x/vuln:  govulncheck seg faults when used against project using 1.22.0

We have a go project that we build using go1.21.6. We've been using `govulncheck` to check the project for vulnerabilities. 

Today, we upgraded from 1.21.6 to 1.22.0. Now when we run `govulncheck` we see a stack trace.

```
% govulncheck -version
Go: go1.22.0
Scanner: govulncheck@v1.0.4
DB: https://vuln.go.dev
DB updated: 2024-02-07 04:19:28 +0000 UTC

No vulnerabilities found.
% govulncheck ./...
Scanning your code and 608 packages across 118 dependent modules for known vulnerabilities...

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x28 pc=0x10115154c]

goroutine 9467 [running]:
golang.org/x/tools/go/ssa.memberFromObject(0x1403764dc00, {0x0, 0x0?}, {0x1013282a0, 0x1401ac69500}, {0x0, 0x0})
	/Users/lambere/go/pkg/mod/golang.org/x/tools@v0.17.0/go/ssa/create.go:55 +0x3c
golang.org/x/tools/go/ssa.membersFromDecl(0x1403764dc00, {0x101329798?, 0x1401ac69500?}, {0x0, 0x0})
	/Users/lambere/go/pkg/mod/golang.org/x/tools@v0.17.0/go/ssa/create.go:184 +0xf4
golang.org/x/tools/go/ssa.(*Program).CreatePackage(0x140108b1380, 0x1401ac6c900, {0x140193f8cb0, 0x1, 0x1}, 0x1401aaee230, 0x1)
	/Users/lambere/go/pkg/mod/golang.org/x/tools@v0.17.0/go/ssa/create.go:250 +0x7e8
golang.org/x/vuln/internal/vulncheck.buildSSA.func1(0x0?)
	/Users/lambere/go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/vulncheck/utils.go:38 +0xc0
golang.org/x/vuln/internal/vulncheck.buildSSA({0x140004f0600, 0x59, 0x14001380798?}, 0x14000158740)
	/Users/lambere/go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/vulncheck/utils.go:46 +0x268
golang.org/x/vuln/internal/vulncheck.source.func1()
	/Users/lambere/go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/vulncheck/source.go:54 +0x88
created by golang.org/x/vuln/internal/vulncheck.source in goroutine 35
	/Users/lambere/go/pkg/mod/golang.org/x/vuln@v1.0.4/internal/vulncheck/source.go:52 +0x204
```

If i down grade the project back to 1.21.6, govuln works as expected
```
% govulncheck -version
Go: go1.21.6
Scanner: govulncheck@v1.0.4
DB: https://vuln.go.dev
DB updated: 2024-02-07 04:19:28 +0000 UTC

No vulnerabilities found.
% govulncheck ./...
Scanning your code and 605 packages across 118 dependent modules for known vulnerabilities...

No vulnerabilities found.
```

Go version details
```
% go version
go version go1.22.0 darwin/arm64
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

x/vuln: govulncheck seg faults when used against project using 1.22.0 #65590

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

x/vuln: govulncheck seg faults when used against project using 1.22.0 #65590

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions