x/vuln: Panic "cannot range over: func(yield func(K, V) bool) using golang 1.23.0

[weberr13]

govulncheck version

Go: go1.23.0
Scanner: govulncheck@v1.0.1
DB: https://vuln.go.dev/
DB updated: 2024-08-19 17:26:34 +0000 UTC

Does this issue reproduce at the latest version of golang.org/x/vuln?

yes, we are seeing this with @latest

go: downloading golang.org/x/vuln v1.1.3
go: downloading golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7
Go: go1.23.0
Scanner: govulncheck@v1.0.1

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='amd64'
GOBIN='/builds/<companyName>/<programName>/bin'
GOCACHE='/root/.cache/go-build'
GOENV='/root/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/builds/<companyName>/<productName>/.cache/pkg/mod'
GONOPROXY='gitlab.com/<companyName>'
GONOSUMDB='gitlab.com/<companyName>'
GOOS='linux'
GOPATH='/builds/<companyName>/<productName>/.cache'
GOPRIVATE='gitlab.com/<companyName>'
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='local'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.0'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/root/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/builds/<companyName>/<productName>/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2454570330=/tmp/go-build -gno-record-gcc-switches'

What did you do?

Simply ran

go install golang.org/x/vuln/cmd/govulncheck@latest ; govulncheck ./... within a gitlab pipeline

What did you see happen?

running go vulncheck within a container built FROM golang:1.23.0 a scan of our repro fails with the following:

Scanning your code and 1332 packages across 127 dependent modules for known vulnerabilities...
panic: Cannot range over: func(yield func(K, V) bool)
goroutine 19402 [running]:
golang.org/x/tools/go/ssa.(*builder).rangeStmt(0xc022b93df8, 0xc001fbd080, 0xc005f8c8a0, 0x0)
	/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/builder.go:2074 +0x774
golang.org/x/tools/go/ssa.(*builder).stmt(0xc022b93df8, 0xc001fbd080, {0x9d35d0?, 0xc005f8c8a0?})
	/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/builder.go:2293 +0x205
golang.org/x/tools/go/ssa.(*builder).stmtList(...)
	/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/builder.go:944
golang.org/x/tools/go/ssa.(*builder).stmt(0xc022b93df8, 0xc001fbd080, {0x9d32a0?, 0xc005f99680?})
	/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/builder.go:2255 +0xe47
golang.org/x/tools/go/ssa.(*builder).buildFunctionBody(0xc022b93df8, 0xc001fbd080)
	/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/builder.go:2369 +0x433
golang.org/x/tools/go/ssa.(*builder).buildFunction(0x7f0b80?, 0xc001fbd080)
	/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/builder.go:2304 +0x28
golang.org/x/tools/go/ssa.(*builder).buildCreated(0xc022b93df8)
	/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/builder.go:2391 +0x25
golang.org/x/tools/go/ssa.(*Package).build(0xc00435f380)
	/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/builder.go:2584 +0xc25
sync.(*Once).doSlow(0x0?, 0x0?)
	/usr/local/go/src/sync/once.go:76 +0xb4
sync.(*Once).Do(...)
	/usr/local/go/src/sync/once.go:67
golang.org/x/tools/go/ssa.(*Package).Build(...)
	/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/builder.go:2455
golang.org/x/tools/go/ssa.(*Program).Build.func1(0x0?)
	/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/builder.go:2440 +0x45
created by golang.org/x/tools/go/ssa.(*Program).Build in goroutine 18863
	/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/builder.go:2439 +0x187
make: *** [Makefile:55: vulncheck-pipeline] Error 2

What did you expect to see?

previous versions of golang did not panic

[gabyhelp]

Related Issues and Documentation

• x/vuln: Panics regularly #54995 (closed)
• x/vuln: panic: in main.fn: cannot convert *t0 (any) to I #62089 (closed)
• x/vuln: vulnerability scan crashes #63146 (closed)
• x/vuln: unrecognized failures #67291 (closed)
• govulncheck: panic: runtime error: invalid memory address or nil pointer dereference #66203 (closed)
• x/vuln: govulncheck: panic on a nil types.Object #66130 (closed)
• x/text/message/pipeline: TestFullCycle/ssa fails with "panic: Cannot range over: func(yield func(E) bool)" on Go tip #67348 (closed)
• x/tools/go/ssa: emitConv panic on generics #57272 (closed)
• x/vuln/cmd/govulncheck: stack overflow #51560 (closed)
• x/vuln/cmd/govulncheck: TestCommand broken by CL 381317 #52712 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[zpavlinovic]

It is interesting that the version of govulncheck is v1.0.1 whereas the latest release of govulncheck is v1.1.3. Could you confirm that you are indeed using the latest version of govulncheck?

If yes, do you have a test code on which we could reproduce the issue?

[weberr13]

I will double check but as stated I ran

go install golang.org/x/vuln/cmd/govulncheck@latest

within the 1.23 container, I would expect that would grab the latest but I could be mistaken. I'll check my docker file to see if 2 versions are there. as for the code, I can't post the proprietary code but as stated this worked with a 1.22.5 container and that is the full stack trace.

[timothy-king]

/go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/builder.go:2074 +0x774

This line in the stack trace means that you are using x/tools at the pseudo version v0.12.1-0.20230815132531-74c255bcf846 . The latest version of x/tools for vulncheck is v0.23.0.

This is before https://go.googlesource.com/vuln/+/286bb05c5ff5bbdfe3b680955a2560ba16c2ac4a.
And is after https://go.googlesource.com/vuln/+/da4b74a5408a0116e9a2dde953659a7b0956dc56/go.mod .

So I am somewhat confident what you are running is govulncheck@v1.0.1 . Not v1.1.3. I do not know why you are running this version, but that seems to be the problem.

FROM golang:1.23.0
make: *** [Makefile:55: vulncheck-pipeline] Error 2

This suggests both a Makefile and dockerfile are involved. A minimized reproducer or more details about both of these components would help.

[weberr13]

I did find an older version on vulncheck in the image and once updated it started to work again. Thank you for your assistance!