.PackagePath}}#{{.}}">{{.}}</a></li>{{end}}</ul></details>
          {{end}}
+      {{else if .UnexportedSymbols}}
+        <details><summary>{{len .UnexportedSymbols}} unexported affected symbols</summary>
+          <ul class="VulnEntryPackages-detailsContent">
+            {{range .UnexportedSymbols}}
+              <li>{{.}}</li>
+            {{end}}
+          </ul>
+        </details>
       {{else}}all symbols{{end}}
       </div>
     </li>
@@ -109,4 +117,4 @@
       Suggest an edit to this report.
     </a>
   </div>
-{{end}}
+{{end}}