internal/scan: limit number of binary traces shown

Traces, e.g., symbols in binary mode are not as useful as they are in the
source mode. Users cannot directly act on the binary using this info.
Given potential future reports for vulnerabilities in the main module of
binaries, which won't have symbol info, and current precision levels for
stripped binaries, there can be many traces shown. This can spam the
user without providing really useful information.

We hence limit the number of traces shown and provide annotation
instructing users on how to retrieve the remaining traces.

Change-Id: Ib58b6d29df8a7b9cce5e16173db036f0183f2b85
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/587996
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Maceo Thompson <maceothompson@google.com>

Author: zpavlinovic

cmd/govulncheck/testdata/strip/testfiles/binary/strip.ct

@@ -13,10 +13,12 @@ Vulnerability #1: GO-2021-0113
     Found in: golang.org/x/text@v0.3.0
     Fixed in: golang.org/x/text@v0.3.7
     Vulnerable symbols found:
-      #1: language.MatchStrings
-      #2: language.MustParse
-      #3: language.Parse
-      #4: language.ParseAcceptLanguage
+      #1: language.Compose
+      #2: language.Make
+      #3: language.MatchStrings
+      #4: language.MustParse
+      #5: language.Parse
+      Use '-show traces' to see the other 7 found symbols
 
 Vulnerability #2: GO-2020-0015
     Infinite loop when decoding some inputs in golang.org/x/text
@@ -33,3 +35,61 @@ Your code is affected by 2 vulnerabilities from 1 module.
 This scan found no other vulnerabilities in packages you import or modules you
 require.
 Use '-show verbose' for more details.
+
+# The same as above but with '-show traces'.
+$ govulncheck -mode=binary -show traces ${strip_vuln_binary} --> FAIL 3
+=== Symbol Results ===
+
+Vulnerability #1: GO-2021-0113
+    Due to improper index calculation, an incorrectly formatted language tag can
+    cause Parse to panic via an out of bounds read. If Parse is used to process
+    untrusted user inputs, this may be used as a vector for a denial of service
+    attack.
+  More info: https://pkg.go.dev/vuln/GO-2021-0113
+  Module: golang.org/x/text
+    Found in: golang.org/x/text@v0.3.0
+    Fixed in: golang.org/x/text@v0.3.7
+    Vulnerable symbols found:
+      #1: for function golang.org/x/text/language.Compose
+        golang.org/x/text/language.Compose
+      #2: for function golang.org/x/text/language.Make
+        golang.org/x/text/language.Make
+      #3: for function golang.org/x/text/language.MatchStrings
+        golang.org/x/text/language.MatchStrings
+      #4: for function golang.org/x/text/language.MustParse
+        golang.org/x/text/language.MustParse
+      #5: for function golang.org/x/text/language.Parse
+        golang.org/x/text/language.Parse
+      #6: for function golang.org/x/text/language.ParseAcceptLanguage
+        golang.org/x/text/language.ParseAcceptLanguage
+      #7: for function golang.org/x/text/language.Tag.Base
+        golang.org/x/text/language.Tag.Base
+      #8: for function golang.org/x/text/language.Tag.Extension
+        golang.org/x/text/language.Tag.Extension
+      #9: for function golang.org/x/text/language.Tag.IsRoot
+        golang.org/x/text/language.Tag.IsRoot
+      #10: for function golang.org/x/text/language.Tag.Parent
+        golang.org/x/text/language.Tag.Parent
+      #11: for function golang.org/x/text/language.Tag.Region
+        golang.org/x/text/language.Tag.Region
+      #12: for function golang.org/x/text/language.Tag.String
+        golang.org/x/text/language.Tag.String
+
+Vulnerability #2: GO-2020-0015
+    Infinite loop when decoding some inputs in golang.org/x/text
+  More info: https://pkg.go.dev/vuln/GO-2020-0015
+  Module: golang.org/x/text
+    Found in: golang.org/x/text@v0.3.0
+    Fixed in: golang.org/x/text@v0.3.3
+    Vulnerable symbols found:
+      #1: for function golang.org/x/text/transform.String
+        golang.org/x/text/transform.String
+      #2: for function golang.org/x/text/encoding/unicode.bomOverride.Transform
+        golang.org/x/text/encoding/unicode.bomOverride.Transform
+      #3: for function golang.org/x/text/encoding/unicode.utf16Decoder.Transform
+        golang.org/x/text/encoding/unicode.utf16Decoder.Transform
+
+Your code is affected by 2 vulnerabilities from 1 module.
+This scan found no other vulnerabilities in packages you import or modules you
+require.
+Use '-show verbose' for more details.

