{{define "govulncheck-intro"}}{{/*
Text template that tells the user which environment the vulnerability
analysis ran in. It prints, in order:
  - the experimental-tool banner with the feedback link;
  - the Go version (.GoVersion), when set;
  - the scanner name (.ScannerName), with "@" and .ScannerVersion appended
    when the version is set; the version is never printed without a name;
  - the vulnerability database (.DB), always;
  - the database's last-modified timestamp (.DBLastModified), when set.
"Go" and "Scanner" are declared with block, so each is defined here and
executed in place.
NOTE(review): the last-modified timestamp is the only indication in this
intro of how current the vulnerability data is; when .DBLastModified is
empty the reader gets no hint of the data's age.
*/ -}}
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
Using
{{- if .GoVersion}} {{block "Go" .GoVersion}}{{.}}{{end}} and{{end}}
{{- if .ScannerName}} {{block "Scanner" .ScannerName}}{{.}}{{end}}
{{- if .ScannerVersion}}@{{.ScannerVersion}}{{end}} with{{end}}
vulnerability data from {{.DB}}
{{- if .DBLastModified}} (last modified {{.DBLastModified}}){{end}}.
{{end}}{{/*Preamble*/}}
{{define "govulncheck-summary"}}{{/*
Text template that prints the vulncheck results. It renders, in order:
1) "VulnCount": the number of vulnerabilities detected (.Affected).
2) "Vulnerability" over .Affected: details of each vulnerability, with the
   call stacks found for each affected module.
3) "Informational" followed by "Vulnerability" over .Unaffected:
   vulnerabilities that are only imported but not called.
*/ -}}
{{- template "VulnCount" . -}}
{{- template "Vulnerability" .Affected -}}
{{- template "Informational" . -}}
{{- template "Vulnerability" .Unaffected -}}
{{- end}}{{/*Summary*/}}
{{define "VulnCount" -}}{{/*
Headline count for the summary.
Prints "No vulnerabilities found." when .Affected is empty. Otherwise
prints how many vulnerabilities affect the code (singular or plural),
followed by the number of affected modules (omitted when .AffectedModules
is 0) and "the Go standard library" when .StdlibAffected is set; " and"
joins the two only when both are present.
NOTE(review): the "No vulnerabilities found." line depends on .Affected
alone. Entries in .Unaffected are not counted here, so anything that keys
on this line should also look at the Informational section.
*/ -}}
{{if eq (len .Affected) 0}}No vulnerabilities found.
{{else}}Your code is affected by {{template "Value" (len .Affected)}}
{{- if eq (len .Affected) 1}} vulnerability{{else}} vulnerabilities{{end}} from
{{- if eq .AffectedModules 0}}{{else if eq .AffectedModules 1}} 1 module{{else}} {{template "Value" .AffectedModules}} modules{{end}}
{{- if .StdlibAffected}}{{if ne .AffectedModules 0}} and{{end}} the Go standard library{{end}}.
{{- end}}
{{- end}}{{/*VulnCount*/}}
{{- define "Informational" -}}{{/*
Heading and explanation for vulnerabilities that are imported but not
called. Prints nothing when .Unaffected is empty.
The heading is declared with block "InformationalTitle", so it is defined
here and executed in place. The count is written directly with len, not
through the "Value" template, and the wording switches between singular
and plural on a count of 1.
NOTE(review): "no call stacks" reports what the analysis that filled
.Unaffected found; this template cannot check reachability itself.
*/ -}}
{{if len .Unaffected}}
{{block "InformationalTitle" .}}=== Informational ==={{end}}
Found {{if eq (len .Unaffected) 1}}1 vulnerability{{else}}{{len .Unaffected}} vulnerabilities{{end}} in packages that you import, but there are no call
stacks leading to the use of {{if eq (len .Unaffected) 1}}this vulnerability{{else}}these vulnerabilities{{end}}. You may not need to
take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.
{{- end -}}
{{- end}}{{/*Informational*/}}
{{- define "Vulnerability" -}}{{/*
Renders a list of vulnerabilities (dot is the list); prints nothing when
the list is empty.
For each entry it prints a 1-based "Vulnerability #N" line with the OSV
field, the details passed through wrap and indent 4, and the "More info:"
URL. Then, for each module of the entry, it prints "Standard library" when
.IsStd is set or the module path otherwise, the found version, the fixed
version ("N/A" when .FixedVersion is empty), the platforms when any are
listed, and the call stacks via "Traces".
inc, wrap and indent are not text/template builtins; the program that
parses this template has to register them.
NOTE(review): "Fixed in: N/A" only means no fixed version reached the
template, so the output then names no version to upgrade to.
NOTE(review): the file's header comments call this a text template, which
does no escaping; .Details, .URL and the other fields are written as
received. Confirm they are sanitised before reusing this output in HTML.
*/ -}}
{{- if len . -}}
{{- $idx := 0}}{{range $vulnInfo := .}}
{{- $idx = inc $idx}}
{{template "Key" "Vulnerability"}} #{{$idx}}: {{block "OSV" $vulnInfo}}{{.OSV}}{{end}}
{{block "Details" $vulnInfo.Details}}{{wrap . | indent 4}}{{end}}
{{template "Key" "More info:"}} {{$vulnInfo.URL}}
{{- range $modInfo := $vulnInfo.Modules}}
{{- if $modInfo.IsStd}}
Standard library
{{- else}}
{{template "Key" "Module:"}} {{$modInfo.Module}}
{{- end}}
{{template "Key" "Found in:"}} {{$modInfo.FoundVersion}}
{{template "Key" "Fixed in:"}} {{if $modInfo.FixedVersion}}{{$modInfo.FixedVersion}}{{else}}N/A{{end}}
{{- if $modInfo.Platforms}}
{{template "Key" "Platforms:"}} {{template "Platforms" $modInfo.Platforms}}
{{- end}}
{{- template "Traces" $modInfo.Traces}}{{end}}
{{- end -}}
{{- end -}}
{{- end -}}{{/*Vulnerability*/}}
{{- define "Platforms" -}}{{/*
Joins the elements of the list (dot) with ", ". $sep starts empty and is
set to ", " after the first element, so no separator precedes the first
item or follows the last.
*/ -}}
{{$sep := ""}}{{range .}}{{$sep}}{{.}}{{$sep = ", "}}{{end}}
{{- end}}{{/*Platforms*/}}
{{- define "Traces" -}}{{/*
Prints the call stacks for one module (dot is the list of trace entries).
A first pass counts the entries whose .Compact is non-empty. If there are
none, nothing is printed, not even the heading. Otherwise the heading is
printed, then each non-empty .Compact on its own line; entries with an
empty .Compact are skipped.
inc is not a text/template builtin; the program that parses this template
has to register it.
*/ -}}
{{- $count:=0}}{{range $entry := .}}{{if .Compact}}{{$count = inc $count}}{{end}}{{end}}
{{- if $count}}
{{template "Key" "Call stacks in your code:"}}
{{range $entry := .}}{{if .Compact}} {{.Compact}}
{{end}}{{end}}
{{- end -}}
{{- end}}{{/*Traces*/}}
{{define "Key"}}{{/*
Writes its argument unchanged. The templates above route field labels
through it. Presumably a hook for restyling labels; confirm against the
code that loads this file.
*/}}{{.}}{{end}}
{{define "Value"}}{{/*
Writes its argument unchanged. "VulnCount" routes its counts through it.
Presumably a hook for restyling values; confirm against the code that
loads this file.
*/}}{{.}}{{end}}