2}1_^ɨ|�ΡꠟO�ퟟ"�^�CP�i{wǞ^n�G`,svH��P��u2;w*-:>�/B\s�e�]`ur6�@P��L*��w3(�~.�B�M� _By�Wˏ\�ÿKz3:l
�CG�>�_w�m�sADzk!Ps`k�XG̡�)n0n%;��a(c�+��GY#ٹI{�ڛ@�PUrYA1^0Ġ�+~0_09���`{("�W�YaO�B �Tl+��P�"B�$Aڒc�p@<����, i�V`OYAx!A`vr@6#Z=���ow
x=#mϏ*mPD�@^ʎ:FE�lp�iT�~*͕ƭ)�Mb
tIAkY%�pe�K+*�[s$�4-SesrrO�:
k~�IƷ,o{}X%�no�!Ͽѐv�1��'�pܬ�*6WR\*�NOq��c��0�<��.*PCo@m2�5(sE*tQ_T7cJ�`RtEZ�J:D09�O�"*YO&��tdA�]i�˲�C@[UI�v�u���07mn�9}Z~Z-xC>@[U*�ʫ]x ܹ62½0�3Ԣ���xJ\e�q�p�ʵ���F\SO;n9c'�sN����Q\l퐳}O��`7k�PIE
�V]FD%S}�aO�+@�=� �=Įƃ�綟N8Eއ�ҵy�,=||�|p~�JWIlfZ1}!$)1"2umu36+�])Qc,mD-ذ��c�A?�88~οg�팋�Ug[�8Vt`x�>j=Ҟ�!ACHv`�B|��Oi&
rV~e=KiE{qн�L $-
)za1wЕ�4�Gm%y=Y�h$l�lL�³�4�R@@"#1l=jO�7O�[��C;1�i>/GqN5��`lm^xq@/�Zն-IG
�)M/Zh :%�*Z}뇚ϣb��Ķ`'�%o>ٶ+'��Q[Oi>gn}Y'9V1^ߴ&)��x|^a_>�Q�Q#H;i}(4:$-�P{G6/MR.�ޙ�o�̋��mk�e%�44q8�
qPz� H9�.�]l\Kl-�FGjC�2�-aځڐH�Y(��#�qVh���0RD�u�?��[|w3o3lծ鯜
��Λ2~
�m@6cL]�m<�vT�5k�J9'03yO,c�TPu\:(���"Yj�42Ter;uD_C5�z�#;A���U4՜e Eg0b��M']��<4Z1H@qsn�V)[ol�M �X~�˫�cXڦN��R�,*]����FOˠH;P$
kԶkG8Erp���l"�C�Ċd�wnhV�_O�=@am'=}r6ij[o |]9iH�*ư�&
�W��h��ok����]mJ{)'c��0V 8ܭ� m��ly"�:�JΙr�cu)]Ԉ�
PR> �Po'Dm�f*RՀA%Ѓ&_kRvd�+� /v�_^c`}ӘrVZ eΏ�UOq?OtyVo8q0g�K,p*$/@W �J@NGr.\�K3vK��U�(+eɾn�NJI=cDGtrp<��7
H\'/l�̵đ
In�Q[rvQ�C�)��Ό�lQjnЅwSg70/N9iߙS��,| F�p�A��k�;�d�bv@ɏԆVj$Ԁ�Oυ%dL$Tv'L)ܮ,-I�N#,
�g,kPѱ,��� #ۥ�Sy]K)TRZ?��hSQwz(>��>J�n�@_%�`l��=��ɻSxN]#g7M�O�=en]9La:o љ��� kLt[Tk_xj:!
wiFz-BD9;�i�1$g"�Iv'9}q�
=�[w"c�R*�>�d<`-�J2�Mď�Eo!�Y3q��YA��*�2�q*Yڸfklf v5bX7�gfK�1G]_wauvDAd K�e=Y?v7b�#VFd7̾b1gP@xsKJ\TX]a?
$؞OLǓ$"�(%N�\�T1<"\�9S-&U!]TL*�?v(^3}]8\f
6vW�9h~W^{чT*�O$�
�Ys(1�LoaIV*qCC�D>@�6e�Y $#}c�cl&0ξ�vNm\��AoG�q�R.Kt4�A�Xn=yͫ3]ȊY'�S,�/%JhA(X@�]��sb.@Mcqd>n���F�$;�j�~uZ"/y-d���7�bqʤ_���oͽ1>_�Qֳ��Kgcbe��3qK&֭�T\��@dEZ�.*_�۪�A/T�{,uW:,t;G^�@⟈]�/
=}?zK]s�-~A�-uL{$7!V/D^wқ3fX-ٮ�é�2avLMQ;j؇qP-b%n�\�~�9}KvxIMJ`U;͈s̞פ-�`�&�ޙ^R@
Lh`t�m@q���qǏMc-rl@7��3vux�c`J�fLrtKVއMYDWdq|xH��1-U��N��w�`vjD 3$3�9AXƫ��Sĩԧ�3P� aCK�/wUpId'��D��nלc&EYѬ@���
w�6JLOE{_�JQk<2
�XV�˵y
@X/^ݺ)3 ��j#Ǵ�Q`m`Dm`n~å6f5M+ZW!Ӎ�7�GԀ"�r�t
B>ܱt���0NAqxl�+�t/cc���ӘhH4 "1ȜNc-K9Z6>q�&]>G7Ǎ�3&z�ׯ;@JfZJq26]b]늧���j3 �'nb�.#\[�vWB_`yaBߊs^Ǹq_JNYػWΕvvr�iIs.26%T^uD^qxw)\+ ��$/;]��چMA*|n�tRKc,E2O%<��3qJ0t2�hb�WM۠mS'jZS,)cEJ
Y0!��TK��@ڟ�Nq]ĻilI'
#h
B(8uEI�hi fD�U �wB*�18# ��)�qO?'UX�:W:V�}NGj?�s%B7a$E_2Y�'�M!�
$�B?R�]#tQ*7O!w�Jw�~/C�G^i�I�=$9~:48T�
:lo�>6�ݼ8�9퉬b��a$^D?fA�t5�5V:y:;YYğvgm(O�;/kIW&ٽN%\��j�.\iPGr�S\
��=q��]NA�
?2"˾O�82�oN�t}ug�̔ B=V!O i_g�3�!�3QBsĮ:̖(J"�+�eP[�ڿmW^n�����ڳ�nvcьSO*Z�-`'0lH6�e*�c1m`qAJ\�P}/Tw|ORGP�p�'EI�vD=qiUHyQҹ
Ƴ��SD͆GC0Q/�}'6a�QPK(�_;pK}�)'۞95�;G_=2ゆIx���CMe\[#�R``/�k�Q_�nGe4^E@
`E.FL�>�o.13zw ]�g>J0�q0
lY'Ӽ��ѝx@0{ȇs�
/ax<8Wzq�.:rScDCo-�x�^P�0cD259y
a�ndƽ�b^Ì�|SpY^ӰX�}㬠e?�КW@�4)C7�VykQ�� ?`rEsQ$xb5
g[<'6s�L-\:t�`ȣ�8,�rX��ʢ1@K �?`z�-wh��O.8FTWwmr�pxIr7K&�lPΊBrk/mձ8��eCӔ�,0J�Ϛ��xgp#'! {@�̂>q˶Ҁ�'�ia]X]v �ٳѝs뚚&jǥƬ9g{O_(�ޝuQac[CP7yA=}a?P* �/l^ׯsrt{gTA�oz߳iqM^Q/�G�X'H@=HQ
�YVޝW�ifERכ|�6
F�=@L�# 47N3�2`)�ڬ1�}tCYkǭ~"F938���~4!߮$F;wNb{((-7X꽖X>g˨�C5$ri�*B�*%�#SR"j"kZTQ*Pu*xft"Fb��e*�+YaXvw<��B~'|��&Itq~1_ꎨ]PۣIM!#Ɵ�A`�
a؆+#�H�}`,�n++�+:hp< u@xP1 ��Hw�Թq�}|_ȌB{��|ګ�P_;@jgͩ?غ
M�xQ.w�;AJ-�����xcAo�q)ly�o�I�;@�wlh�gt.UP} OZL0 Kނ,KKW�W&5\p� a=m��K�*(,D[*
�(Ê"�;#4�˲6+�0ӱA�졭@±7 ˷z�u b>�"�I@5.ti�7FҌ �Ѡp����?�6nÞd��;.:M�j)KnE:1TMM�-m" yp63ba̐H�L9�i< |�v�25O�ݧ�~�[͟ efgA;gg;tX���6{-h[|L�
GﺆWҌp3�=L�Q7&R".�!N�Dqêl1OS+Ul|2/o��,/g���dSo?g^r|QWuP�Tn9_�Q�u<"�\b=LRK�hӳJ6�7�+B�o���y`��taH(_�>`V܄I�sϘS_;ĺ3O%%{o}^(Kv3Q��$ĴW:HUa��vV/ݵB�xS��5{&9$��O����aѪ0VVn�1�R2}1 S^�`��{�?�7O�x&{uȺ^G;[M/ll-ݜPKJI7V�5\VSdAAlh4] ڿ�a�_Ip�m_w�6;�GWeLK>�Ms�k?4.,ql7O�
I06L�H��)'�tuiHarlYM4d'e�[� �fݱ/[4)�Y*�)
Qzv0yk;��CrO%|��|z >8sz�QzNI�/N'��lt�LXW:ϐHL\
5`4j��sA?�
!sA ZD«g
^�P]x�,N@�:�Yx>pE�>(�"�9=d˷{�U�ƿ35�=]1Fk"�y;}kT�+U>�e
ą�zDYL%� B9Hp�ҧ.ڻdZi�(R o(*c+op*y
.joaQR0FGB}c�_Jz!tpȷ'�CHQ�J:Ν+-h7n<�$k9Đ'+_&Nx�`4��خc�G0�xT7<�ΖBc@�E(<�V0LM[Dyzp6�+"dE�A�T&"�EY�l+-�n�_ kg>�e�S>;�oh_�Հ x( zuM�M�AJJl�5#�
�lנ�UE|h}L�]�8�G�FGȚQ���c�%\�0:2f1j+//_ª t��]?R>p̫'mC�7hyEGMtS]52sQ�@v�=�vR#��s�-#�<ƒ#���
"�.+b%Eq�Rw8Hrd(l��%:6#�0�+F|��P[+�X"-BG]�d�iq �t��t%Gq!dVw]�M27ߵzA}�Z�2XB��
bv��PtRݭ0u,V�Aq(KbqeN�1Ԓ8ֲiN�.aћ.RQ
V\uJ+J��!ӋkM84~g¼'�w'8�R�GcȄVoN@ϏEk߈��xZpr�z>-��0oƜ&/KN�pƷ{wH1j#$?�5xd&y�0�K�Uzb?6H
M�k�#��ey=JݹJOF4͔N4~A�
>�@'l�Z"T VaTiJX�CZ�49�3`s2TJ#�@�bo:tr�Lխ�@}�z#A1Gv�ٱ쬺Y�g.4 R3evF]ltrX`ʴI�c܌1T5MMb&�
n�h#f�:�FIR���r] ЏF�w�}9aƌ=ӳDi,Q>v\m�J<5x2*��w!6*`�+߾H�\�4uLDe7�
K}�h
Kk1J�aM+}:hϺQ!7�~�}ڳF>��ȾZF]uPj5|@zn�4L-�gP��I'(_'UkU('yuXT�T �yw�k�<;ԫL4HQcʛ,Ksϵi]QW(@�&7Rr)q-����,#TU�s|,��Dn� #v
?ƄЗ��cBn\(s?uRtqaRgE��_r�Z~�TGj5͘H�t6�4հ��cO?"ݪ'93w֜�Y%t��c�P�9td�a0a:0mԹ��h%�Ku l��+>��o ��\46lC?53yF\O��08� +(/Q3eU5�q�7oD��f4ZU9{ӯ=!A
ܫI8v�!|�v�We 挅Yk̓�s$P3՚R?I٢�Q�3%"�#Y�^s��>g������ϟ�#AH_|�(^n}�fW;?�9g~Q:E_�(#qԲad,�i/]Ž+�&].SD9䋄؏�ÁR�$1`!wu��Rm�P߭f�U?�!n�p|yҔdH>+h�U[*6}2Cr^B;piMk�s))u\Ʃ2RŢЌ�H�Tq/� Q$�td�#~_Iju~U+B�-j�U^K%ϚOoܞϏ|Y)QyC~l[~�g��ZK"7�q*H$574��XL`�[�Π]W�˽?Fc|ۼV_�;o8~_~P'TT$z"J}n��׆�5�F�CX=Fꗚi[X�]�Ռ��ҹ%uN_�-y7~�~'h5��Aѵ�uk'6̫;ڣ/lWs�
$�^�kzb$BJa l=�=Kݚvn%�Q<8[,+�4.>+�=;_$ҽ
O]0��h%1Dtԝ4/�}oB+~�~�}��vrvQu3�jK\.:AB)+ZP�hv�/2KǼRy1b�W��6R]2
d8Ͱt&#;W���Fkp`6'My�k'D'v^>@m�7˦A
^L�"\�A�kN/�{idwPϐAU�
u� T.�i�؝36?@�3 N
Y=o�o�Ǿ>-Ըْ&�/&b. �)?&�Ƽ�:��
i�-�%-AHZ6�tC9Ss(Wⷿ[JKߤ6O;�EMz˘~ R>Cy-a<�~
;O
3�˧�Lz-]uώ7g=�Tל[yF
fhQDuaӘ2-�as�]�L4H��`qmH5un}$]N�B;P97ā)L�jh�V+�R:\noh]~:S+
Ǎz\7#/����?q>-\�z�?i!} 2�<;n쓾#�螬?2�Ҩm�;]ώX瘿D7�"\�~a1"Ow�K5o ϙLD�eGT.pM3�c`�o%��':8rz��ɾb�K`\�Xɓ�x)��6dJm0p&Ee8vh?�}s&(1p��K�ZZ߁\6bm t|c^��0{l;�)�rqg̰o'^'f+>/f�=:�l��kJ0L\`��Ѵվϣ�!�` ¥:0L�w�0L�{w}4_%>=gl"|�CBzFց2`vۃuu|G'�jwYv?SU\n|Ub�!G߲�^� s|`ӲYj[vzyO�I[s
WG�nHLp� tS�5�@+hh �a;?b!}�ҙLe|S/BR8ga�I߀2iYk�S�6}u%qJ@gX&ō�l.�?��Ş�} ?Łd�;5xӏ<�_'�_/a�l&Y˔_�dcUx�xFk3Y?`w/˓5`~nuM�[[
E078wZΑŤ.1}�&
mޜN,,�55qv%oގ
U=)'\H"N�'{Cw=y>X&E)I?�Pz3U&#sU�!�M�Ӥ[
�~Ϳ-hwp�@��N
瀒7^Ӂm];kVM-tRy13s|+g`'��U:B�l*CL3g%d�\PX0%4 ��Sg�A�k0�BX-boFc4��ǩp,ޔ%&"|{U�
&8=[=8�ą,�V`[�'RDdyB2h
\jc$ay_��R�sq� hN#�av[�4o=gn$'s�pT��Xn�$c
BmSָ![pN�sUVKtŌ�{-U/xy߿'_@ߺ?�"x!}AJlz=G� e
ğڢU@6Cٙˡap[�ʢf<�ABOR7;�Zy,��LQ�y�sGzY�1$E�Jt�杉BR�\-M|zp�|J5콹mvH�
��y;�@�|���ͯ
m8o~-+e|
9J2ρ{^E9SӜ.ќ�|x�]Q��u�=&�( -49\R$YzSq)8c$D1ARfsc�C���i=X (9$�n��fUF�.aһ=�MGQΗuJas:�b7I�(Z�zO-m0�\�i"3�]4
a��D�js�\�L�Lf��|ضl0?~#�l�OV��Y_5{�3jC)�|Z\]fV9�^i}8\�&|�pM�Ww2~Y �hް:sq*\�%N(tj8)ʺSlIyx8_e���aMk@V7de�j=_q5@= �HpXCH_W5m�ϧ�knؓ#j�Onk?X�BN �ۣG}n֒��玮n�u%Ş��X�D\P�gdv19?�^Xo�+�j�ׄF�qTNx?}7PYF=/M�p�S>9EK#�aRq�>p4�%� x ˨e"�&yF-rh4;*"6�$O.)~n"8b~M�\6dU�u^]R4ayj/�(X]}½?o�;jZtq��)7>Nn���!
�Op�7}
�EBٻA���KE2R�;8)4{4#
a�+�MhW8C�T%]hvs��}[s78w��a>=@G[���#)ׇDaRP�[?
[3om�qmo]�hV_bs�ηX �-0A?�έ`�ji>YkK)��@�T_�v����fu6I"��[uME�5*�\5."-J&�
Q?Bb0}WJ/Гz,K�Jtg$4�ŮX�'y�w�qM�7-�ݨL"sy}f�ۛ�Wr\x yzSa)
#H_B5B�? 103_Wu:��:ob�v}�m$E^.sh'�c>D8_uoa)�]|Ypt�34GJDnai�/`��"+'5/��Џ4-�F��WIYp(('D3L�zE*!6a�0�cXԖF#Ndp2b�H^5�;yeB(@Z~O)o
[8qP�qS~|�ߞ�Ë@y` o|fq~�T�eqe��;nn-oMj�n/Y2g{_SR��vv\_r ݕ =BM[7R#�^�fo揤֙�OF&uF֭URO�ńtYQffč(U_cS=uЯ�gf�/P�}y.60-fg�{'g1Oz/D��
q9dL0��HT�EU{��-v;Z�2]J�W�9Rg)Xd;(1`�°c�cDWW05Z_ᇀ�.��PȺ�y
ͧy�un~.� wȸ�O!(>W*5�=C/�эFz^$^x3hx שUNFwF�
�#.MU>��ס Qێ =I݄Z�5X(H�V=R ʌr/!?k�j�9�rf�[ 6P-�Ed|XZ\�\%Ͷz=A�q*)zmyX 8IOhc�q-y-Z�1iJVLHHLDn|�~L�O�M�E]g=]8KAV���v7B=]v
H�zw/�筵���wL��[ҹsܿ?�) A�%WC�))�[9սh:M
3�Ȧd1,;ta
iLHb:$?P=&I`�P-E�ƃf�-��lx�p�<��?Qkj:4�T|
�0̃�UC+z�WҺe�2z[Q#E�ĦM(��O��#A!G8�;�C%'ۖ=hl#[m۷;7�[X!hmepp��hܟ9/{�K)9@vB�3R,7?ueeɵf&z꼕�c}�j'֬ilf|�\db�# ۢ}o4[MF#)�k-?'4m~|ޤ'_a@yU]`ul^�&\}7��'q�#�`��!7Ʈ Q IZԳ��y0HJ{|��邬&b+aESw5WtbN7VeTjUn%룁,A ދ
2=>H9)'Xn/uXpF/p$S�* w�1�2hD7q��Py2JQ3=[�4sqr_U˼�
+e�/EՍ̋rF77�HFd4%;�Yut��[AbV+%G�gO+@hjž84���
*
ʑ9~erH/���jeeڬk0��cv-Z�k=� nl.��k.Yjl5r �
`y0oWXk .]�w�(E@\չ��vϖ%H=-?Evz*�H#��SPI͏�#2 ( h i8ɔ>r�PԊ��JC,f�A[nf�}Ŵ��\cU21 yp/�52Ft*�7H�4S`qv4�"o�<3+UMZ#$I_A<�Z$�,
`*CJ*KRA4�0�aD$�g�ڤ�{c�7b�̀הY j`|
сgr�5g5lP��sv�>Y{
�@yPyu༜;`�kB,v*Rp����Z���m�/b>X4�|:�0>TA
MH�U^�R<1��A��uzRa0pb|9"*O�jE2=�&�\$"kN�7�{EFq90^��$��ȷOBz�>Х�OyZ)�_UI��@�/L_��AZ�*�m>�4�!ETB$]U.�Mxw5bFI^9V��N,IG-Bq:'\ �Yyr!]_zN�&~o[oRupS?I>��)l8�],%��yZ%t bɨ, =p- נ 8'c~"W�snG8wy�5B(�)V�#�k<7년o"ܐ�&{vSW@ x�$��%P�!fa,`a.`a�Е,ta�Jh�S ~l@?Z'��]^%'��r]�nu(϶��u1cz`vrtp>&UW�_�k~mO_�F�l%viE�-�-kB>��tx�TQ稻Fx}`��QUΊMF*(N'}�g����ˏ �!w�~��tt[9:�\{t�^K9y�
#K%ْ݂O'7b.ȳFCm7!,��Fޑ�߇lp��eR�d[QT 3��sre{i_Sƹ2i�,[lΙT��5RIr%;j�T`dqсן*ԯ�>`Ua#NG|m֞ZaT�u)�zSٟ�kFKtQ�UbXig
d�cI�tA^1�:v*T+2+f0
�,�CN@C(ʏ52-gs�wuȏi�}uȏG �OK|yxo^3|i�^Z�pA4MpIc/8F{Ά�l�vIY�/&�P7Q�9�u�EI�?~8��;#Ewu*�YeB۶�k>�^�>·�|<��>YL�]jŌ_c<~W[�78��z,c
;'~�fb�ؖ|:G9l�§�4Ut}ӟ;7?^�'õg`݊K|"-#'w���mc<�Y
="ζ|�H�f.ɲ>sn�%MP!�б'CҚJ�`T`�,ӕERMLxI5lZ�
a�`2?fki}sr�{ģ5WL]8C2y^�z�(&(6_Iɡ 5k5Af��ag�.��{!�)Z�`g�_j�9eI<��xm
Mfͬ�M(g۵~.¿%ߵVl$]gڎ�w_Wn~3?�U�1ҽÝ\&��s:�ʈֹՀ�En=9��Cyq>�\1�wRL;:_liqSK`�jatK-�Hsr0.CQYTְ����ϦP�&|7;�Թ}�~4R�*_��'4�zA�lվ �wul Q}OjE]0�o�KR/�5VCR%Z]�M�tjWFG�+ԩX7�&�2L�pX��ϓeIT�,iV(�UN'��"�{cތ�Y4p�K�f�G,
~-5 ^tXs�5�p�~
07$0�9�e�3Z7}pjp}(��CP}kٻ?�mS*R| ~<&ds-RK~�mqT%P+l"tIXZw]Ӭ`
L�C2;&E7C�@�%~cFM]:Ȗ=�̆�sd#OGqHfX�;r?~%hǼ^;�Y�|�W��uL^)^"?/Vr%v��oaA3�?F:ϑaW�gqY��tv_G~T�*�S� ;��JB�KG�&J( >�ꂓ>��y$8�3Lq\ǹ7q��l\q�A|Eca!u\9n�wzP!$Q:e~Sd�G�!lx��t��Ԕ3Mlҍ� @`� �^�ϯ�Y!9w#T
�+Q��WY��n֢L�n̎:6x&f$yOu_g �{ VP�9��.o|X#q6w�rTv�����]E/3*AM[
���Vn&Θ�i+�D�Nf73A<}�4=4R(3�1ܦje>5���4n
֙�]?
v��y�E{?/�F�FV=OōA;jn�QK���6{vPC~VQ�wlIMwi蕒q4u�*E��aV -�=J��n�D�e;0E-uL]ӂZ/}\uR(B~(0]#bUx�Jۂ=o�;ڎ;:~9k�J]b�$$5$�m<4�}$w!�_"�#Kɏw,\oƅO3�2Igw1 2';bew�DF}g<ٱɼd4x`@L�n�ڑ��UOУSj�F��՚��y^�X
;ɞ�1�pm2�ɪPI+�Yhz$-'bW�<:;���>`m�Ҿ�>b{ι3ݞd7$&!!@��j(*HP��~nq,rV!&��s-~Wd~��Ni�M�aYց�=ڭp�l�!ތ��CxL;�9|pn�l.7ip�z�ZGd2r^Z%r�Ae�>Q�j<��>ґ�Q:�r�_e4K� �'ո��C(<߽Zu( ~�q���2M�\ᨙ|�k__n#I�Eņ��]JP�GC>3@&BYvL�}���uy��
N;y�<}<�yd�_3 Y�G,#�vH 2�n 4�1٠P�P-0�i<߮Ax,i�Bcɸ� f./�Cwx`JGϏ4*�3�N\\Ƞ08��'t~9͛`�t_lWt]�I*n!M��7HnKn~
>p��N[@
[
�gB%Q;�JFm r
B2�b,w*��ES^p�~oC#p7/ߵ�DnN���2jK���czk�i �CM��yy3Ѩ4ۈ�W�@�2�pBρ饌�+��^'irGb�{]3���
7�و!tҶ]ybq
@k�ǹ�JՍ
^e�ɟXNi�@\u{#J҉|rFp$-{wUiү$�y�lS0;W5��x@k3�$Rۙ8y8FC8YI-sCu|8ansZZ.kl̕yt�Y|#A~U^$y;ۙq�Cs�($Z?�f.���v-# >j�Ԃ~Ssn;���]|�c��Cjo?k_^sPFږ9�sf>3A{f�9��*RRM��-c38�Mh aƘ8>3r0��{yWqǼ<���G=ֽnP70ɉ[Tws EǦcJ�>�/g.?�yT[vgK�4�]�@{�
6�"pO?k��?TZd{+�v߿:wF�Qz�Oi'ΡҖn
�^'vmYKᶳi7|Ρ[�j'w3Oo팓>jFww7ewjn =S%�/ݚp۩{jvNiP�h};Oylm?D4�T�~:o�|�ΊZ/!�PEL�HHw�G>�?tw~?i��ބS*LWly�8c
QL�&NKa]�5nGI�pئs9�gҷ3?uަz8OD�}�}M�@#�9A[�ltߴGo"�כ�H#�ov\%=POs3n�sJF#�^G]Vm0�{�
\�u.�G5(/잰�پ`\�Z�aN!L�28�ӈ","��C9_օ`�2��vkos6{z�?Fb7ޱ[4 -\=8iqK/5O~瀿&�~$-K�ű-Ks�S1�v&XЌ�-(浯(U�5Eĉ;4Qg#�Io��(cyxJ#@!224*R#�.#5:;-ް�Q�[d_#Kx�Hҗjf'�p�7SN7>]�F�|pͳ|?�>w�1[4�N?:�]֣^|[k/nih[j�C�CV�BQ�$�?oux#>�)�!yRC0|mW:whD9R�ɬ#UaYèԧ;3�&k22X�(dxO:+FyP��%zw9o}
a��=���N{%��i's�Z?9݆+]yx9YIԀ@n�S22`�!zQe�OT�fw�5$GBl�+!f3SFXu��%7BLߟ)Lk�`T�U�?Y�(;8&@�6XF`
�JU2ɛ81@e~y1N*��YHg8�3�OaYm2ć x5㾬CzwyV�Λ u[@0��F�,}#�~<}2']{Uo"�k^臈*@jN9hv�a&ͱe![ѕK٧3�n?j^2� �f`�yt�e)^̵O�(x_)G��h?�\zd9;�>�}_'Ru��ݙ�cHi��Ǝ�:�*ra^�̶
r)-Y�Y-\>��3p�Bɯ匦,d^srw*H?9y]{5?C!+�_p�{�E7u�k6r
*kQqx1�|('�hOP&C���NjW�L&(K$?
ubБ䣰�
͒*2�2R > +Ñ,oĦ�e2)3u����"Tq"7$Eܳ�Lz7y��z[o#70iтٵZM?]5q
A�p�_hFQ��R,hd)~�YB��u>ozy[Dp[:m"�aHgŽ}"iVTfO4x��E�Y"nqt; D!�NF4)Ӛ&y�i`sE]a٠YOX�h�6٤!:o�~w[�oz�Aʻz0"*?$Kt�ۢ�f1P�~0�rzo�~DʲQ=ZG,Y�^$Tfe}lPr,�%�zF�ȂQs5Ykmf&(� t@Ǚ?b0�弒J �Z%zO/',�e Y�+r� �{ؠMZ��Z"k:�c�Q¬F@.M�.$\1��
Fe9
&_�
'�P\O(Z"3m��~fDӿ#|x��A$�OD�w2*I��X]^˽ߚruI$&0@�_YMfm\$Tj^jJ4�Y4G�$lXVN�&I-W(p��ˢ��OGz3R/e?]s�oBh}�g!~˥֓�g:{5=�(�gr���E>�1Fz��]��3ۻsS/M��n\=D�Il
4'f
7-DZƒ�Ia��!?Hz?>e�BY ^��l����#7Tq"UW}��'~g5A>w뢺^۪�~#[rOGSi~FY�&^rx�mx} ["tX]�9M^BB5J�\Ru5�|���gؐ;)D[�@>2*I�b���=$O@;r'֢Ks7�m�Z0�jr=at�*�Se3/ :y{ЉhP'+3$P#jMSA���UjV�C�;ݜ9NHHBڎ�&dgJiиgc��hdS`�Z
8�?;ʼnsNks� �t3>>nE&FR�.0&��L6D�Q�0@��JDI�ltU7͈/EÌ|�?ڇ�E_�#xB�/C|98mJ|Wp�gdnrD`�dQ"Es4�1ů W]~+�?J)AO 3P!4E"w]#ՈA��@|G{UJ_Km�42! �ݴn�ԐZsZ=;*x�cy��s|Q��@s#|�Ds?d{��7f[ ɟ;gASHBFq+fo-ʤ�Qd)1E)��~h�hX�R�ۙ�j�+ �P�Lϭqh5��b�GE
Hq�f�_
�Co9X�R�s)?P s�'х�'~t)�?�yaV��OAK�(��s�J6GS"�?�OE\Psৈ8��sඳ@:_R��A1*pE>SEm�J;H���z���/ѭp�c��\i
[|�j JGn|g^1��|{�Oڝ�ɱ!G>Ӷ�
r�-!�u��^Yv��� `WG(D/�rlOFI1iIr$ҟKmw vn;z<��fnȋ�?w{�}A;$�i[so'A[769Bv䱜@}'PS#vO>ɟ>�>߳q݉NmTٵm[CNspxE/g�Do��S^�Eؔ_D
#�^k��Ҳ{yz[�T*G9!@&5{U�]A�KB��*9|�SP{IJy�`�UA6R0�=ԉ(��*yA!0Z'hvׯ�A8���vƋ?Q�H�.O8Mı|g~E7ϦM?d^KfM>A+�x\K,)}�*DiPi�zoR�k�BiJ}ʁhJN%W���=sz��gq.�"~#J~JP����V dS
��`Xf)YX��̋1Ɗcz}]g5̀D?·P.qv�>BP$+ŮSU�]G�<�Gp&
w?�9yyu��GvI>Rz)nUA5'.Zⶳde_pێz �{kX}Yk/�4Ip2�5|H_I(P9YX?&T%9@Z�}P�
�*A
M{š8ܵq
z/p��?�/n痾p�y~"tWLJ%�'i!~v/8ʽ<�%�- `SNr{kq�/6G~"�G(�YWח\0f�i2>w^��⡦O4�c���ކ/3��Aʣ뱈7#ƺ^9&oq2E[�/ģ�NI+AJۂb�Q[$D, J׀ٿp_ 7�s�>#Yl�y'�
�sʴr}isw�Ge4�L<_�,6Q�+�O
��O[ X9?�S'*Z1;'ڛA�iU5I=�#^p�]_G]/^�^ʶ�Cq%��(V�A��Y %�㯼l�(b[.'tB!�u3a[�N+.cIZAͽؒY\ΐ�?⩠�?@��7UKUU?fW?:�hZ)SX�O�~i�7�:�dd�]�/oz�8o<ɖo\^-q(=ؒS
x6ovG}1�r'�)=Zz�
xow~߿Rz-ۑ_߿[o� ~���}<3\)߷BC/%�r> k�S.m�w^��E;o�LA|*N.m\ʼni~�=l�&
KŦ=J:E\�9[�5{5�|j[,J�IRijn��iu���>��"��.�_`O~%qu<狓C�#FP�i�v U.F>㩦Wkd"g<I^qi�X4GÝ�z%t6L3;U'Q~Ϯ�CF��7 7@9HA?v?��=9yC`%yqG�{��uZI�wx(k�dTj$�̗Wn���E=B=~�Z6X;œ2�@Ҳ5� >x�Rk j`YbBǢ6
}[�H9&�� / FJgwg~�/�&ף? E u/��vI9h7vՅ<${oyLC $SҤ;Z=jAc\MSQ��Fi#)�}=Hwh�0.�}�A5&NQyPc�D^ 7(j�?{W?x����m��X+�[�b�\PPC�GS܇)>K])u|G"vx�NIT�U!Zkh:N9؎4g[]rw7O�/F�;�;~�C�jZqE>BvM�Rs�$}DzMORJ���"�$�}Z�.;3�oDg_"��j}{wvXoDž��-mC�OHٴ3�iy34SJW�4>�аEHu̫^6hIuDݧ#ӒќOԄT?/�C!�yejQ h Ca���l�^F�8Da�!�\AH�֣)�"t
g
_�1B�A7EZoqv�� ��-3E
CG�=lG�T��KAF6[���yEB[�8`0�A�]�ņx�VuJk9�/?QO��{I4��qZ:Cx)��s Yh~(B~[�g ��Ы��qC=_ba~,6b?BJ,zq\g8累I]Z�$�:��R��nEz9g>˞M͇kʌm7,�^0WdH#�[ /L�m5 �4H�N��1��b�ä~^/�yFmJb4��Z�20YF\dp<
mݰ9A)䫠12"J�NyhƕU~ES>%�4�,#`1?O>�vQ=7!B �oX}&{g�
�@�6�#I-͊I��p9VƟҏ�A=01#@�H �DQ�ff6Da�A�-C�AT�ũ"xhq3±Q\Y�HU8$�rA?En�g#�-bbVR����/u\:9WP�NIR=tOn?vĿG�7BЫ��k,{>תWz�f>ErUsE
@n)*^s�\lNcH��%zW>ӿ9_p9w3w?4wh�X@
�d3B �ũR-V]RYtb�J.�u�h�us��)WAϹ�6,nt�v~qag
0�74K5&�p�tOϜSxGz-��YȻ�r9�[(Pd�ⳕ=]㑆!~*z}ضu*H,rqȼ�uz6Ƙ�w���_v7uʊ4�¿{%ę*?n+�/}3d>8�r~�D$S4hqv�^~�rO�Z,/ӒO!zA�C�Aa*0"l� �V%�<47�PQ�Z?.!dϸ, �QrC6E�;��b췐yn�ujL!ɾ��,fV�'>-Wi\X�iWn��A�81nX��Ĵfi%YCcsl�s]ܵ4o߉�[4o>y=߯�[vW圈J[vrDž�3iLZ&�MBDQp�"���ա�(s5ipk(G,CEZٸMV�w댫Y.=4CE[$�pu�^f>e,�DOlBµib\�;JR2b"J}^'+��>LEf&c�ᢑ)�d��|\�GȨnh~ZЏMb߯2㷁U�%%3p=Mbi.=�3��K"0eaRnhb~%�Ƅ�~��7<:M"7��|na�6,J�.F
綻��'�8�F�YzLژmCN~8��eo@ђ+PgQ; wFdN)�
g/κ$;d�<�Jdҏ,�MI2(ԘTS�_Ex3hH~#u|'.iǡ�į/$#9 �x��C]|Dp8icm�e{�.!^Db?������H�~�ۨNm8q���nƧ�LD J}�zq#Ϋya�j~"φ&KJ/!B"a5�,J%R�a�X(?
Q&js�6D}
�.0
V��W�O��(�2=X"f�n>θ؞�s�W#q�_i>}>��)}Wkp��f�h�d%�rz{�G��@�2vkO"�;�7j
E�/7��!C7g�3'x�er./VkDs4n�{�!IғIHV�dJTsɕ7J�?ՕٺFst.אCf<ţ(2"*U2{f�Nh*�\UcE�� ��x��O��{{]ϭ曉��PcDZ�/�h;Q�pC#ߥ�{AK[;86�ɿͤ�y5:q>=���Ao\7"�aCp쁢+vgw7,l^PzVӊ&QcLh8(aO!mK�E(y"�Q(?{"�N_%#}VFB�؎f8�(�8R�w!oG#>�7?�7 W{cw�z�m-��D8:+(�,-mc����TCx�oI_%o#kg��'/-yRaw�lV��v+~J^�ǞȅWrU gr�xu�!N%qhz$ ڟDQOTIFIYK�X��ı/V$�f!�jYfৱ@�&,/3��|g�;|4�Ƨw=ː�͋=w?p�G�IxH&�@P�吟9U�/�(4?~<�I[�93OT)Opx~�;y>Bs?^+~�z:�u�bI{���J�Bg��@iy��6olV"�yJOG=~�u�G=z8B3;_}|/�;8+�/0"W�Ql,#.AnL$-ɬlPwN6~̐)U3p3����Mo5�×�*�U#I�:�={�
_nH�(YOH᮹Us7�� >:�I(@F+E,_9PT~̙LmN
4䥳;�ˈ08ۣ�ȁ�ws4g�*9e~Cˌ��/
ǣ�=T@z�"iY�nR#+�U|��<0 LT:4_Ў�\JF>Z[Icǔ�+JD*4rC>n-�z_B0|e��]EPoLAumg>7Q?M(ar/+�pmg_c[A��u�nì#XLe1�ׁ5f>��c~<���q$r np<-�xQHOu�"
R-~=��"H` @�= n.�p3}�:Xk���\)ķ~.s7;`$=�A緛g����b娄pԆlv2PzTPu:� ~�_bz' �~�Eqˮ|W讳1*r�I�p�[$3#lX4�yODY�
H�K/U9)͟�R�!0ďAh;9�~ٳ�ɉC� |�ۃ�UZ'S|*1
م$�W��<2&+VFe�7�|ZQ8�P%xA%] דW��#/9y �!�9�^i(R+俼Zʌ*d_}�,"68O79O#|ɹS�G�$r+P 鎛x=vTPv�bz���.A��u.�)<Χ}# =V�U
4{`A`?UJ[B�]Fn�/�wXT֏Qv�qkLip�{^3!Ze�+}@Y/�4;
/�q��1n���!v�;�dX!q�AK,"/#�>VTwq!W�Loo䳆ˆp��BUiWoʏ>"vn%VVB}Eܚ."S�|r?0]ޏܐ�y�"�3
M4'��o˺o�Fs:ORS �zY��j#�O%2ԃmv6�X)�Re!�|�lD|?}*Pu��l�)Pֶouj OD�MKBz{��
T��Xb껋e8F�Me"ge:кyr)Q�Q~dM�Z{¯,#n���ڪ²"KWleߴ5ցZku-6�y~;�㔍aSm)e?�m5Δkk�Te m$Rw� Ne^4�;��#�9�߉*D%DPup2{ 3�.jbi%I$QG�B%CP�,st�̿u�1d=�b屻+�U~=+|$%t|f&�,gT>1zu11/#)lz�1c�aOF�8U �����}ƾʻDaE%SYr�g�p(>T�hP1�Mْ�JL͢N"$�R��ŝ���y>T@KƊ�+>sT>d1�S+vo5Z����WGG�g�C3'[Or�9@B2̓ �Zv8�:Z;�W/j�/�<��A9j�R�G|_H
>B^ʓ+�pDj.顿p�M""f�}Dijɔ�#Hה$D p](y��&��~e$dD��8O8ΉT�Q/G)o\ �akʓ!yjzԆZ>���IR�\�ΡO,{mnaε9#yRۏtWMD C~,D|qQ�Slp4G�;D�~C1�B>`].n'sC`�U7*2��.-n~M% ]0Ͻgۺ|7�z)?aV�[=]ac�?�cfeVa{ТE
N}q�
>ϩ4Zx,D�Gg33�z�<8'GbW8do�/#�z|̖LY)Ua���H���-Ebw@�}Qx\=M}orvr�r"�C�?%d�jօK�O3��pH�.)W.( "サ/yļϴ�KȥW�/ux�2{it<
~u�Ѫ>z�e1�
c�~`:�Ƨ��/ˈ9�5Y
G vVGI��쌔Hp_��2+m`\?��6˥ +s~]�pHk\¢�U|0A豳sYGpNY�U8��[2 @Df�O�wUHJ!,~�W�\Bv�
p#Z~y�1
XU�)J�(ك\C�R֥�IQ|X�p��|/)3)2rNY`u�jh�-~bߧ¿uΧS�3x<ۗ*�(-�ri
`ls_vG_1tf:/AFs �5�gRĖ�10A>.�V�+E3uΐӛi\6��e4ӕ$GGdx��LPT�5BT�F"̗XN8{��..���|a՝f{맴3w��H?oF�~:Ygv�G+K�$�)HQ|ذy�;/aҪ~I%�R*�Hvoe$eg+a+r�%VrJP<\~__ݗdwvӪ�e;|�S�Hy:xЗl*i�"Ҏzly3ƴU5gNts�r=(y�}=:8\S�{Uwꡞ@}qL^UoOJ'dB�\��3=�C�<0�'}K��C#C/H_#=B�'د\з'{ˑSNLpOQ�$�r$�}9K/��దOuE9�fb\p#jF*>"i��pY�S�#S�B�F@�tƩ��ZoEk7��͒gy;�n�24;�LLKJ�=̖VOp^�M:U"z�LTB}4Q�n+vEM�\�iCg�sz{�63=$G瑈A89wOww;S$[Nd�C.MW$j|����pͦ5r^Y]:⾮�<,�Ibb�r,6_n|+.�7aG8%��ytjC| y.~|4alLy�?߷v�6��0,-�i�xUstH&7Er!ӕyb1�tI:NZk7�A*Ѿ$�县[��OeƹEDGV]\zz b/ u%3�[]4L�$�2O�=�!{*8�kT�mFK*�Tuׇ^]|6M�iBslz�.�q�<4L(h�sJZ�}kY�kCٸXm<306-39.�(
~ɫ:���_�^�Eٙ.}W��ި#EUv�gqƁ<@w4|8��w`&OF8s7�"6�a[{�4Te':�h{�͈ߍG+z+ez&/l�gc
Ha8$\�S)(֥�W���i\5�8Є�p8?)�?�T�ϛ�~�9K�DpC3=��aн7;|�7w։"!}9t�ׇc?E�pt \q5]*"�SU$U\]z�hm��'3PWM�)�TXr3a+��ﰮC[�?i�/G\\ߴ^|r8{RJ)K_m�$Qj�UJ)=(�=
(9�X(,Vu2�xvFc �!WwS~{�NW<'.zI:Xӓ}J<:5q�1]%��.+,`B猐�d>^N2&qǵ/���jo>~@|'Bg^�u&8wwS:p/¬@H}k%�%`�F?`8rr�3�~5����ė",�w�
^=wfKj6%3�MR�"R�_�Y91f�(&I(ϭd+Gx��
�i�>_:bg=W|}���yb�rTYxR��~J^EV/WU]weOǞ4X%�;MSȓF��c�.wD�L��X8s��ѡ�JFzt�o�Q-^Wr{7L]ΥֳKX'^y�oa'��,t��n4}�=�*qؖ[�dk'#+R�2l�Gn�`BXEZ0Plw&=1vK�HG>[�#�߲ȕL�"faŔ�bGmrr"�_!ǯ�s"G/N]vd6+4�@s/O(oߎ��ѫ{ogna�~<�7�IC\mg3j$%��f�r?]uWZy�x;��^]4K�ϷFr�4#"B;N)�m;}G4�-�!Ԏqz��^?Uo�Y4LמY-o]V/NodBڽB�ARҊ�6L��%�j[�?
