| // Copyright 2020 The Go Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style |
| // license that can be found in the LICENSE file. |
| |
| package mod |
| |
| import ( |
| "bytes" |
| "context" |
| "fmt" |
| "sort" |
| "strings" |
| |
| "golang.org/x/mod/modfile" |
| "golang.org/x/mod/semver" |
| "golang.org/x/tools/gopls/internal/govulncheck" |
| "golang.org/x/tools/gopls/internal/lsp/protocol" |
| "golang.org/x/tools/gopls/internal/lsp/source" |
| "golang.org/x/tools/internal/event" |
| ) |
| |
| func Hover(ctx context.Context, snapshot source.Snapshot, fh source.FileHandle, position protocol.Position) (*protocol.Hover, error) { |
| var found bool |
| for _, uri := range snapshot.ModFiles() { |
| if fh.URI() == uri { |
| found = true |
| break |
| } |
| } |
| |
| // We only provide hover information for the view's go.mod files. |
| if !found { |
| return nil, nil |
| } |
| |
| ctx, done := event.Start(ctx, "mod.Hover") |
| defer done() |
| |
| // Get the position of the cursor. |
| pm, err := snapshot.ParseMod(ctx, fh) |
| if err != nil { |
| return nil, fmt.Errorf("getting modfile handle: %w", err) |
| } |
| offset, err := pm.Mapper.Offset(position) |
| if err != nil { |
| return nil, fmt.Errorf("computing cursor position: %w", err) |
| } |
| |
| // Confirm that the cursor is at the position of a require statement. |
| var req *modfile.Require |
| var startPos, endPos int |
| for _, r := range pm.File.Require { |
| dep := []byte(r.Mod.Path) |
| s, e := r.Syntax.Start.Byte, r.Syntax.End.Byte |
| i := bytes.Index(pm.Mapper.Content[s:e], dep) |
| if i == -1 { |
| continue |
| } |
| // Shift the start position to the location of the |
| // dependency within the require statement. |
| startPos, endPos = s+i, e |
| if startPos <= offset && offset <= endPos { |
| req = r |
| break |
| } |
| } |
| // TODO(hyangah): find position for info about vulnerabilities in Go |
| |
| // The cursor position is not on a require statement. |
| if req == nil { |
| return nil, nil |
| } |
| |
| // Get the vulnerability info. |
| fromGovulncheck := true |
| vs := snapshot.View().Vulnerabilities(fh.URI())[fh.URI()] |
| if vs == nil && snapshot.View().Options().Vulncheck == source.ModeVulncheckImports { |
| vs, err = snapshot.ModVuln(ctx, fh.URI()) |
| if err != nil { |
| return nil, err |
| } |
| fromGovulncheck = false |
| } |
| affecting, nonaffecting := lookupVulns(vs, req.Mod.Path, req.Mod.Version) |
| |
| // Get the `go mod why` results for the given file. |
| why, err := snapshot.ModWhy(ctx, fh) |
| if err != nil { |
| return nil, err |
| } |
| explanation, ok := why[req.Mod.Path] |
| if !ok { |
| return nil, nil |
| } |
| |
| // Get the range to highlight for the hover. |
| // TODO(hyangah): adjust the hover range to include the version number |
| // to match the diagnostics' range. |
| rng, err := pm.Mapper.OffsetRange(startPos, endPos) |
| if err != nil { |
| return nil, err |
| } |
| options := snapshot.View().Options() |
| isPrivate := snapshot.View().IsGoPrivatePath(req.Mod.Path) |
| header := formatHeader(req.Mod.Path, options) |
| explanation = formatExplanation(explanation, req, options, isPrivate) |
| vulns := formatVulnerabilities(req.Mod.Path, affecting, nonaffecting, options, fromGovulncheck) |
| |
| return &protocol.Hover{ |
| Contents: protocol.MarkupContent{ |
| Kind: options.PreferredContentFormat, |
| Value: header + vulns + explanation, |
| }, |
| Range: rng, |
| }, nil |
| } |
| |
| func formatHeader(modpath string, options *source.Options) string { |
| var b strings.Builder |
| // Write the heading as an H3. |
| b.WriteString("#### " + modpath) |
| if options.PreferredContentFormat == protocol.Markdown { |
| b.WriteString("\n\n") |
| } else { |
| b.WriteRune('\n') |
| } |
| return b.String() |
| } |
| |
| func lookupVulns(vulns *govulncheck.Result, modpath, version string) (affecting, nonaffecting []*govulncheck.Vuln) { |
| if vulns == nil { |
| return nil, nil |
| } |
| for _, vuln := range vulns.Vulns { |
| for _, mod := range vuln.Modules { |
| if mod.Path != modpath { |
| continue |
| } |
| // It is possible that the source code was changed since the last |
| // govulncheck run and information in the `vulns` info is stale. |
| // For example, imagine that a user is in the middle of updating |
| // problematic modules detected by the govulncheck run by applying |
| // quick fixes. Stale diagnostics can be confusing and prevent the |
| // user from quickly locating the next module to fix. |
| // Ideally we should rerun the analysis with the updated module |
| // dependencies or any other code changes, but we are not yet |
| // in the position of automatically triggerring the analysis |
| // (govulncheck can take a while). We also don't know exactly what |
| // part of source code was changed since `vulns` was computed. |