cmd/govulncheck/testdata/strip/vulndb-v1/ID/GO-2021-0113.json

@@ -1 +1 @@
-{"schema_version":"1.3.1","id":"GO-2021-0113","modified":"2023-04-03T15:57:51Z","published":"2021-10-06T17:51:21Z","aliases":["CVE-2021-38561","GHSA-ppp9-7jff-5vj2"],"details":"Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.","affected":[{"package":{"name":"golang.org/x/text","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.3.7"}]}],"ecosystem_specific":{"imports":[{"path":"golang.org/x/text/language","symbols":["MatchStrings","MustParse","Parse","ParseAcceptLanguage"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/340830"},{"type":"FIX","url":"https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"}],"credits":[{"name":"Guido Vranken"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0113"}}
+{"schema_version":"1.3.1","id":"GO-2021-0113","modified":"2023-04-03T15:57:51Z","published":"2021-10-06T17:51:21Z","aliases":["CVE-2021-38561","GHSA-ppp9-7jff-5vj2"],"details":"Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.","affected":[{"package":{"name":"golang.org/x/text","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.3.7"}]}],"ecosystem_specific":{"imports":[{"path":"golang.org/x/text/language","symbols":["MatchStrings","MustParse","Parse","ParseAcceptLanguage","Compose","Make","Tag.Base","Tag.Extension","Tag.IsRoot","Tag.Parent","Tag.Region","Tag.String"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/340830"},{"type":"FIX","url":"https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"}],"credits":[{"name":"Guido Vranken"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0113"}}

cmd/govulncheck/testdata/strip/vulndb-v1/ID/GO-2021-0113.json.gz

@@ -297,23 +297,37 @@ func (h *TextHandler) traces(traces []*findingSummary) {
 		return symbol(traces[i].Trace[0], true) < symbol(traces[j].Trace[0], true)
 	})
 
-	first := true
-	count := 1
-	for _, entry := range traces {
-		if entry.Compact == "" {
-			continue // skip package and module level traces
+	// compacts are finding summaries with compact traces
+	// suitable for non-verbose textual output. Currently,
+	// only traces produced by symbol analysis.
+	var compacts []*findingSummary
+	for _, t := range traces {
+		if t.Compact != "" {
+			compacts = append(compacts, t)
 		}
-		if first {
+	}
+
+	// binLimit is a limit on the number of binary traces
+	// to show. Traces for binaries are less interesting
+	// as users cannot act on them and they can hence
+	// spam users.
+	const binLimit = 5
+	for i, entry := range compacts {
+		if i == 0 {
 			if h.scanMode == govulncheck.ScanModeBinary {
 				h.style(keyStyle, "    Vulnerable symbols found:\n")
 			} else {
 				h.style(keyStyle, "    Example traces found:\n")
 			}
 		}
-		first = false
 
-		h.print("      #", count, ": ")
-		count++
+		// skip showing all symbols in binary mode unless '-show traces' is on.
+		if h.scanMode == govulncheck.ScanModeBinary && (i+1) > binLimit && !h.showTraces {
+			h.print("      Use '-show traces' to see the other ", len(compacts)-binLimit, " found symbols\n")
+			break
+		}
+
+		h.print("      #", i+1, ": ")
 		if !h.showTraces {
 			h.print(entry.Compact, "\n")
 		} else {