Gi{g�]&g�eiòrYFO*v
rr]e�Z�$FgP` �F
a�M#�x�a~�`�ri��҂�B����@��x�qc,Hc=z�um\^6�E:}9`�.f!.DmU!�Bw2�t$�(�5��/ܫVlH�wj;{xHZsC�|�q�{q[mCg=P0�۫mj/�._�.W�:I�'��^�E�L�;ƭ~Pr�_r�JC:p{5ΣD�F?.#�#<Ρcda/zMC6'�]y0O1`u8�iQǩ� g 8{kł'�<�W)l#$Ní@X`AWr
�C[dŰ/R^|2H6Bdr^y3^=Mo/k�x�^qh��e�.�ȶ`�au߿'�|^|=v�a�Olf˥ݗrXHCTwXCF��mk^◯hJ0F|:S �>ʉoO67ͪDvSZ:&y�Bԙ)*M׃?��麗&QH3�3[x���4+}o"!'S�bT6V~��,E/
?�K��Ă1T*ba'%�{s�$�z�_z�A_C#CM�)}��NJ=BrנXذ+#Eg6hnUZ�U#�̲�(^[$�(i�v+\�BlHd3)j�%Vl�d�'~QjPM'M�~�3
fE�-5Y��%!ȓ#d}��$;_8#�a!rQ41R�]n�䫑#�{��G;G!9#c� �ej]�
;�cȣcCcR%i�
�BUDgY�^x�̀G��w`
�bG#<#nI$JT+/g=syx쵢7s�~)e7-t�Nn^y�
mҺY�,A0�K[ďMnƛDWs,]�i-�%�W!dO+Ɛ'�$J`Pbd蓪-�ߙj3VdXXMɉ0�̸aN Z� Q0m]7n�m�,;B
e�q+-DdlҨa+
fm
("ˡ�#4W��yF0Zְ��
-�~q$q\6E�|>��'o�gqr.YJ�OU żf,c#(tu3�Ï+ &E9�G��ȷ�!5U�`hj2۬W����@J���Ld=�
Kyr
ܨ5M�p8Ct̳�+z+0J�-ji
dH$8Q8�Dj��QTK){R.3��k�o&��"0YZKSDl[E>zo7#eC�=L�z̈́�/KӰ
z�y�\""�H&EJc�T-�R('Z"e
�e?�30BX:^�'m֗f�tmG|/¯gB�3OLyi拝�Ptqn҂Ӑ:%_;l<
}P8XP;�M��T
es
�v8Jhj$��a�t=q&n�|~p W"|r�jO�GO'2�oDnd2)i^�ULTߞ�Ld�A�U� ~No/�EEޙ$fIBhSX'�g$ea_.�K��2w�%\
W"8�6��4�[ΎLĚ4ȃXԄwr t5Q|c�R4gj>�?D0Lq�SuU� x$,ƉΉge||p2M58EADإ�/]�|�v{d
mETlt.v�f;I̎HT�*8$�]͔��!,9fRR'$�ü)�[/֯W�>=` {`�aЕ�}@\RkO�.4sO;u�vϭug%O?1e9n"L �IbjR�_�' )0U� Ąd��SuݝpֈsB ̄��
��ۣb�Rm�}g�|2�:#o @XzG�m.S;(5%Ą#/7(9B3ZxC|�!�`O��'�"zLC?2�}SSuPdq*ɉ�:P¶o
;'UM�bE%
2ba4,!'JP.뱬Ygڨ`�YDհף8(
KINr��`2AE<�Ic�cGD>�?"�.�qD
&a�^6Mfmh",��x����3&&"l�N1>QMP�}:8
t$ĝXHĆ83hO,ԋ�F�6w"�ku��
pQgCS>^߃h�w�uҎi8X�G4�5�Èdzv$
�ޗ�{-ֻ[ʼ]ȪL'�AmMn-u*L
�
@ಬ�#7p�]�s!�oU�S(�K*+*
[?`m!�Ua:aKA��bk� �'r_>\>s���}g[ѢJ7)?J�N�)
pos�"'�f,��UA8��\U^9�t/N�V`�Nn"%QԶH �29��Vv0K~^��QW r1va埁5Ґ0-*�W
*pE�AY�TTu�
[��eXөj
<�o��t02J8ۧ�j;%0���A�Cы6wMc]ߴa�=9�r̙�{} �RX6'B?Z�%+M88�B,'ʡ�rʞr�I�?ݣrX9?TNDYkO%y�t98�_�B0Iwr
ֶҤ�gf%8v#崄�sWFL�T�a�3�5I1W!�5
��g�w|^�G~!n){|�C#`/IPhe�`]�oY|�b[^:证�W׃5a)s�*
WN\M��ߐ7d�r&�!�fRQĭ�cjzD|.95A=l??�pf�,kR&���l�1��3l!]`9i-ii1]p�&�/$ՐaK1F�9xIF�ahmGyRKz^�H'!,*Da�E A9YOOfdv-����
j��iU�Hz�mu:a���1&dp pË́Yصw�
�>|�hG?��/�|�!T.h�՞&�H̒��AH�31"�
!�LMAMTFy�
iHZr�C{eh3z|ҡ~|��{��hW���yS%7;r�p3ysF�*�m TvyڿqKw�$٥�!���Dׅ�yM[K~65RQ����5ּ~0�Di��v�\xbS\~~�_"E!�3O9%�TYpSadSSp^3,�5B=٫'I�>��-
i㢟{m����ܹeU!O`vR'A�C#Jh�z�vmr�Q~\�ķ@buAy�NGAQ⎪(WP]L3
u@D�pmk=%|�CpI�~@׃d֟X_~|v ^|/]PiK+L}�2MQb3ۆ� *��؟}:No����M.Wq6�oaFcbX9�4A�r�Wdz��F}W}��r�:�LS�~/o~u�d
j/XJ�2F")'LHH�JlTy_{> '.9oLw�I9}<,h6B@<*�Pgɓ)�+CGC@g�C�}�u鉭k}8?.k�::p#[ҜaH�kt��хn"Yd��WtDK&�^B2p$X"ML^q�=X�е��v/
g�[ڽ]^smSs$
Ub
x��"��r�5,�ȅث#r.$tƸVy{l��a7̧�'A�Ӭ|輠�0G��^��=g*mlSUC(P�+6�c6�E$�YjH$<8��9KT�� '5$�!UK6�iu�!]��ÚIf3OƧ�QezH&Q/LV <�7�� ]�JI�{;67߸ȣ�[(4IH:r"<"G2Hp8`|�FS/��Gx_8˻\Xg%݀����{ &)EX�7 �Ƥ5ǘc/'��W��"_zr�r/�7XsF"�=FҞ!j�Y1ג���S}Azdϛ�G|
%VL�7aTx\3¿*=B^m55T-��ٺ�,<ʽ� �JH1�}!f�L2tY>��iTc�] qS6bbn�N{+�>�+�X���$���~ͼq
�Sȕ�+�$Is)BRh`+61S]lt�7Ƃ�Y^CPE�/}DT~@iAXP�8y�
�DI�ZX=O �=M��dq�VM
y�) C0P!ͯ<7li�Üh�Bd�ohYCZ}���/�/�@KKj*��Id�p"�,�`E|���"V#\{I7Zy��říy�_���K�mqg"~;Y}{Զ�>t#k�I)�-8��?44q�a09�Od+@�+!:w��1Z�6$�ӌX"�D+b�eM�aEZlX�&
=Y�>�o,ͦ6J6А�\$ZZ2̻}`$1oU0�~\�w7�OcCsusmy��#"}W�6b=+�j�gy?LC\�+G.>G=nf"?/ �.�i
�Z�u�[WttbGϚeK6vXwk[8ES�].o7u}{Ү.�o�vq�v}{P�wykb�tZ.me~w�tyW,=e'NFJJ �C�C<=q^S�9Yd�.̐
K�z:rx�F�G%J�Mq$�U�X>Ts��!�!a.�jΰH�аDZlHI!ZbIFRA͔QN�4JR�$;14M
̬N/cxSD
Csb2��D�%�fAv-rmA�AƤT2Y7J�qBb9:4=>4ͽN�>Y^�wϽu}�Ay`�O�5=�/)�qC'slx{:ҽ_1|{5CܗW�e��N^�Dz�_X_?v��Սu}YӢq�yn7N8T]%Nkc�>,B(�
�
�ꞑ��T2ND0N",� �( b��v�<Ε{Q(Q/QW�24�RFsw�WB⪬9<;0~ylOl�",b
J4� �'dUU.c!rءt
J8wSkE�G˂�][G^Rk�u-��4Y]S(NrTMz+|l=)L5OPT
�h%QPbB�QFRV&BƧ�b^B~}ty0O�#W�Մ
+8u�t�kFb�]%뛄YtYä��ou͓�7xVTxHiGT^P�
Xo%!�% V��]5P~ ?cT�nHC�6(Z�J�O0�Jr�i`w3�f1p>),48C:�y��n9�r�Lq˒T�E$X=�QQ,,A�ɆW?ڠ'#>�aڠwΒ�z�Uw{�5U\ذ}��{mYS|lQeXX�$e1(b!f�ȸ^�v�el�*��k�BX]|+QCte@��?WψNWì��K1M+w[:��\:�UWI�VT'}loy�)�Ԃ%��)]óeoKe�s_ƭb��J a==�N2Qډ*ԯ_��DmD;�B�˧ ~b-=Qv^IuͿ�W��7_�[z`X<Q�!t�t.W��P.���
uw�j;ǩMy�,]>ōH^?W/%!�9J&��rh1=�Jlm/A'0@�I�q�c�ʚעw�a9��LnP�v��)!y#LP!�2=�P"oiYz*@
�ZXq|S"k^�5�PqU�7�]?v~W4�a^6Yt^kN5,kjծ
q��onVed��|�-mN'�yE-_I)kB�"\t@~�yWzD�QYEBLxY�a35PT�ɞ.��Ps|V�Y)�`3s#nAI�o��$I+,еDo�W�\|
H� ��!�lyo8s]ik�3rTUh4Ο�J-y"E�ئ=��V�q{lt7�4}jg=�:{6~y~QB^7 p{ ۶- �K�1_7)�fs5R=铜%v26)lmf\�"[\uq�G 9xNw(5�g^!6Y�ҥ�B�}ù�^(J]y�L�u�\�lJ�Xe
aQA>j,kڎN00Z��[xCYb~^F`pzf�pޮLMM�tNs�ЇD��
Oh�P9���xL)�`o*-6M�GsEiZo�L'�jPz?#oims
�dpʋ*d\5=g@�u4/EP�<]an9!f9\sř
S�7S,Iqp�䭪MU*pA=/T§'z{92l��I*�b=z�+T_��QZ֦\5"��K]�*QTa5�_Wǡ�Ƣ�6���x\X>@{"]?d:؈
DT"g;vH䄋c4Zbj&
k&af�.�zHnv�s<\�k�oaM<�-�T4p�h�vZb�V�uRx�2M`c3yV�9��ߍN/6y|HC>:Es݉ɍw~|ܢ�
7ܫ%K:G]o
=zD�L&�s"˗ ��QGa��g!PE�lȕ~ԳAIgzv]Ub:+ �ɐ{SĸGzOMi.M<�RU�p0dS ]\]f@ַE?E%9N�L!�-*WG]m�u�^f�Sb5ٸ`ρSQ���/&�!�f#<3�u4�ա }�2G��m�gtDF0mmjkUD�u�sG#ނys0/�FM7XI߭ذěEtWQm9\@|k>4l0Y&6I6Q1T1(db^j2rbnRFܬ���'>Lt��牗Q�y�Ԉi�=xL}�_!IOsןX^"jU4��/#�5ޣm�;lyt-dpBbR23|US7Qbѳub�I4-]^��Sa��+|$�dz]GsC8C(]k$?v��ѢB1�7�V:Lֈ.w=
�[.H�oy݁R}gэA��nl��]��n<вx]U 5BX.�m"6Đ<%Yĵ6ݢkFD��(Cț$�_,{κ)/� ^pM�a�n�wmR˗W�W�,lpQ�zK`%)�)p8����,��!1[X` LFvm� �Hkj6<�lPC��i!YBja$m�nEG
zsO!>�v�_p'VuCfO�*gW��]^f-(�:6:yL�F�*,DP/h}:�-+ �u$U鞵Zݝfy��KZ!�_zQ�Yz@V�_l��%��-Dc݆*qj.�qc&C��>@�>x���i�]/�Х
R�!vfF4�zbnV�hn /Y�[viTT@�j�lfb"ȿ1�0%"3 0{2@'
;vH=M=pk@�vcI?w'zמ)Ѕ^;t\lGp|:u.*F"%
W�\;kI2$Ub�(
Uޛ�ߖ`\ju[:[zۖ;>�`UW|Wf�e *a}=c�&SD|8�/5�0skP��ᾭ'~x\jk:K6bOea�5z>t�sui7�ڼ`f�Ց&:qd9 9WP2,FD{H�e
XJ��k"3ɐ> $«\�~%:�2ȨH-g#^P[G{εx}m^}�v:'$iq]p�z{qm}7̯�U�GU-=�v�43%2ph$s-!d-B�Q4�|eU^x����y�}o�976,Ho]SeƊ�7&vOy&v�rxH6R2\�1r:'G:b(�fZAIREp}�J_K~E&iae:��QD&^#1�$�+9
[�@@40�e%�z3�F_4'?�߁��~,Axt��|�%4nB6��2iIz�nw5`��d9IY_�vWS@%�BYGj"WRQ뷵$3�t2���,Id;cJ4-1�00%LK� 1"۩�(됒�1Z3t5NNcF2D�
%}\==�捴;AD}g^vNn`o,�uMͭtϔZ�3�f$4�'�PJp@{&֕G�B=`HLIL�X�5ZD�(;}Ǻ)r.nXX,JGA*JeUpN]w!~6w�
"||WGyu}-E964,^D;u.mnz�y�m$��g�f032�8C15C
R��b F/�F��2L����r'*�mdf�~wҸ]�s)0�a�ktLTFsVWUw�w>�n?�G'��noAc\'E4U�L2tcaD1E.+pv`ߥɾ~{OP?7#~�{�D+^ω�.g~E�(_"�2Ph�7"P��:=et
ˎ�rw4r5�J SK~=3�;�ip+eTj(/8$�wk+=ٟ�S?�i&_mK�<.3>1�ZfTJv
=uDR�fWJg�=Vi"A/SM� _V'
G&F�-��㋉`9�5Y<}n*(]�XT~��C��*�6�K�U*��Ή�gFB2C��g=6ϫ]�;��Kw��~��v}k;v
/uY_��v]~�8�m)��ɐZne�ٕV⪢ꊓX+tswQп%v���?C}JF[iEb\c��>/J. ���p��"K@5�nIzIE9�)<}ݝZMjB< �%0�FBKp&aXL��Ȧ
�ږ\Hga+1$�2/8�(#i�㡠>�!�Y�<�
g3���K-9�[E[��{`_A*.nxp<ߺ_x��_|qDߐ�7DՎ@'>F�zR$40�d4Q=Yd)<��r2'j&B$A+d:�3[jz��z�{X�@��kMn�GđZn&�Ub'G�"!iG$ǍAE#T�QOaĚ *Y���($1Jz�;�U�d/`<˨�;ui[5i?s�J侊 j�L0D�5|fNش/�obٴUYVyu/��5&?g"4��/1z x̏C˿;!O=)Pm[}.O!x��r�^ui:@E^rӝD��g�RsLc�1+BQT�X6M �<��Q�y_Y+�')\GX
DuvL'W?>�15Ίx:Ċa`�S[(_�F]C�H6a�B�1b;�a��ɫ*��p9A鷄�̈́����A?DN%KD9xҐS} 'x.7 ~'}t_3VwOQhnr7V���@m=]�ߎ
_\*.D%TQNf��F.F��{A�2HŽ��d:i�RB6�MntNFsn4��PO^lj*QSm��iyv"!cA��r |t Z}H�PD$"LO.Ub Kg40�O&�+6VkPG��P�{H/uղS3�$s(Ot9I@cQ�JY�aOFv0U!yx]ԍ�}Ğ�͵
M~xeu�`W8?�NR�vb�& t-MH\[4dSl[J���G�>��? .? %m^y3�E
ؕ�D�AWO��`
1�yx�3
vKg!O����z2?�jٍWuu*�UW��6����C1ɠ�姐_ $?�Ǧ�i$^Ox��},iugZ�!j��ؐ�Hy6d!IR�Bu@2ŊZJq�Yb���$kţ3�}�CT /۪�Pg�bmWΡtXP尪#�,dP�æ,��,{�WB�&LdUt @�}꧃8A
f5ľ
FDD:,Jb�P2�γY�GG!n|*7;t �~C$�Yv#X|!�=�07-11A.=:�[4d�kJmrhf"e8P~6w҇ċ�d=�Cm��gIL�gm}'ek{M+e�ce��:�G�qP;J
�gő!'nD�]>���J+�_"~3[3u�V�ᅪ5GA�ͦ�Ib^)i5Or|L�A"��5��yqϗcCn~d%:wtZl#'*8�c 6aD2�'!UM�YR!�2
=�)/{�*#*�=rN�_)�~%N`50Qd0Qo�7*Q��_P:ק ?�Gٟ3�4�*FHY#o,
K1Z
֑D|+=�COw�-]}|y�,�dE�0BB[:1*Hta6!PdVݤ�r�aRt Y��fH4}xd�R�MIVTE
Q7�D̝3P0}(վs=J�@8\@ߌA:�y~Ft/`'ϯ^8�:vH�7�[{zq{\�`2�B�E�&Ui�B(��+ԐͰHx,1^'�TD�_7�[72ƨ�ҭGtrƙiFz2�mk��yxd6`�ʩ2g�u2�^W�$JQp$98H�ֱ?2DLXGp�un'��T tf)[ȅ`(�&pW-3���ώ 4�gOI立:�W~�c~��
@9ה:Z
coay>h�M�(]
7m�:ǣsK|3w R0? g'^v�ש��c�NSf}[5sRЏ̗AJCz9` |)z5-]\.�չ#����L�V�;*�y~�k�Pvߋrmx97EQ'ڕy�HV\Ӫ[fUvkM
Ym/̺i
I�UB'���"=�\^ g) \J�xHW~�_n]٢��Pllv7s}3ŶrV9J�35A�]Q>,jk�%.V'�y�HEGoj@O?G {]^$4~buKO[nk%Uz-|*/*:Õe��i_t/Fi^
LjSr;�P6ߍ}Ո?bqwhR:o4w�7�aa<8�!Wz��]]d.{m~=L�;�Nf*R�N�a��}+p̓u{��8p�Kҷx5f [k!EGPm;[NDe^Ue5$G'!DQ7_Z82T\CYN)U1C�6��['㵠]@�akAy/�~Ǐ=��}
Tt�
rP=ěZsk�z�Ix�`g,?W�;=?�K@/yt"Q}!J��dP�e(��j2{^_9# s}�ev٥oK�}!~�1mC�;SKòJd��^$s�!�%1d��e'�'#�Ker��<ˬ8rұ8�_G�Cg(_vmo6g��˗ۍFkh3j8Z50&);�z{��95#:�?|0}+.}[~YҫFFI,p�9�+AReO/t7;^>�S��V3hw�^�ּ遯0QqdI߀%`���OwJ̹_WzK?"�^=:�ǨQ#���ad7�#�!KȓiXB]s$fvo�~�סSAv[��_zYW,k@
�x�BGrqk_>ںo�nUF6-`�,9h|w9n7574-�]:?,�>W)I�2vCcK]=i]I*�Jq?=]F1q,(I)VbRұ�t�tTxpt^t<$�I6�ݟqw8:$1sW4,o]rZfCIb�s;qB\~:�]nƥ]JRJp�isxo��0�o�?�NjIMNN ĎX
F1�2t<̕=ĿB���0ݣ.~^t�@&�-T�5t}�s��T'_�}�|�O�-T�-h$>{qA�RE![GbįE���> 祭r/Nպ#u�X�m~[4a%ؽӇsx�;pB(�A젅Nj ��5�?�)
DseQ�vi�~dF6P^MsT�M=0��:BIŵ�\I`ZrEI�Z.OǞ9v�<.S�'q���8COE>�9$|�'�|мz5�rr"5]e�-|SqV�F)l�AP-#|#eȸ�dP)�:~#�g+ү8�SX���ko�+F4u^�;:�
Qi\"Y0 2�߱<�(?Ĥ��>=Lr[V�AT"ȇK
5���_$-iLb şLS|)iY�f,33[>N���؇x=i�GXpQ��"znc5�r�я�QɊR�o:hQ-5�j�"�zI(O�p6Z�|
陉=�3st#-7?�4htLF=^L�z�!4��L�}-�LO
�zk�_W{��aGN�wljêP.[;9p>T�ϤupR��B7r!EIR�,L�"��PF1lT�Iӕ$'2Vn%�ԍ$#He=DЌ�㈖n�J��YAH
�:3l "d�G�_wB�sDQd�|FZ�S1OF
�X(�CƇ"-(߯)&[HUn<Ǟ|
A|�BǞw�u�߂�6���tQvU�E��(X�*sI�vծ��~"4Z�.P8̵:vkoSպvꦪI"\�F"8P��gF�H(8S�S�2M�6�[#9ܿHDJfMA�<�'� b�d�|\�F!i,z9~�҉|*[g�T//�&s�?==>�@(ke#ޯ�3lU|��ħFG3؆} �So ~8E5�jL'ဌ)'́r"T@�a�S^�*w+�Ʈu�()�F?@=dJo0!��BM�qϱ,Qd`Y¢;O=x��z|0>�P;�G^�缗74ԯ�ݰ!FwgT;h�ef
�\�OMC0]�2qK�.N�':Vh,�:M0�U� gdoO���\�g3&���k#Q��ί|+} #8�i�-�D:)]ө> 5yB�[�aC7ׅ��j
Ȝ̦h�6;�rkH��n=O6R�uMPOj;8�C�_R(�j�v?reM
�(�0[sݰcN?��ϼvr���N;h�Sώ�*fNe^9�F�5<�SU[D�s���A`֢�覊��i�":HG=Q�J/�X��.6�apsx:ReM�D;�Y-Q�6mhAdV�JU
x!~h3XA�~��x}� |u7�By8%�[W6w�dh1ptG\t"2?�\TmYH[9}")�dHL?I7�{t�>SJ��M7F){�_�#�V.B[t�s5a�e$���D�t4-\�
TJ֨&c탊mu!4�Ƃyvw�~vP2�G�O�#~>y �'2Bt�3;oW 2/~K �_GȣL~~~Ô����2j\?�YB3�q}ap:��FQ
ߵ,@�\�Bp#�]ܦ���δM�&@v8c�0�@�;B}1 VD0^$Nw~���?xIC|{(VyqKP)y��c9S
�Y#dKOя82���6~ĿCP~�7>ΡnjzHzm2M' m=J:ӫ5v+߾k@.,Qʶ>e��n_#כ8*�HCC
.3$$�B�=aɍl�J3L@?6//hwm8�zC�ot�'7U`M˕�ݶ<�"'#U[Z{�+HJ8�ꮝf@QY��Axo:�!%#�3�|p2R^T?{:�%�4�V^ckl8Jly'3�Qs"h�pBt�1t�~��[, ~/_m8$#d�^%]V~7R\F-�H\i^(�����t��\6RY�MgY��t<!iRQ],�$Rf()�xs/^;�{7�w:ۊ"4�) `}b�mn~Ʊ9/B8W� ���Oo�f{���Ca@sPE �sopxޢѿh
h|n_�y��z,�k3HlRVt}Pg
R��+�s쨩744;,]�f* 5DJSNrwv>�G�Btc�xHƋ�CWs}lqM %t@1h YmeBP^W|=e^_)ʳ�Jr`4~71�U�R.E;�oGG=Io]m�k�Arvb~$Iυ�gmd��{F:]�/�u>4ن!u)O"=�a��>;{��8?ǿ��I��"|H3_ۻg}�;
z�>��L�LL:Ts�N}^mE*W6Qs,0�?2�0ylAM�4֯@ȹx.�z�%Z}(�v�䖿-��ᣘg��=Ohl)@aksδ�J�m0 �4lQ�l��e�:8#5�S8b6?�XsQ�O'`u��<��
�w~{)ğGOO{�Լ<ܔ1FX4qaӘ��x��8�x�]�K22gYtl�Jw2ehos{iL.�9�ZV�kpf|&|*_
%z�8}N�"J� i�v,W9a=)*~�P[Y8k"��rtԳ�}h�_1H�
~kܼ[ţ�=_c�s�vڰlɂ�+ꛛ�V}vƫ�O|ݷ:Դ?��7AʠO)r��/Rm٫X�/� <'o?1��}ɳ��Py1�2ͼ*Ӱ<>! (�dSk+h���-ҷ쟪`,]#i#,
����1Y!~Z�%ͬL�/�#�jf}�i`=ȓ [9͕�T�ÎS>K@@X�1e-$�j:�|,Iy
@��3)_8vݩh��lX5�qQ
(*CDY~0&꿑
_���
�L��x�%X|44t1eJ�ʇ&P'(�y!.B����Ѳ�smg"_SDBſ(dȓ�
BX�},ܿS�k�V0�!�otk"Z¹G�#E?!r&@l}4=-��Pͯ b�hub֤4d^жQn:hwRxR5>* �|B�
��1MuvQ�ζ�x_UCslm ,
t��{*�h["�YB{&X
�1,W��3
n*.
