exp/govulncheck: add part of experimental govulncheck API

Gopls wants to invoke the govulncheck command line tool to get a
high-level summary of vulnerability scanning. Then it will translate
any findings to LSP messages.

The govulncheck command line tool is under active development
and there is no stable API built around it yet. While govulncheck
is evolving, it can break the assumption a released version of gopls
made at any time. When users independently install gopls and govulncheck,
it is hard to keep them compatible. There could be many different ways
of solving this problem, but we think it is easiest to embed the
govulncheck logic in gopls. This is basically equivalent to
pinning the version of govulncheck. We will evaluate different approaches
(e.g. invoke govulncheck found from PATH and hope it works) as the
govulncheck command line tool interface becomes stable.

Main is a wrapper of govulncheck command's main. This never returns.

Change-Id: I050cf114827bde3f3450e06909d1501f381804c3
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/435902
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Julie Qiu <julie@golang.org>
2 files changed
tree: d99cc200449448598680eef57dafec57dcfc2552
README.md

Go Vulnerability Management

This repository contains packages for accessing and analyzing data from the Go Vulnerability Database. It contains the following:

  • Package client: a client for interacting with the Go vulnerability database
  • Package vulncheck: an API for detecting vulnerabilities in Go packages
  • Command govulncheck: a CLI for detecting vulnerabilities in Go packages

Check out https://go.dev/security/vuln for more information about the Go vulnerability management system.

Privacy Policy

The privacy policy for govulncheck can be found at https://vuln.go.dev/privacy.

License

Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Database entries available at https://vuln.go.dev are distributed under the terms of the CC-BY 4.0 license.