internal/worker: remove ScanModeBinarySymbol scan mode
This scan mode was never actually really used: we never save a row with
its value. We used it to stitch some things together. We now refactor
other code so we can get rid of this scan mode. Otherwise, things are
confusing.
Change-Id: I55b8eedc270b9a94ea4a0891bfb1ff8ce5f628a5
Reviewed-on: https://go-review.googlesource.com/c/pkgsite-metrics/+/589076
Reviewed-by: Maceo Thompson <maceothompson@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/internal/worker/govulncheck_scan.go b/internal/worker/govulncheck_scan.go
index c9b7c01..b614b02 100644
--- a/internal/worker/govulncheck_scan.go
+++ b/internal/worker/govulncheck_scan.go
@@ -62,13 +62,6 @@
// Note that this is not an ecosystem metrics mode.
scanModeSourceModule string = "REQUIRES"
- // scanModeBinarySymbol is used to designate results at govulncheck binary
- // '-scan symbol' level of precision.
- //
- // Note that this is not an ecosystem metrics mode. Its value is "BINARY"
- // for historical reasons.
- scanModeBinarySymbol string = "BINARY"
-
// scanModeCompareBinary is used to designate results for govulncheck
// binary (symbol) precision level in compare mode.
scanModeCompareBinary string = "COMPARE - BINARY"
@@ -83,15 +76,6 @@
sandboxGoCache = "root/.cache/go-build"
)
-func modeToGovulncheckFlag(mode string) string {
- switch mode {
- case scanModeBinarySymbol:
- return govulncheck.FlagBinary
- default:
- return govulncheck.FlagSource
- }
-}
-
var (
// gReqCounter counts requests to govulncheck handleScan
gReqCounter = event.NewCounter("govulncheck-requests", &event.MetricOptions{Namespace: metricNamespace})
@@ -277,8 +261,8 @@
continue
}
- binRow := createComparisonRow(pkg, &results.BinaryResults, baseRow, scanModeBinarySymbol)
- srcRow := createComparisonRow(pkg, &results.SourceResults, baseRow, scanModeSourceSymbol)
+ binRow := createComparisonRow(pkg, &results.BinaryResults, baseRow, true)
+ srcRow := createComparisonRow(pkg, &results.SourceResults, baseRow, false)
log.Infof(ctx, "found %d vulns in binary mode and %d vulns in source mode for package %s (module: %s)", len(binRow.Vulns), len(srcRow.Vulns), pkg, sreq.Path())
rows = append(rows, binRow, srcRow)
}
@@ -295,17 +279,17 @@
return nil
}
-func createComparisonRow(pkg string, response *govulncheck.AnalysisResponse, baseRow *govulncheck.Result, scanMode string) *govulncheck.Result {
+func createComparisonRow(pkg string, response *govulncheck.AnalysisResponse, baseRow *govulncheck.Result, binary bool) *govulncheck.Result {
row := *baseRow
row.Suffix = pkg
- if scanMode == scanModeBinarySymbol {
+ if binary {
row.ScanMode = scanModeCompareBinary
row.BinaryBuildSeconds = bigquery.NullFloat(response.Stats.BuildTime.Seconds())
} else {
row.ScanMode = scanModeCompareSource
}
- row.Vulns = vulnsForScanMode(response, scanMode)
+ row.Vulns = vulnsForScanMode(response, scanModeSourceSymbol) // we want vulns at the symbol level, binary or source
row.ScanMemory = int64(response.Stats.ScanMemory)
row.ScanSeconds = response.Stats.ScanSeconds
return &row
@@ -359,7 +343,8 @@
return nil, nil
}
-// CheckModule govulnchecks a module specified by sreq.
+// CheckModule govulnchecks a module specified by sreq. Currently, only source
+// analysis is conducted. For binary analysis, see CompareModule.
func (s *scanner) CheckModule(ctx context.Context, w http.ResponseWriter, sreq *govulncheck.Request, baseRow *govulncheck.Result) (*govulncheck.WorkState, error) {
log.Infof(ctx, "running scanner.runScanModule: %s@%s", sreq.Path(), sreq.Version)
response, err := s.runScanModule(ctx, sreq.Module, baseRow.Version, sreq.Mode)
@@ -432,12 +417,12 @@
// vulnsForScanMode produces Vulns from findings at the specified
// govulncheck scan mode.
-func vulnsForScanMode(response *govulncheck.AnalysisResponse, mode string) []*govulncheck.Vuln {
+func vulnsForScanMode(response *govulncheck.AnalysisResponse, scanMode string) []*govulncheck.Vuln {
var modeFindings []*govulncheckapi.Finding
for _, f := range response.Findings {
fr := f.Trace[0]
- switch mode {
- case scanModeSourceSymbol, scanModeBinarySymbol:
+ switch scanMode {
+ case scanModeSourceSymbol:
if fr.Function != "" {
modeFindings = append(modeFindings, f)
}
@@ -506,7 +491,8 @@
log.Debugf(ctx, "Sandbox running %s", goOut)
}
log.Infof(ctx, "running govulncheck in sandbox: mode %s, arg %q", mode, arg)
- cmd := s.sbox.Command(filepath.Join(s.binaryDir, "govulncheck_sandbox"), s.govulncheckPath, modeToGovulncheckFlag(mode), arg, s.vulnDBDir)
+ // currently, only source analysis is done in govulncheck_sandbox (binary is done elsewhere)
+ cmd := s.sbox.Command(filepath.Join(s.binaryDir, "govulncheck_sandbox"), s.govulncheckPath, govulncheck.FlagSource, arg, s.vulnDBDir)
stdout, err := cmd.Output()
log.Infof(ctx, "govulncheck in sandbox finished with err=%v", err)
if err != nil {
@@ -527,7 +513,8 @@
}
func (s *scanner) runGovulncheckScanInsecure(inputPath, mode string) (_ *govulncheck.AnalysisResponse, err error) {
- return govulncheck.RunGovulncheckCmd(s.govulncheckPath, modeToGovulncheckFlag(mode), "./...", inputPath, s.vulnDBDir)
+ // currently, only source analysis is done individually (binary is done in compare mode)
+ return govulncheck.RunGovulncheckCmd(s.govulncheckPath, govulncheck.FlagSource, "./...", inputPath, s.vulnDBDir)
}
func isGovulncheckLoadError(err error) bool {
diff --git a/internal/worker/govulncheck_scan_test.go b/internal/worker/govulncheck_scan_test.go
index d9c53d1..c90e226 100644
--- a/internal/worker/govulncheck_scan_test.go
+++ b/internal/worker/govulncheck_scan_test.go
@@ -49,7 +49,6 @@
want string
}{
{scanModeSourceSymbol, "M1:P1"},
- {scanModeBinarySymbol, "M1:P1"},
{scanModeSourcePackage, "M1:P1"},
{scanModeSourceModule, "M1:, M2:"},
} {