�?�[�jOrK. g`#�V$2t(�?*ԻxCQo`Ol4WJ+IT,�-;�]]�@F>P^lmo~+#E�(�f-�7Pm>t�@ـQ4d�8�c#PLHY�Ɋ9�]Àb��fc�_E<
jX_OLBB쒟��B?�y��Q7�Ca7\\Z\uhG5؟i�4_4uIj^LfK�0�Bc���PHjJWS���RB1>#^��7XMO&�b�
SX�V~;-+6��B�
b)ib�Ւ�
Ի]W3|�94|�ho���sjBMR
����kz�
�E鎗�8����<;��̳{D�ӝ\9t`,ܜ0Q(%չF_rT��:yK4ѫT�l67�l$�DKwnE2�/F(�F"~)BD��N�iTSck<@Gq�Um_ѝ���r�
ym�3>�V��@
~O� )y`f �l_C",4Tp�B��\V,�m
Uƿ�={5h}PhuW+~ź =�\]f9l_0�۞l
'K2ZZ\�H/V�Ỳ^zN�� I:huy=컝\f��B ';[�Oa/s|�v�{�\OE]�v#��>�2����Gw7�#y�;^'k|("Зs:S7h\@�e
¥!�
�G�~K5E}#���A$6�OA�QqR�$߈ Uf:t'K"f{9�3\w;կF|�ca�G\D�I8O:ȉ75q&My=mJоn�ْf)/��
_9�Sd0�Gsn&$+�9,C{3K/�,%(B>G��-"�>E{w�'�ޒ��r`#Hoq��Ӎ5�8;�p� =a�_! K8+%9�=�ޡg(TE"gpD�|�^!~ ºDoل��U-3FN6({(yUt�Mv;WZ3$&�I?Pv�XH :�~��|(St��>uR<{
u�SX_><9ҹ9�ًM+V.ilX�F|
l��~qRp�})O�ubIɻ2�m܅�E'~�oNO/4b`2n7B!�RLZΧ3`
1�s�KQ<
|T?oE؝gV�#�.Hsq83��Z�w�>퐞/@ePx5(�97Q�t:;pr�u� �@1W>#�~USW�><=P/� 2HL菬��I`%f@hPa�!1S/a�@ �_�m�Yf/b?$ܓNB+%`"Hjs>B0�;f&)aR�ՀC�μ_�=x� tO/x�7x~U�Vڹҿ3;,^�~�><_V6AM,ǃ�3�#`)I1*�C��'u"Ym_�z�#�B��#yRqu[:q~C=5
ݪ�ξhס%{@v;'m\I r_HЙ�7�EZ�D
#Z8$5C{M�B!x.A�B
{�"�|��)�!Wh�;���.京SN=ceKδû*iUv<<-+�P\�8^t;P df{Ի�쯭m_;�ΑPhn�C (=�0ߞ@��'h2,�D��pܜmr'7|@><�v4q�s[hnU�=4b�Wiq�S0���~�� �%8|o^�Mi/�ӳIOO8��'!tS ǡ8ԣ
մ|yS#(�*DE���%F3r
3s��yo�?&u?/s<\F��Rr=ɼ�~D6�.joQzUy!�A2B Wfj5>F F�2;z_cA^&oF_\}{ēz0ҫW�pe�WzcU84mGi-MNk٫kbR[hXa~+>jqćz~;C:�
3?��ȸ4�4COs%?q��E��J���_@�>/B >\sǬFBY$5PRHDv}Sȣ]S>��͔? '%?/hvu3۩p<وB�AG.~�_�==~MF| ==~nOz��~#NX;6nЎ�q�z,d-G.�
Q S<$�k2P?�4ud}ק,�زfst!SEyuͫ(�
�oQrʩ+:ë4_=}1�{�qd>;5y{~7id/��2y¤GA|i*a�-L/GkD_�W|;.4AqJ� [OEZn>O���A��P����=,�@Tz���NF}(��rmt /İJ
&)z.,/KbB�?:'>f��Vt$_G[
�a�\Aa+IR焇��)ր�n٩�!~_oFkY1#"l,v�緞`T~Y
�X�^x�_";xƹK#rz�:NSzc}d_3�?|k_�q~t�~B:썝=MX�/ <�UjZ%L%�EZB+
T�A;lxO=nׇ�kpPJK@�4���I�(r�7I1ϪD)?yH
�,]hӓ��9c2&$ᠧY"UC&4*���=U$J)4��(|է#ZKd)�ye"ƄҢT+J��/�_v5
D�*>�QIۄ�7)iJ�mڔ�5%�v��Gv|ՋY9�.h�ٓ%�at�QH�Z�Cp6�!��P&�(J]��Ηfz)6S��
='4009:*7<чR�5zT+
MgiuaXXwGT
M`1fj$@p8-;!-|T0ɮumU_O�G|)BS_ϿH�?�N�/!֎_bI
��$)5Az�=,=R;F#=[e�;�U�Nu%^#~��Oo�%=Ɩ�Qr
uһԠ��~�zj7Dn7/y:Ntftk�sE\:
;б>�߉+� )uTZ=ټd�ݪQII�zs"�>t?ƧKU2?$=u�4�3'@~PlAe�^��i�.�/QŢ^T�X�'�ijR*�c~6!�^*%R?F|�R?�e�u>o㞃Z|M�X({sִ&�/�F�Ό"҆&�M悐Y~M�ӷ&��o�P#ihCo@�$L*Q:a9EN}˼�ߎVWߤrFz -ws�y�:R}si%ʬv/:`y�KvA.7^SerU}W�6A|�|��Ջ�$�.oqXǏldC_�?O`2{�0M^Urr�D%�LJ'o#l_y|w Z|>E�IhMȈȈ.A
�|R~b�f���$�>��}�"J�d}�t�*|Ѽ=n<>(,�_YîQ5F}{8z%HOv+2wZa\_#��)t/y/f8RU*�X&��i�IY
%DӰ�鳳�]ó
�v�x�
�X}nc�ğFYUE:�6|供�g�Nۺ>~�;���]a�e[�F5>Rd!Y5"f=-W�+pd��[:0~
+Z64�w$K5*crP+vʻ>��]wGn6��FX\�$��=آƐ�J�Ru�DQ�PANCP�2:�[ �� �g ~�5X�Ӄ�Uw/k5K|d��H�:8u1ȿioRJf
=J�G��5K#X-#7aw@d]�`wa֫bWB8eW��-km��;a|hͪn~2s@�I&�UNgn/'(haw0T!F*dU�i�u��4ԕcC<:x;x|�Ga�:V: �n+##˨FD�mGG��ʇzt�C|#1a%�aɑB3�H�2BQb2$1�Ukб�=��CvK{�ma$�;:}ھhm¥8Dh�μ�Ei2EO��-0Oԩ~��F�0�ЈcAwLJyZ:y�V͝!{0?}p'gSfs7�Ʊ��BױC?Q�ȴdW��ݿ+FL'\:��nCϺʇ�<)gkHZ(f#��GE�r'_;Bs�)�7rpFӊLF3�+�j~BA7SG�D(п*/&
"�B[B qJc{5JFzVzz���=;NS#CvǤp��3o8@�1(J-LAZE�oV
$*:dAؤͲz�S\c~��
]�=��'_]><5ޑ)mY&x�Hci}乺c0H�d%(kɐh�U{^�ʑ(4UTL{!J
־jǜ*�pB?"~3�|*>�tW,]8'�Fn�8m|29 �\ïkr'UQU|�R�EW-7G Fz
"
QV�u?�[D(� g;x{.t`dW��
Fx��8\�"
�1V?^h6�s}�aɧ54.K�H.Y�_D&G#.F!-8(8><,�v(��&�=�}R}��8B�6�MZhQѢB�3*
َ�
rj�k��j5�0~ACk3tM%M-rg~�`5nbc�#t͟Pa�>iyÌy+�Dy�}X7.0�S�%B/ �@�;v�/hƺc]G߅51tS
n(at�JW�<@e|�DH1R0�-V�8dw6p�5���-c=ykG.6.ƙxO�m67zS[)v0vƂ)viLI~J̅�s`:�$<}O��еl�'�P�_K�gF6�(Sq@HST�?ҜJEqOC8u�/nx �F�\-�u`Oh:��2;�.�W
B�[|`7鷨ʋ^�E�j*<*�xoo�ρ -�|�Lt *\r��ŧ��?7�3D[4IG7ۿr>!l��C~;9~>e슦]D:*7bْESW.G{)ef۩l-N��~ (|d7
8%1���J���}��o�B�\jF��A�գ"냠��銢�g}Çjt:08F&#��/F⸣ð{D�+ȟ s>_@�G4mL/!UwS�JY�MIΧrktuXÇbl��yǎg@���3`m?4IDj(Acs�&BC.�jg^k?z;sy튦s'jKXC��/R(w'��r&xU`��je���#%��9߁�QtJz�m?��w�{�EԵ.{}�_8l\xGG/K�OXMN�rӳ$J18lb)H2X2dÐ:1?�&z|S'1R8x�{ŋ5ng�'fo~���!j4oh4���+b$Of�B��JK#h7��J>�aBԷ�8n��JE�Ly/#�YH��o'�SO�=,�5UCSj���s10���j
�-�fmJ;i.ݬ`�|-fsxܨ��Ksm*|3��TI:�;l�t�4C *�@6F3XOB���/ﶱ���D|�'5�
))edXѭ?`{
Ƞ!s�G���[�F/4ڇA��B7YP�C�92�~"�|_E/z#r2$c�*$˙ P췃hY-�Վ=8]@�k�ȳ_�{�ZTKxqJZVb搭F&`}T'dV49KGdO>�:��Ni˵F�t�zY5
%-JBz�}MXOL׀}=VNl�pr�2LUn5tՀ_�0���'ǧZ 3I�趙,a>Ie���ԃ\İ`Z_��S�m/}Mp烦x�D)S2u��2gsr헉�{�3jaePr�Gc6�DE
\68�B??���[Gɬ_XZ+�m\
~6%\��`$6=hzgL1?K�ŔQ#%�}�l!ʷ;Et�o~�#�dwx�$᳸/��I4ͣg23�fOYnȥlɎ!dmD.Eۮ0r�5~翌nc�qvB�;4g4Xuk�%\yƇu.2�;�FbT÷H�.XQ;ݥ�/�Q2��5�x/�t�'9Q�'x�/ �7��K[iAjA�#OB:D@dI%KL%TN7��ӽOBaaKEUIFJǓ�i�ǔ�s5>�]xJE˖zcɳRΒ N~>ë��r_A00ڰB��ֺ'oJC'Jvˇ�SiG_6+)rc[���pL:ė͌OG,�bL�\! זUв&Ûi9�zvSNn-+:-�Ɲ��F'.4\ן.⬓�4Z꒳ޓ+h�rKa�>05XhI,�-LS
{O;�4cObB5>8+]s:ID�E]:?'p���ұ$�?��:Dɺ����gzA4ѵnyb�=|�Sf4;��1�g6f$/����W!QcN!@_3�co��OΘuyޅ�:DvH�pjשL}c�qu6#ٞ\�y�f�e\ڃ?z,hhi]t�u=�{mYܹ�\*#�ޭ
sp2T{�U9 �
\po�;�>?r2#�'wW=y�g*YETA�LL'O//n^� o]Fwo7�"`Ωt_L_�$VYїZ�HT۷�T!%�)n|fg�%%��i7q�d��?S��0�G?
nG@DU4dWQMnw9/�:�W1*"M�@|o^h�3�f͏gHJh 8U4D�C.U.IIȕ[zȴE�fa>U7�Ac|_v��/�d'ǩxѝU`9&m<,X�Z�-q&!\+ZoFؼ4wc5McOr2Ej'Tr>���HRu�K1�FI�4GzE/:�րv�=�,]\k.vBK(g'Z\|Emm'ļ���g8T�S :O
%RY�p�x;o͎��IMx2QOk�$[Q2�Ip7#4W _xsVZB&=MJdC� �j%C�krڽQ�^Il�G_b�$&=І<��]Z߿I�4
D("i�F4p;w�e�Uˬ
]�5�O'YgUΨ2�&ͧa'�O�Tx wmxy6V |�6ѿ)x|k6x.x�t[yN'kgh9$l[�7d|�?�^;bב]3cQąs#+7H|��ozM�3fWWUh�&L]:73|�wҸo�WOTΪ2Nyn?q>�߈do^r�e 7}a�u]d+���*�W�U3gVWWQ�" �/�|0�;{?jfT@(�ït[p�W��R�jEB+�P9}i�a÷5o}R[]5z&eV$2�)&g7}wJz2_R5b�@Hhe�_sA[g{�}~Q[I9 PR[a��\4��!7t_�V&?0˻Kޟ�$۬�;j �I~+WCz͘]�{� O1��˹�sCEH9?*ZGxW���WCQ:A<�պ/y�79,A{R($�~)ֻeB7�&ߋ|�)ۍ2�n3?�L#V%l("٘S��{Dwlp-Qp�X*{/&pJW�\�H*+N J� &�coh0ʤ
�XG��]v�+mp]|��G�33UջwhUp~|h>�����c\Q1�꿯���
V=eҵ?3�l僼yҪ[Fz{Q|�ގ�_<0?�f�M%O8wZqܙ�g1l�p�mpC45�^��Fz�*M8}68Y6�P�ᜲ8?N�c�� VykYv� tlȋ3=i3Lb��Y̾e��{�wW>*a p�Y̎��;">ӽ��6
^kmE0�e��p8K�Q!-}[]g��]�zڃtpRR0/h\xQN#>k �_���FCbu)l^p8OT!zH?�9�mu�ZӿW(bBӻJu"Nƕ!*�!c
5P�2,>gL?kp��A�s!7+,�F#���IE*&up#Hw{)m.EGܫ%$��$X|/�s)=24Arθ8j)4]q�ephU�ڜeZpKpkHnMOr]kv�-ssm�i8yR2K��)4qʬ
0H�MZ�_ Ubè歍) ([UVLS%bƧnhӬWY5a�iK?yߌp�q[rYz"|�_�Qz�]{_�|�/�3J~5�IYIQ-i n~ߙ5v`Z�OsTrhpM8�?�f�d�IOAOH�O��z$y�I�!g_l`$��2vK+_I�_D�{mƉD0` �IYZ=K[M�~�
>6�|��kd:tT52cd|�a�d&+r{! ɬ['RDӱɚ�i�X(EU`uU w�¿d;~�xN�Ɗ4gDuUv�O}ViB9~T2��7m݆n6�$�9ѿAD-I^1RU3�eanjx�|SosZo�<#F�n
ᕐ
n"�QM� |ZiO�π
/y~?љ7C�mmOG8(2-y/FZLU�r�?U�$KYT�p1Z?V&+��ͯWa�-n6pk�BȢ-"]Q>
~ˬ{�։"�$�'�L
vI�wX)OL�NߵMEr]&$VkpV+n*���p27o>Vm[md8��[/�ѪL��jm�_I�as~N�P
N'>hW"<�rŃVΥ`*V.�99}rY�w7! d�x63�`kz֩:LdSfN=hm|mH�dc�i�$�6|)j<ٔHZ��؏ܪ{Q�o[R]>�og5O@NĒ�%'&8Gu#F���&o�n�f[��w�2ah&W[s:�~ �iߛ�&�V�v�ܟ?`#u;~Б7$��eHV�W2�)� �wX3�gՎf 7>lw#
&�~"�n)m%a�x
hI&ak���(;K|[gC�Xwy�WF�>=tN$f:Cs륅�YA|q2u46:�$=&��O
G2�y«[y7�fuH'O~Nz.vjk�8zf��/�h
aų:[O�3qvF8tD,��ìH:QG;ϐ��@`�]�n�AH.CO�gz/�J+gL-gRphî3'bp
J2_ۈ+!HSV_ff�Di�$*}L� v�z�v;HW{*�n{a{%}߄b{@�Ul� f�n
4d#�Z}I~7B{1�ua�w2S�ը}q�G�v�Qm_�Gx!Gwβ/�ot^4vt�U1\�+;qs]-ϝ
q]}�S+ߓ<�}�ƦJ_R/@B�#!US!.��c=j4�@njt"<�21gZdI�o7�'�SJJKX%e�[63�zI㒱kKY:�kUJceC7QwcgIZ�R;wp;�|A��7p/ARȕ�s�^��>i͙>m
�4�@q<)8>,i�o8'柭kٳT? ̮` � ��
ᥐ�#|{�G(o�({Yq;S�r.9�O> _�߰�N�!xʞ0x"\�ixYĖ<8hߢpPD���:
��%Ś��u�&��wod�N
6��7�ν�[3W.!yB]j^"7�7;cJ�qP"]�Epp�.�]{�;"_�%}F�!w
c\c�k _8UD0'ѐ= |(�苎b�wh*Қ�m�w?�JȬ��_ѕ]l�h:%hls�4��+ 5ʀ]^Կ35߁jߞFC��6ȣ9FP$[}JvgKس�]l-�8`z2;�~�'}}Oyϕˌͷ�42Y^�]xEa!A!!o��
�2
ӣ
{�,\�(אݐ�
(Cm4A* �k!;! ���l��R
w�v���4_T؏!OBV@�A�}���́L>x@6C! #!x�}q*�DC
;�酴B
�� @}Va@B��
{�r��r9d4佃
;����g'b�p8:=��I&6+O�QOߋ1ѓE7
�7:���0�p��,@8^
|ip��]]:~\�s,7
qx-_,Pt|5�2Bn,�rR]�GZRmmvLh FDX{AJIEBN)^`[�ȧH0�M���Sh�E,�g7dh"02Y;�FR洦Y-->Q��.4Z��:�=r�=y�K�"V�M:ۻΓ�4�_<�w�:��}�CBE{>X�YEUӚ��s.h�(vجjg8
v�T[.�0
ϭ~qh6m}e�)Ш{G6=%ИQÄޭK#˚bфSD<+^"oD���-W�R\\�'
I�m)&�rZk4jKšg7�[:8u(�Ȏky.?�
�PtӁΫNkg�afF' �_�TVЍ(?)"\Hq SO$BD���~?�#?�lIlP/p�=D78!_?��i4�������������������������������������������������������vuln-1.0.1/internal/vulncheck/packages.go�����������������������������������������������������������0000664�0000000�0000000�00000010452�14467454515�0020421�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������// Copyright 2023 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package vulncheck
import (
"fmt"
"strings"
"golang.org/x/tools/go/packages"
"golang.org/x/vuln/internal"
"golang.org/x/vuln/internal/semver"
)
// PackageGraph holds a complete module and package graph.
// Its primary purpose is to allow fast access to the nodes by path.
type PackageGraph struct {
modules map[string]*packages.Module
packages map[string]*packages.Package
}
func NewPackageGraph(goVersion string) *PackageGraph {
graph := &PackageGraph{
modules: map[string]*packages.Module{},
packages: map[string]*packages.Package{},
}
graph.AddModules(&packages.Module{
Path: internal.GoStdModulePath,
Version: semver.GoTagToSemver(goVersion),
})
return graph
}
// AddModules adds the modules and any replace modules provided.
// It will ignore modules that have duplicate paths to ones the graph already holds.
func (g *PackageGraph) AddModules(mods ...*packages.Module) {
for _, mod := range mods {
if _, found := g.modules[mod.Path]; found {
//TODO: check duplicates are okay?
continue
}
g.modules[mod.Path] = mod
if mod.Replace != nil {
g.AddModules(mod.Replace)
}
}
}
// .
func (g *PackageGraph) GetModule(path string) *packages.Module {
if mod, ok := g.modules[path]; ok {
return mod
}
mod := &packages.Module{
Path: path,
Version: "",
}
g.AddModules(mod)
return mod
}
// AddPackages adds the packages and the full graph of imported packages.
// It will ignore packages that have duplicate paths to ones the graph already holds.
func (g *PackageGraph) AddPackages(pkgs ...*packages.Package) {
for _, pkg := range pkgs {
if _, found := g.packages[pkg.PkgPath]; found {
//TODO: check duplicates are okay?
continue
}
g.packages[pkg.PkgPath] = pkg
g.fixupPackage(pkg)
for _, child := range pkg.Imports {
g.AddPackages(child)
}
}
}
func (g *PackageGraph) fixupPackage(pkg *packages.Package) {
if pkg.Module != nil {
g.AddModules(pkg.Module)
return
}
pkg.Module = g.findModule(pkg.PkgPath)
}
// findModule finds a module for package.
// It does a longest prefix search amongst the existing modules, if that does
// not find anything, it returns the "unknown" module.
func (g *PackageGraph) findModule(pkgPath string) *packages.Module {
//TODO: better stdlib test
if !strings.Contains(pkgPath, ".") {
return g.GetModule(internal.GoStdModulePath)
}
for _, m := range g.modules {
//TODO: not first match, best match...
if pkgPath == m.Path || strings.HasPrefix(pkgPath, m.Path+"/") {
return m
}
}
return g.GetModule(internal.UnknownModulePath)
}
// GetPackage returns the package matching the path.
// If the graph does not already know about the package, a new one is added.
func (g *PackageGraph) GetPackage(path string) *packages.Package {
if pkg, ok := g.packages[path]; ok {
return pkg
}
pkg := &packages.Package{
PkgPath: path,
}
g.AddPackages(pkg)
return pkg
}
// LoadPackages loads the packages specified by the patterns into the graph.
// See golang.org/x/tools/go/packages.Load for details of how it works.
func (g *PackageGraph) LoadPackages(cfg *packages.Config, tags []string, patterns []string) ([]*packages.Package, error) {
if len(tags) > 0 {
cfg.BuildFlags = []string{fmt.Sprintf("-tags=%s", strings.Join(tags, ","))}
}
cfg.Mode |=
packages.NeedDeps |
packages.NeedImports |
packages.NeedModule |
packages.NeedSyntax |
packages.NeedTypes |
packages.NeedTypesInfo |
packages.NeedName
pkgs, err := packages.Load(cfg, patterns...)
if err != nil {
return nil, err
}
var perrs []packages.Error
packages.Visit(pkgs, nil, func(p *packages.Package) {
perrs = append(perrs, p.Errors...)
