vulncheck/source.go - vuln - Git at Google

 // Copyright 2021 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

 package vulncheck

 import (
 	"golang.org/x/tools/go/packages"
 )

 // Source detects vulnerabilities in pkgs and computes slices of
 //  - imports graph related to an import of a package with some
 //    known vulnerabilities
 //  - requires graph related to a require of a module with a
 //    package that has some known vulnerabilities
 //  - call graph leading to the use of a known vulnerable function
 //    or method
 func Source(pkgs []*packages.Package, cfg *Config) (*Result, error) {
 	if !cfg.ImportsOnly {
 		panic("call graph feature is currently unsupported")
 	}

 	modVulns, err := fetchVulnerabilities(cfg.Client, extractModules(pkgs))
 	if err != nil {
 		return nil, err
 	}

 	result := &Result{
 		Imports:  &ImportGraph{Packages: make(map[int]*PkgNode)},
 		Requires: &RequireGraph{Modules: make(map[int]*ModNode)},
 	}
 	vulnPkgImportSlice(pkgs, modVulns, result)
 	// TODO(zpavlinovic): compute module and call graph slice.
 	return result, nil
 }

 // pkgId is an id counter for nodes of Imports graph.
 var pkgID int = 0

 func nextPkgID() int {
 	pkgID += 1
 	return pkgID
 }

 // vulnPkgImportSlice computes the slice of pkg imports graph leading to imports of vulnerable
 // packages in modVulns and stores the slice to result.
 func vulnPkgImportSlice(pkgs []*packages.Package, modVulns moduleVulnerabilities, result *Result) {
 	// analyzed contains information on packages analyzed thus far.
 	// If a package is mapped to nil, this means it has been visited
 	// but it does not lead to a vulnerable imports. Otherwise, a
 	// visited package is mapped to Imports package node.
 	analyzed := make(map[*packages.Package]*PkgNode)
 	for _, pkg := range pkgs {
 		// Top level packages that lead to vulnerable imports are
 		// stored as result.Imports graph entry points.
 		if e := vulnImportSlice(pkg, modVulns, result, analyzed); e != nil {
 			result.Imports.Entries = append(result.Imports.Entries, e)
 		}
 	}
 }

 // vulnImportSlice checks if pkg has some vulnerabilities or transitively imports
 // a package with known vulnerabilities. If that is the case, populates result.Imports
 // graph with this reachability information and returns the result.Imports package
 // node for pkg. Otherwise, returns nil.
 func vulnImportSlice(pkg *packages.Package, modVulns moduleVulnerabilities, result *Result, analyzed map[*packages.Package]*PkgNode) *PkgNode {
 	if pn, ok := analyzed[pkg]; ok {
 		return pn
 	}
 	analyzed[pkg] = nil
 	// Recursively compute which direct dependencies lead to an import of
 	// a vulnerable package and remember the nodes of such dependencies.
 	var onSlice []*PkgNode
 	for _, imp := range pkg.Imports {
 		if impNode := vulnImportSlice(imp, modVulns, result, analyzed); impNode != nil {
 			onSlice = append(onSlice, impNode)
 		}
 	}

 	// Check if pkg has known vulnerabilities.
 	vulns := modVulns.VulnsForPackage(pkg.PkgPath)

 	// If pkg is not vulnerable nor it transitively leads
 	// to vulnerabilities, jump out.
 	if len(onSlice) == 0 && len(vulns) == 0 {
 		return nil
 	}

 	// Module id gets populated later.
 	pkgNode := &PkgNode{
 		Name: pkg.Name,
 		Path: pkg.PkgPath,
 	}
 	analyzed[pkg] = pkgNode

 	id := nextPkgID()
 	result.Imports.Packages[id] = pkgNode

 	// Save node predecessor information.
 	for _, impSliceNode := range onSlice {
 		impSliceNode.ImportedBy = append(impSliceNode.ImportedBy, id)
 	}

 	// Create Vuln entry for each symbol of known OSV entries for pkg.
 	for _, osv := range vulns {
 		for _, affected := range osv.Affected {
 			if affected.Package.Name != pkgNode.Path {
 				continue
 			}
 			for _, symbol := range affected.EcosystemSpecific.Symbols {
 				vuln := &Vuln{
 					OSV:        osv,
 					Symbol:     symbol,
 					PkgPath:    pkgNode.Path,
 					ModPath:    modPath(pkg.Module),
 					ImportSink: id,
 				}
 				result.Vulns = append(result.Vulns, vuln)
 			}
 		}
 	}
 	return pkgNode
 }
	// Copyright 2021 The Go Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style
	// license that can be found in the LICENSE file.

