x/vuln: fix handling of build tags for govulncheck

[rminnich]

What version of Go are you using (go version)?

go version go1.20.3 darwin/arm64

Does this issue reproduce at the latest version of golang.org/x/vuln?

yes

What operating system and processor architecture are you using (go env)?

darwin
arm64

What did you do?

in github.com/u-root/u-root

rminnich-macbookpro2:u-root rminnich$ GOOS=linux govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Using go1.20.3 and govulncheck@v0.0.0-506ee65bc240-20230412201939 with
vulnerability data from https://vuln.go.dev (last modified 2023-04-13 00:03:55 +0000 UTC).
Packages contain errors:
/Users/rminnich/go/src/github.com/u-root/u-root/pkg/strace/socket.go:74:12: undefined: archWidth
/Users/rminnich/go/src/github.com/u-root/u-root/pkg/strace/syscall_linux.go:312:14: undefined: syscalls
/Users/rminnich/go/src/github.com/u-root/u-root/pkg/strace/syscall_linux.go:321:14: undefined: syscalls
/Users/rminnich/go/src/github.com/u-root/u-root/pkg/strace/syscalls.go:212:20: undefined: syscalls
/Users/rminnich/go/src/github.com/u-root/u-root/pkg/strace/syscalls.go:223:11: undefined: syscalls
/Users/rminnich/go/src/github.com/u-root/u-root/pkg/strace/tracer.go:258:12: t.Syscall.FillArgs undefined (type *SyscallEvent has no field or method FillArgs)
/Users/rminnich/go/src/github.com/u-root/u-root/pkg/strace/tracer.go:265:13: t.Syscall.FillRet undefined (type *SyscallEvent has no field or method FillRet)
/Users/rminnich/go/src/github.com/u-root/u-root/pkg/strace/tracer.go:435:28: undefined: signals
/Users/rminnich/go/src/github.com/u-root/u-root/pkg/strace/tracer.go:436:33: undefined: signals

but

rminnich-macbookpro2:u-root rminnich$ GOOS=linux govulncheck pkg/strace/...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Using go1.20.3 and govulncheck@v0.0.0-506ee65bc240-20230412201939 with
vulnerability data from https://vuln.go.dev (last modified 2023-04-13 00:03:55 +0000 UTC).

Scanning your code and 0 packages across 0 dependent modules for known vulnerabilities...
No vulnerabilities found.

Why does it find errors on the same code in the one case and not see them in others.

Also:
govulncheck ./...

Gets a huge number of errors, almost as though constraints are not properly applied?

[rminnich]

oh, also,

rminnich-macbookpro2:u-root rminnich$ GOARCH=amd64 GOOS=linux govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Using go1.20.3 and govulncheck@v0.0.0-506ee65bc240-20230412201939 with
vulnerability data from https://vuln.go.dev (last modified 2023-04-13 00:03:55 +0000 UTC).

Scanning your code and 441 packages across 71 dependent modules for known vulnerabilities...
No vulnerabilities found.
rminnich-macbookpro2:u-root rminnich$ GOARCH=arm64 GOOS=linux govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Using go1.20.3 and govulncheck@v0.0.0-506ee65bc240-20230412201939 with
vulnerability data from https://vuln.go.dev (last modified 2023-04-13 00:03:55 +0000 UTC).
Packages contain errors:
/Users/rminnich/go/src/github.com/u-root/u-root/pkg/strace/socket.go:74:12: undefined: archWidth
/Users/rminnich/go/src/github.com/u-root/u-root/pkg/strace/syscall_linux.go:312:14: undefined: syscalls
/Users/rminnich/go/src/github.com/u-root/u-root/pkg/strace/syscall_linux.go:321:14: undefined: syscalls
/Users/rminnich/go/src/github.com/u-root/u-root/pkg/strace/syscalls.go:212:20: undefined: syscalls
/Users/rminnich/go/src/github.com/u-root/u-root/pkg/strace/syscalls.go:223:11: undefined: syscalls
/Users/rminnich/go/src/github.com/u-root/u-root/pkg/strace/tracer.go:258:12: t.Syscall.FillArgs undefined (type *SyscallEvent has no field or method FillArgs)
/Users/rminnich/go/src/github.com/u-root/u-root/pkg/strace/tracer.go:265:13: t.Syscall.FillRet undefined (type *SyscallEvent has no field or method FillRet)
/Users/rminnich/go/src/github.com/u-root/u-root/pkg/strace/tracer.go:435:28: undefined: signals
/Users/rminnich/go/src/github.com/u-root/u-root/pkg/strace/tracer.go:436:33: undefined: signals

again, it's almost like it's not applying build constraints somehow

[dr2chase]

@golang/vulndb

[ianthehat]

I believe that it is applying build constraints correctly, if you try to build the code with GOARCH= arm64 GOOS=linux go build ./... you will get the same list of errors, the code just does not build for arm (it only has syscall_linux_amd64.go, there is no corresponding syscall_linux_arm64.go)
The reason you get no errors when you do GOOS=linux govulncheck pkg/strace/... is because that is package pattern, not a directory pattern, and it is a package pattern that matches no packages. I think the result could be made much clearer when this happens, but the Scanning your code and 0 packages across 0 dependent modules for known vulnerabilities... is the key text.
If instead you do GOOS=linux govulncheck ./pkg/strace/... with the extra ./ on the front to make it a directory pattern, you will see the same list of build errors.

[rminnich]

you're right, thanks. This is definitely on us. I forgot the u-root tool skips this pkg because we don't have arm64 support yet.

Anyway, I think we're going to make govulncheck part of our CI. I am closing this as operator error for now :-)

I do think the 'matches no packages' case could be clearer, however.