commit | a90fa8a757053f228ac2b5209dc60f313210a01f |
---|---|
author | Hana <hyangah@gmail.com> | Fri Mar 11 16:11:30 2022 -0500 |
committer | Hyang-Ah Hana Kim <hyangah@gmail.com> | Mon Mar 21 17:32:39 2022 +0000 |
tree | 2f41858dec171e8ebebc90ddb238c9a2691a0462 |
parent | aaef6dbbfd827cd314d6b08f589a5a751f1fedd4 |
vulncheck: remove isLocal check from fetchVulnerabilities

isLocal check was added to improve efficiency by avoiding fetch of data that's not going to be used. Version info is inaccurate or unavailable for modules that are in writable local directories, so vuln check for those modules is skipped anyway.

With the check, fetchVulnerabilities excludes vulnerabilities for modules if their source files are outside the module cache. The location of the module cache was determined by querying GOMODCACHE and GOPATH environment variables of the govulncheck process. That worked well for govulncheck when it is used for source scanning. The logic was copied to vulncheck API internal.

However, relying on the process's GOMODCACHE/GOPATH environment variables limits the API's utility. For example, Gopls may use different GOMODCACHE/GOPATH for each workspace it's processing, and they can be different from Gopls's own GOMODCACHE/GOPATH env vars. Test data can be loaded with a fake GOMODCACHE that's different from the GOMODCACHE env var of the test process. There was an escape flag to skip this check to work with the test environment where the module cache and GOPATH are different from the test process's. But that is unexported; external packages cannot utilize it, and that prevents writing tests from external packages.

This CL proposes to remove the isLocal check. There is already a cache that reduces the volume of data fetched over the network, and vulncheck can potentially address the efficiency issue in different ways. Users and applications that need to exclude vulnerabilities of local modules may utilize golang.org/x/vuln/client.Client and implement filtering from GetByModule. Or, if this problem is common, we may consider an explicit setting in the vulncheck.Config.

Change-Id: Iced93351b91a00fdc623a6d1c3076da86fbe2c70
Reviewed-on: https://go-review.googlesource.com/c/exp/+/391914
Trust: Hyang-Ah Hana Kim <hyangah@gmail.com>
Run-TryBot: Hyang-Ah Hana Kim <hyangah@gmail.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
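The commit message leaves filtering of local modules to callers: wrap golang.org/x/vuln/client.Client and drop results from GetByModule for modules whose source lives outside the module cache. The Go program below is an added example, not code from this CL or from golang.org/x/exp or x/vuln. It assumes a stand-in `Client` interface with only `GetByModule`, a two-field `Entry` in place of `osv.Entry`, an in-memory `MemClient` standing in for the network client, and a caller-supplied module cache path plus a constructed module-path-to-directory map (the real API exposes neither; the `ModDir` map is hypothetical). The point it demonstrates is the one the message argues for: the cache location comes from the caller, not from the process's GOMODCACHE, and the local check must be a proper path-containment test rather than a string prefix.

```go
package main

import (
	"context"
	"fmt"
	"path/filepath"
	"strings"
)

// Entry is a minimal stand-in for osv.Entry (assumption: only ID and Module are modelled).
type Entry struct {
	ID     string
	Module string
}

// Client models only the GetByModule method of golang.org/x/vuln/client.Client
// (assumption: the real interface has further methods, omitted here).
type Client interface {
	GetByModule(ctx context.Context, modulePath string) ([]Entry, error)
}

// MemClient is a constructed in-memory database standing in for the network
// client. Fetches records how often the "network" was consulted.
type MemClient struct {
	DB      map[string][]Entry
	Fetches int
}

func (m *MemClient) GetByModule(_ context.Context, modulePath string) ([]Entry, error) {
	m.Fetches++
	return m.DB[modulePath], nil
}

// LocalFilter wraps a Client and skips modules whose source directory lies
// outside ModCache. Unlike the removed isLocal check, the cache location is
// supplied per workspace by the caller, not read from the process environment.
type LocalFilter struct {
	Inner    Client
	ModCache string            // module cache of the workspace being scanned
	ModDir   map[string]string // hypothetical: module path -> directory its source was loaded from
}

// IsLocal reports whether dir is outside modCache. It uses filepath.Rel rather
// than a string prefix so that "/go/pkg/mod2" is not treated as inside "/go/pkg/mod".
func IsLocal(modCache, dir string) bool {
	rel, err := filepath.Rel(filepath.Clean(modCache), filepath.Clean(dir))
	if err != nil {
		return true // different volumes or mixed absolute/relative paths: treat as local
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// GetByModule returns no entries for local modules without touching Inner;
// version info for writable checkouts is unreliable, so the fetch is wasted.
func (f *LocalFilter) GetByModule(ctx context.Context, modulePath string) ([]Entry, error) {
	if dir, ok := f.ModDir[modulePath]; ok && IsLocal(f.ModCache, dir) {
		return nil, nil
	}
	return f.Inner.GetByModule(ctx, modulePath)
}

func main() {
	// Constructed sample data; the IDs are placeholders, not real Go vulnerability IDs.
	mem := &MemClient{DB: map[string][]Entry{
		"example.com/cached": {{ID: "GO-TEST-0001", Module: "example.com/cached"}},
		"example.com/local":  {{ID: "GO-TEST-0002", Module: "example.com/local"}},
	}}
	f := &LocalFilter{
		Inner:    mem,
		ModCache: "/home/u/go/pkg/mod",
		ModDir: map[string]string{
			"example.com/cached": "/home/u/go/pkg/mod/example.com/cached@v1.0.0",
			"example.com/local":  "/home/u/work/local",
		},
	}
	for _, m := range []string{"example.com/cached", "example.com/local"} {
		entries, _ := f.GetByModule(context.Background(), m)
		fmt.Printf("%s: %d entries\n", m, len(entries))
	}
	fmt.Printf("network fetches: %d\n", mem.Fetches)
}
```

`IsLocal` returns true on a `filepath.Rel` error on purpose: when containment cannot be decided, treating the module as local reproduces the skip that vulncheck applies to such modules anyway, and an application that prefers to fetch in that case can flip the default.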
This subrepository holds experimental and deprecated (in the `old` directory) packages.

The idea for this subrepository originated as the `pkg/exp` directory of the main repository, but its presence there made it unavailable to users of the binary downloads of the Go installation. The subrepository has therefore been created to make it possible to `go get` these packages.
Warning: Packages here are experimental and unreliable. Some may one day be promoted to the main repository or other subrepository, or they may be modified arbitrarily or even disappear altogether.
In short, code in this subrepository is not subject to the Go 1 compatibility promise. (No subrepo is, but the promise is even more likely to be violated by go.exp than the others.)
Caveat emptor.