vulncheck

package
v0.5.1 Latest
Warning: This package is not in the latest version of its module.
Published: Mar 13, 2026 License: MIT Imports: 13 Imported by: 0

Documentation

Overview

Package vulncheck runs govulncheck on registered anvils and creates beads for discovered vulnerabilities.

It can run as a background daemon goroutine (scheduled scanning) or be invoked on-demand via the "forge scan" CLI subcommand.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Finding

type Finding struct {
	OSV   string `json:"osv"`
	Trace []struct {
		Module  string `json:"module"`
		Version string `json:"version"`
		Package string `json:"package"`
	} `json:"trace"`
}

Finding groups a vulnerability with its call stacks for govulncheck v1 JSON.

type ParsedVuln

type ParsedVuln struct {
	ID          string   // e.g. "GO-2024-1234"
	CVEs        []string // extracted CVE IDs
	Summary     string
	Details     string
	Severity    string // "CRITICAL", "HIGH", "MEDIUM", "LOW"
	AffectedPkg string // module path
	FixedIn     string // version that fixes it
	Symbols     []string
}

ParsedVuln is a processed vulnerability ready for bead creation.
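The step the two types above describe, turning govulncheck's v1 JSON stream into one record per vulnerability, as an added example that is not the vulncheck package's own code. The sample stream is constructed, and the field subset (osv, finding, trace, fixed_version, aliases) is assumed from the shape of the v1 format; the vuln struct, the Called flag and the assumption that trace[0] is the vulnerable frame are this example's choices, not the page's ParsedVuln or Finding.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Constructed sample of `govulncheck -json` output (stream of JSON objects, one of
// config/progress/osv/finding each); layout assumed from the v1 format, trimmed.
const sampleStream = `{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"osv":{"id":"GO-2024-0001","aliases":["CVE-2024-11111","GHSA-xxxx-yyyy-zzzz"],"summary":"Example summary"}}
{"finding":{"osv":"GO-2024-0001","fixed_version":"v1.2.3","trace":[{"module":"example.com/vuln","version":"v1.2.0"}]}}
{"finding":{"osv":"GO-2024-0001","fixed_version":"v1.2.3","trace":[{"module":"example.com/vuln","version":"v1.2.0","package":"example.com/vuln/pkg","function":"Parse"},{"module":"example.com/app","package":"example.com/app","function":"main"}]}}
{"osv":{"id":"GO-2024-0002","aliases":["CVE-2024-22222"],"summary":"Imported but never called"}}
{"finding":{"osv":"GO-2024-0002","fixed_version":"v0.9.0","trace":[{"module":"example.com/other","version":"v0.8.0","package":"example.com/other"}]}}
`

// Subset of the v1 stream read below; a message holds one stream object
// (config and progress entries leave both pointers nil).
type frame struct {
	Module   string `json:"module"`
	Function string `json:"function"`
}
type finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []frame `json:"trace"`
}
type osvRecord struct {
	ID      string   `json:"id"`
	Aliases []string `json:"aliases"`
	Summary string   `json:"summary"`
}
type message struct {
	OSV     *osvRecord `json:"osv"`
	Finding *finding   `json:"finding"`
}

// vuln stands in for the page's ParsedVuln. Called records whether any trace
// reached a function; a module-only trace means no known sink is reachable.
type vuln struct {
	ID, Summary, AffectedPkg, FixedIn string
	CVEs, Symbols                     []string
	Called                            bool
}

// parseStream decodes the stream with json.Decoder (objects may span lines)
// and groups findings by OSV ID. Assumed: trace[0] is the vulnerable frame.
func parseStream(r io.Reader) ([]vuln, error) {
	dec := json.NewDecoder(r)
	osvs := map[string]osvRecord{}
	byID := map[string]*vuln{}
	seen := map[string]bool{} // (OSV, symbol) pairs already recorded
	var order []string        // first-seen order keeps output deterministic
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, fmt.Errorf("decode govulncheck stream: %w", err)
		}
		switch {
		case m.OSV != nil:
			osvs[m.OSV.ID] = *m.OSV
		case m.Finding != nil && len(m.Finding.Trace) > 0:
			f, sink := m.Finding, m.Finding.Trace[0]
			v, ok := byID[f.OSV]
			if !ok {
				v = &vuln{ID: f.OSV, FixedIn: f.FixedVersion, AffectedPkg: sink.Module}
				byID[f.OSV] = v
				order = append(order, f.OSV)
			}
			if key := f.OSV + "\x00" + sink.Function; sink.Function != "" && !seen[key] {
				seen[key], v.Called = true, true
				v.Symbols = append(v.Symbols, sink.Function)
			}
		}
	}
	out := make([]vuln, 0, len(order))
	for _, id := range order {
		v := byID[id]
		v.Summary = osvs[id].Summary // zero value if the OSV entry is missing
		for _, a := range osvs[id].Aliases {
			if strings.HasPrefix(a, "CVE-") {
				v.CVEs = append(v.CVEs, a)
			}
		}
		out = append(out, *v)
	}
	return out, nil
}

func main() {
	vulns, err := parseStream(strings.NewReader(sampleStream))
	fmt.Printf("%+v\nerr=%v\n", vulns, err)
}
```

The Called flag is the practical distinction: govulncheck emits module-level findings for any vulnerable module in the build list, but only a trace that reaches a function shows the binary can actually hit the vulnerable symbol, so a bead created for an uncalled module carries a different priority from one with a call stack.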

type ScanResult

type ScanResult struct {
	Anvil   string
	Path    string
	Vulns   []ParsedVuln
	Err     error
	Scanned time.Time
}

ScanResult holds the outcome of scanning a single anvil.

func (ScanResult) MarshalJSON

func (sr ScanResult) MarshalJSON() ([]byte, error)

MarshalJSON provides a custom JSON encoding for ScanResult that renders Err as a string field, so that JSON output includes a meaningful error message.
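Why the custom encoder matters, as an added example rather than the package's own implementation: an error stored in an interface field has no exported fields, so encoding/json renders it as {} and the failure message disappears from any JSON consumer. The struct below mirrors ScanResult with Vulns reduced to OSV IDs; the JSON field names are this example's choice, since the page does not show them.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// scanResult mirrors the page's ScanResult, with Vulns reduced to OSV IDs.
// The JSON field names are this example's choice; the page does not show them.
type scanResult struct {
	Anvil   string
	Path    string
	Vulns   []string
	Err     error
	Scanned time.Time
}

// MarshalJSON renders Err as its message. Without it, encoding/json sees an
// interface holding a *errors.errorString with no exported fields and emits
// {}, so a failed scan becomes indistinguishable from a clean one downstream.
func (sr scanResult) MarshalJSON() ([]byte, error) {
	type wire struct {
		Anvil   string    `json:"anvil"`
		Path    string    `json:"path"`
		Vulns   []string  `json:"vulns"`
		Err     string    `json:"err,omitempty"`
		Scanned time.Time `json:"scanned"`
	}
	w := wire{Anvil: sr.Anvil, Path: sr.Path, Vulns: sr.Vulns, Scanned: sr.Scanned}
	if sr.Err != nil {
		w.Err = sr.Err.Error()
	}
	return json.Marshal(w)
}

// naiveResult has the same Err field but no MarshalJSON, for comparison.
type naiveResult struct {
	Anvil string
	Err   error
}

// encode returns the JSON text for v, or the marshal error's message.
func encode(v interface{}) string {
	b, err := json.Marshal(v)
	if err != nil {
		return err.Error()
	}
	return string(b)
}

func main() {
	ts := time.Date(2026, 3, 13, 12, 0, 0, 0, time.UTC) // constructed timestamp
	scanErr := errors.New("govulncheck: exit status 2")
	fmt.Println(encode(naiveResult{Anvil: "worker", Err: scanErr})) // {"Anvil":"worker","Err":{}}
	fmt.Println(encode(scanResult{Anvil: "worker", Path: "/srv/worker", Err: scanErr, Scanned: ts}))
	fmt.Println(encode(scanResult{Anvil: "api", Path: "/srv/api", Vulns: []string{"GO-2024-0001"}, Scanned: ts}))
}
```

The value receiver matters: with a pointer receiver, json.Marshal on a non-addressable scanResult (for example an element of a []scanResult passed by value) would fall back to the default encoding and lose the message again.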

type Scanner

type Scanner struct {
	// contains filtered or unexported fields
}

Scanner runs govulncheck on anvils.

func New

func New(db *state.DB, logger *slog.Logger, anvils map[string]config.AnvilConfig, timeout time.Duration) *Scanner

New creates a Scanner. timeout caps each govulncheck subprocess; pass 0 to use the default of 10 minutes. The binary is resolved once at construction; if govulncheck is not installed, a single warning is logged and the scanner is marked unavailable (ScanAll returns immediately, RunScheduled is a no-op).

func (*Scanner) Available

func (s *Scanner) Available() bool

Available reports whether govulncheck was found at construction time.

func (*Scanner) CreateBeads

func (s *Scanner) CreateBeads(ctx context.Context, results []ScanResult) (int, error)

CreateBeads creates bead issues for discovered vulnerabilities via `bd create`.

func (*Scanner) RunScheduled

func (s *Scanner) RunScheduled(ctx context.Context, interval time.Duration)

RunScheduled is a blocking loop that runs scans on a configurable interval. It should be launched as a goroutine alongside bellows. If govulncheck is not installed, the loop exits immediately (a warning was logged at construction).

func (*Scanner) ScanAll

func (s *Scanner) ScanAll(ctx context.Context) []ScanResult

ScanAll runs govulncheck on all Go-based anvils and returns results. If govulncheck was not found at construction time, it returns a single error result without logging an event (the warning was already emitted once).
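The lifecycle that New, Available, ScanAll and RunScheduled describe (resolve the binary once, warn once, cap every subprocess with a deadline, loop on a ticker until the context ends), as an added example and not the package's own code. The scanner type here is a stand-in: anvils is a plain name-to-directory map because config.AnvilConfig is not shown on the page, the bin and args parameters are hypothetical knobs so the timeout path can be exercised with any command, and log.Printf replaces the page's slog logger.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"log"
	"os/exec"
	"time"
)

// scanner stands in for the page's Scanner. anvils maps a name to a module
// directory (config.AnvilConfig is not shown on the page); bin and args are
// hypothetical knobs so the timeout path can be exercised without govulncheck.
type scanner struct {
	bin     string // absolute path resolved once; "" when not installed
	args    []string
	timeout time.Duration
	anvils  map[string]string
}

type scanResult struct {
	Anvil   string
	Path    string
	Output  []byte // raw -json stream, parsed elsewhere
	Err     error
	Scanned time.Time
}

// newScanner resolves bin once and logs a single warning if it is missing, so
// later calls stay quiet. timeout 0 selects the page's 10 minute default.
func newScanner(bin string, args []string, anvils map[string]string, timeout time.Duration) *scanner {
	if timeout <= 0 {
		timeout = 10 * time.Minute
	}
	s := &scanner{args: args, timeout: timeout, anvils: anvils}
	if p, err := exec.LookPath(bin); err != nil {
		log.Printf("warning: %s not found, vulnerability scanning disabled: %v", bin, err)
	} else {
		s.bin = p
	}
	return s
}

func (s *scanner) Available() bool { return s.bin != "" }

// ScanAll scans every anvil. When the binary is missing it returns a single
// error result without logging again.
func (s *scanner) ScanAll(ctx context.Context) []scanResult {
	if !s.Available() {
		return []scanResult{{Err: errors.New("govulncheck is not installed"), Scanned: time.Now()}}
	}
	results := make([]scanResult, 0, len(s.anvils))
	for name, dir := range s.anvils {
		results = append(results, s.scanOne(ctx, name, dir))
	}
	return results
}

// scanOne caps the subprocess with a per-scan deadline: CommandContext kills
// the process once it passes, and the error is reported as a timeout.
func (s *scanner) scanOne(ctx context.Context, name, dir string) scanResult {
	ctx, cancel := context.WithTimeout(ctx, s.timeout)
	defer cancel()
	cmd := exec.CommandContext(ctx, s.bin, s.args...)
	cmd.Dir = dir
	out, err := cmd.Output()
	if errors.Is(ctx.Err(), context.DeadlineExceeded) {
		err = fmt.Errorf("govulncheck timed out after %s", s.timeout)
	} else if err != nil {
		err = fmt.Errorf("govulncheck failed: %w", err)
	}
	return scanResult{Anvil: name, Path: dir, Output: out, Err: err, Scanned: time.Now()}
}

// RunScheduled scans immediately and then on every tick until ctx is done,
// passing each batch to handle. It returns at once when the binary is missing.
func (s *scanner) RunScheduled(ctx context.Context, interval time.Duration, handle func([]scanResult)) {
	if !s.Available() {
		return
	}
	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	for {
		handle(s.ScanAll(ctx))
		select {
		case <-ctx.Done():
			return
		case <-ticker.C:
		}
	}
}

func main() {
	s := newScanner("govulncheck", []string{"-json", "./..."}, map[string]string{"api": "."}, 0)
	for _, r := range s.ScanAll(context.Background()) {
		fmt.Printf("%s: %d bytes of JSON, err=%v\n", r.Anvil, len(r.Output), r.Err)
	}
}
```

Two details worth keeping when adapting this: the deadline is derived from the caller's ctx, so cancelling the daemon also kills an in-flight govulncheck instead of leaving it to run to completion, and the timeout is reported explicitly because the bare error the exec package returns for a killed child ("signal: killed") says nothing about why.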
