govulncheck

package
v0.14.17 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 25, 2026 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Overview

Package govulncheck implements a reachability analyzer for Go modules backed by govulncheck (https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck).

The runner is backed by the vendored golang.org/x/vuln/scan library and runs the analysis in-process so users never need a govulncheck binary on PATH. The Runner interface is preserved (rather than calling scan.Source directly from the analyzer) so unit tests can inject a fake runner for deterministic behavior.

Index

Constants

View Source
const Name = "govulncheck"

Name is the analyzer's stable identifier (used in selectors and output).

Variables

This section is empty.

Functions

This section is empty.

Types

type Analyzer

type Analyzer struct {
	// Runner is the underlying govulncheck driver. Defaults to
	// NewRunner(Logger) when nil.
	Runner Runner
	Logger *zap.Logger
	// CacheDir overrides the default per-module result cache location.
	// Empty means "use the OS user cache directory under bomly/analyzers/govulncheck".
	CacheDir string
	// CacheTTL overrides the default 24h cache lifetime. Zero means use
	// the default. Negative values are treated as "no cache" (the cache
	// helper coerces them to default; explicit disable is via DisableCache).
	CacheTTL time.Duration
	// DisableCache turns off the on-disk result cache entirely. Useful in
	// CI smoke runs where freshness matters more than speed.
	DisableCache bool
}

Analyzer is a Go reachability analyzer backed by govulncheck.

It groups Go packages in the input graph by module root, runs the configured Runner once per module, and annotates each registry vulnerability on Go packages with a Reachability result.

func (Analyzer) Analyze

Analyze runs govulncheck per Go module root and writes Reachability onto every Go registry vulnerability in the graph. Errors degrade to Status=Unknown with a stable Reason — the engine relies on this to keep the pipeline running.

func (Analyzer) Applicable

func (a Analyzer) Applicable(_ context.Context, req model.AnalyzeRequest) (bool, error)

Applicable reports whether the request graph contains at least one Go package with attached vulnerabilities. Without vulnerabilities to annotate, the analyzer would do work without producing output.

func (Analyzer) Descriptor

func (a Analyzer) Descriptor() model.AnalyzerDescriptor

Descriptor returns the registration metadata for the govulncheck analyzer.

func (Analyzer) Ready

func (a Analyzer) Ready() bool

Ready reports whether the analyzer is callable. Always true; the runner surfaces missing-toolchain errors at Run time as Status=Unknown rather than blocking applicability.

type Finding

type Finding struct {
	OSV        string
	Aliases    []string
	FixedIn    string
	Modules    []string
	Symbols    []model.AffectedSymbol
	CallPaths  []model.CallPath
	ImportedBy bool // app source imports the affected module/package
	CalledBy   bool // app source calls into an affected symbol
}

Finding captures one vulnerability govulncheck found in the module (or determined to be present-but-unreachable). Each entry collapses every "trace" govulncheck emitted for the same OSV ID.

type Runner

type Runner interface {
	// Name returns a stable identifier (e.g. "library") for telemetry and
	// Reason fields.
	Name() string
	// Run executes govulncheck rooted at moduleDir and returns the parsed
	// findings. moduleDir must contain a go.mod file.
	Run(ctx context.Context, moduleDir string) (RunnerResult, error)
}

Runner executes govulncheck against one Go module root and returns the findings. Implementations must NEVER panic and should map missing toolchains, build failures, and other recoverable conditions to a (RunnerResult, error) pair where the error is descriptive but does not abort the pipeline.

func NewRunner

func NewRunner(logger *zap.Logger) Runner

NewRunner returns the analyzer's Runner implementation, backed by the vendored golang.org/x/vuln/scan library. The runner executes govulncheck in-process and streams the same JSON output the CLI binary would emit, so users never need a govulncheck binary on PATH.

type RunnerResult

type RunnerResult struct {
	// Findings keyed by canonical OSV ID (e.g. "GO-2023-2049").
	Findings map[string]Finding
	// ImportedModules is the set of module paths the application
	// transitively imports, keyed by module path. Used to distinguish
	// package-level reachability ("imported but no symbol called") from
	// "not imported at all".
	ImportedModules map[string]struct{}
}

RunnerResult is the parsed govulncheck output shape consumed by the analyzer. Findings are grouped by OSV ID; aliases include CVE/GHSA identifiers when govulncheck supplies them.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL