vulncheck: remove isLocal check from fetchVulnerabilities

The isLocal check was added to improve efficiency by avoiding
fetching data that is not going to be used. Version info is
inaccurate or unavailable for modules that are in writable
local directories, so the vuln check for those modules is
skipped anyway.

With the check, fetchVulnerabilities excludes vulnerabilities
for modules if their source files are outside the module cache.
The location of the module cache was determined by querying
GOMODCACHE and GOPATH environment variables of the govulncheck
process. That worked well for govulncheck when it is used
for source scanning.

The logic was copied to the vulncheck API internals. However,
relying on the process's GOMODCACHE/GOPATH environment variables
limits the API's utility. For example, Gopls may use a different
GOMODCACHE/GOPATH for each workspace it's processing, and they
can be different from Gopls's own GOMODCACHE/GOPATH env vars.
Test data can be loaded with a fake GOMODCACHE that's different
from the GOMODCACHE env var of the test process.

There was an escape flag to skip this check in order to work with
the test environment, where the module cache and GOPATH
are different from the test process's. But that flag is unexported;
external packages cannot utilize it, and that prevents
writing tests from external packages.

This CL proposes to remove the isLocal check. There is already
a cache that reduces the volume of data fetched over the network, and
vulncheck can potentially address the efficiency issue in different
ways. Users and applications that need to exclude
vulnerabilities of local modules may utilize
golang.org/x/vuln/client.Client
and implement filtering on top of GetByModule. Or, if this problem
is common, we may consider an explicit setting in
vulncheck.Config.
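The filtering the commit message leaves to callers can be done by wrapping the client, with the module cache root passed in per workspace instead of read from the process's GOMODCACHE/GOPATH. The following is an added example written for this page, not code from golang.org/x/exp or golang.org/x/vuln: the Entry and Client shapes, memClient, newLocalFilter, underDir and runScenario are all hypothetical stand-ins that only approximate the real client.Client interface, and the module paths, directories and vulnerability IDs are constructed sample data.

```go
package main

import (
	"context"
	"fmt"
	"path/filepath"
	"strings"
)

// Entry is a hypothetical, minimal vulnerability record; the real
// golang.org/x/vuln/client types carry far more fields.
type Entry struct {
	ID     string
	Module string
}

// Client mirrors only the GetByModule method this example needs. The
// signature is an assumption, not the real golang.org/x/vuln/client.Client.
type Client interface {
	GetByModule(ctx context.Context, modulePath string) ([]*Entry, error)
}

// memClient is a constructed in-memory vulnerability source standing in for
// the network-backed client. It records every module it was asked about so
// the filter's effect on fetch volume is observable.
type memClient struct {
	db      map[string][]*Entry
	fetched []string
}

func (m *memClient) GetByModule(_ context.Context, modulePath string) ([]*Entry, error) {
	m.fetched = append(m.fetched, modulePath)
	return m.db[modulePath], nil
}

// localFilter wraps a Client and suppresses lookups for modules whose source
// directory lies outside the module cache. The cache root is supplied by the
// caller (per workspace), never read from the process environment.
type localFilter struct {
	inner      Client
	modCache   string            // absolute module cache root for this workspace
	moduleDirs map[string]string // module path -> directory its source was loaded from
}

func newLocalFilter(inner Client, modCache string, moduleDirs map[string]string) *localFilter {
	return &localFilter{inner: inner, modCache: filepath.Clean(modCache), moduleDirs: moduleDirs}
}

// underDir reports whether dir is root itself or a descendant of root.
// It goes through filepath.Rel so "/cache" does not match "/cachefoo".
func underDir(root, dir string) bool {
	rel, err := filepath.Rel(root, dir)
	if err != nil || filepath.IsAbs(rel) {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

// isLocal is true when the module's directory is known and lies outside the
// module cache, i.e. a writable checkout whose version info is unreliable.
// Modules with an unknown directory are treated as not local so their
// vulnerability data is still fetched rather than silently dropped.
func (f *localFilter) isLocal(modulePath string) bool {
	dir, ok := f.moduleDirs[modulePath]
	if !ok {
		return false
	}
	return !underDir(f.modCache, filepath.Clean(dir))
}

func (f *localFilter) GetByModule(ctx context.Context, modulePath string) ([]*Entry, error) {
	if f.isLocal(modulePath) {
		return nil, nil // skip the fetch entirely for local modules
	}
	return f.inner.GetByModule(ctx, modulePath)
}

// Result summarises one run over two workspaces with different cache roots.
type Result struct {
	DepViaA, DepViaB, App, Unknown int      // entries returned per lookup
	Fetched                        []string // modules the inner client saw
}

func runScenario() Result {
	cacheA := filepath.Join("/", "ws", "a", "pkg", "mod") // workspace A's GOMODCACHE
	cacheB := filepath.Join("/", "ws", "b", "pkg", "mod") // workspace B's GOMODCACHE
	inner := &memClient{db: map[string][]*Entry{
		"example.com/dep": {{ID: "GO-EXAMPLE-0001", Module: "example.com/dep"}},
	}}
	dirs := map[string]string{
		"example.com/dep": filepath.Join(cacheA, "example.com", "dep@v1.2.3"), // in cache A
		"example.com/app": filepath.Join("/", "home", "dev", "app"),           // writable checkout
	}
	ctx := context.Background()
	fa, fb := newLocalFilter(inner, cacheA, dirs), newLocalFilter(inner, cacheB, dirs)
	depA, _ := fa.GetByModule(ctx, "example.com/dep")     // fetched: under cache A
	depB, _ := fb.GetByModule(ctx, "example.com/dep")     // skipped: outside cache B
	app, _ := fa.GetByModule(ctx, "example.com/app")      // skipped: local checkout
	unk, _ := fa.GetByModule(ctx, "example.com/unknown")  // fetched: directory unknown
	return Result{len(depA), len(depB), len(app), len(unk), inner.fetched}
}

func main() {
	r := runScenario()
	fmt.Printf("dep via A: %d, dep via B: %d, app: %d, unknown: %d\n", r.DepViaA, r.DepViaB, r.App, r.Unknown)
	fmt.Println("inner client fetched:", r.Fetched)
}
```

The same module is fetched through workspace A's filter and skipped through workspace B's, which is exactly the per-workspace behaviour the process-wide GOMODCACHE check could not express; an unknown directory is deliberately treated as not local so the filter fails open toward fetching.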

Change-Id: Iced93351b91a00fdc623a6d1c3076da86fbe2c70
Reviewed-on: https://go-review.googlesource.com/c/exp/+/391914
Trust: Hyang-Ah Hana Kim <hyangah@gmail.com>
Run-TryBot: Hyang-Ah Hana Kim <hyangah@gmail.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
4 files changed
tree: 2f41858dec171e8ebebc90ddb238c9a2691a0462
  1. apidiff/
  2. cmd/
  3. constraints/
  4. devtools/
  5. ebnf/
  6. ebnflint/
  7. errors/
  8. event/
  9. fsnotify/
  10. inotify/
  11. io/
  12. jsonrpc2/
  13. maps/
  14. mmap/
  15. rand/
  16. shiny/
  17. shootout/
  18. slices/
  19. sumdb/
  20. typeparams/
  21. utf8string/
  22. vulncheck/
  23. vulndb/
  24. winfsnotify/
  25. .gitattributes
  26. .gitignore
  27. AUTHORS
  28. codereview.cfg
  29. CONTRIBUTING.md
  30. CONTRIBUTORS
  31. go.mod
  32. go.sum
  33. LICENSE
  34. PATENTS
  35. README.md
README.md

exp

This subrepository holds experimental and deprecated (in the old directory) packages.

The idea for this subrepository originated as the pkg/exp directory of the main repository, but its presence there made it unavailable to users of the binary downloads of the Go installation. The subrepository has therefore been created to make it possible to go get these packages.

Warning: Packages here are experimental and unreliable. Some may one day be promoted to the main repository or other subrepository, or they may be modified arbitrarily or even disappear altogether.

In short, code in this subrepository is not subject to the Go 1 compatibility promise. (No subrepo is, but the promise is even more likely to be violated by go.exp than the others.)

Caveat emptor.