Documentation
Overview
Package govulncheck provides an experimental govulncheck API.
Index
- Variables
- func AbsRelShorter(path string) string
- func FuncName(fn *vulncheck.FuncNode) string
- func FuncPos(call *vulncheck.CallSite) string
- func LatestFixed(modulePath string, as []osv.Affected) string
- func LoadPackages(cfg *packages.Config, patterns ...string) ([]*vulncheck.Package, error)
- func NewInMemoryCache(underlying vulnc.Cache) *inMemoryCache
- func PkgPath(fn *vulncheck.FuncNode) string
- func SummarizeCallStack(cs vulncheck.CallStack, topPkgs map[string]bool, vulnPkg string) string
- type AnalysisMode
- type CallInfo
- type CallStack
- type Config
- type Module
- type Package
- type PackageError
- type Result
- type StackFrame
- type Vuln
Constants
This section is empty.
Variables
var (
	// Source reports vulnerabilities that affect the analyzed packages.
	Source = govulncheck.Source
	// DefaultCache constructs a cache for a vulnerability database client.
	DefaultCache = govulncheck.DefaultCache
)
Functions
func AbsRelShorter added in v0.9.5
func AbsRelShorter(path string) string
AbsRelShorter takes path and returns its path relative to the current directory, if shorter. Returns path when path is an empty string or upon any error.
func LatestFixed
func LatestFixed(modulePath string, as []osv.Affected) string
LatestFixed returns the latest fixed version in the list of affected ranges, or the empty string if there are no fixed versions.
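The selection rule above, as an added example that is not part of the package's own code: it uses simplified stand-in types for the OSV affected-range records (field names after the OSV schema, an assumption, not the osv package the signature refers to) and a small numeric semver comparison so that "v1.10.0" correctly ranks above "v1.9.0", which a plain string comparison would get wrong. The advisory data in main is constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Stand-ins for the OSV affected-range records (assumption: names follow the
// OSV schema; the real osv package may differ).
type RangeEvent struct {
	Introduced string // version at which the vulnerability appears ("0" = from the start)
	Fixed      string // version at which it is fixed; empty if this event is not a fix
}

type Range struct {
	Type   string // only "SEMVER" ranges are compared here
	Events []RangeEvent
}

type Affected struct {
	ModulePath string
	Ranges     []Range
}

// parseSemver splits "vX.Y.Z" (pre-release/build suffixes dropped) into numbers.
// Malformed input yields ok=false so it can never be selected as a fix.
func parseSemver(v string) (parts [3]int, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	fields := strings.Split(v, ".")
	if len(fields) != 3 {
		return parts, false
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 {
			return parts, false
		}
		parts[i] = n
	}
	return parts, true
}

// compareSemver orders two well-formed versions numerically: -1, 0 or 1.
func compareSemver(a, b string) int {
	pa, _ := parseSemver(a)
	pb, _ := parseSemver(b)
	for i := 0; i < 3; i++ {
		switch {
		case pa[i] < pb[i]:
			return -1
		case pa[i] > pb[i]:
			return 1
		}
	}
	return 0
}

// LatestFixed walks every SEMVER range for modulePath and keeps the highest
// Fixed version it sees; "" means no fixed version is published for that module.
func LatestFixed(modulePath string, as []Affected) string {
	latest := ""
	for _, a := range as {
		if a.ModulePath != modulePath {
			continue // an advisory may list several modules; only ours matters
		}
		for _, r := range a.Ranges {
			if r.Type != "SEMVER" {
				continue
			}
			for _, e := range r.Events {
				if e.Fixed == "" {
					continue
				}
				if _, ok := parseSemver(e.Fixed); !ok {
					continue // skip unparsable versions rather than guess
				}
				if latest == "" || compareSemver(e.Fixed, latest) > 0 {
					latest = e.Fixed
				}
			}
		}
	}
	return latest
}

func main() {
	// Constructed advisory: two fixed releases on separate branches of one module.
	as := []Affected{{
		ModulePath: "example.com/mod",
		Ranges: []Range{{Type: "SEMVER", Events: []RangeEvent{
			{Introduced: "0", Fixed: "v1.9.0"},
			{Introduced: "v1.10.0-pre", Fixed: "v1.10.0"},
		}}},
	}}
	fmt.Println(LatestFixed("example.com/mod", as)) // v1.10.0
}
```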
func LoadPackages
func LoadPackages(cfg *packages.Config, patterns ...string) ([]*vulncheck.Package, error)
LoadPackages loads the packages matching patterns using cfg, after setting the cfg mode flags that vulncheck needs for analysis. If the packages contain errors, a PackageError is returned containing a list of the errors, along with the packages themselves.
func NewInMemoryCache added in v0.11.0
func NewInMemoryCache(underlying vulnc.Cache) *inMemoryCache
NewInMemoryCache returns a new memory-based cache that decorates the provided cache (file-based, perhaps).
func SummarizeCallStack
func SummarizeCallStack(cs vulncheck.CallStack, topPkgs map[string]bool, vulnPkg string) string
SummarizeCallStack returns a short description of the call stack. It uses one of two forms, depending on what the lowest function F in topPkgs calls:
- If it calls a function V from the vulnerable package, then SummarizeCallStack returns "F calls V".
- If it calls a function G in some other package, which eventually calls V, it returns "F calls G, which eventually calls V".
If it can't find any of these functions, SummarizeCallStack returns the empty string.
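The two-form rule above, implemented as an added example over a simplified call-stack type; this is illustration code, not the package's SummarizeCallStack, and the Frame/CallStack types, the "pkg.Func" rendering and the stacks in main are assumptions and constructed data (the real vulncheck types carry source positions and more).

```go
package main

import "fmt"

// Frame is a simplified stand-in for a vulncheck call-stack entry (assumption:
// only the package path and function name matter for the summary).
type Frame struct {
	PkgPath string // import path of the package containing the function
	Name    string // function name within that package
}

// CallStack runs from an entry point (index 0) down to the vulnerable function (last index).
type CallStack []Frame

// qualify renders a frame as "pkg.Func" (assumed rendering).
func qualify(f Frame) string { return f.PkgPath + "." + f.Name }

// Summarize finds the lowest (deepest) frame F whose package is in topPkgs and
// reports either "F calls V" or "F calls G, which eventually calls V", where V is
// the first frame below F that belongs to vulnPkg. It returns "" when F or V is absent.
func Summarize(cs CallStack, topPkgs map[string]bool, vulnPkg string) string {
	top := -1
	for i, f := range cs {
		if topPkgs[f.PkgPath] {
			top = i // keep overwriting: we want the deepest top-level frame
		}
	}
	if top < 0 || top+1 >= len(cs) {
		return "" // no top-level caller, or nothing is called below it
	}
	vuln := -1
	for i := top + 1; i < len(cs); i++ {
		if cs[i].PkgPath == vulnPkg {
			vuln = i
			break
		}
	}
	if vuln < 0 {
		return "" // the stack never reaches the vulnerable package
	}
	F, V := qualify(cs[top]), qualify(cs[vuln])
	if vuln == top+1 {
		return fmt.Sprintf("%s calls %s", F, V)
	}
	G := qualify(cs[top+1])
	return fmt.Sprintf("%s calls %s, which eventually calls %s", F, G, V)
}

func main() {
	// Constructed stacks; the module and package names are placeholders.
	topPkgs := map[string]bool{"example.com/app": true}
	indirect := CallStack{
		{"example.com/app", "main"},
		{"example.com/app", "handle"},
		{"example.com/helper", "Parse"},
		{"example.com/vulnlib", "Decode"},
	}
	fmt.Println(Summarize(indirect, topPkgs, "example.com/vulnlib"))
}
```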
Types
type AnalysisMode added in v0.11.0
type AnalysisMode string
const (
	ModeInvalid     AnalysisMode = "" // zero value
	ModeGovulncheck AnalysisMode = "govulncheck"
	ModeImports     AnalysisMode = "imports"
)
type CallInfo
type CallInfo struct {
// CallStacks contains all call stacks to vulnerable functions.
CallStacks map[*vulncheck.Vuln][]vulncheck.CallStack
// VulnGroups contains vulnerabilities grouped by ID and package.
VulnGroups [][]*vulncheck.Vuln
// ModuleVersions is a map of module paths to versions.
ModuleVersions map[string]string
// TopPackages contains the top-level packages in the call info.
TopPackages map[string]bool
}
CallInfo is information about calls to vulnerable functions.
type CallStack added in v0.11.0
type CallStack = govulncheck.CallStack
CallStacks contains a representative call stack for each vulnerable symbol that is called.
type Config added in v0.11.0
type Config = govulncheck.Config
Config is the configuration for Main.
type Module added in v0.11.0
type Module = govulncheck.Module
Module represents a specific vulnerability relevant to a single module or package.
type Package added in v0.11.0
type Package = govulncheck.Package
Package is a Go package with known vulnerable symbols.
type PackageError
A PackageError contains errors from loading a set of packages.
func (*PackageError) Error
func (e *PackageError) Error() string
type Result added in v0.11.0
type Result struct {
	// Vulns contains all vulnerabilities that are called or imported by
	// the analyzed module.
	Vulns []*Vuln
	// Mode contains the source of the vulnerability info.
	// Clients of the gopls.fetch_vulncheck_result command may need
	// to interpret the vulnerabilities differently based on the
	// analysis mode. For example, a Vuln without call stack traces
	// indicates a vulnerability that is not used if the result was
	// from the 'govulncheck' analysis mode. On the other hand, in the
	// 'imports' analysis mode a Vuln without call stack traces just
	// implies that the package with the vulnerability is known to the
	// workspace and we do not know whether the vulnerable symbols are
	// actually used or not.
	Mode AnalysisMode
}
Result is the result of vulnerability scanning.
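The mode-dependent interpretation described in the Mode comment, written out as an added example of what a client of the result must do; it is not code from gopls, and the Vuln stand-in (assumed to expose an OSV id and its call stacks) and the results built in main are assumptions and constructed data. The point it makes explicit: an empty call-stack list is only evidence of "not called" under ModeGovulncheck, so a client must not downgrade imports-mode findings on that basis.

```go
package main

import "fmt"

type AnalysisMode string

const (
	ModeInvalid     AnalysisMode = "" // zero value
	ModeGovulncheck AnalysisMode = "govulncheck"
	ModeImports     AnalysisMode = "imports"
)

// Vuln is a stand-in for the page's Vuln type (assumption: it carries the OSV
// id and one call stack per vulnerable symbol that was found to be called).
type Vuln struct {
	OSVID      string
	CallStacks []string // empty when no call to a vulnerable symbol was found
}

type Result struct {
	Vulns []*Vuln
	Mode  AnalysisMode
}

// Usage is the client-side reading of one Vuln in the light of the result's Mode.
type Usage int

const (
	UsageUnknown   Usage = iota // imports mode: module present, symbol usage undetermined
	UsageCalled                 // a call stack reaches a vulnerable symbol
	UsageNotCalled              // govulncheck mode found no path to any vulnerable symbol
)

func (u Usage) String() string {
	return [...]string{"unknown", "called", "not called"}[u]
}

// Classify applies the rule from the Mode comment. An unknown mode is an error
// rather than a silent "not called", since that would hide real findings.
func Classify(mode AnalysisMode, v *Vuln) (Usage, error) {
	if len(v.CallStacks) > 0 {
		return UsageCalled, nil
	}
	switch mode {
	case ModeGovulncheck:
		return UsageNotCalled, nil
	case ModeImports:
		return UsageUnknown, nil
	default:
		return UsageUnknown, fmt.Errorf("%s: cannot interpret result with analysis mode %q", v.OSVID, mode)
	}
}

// ActionItems returns the ids a client should surface: everything that is
// called, plus everything whose usage is unknown because only imports were scanned.
func ActionItems(r Result) ([]string, error) {
	var ids []string
	for _, v := range r.Vulns {
		u, err := Classify(r.Mode, v)
		if err != nil {
			return nil, err
		}
		if u == UsageCalled || u == UsageUnknown {
			ids = append(ids, v.OSVID)
		}
	}
	return ids, nil
}

func main() {
	// Constructed result; the ids are placeholders, not real advisories.
	r := Result{Mode: ModeImports, Vulns: []*Vuln{{OSVID: "GO-EXAMPLE-0001"}}}
	ids, _ := ActionItems(r)
	fmt.Println(ids) // [GO-EXAMPLE-0001]: imports mode cannot prove the symbol is unused
}
```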
type StackFrame added in v0.11.0
type StackFrame = govulncheck.StackFrame
StackFrame represents a call stack entry.