})
if len(perrs) > 0 {
err = &packageError{perrs}
}
g.AddPackages(pkgs...)
return pkgs, err
}
// packageError contains errors from loading a set of packages.
type packageError struct {
Errors []packages.Error
}
func (e *packageError) Error() string {
var b strings.Builder
fmt.Fprintln(&b, "\nThere are errors with the provided package patterns:")
fmt.Fprintln(&b, "")
for _, e := range e.Errors {
fmt.Fprintln(&b, e)
}
fmt.Fprintln(&b, "\nFor details on package patterns, see https://pkg.go.dev/cmd/go#hdr-Package_lists_and_patterns.")
return b.String()
}
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������vuln-1.0.1/internal/vulncheck/slicing.go������������������������������������������������������������0000664�0000000�0000000�00000002415�14467454515�0020273�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package vulncheck
import (
"golang.org/x/tools/go/callgraph"
"golang.org/x/tools/go/ssa"
)
// forwardSlice computes the transitive closure of functions forward reachable
// via calls in cg or referred to in an instruction starting from `sources`.
func forwardSlice(sources map[*ssa.Function]bool, cg *callgraph.Graph) map[*ssa.Function]bool {
seen := make(map[*ssa.Function]bool)
var visit func(f *ssa.Function)
visit = func(f *ssa.Function) {
if seen[f] {
return
}
seen[f] = true
if n := cg.Nodes[f]; n != nil {
for _, e := range n.Out {
if e.Site != nil {
visit(e.Callee.Func)
}
}
}
var buf [10]*ssa.Value // avoid alloc in common case
for _, b := range f.Blocks {
for _, instr := range b.Instrs {
for _, op := range instr.Operands(buf[:0]) {
if fn, ok := (*op).(*ssa.Function); ok {
visit(fn)
}
}
}
}
}
for source := range sources {
visit(source)
}
return seen
}
// pruneSet removes functions in `set` that are in `toPrune`.
func pruneSet(set, toPrune map[*ssa.Function]bool) {
for f := range set {
if !toPrune[f] {
delete(set, f)
}
}
}
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������vuln-1.0.1/internal/vulncheck/slicing_test.go�������������������������������������������������������0000664�0000000�0000000�00000004211�14467454515�0021326�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package vulncheck
import (
"path"
"reflect"
"testing"
"golang.org/x/tools/go/callgraph/cha"
"golang.org/x/tools/go/packages/packagestest"
"golang.org/x/tools/go/ssa"
"golang.org/x/tools/go/ssa/ssautil"
)
// funcNames returns a set of function names for `funcs`.
func funcNames(funcs map[*ssa.Function]bool) map[string]bool {
fs := make(map[string]bool)
for f := range funcs {
fs[dbFuncName(f)] = true
}
return fs
}
func TestSlicing(t *testing.T) {
// test program
p := `
package slice
func X() {}
func Y() {}
// not reachable
func id(i int) int {
return i
}
// not reachable
func inc(i int) int {
return i + 1
}
func Apply(b bool, h func()) {
if b {
func() {
print("applied")
}()
return
}
h()
}
type I interface {
Foo()
}
type A struct{}
func (a A) Foo() {}
// not reachable
func (a A) Bar() {}
type B struct{}
func (b B) Foo() {}
func debug(s string) {
print(s)
}
func Do(i I, input string) {
debug(input)
i.Foo()
func(x string) {
func(l int) {
print(l)
}(len(x))
}(input)
}`
e := packagestest.Export(t, packagestest.Modules, []packagestest.Module{
{
Name: "some/module",
Files: map[string]interface{}{"slice/slice.go": p},
},
})
pkgs, err := loadTestPackages(e, path.Join(e.Temp(), "/module/slice"))
if err != nil {
t.Fatal(err)
}
prog, ssaPkgs := ssautil.AllPackages(pkgs, 0)
prog.Build()
pkg := ssaPkgs[0]
sources := map[*ssa.Function]bool{pkg.Func("Apply"): true, pkg.Func("Do"): true}
fs := funcNames(forwardSlice(sources, cha.CallGraph(prog)))
want := map[string]bool{
"Apply": true,
"Apply$1": true,
"X": true,
"Y": true,
"Do": true,
"Do$1": true,
"Do$1$1": true,
"debug": true,
"A.Foo": true,
"B.Foo": true,
}
if !reflect.DeepEqual(want, fs) {
t.Errorf("want %v; got %v", want, fs)
}
}
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������vuln-1.0.1/internal/vulncheck/source.go�������������������������������������������������������������0000664�0000000�0000000�00000025412�14467454515�0020145�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package vulncheck
import (
"context"
"fmt"
"go/token"
"sync"
"golang.org/x/tools/go/callgraph"
"golang.org/x/tools/go/packages"
"golang.org/x/tools/go/ssa"
"golang.org/x/vuln/internal/client"
"golang.org/x/vuln/internal/govulncheck"
"golang.org/x/vuln/internal/osv"
)
// Source detects vulnerabilities in packages. The result will contain:
//
// 1) An ImportGraph related to an import of a package with some known
// vulnerabilities.
//
// 2) A RequireGraph related to a require of a module with a package that has
// some known vulnerabilities.
//
// 3) A CallGraph leading to the use of a known vulnerable function or method.
func Source(ctx context.Context, pkgs []*packages.Package, cfg *govulncheck.Config, client *client.Client, graph *PackageGraph) (_ *Result, err error) {
// buildSSA builds a whole program that assumes all packages use the same FileSet.
// Check all packages in pkgs are using the same FileSet.
// TODO(https://go.dev/issue/59729): take FileSet out of Package and
// let Source take a single FileSet. That will make the enforcement
// clearer from the API level.
var fset *token.FileSet
for _, p := range pkgs {
if fset == nil {
fset = p.Fset
} else {
if fset != p.Fset {
return nil, fmt.Errorf("[]*Package must have created with the same FileSet")
}
}
}
ctx, cancel := context.WithCancel(ctx)
defer cancel()
// If we are building the callgraph, build ssa and the callgraph in parallel
// with fetching vulnerabilities. If the vulns set is empty, return without
// waiting for SSA construction or callgraph to finish.
var (
wg sync.WaitGroup // guards entries, cg, and buildErr
entries []*ssa.Function
cg *callgraph.Graph
buildErr error
)
if cfg.ScanLevel.WantSymbols() {
wg.Add(1)
go func() {
defer wg.Done()
prog, ssaPkgs := buildSSA(pkgs, fset)
entries = entryPoints(ssaPkgs)
cg, buildErr = callGraph(ctx, prog, entries)
}()
}
mods := extractModules(pkgs)
mv, err := FetchVulnerabilities(ctx, client, mods)
if err != nil {
return nil, err
}
modVulns := moduleVulnerabilities(mv)
modVulns = modVulns.filter("", "")
result := &Result{}
vulnPkgModSlice(pkgs, modVulns, result)
// Return result immediately if not in symbol mode or
// if there are no vulnerable packages.
if !cfg.ScanLevel.WantSymbols() || len(result.EntryPackages) == 0 {
return result, nil
}
wg.Wait() // wait for build to finish
if buildErr != nil {
return nil, err
}
vulnCallGraphSlice(entries, modVulns, cg, result, graph)
return result, nil
}
// vulnPkgModSlice computes the slice of pkgs imports and requires graph
// leading to imports/requires of vulnerable packages/modules in modVulns
// and stores the computed slices to result.
func vulnPkgModSlice(pkgs []*packages.Package, modVulns moduleVulnerabilities, result *Result) {
// analyzedPkgs contains information on packages analyzed thus far.
// If a package is mapped to false, this means it has been visited
// but it does not lead to a vulnerable imports. Otherwise, a
// visited package is mapped to true.
analyzedPkgs := make(map[*packages.Package]bool)
for _, pkg := range pkgs {
// Top level packages that lead to vulnerable imports are
// stored as result.EntryPackages graph entry points.
if vulnerable := vulnImportSlice(pkg, modVulns, result, analyzedPkgs); vulnerable {
result.EntryPackages = append(result.EntryPackages, pkg)
}
}
}
// vulnImportSlice checks if pkg has some vulnerabilities or transitively imports
// a package with known vulnerabilities. If that is the case, populates result.Imports
// graph with this reachability information and returns the result.Imports package
// node for pkg. Otherwise, returns nil.
func vulnImportSlice(pkg *packages.Package, modVulns moduleVulnerabilities, result *Result, analyzed map[*packages.Package]bool) bool {
if vulnerable, ok := analyzed[pkg]; ok {
return vulnerable
}
analyzed[pkg] = false
// Recursively compute which direct dependencies lead to an import of
// a vulnerable package and remember the nodes of such dependencies.
transitiveVulnerable := false
for _, imp := range pkg.Imports {
if impVulnerable := vulnImportSlice(imp, modVulns, result, analyzed); impVulnerable {
transitiveVulnerable = true
}
}
// Check if pkg has known vulnerabilities.
vulns := modVulns.vulnsForPackage(pkg.PkgPath)
// If pkg is not vulnerable nor it transitively leads
// to vulnerabilities, jump out.
if !transitiveVulnerable && len(vulns) == 0 {
return false
}
// Create Vuln entry for each symbol of known OSV entries for pkg.
for _, osv := range vulns {
for _, affected := range osv.Affected {
for _, p := range affected.EcosystemSpecific.Packages {
if p.Path != pkg.PkgPath {
continue
}
symbols := p.Symbols
if len(symbols) == 0 {
symbols = allSymbols(pkg.Types)
}
for _, symbol := range symbols {
vuln := &Vuln{
OSV: osv,
Symbol: symbol,
ImportSink: pkg,
}
result.Vulns = append(result.Vulns, vuln)
}
}
}
}
analyzed[pkg] = true
return true
}
// vulnCallGraphSlice checks if known vulnerabilities are transitively reachable from sources
// via call graph cg. If so, populates result.Calls graph with this reachability information.
func vulnCallGraphSlice(sources []*ssa.Function, modVulns moduleVulnerabilities, cg *callgraph.Graph, result *Result, graph *PackageGraph) {
sinksWithVulns := vulnFuncs(cg, modVulns)
// Compute call graph backwards reachable
// from vulnerable functions and methods.
var sinks []*callgraph.Node
for n := range sinksWithVulns {
sinks = append(sinks, n)
}
bcg := callGraphSlice(sinks, false)
// Interesect backwards call graph with forward
// reachable graph to remove redundant edges.
var filteredSources []*callgraph.Node
for _, e := range sources {
if n, ok := bcg.Nodes[e]; ok {
filteredSources = append(filteredSources, n)
}
}
fcg := callGraphSlice(filteredSources, true)
// Get the sinks that are in fact reachable from entry points.
filteredSinks := make(map[*callgraph.Node][]*osv.Entry)
for n, vs := range sinksWithVulns {
if fn, ok := fcg.Nodes[n.Func]; ok {
filteredSinks[fn] = vs
}
}
// Transform the resulting call graph slice into
// vulncheck representation and store it to result.
vulnCallGraph(filteredSources, filteredSinks, result, graph)
}
// callGraphSlice computes a slice of callgraph beginning at starts
// in the direction (forward/backward) controlled by forward flag.
func callGraphSlice(starts []*callgraph.Node, forward bool) *callgraph.Graph {
g := &callgraph.Graph{Nodes: make(map[*ssa.Function]*callgraph.Node)}
visited := make(map[*callgraph.Node]bool)
var visit func(*callgraph.Node)
visit = func(n *callgraph.Node) {
if visited[n] {
return
}
visited[n] = true
var edges []*callgraph.Edge
if forward {
edges = n.Out
} else {
edges = n.In
}
for _, edge := range edges {
nCallee := g.CreateNode(edge.Callee.Func)
nCaller := g.CreateNode(edge.Caller.Func)
callgraph.AddEdge(nCaller, edge.Site, nCallee)
if forward {
visit(edge.Callee)
} else {
visit(edge.Caller)
}
}
}
for _, s := range starts {
visit(s)
}
return g
}
// vulnCallGraph creates vulnerability call graph from sources -> sinks reachability info.
func vulnCallGraph(sources []*callgraph.Node, sinks map[*callgraph.Node][]*osv.Entry, result *Result, graph *PackageGraph) {
nodes := make(map[*ssa.Function]*FuncNode)
// First create entries and sinks and store relevant information.
for _, s := range sources {
fn := createNode(nodes, s.Func, graph)
result.EntryFunctions = append(result.EntryFunctions, fn)
}
for s, vulns := range sinks {
f := s.Func
funNode := createNode(nodes, s.Func, graph)
// Populate CallSink field for each detected vuln symbol.
for _, osv := range vulns {
if vulnMatchesPackage(osv, funNode.Package.PkgPath) {
addCallSinkForVuln(funNode, osv, dbFuncName(f), funNode.Package.PkgPath, result)
}
}
}
visited := make(map[*callgraph.Node]bool)
var visit func(*callgraph.Node)
visit = func(n *callgraph.Node) {
if visited[n] {
return
}
visited[n] = true
for _, edge := range n.In {
nCallee := createNode(nodes, edge.Callee.Func, graph)
nCaller := createNode(nodes, edge.Caller.Func, graph)
call := edge.Site
cs := &CallSite{
Parent: nCaller,
Name: call.Common().Value.Name(),
RecvType: callRecvType(call),
Resolved: resolved(call),
Pos: instrPosition(call),
}
nCallee.CallSites = append(nCallee.CallSites, cs)
visit(edge.Caller)
}
}
for s := range sinks {
visit(s)
}
}
// vulnFuncs returns vulnerability information for vulnerable functions in cg.
func vulnFuncs(cg *callgraph.Graph, modVulns moduleVulnerabilities) map[*callgraph.Node][]*osv.Entry {
m := make(map[*callgraph.Node][]*osv.Entry)
for f, n := range cg.Nodes {
vulns := modVulns.vulnsForSymbol(pkgPath(f), dbFuncName(f))
if len(vulns) > 0 {
m[n] = vulns
}
}
return m
}
// pkgPath returns the path of the f's enclosing package, if any.
// Otherwise, returns "".
func pkgPath(f *ssa.Function) string {
if f.Package() != nil && f.Package().Pkg != nil {
return f.Package().Pkg.Path()
}
return ""
}
func createNode(nodes map[*ssa.Function]*FuncNode, f *ssa.Function, graph *PackageGraph) *FuncNode {
if fn, ok := nodes[f]; ok {
return fn
}
fn := &FuncNode{
Name: f.Name(),
Package: graph.GetPackage(pkgPath(f)),
RecvType: funcRecvType(f),
Pos: funcPosition(f),
}
nodes[f] = fn
return fn
}
// addCallSinkForVuln adds callID as call sink to vuln of result.Vulns
// identified with .
func addCallSinkForVuln(call *FuncNode, osv *osv.Entry, symbol, pkg string, result *Result) {
for _, vuln := range result.Vulns {
if vuln.OSV == osv && vuln.Symbol == symbol && vuln.ImportSink.PkgPath == pkg {
vuln.CallSink = call
return
}
}
}
// extractModules collects modules in `pkgs` up to uniqueness of
// module path and version.
func extractModules(pkgs []*packages.Package) []*packages.Module {
modMap := map[string]*packages.Module{}
seen := map[*packages.Package]bool{}
var extract func(*packages.Package, map[string]*packages.Module)
extract = func(pkg *packages.Package, modMap map[string]*packages.Module) {
if pkg == nil || seen[pkg] {
return
}
if pkg.Module != nil {
if pkg.Module.Replace != nil {
modMap[pkg.Module.Replace.Path] = pkg.Module
} else {
modMap[pkg.Module.Path] = pkg.Module
}
}
seen[pkg] = true
for _, imp := range pkg.Imports {
extract(imp, modMap)
}
}
for _, pkg := range pkgs {
extract(pkg, modMap)
}
modules := []*packages.Module{}
for _, mod := range modMap {
modules = append(modules, mod)
}
return modules
}
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������vuln-1.0.1/internal/vulncheck/source_test.go��������������������������������������������������������0000664�0000000�0000000�00000026131�14467454515�0021203�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package vulncheck
import (
"context"
"path"
"reflect"
"testing"
"golang.org/x/tools/go/packages/packagestest"
"golang.org/x/vuln/internal/client"
"golang.org/x/vuln/internal/govulncheck"
"golang.org/x/vuln/internal/osv"
)
// TestCalls checks for call graph vuln slicing correctness.
// The inlined test code has the following call graph
//
// x.X
// / | \
// / d.D1 avuln.VulnData.Vuln1
// / / |
// c.C1 d.internal.Vuln1
// |
// avuln.VulnData.Vuln2
//
// --------------------y.Y-------------------------------
// / / \ \ \ \
// / / \ \ \ \
// / / \ \ \ \
// c.C4 c.vulnWrap.V.Vuln1(=nil) c.C2 bvuln.Vuln c.C3 c.C3$1
// | | |
// y.benign e.E
//
// and this slice
//
// x.X
// / | \
// / d.D1 avuln.VulnData.Vuln1
// / /
// c.C1
// |
// avuln.VulnData.Vuln2
//
// y.Y
// |
// bvuln.Vuln
// | |
// e.E
//
// related to avuln.VulnData.{Vuln1, Vuln2} and bvuln.Vuln vulnerabilities.
func TestCalls(t *testing.T) {
e := packagestest.Export(t, packagestest.Modules, []packagestest.Module{
{
Name: "golang.org/entry",
Files: map[string]interface{}{
"x/x.go": `
package x
import (
"golang.org/cmod/c"
"golang.org/dmod/d"
)
func X(x bool) {
if x {
c.C1().Vuln1() // vuln use: Vuln1
} else {
d.D1() // no vuln use
}
}
`,
"y/y.go": `
package y
import (
"golang.org/cmod/c"
)
func Y(y bool) {
if y {
c.C2()() // vuln use: bvuln.Vuln
} else {
c.C3()()
w := c.C4(benign)
w.V.Vuln1() // no vuln use: Vuln1 does not belong to vulnerable type
}
}
func benign(i c.I) {}
`}},
{
Name: "golang.org/cmod@v1.1.3",
Files: map[string]interface{}{"c/c.go": `
package c
import (
"golang.org/amod/avuln"
"golang.org/bmod/bvuln"
)
type I interface {
Vuln1()
}
func C1() I {
v := avuln.VulnData{}
v.Vuln2() // vuln use
return v
}
func C2() func() {
return bvuln.Vuln
}
func C3() func() {
return func() {}
}
type vulnWrap struct {
V I
}
func C4(f func(i I)) vulnWrap {
f(avuln.VulnData{})
return vulnWrap{}
}
`},
},
{
Name: "golang.org/dmod@v0.5.0",
Files: map[string]interface{}{"d/d.go": `
package d
import (
"golang.org/cmod/c"
)
type internal struct{}
func (i internal) Vuln1() {}
func D1() {
c.C1() // transitive vuln use
var i c.I
i = internal{}
i.Vuln1() // no vuln use
}
`},
},
{
Name: "golang.org/amod@v1.1.3",
Files: map[string]interface{}{"avuln/avuln.go": `
package avuln
type VulnData struct {}
func (v VulnData) Vuln1() {}
func (v VulnData) Vuln2() {}
`},
},
{
Name: "golang.org/bmod@v0.5.0",
Files: map[string]interface{}{"bvuln/bvuln.go": `
package bvuln
import (
"golang.org/emod/e"
)
func Vuln() {
e.E(Vuln)
}
`},
},
{
Name: "golang.org/emod@v1.5.0",
Files: map[string]interface{}{"e/e.go": `
package e
func E(f func()) {
f()
}
`},
},
})
defer e.Cleanup()
// Load x and y as entry packages.
graph := NewPackageGraph("go1.18")
pkgs, err := graph.LoadPackages(e.Config, nil, []string{path.Join(e.Temp(), "entry/x"), path.Join(e.Temp(), "entry/y")})
if err != nil {
t.Fatal(err)
}
if len(pkgs) != 2 {
t.Fatal("failed to load x and y test packages")
}
c, err := newTestClient()
if err != nil {
t.Fatal(err)
}
cfg := &govulncheck.Config{ScanLevel: "symbol"}
result, err := Source(context.Background(), pkgs, cfg, c, graph)
if err != nil {
t.Fatal(err)
}
// Check that we find the right number of vulnerabilities.
// There should be three entries as there are three vulnerable
// symbols in the two import-reachable OSVs.
if len(result.Vulns) != 3 {
t.Errorf("want 3 Vulns, got %d", len(result.Vulns))
}
// Check that call graph entry points are present.
if got := len(result.EntryFunctions); got != 2 {
t.Errorf("want 2 call graph entry points; got %v", got)
}
// Check that vulnerabilities are connected to the call graph.
// For the test example, all vulns should have a call sink.
for _, v := range result.Vulns {
if v.CallSink == nil {
t.Errorf("want CallSink !=0 for %v; got 0", v.Symbol)
}
}
wantCalls := map[string][]string{
"golang.org/entry/x.X": {"golang.org/amod/avuln.VulnData.Vuln1", "golang.org/cmod/c.C1", "golang.org/dmod/d.D1"},
"golang.org/cmod/c.C1": {"golang.org/amod/avuln.VulnData.Vuln2"},
"golang.org/dmod/d.D1": {"golang.org/cmod/c.C1"},
"golang.org/entry/y.Y": {"golang.org/bmod/bvuln.Vuln"},
"golang.org/bmod/bvuln.Vuln": {"golang.org/emod/e.E"},
"golang.org/emod/e.E": {"golang.org/bmod/bvuln.Vuln"},
}
if callStrMap := callGraphToStrMap(result); !reflect.DeepEqual(wantCalls, callStrMap) {
t.Errorf("want %v call graph; got %v", wantCalls, callStrMap)
}
}
func TestAllSymbolsVulnerable(t *testing.T) {
e := packagestest.Export(t, packagestest.Modules, []packagestest.Module{
{
Name: "golang.org/entry",
Files: map[string]interface{}{
"x/x.go": `
package x
import "golang.org/vmod/vuln"
func X() {
vuln.V1()
}`,
},
},
{
Name: "golang.org/vmod@v1.2.3",
Files: map[string]interface{}{"vuln/vuln.go": `
package vuln
func V1() {}
func V2() {}
func v() {}
type a struct{}
func (x a) foo() {}
func (x *a) bar() {}
`},
},
})
defer e.Cleanup()
client, err := client.NewInMemoryClient(
[]*osv.Entry{
{
ID: "V",
Affected: []osv.Affected{{
Module: osv.Module{Path: "golang.org/vmod"},
Ranges: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "1.2.0"}}}},
EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
Path: "golang.org/vmod/vuln",
Symbols: []string{},
}},
},
}},
},
},
)
if err != nil {
t.Fatal(err)
}
// Load x as entry package.
graph := NewPackageGraph("go1.18")
pkgs, err := graph.LoadPackages(e.Config, nil, []string{path.Join(e.Temp(), "entry/x")})
if err != nil {
t.Fatal(err)
}
if len(pkgs) != 1 {
t.Fatal("failed to load x test package")
}
cfg := &govulncheck.Config{ScanLevel: "symbol"}
result, err := Source(context.Background(), pkgs, cfg, client, graph)
if err != nil {
t.Fatal(err)
}
if len(result.Vulns) != 5 {
t.Errorf("want 5 Vulns, got %d", len(result.Vulns))
}
for _, v := range result.Vulns {
if v.Symbol == "V1" && v.CallSink == nil {
t.Errorf("expected a call sink for V1; got none")
} else if v.Symbol != "V1" && v.CallSink != nil {
t.Errorf("expected no call sink for %v; got %v", v.Symbol, v.CallSink)
}
}
}
// TestNoSyntheticNodes checks that removing synthetic wrappers from
// call graph still produces correct results.
func TestNoSyntheticNodes(t *testing.T) {
e := packagestest.Export(t, packagestest.Modules, []packagestest.Module{
{
Name: "golang.org/entry",
Files: map[string]interface{}{
"x/x.go": `
package x
import "golang.org/amod/avuln"
type i interface {
Vuln1()
}
func X() {
v := &avuln.VulnData{}
var x i = v // to force creatation of wrapper method *avuln.VulnData.Vuln1
x.Vuln1()
}`,
},
},
{
Name: "golang.org/amod@v1.1.3",
Files: map[string]interface{}{"avuln/avuln.go": `
package avuln
type VulnData struct {}
func (v VulnData) Vuln1() {}
func (v VulnData) Vuln2() {}
`},
},
})
defer e.Cleanup()
// Load x as entry package.
graph := NewPackageGraph("go1.18")
pkgs, err := graph.LoadPackages(e.Config, nil, []string{path.Join(e.Temp(), "entry/x")})
if err != nil {
t.Fatal(err)
}
if len(pkgs) != 1 {
t.Fatal("failed to load x test package")
}
c, err := newTestClient()
if err != nil {
t.Fatal(err)
}
cfg := &govulncheck.Config{ScanLevel: "symbol"}
result, err := Source(context.Background(), pkgs, cfg, c, graph)
if err != nil {
t.Fatal(err)
}
if len(result.Vulns) != 2 {
t.Errorf("want 2 Vulns, got %d", len(result.Vulns))
}
var vuln *Vuln
for _, v := range result.Vulns {
if v.Symbol == "VulnData.Vuln1" && v.CallSink != nil {
vuln = v
}
}
if vuln == nil {
t.Fatal("VulnData.Vuln1 should be deemed a called vulnerability")
}
stack := CallStacks(result)[vuln]
// We don't want the call stack X -> *VulnData.Vuln1 (wrapper) -> VulnData.Vuln1.
// We want X -> VulnData.Vuln1.
if len(stack) != 2 {
t.Errorf("want stack of length 2; got stack of length %v", len(stack))
}
}
func TestRecursion(t *testing.T) {
e := packagestest.Export(t, packagestest.Modules, []packagestest.Module{
{
Name: "golang.org/entry",
Files: map[string]interface{}{
"x/x.go": `
package x
import "golang.org/bmod/bvuln"
func X() {
y()
bvuln.Vuln()
z()
}
func y() {
X()
}
func z() {}
`,
},
},
{
Name: "golang.org/bmod@v0.5.0",
Files: map[string]interface{}{"bvuln/bvuln.go": `
package bvuln
func Vuln() {}
`},
},
})
defer e.Cleanup()
// Load x as entry package.
graph := NewPackageGraph("go1.18")
pkgs, err := graph.LoadPackages(e.Config, nil, []string{path.Join(e.Temp(), "entry/x")})
if err != nil {
t.Fatal(err)
}
if len(pkgs) != 1 {
t.Fatal("failed to load x test package")
}
c, err := newTestClient()
if err != nil {
t.Fatal(err)
}
cfg := &govulncheck.Config{ScanLevel: "symbol"}
result, err := Source(context.Background(), pkgs, cfg, c, graph)
if err != nil {
t.Fatal(err)
}
wantCalls := map[string][]string{
"golang.org/entry/x.X": {"golang.org/bmod/bvuln.Vuln", "golang.org/entry/x.y"},
"golang.org/entry/x.y": {"golang.org/entry/x.X"},
}
if callStrMap := callGraphToStrMap(result); !reflect.DeepEqual(wantCalls, callStrMap) {
t.Errorf("want %v call graph; got %v", wantCalls, callStrMap)
}
}
func TestIssue57174(t *testing.T) {
e := packagestest.Export(t, packagestest.Modules, []packagestest.Module{
{
Name: "golang.org/entry",
Files: map[string]interface{}{
"x/x.go": `
package x
import "golang.org/bmod/bvuln"
func P(d [][3]int) {
p(d)
}
func p[E interface{ [3]int | [4]int }](d []E) {
c := d[0]
if c[0] > 0 {
bvuln.Vuln()
}
}
`,
},
},
{
Name: "golang.org/bmod@v0.5.0",
Files: map[string]interface{}{"bvuln/bvuln.go": `
package bvuln
func Vuln() {}
`},
},
})
defer e.Cleanup()
// Load x as entry package.
graph := NewPackageGraph("go1.18")
pkgs, err := graph.LoadPackages(e.Config, nil, []string{path.Join(e.Temp(), "entry/x")})
if err != nil {
t.Fatal(err)
}
if len(pkgs) != 1 {
t.Fatal("failed to load x test package")
}
c, err := newTestClient()
if err != nil {
t.Fatal(err)
}
cfg := &govulncheck.Config{ScanLevel: "symbol"}
_, err = Source(context.Background(), pkgs, cfg, c, graph)
if err != nil {
t.Fatal(err)
}
}
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������vuln-1.0.1/internal/vulncheck/utils.go��������������������������������������������������������������0000664�0000000�0000000�00000016642�14467454515�0020012�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package vulncheck
import (
"bytes"
"context"
"go/token"
"go/types"
"strings"
"golang.org/x/tools/go/callgraph"
"golang.org/x/tools/go/callgraph/cha"
"golang.org/x/tools/go/callgraph/vta"
"golang.org/x/tools/go/packages"
"golang.org/x/tools/go/ssa/ssautil"
"golang.org/x/tools/go/types/typeutil"
"golang.org/x/vuln/internal/osv"
"golang.org/x/tools/go/ssa"
)
// buildSSA creates an ssa representation for pkgs. Returns
// the ssa program encapsulating the packages and top level
// ssa packages corresponding to pkgs.
func buildSSA(pkgs []*packages.Package, fset *token.FileSet) (*ssa.Program, []*ssa.Package) {
// TODO(https://go.dev/issue/57221): what about entry functions that are generics?
prog := ssa.NewProgram(fset, ssa.InstantiateGenerics)
imports := make(map[*packages.Package]*ssa.Package)
var createImports func(map[string]*packages.Package)
createImports = func(pkgs map[string]*packages.Package) {
for _, p := range pkgs {
if _, ok := imports[p]; !ok {
i := prog.CreatePackage(p.Types, p.Syntax, p.TypesInfo, true)
imports[p] = i
createImports(p.Imports)
}
}
}
for _, tp := range pkgs {
createImports(tp.Imports)
}
var ssaPkgs []*ssa.Package
for _, tp := range pkgs {
if sp, ok := imports[tp]; ok {
ssaPkgs = append(ssaPkgs, sp)
} else {
sp := prog.CreatePackage(tp.Types, tp.Syntax, tp.TypesInfo, false)
ssaPkgs = append(ssaPkgs, sp)
}
}
prog.Build()
return prog, ssaPkgs
}
// callGraph builds a call graph of prog based on VTA analysis.
func callGraph(ctx context.Context, prog *ssa.Program, entries []*ssa.Function) (*callgraph.Graph, error) {
entrySlice := make(map[*ssa.Function]bool)
for _, e := range entries {
entrySlice[e] = true
}
if err := ctx.Err(); err != nil { // cancelled?
return nil, err
}
initial := cha.CallGraph(prog)
allFuncs := ssautil.AllFunctions(prog)
fslice := forwardSlice(entrySlice, initial)
// Keep only actually linked functions.
pruneSet(fslice, allFuncs)
if err := ctx.Err(); err != nil { // cancelled?
return nil, err
}
vtaCg := vta.CallGraph(fslice, initial)
// Repeat the process once more, this time using
// the produced VTA call graph as the base graph.
fslice = forwardSlice(entrySlice, vtaCg)
pruneSet(fslice, allFuncs)
if err := ctx.Err(); err != nil { // cancelled?
return nil, err
}
cg := vta.CallGraph(fslice, vtaCg)
cg.DeleteSyntheticNodes()
return cg, nil
}
// dbTypeFormat formats the name of t according how types
// are encoded in vulnerability database:
// - pointer designation * is skipped
// - full path prefix is skipped as well
func dbTypeFormat(t types.Type) string {
switch tt := t.(type) {
case *types.Pointer:
return dbTypeFormat(tt.Elem())
case *types.Named:
return tt.Obj().Name()
default:
return types.TypeString(t, func(p *types.Package) string { return "" })
}
}
// dbFuncName computes a function name consistent with the namings used in vulnerability
// databases. Effectively, a qualified name of a function local to its enclosing package.
// If a receiver is a pointer, this information is not encoded in the resulting name. The
// name of anonymous functions is simply "". The function names are unique subject to the
// enclosing package, but not globally.
//
// Examples:
//
// func (a A) foo (...) {...} -> A.foo
// func foo(...) {...} -> foo
// func (b *B) bar (...) {...} -> B.bar
func dbFuncName(f *ssa.Function) string {
selectBound := func(f *ssa.Function) types.Type {
// If f is a "bound" function introduced by ssa for a given type, return the type.
// When "f" is a "bound" function, it will have 1 free variable of that type within
// the function. This is subject to change when ssa changes.
if len(f.FreeVars) == 1 && strings.HasPrefix(f.Synthetic, "bound ") {
return f.FreeVars[0].Type()
}
return nil
}
selectThunk := func(f *ssa.Function) types.Type {
// If f is a "thunk" function introduced by ssa for a given type, return the type.
// When "f" is a "thunk" function, the first parameter will have that type within
// the function. This is subject to change when ssa changes.
params := f.Signature.Params() // params.Len() == 1 then params != nil.
if strings.HasPrefix(f.Synthetic, "thunk ") && params.Len() >= 1 {
if first := params.At(0); first != nil {
return first.Type()
}
}
return nil
}
var qprefix string
if recv := f.Signature.Recv(); recv != nil {
qprefix = dbTypeFormat(recv.Type())
} else if btype := selectBound(f); btype != nil {
qprefix = dbTypeFormat(btype)
} else if ttype := selectThunk(f); ttype != nil {
qprefix = dbTypeFormat(ttype)
}
if qprefix == "" {
return f.Name()
}
return qprefix + "." + f.Name()
}
// dbTypesFuncName is dbFuncName defined over *types.Func.
func dbTypesFuncName(f *types.Func) string {
sig := f.Type().(*types.Signature)
if sig.Recv() == nil {
return f.Name()
}
return dbTypeFormat(sig.Recv().Type()) + "." + f.Name()
}
// memberFuncs returns functions associated with the `member`:
// 1) `member` itself if `member` is a function
// 2) `member` methods if `member` is a type
// 3) empty list otherwise
func memberFuncs(member ssa.Member, prog *ssa.Program) []*ssa.Function {
switch t := member.(type) {
case *ssa.Type:
methods := typeutil.IntuitiveMethodSet(t.Type(), &prog.MethodSets)
var funcs []*ssa.Function
for _, m := range methods {
if f := prog.MethodValue(m); f != nil {
funcs = append(funcs, f)
}
}
return funcs
case *ssa.Function:
return []*ssa.Function{t}
default:
return nil
}
}
// funcPosition gives the position of `f`. Returns empty token.Position
// if no file information on `f` is available.
func funcPosition(f *ssa.Function) *token.Position {
pos := f.Prog.Fset.Position(f.Pos())
return &pos
}
// instrPosition gives the position of `instr`. Returns empty token.Position
// if no file information on `instr` is available.
func instrPosition(instr ssa.Instruction) *token.Position {
pos := instr.Parent().Prog.Fset.Position(instr.Pos())
return &pos
}
func resolved(call ssa.CallInstruction) bool {
if call == nil {
return true
}
return call.Common().StaticCallee() != nil
}
func callRecvType(call ssa.CallInstruction) string {
if !call.Common().IsInvoke() {
return ""
}
buf := new(bytes.Buffer)
types.WriteType(buf, call.Common().Value.Type(), nil)
return buf.String()
}
func funcRecvType(f *ssa.Function) string {
v := f.Signature.Recv()
if v == nil {
return ""
}
buf := new(bytes.Buffer)
types.WriteType(buf, v.Type(), nil)
return buf.String()
}
// allSymbols returns all top-level functions and methods defined in pkg.
func allSymbols(pkg *types.Package) []string {
var names []string
scope := pkg.Scope()
for _, name := range scope.Names() {
o := scope.Lookup(name)
switch o := o.(type) {
case *types.Func:
names = append(names, dbTypesFuncName(o))
case *types.TypeName:
ms := types.NewMethodSet(types.NewPointer(o.Type()))
for i := 0; i < ms.Len(); i++ {
if f, ok := ms.At(i).Obj().(*types.Func); ok {
names = append(names, dbTypesFuncName(f))
}
}
}
}
return names
}
// vulnMatchesPackage reports whether an entry applies to pkg (an import path).
func vulnMatchesPackage(v *osv.Entry, pkg string) bool {
for _, a := range v.Affected {
for _, p := range a.EcosystemSpecific.Packages {
if p.Path == pkg {
return true
}
}
}
return false
}
����������������������������������������������������������������������������������������������vuln-1.0.1/internal/vulncheck/vulncheck.go����������������������������������������������������������0000664�0000000�0000000�00000021433�14467454515�0020626�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package vulncheck
import (
"fmt"
"go/token"
"strings"
"time"
"golang.org/x/tools/go/packages"
"golang.org/x/vuln/internal"
"golang.org/x/vuln/internal/osv"
"golang.org/x/vuln/internal/semver"
)
// Result contains information on how known vulnerabilities are reachable
// in the call graph, package imports graph, and module requires graph of
// the user code.
type Result struct {
// EntryFunctions are a subset of Functions representing vulncheck entry points.
EntryFunctions []*FuncNode
// EntryPackages are a subset of Packages representing packages of vulncheck entry points.
EntryPackages []*packages.Package
// Vulns contains information on detected vulnerabilities and their place in
// the above graphs. Only vulnerabilities whose symbols are reachable in Calls,
// or whose packages are imported in Imports, or whose modules are required in
// Requires, have an entry in Vulns.
Vulns []*Vuln
}
// Vuln provides information on how a vulnerability is affecting user code by
// connecting it to the Result.{Calls,Imports,Requires} graphs. Vulnerabilities
// detected in Go binaries do not appear in the Result graphs.
type Vuln struct {
// OSV contains information on the detected vulnerability in the shared
// vulnerability format.
//
// OSV, Symbol, PkgPath, and ModPath identify a vulnerability.
//
// Note that *osv.Entry may describe multiple symbols from multiple
// packages.
OSV *osv.Entry
// Symbol is the name of the detected vulnerable function or method.
Symbol string
// CallSink is the FuncNode in Result.Calls corresponding to Symbol.
//
// When analyzing binaries, Symbol is not reachable, or cfg.ScanLevel
// is symbol, CallSink will be unavailable and set to 0.
CallSink *FuncNode
// ImportSink is the PkgNode in Result.Imports corresponding to PkgPath.
//
// When analyzing binaries or PkgPath is not imported, ImportSink will be
// unavailable and set to 0.
ImportSink *packages.Package
}
// A FuncNode describes a function in the call graph.
type FuncNode struct {
// Name is the name of the function.
Name string
// RecvType is the receiver object type of this function, if any.
RecvType string
// Package is the package the function is part of.
Package *packages.Package
// Position describes the position of the function in the file.
Pos *token.Position
// CallSites is a set of call sites where this function is called.
CallSites []*CallSite
}
func (fn *FuncNode) String() string {
if fn.RecvType == "" {
return fmt.Sprintf("%s.%s", fn.Package.PkgPath, fn.Name)
}
return fmt.Sprintf("%s.%s", fn.RecvType, fn.Name)
}
// Receiver returns the FuncNode's receiver, with package path removed.
// Pointers are preserved if present.
func (fn *FuncNode) Receiver() string {
return strings.Replace(fn.RecvType, fmt.Sprintf("%s.", fn.Package.PkgPath), "", 1)
}
// A CallSite describes a function call.
type CallSite struct {
// Parent is the enclosing function where the call is made.
Parent *FuncNode
// Name stands for the name of the function (variable) being called.
Name string
// RecvType is the full path of the receiver object type, if any.
RecvType string
// Position describes the position of the function in the file.
Pos *token.Position
// Resolved indicates if the called function can be statically resolved.
Resolved bool
}
// moduleVulnerabilities is an internal structure for
// holding and querying vulnerabilities provided by a
// vulnerability database client.
type moduleVulnerabilities []*ModVulns
// ModVulns groups vulnerabilities per module.
type ModVulns struct {
Module *packages.Module
Vulns []*osv.Entry
}
func (mv moduleVulnerabilities) filter(os, arch string) moduleVulnerabilities {
now := time.Now()
var filteredMod moduleVulnerabilities
for _, mod := range mv {
module := mod.Module
modVersion := module.Version
if module.Replace != nil {
modVersion = module.Replace.Version
}
// TODO(https://golang.org/issues/49264): if modVersion == "", try vcs?
var filteredVulns []*osv.Entry
for _, v := range mod.Vulns {
// Ignore vulnerabilities that have been withdrawn
if v.Withdrawn != nil && v.Withdrawn.Before(now) {
continue
}
var filteredAffected []osv.Affected
for _, a := range v.Affected {
// Vulnerabilities from some databases might contain
// information on related but different modules that
// were, say, reported in the same CVE. We filter such
// information out as it might lead to incorrect results:
// Computing a latest fix could consider versions of these
// different packages.
if a.Module.Path != module.Path {
continue
}
// A module version is affected if
// - it is included in one of the affected version ranges
// - and module version is not ""
if modVersion == "" {
// Module version of "" means the module version is not available,
// and so we don't want to spam users with potential false alarms.
continue
}
if !semver.Affects(a.Ranges, modVersion) {
continue
}
var filteredImports []osv.Package
for _, p := range a.EcosystemSpecific.Packages {
if matchesPlatform(os, arch, p) {
filteredImports = append(filteredImports, p)
}
}
if len(a.EcosystemSpecific.Packages) != 0 && len(filteredImports) == 0 {
continue
}
a.EcosystemSpecific.Packages = filteredImports
filteredAffected = append(filteredAffected, a)
}
if len(filteredAffected) == 0 {
continue
}
// save the non-empty vulnerability with only
// affected symbols.
newV := *v
newV.Affected = filteredAffected
filteredVulns = append(filteredVulns, &newV)
}
filteredMod = append(filteredMod, &ModVulns{
Module: module,
Vulns: filteredVulns,
})
}
return filteredMod
}
func matchesPlatform(os, arch string, e osv.Package) bool {
return matchesPlatformComponent(os, e.GOOS) &&
matchesPlatformComponent(arch, e.GOARCH)
}
// matchesPlatformComponent reports whether a GOOS (or GOARCH)
// matches a list of GOOS (or GOARCH) values from an osv.EcosystemSpecificImport.
func matchesPlatformComponent(s string, ps []string) bool {
// An empty input or an empty GOOS or GOARCH list means "matches everything."
if s == "" || len(ps) == 0 {
return true
}
for _, p := range ps {
if s == p {
return true
}
}
return false
}
// vulnsForPackage returns the vulnerabilities for the module which is the most
// specific prefix of importPath, or nil if there is no matching module with
// vulnerabilities.
func (mv moduleVulnerabilities) vulnsForPackage(importPath string) []*osv.Entry {
isStd := isStdPackage(importPath)
var mostSpecificMod *ModVulns
for _, mod := range mv {
md := mod
if isStd && mod.Module.Path == internal.GoStdModulePath {
// standard library packages do not have an associated module,
// so we relate them to the artificial stdlib module.
mostSpecificMod = md
} else if strings.HasPrefix(importPath, md.Module.Path) {
if mostSpecificMod == nil || len(mostSpecificMod.Module.Path) < len(md.Module.Path) {
mostSpecificMod = md
}
}
}
if mostSpecificMod == nil {
return nil
}
if mostSpecificMod.Module.Replace != nil {
// standard libraries do not have a module nor replace module
importPath = fmt.Sprintf("%s%s", mostSpecificMod.Module.Replace.Path, strings.TrimPrefix(importPath, mostSpecificMod.Module.Path))
}
vulns := mostSpecificMod.Vulns
packageVulns := []*osv.Entry{}
Vuln:
for _, v := range vulns {
for _, a := range v.Affected {
for _, p := range a.EcosystemSpecific.Packages {
if p.Path == importPath {
packageVulns = append(packageVulns, v)
continue Vuln
}
}
}
}
return packageVulns
}
// vulnsForSymbol returns vulnerabilities for `symbol` in `mv.VulnsForPackage(importPath)`.
func (mv moduleVulnerabilities) vulnsForSymbol(importPath, symbol string) []*osv.Entry {
vulns := mv.vulnsForPackage(importPath)
if vulns == nil {
return nil
}
symbolVulns := []*osv.Entry{}
vulnLoop:
for _, v := range vulns {
for _, a := range v.Affected {
for _, p := range a.EcosystemSpecific.Packages {
if p.Path != importPath {
continue
}
if len(p.Symbols) > 0 && !contains(p.Symbols, symbol) {
continue
}
symbolVulns = append(symbolVulns, v)
continue vulnLoop
}
}
}
return symbolVulns
}
func contains(symbols []string, target string) bool {
for _, s := range symbols {
if s == target {
return true
}
}
return false
}
func isStdPackage(pkg string) bool {
if pkg == "" {
return false
}
// std packages do not have a "." in their path. For instance, see
// Contains in pkgsite/+/refs/heads/master/internal/stdlbib/stdlib.go.
if i := strings.IndexByte(pkg, '/'); i != -1 {
pkg = pkg[:i]
}
return !strings.Contains(pkg, ".")
