Description
What version of Go are you using (go version)?
$ go version go version go1.20.4 linux/amd64
Does this issue reproduce at the latest version of golang.org/x/vuln?
yes
What operating system and processor architecture are you using (go env)?
go env Output
$ go env GO111MODULE="" GOARCH="amd64" GOBIN="" GOCACHE="/home/mowsiany/.cache/go-build" GOENV="/home/mowsiany/.config/go/env" GOEXE="" GOEXPERIMENT="" GOFLAGS="" GOHOSTARCH="amd64" GOHOSTOS="linux" GOINSECURE="" GOMODCACHE="/home/mowsiany/go/pkg/mod" GONOPROXY="github.com/stackrox" GONOSUMDB="github.com/stackrox" GOOS="linux" GOPATH="/home/mowsiany/go" GOPRIVATE="github.com/stackrox" GOPROXY="https://proxy.golang.org,direct" GOROOT="/nix/store/8v5zwymidmry0wd3lhj6zggskzsvqrfk-go-1.20.4/share/go" GOSUMDB="sum.golang.org" GOTMPDIR="" GOTOOLDIR="/nix/store/8v5zwymidmry0wd3lhj6zggskzsvqrfk-go-1.20.4/share/go/pkg/tool/linux_amd64" GOVCS="" GOVERSION="go1.20.4" GCCGO="gccgo" GOAMD64="v1" AR="ar" CC="gcc" CXX="g++" CGO_ENABLED="1" GOMOD="/home/mowsiany/go/src/github.com/stackrox/stackrox/go.mod" GOWORK="" CGO_CFLAGS="-O2 -g" CGO_CPPFLAGS="" CGO_CXXFLAGS="-O2 -g" CGO_FFLAGS="-O2 -g" CGO_LDFLAGS="-O2 -g" PKG_CONFIG="pkg-config" GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/nix-shell.D6LFVs/nix-shell.HAxUOJ/go-build3258101912=/tmp/go-build -gno-record-gcc-switches"
What did you do?
git clone [email protected]:stackrox/stackrox.git
cd stackrox
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./operator/...
What did you expect to see?
Something useful :-)
What did you see instead?
Scanning your code and 1348 packages across 183 dependent modules for known vulnerabilities...
panic: interface conversion: types.Type is *types.Interface, not *types.Tuple
goroutine 19672 [running]:
golang.org/x/tools/go/callgraph/vta.addReturnFlows(0x831320?, 0x7fa3cd46f018?, {0x7fa3d6613fb0, 0xc0aeb85880})
/home/mowsiany/go/pkg/mod/golang.org/x/[email protected]/go/callgraph/vta/graph.go:654 +0x20c
golang.org/x/tools/go/callgraph/vta.(*builder).rtrn(0xc1302bfc08, 0xc0e4418210)
/home/mowsiany/go/pkg/mod/golang.org/x/[email protected]/go/callgraph/vta/graph.go:640 +0xbf
golang.org/x/tools/go/callgraph/vta.(*builder).instr(0xc1302bfaf0?, {0x9659d0?, 0xc0e4418210?})
/home/mowsiany/go/pkg/mod/golang.org/x/[email protected]/go/callgraph/vta/graph.go:370 +0x378
golang.org/x/tools/go/callgraph/vta.(*builder).fun(...)
/home/mowsiany/go/pkg/mod/golang.org/x/[email protected]/go/callgraph/vta/graph.go:300
golang.org/x/tools/go/callgraph/vta.(*builder).visit(0xc1302bfc08, 0xc126d7fba8?)
/home/mowsiany/go/pkg/mod/golang.org/x/[email protected]/go/callgraph/vta/graph.go:292 +0x1bf
golang.org/x/tools/go/callgraph/vta.typePropGraph(...)
/home/mowsiany/go/pkg/mod/golang.org/x/[email protected]/go/callgraph/vta/graph.go:266
golang.org/x/tools/go/callgraph/vta.CallGraph(0xc126d7fee0?, 0xc10333b280)
/home/mowsiany/go/pkg/mod/golang.org/x/[email protected]/go/callgraph/vta/vta.go:75 +0xe5
golang.org/x/vuln/internal/vulncheck.callGraph({0x963c70, 0xc056d8a690}, 0xc03aa40b40, {0xc10333c000, 0xf6, 0xc000154380?})
/home/mowsiany/go/pkg/mod/golang.org/x/[email protected]/internal/vulncheck/utils.go:81 +0x23e
golang.org/x/vuln/internal/vulncheck.Source.func1()
/home/mowsiany/go/pkg/mod/golang.org/x/[email protected]/internal/vulncheck/source.go:65 +0xf5
created by golang.org/x/vuln/internal/vulncheck.Source
/home/mowsiany/go/pkg/mod/golang.org/x/[email protected]/internal/vulncheck/source.go:61 +0x31f