vulndb/internal/audit/vulnerability.go - exp - Git at Google

 // Copyright 2021 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

 package audit

 import (
 	"go/build"
 	"os"
 	"path/filepath"
 	"strings"

 	"golang.org/x/tools/go/packages"
 	"golang.org/x/vulndb/client"
 )

 // FetchVulnerabilities fetches vulnerabilities that affect the supplied modules.
 func FetchVulnerabilities(client client.Client, modules []*packages.Module) (ModuleVulnerabilities, error) {
 	mv := ModuleVulnerabilities{}
 	for _, mod := range modules {
 		modPath := mod.Path
 		if mod.Replace != nil {
 			modPath = mod.Replace.Path
 		}

 		// skip loading vulns for local imports
 		if isLocal(mod) {
 			// TODO: what if client has its own db
 			// with local vulns?
 			continue
 		}
 		vulns, err := client.Get(modPath)
 		if err != nil {
 			return nil, err
 		}
 		if len(vulns) == 0 {
 			continue
 		}
 		mv = append(mv, modVulns{
 			mod:   mod,
 			vulns: vulns,
 		})
 	}
 	return mv, nil
 }

 func isLocal(mod *packages.Module) bool {
 	modDir := mod.Dir
 	if mod.Replace != nil {
 		modDir = mod.Replace.Dir
 	}
 	return !strings.HasPrefix(modDir, modCacheDirectory())
 }

 func modCacheDirectory() string {
 	var modCacheDir string
 	// TODO: define modCacheDir using cmd/go/internal/cfg.GOMODCACHE
 	if modCacheDir = os.Getenv("GOMODCACHE"); modCacheDir == "" {
 		if modCacheDir = os.Getenv("GOPATH"); modCacheDir == "" {
 			modCacheDir = build.Default.GOPATH
 		}
 		modCacheDir = filepath.Join(modCacheDir, "pkg", "mod")
 	}
 	return modCacheDir
 }
	// Copyright 2021 The Go Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style
	// license that can be found in the LICENSE file.

	package audit

	import (
	"go/build"
	"os"
	"path/filepath"
	"strings"

	"golang.org/x/tools/go/packages"
	"golang.org/x/vulndb/client"
	)

	// FetchVulnerabilities fetches vulnerabilities that affect the supplied modules.
	func FetchVulnerabilities(client client.Client, modules []*packages.Module) (ModuleVulnerabilities, error) {
	mv := ModuleVulnerabilities{}
	for _, mod := range modules {
	modPath := mod.Path
	if mod.Replace != nil {
	modPath = mod.Replace.Path
	}

	// skip loading vulns for local imports
	if isLocal(mod) {
	// TODO: what if client has its own db
	// with local vulns?
	continue
	}
	vulns, err := client.Get(modPath)
	if err != nil {
	return nil, err
	}
	if len(vulns) == 0 {
	continue
	}
	mv = append(mv, modVulns{
	mod: mod,
	vulns: vulns,
	})
	}
	return mv, nil
	}

	func isLocal(mod *packages.Module) bool {
	modDir := mod.Dir
	if mod.Replace != nil {
	modDir = mod.Replace.Dir
	}
	return !strings.HasPrefix(modDir, modCacheDirectory())
	}

	func modCacheDirectory() string {
	var modCacheDir string
	// TODO: define modCacheDir using cmd/go/internal/cfg.GOMODCACHE
	if modCacheDir = os.Getenv("GOMODCACHE"); modCacheDir == "" {
	if modCacheDir = os.Getenv("GOPATH"); modCacheDir == "" {
	modCacheDir = build.Default.GOPATH
	}
	modCacheDir = filepath.Join(modCacheDir, "pkg", "mod")
	}
	return modCacheDir
	}