Documentation
¶
Overview ¶
Package govulncheck implements a reachability analyzer for Go modules backed by govulncheck (https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck).
The runner is backed by the vendored golang.org/x/vuln/scan library and runs the analysis in-process so users never need a govulncheck binary on PATH. The Runner interface is preserved (rather than calling scan.Source directly from the analyzer) so unit tests can inject a fake runner for deterministic behavior.
Index ¶
Constants ¶
const Name = "govulncheck"
Name is the analyzer's stable identifier (used in selectors and output).
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Analyzer ¶
type Analyzer struct {
// Runner is the underlying govulncheck driver. Defaults to
// NewRunner(Logger) when nil.
Runner Runner
Logger *zap.Logger
// CacheDir overrides the default per-module result cache location.
// Empty means "use the OS user cache directory under bomly/analyzers/govulncheck".
CacheDir string
// CacheTTL overrides the default 24h cache lifetime. Zero means use
// the default. Negative values are treated as "no cache" (the cache
// helper coerces them to default; explicit disable is via DisableCache).
CacheTTL time.Duration
// DisableCache turns off the on-disk result cache entirely. Useful in
// CI smoke runs where freshness matters more than speed.
DisableCache bool
}
Analyzer is a Go reachability analyzer backed by govulncheck.
It groups Go packages in the input graph by module root, runs the configured Runner once per module, and annotates each registry vulnerability on Go packages with a Reachability result.
func (Analyzer) Analyze ¶
func (a Analyzer) Analyze(ctx context.Context, req model.AnalyzeRequest) (model.AnalyzeResult, error)
Analyze runs govulncheck per Go module root and writes Reachability onto every Go registry vulnerability in the graph. Errors degrade to Status=Unknown with a stable Reason — the engine relies on this to keep the pipeline running.
func (Analyzer) Applicable ¶
Applicable reports whether the request graph contains at least one Go package with attached vulnerabilities. Without vulnerabilities to annotate, the analyzer would do work without producing output.
func (Analyzer) Descriptor ¶
func (a Analyzer) Descriptor() model.AnalyzerDescriptor
Descriptor returns the registration metadata for the govulncheck analyzer.
type Finding ¶
type Finding struct {
OSV string
Aliases []string
FixedIn string
Modules []string
Symbols []model.AffectedSymbol
CallPaths []model.CallPath
ImportedBy bool // app source imports the affected module/package
CalledBy bool // app source calls into an affected symbol
}
Finding captures one vulnerability govulncheck found in the module (or determined to be present-but-unreachable). Each entry collapses every "trace" govulncheck emitted for the same OSV ID.
type Runner ¶
type Runner interface {
// Name returns a stable identifier (e.g. "library") for telemetry and
// Reason fields.
Name() string
// Run executes govulncheck rooted at moduleDir and returns the parsed
// findings. moduleDir must contain a go.mod file.
Run(ctx context.Context, moduleDir string) (RunnerResult, error)
}
Runner executes govulncheck against one Go module root and returns the findings. Implementations must NEVER panic and should map missing toolchains, build failures, and other recoverable conditions to a (RunnerResult, error) pair where the error is descriptive but does not abort the pipeline.
type RunnerResult ¶
type RunnerResult struct {
// Findings keyed by canonical OSV ID (e.g. "GO-2023-2049").
Findings map[string]Finding
// ImportedModules is the set of module paths the application
// transitively imports, keyed by module path. Used to distinguish
// package-level reachability ("imported but no symbol called") from
// "not imported at all".
ImportedModules map[string]struct{}
}
RunnerResult is the parsed govulncheck output shape consumed by the analyzer. Findings are grouped by OSV ID; aliases include CVE/GHSA identifiers when govulncheck supplies them.