blob: 077901d13d0099c2494939e4d37c1526e2166f3a [file] [log] [blame]
// Copyright 2022 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// This program runs govulncheck on a module in source mode and then
// writes the result as JSON. It is intended to be run in a sandbox.
// For running govulncheck on binaries, see cmd/compare_sandbox.
// Unless it panics, this program always terminates with exit code 0.
// If there is an error, it writes a JSON object with field "Error".
// Otherwise, it writes a internal/govulncheck.SandboxResponse as JSON.
package main
import (
// main function for govulncheck sandbox that accepts four inputs
// in the following order:
// - path to govulncheck
// - govulncheck mode
// - input module or binary to analyze
// - full path to the vulnerability database
func main() {
run(os.Stdout, flag.Args())
func run(w io.Writer, args []string) {
fail := func(err error) {
fmt.Fprintf(w, `{"Error": %q}`, err)
if len(args) != 4 {
fail(errors.New("need four args: govulncheck path, mode, input module dir or binary, full path to vuln db"))
modeFlag := args[1]
if modeFlag == govulncheck.FlagBinary {
fail(errors.New("binaries are only analyzed in compare_sandbox"))
resp, err := runGovulncheck(args[0], modeFlag, args[2], args[3])
if err != nil {
b, err := json.MarshalIndent(resp, "", "\t")
if err != nil {
fail(fmt.Errorf("json.MarshalIndent: %v", err))
func runGovulncheck(govulncheckPath, modeFlag, filePath, vulnDBDir string) (*govulncheck.SandboxResponse, error) {
response := govulncheck.SandboxResponse{
Stats: govulncheck.ScanStats{},
findings, err := govulncheck.RunGovulncheckCmd(govulncheckPath, modeFlag, "./...", filePath, vulnDBDir, &response.Stats)
if err != nil {
return nil, err
response.Findings = findings
return &response, nil