	package vulncheck

	import (
	"golang.org/x/tools/go/packages"
	)

	// Source detects vulnerabilities in pkgs and computes slices of
	// - imports graph related to an import of a package with some
	// known vulnerabilities
	// - requires graph related to a require of a module with a
	// package that has some known vulnerabilities
	// - call graph leading to the use of a known vulnerable function
	// or method
	func Source(pkgs []packages.Package, cfg Config) (*Result, error) {
	if !cfg.ImportsOnly {
	panic("call graph feature is currently unsupported")
	}

	modVulns, err := fetchVulnerabilities(cfg.Client, extractModules(pkgs))
	if err != nil {
	return nil, err
	}

	result := &Result{
	Imports: &ImportGraph{Packages: make(map[int]*PkgNode)},
	Requires: &RequireGraph{Modules: make(map[int]*ModNode)},
	}
	vulnPkgImportSlice(pkgs, modVulns, result)
	// TODO(zpavlinovic): compute module and call graph slice.
	return result, nil
	}

	// pkgId is an id counter for nodes of Imports graph.
	var pkgID int = 0

	func nextPkgID() int {
	pkgID += 1
	return pkgID
	}

	// vulnPkgImportSlice computes the slice of pkg imports graph leading to imports of vulnerable
	// packages in modVulns and stores the slice to result.
	func vulnPkgImportSlice(pkgs []packages.Package, modVulns moduleVulnerabilities, result Result) {
	// analyzed contains information on packages analyzed thus far.
	// If a package is mapped to nil, this means it has been visited
	// but it does not lead to a vulnerable imports. Otherwise, a
	// visited package is mapped to Imports package node.
	analyzed := make(map[packages.Package]PkgNode)
	for _, pkg := range pkgs {
	// Top level packages that lead to vulnerable imports are
	// stored as result.Imports graph entry points.
	if e := vulnImportSlice(pkg, modVulns, result, analyzed); e != nil {
	result.Imports.Entries = append(result.Imports.Entries, e)
	}
	}
	}

	// vulnImportSlice checks if pkg has some vulnerabilities or transitively imports
	// a package with known vulnerabilities. If that is the case, populates result.Imports
	// graph with this reachability information and returns the result.Imports package
	// node for pkg. Otherwise, returns nil.
	func vulnImportSlice(pkg packages.Package, modVulns moduleVulnerabilities, result Result, analyzed map[packages.Package]PkgNode) *PkgNode {
	if pn, ok := analyzed[pkg]; ok {
	return pn
	}
	analyzed[pkg] = nil
	// Recursively compute which direct dependencies lead to an import of
	// a vulnerable package and remember the nodes of such dependencies.
	var onSlice []*PkgNode
	for _, imp := range pkg.Imports {
	if impNode := vulnImportSlice(imp, modVulns, result, analyzed); impNode != nil {
	onSlice = append(onSlice, impNode)
	}
	}

	// Check if pkg has known vulnerabilities.
	vulns := modVulns.VulnsForPackage(pkg.PkgPath)

	// If pkg is not vulnerable nor it transitively leads
	// to vulnerabilities, jump out.
	if len(onSlice) == 0 && len(vulns) == 0 {
	return nil
	}

	// Module id gets populated later.
	pkgNode := &PkgNode{
	Name: pkg.Name,
	Path: pkg.PkgPath,
	}
	analyzed[pkg] = pkgNode

	id := nextPkgID()
	result.Imports.Packages[id] = pkgNode

	// Save node predecessor information.
	for _, impSliceNode := range onSlice {
	impSliceNode.ImportedBy = append(impSliceNode.ImportedBy, id)
	}

	// Create Vuln entry for each symbol of known OSV entries for pkg.
	for _, osv := range vulns {
	for _, affected := range osv.Affected {
	if affected.Package.Name != pkgNode.Path {
	continue
	}
	for _, symbol := range affected.EcosystemSpecific.Symbols {
	vuln := &Vuln{
	OSV: osv,
	Symbol: symbol,
	PkgPath: pkgNode.Path,
	ModPath: modPath(pkg.Module),
	ImportSink: id,
	}
	result.Vulns = append(result.Vulns, vuln)
	}
	}
	}
	return pkgNode
	}