internal/scan, vulncheck: emit vulns as found

This change updates govulncheck to emit findings and osvs as they are
found, which allows for quicker short circuiting depending on scan
level. It will also simplify implementing module level scanning.

Change-Id: I8cdc7492d76a9a21d5a0e9d9355ff4407d5f3864
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/528216
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Ian Cottrell <[email protected]>
Reviewed-by: Zvonimir Pavlinovic <[email protected]>

cmd/govulncheck/testdata/source_informational_text.ct

@@ -7,11 +7,20 @@ Scanning your code and P packages across M dependent modules for known vulnerabi
 
 Found 1 vulnerability in packages that you import, but there are no
 call stacks leading to the use of this vulnerability. You may not
-need to take any action. There are also 0 vulnerabilities in modules
-that you require that are neither imported nor called.
+need to take any action. There is also 1 vulnerability in modules
+that you require that is neither imported nor called.
 See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
 
-Vulnerability #1: GO-2021-0265
+Vulnerability #1: GO-2022-0969
+    HTTP/2 server connections can hang forever waiting for a clean shutdown that
+    was preempted by a fatal error. This condition can be exploited by a
+    malicious client to cause a denial of service.
+  More info: https://pkg.go.dev/vuln/GO-2022-0969
+  Standard library
+    Found in: net/[email protected]
+    Fixed in: net/[email protected]
+
+Vulnerability #2: GO-2021-0265
     A maliciously crafted path can cause Get and other query functions to
     consume excessive amounts of CPU and time.
   More info: https://pkg.go.dev/vuln/GO-2021-0265

cmd/govulncheck/testdata/source_multientry_json.ct

@@ -17,6 +17,100 @@ $ govulncheck -json -C ${moddir}/multientry .
     "message": "Scanning your code and P packages across M dependent module for known vulnerabilities..."
   }
 }
+{
+  "osv": {
+    "schema_version": "1.3.1",
+    "id": "GO-2022-0969",
+    "modified": "2023-04-03T15:57:51Z",
+    "published": "2022-09-12T20:23:06Z",
+    "aliases": [
+      "CVE-2022-27664",
+      "GHSA-69cg-p879-7622"
+    ],
+    "details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
+    "affected": [
+      {
+        "package": {
+          "name": "stdlib",
+          "ecosystem": "Go"
+        },
+        "ranges": [
+          {
+            "type": "SEMVER",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "1.18.6"
+              },
+              {
+                "introduced": "1.19.0"
+              },
+              {
+                "fixed": "1.19.1"
+              }
+            ]
+          }
+        ],
+        "ecosystem_specific": {
+          "imports": [
+            {
+              "path": "net/http",
+              "symbols": [
+                "ListenAndServe",
+                "ListenAndServeTLS",
+                "Serve",
+                "ServeTLS",
+                "Server.ListenAndServe",
+                "Server.ListenAndServeTLS",
+                "Server.Serve",
+                "Server.ServeTLS",
+                "http2Server.ServeConn",
+                "http2serverConn.goAway"
+              ]
+            }
+          ]
+        }
+      }
+    ],
+    "references": [
+      {
+        "type": "WEB",
+        "url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
+      },
+      {
+        "type": "REPORT",
+        "url": "https://go.dev/issue/54658"
+      },
+      {
+        "type": "FIX",
+        "url": "https://go.dev/cl/428735"
+      }
+    ],
+    "credits": [
+      {
+        "name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
+      }
+    ],
+    "database_specific": {
+      "url": "https://pkg.go.dev/vuln/GO-2022-0969"
+    }
+  }
+}
+{
+  "finding": {
+    "osv": "GO-2022-0969",
+    "fixed_version": "v1.18.6",
+    "trace": [
+      {
+        "module": "stdlib",
+        "version": "v1.18.0",
+        "package": "net/http"
+      }
+    ]
+  }
+}
 {
   "osv": {
     "schema_version": "1.3.1",
@@ -82,6 +176,31 @@ $ govulncheck -json -C ${moddir}/multientry .
     }
   }
 }
+{
+  "finding": {
+    "osv": "GO-2021-0113",
+    "fixed_version": "v0.3.7",
+    "trace": [
+      {
+        "module": "golang.org/x/text",
+        "version": "v0.3.5"
+      }
+    ]
+  }
+}
+{
+  "finding": {
+    "osv": "GO-2021-0113",
+    "fixed_version": "v0.3.7",
+    "trace": [
+      {
+        "module": "golang.org/x/text",
+        "version": "v0.3.5",
+        "package": "golang.org/x/text/language"
+      }
+    ]
+  }
+}
 {
   "finding": {
     "osv": "GO-2021-0113",

cmd/govulncheck/testdata/source_multientry_text.ct

@@ -16,6 +16,23 @@ Vulnerability #1: GO-2021-0113
       #1: .../main.go:99:20: multientry.foobar calls language.MustParse
       #2: .../main.go:44:23: multientry.C calls language.Parse
 
+=== Informational ===
+
+Found 0 vulnerabilities in packages that you import, but there are no
+call stacks leading to the use of these vulnerabilities. You may not
+need to take any action. There is also 1 vulnerability in modules
+that you require that is neither imported nor called.
+See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
+
+Vulnerability #1: GO-2022-0969
+    HTTP/2 server connections can hang forever waiting for a clean shutdown that
+    was preempted by a fatal error. This condition can be exploited by a
+    malicious client to cause a denial of service.
+  More info: https://pkg.go.dev/vuln/GO-2022-0969
+  Standard library
+    Found in: net/[email protected]
+    Fixed in: net/[email protected]
+
 Your code is affected by 1 vulnerability from 1 module.
 
