cmd/govulncheck: move filtering logic for vulns

The logic that keeps only the vulnerabilities that are actually called is
moved to cmd/govulncheck.

This change is made to enable printing unaffected modules in the next
CL.

Change-Id: I6a7a33ff4e30f72d776649d2e26ab3fa430fc74a
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/409815
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Julie Qiu <julieqiu@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/cmd/govulncheck/internal/govulncheck/source.go b/cmd/govulncheck/internal/govulncheck/source.go
index 6bac213..23028b9 100644
--- a/cmd/govulncheck/internal/govulncheck/source.go
+++ b/cmd/govulncheck/internal/govulncheck/source.go
@@ -59,6 +59,8 @@
 
 // Source calls vulncheck.Source on the Go source in pkgs. It returns the result
 // with Vulns trimmed to those that are actually called.
+//
+// This function is being used by the Go IDE team.
 func Source(ctx context.Context, pkgs []*vulncheck.Package, c client.Client) (*vulncheck.Result, error) {
 	r, err := vulncheck.Source(ctx, pkgs, &vulncheck.Config{Client: c})
 	if err != nil {
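Review bot: The added line `// This function is being used by the Go IDE team.` names a dependent but not what has to stay stable for it. Since cmd/govulncheck/main.go now calls vulncheck.Source directly and trims with its own filterCalled, the trimming this comment describes would live in two places and could drift apart. I would spell that out, e.g. `// It is kept for external callers (the Go IDE team); keep its trimming in sync with filterCalled in cmd/govulncheck/main.go.` Source's body continues outside the hunk, so whether it still filters the same way is not visible here.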
diff --git a/cmd/govulncheck/main.go b/cmd/govulncheck/main.go
index a96eeba..74c3fc6 100644
--- a/cmd/govulncheck/main.go
+++ b/cmd/govulncheck/main.go
@@ -113,11 +113,13 @@
 		if err != nil {
 			die("govulncheck: %v", err)
 		}
-		r, err = govulncheck.Source(ctx, pkgs, dbClient)
+		r, err = vulncheck.Source(ctx, pkgs, &vulncheck.Config{Client: dbClient})
 		if err != nil {
 			die("govulncheck: %v", err)
 		}
+		r.Vulns = filterCalled(r)
 	}
+
 	if *jsonFlag {
 		writeJSON(r)
 	} else {
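Review bot: `r.Vulns = filterCalled(r)` runs before the `*jsonFlag` check, so the JSON output, like the text output, carries only vulnerabilities that have a call-graph sink. This is presumably what govulncheck.Source did before, but a machine consumer of the JSON cannot tell "no known vulnerabilities" from "vulnerable code imported but not called". A comment at the call site would make that reporting decision explicit, e.g. `// Keep only called vulns; uncalled ones are dropped from both JSON and text output.` The assignment is added only in this branch; the branch above the hunk is not visible, so it is worth checking that its result is trimmed the same way.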
@@ -139,6 +141,17 @@
 	os.Exit(exitCode)
 }
 
+// filterCalled returns vulnerabilities where the symbols are actually called.
+func filterCalled(r *vulncheck.Result) []*vulncheck.Vuln {
+	var vulns []*vulncheck.Vuln
+	for _, v := range r.Vulns {
+		if v.CallSink != 0 {
+			vulns = append(vulns, v)
+		}
+	}
+	return vulns
+}
+
 func writeJSON(r *vulncheck.Result) {
 	b, err := json.MarshalIndent(r, "", "\t")
 	if err != nil {
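Review bot: filterCalled's doc comment does not explain the `v.CallSink != 0` test, which relies on vulncheck leaving CallSink at zero when the vulnerable symbol is not part of the call graph. I would extend it, e.g. `// A zero CallSink means vulncheck found no call-graph sink for the symbol; such vulns are dropped. This reflects static analysis, not proof that the symbol is unreachable.` Separately, `var vulns []*vulncheck.Vuln` stays nil when nothing matches, so writeJSON would likely emit `null` rather than `[]` for Vulns unless the field's tags say otherwise. If JSON consumers expect an array, `vulns := []*vulncheck.Vuln{}` avoids that.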