| // As a heuristic, we assume that a user upgrades the affecting |
| // module to the version with the fix or the latest one, and if the |
| // version in the require statement is equal to or higher than the |
| // fixed version, skip the vulnerability information in the hover. |
| // Eventually, the user has to rerun govulncheck. |
| if mod.FixedVersion != "" && semver.IsValid(version) && semver.Compare(mod.FixedVersion, version) <= 0 { |
| continue |
| } |
| if vuln.IsCalled() { |
| affecting = append(affecting, vuln) |
| } else { |
| nonaffecting = append(nonaffecting, vuln) |
| } |
| } |
| } |
| sort.Slice(nonaffecting, func(i, j int) bool { return nonaffecting[i].OSV.ID < nonaffecting[j].OSV.ID }) |
| sort.Slice(affecting, func(i, j int) bool { return affecting[i].OSV.ID < affecting[j].OSV.ID }) |
| return affecting, nonaffecting |
| } |
| |
| func formatVulnerabilities(modPath string, affecting, nonaffecting []*govulncheck.Vuln, options *source.Options, fromGovulncheck bool) string { |
| if len(affecting) == 0 && len(nonaffecting) == 0 { |
| return "" |
| } |
| |
| // TODO(hyangah): can we use go templates to generate hover messages? |
| // Then, we can use a different template for markdown case. |
| useMarkdown := options.PreferredContentFormat == protocol.Markdown |
| |
| var b strings.Builder |
| |
| if len(affecting) > 0 { |
| // TODO(hyangah): make the message more eyecatching (icon/codicon/color) |
| if len(affecting) == 1 { |
| b.WriteString(fmt.Sprintf("\n**WARNING:** Found %d reachable vulnerability.\n", len(affecting))) |
| } else { |
| b.WriteString(fmt.Sprintf("\n**WARNING:** Found %d reachable vulnerabilities.\n", len(affecting))) |
| } |
| } |
| for _, v := range affecting { |
| fix := fixedVersionInfo(v, modPath) |
| |
| if useMarkdown { |
| fmt.Fprintf(&b, "- [**%v**](%v) %v %v\n", v.OSV.ID, href(v.OSV), formatMessage(v), fix) |
| } else { |
| fmt.Fprintf(&b, " - [%v] %v (%v) %v\n", v.OSV.ID, formatMessage(v), href(v.OSV), fix) |
| } |
| } |
| if len(nonaffecting) > 0 { |
| if fromGovulncheck { |
| fmt.Fprintf(&b, "\n**Note:** The project imports packages with known vulnerabilities, but does not call the vulnerable code.\n") |
| } else { |
| fmt.Fprintf(&b, "\n**Note:** The project imports packages with known vulnerabilities. Use `govulncheck` to check if the project uses vulnerable symbols.\n") |
| } |
| } |
| for _, v := range nonaffecting { |
| fix := fixedVersionInfo(v, modPath) |
| if useMarkdown { |
| fmt.Fprintf(&b, "- [%v](%v) %v %v\n", v.OSV.ID, href(v.OSV), formatMessage(v), fix) |
| } else { |
| fmt.Fprintf(&b, " - [%v] %v %v (%v)\n", v.OSV.ID, formatMessage(v), fix, href(v.OSV)) |
| } |
| } |
| b.WriteString("\n") |
| return b.String() |
| } |
| |
| func fixedVersionInfo(v *govulncheck.Vuln, modPath string) string { |
| fix := "\n\n **No fix is available.**" |
| for _, m := range v.Modules { |
| if m.Path != modPath { |
| continue |
| } |
| if m.FixedVersion != "" { |
| fix = "\n\n Fixed in " + m.FixedVersion + "." |
| } |
| break |
| } |
| return fix |
| } |
| |
| func formatExplanation(text string, req *modfile.Require, options *source.Options, isPrivate bool) string { |
| text = strings.TrimSuffix(text, "\n") |
| splt := strings.Split(text, "\n") |
| length := len(splt) |
| |
| var b strings.Builder |
| |
| // If the explanation is 2 lines, then it is of the form: |
| // # golang.org/x/text/encoding |
| // (main module does not need package golang.org/x/text/encoding) |
| if length == 2 { |
| b.WriteString(splt[1]) |
| return b.String() |
| } |
| |
| imp := splt[length-1] // import path |
| reference := imp |
| // See golang/go#36998: don't link to modules matching GOPRIVATE. |
| if !isPrivate && options.PreferredContentFormat == protocol.Markdown { |
| target := imp |
| if strings.ToLower(options.LinkTarget) == "pkg.go.dev" { |
| target = strings.Replace(target, req.Mod.Path, req.Mod.String(), 1) |
| } |
| reference = fmt.Sprintf("[%s](%s)", imp, source.BuildLink(options.LinkTarget, target, "")) |
| } |
| b.WriteString("This module is necessary because " + reference + " is imported in") |
| |
| // If the explanation is 3 lines, then it is of the form: |
| // # golang.org/x/tools |
| // modtest |
| // golang.org/x/tools/go/packages |
| if length == 3 { |
| msg := fmt.Sprintf(" `%s`.", splt[1]) |
| b.WriteString(msg) |
| return b.String() |
| } |
| |
| // If the explanation is more than 3 lines, then it is of the form: |
| // # golang.org/x/text/language |
| // rsc.io/quote |
| // rsc.io/sampler |
| // golang.org/x/text/language |
| b.WriteString(":\n```text") |
| dash := "" |
| for _, imp := range splt[1 : length-1] { |
| dash += "-" |
| b.WriteString("\n" + dash + " " + imp) |
| } |
| b.WriteString("\n```") |
| return b.String() |
| } |
