x/vuln/vulncheck: panic - interface conversion: types.Type is *types.Interface, not *types.Struct

[JackMordaunt]

What version of Go are you using (go version)?

go version go1.19.3 linux/amd64

Does this issue reproduce at the latest version of golang.org/x/vuln?

Yes

What did you do?

Run govulncheck ./... on a multi-package proprietary codebase, one that uses cgo.

What did you expect to see?

Successful exit, or even partial vulnerability results.

What did you see instead?

govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
panic: interface conversion: types.Type is *types.Interface, not *types.Struct

goroutine 1 [running]:
golang.org/x/tools/go/callgraph/vta.field.Type({{0x958430?, 0xc03fac2bd0?}, 0xc0ab3bd468?})
        /home/jack/go/pkg/mod/golang.org/x/[email protected]/go/callgraph/vta/graph.go:108 +0x78
golang.org/x/tools/go/callgraph/vta.(*builder).representative(0xc0ab3bd790, {0x958c28, 0xc0c1042d68})
        /home/jack/go/pkg/mod/golang.org/x/[email protected]/go/callgraph/vta/graph.go:692 +0x4a
golang.org/x/tools/go/callgraph/vta.(*builder).addInFlowEdge(0xc0ab3bd790, {0x958c28, 0xc0c1042d68}, {0x958cc8, 0xc0c1056a90})
        /home/jack/go/pkg/mod/golang.org/x/[email protected]/go/callgraph/vta/graph.go:653 +0x65
golang.org/x/tools/go/callgraph/vta.(*builder).fieldAddr(0xc0ab3bd790?, 0xc088580600)
        /home/jack/go/pkg/mod/golang.org/x/[email protected]/go/callgraph/vta/graph.go:436 +0xca
golang.org/x/tools/go/callgraph/vta.(*builder).instr(0xc0ab3bd678?, {0x95b870?, 0xc088580600?})
        /home/jack/go/pkg/mod/golang.org/x/[email protected]/go/callgraph/vta/graph.go:347 +0x2d4
golang.org/x/tools/go/callgraph/vta.(*builder).fun(...)
        /home/jack/go/pkg/mod/golang.org/x/[email protected]/go/callgraph/vta/graph.go:299
golang.org/x/tools/go/callgraph/vta.(*builder).visit(0xc0ab3bd790, 0xc000064c00?)
        /home/jack/go/pkg/mod/golang.org/x/[email protected]/go/callgraph/vta/graph.go:291 +0x1e5
golang.org/x/tools/go/callgraph/vta.typePropGraph(...)
        /home/jack/go/pkg/mod/golang.org/x/[email protected]/go/callgraph/vta/graph.go:265
golang.org/x/tools/go/callgraph/vta.CallGraph(0xc0ab3bdb70?, 0xc0d05ac580)
        /home/jack/go/pkg/mod/golang.org/x/[email protected]/go/callgraph/vta/vta.go:75 +0xe5
golang.org/x/vuln/vulncheck.callGraph(0xc06963a0c0, {0xc01b539000, 0x581, 0x40?})
        /home/jack/go/pkg/mod/golang.org/x/[email protected]/vulncheck/utils.go:71 +0x2b9
golang.org/x/vuln/vulncheck.Source({0x95a2f0, 0xc000130020}, {0xc067e65400?, 0x44, 0x80}, 0xc067dddd78)
        /home/jack/go/pkg/mod/golang.org/x/[email protected]/vulncheck/source.go:80 +0x4cd
golang.org/x/vuln/internal/govulncheck.Source({0x95a2f0?, 0xc000130020?}, 0xc000191eb0?, {0xc067e65400, 0x44, 0x80})
        /home/jack/go/pkg/mod/golang.org/x/[email protected]/internal/govulncheck/run.go:31 +0x94
main.doGovulncheck({0xc00012c010?, 0x1, 0x1}, 0x1)
        /home/jack/go/pkg/mod/golang.org/x/[email protected]/cmd/govulncheck/main.go:114 +0x35b
main.main()
        /home/jack/go/pkg/mod/golang.org/x/[email protected]/cmd/govulncheck/main.go:69 +0x127

[JackMordaunt]

Actually, this is strange. I ran govulncheck per package and all invocations are successful. It's only when I use the spread operator that it panics. It would be useful for it to report some diagnostics when panic, like what package it was analyzing while it panicked.

[hyangah]

What is the version of govulncheck?

go version -m <path_to_govulncheck>

[zpavlinovic]

Does the issue reproduce with the latest version of govulncheck?

[zpavlinovic]

Solved by #57174.