| // Copyright 2021 The Go Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style |
| // license that can be found in the LICENSE file. |
| |
| package audit |
| |
| import ( |
| "golang.org/x/tools/go/packages" |
| "golang.org/x/vulndb/osv" |
| ) |
| |
| type dbClient interface { |
| Get([]string) ([]*osv.Entry, error) |
| } |
| |
| // FetchVulnerabilities fetches vulnerabilities that affect the supplied modules. |
| func FetchVulnerabilities(client dbClient, modules []*packages.Module) (ModuleVulnerabilities, error) { |
| mv := ModuleVulnerabilities{} |
| for _, mod := range modules { |
| modPath := mod.Path |
| modVersion := mod.Version |
| if mod.Replace != nil { |
| modPath = mod.Replace.Path |
| modVersion = mod.Replace.Version |
| } |
| vulns, err := client.Get([]string{modPath}) |
| if err != nil { |
| return nil, err |
| } |
| // TODO(rolandshoemaker): we may want to consider moving this functionality into |
| // ModuleVulnerabilities.Filter, consolidating the filtering logic in one place. |
| var filteredVulns []*osv.Entry |
| for _, v := range vulns { |
| if v.Affects.AffectsSemver(modVersion) { |
| filteredVulns = append(filteredVulns, v) |
| } |
| } |
| if len(filteredVulns) == 0 { |
| continue |
| } |
| mv = append(mv, modVulns{ |
| mod: mod, |
| vulns: filteredVulns, |
| }) |
| } |
| return mv, nil |
| } |
