x/vuln: json output always exits 0 #61704

Closed
tendervittles opened this issue Aug 1, 2023 · 3 comments
Labels
FrozenDueToAge NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo

Comments

@tendervittles
What version of Go are you using (go version)?

$ go version
go version go1.21rc3 linux/amd64

Does this issue reproduce at the latest version of golang.org/x/vuln?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/tendervittles/.cache/go-build'
GOENV='/home/tendervittles/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/tendervittles/go/pkg/mod'
GONOPROXY='gitlab.com/m2md'
GONOSUMDB='gitlab.com/m2md'
GOOS='linux'
GOPATH='/home/tendervittles/go'
GOPRIVATE='gitlab.com/m2md'
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21rc3'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/home/tendervittles/vuln.tutorial/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build182358312=/tmp/go-build -gno-record-gcc-switches'

What did you do?

Followed the steps in https://go.dev/doc/tutorial/govulncheck.

Running govulncheck ./... has the expected output. Exit status is non-zero.

vuln.tutorial$ govulncheck ./...
Using go1.21rc3 and govulncheck@v1.0.1-0.20230801195028-b2f5f90cdca7 with vulnerability data from https://vuln.go.dev (last modified 2023-07-31 22:18:02 +0000 UTC).

Scanning your code and 48 packages across 1 dependent module for known vulnerabilities...

Vulnerability #1: GO-2021-0113
    Out-of-bounds read in golang.org/x/text/language
  More info: https://pkg.go.dev/vuln/GO-2021-0113
  Module: golang.org/x/text
    Found in: golang.org/x/text@v0.3.5
    Fixed in: golang.org/x/text@v0.3.7
    Example traces found:
      #1: main.go:12:43: vuln.main calls language.Parse

=== Informational ===

Found 1 vulnerability in packages that you import, but there are no call
stacks leading to the use of this vulnerability. You may not need to
take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2022-1059
    Denial of service via crafted Accept-Language header in
    golang.org/x/text/language
  More info: https://pkg.go.dev/vuln/GO-2022-1059
  Module: golang.org/x/text
    Found in: golang.org/x/text@v0.3.5
    Fixed in: golang.org/x/text@v0.3.8

Your code is affected by 1 vulnerability from 1 module.

Share feedback at https://go.dev/s/govulncheck-feedback.
vuln.tutorial$ echo $?
3
vuln.tutorial$ 

Running govulncheck -json ./... has the expected json output. Exit status is zero.

vuln.tutorial$ govulncheck -json ./...
{
  "config": {
    "protocol_version": "v1.0.0",
    "scanner_name": "govulncheck",
    "scanner_version": "v1.0.1-0.20230801195028-b2f5f90cdca7",
    "db": "https://vuln.go.dev",
    "db_last_modified": "2023-07-31T22:18:02Z",
    "go_version": "go1.21rc3",
    "scan_level": "symbol"
  }
}
{
  "progress": {
    "message": "Scanning your code and 48 packages across 1 dependent module for known vulnerabilities..."
  }
}
{
  "osv": {
    "schema_version": "1.3.1",
    "id": "GO-2021-0113",
    "modified": "2023-06-12T18:45:41Z",
    "published": "2021-10-06T17:51:21Z",
    "aliases": [
      "CVE-2021-38561",
      "GHSA-ppp9-7jff-5vj2"
    ],
    "summary": "Out-of-bounds read in golang.org/x/text/language",
    "details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
    "affected": [
      {
        "package": {
          "name": "golang.org/x/text",
          "ecosystem": "Go"
        },
        "ranges": [
          {
            "type": "SEMVER",
            "events": [
              {
                "introduced": "0"
              },
              {
                "fixed": "0.3.7"
              }
            ]
          }
        ],
        "ecosystem_specific": {
          "imports": [
            {
              "path": "golang.org/x/text/language",
              "symbols": [
                "MatchStrings",
                "MustParse",
                "Parse",
                "ParseAcceptLanguage"
              ]
            }
          ]
        }
      }
    ],
    "references": [
      {
        "type": "FIX",
        "url": "https://go.dev/cl/340830"
      },
      {
        "type": "FIX",
        "url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
      }
    ],
    "credits": [
      {
        "name": "Guido Vranken"
      }
    ],
    "database_specific": {
      "url": "https://pkg.go.dev/vuln/GO-2021-0113"
    }
  }
}
{
  "finding": {
    "osv": "GO-2021-0113",
    "fixed_version": "v0.3.7",
    "trace": [
      {
        "module": "golang.org/x/text",
        "version": "v0.3.5",
        "package": "golang.org/x/text/language",
        "function": "Parse"
      },
      {
        "module": "vuln.tutorial",
        "package": "vuln.tutorial",
        "function": "main",
        "position": {
          "filename": "/home/csv/vuln.tutorial/main.go",
          "offset": 189,
          "line": 12,
          "column": 43
        }
      }
    ]
  }
}
{
  "osv": {
    "schema_version": "1.3.1",
    "id": "GO-2022-1059",
    "modified": "2023-06-12T18:45:41Z",
    "published": "2022-10-11T18:16:24Z",
    "aliases": [
      "CVE-2022-32149",
      "GHSA-69ch-w2m2-3vjp"
    ],
    "summary": "Denial of service via crafted Accept-Language header in golang.org/x/text/language",
    "details": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.",
    "affected": [
      {
        "package": {
          "name": "golang.org/x/text",
          "ecosystem": "Go"
        },
        "ranges": [
          {
            "type": "SEMVER",
            "events": [
              {
                "introduced": "0"
              },
              {
                "fixed": "0.3.8"
              }
            ]
          }
        ],
        "ecosystem_specific": {
          "imports": [
            {
              "path": "golang.org/x/text/language",
              "symbols": [
                "MatchStrings",
                "ParseAcceptLanguage"
              ]
            }
          ]
        }
      }
    ],
    "references": [
      {
        "type": "REPORT",
        "url": "https://go.dev/issue/56152"
      },
      {
        "type": "FIX",
        "url": "https://go.dev/cl/442235"
      },
      {
        "type": "WEB",
        "url": "https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ"
      }
    ],
    "credits": [
      {
        "name": "Adam Korczynski (ADA Logics)"
      },
      {
        "name": "OSS-Fuzz"
      }
    ],
    "database_specific": {
      "url": "https://pkg.go.dev/vuln/GO-2022-1059"
    }
  }
}
{
  "finding": {
    "osv": "GO-2022-1059",
    "fixed_version": "v0.3.8",
    "trace": [
      {
        "module": "golang.org/x/text",
        "version": "v0.3.5",
        "package": "golang.org/x/text/language"
      }
    ]
  }
}
vuln.tutorial$ echo $?
0
vuln.tutorial$

What did you expect to see?

If a vulnerability is detected the exit status should always be non-zero, regardless of output format.

What did you see instead?

Exit status changed because I set -json.

@tendervittles tendervittles added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Aug 1, 2023
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Aug 1, 2023
@tendervittles tendervittles changed the title x/vuln: json outut always exits 0 x/vuln: json output always exits 0 Aug 1, 2023
@mauri870
Member

mauri870 commented Aug 1, 2023

A non-zero status code on failure/error should be the recommended approach for CLI tools. Doing this change now will surely break some scripts for people that use set -e or just && between commands.

@dr2chase
Contributor

dr2chase commented Aug 4, 2023

@golang/vulndb

@dr2chase dr2chase added the NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. label Aug 4, 2023
@ianthehat

This is working as intended.
In JSON mode the exit status indicates whether the JSON output can be trusted only. You should parse the JSON only if the exit code is 0. To find out if there was a vulnerability in that mode you need to actually look at the JSON.

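The rule ianthehat describes, trust the JSON only when govulncheck itself exited 0 and then read the findings to decide whether anything is actually called, can be turned into a small gate that restores a non-zero exit status for CI. The program below is an added example, not code from this issue or from x/vuln. The `config`/`progress`/`osv`/`finding` keys and the `trace` frame fields follow the sample output earlier in the thread; the classification rule (a finding whose first trace frame names a function is "called", otherwise it is informational) is inferred from that same sample, where GO-2021-0113 has `"function": "Parse"` and GO-2022-1059 has a package-only frame. Exit status 3 for a called vulnerability (matching the text mode's status in the report) and 2 for unparseable input are the example's own choices, and the embedded sample stream is constructed, abbreviated from the issue's output.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// message is the top-level shape of each object in the govulncheck -json
// stream: each object carries exactly one of these keys. Keys we only need
// to recognise are kept as RawMessage and otherwise ignored.
type message struct {
	Config   json.RawMessage `json:"config"`
	Progress json.RawMessage `json:"progress"`
	OSV      *osvEntry       `json:"osv"`
	Finding  *finding        `json:"finding"`
}

type osvEntry struct {
	ID      string `json:"id"`
	Summary string `json:"summary"`
}

type finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []frame `json:"trace"`
}

type frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Package  string `json:"package"`
	Function string `json:"function"`
}

// Report separates vulnerabilities your code reaches (a call stack exists)
// from ones that are merely imported (govulncheck's "Informational" section).
type Report struct {
	Summaries map[string]string // OSV ID -> one-line summary from the osv entry
	Called    []string          // OSV IDs with at least one symbol-level trace, sorted
	Imported  []string          // OSV IDs seen only at module/package level, sorted
}

// Scan decodes a govulncheck -json stream. Assumption (from the sample in
// this issue): a finding is symbol-level when its first trace frame has a
// non-empty "function"; an OSV ID counts as called if any of its findings is.
func Scan(r io.Reader) (Report, error) {
	rep := Report{Summaries: map[string]string{}}
	seen, called := map[string]bool{}, map[string]bool{}
	dec := json.NewDecoder(r) // handles the concatenated-object stream
	for {
		var m message
		if err := dec.Decode(&m); err != nil {
			if errors.Is(err, io.EOF) {
				break
			}
			return Report{}, fmt.Errorf("malformed govulncheck output: %w", err)
		}
		switch {
		case m.OSV != nil:
			rep.Summaries[m.OSV.ID] = m.OSV.Summary
		case m.Finding != nil:
			seen[m.Finding.OSV] = true
			if len(m.Finding.Trace) > 0 && m.Finding.Trace[0].Function != "" {
				called[m.Finding.OSV] = true
			}
		}
	}
	for id := range seen {
		if called[id] {
			rep.Called = append(rep.Called, id)
		} else {
			rep.Imported = append(rep.Imported, id)
		}
	}
	sort.Strings(rep.Called)
	sort.Strings(rep.Imported)
	return rep, nil
}

// ScanString is a convenience wrapper for in-memory input.
func ScanString(s string) (Report, error) { return Scan(strings.NewReader(s)) }

// ExitCode mirrors the text mode's behaviour seen in the issue: 3 when a
// vulnerability is actually called, 0 when there is nothing actionable.
func ExitCode(rep Report) int {
	if len(rep.Called) > 0 {
		return 3
	}
	return 0
}

// sampleStream is a constructed, abbreviated version of the issue's output.
const sampleStream = `
{"config": {"protocol_version": "v1.0.0", "scanner_name": "govulncheck"}}
{"progress": {"message": "Scanning your code..."}}
{"osv": {"id": "GO-2021-0113", "summary": "Out-of-bounds read in golang.org/x/text/language"}}
{"finding": {"osv": "GO-2021-0113", "fixed_version": "v0.3.7", "trace": [
  {"module": "golang.org/x/text", "version": "v0.3.5", "package": "golang.org/x/text/language", "function": "Parse"},
  {"module": "vuln.tutorial", "package": "vuln.tutorial", "function": "main"}]}}
{"osv": {"id": "GO-2022-1059", "summary": "Denial of service via crafted Accept-Language header in golang.org/x/text/language"}}
{"finding": {"osv": "GO-2022-1059", "fixed_version": "v0.3.8", "trace": [
  {"module": "golang.org/x/text", "version": "v0.3.5", "package": "golang.org/x/text/language"}]}}
`

func main() {
	rep, err := Scan(os.Stdin)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2) // input not trustworthy: do not report "clean"
	}
	for _, id := range rep.Called {
		fmt.Printf("CALLED   %s: %s\n", id, rep.Summaries[id])
	}
	for _, id := range rep.Imported {
		fmt.Printf("IMPORTED %s: %s\n", id, rep.Summaries[id])
	}
	os.Exit(ExitCode(rep))
}
```

Run it as the second stage of a pipeline that first checks govulncheck's own status, for example `govulncheck -json ./... > scan.json && ./vulngate < scan.json`: the `&&` enforces "parse only if the exit code is 0", and the gate then supplies the non-zero status the reporter expected. Because a parse error exits 2 rather than 0, a truncated or corrupted stream cannot be mistaken for a clean scan.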