vulncheck/vulncheck.go - exp - Git at Google

 // Copyright 2021 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

 // Package vulncheck detects uses of known vulnerabilities
 // in Go binaries and source code.
 package vulncheck

 import (
 	"go/token"

 	"golang.org/x/vulndb/client"
 	"golang.org/x/vulndb/osv"
 )

 // Config is used for configuring vulncheck algorithms.
 type Config struct {
 	// ImportsOnly flag, if true, signals vulncheck to analyze import chains only.
 	// Otherwise, call chains are analyzed too.
 	ImportsOnly bool
 	// Client is used for querying data from a vulnerability database.
 	Client client.Client
 }

 // Result contains information on which vulnerabilities are potentially affecting
 // user code and how are they affecting it via call graph, package imports graph,
 // and module requires graph.
 type Result struct {
 	// Calls is a call graph whose roots are program entry functions/methods and
 	// sinks are vulnerable functions/methods. Empty when Config.ImportsOnly=true
 	// or when no vulnerable symbols are reachable via program call graph.
 	Calls *CallGraph
 	// Imports is a package dependency graph whose roots are entry user packages
 	// and sinks are the packages with some vulnerable symbols. Empty when no
 	// packages with some vulnerabilities are imported in the program.
 	Imports *ImportGraph
 	// Requires is a module dependency graph whose roots are entry user modules
 	// and sinks are modules with some vulnerable packages. Empty when no modules
 	// with some vulnerabilities are required by the program.
 	Requires *RequireGraph

 	// Vulns contains information on detected vulnerabilities and their place in
 	// the above graphs. Only vulnerabilities whose symbols are reachable in Calls,
 	// or whose packages are imported in Imports, or whose modules are required in
 	// Requires, have an entry in Vulns.
 	Vulns []*Vuln
 }

 // Vuln provides information on how a vulnerability is affecting user code by
 // connecting it to the Result.{Calls,Imports,Requires} graphs. Vulnerabilities
 // detected in Go binaries do not have a place in the Result graphs.
 type Vuln struct {
 	// The next four fields identify a vulnerability. Note that *osv.Entry
 	// describes potentially multiple symbols from multiple packages.

 	// OSV contains information on detected vulnerability in the shared
 	// vulnerability format.
 	OSV *osv.Entry
 	// Symbol is the name of the detected vulnerable function or method.
 	Symbol string
 	// PkgPath is the package path of the detected Symbol.
 	PkgPath string
 	// ModPath is the module path corresponding to PkgPath.
 	ModPath string

 	// CallSink is the ID of the sink node in Calls graph corresponding to
 	// the use of Symbol. ID is not available (denoted with 0) in binary mode,
 	// or if Symbol is not reachable, or if Config.ImportsOnly=true.
 	CallSink int
 	// ImportSink is the ID of the sink node in the Imports graph corresponding
 	// to the import of PkgPath. ID is not available (denoted with 0) in binary
 	// mode or if PkgPath is not imported.
 	ImportSink int
 	// RequireSink is the ID of the sink node in Requires graph corresponding
 	// to the require statement of ModPath. ID is not available (denoted with 0)
 	// in binary mode.
 	RequireSink int
 }

 // CallGraph whose sinks are vulnerable functions and sources are entry points of user
 // packages. CallGraph is backwards directed, i.e., from a function node to the place
 // where the function is called.
 type CallGraph struct {
 	// Funcs contains all call graph nodes as a map: func node id -> func node.
 	Funcs map[int]*FuncNode
 	// Entries are a subset of Funcs representing vulncheck entry points.
 	Entries []*FuncNode
 }

 type FuncNode struct {
 	ID   int
 	Name string
 	// RecvType is the receiver object type of this function, if any.
 	RecvType string
 	PkgPath  string
 	Pos      *token.Position
 	// CallSites is a set of call sites where this function is called.
 	CallSites []*CallSite
 }

 type CallSite struct {
 	// Parent is ID of the enclosing function where the call is made.
 	Parent int
 	// Name stands for the name of the function (variable) being called.
 	Name string
 	// RecvType is the full path of the receiver object type, if any.
 	RecvType string
 	Pos      *token.Position
 	// Resolved indicates if the called function can be statically resolved.
 	Resolved bool
 }

 // RequireGraph models part of module requires graph where sinks are modules with
 // some known vulnerabilities and sources are modules of user entry packages.
 // RequireGraph is backwards directed, i.e., from a module to the set of modules
 // it is required by.
 type RequireGraph struct {
 	// Modules contains all module nodes as a map: module node id -> module node.
 	Modules map[int]*ModNode
 	// Entries are a subset of Modules representing modules of vulncheck entry points.
 	Entries []*ModNode
 }

 type ModNode struct {
 	Path    string
 	Version string
 	Replace *ModNode
 	// RequiredBy contains IDs of the modules requiring this module.
 	RequiredBy []int
 }

 // ImportGraph models part of package import graph where sinks are packages with
 // some known vulnerabilities and sources are user specified packages. The graph
 // is backwards directed, i.e., from a package to the set of packages importing it.
 type ImportGraph struct {
 	// Packages contains all package nodes as a map: package node id -> package node.
 	Packages map[int]*PkgNode
 	// Entries are a subset of Packages representing packages of vulncheck entry points.
 	Entries []*PkgNode
 }

 type PkgNode struct {
 	// Name is the package identifier as it appears in the source code.
 	Name string
 	Path string
 	// Module holds ID of the corresponding module (node) in Requires graph.
 	Module int
 	// ImportedBy contains IDs of packages directly importing this package.
 	ImportedBy []int
 }
	// Copyright 2021 The Go Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style
	// license that can be found in the LICENSE file.

	// Package vulncheck detects uses of known vulnerabilities
	// in Go binaries and source code.
	package vulncheck

	import (
	"go/token"

	"golang.org/x/vulndb/client"
	"golang.org/x/vulndb/osv"
	)

	// Config is used for configuring vulncheck algorithms.
	type Config struct {
	// ImportsOnly flag, if true, signals vulncheck to analyze import chains only.
	// Otherwise, call chains are analyzed too.
	ImportsOnly bool
	// Client is used for querying data from a vulnerability database.
	Client client.Client
	}

	// Result contains information on which vulnerabilities are potentially affecting
	// user code and how are they affecting it via call graph, package imports graph,
	// and module requires graph.
	type Result struct {
	// Calls is a call graph whose roots are program entry functions/methods and
	// sinks are vulnerable functions/methods. Empty when Config.ImportsOnly=true
	// or when no vulnerable symbols are reachable via program call graph.
	Calls *CallGraph
	// Imports is a package dependency graph whose roots are entry user packages
	// and sinks are the packages with some vulnerable symbols. Empty when no
	// packages with some vulnerabilities are imported in the program.
	Imports *ImportGraph
	// Requires is a module dependency graph whose roots are entry user modules
	// and sinks are modules with some vulnerable packages. Empty when no modules
	// with some vulnerabilities are required by the program.
	Requires *RequireGraph

	// Vulns contains information on detected vulnerabilities and their place in
	// the above graphs. Only vulnerabilities whose symbols are reachable in Calls,
	// or whose packages are imported in Imports, or whose modules are required in
	// Requires, have an entry in Vulns.
	Vulns []*Vuln
	}

	// Vuln provides information on how a vulnerability is affecting user code by
	// connecting it to the Result.{Calls,Imports,Requires} graphs. Vulnerabilities
	// detected in Go binaries do not have a place in the Result graphs.
	type Vuln struct {
	// The next four fields identify a vulnerability. Note that *osv.Entry
	// describes potentially multiple symbols from multiple packages.

	// OSV contains information on detected vulnerability in the shared
	// vulnerability format.
	OSV *osv.Entry
	// Symbol is the name of the detected vulnerable function or method.
	Symbol string
	// PkgPath is the package path of the detected Symbol.
	PkgPath string
	// ModPath is the module path corresponding to PkgPath.
	ModPath string

	// CallSink is the ID of the sink node in Calls graph corresponding to
	// the use of Symbol. ID is not available (denoted with 0) in binary mode,
	// or if Symbol is not reachable, or if Config.ImportsOnly=true.
	CallSink int
	// ImportSink is the ID of the sink node in the Imports graph corresponding
	// to the import of PkgPath. ID is not available (denoted with 0) in binary
	// mode or if PkgPath is not imported.
	ImportSink int
	// RequireSink is the ID of the sink node in Requires graph corresponding
	// to the require statement of ModPath. ID is not available (denoted with 0)
	// in binary mode.
	RequireSink int
	}

	// CallGraph whose sinks are vulnerable functions and sources are entry points of user
	// packages. CallGraph is backwards directed, i.e., from a function node to the place
	// where the function is called.
	type CallGraph struct {
	// Funcs contains all call graph nodes as a map: func node id -> func node.
	Funcs map[int]*FuncNode
	// Entries are a subset of Funcs representing vulncheck entry points.
	Entries []*FuncNode
	}

	type FuncNode struct {
	ID int
	Name string
	// RecvType is the receiver object type of this function, if any.
	RecvType string
	PkgPath string
	Pos *token.Position
	// CallSites is a set of call sites where this function is called.
	CallSites []*CallSite
	}

	type CallSite struct {
	// Parent is ID of the enclosing function where the call is made.
	Parent int
	// Name stands for the name of the function (variable) being called.
	Name string
	// RecvType is the full path of the receiver object type, if any.
	RecvType string
	Pos *token.Position
	// Resolved indicates if the called function can be statically resolved.
	Resolved bool
	}

	// RequireGraph models part of module requires graph where sinks are modules with
	// some known vulnerabilities and sources are modules of user entry packages.
	// RequireGraph is backwards directed, i.e., from a module to the set of modules
	// it is required by.
	type RequireGraph struct {
	// Modules contains all module nodes as a map: module node id -> module node.
	Modules map[int]*ModNode
	// Entries are a subset of Modules representing modules of vulncheck entry points.
	Entries []*ModNode
	}

	type ModNode struct {
	Path string
	Version string
	Replace *ModNode
	// RequiredBy contains IDs of the modules requiring this module.
	RequiredBy []int
	}

	// ImportGraph models part of package import graph where sinks are packages with
	// some known vulnerabilities and sources are user specified packages. The graph
	// is backwards directed, i.e., from a package to the set of packages importing it.
	type ImportGraph struct {
	// Packages contains all package nodes as a map: package node id -> package node.
	Packages map[int]*PkgNode
	// Entries are a subset of Packages representing packages of vulncheck entry points.
	Entries []*PkgNode
	}

	type PkgNode struct {
	// Name is the package identifier as it appears in the source code.
	Name string
	Path string
	// Module holds ID of the corresponding module (node) in Requires graph.
	Module int
	// ImportedBy contains IDs of packages directly importing this package.
	ImportedBy []int
	}