}
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������vuln-1.0.1/internal/vulncheck/vulncheck_test.go�����������������������������������������������������0000664�0000000�0000000�00000034534�14467454515�0021673�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package vulncheck
import (
"path"
"reflect"
"testing"
"time"
"github.com/google/go-cmp/cmp"
"golang.org/x/tools/go/packages"
"golang.org/x/tools/go/packages/packagestest"
"golang.org/x/vuln/internal/osv"
)
func TestFilterVulns(t *testing.T) {
past := time.Now().Add(-3 * time.Hour)
mv := moduleVulnerabilities{
{
Module: &packages.Module{
Path: "example.mod/a",
Version: "v1.0.0",
},
Vulns: []*osv.Entry{
{ID: "a", Affected: []osv.Affected{
{Module: osv.Module{Path: "example.mod/a"}, Ranges: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "1.0.0"}, {Fixed: "2.0.0"}}}}},
{Module: osv.Module{Path: "a.example.mod/a"}, Ranges: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "1.0.0"}, {Fixed: "2.0.0"}}}}}, // should be filtered out
{Module: osv.Module{Path: "example.mod/a"}, Ranges: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "0"}, {Fixed: "0.9.0"}}}}}, // should be filtered out
}},
{ID: "b", Affected: []osv.Affected{{Module: osv.Module{Path: "example.mod/a"}, Ranges: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "1.0.1"}}}},
EcosystemSpecific: osv.EcosystemSpecific{Packages: []osv.Package{{
GOOS: []string{"windows", "linux"},
}},
}}}},
{ID: "c", Affected: []osv.Affected{{Module: osv.Module{Path: "example.mod/a"}, Ranges: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "1.0.0"}, {Fixed: "1.0.1"}}}},
EcosystemSpecific: osv.EcosystemSpecific{Packages: []osv.Package{{
GOARCH: []string{"arm64", "amd64"},
}},
}}}},
{ID: "d", Affected: []osv.Affected{{Module: osv.Module{Path: "example.mod/a"}, EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
GOOS: []string{"windows"},
}},
}}}},
},
},
{
Module: &packages.Module{
Path: "example.mod/b",
Version: "v1.0.0",
},
Vulns: []*osv.Entry{
{ID: "e", Affected: []osv.Affected{{Module: osv.Module{Path: "example.mod/b"}, EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
GOARCH: []string{"arm64"},
}},
}}}},
{ID: "f", Affected: []osv.Affected{{Module: osv.Module{Path: "example.mod/b"}, EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
GOOS: []string{"linux"},
}},
}}}},
{ID: "g", Affected: []osv.Affected{{Module: osv.Module{Path: "example.mod/b"}, EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
GOARCH: []string{"amd64"},
}},
}, Ranges: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "0.0.1"}, {Fixed: "2.0.1"}}}}}}},
{ID: "h", Affected: []osv.Affected{{Module: osv.Module{Path: "example.mod/b"}, EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
GOOS: []string{"windows"}, GOARCH: []string{"amd64"},
}},
}}}},
},
},
{
Module: &packages.Module{
Path: "example.mod/c",
},
Vulns: []*osv.Entry{
{ID: "i", Affected: []osv.Affected{{Module: osv.Module{Path: "example.mod/c"}, EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
GOARCH: []string{"amd64"},
}},
}, Ranges: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "0.0.0"}}}}}}},
{ID: "j", Affected: []osv.Affected{{Module: osv.Module{Path: "example.mod/c"}, EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
GOARCH: []string{"amd64"},
}},
}, Ranges: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Fixed: "3.0.0"}}}}}}},
{ID: "k"},
},
},
{
Module: &packages.Module{
Path: "example.mod/d",
Version: "v1.2.0",
},
Vulns: []*osv.Entry{
{ID: "l", Affected: []osv.Affected{
{Module: osv.Module{Path: "example.mod/d"}, EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
GOOS: []string{"windows"}, // should be filtered out
}},
}},
{Module: osv.Module{Path: "example.mod/d"}, EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
GOOS: []string{"linux"},
}},
}},
}},
},
},
{
Module: &packages.Module{
Path: "example.mod/w",
Version: "v1.3.0",
},
Vulns: []*osv.Entry{
{ID: "m", Withdrawn: &past, Affected: []osv.Affected{ // should be filtered out
{Module: osv.Module{Path: "example.mod/w"}, EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
GOOS: []string{"linux"},
}},
}},
}},
{ID: "n", Affected: []osv.Affected{
{Module: osv.Module{Path: "example.mod/w"}, EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
GOOS: []string{"linux"},
}},
}},
}},
},
},
}
expected := moduleVulnerabilities{
{
Module: &packages.Module{
Path: "example.mod/a",
Version: "v1.0.0",
},
Vulns: []*osv.Entry{
{ID: "a", Affected: []osv.Affected{{Module: osv.Module{Path: "example.mod/a"}, Ranges: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "1.0.0"}, {Fixed: "2.0.0"}}}}}}},
{ID: "c", Affected: []osv.Affected{{Module: osv.Module{Path: "example.mod/a"}, EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
GOARCH: []string{"arm64", "amd64"},
}},
}, Ranges: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "1.0.0"}, {Fixed: "1.0.1"}}}}}}},
},
},
{
Module: &packages.Module{
Path: "example.mod/b",
Version: "v1.0.0",
},
Vulns: []*osv.Entry{
{ID: "f", Affected: []osv.Affected{{Module: osv.Module{Path: "example.mod/b"}, EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
GOOS: []string{"linux"},
}},
}}}},
{ID: "g", Affected: []osv.Affected{{Module: osv.Module{Path: "example.mod/b"}, EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
GOARCH: []string{"amd64"},
}},
}, Ranges: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "0.0.1"}, {Fixed: "2.0.1"}}}}}}},
},
},
{
Module: &packages.Module{
Path: "example.mod/c",
},
},
{
Module: &packages.Module{
Path: "example.mod/d",
Version: "v1.2.0",
},
Vulns: []*osv.Entry{
{ID: "l", Affected: []osv.Affected{{Module: osv.Module{Path: "example.mod/d"}, EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
GOOS: []string{"linux"},
}},
}}}},
},
},
{
Module: &packages.Module{
Path: "example.mod/w",
Version: "v1.3.0",
},
Vulns: []*osv.Entry{
{ID: "n", Affected: []osv.Affected{
{Module: osv.Module{Path: "example.mod/w"}, EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
GOOS: []string{"linux"},
}},
}},
}},
},
},
}
filtered := mv.filter("linux", "amd64")
if diff := diffModuleVulnerabilities(expected, filtered); diff != "" {
t.Fatalf("Filter returned unexpected results (-want,+got):\n%s", diff)
}
}
func diffModuleVulnerabilities(a, b moduleVulnerabilities) string {
return cmp.Diff(a, b, cmp.Exporter(func(t reflect.Type) bool {
return reflect.TypeOf(moduleVulnerabilities{}) == t || reflect.TypeOf(ModVulns{}) == t
}))
}
func TestVulnsForPackage(t *testing.T) {
mv := moduleVulnerabilities{
{
Module: &packages.Module{
Path: "example.mod/a",
Version: "v1.0.0",
},
Vulns: []*osv.Entry{
{ID: "a", Affected: []osv.Affected{{
Module: osv.Module{Path: "example.mod/a"},
EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
Path: "example.mod/a/b/c",
}},
},
}}},
},
},
{
Module: &packages.Module{
Path: "example.mod/a/b",
Version: "v1.0.0",
},
Vulns: []*osv.Entry{
{ID: "b", Affected: []osv.Affected{{
Module: osv.Module{Path: "example.mod/a/b"},
EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
Path: "example.mod/a/b/c",
}},
},
}}},
},
},
{
Module: &packages.Module{
Path: "example.mod/d",
Version: "v0.0.1",
},
Vulns: []*osv.Entry{
{ID: "d", Affected: []osv.Affected{{
Module: osv.Module{Path: "example.mod/d"},
EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
Path: "example.mod/d",
}},
},
}}},
},
},
}
filtered := mv.vulnsForPackage("example.mod/a/b/c")
expected := []*osv.Entry{
{ID: "b", Affected: []osv.Affected{{
Module: osv.Module{Path: "example.mod/a/b"},
EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
Path: "example.mod/a/b/c",
}},
},
}}},
}
if !reflect.DeepEqual(filtered, expected) {
t.Fatalf("VulnsForPackage returned unexpected results, got:\n%s\nwant:\n%s", vulnsToString(filtered), vulnsToString(expected))
}
}
func TestVulnsForPackageReplaced(t *testing.T) {
mv := moduleVulnerabilities{
{
Module: &packages.Module{
Path: "example.mod/a",
Version: "v1.0.0",
},
Vulns: []*osv.Entry{
{ID: "a", Affected: []osv.Affected{{
Module: osv.Module{Path: "example.mod/a"},
EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
Path: "example.mod/a/b/c",
}},
},
}}},
},
},
{
Module: &packages.Module{
Path: "example.mod/a/b",
Replace: &packages.Module{
Path: "example.mod/b",
},
Version: "v1.0.0",
},
Vulns: []*osv.Entry{
{ID: "c", Affected: []osv.Affected{{
Module: osv.Module{Path: "example.mod/b"},
EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
Path: "example.mod/b/c",
}},
},
}}},
},
},
}
filtered := mv.vulnsForPackage("example.mod/a/b/c")
expected := []*osv.Entry{
{ID: "c", Affected: []osv.Affected{{
Module: osv.Module{Path: "example.mod/b"},
EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
Path: "example.mod/b/c",
}},
},
}}},
}
if !reflect.DeepEqual(filtered, expected) {
t.Fatalf("VulnsForPackage returned unexpected results, got:\n%s\nwant:\n%s", vulnsToString(filtered), vulnsToString(expected))
}
}
func TestVulnsForSymbol(t *testing.T) {
mv := moduleVulnerabilities{
{
Module: &packages.Module{
Path: "example.mod/a",
Version: "v1.0.0",
},
Vulns: []*osv.Entry{
{ID: "a", Affected: []osv.Affected{{
Module: osv.Module{Path: "example.mod/a"},
EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
Path: "example.mod/a/b/c",
}},
},
}}},
},
},
{
Module: &packages.Module{
Path: "example.mod/a/b",
Version: "v1.0.0",
},
Vulns: []*osv.Entry{
{ID: "b", Affected: []osv.Affected{{
Module: osv.Module{Path: "example.mod/a/b"},
EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
Path: "example.mod/a/b/c",
Symbols: []string{"a"},
}},
},
}}},
{ID: "c", Affected: []osv.Affected{{
Module: osv.Module{Path: "example.mod/a/b"},
EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
Path: "example.mod/a/b/c",
Symbols: []string{"b"},
}},
},
}}},
},
},
}
filtered := mv.vulnsForSymbol("example.mod/a/b/c", "a")
expected := []*osv.Entry{
{ID: "b", Affected: []osv.Affected{{
Module: osv.Module{Path: "example.mod/a/b"},
EcosystemSpecific: osv.EcosystemSpecific{
Packages: []osv.Package{{
Path: "example.mod/a/b/c",
Symbols: []string{"a"},
}},
},
}}},
}
if !reflect.DeepEqual(filtered, expected) {
t.Fatalf("VulnsForPackage returned unexpected results, got:\n%s\nwant:\n%s", vulnsToString(filtered), vulnsToString(expected))
}
}
func TestConvert(t *testing.T) {
e := packagestest.Export(t, packagestest.Modules, []packagestest.Module{
{
Name: "golang.org/entry",
Files: map[string]interface{}{
"x/x.go": `
package x
import _ "golang.org/amod/avuln"
`}},
{
Name: "golang.org/zmod@v0.0.0",
Files: map[string]interface{}{"z/z.go": `
package z
`},
},
{
Name: "golang.org/amod@v1.1.3",
Files: map[string]interface{}{"avuln/avuln.go": `
package avuln
import _ "golang.org/wmod/w"
`},
},
{
Name: "golang.org/bmod@v0.5.0",
Files: map[string]interface{}{"bvuln/bvuln.go": `
package bvuln
`},
},
{
Name: "golang.org/wmod@v0.0.0",
Files: map[string]interface{}{"w/w.go": `
package w
import _ "golang.org/bmod/bvuln"
`},
},
})
defer e.Cleanup()
// Load x as entry package.
pkgs, err := loadTestPackages(e, path.Join(e.Temp(), "entry/x"))
if err != nil {
t.Fatal(err)
}
wantPkgs := map[string][]string{
"golang.org/amod/avuln": {"golang.org/wmod/w"},
"golang.org/bmod/bvuln": nil,
"golang.org/entry/x": {"golang.org/amod/avuln"},
"golang.org/wmod/w": {"golang.org/bmod/bvuln"},
}
if got := pkgPathToImports(pkgs); !reflect.DeepEqual(got, wantPkgs) {
t.Errorf("want %v;got %v", wantPkgs, got)
}
wantMods := map[string]string{
"golang.org/amod": "v1.1.3",
"golang.org/bmod": "v0.5.0",
"golang.org/entry": "",
"golang.org/wmod": "v0.0.0",
}
if got := modulePathToVersion(pkgs); !reflect.DeepEqual(got, wantMods) {
t.Errorf("want %v;got %v", wantMods, got)
}
}
func TestReceiver(t *testing.T) {
tcs := []struct {
name string
fn *FuncNode
want string
}{
{
name: "empty",
fn: &FuncNode{
RecvType: "",
Package: &packages.Package{PkgPath: "example.com/a/pkg"},
},
want: "",
},
{
name: "pointer",
fn: &FuncNode{
RecvType: "*example.com/a/pkg.Atype",
Package: &packages.Package{PkgPath: "example.com/a/pkg"},
},
want: "*Atype",
},
{
name: "not pointer",
fn: &FuncNode{
RecvType: "example.com/a/pkg.Atype",
Package: &packages.Package{PkgPath: "example.com/a/pkg"},
},
want: "Atype",
},
{
name: "no prefix",
fn: &FuncNode{
RecvType: "Atype",
Package: &packages.Package{PkgPath: "example.com/a/pkg"},
},
want: "Atype",
},
}
for _, tc := range tcs {
t.Run(tc.name, func(t *testing.T) {
got := tc.fn.Receiver()
if got != tc.want {
t.Errorf("*FuncNode.Receiver() = %s, want %s", got, tc.want)
}
})
}
}
��������������������������������������������������������������������������������������������������������������������������������������������������������������������vuln-1.0.1/internal/vulncheck/witness.go������������������������������������������������������������0000664�0000000�0000000�00000025354�14467454515�0020346�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package vulncheck
import (
"container/list"
"fmt"
"go/ast"
"go/token"
"sort"
"strconv"
"strings"
"sync"
"golang.org/x/tools/go/packages"
)
// CallStack is a call stack starting with a client
// function or method and ending with a call to a
// vulnerable symbol.
type CallStack []StackEntry
// StackEntry is an element of a call stack.
type StackEntry struct {
// Function whose frame is on the stack.
Function *FuncNode
// Call is the call site inducing the next stack frame.
// nil when the frame represents the last frame in the stack.
Call *CallSite
}
// CallStacks returns representative call stacks for each
// vulnerability in res. The returned call stacks are heuristically
// ordered by how seemingly easy is to understand them: shorter
// call stacks with less dynamic call sites appear earlier in the
// returned slices.
//
// CallStacks performs a breadth-first search of res.CallGraph starting
// at the vulnerable symbol and going up until reaching an entry
// function or method in res.CallGraph.Entries. During this search,
// each function is visited at most once to avoid potential
// exponential explosion. Hence, not all call stacks are analyzed.
func CallStacks(res *Result) map[*Vuln]CallStack {
var (
wg sync.WaitGroup
mu sync.Mutex
)
stackPerVuln := make(map[*Vuln]CallStack)
for _, vuln := range res.Vulns {
vuln := vuln
wg.Add(1)
go func() {
cs := callStack(vuln, res)
mu.Lock()
stackPerVuln[vuln] = cs
mu.Unlock()
wg.Done()
}()
}
wg.Wait()
updateInitPositions(stackPerVuln)
return stackPerVuln
}
// callStack finds a representative call stack for vuln.
// This is a shortest unique call stack with the least
// number of dynamic call sites.
func callStack(vuln *Vuln, res *Result) CallStack {
vulnSink := vuln.CallSink
if vulnSink == nil {
return nil
}
entries := make(map[*FuncNode]bool)
for _, e := range res.EntryFunctions {
entries[e] = true
}
seen := make(map[*FuncNode]bool)
// Do a BFS from the vuln sink to the entry points
// and find the representative call stack. This is
// the shortest call stack that goes through the
// least number of dynamic call sites. We first
// collect all candidate call stacks of the shortest
// length and then pick the best one accordingly.
var candidates []CallStack
candDepth := 0
queue := list.New()
queue.PushBack(&callChain{f: vulnSink})
// We want to avoid call stacks that go through
// other vulnerable symbols of the same package
// for the same vulnerability. In other words,
// we want unique call stacks.
skipSymbols := make(map[*FuncNode]bool)
for _, v := range res.Vulns {
if v.CallSink != nil && v != vuln &&
v.OSV == vuln.OSV && v.ImportSink == vuln.ImportSink {
skipSymbols[v.CallSink] = true
}
}
for queue.Len() > 0 {
front := queue.Front()
c := front.Value.(*callChain)
queue.Remove(front)
f := c.f
if seen[f] {
continue
}
seen[f] = true
// Pick a single call site for each function in determinstic order.
// A single call site is sufficient as we visit a function only once.
for _, cs := range callsites(f.CallSites, seen) {
nStack := &callChain{f: cs.Parent, call: cs, child: c}
if !skipSymbols[cs.Parent] {
queue.PushBack(nStack)
}
if entries[cs.Parent] {
ns := nStack.CallStack()
if len(candidates) == 0 || len(ns) == candDepth {
// The case where we either have not identified
// any call stacks or just found one of the same
// length as the previous ones.
candidates = append(candidates, ns)
candDepth = len(ns)
} else {
// We just found a candidate call stack whose
// length is greater than what we previously
// found. We can thus safely disregard this
// call stack and stop searching since we won't
// be able to find any better candidates.
queue.Init() // clear the list, effectively exiting the outer loop
}
}
}
}
// Sort candidate call stacks by their number of dynamic call
// sites and return the first one.
sort.SliceStable(candidates, func(i int, j int) bool {
s1, s2 := candidates[i], candidates[j]
if w1, w2 := weight(s1), weight(s2); w1 != w2 {
return w1 < w2
}
// At this point, the stableness/determinism of
// sorting is guaranteed by the determinism of
// the underlying call graph and the call stack
// search algorithm.
return true
})
if len(candidates) == 0 {
return nil
}
return candidates[0]
}
// callsites picks a call site from sites for each non-visited function.
// For each such function, the smallest (posLess) call site is chosen. The
// returned slice is sorted by caller functions (funcLess). Assumes callee
// of each call site is the same.
func callsites(sites []*CallSite, visited map[*FuncNode]bool) []*CallSite {
minCs := make(map[*FuncNode]*CallSite)
for _, cs := range sites {
if visited[cs.Parent] {
continue
}
if csLess(cs, minCs[cs.Parent]) {
minCs[cs.Parent] = cs
}
}
var fs []*FuncNode
for _, cs := range minCs {
fs = append(fs, cs.Parent)
}
sort.SliceStable(fs, func(i, j int) bool { return funcLess(fs[i], fs[j]) })
var css []*CallSite
for _, f := range fs {
css = append(css, minCs[f])
}
return css
}
// callChain models a chain of function calls.
type callChain struct {
call *CallSite // nil for entry points
f *FuncNode
child *callChain
}
// CallStack converts callChain to CallStack type.
func (c *callChain) CallStack() CallStack {
if c == nil {
return nil
}
return append(CallStack{StackEntry{Function: c.f, Call: c.call}}, c.child.CallStack()...)
}
// weight computes an approximate measure of how easy is to understand the call
// stack when presented to the client as a witness. The smaller the value, the more
// understandable the stack is. Currently defined as the number of unresolved
// call sites in the stack.
func weight(stack CallStack) int {
w := 0
for _, e := range stack {
if e.Call != nil && !e.Call.Resolved {
w += 1
}
}
return w
}
// csLess compares two call sites by their locations and, if needed,
// their string representation.
func csLess(cs1, cs2 *CallSite) bool {
if cs2 == nil {
return true
}
// fast code path
if p1, p2 := cs1.Pos, cs2.Pos; p1 != nil && p2 != nil {
if posLess(*p1, *p2) {
return true
}
if posLess(*p2, *p1) {
return false
}
// for sanity, should not occur in practice
return fmt.Sprintf("%v.%v", cs1.RecvType, cs2.Name) < fmt.Sprintf("%v.%v", cs2.RecvType, cs2.Name)
}
// code path rarely exercised
if cs2.Pos == nil {
return true
}
if cs1.Pos == nil {
return false
}
// should very rarely occur in practice
return fmt.Sprintf("%v.%v", cs1.RecvType, cs2.Name) < fmt.Sprintf("%v.%v", cs2.RecvType, cs2.Name)
}
// posLess compares two positions by their line and column number,
// and filename if needed.
func posLess(p1, p2 token.Position) bool {
if p1.Line < p2.Line {
return true
}
if p2.Line < p1.Line {
return false
}
if p1.Column < p2.Column {
return true
}
if p2.Column < p1.Column {
return false
}
return strings.Compare(p1.Filename, p2.Filename) == -1
}
// funcLess compares two function nodes by locations of
// corresponding functions and, if needed, their string representation.
func funcLess(f1, f2 *FuncNode) bool {
if p1, p2 := f1.Pos, f2.Pos; p1 != nil && p2 != nil {
if posLess(*p1, *p2) {
return true
}
if posLess(*p2, *p1) {
return false
}
// for sanity, should not occur in practice
return f1.String() < f2.String()
}
if f2.Pos == nil {
return true
}
if f1.Pos == nil {
return false
}
// should happen only for inits
return f1.String() < f2.String()
}
// updateInitPositions populates non-existing positions of init functions
// and their respective calls in callStacks (see #51575).
func updateInitPositions(callStacks map[*Vuln]CallStack) {
for _, cs := range callStacks {
for i := range cs {
updateInitPosition(&cs[i])
if i != len(cs)-1 {
updateInitCallPosition(&cs[i], cs[i+1])
}
}
}
}
// updateInitCallPosition updates the position of a call to init in a stack frame, if
// one already does not exist:
//
// P1.init -> P2.init: position of call to P2.init is the position of "import P2"
// statement in P1
//
// P.init -> P.init#d: P.init is an implicit init. We say it calls the explicit
// P.init#d at the place of "package P" statement.
func updateInitCallPosition(curr *StackEntry, next StackEntry) {
call := curr.Call
if !isInit(next.Function) || (call.Pos != nil && call.Pos.IsValid()) {
// Skip non-init functions and inits whose call site position is available.
return
}
var pos token.Position
if curr.Function.Name == "init" && curr.Function.Package == next.Function.Package {
// We have implicit P.init calling P.init#d. Set the call position to
// be at "package P" statement position.
pos = packageStatementPos(curr.Function.Package)
} else {
// Choose the beginning of the import statement as the position.
pos = importStatementPos(curr.Function.Package, next.Function.Package.PkgPath)
}
call.Pos = &pos
}
func importStatementPos(pkg *packages.Package, importPath string) token.Position {
var importSpec *ast.ImportSpec
spec:
for _, f := range pkg.Syntax {
for _, impSpec := range f.Imports {
// Import spec paths have quotation marks.
impSpecPath, err := strconv.Unquote(impSpec.Path.Value)
if err != nil {
panic(fmt.Sprintf("import specification: package path has no quotation marks: %v", err))
}
if impSpecPath == importPath {
importSpec = impSpec
break spec
}
}
}
if importSpec == nil {
// for sanity, in case of a wild call graph imprecision
return token.Position{}
}
// Choose the beginning of the import statement as the position.
return pkg.Fset.Position(importSpec.Pos())
}
func packageStatementPos(pkg *packages.Package) token.Position {
if len(pkg.Syntax) == 0 {
return token.Position{}
}
// Choose beginning of the package statement as the position. Pick
// the first file since it is as good as any.
return pkg.Fset.Position(pkg.Syntax[0].Package)
}
// updateInitPosition updates the position of P.init function in a stack frame if one
// is not available. The new position is the position of the "package P" statement.
func updateInitPosition(se *StackEntry) {
fun := se.Function
if !isInit(fun) || (fun.Pos != nil && fun.Pos.IsValid()) {
// Skip non-init functions and inits whose position is available.
return
}
pos := packageStatementPos(fun.Package)
fun.Pos = &pos
}
func isInit(f *FuncNode) bool {
// A source init function, or anonymous functions used in inits, will
// be named "init#x" by vulncheck (more precisely, ssa), where x is a
// positive integer. Implicit inits are named simply "init".
return f.Name == "init" || strings.HasPrefix(f.Name, "init#")
}
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������vuln-1.0.1/internal/vulncheck/witness_test.go�������������������������������������������������������0000664�0000000�0000000�00000015714�14467454515�0021404�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package vulncheck
import (
"context"
"fmt"
"path"
"path/filepath"
"reflect"
"strings"
"testing"
"github.com/google/go-cmp/cmp"
"golang.org/x/tools/go/packages"
"golang.org/x/tools/go/packages/packagestest"
"golang.org/x/vuln/internal/client"
"golang.org/x/vuln/internal/govulncheck"
"golang.org/x/vuln/internal/osv"
)
// stacksToString converts map *Vuln:stack to Vuln.Symbol:"f1->...->fN"
// string representation.
func stacksToString(stacks map[*Vuln]CallStack) map[string]string {
m := make(map[string]string)
for v, st := range stacks {
var stStr []string
for _, call := range st {
stStr = append(stStr, call.Function.Name)
}
m[v.Symbol] = strings.Join(stStr, "->")
}
return m
}
func TestCallStacks(t *testing.T) {
// Call graph structure for the test program
// entry1 entry2
// | |
// interm1 |
// | \ /
// | interm2(interface)
// | / |
// vuln1 vuln2
o := &osv.Entry{ID: "o"}
e1 := &FuncNode{Name: "entry1"}
e2 := &FuncNode{Name: "entry2"}
i1 := &FuncNode{Name: "interm1", CallSites: []*CallSite{{Parent: e1, Resolved: true}}}
i2 := &FuncNode{Name: "interm2", CallSites: []*CallSite{{Parent: e2, Resolved: true}, {Parent: i1, Resolved: true}}}
v1 := &FuncNode{Name: "vuln1", CallSites: []*CallSite{{Parent: i1, Resolved: true}, {Parent: i2, Resolved: false}}}
v2 := &FuncNode{Name: "vuln2", CallSites: []*CallSite{{Parent: i2, Resolved: false}}}
vp := &packages.Package{PkgPath: "v1", Module: &packages.Module{Path: "m1"}}
vuln1 := &Vuln{CallSink: v1, ImportSink: vp, OSV: o, Symbol: "vuln1"}
vuln2 := &Vuln{CallSink: v2, ImportSink: vp, OSV: o, Symbol: "vuln2"}
res := &Result{
EntryFunctions: []*FuncNode{e1, e2},
Vulns: []*Vuln{vuln1, vuln2},
}
want := map[string]string{
"vuln1": "entry1->interm1->vuln1",
"vuln2": "entry2->interm2->vuln2",
}
stacks := CallStacks(res)
if got := stacksToString(stacks); !reflect.DeepEqual(want, got) {
t.Errorf("want %v; got %v", want, got)
}
}
func TestUniqueCallStack(t *testing.T) {
// Call graph structure for the test program
// entry1 entry2
// | |
// vuln1 interm1
// | |
// | interm2
// | /
// vuln2
o := &osv.Entry{ID: "o"}
e1 := &FuncNode{Name: "entry1"}
e2 := &FuncNode{Name: "entry2"}
i1 := &FuncNode{Name: "interm1", CallSites: []*CallSite{{Parent: e2}}}
i2 := &FuncNode{Name: "interm2", CallSites: []*CallSite{{Parent: i1}}}
v1 := &FuncNode{Name: "vuln1", CallSites: []*CallSite{{Parent: e1}}}
v2 := &FuncNode{Name: "vuln2", CallSites: []*CallSite{{Parent: v1}, {Parent: i2}}}
vp := &packages.Package{PkgPath: "v1", Module: &packages.Module{Path: "m1"}}
vuln1 := &Vuln{CallSink: v1, ImportSink: vp, OSV: o, Symbol: "vuln1"}
vuln2 := &Vuln{CallSink: v2, ImportSink: vp, OSV: o, Symbol: "vuln2"}
res := &Result{
EntryFunctions: []*FuncNode{e1, e2},
Vulns: []*Vuln{vuln1, vuln2},
}
want := map[string]string{
"vuln1": "entry1->vuln1",
"vuln2": "entry2->interm1->interm2->vuln2",
}
stacks := CallStacks(res)
if got := stacksToString(stacks); !reflect.DeepEqual(want, got) {
t.Errorf("want %v; got %v", want, got)
}
}
// TestInits checks for correct positions of init functions
// and their respective calls (see #51575).
func TestInits(t *testing.T) {
testClient, err := client.NewInMemoryClient(
[]*osv.Entry{
{
ID: "A", Affected: []osv.Affected{{Module: osv.Module{Path: "golang.org/amod"}, Ranges: []osv.Range{{Type: osv.RangeTypeSemver}},
EcosystemSpecific: osv.EcosystemSpecific{Packages: []osv.Package{{
Path: "golang.org/amod/avuln", Symbols: []string{"A"}},
}},
}},
},
{
ID: "C", Affected: []osv.Affected{{Module: osv.Module{Path: "golang.org/cmod"}, Ranges: []osv.Range{{Type: osv.RangeTypeSemver}},
EcosystemSpecific: osv.EcosystemSpecific{Packages: []osv.Package{{
Path: "golang.org/cmod/cvuln", Symbols: []string{"C"}},
}},
}},
},
})
if err != nil {
t.Fatal(err)
}
e := packagestest.Export(t, packagestest.Modules, []packagestest.Module{
{
Name: "golang.org/entry",
Files: map[string]interface{}{
"x/x.go": `
package x
import (
_ "golang.org/amod/avuln"
_ "golang.org/bmod/b"
)
`,
},
},
{
Name: "golang.org/amod@v0.5.0",
Files: map[string]interface{}{"avuln/avuln.go": `
package avuln
func init() {
A()
}
func A() {}
`},
},
{
Name: "golang.org/bmod@v0.5.0",
Files: map[string]interface{}{"b/b.go": `
package b
import _ "golang.org/cmod/cvuln"
`},
},
{
Name: "golang.org/cmod@v0.5.0",
Files: map[string]interface{}{"cvuln/cvuln.go": `
package cvuln
var x int = C()
func C() int {
return 0
}
`},
},
})
defer e.Cleanup()
// Load x as entry package.
graph := NewPackageGraph("go1.18")
pkgs, err := graph.LoadPackages(e.Config, nil, []string{path.Join(e.Temp(), "entry/x")})
if err != nil {
t.Fatal(err)
}
if len(pkgs) != 1 {
t.Fatal("failed to load x test package")
}
cfg := &govulncheck.Config{ScanLevel: "symbol"}
result, err := Source(context.Background(), pkgs, cfg, testClient, graph)
if err != nil {
t.Fatal(err)
}
cs := CallStacks(result)
want := map[string][]string{
"A": {
// Entry init's position is the package statement.
// It calls avuln.init at avuln import statement.
"N:golang.org/entry/x.init F:x.go:2:4 C:x.go:5:5",
// implicit avuln.init is calls explicit init at the avuln
// package statement.
"N:golang.org/amod/avuln.init F:avuln.go:2:4 C:avuln.go:2:4",
"N:golang.org/amod/avuln.init#1 F:avuln.go:4:9 C:avuln.go:5:6",
"N:golang.org/amod/avuln.A F:avuln.go:8:9 C:",
},
"C": {
"N:golang.org/entry/x.init F:x.go:2:4 C:x.go:6:5",
"N:golang.org/bmod/b.init F:b.go:2:4 C:b.go:4:11",
"N:golang.org/cmod/cvuln.init F:cvuln.go:2:4 C:cvuln.go:4:17",
"N:golang.org/cmod/cvuln.C F:cvuln.go:6:9 C:",
},
}
if diff := cmp.Diff(want, fullStacksToString(cs)); diff != "" {
t.Errorf("modules mismatch (-want, +got):\n%s", diff)
}
}
// fullStacksToString is like stacksToString but the stack stringification
// is a slice of strings, each containing detailed information on each on
// the corresponding frame.
func fullStacksToString(callStacks map[*Vuln]CallStack) map[string][]string {
m := make(map[string][]string)
for v, cs := range callStacks {
var scs []string
for _, se := range cs {
fPos := se.Function.Pos
fp := fmt.Sprintf("%s:%d:%d", filepath.Base(fPos.Filename), fPos.Line, fPos.Column)
var cp string
if se.Call != nil && se.Call.Pos.IsValid() {
cPos := se.Call.Pos
cp = fmt.Sprintf("%s:%d:%d", filepath.Base(cPos.Filename), cPos.Line, cPos.Column)
}
sse := fmt.Sprintf("N:%s.%s\tF:%v\tC:%v", se.Function.Package.PkgPath, se.Function.Name, fp, cp)
scs = append(scs, sse)
}
m[v.OSV.ID] = scs
}
return m
}
����������������������������������������������������vuln-1.0.1/internal/web/����������������������������������������������������������������������������0000775�0000000�0000000�00000000000�14467454515�0015105�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������vuln-1.0.1/internal/web/url.go����������������������������������������������������������������������0000664�0000000�0000000�00000007600�14467454515�0016241�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������// Copyright 2022 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Code copied from
// https://github.com/golang/go/blob/2ebe77a2fda1ee9ff6fd9a3e08933ad1ebaea039/src/cmd/go/internal/web/url.go
// TODO(https://go.dev/issue/32456): if accepted, use the new API.
package web
import (
"errors"
"net/url"
"path/filepath"
"runtime"
"strings"
)
var errNotAbsolute = errors.New("path is not absolute")
// URLToFilePath converts a file-scheme url to a file path.
func URLToFilePath(u *url.URL) (string, error) {
if u.Scheme != "file" {
return "", errors.New("non-file URL")
}
checkAbs := func(path string) (string, error) {
if !filepath.IsAbs(path) {
return "", errNotAbsolute
}
return path, nil
}
if u.Path == "" {
if u.Host != "" || u.Opaque == "" {
return "", errors.New("file URL missing path")
}
return checkAbs(filepath.FromSlash(u.Opaque))
}
path, err := convertFileURLPath(u.Host, u.Path)
if err != nil {
return path, err
}
return checkAbs(path)
}
// URLFromFilePath converts the given absolute path to a URL.
func URLFromFilePath(path string) (*url.URL, error) {
if !filepath.IsAbs(path) {
return nil, errNotAbsolute
}
// If path has a Windows volume name, convert the volume to a host and prefix
// per https://blogs.msdn.microsoft.com/ie/2006/12/06/file-uris-in-windows/.
if vol := filepath.VolumeName(path); vol != "" {
if strings.HasPrefix(vol, `\\`) {
path = filepath.ToSlash(path[2:])
i := strings.IndexByte(path, '/')
if i < 0 {
// A degenerate case.
// \\host.example.com (without a share name)
// becomes
// file://host.example.com/
return &url.URL{
Scheme: "file",
Host: path,
Path: "/",
}, nil
}
// \\host.example.com\Share\path\to\file
// becomes
// file://host.example.com/Share/path/to/file
return &url.URL{
Scheme: "file",
Host: path[:i],
Path: filepath.ToSlash(path[i:]),
}, nil
}
// C:\path\to\file
// becomes
// file:///C:/path/to/file
return &url.URL{
Scheme: "file",
Path: "/" + filepath.ToSlash(path),
}, nil
}
// /path/to/file
// becomes
// file:///path/to/file
return &url.URL{
Scheme: "file",
Path: filepath.ToSlash(path),
}, nil
}
func convertFileURLPath(host, path string) (string, error) {
if runtime.GOOS == "windows" {
return convertFileURLPathWindows(host, path)
}
switch host {
case "", "localhost":
default:
return "", errors.New("file URL specifies non-local host")
}
return filepath.FromSlash(path), nil
}
func convertFileURLPathWindows(host, path string) (string, error) {
if len(path) == 0 || path[0] != '/' {
return "", errNotAbsolute
}
path = filepath.FromSlash(path)
// We interpret Windows file URLs per the description in
// https://blogs.msdn.microsoft.com/ie/2006/12/06/file-uris-in-windows/.
// The host part of a file URL (if any) is the UNC volume name,
// but RFC 8089 reserves the authority "localhost" for the local machine.
if host != "" && host != "localhost" {
// A common "legacy" format omits the leading slash before a drive letter,
// encoding the drive letter as the host instead of part of the path.
// (See https://blogs.msdn.microsoft.com/freeassociations/2005/05/19/the-bizarre-and-unhappy-story-of-file-urls/.)
// We do not support that format, but we should at least emit a more
// helpful error message for it.
if filepath.VolumeName(host) != "" {
return "", errors.New("file URL encodes volume in host field: too few slashes?")
}
return `\\` + host + path, nil
}
// If host is empty, path must contain an initial slash followed by a
// drive letter and path. Remove the slash and verify that the path is valid.
if vol := filepath.VolumeName(path[1:]); vol == "" || strings.HasPrefix(vol, `\\`) {
return "", errors.New("file URL missing drive letter")
}
return path[1:], nil
}
��������������������������������������������������������������������������������������������������������������������������������vuln-1.0.1/internal/web/url_test.go�����������������������������������������������������������������0000664�0000000�0000000�00000012365�14467454515�0017304�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������// Copyright 2022 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package web
import (
"net/url"
"runtime"
"testing"
)
func TestURLToFilePath(t *testing.T) {
for _, tc := range urlTests() {
if tc.url == "" {
continue
}
tc := tc
t.Run(tc.url, func(t *testing.T) {
u, err := url.Parse(tc.url)
if err != nil {
t.Fatalf("url.Parse(%q): %v", tc.url, err)
}
path, err := URLToFilePath(u)
if err != nil {
if err.Error() == tc.wantErr {
return
}
if tc.wantErr == "" {
t.Fatalf("urlToFilePath(%v): %v; want ", u, err)
} else {
t.Fatalf("urlToFilePath(%v): %v; want %s", u, err, tc.wantErr)
}
}
if path != tc.filePath || tc.wantErr != "" {
t.Fatalf("urlToFilePath(%v) = %q, ; want %q, %s", u, path, tc.filePath, tc.wantErr)
}
})
}
}
func TestURLFromFilePath(t *testing.T) {
for _, tc := range urlTests() {
if tc.filePath == "" {
continue
}
tc := tc
t.Run(tc.filePath, func(t *testing.T) {
u, err := URLFromFilePath(tc.filePath)
if err != nil {
if err.Error() == tc.wantErr {
return
}
if tc.wantErr == "" {
t.Fatalf("urlFromFilePath(%v): %v; want ", tc.filePath, err)
} else {
t.Fatalf("urlFromFilePath(%v): %v; want %s", tc.filePath, err, tc.wantErr)
}
}
if tc.wantErr != "" {
t.Fatalf("urlFromFilePath(%v) = ; want error: %s", tc.filePath, tc.wantErr)
}
wantURL := tc.url
if tc.canonicalURL != "" {
wantURL = tc.canonicalURL
}
if u.String() != wantURL {
t.Errorf("urlFromFilePath(%v) = %v; want %s", tc.filePath, u, wantURL)
}
})
}
}
func urlTests() []urlTest {
if runtime.GOOS == "windows" {
return urlTestsWindows
}
return urlTestsOthers
}
type urlTest struct {
url string
filePath string
canonicalURL string // If empty, assume equal to url.
wantErr string
}
var urlTestsOthers = []urlTest{
// Examples from RFC 8089:
{
url: `file:///path/to/file`,
filePath: `/path/to/file`,
},
{
url: `file:/path/to/file`,
filePath: `/path/to/file`,
canonicalURL: `file:///path/to/file`,
},
{
url: `file://localhost/path/to/file`,
filePath: `/path/to/file`,
canonicalURL: `file:///path/to/file`,
},
// We reject non-local files.
{
url: `file://host.example.com/path/to/file`,
wantErr: "file URL specifies non-local host",
},
}
var urlTestsWindows = []urlTest{
// Examples from https://blogs.msdn.microsoft.com/ie/2006/12/06/file-uris-in-windows/:
{
url: `file://laptop/My%20Documents/FileSchemeURIs.doc`,
filePath: `\\laptop\My Documents\FileSchemeURIs.doc`,
},
{
url: `file:///C:/Documents%20and%20Settings/davris/FileSchemeURIs.doc`,
filePath: `C:\Documents and Settings\davris\FileSchemeURIs.doc`,
},
{
url: `file:///D:/Program%20Files/Viewer/startup.htm`,
filePath: `D:\Program Files\Viewer\startup.htm`,
},
{
url: `file:///C:/Program%20Files/Music/Web%20Sys/main.html?REQUEST=RADIO`,
filePath: `C:\Program Files\Music\Web Sys\main.html`,
canonicalURL: `file:///C:/Program%20Files/Music/Web%20Sys/main.html`,
},
{
url: `file://applib/products/a-b/abc_9/4148.920a/media/start.swf`,
filePath: `\\applib\products\a-b\abc_9\4148.920a\media\start.swf`,
},
{
url: `file:////applib/products/a%2Db/abc%5F9/4148.920a/media/start.swf`,
wantErr: "file URL missing drive letter",
},
{
url: `C:\Program Files\Music\Web Sys\main.html?REQUEST=RADIO`,
wantErr: "non-file URL",
},
// The example "file://D:\Program Files\Viewer\startup.htm" errors out in
// url.Parse, so we substitute a slash-based path for testing instead.
{
url: `file://D:/Program Files/Viewer/startup.htm`,
wantErr: "file URL encodes volume in host field: too few slashes?",
},
// The blog post discourages the use of non-ASCII characters because they
// depend on the user's current codepage. However, when we are working with Go
// strings we assume UTF-8 encoding, and our url package refuses to encode
// URLs to non-ASCII strings.
{
url: `file:///C:/exampleㄓ.txt`,
filePath: `C:\exampleㄓ.txt`,
canonicalURL: `file:///C:/example%E3%84%93.txt`,
},
{
url: `file:///C:/example%E3%84%93.txt`,
filePath: `C:\exampleㄓ.txt`,
},
// Examples from RFC 8089:
// We allow the drive-letter variation from section E.2, because it is
// simpler to support than not to. However, we do not generate the shorter
// form in the reverse direction.
{
url: `file:c:/path/to/file`,
filePath: `c:\path\to\file`,
canonicalURL: `file:///c:/path/to/file`,
},
// We encode the UNC share name as the authority following section E.3.1,
// because that is what the Microsoft blog post explicitly recommends.
{
url: `file://host.example.com/Share/path/to/file.txt`,
filePath: `\\host.example.com\Share\path\to\file.txt`,
},
// We decline the four- and five-slash variations from section E.3.2.
// The paths in these URLs would change meaning under path.Clean.
{
url: `file:////host.example.com/path/to/file`,
wantErr: "file URL missing drive letter",
},
{
url: `file://///host.example.com/path/to/file`,
wantErr: "file URL missing drive letter",
},
}
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������vuln-1.0.1/scan/������������������������������������������������������������������������������������0000775�0000000�0000000�00000000000�14467454515�0013440�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������vuln-1.0.1/scan/scan.go�����������������������������������������������������������������������������0000664�0000000�0000000�00000004773�14467454515�0014726�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������// Copyright 2023 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
/*
Package scan provides functionality for running govulncheck.
See [cmd/govulncheck/main.go] as a usage example.
[cmd/govulncheck/main.go]: https://go.googlesource.com/vuln/+/master/cmd/govulncheck/main.go
*/
package scan
import (
"context"
"errors"
"io"
"os"
"golang.org/x/vuln/internal/scan"
)
// Cmd represents an external govulncheck command being prepared or run,
// similar to exec.Cmd.
type Cmd struct {
// Stdin specifies the standard input. If provided, it is expected to be
// the output of govulncheck -json.
Stdin io.Reader
// Stdout specifies the standard output. If nil, Run connects os.Stdout.
Stdout io.Writer
// Stderr specifies the standard error. If nil, Run connects os.Stderr.
Stderr io.Writer
// Env is the environment to use.
// If Env is nil, the current environment is used.
// As in os/exec's Cmd, only the last value in the slice for
// each environment key is used. To specify the setting of only
// a few variables, append to the current environment, as in:
//
// opt.Env = append(os.Environ(), "GOOS=plan9", "GOARCH=386")
//
Env []string
ctx context.Context
args []string
done chan struct{}
err error
}
// Command returns the Cmd struct to execute govulncheck with the given
// arguments.
func Command(ctx context.Context, arg ...string) *Cmd {
return &Cmd{
ctx: ctx,
args: arg,
}
}
// Start starts the specified command but does not wait for it to complete.
//
// After a successful call to Start the Wait method must be called in order to
// release associated system resources.
func (c *Cmd) Start() error {
if c.done != nil {
return errors.New("vuln: already started")
}
if c.Stdin == nil {
c.Stdin = os.Stdin
}
if c.Stdout == nil {
c.Stdout = os.Stdout
}
if c.Stderr == nil {
c.Stderr = os.Stderr
}
if c.Env == nil {
c.Env = os.Environ()
}
c.done = make(chan struct{})
go func() {
defer close(c.done)
c.err = c.scan()
}()
return nil
}
// Wait waits for the command to exit. The command must have been started by
// Start.
//
// Wait releases any resources associated with the Cmd.
func (c *Cmd) Wait() error {
if c.done == nil {
return errors.New("vuln: start must be called before wait")
}
<-c.done
return c.err
}
func (c *Cmd) scan() error {
if err := c.ctx.Err(); err != nil {
return err
}
return scan.RunGovulncheck(c.ctx, c.Env, c.Stdin, c.Stdout, c.Stderr, c.args)
}
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������