 Share feedback at https://go.dev/s/govulncheck-feedback.
@@ -45,6 +62,23 @@ Vulnerability #1: GO-2021-0113
         .../main.go:44:23: golang.org/multientry.C
         golang.org/x/text/language.Parse
 
+=== Informational ===
+
+Found 0 vulnerabilities in packages that you import, but there are no
+call stacks leading to the use of these vulnerabilities. You may not
+need to take any action. There is also 1 vulnerability in modules
+that you require that is neither imported nor called.
+See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
+
+Vulnerability #1: GO-2022-0969
+    HTTP/2 server connections can hang forever waiting for a clean shutdown that
+    was preempted by a fatal error. This condition can be exploited by a
+    malicious client to cause a denial of service.
+  More info: https://pkg.go.dev/vuln/GO-2022-0969
+  Standard library
+    Found in: net/[email protected]
+    Fixed in: net/[email protected]
+
 Your code is affected by 1 vulnerability from 1 module.
 
 Share feedback at https://go.dev/s/govulncheck-feedback.

cmd/govulncheck/testdata/source_replace_text.ct

@@ -16,6 +16,34 @@ Vulnerability #1: GO-2021-0113
     Example traces found:
       #1: .../main.go:11:16: replace.main calls language.Parse
 
+=== Informational ===
+
+Found 0 vulnerabilities in packages that you import, but there are no
+call stacks leading to the use of these vulnerabilities. You may not
+need to take any action. There are also 2 vulnerabilities in modules
+that you require that are neither imported nor called.
+See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
+
+Vulnerability #1: GO-2022-0969
+    HTTP/2 server connections can hang forever waiting for a clean shutdown that
+    was preempted by a fatal error. This condition can be exploited by a
+    malicious client to cause a denial of service.
+  More info: https://pkg.go.dev/vuln/GO-2022-0969
+  Standard library
+    Found in: net/[email protected]
+    Fixed in: net/[email protected]
+
+Vulnerability #2: GO-2020-0015
+    An attacker could provide a single byte to a UTF16 decoder instantiated with
+    UseBOM or ExpectBOM to trigger an infinite loop if the String function on
+    the Decoder is called, or the Decoder is passed to transform.String. If used
+    to parse user supplied input, this may be used as a denial of service
+    vector.
+  More info: https://pkg.go.dev/vuln/GO-2020-0015
+  Module: golang.org/x/text
+    Found in: golang.org/x/[email protected]
+    Fixed in: golang.org/x/[email protected]
+
 Your code is affected by 1 vulnerability from 1 module.
 
 Share feedback at https://go.dev/s/govulncheck-feedback.

cmd/govulncheck/testdata/source_subdir_text.ct

@@ -15,6 +15,34 @@ Vulnerability #1: GO-2021-0113
     Example traces found:
       #1: .../subdir.go:8:16: subdir.Foo calls language.Parse
 
+=== Informational ===
+
+Found 0 vulnerabilities in packages that you import, but there are no
+call stacks leading to the use of these vulnerabilities. You may not
+need to take any action. There are also 2 vulnerabilities in modules
+that you require that are neither imported nor called.
+See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
+
+Vulnerability #1: GO-2022-0969
+    HTTP/2 server connections can hang forever waiting for a clean shutdown that
+    was preempted by a fatal error. This condition can be exploited by a
+    malicious client to cause a denial of service.
+  More info: https://pkg.go.dev/vuln/GO-2022-0969
+  Standard library
+    Found in: net/[email protected]
+    Fixed in: net/[email protected]
+
+Vulnerability #2: GO-2020-0015
+    An attacker could provide a single byte to a UTF16 decoder instantiated with
+    UseBOM or ExpectBOM to trigger an infinite loop if the String function on
+    the Decoder is called, or the Decoder is passed to transform.String. If used
+    to parse user supplied input, this may be used as a denial of service
+    vector.
+  More info: https://pkg.go.dev/vuln/GO-2020-0015
+  Module: golang.org/x/text
+    Found in: golang.org/x/[email protected]
+    Fixed in: golang.org/x/[email protected]
+
 Your code is affected by 1 vulnerability from 1 module.
 
 Share feedback at https://go.dev/s/govulncheck-feedback.
@@ -38,6 +66,34 @@ Vulnerability #1: GO-2021-0113
         .../subdir.go:8:16: golang.org/vuln/subdir.Foo
         golang.org/x/text/language.Parse
 
+=== Informational ===
+
+Found 0 vulnerabilities in packages that you import, but there are no
+call stacks leading to the use of these vulnerabilities. You may not
+need to take any action. There are also 2 vulnerabilities in modules
+that you require that are neither imported nor called.
+See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
+
+Vulnerability #1: GO-2022-0969
+    HTTP/2 server connections can hang forever waiting for a clean shutdown that
+    was preempted by a fatal error. This condition can be exploited by a
+    malicious client to cause a denial of service.
+  More info: https://pkg.go.dev/vuln/GO-2022-0969
+  Standard library
+    Found in: net/[email protected]
+    Fixed in: net/[email protected]
+
+Vulnerability #2: GO-2020-0015
+    An attacker could provide a single byte to a UTF16 decoder instantiated with
+    UseBOM or ExpectBOM to trigger an infinite loop if the String function on
+    the Decoder is called, or the Decoder is passed to transform.String. If used
+    to parse user supplied input, this may be used as a denial of service
+    vector.
+  More info: https://pkg.go.dev/vuln/GO-2020-0015
+  Module: golang.org/x/text
+    Found in: golang.org/x/[email protected]
+    Fixed in: golang.org/x/[email protected]
+
 Your code is affected by 1 vulnerability from 1 module.
 
 Share feedback at https://go.dev/s/govulncheck-feedback.