blob: dba73743d64ad83b43b3b9c4ee0343486402b556 [file] [log] [blame]
// Copyright 2022 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Package vulncheck detects uses of known vulnerabilities
// in Go programs. The two main APIs of vulncheck, Source
// and Binary, allow vulnerability detection in Go source
// code and binaries, respectively.
// vulncheck identifies vulnerability uses in Go programs
// at the level of call graph, package import graph, and module
// requires graph. For instance, vulncheck identifies which
// vulnerable functions and methods are transitively called
// from the program entry points. vulncheck also detects
// transitively imported packages and required modules that
// contain known vulnerable functions and methods.
// TODO(zpavlinovic): add a link to a more detailed overview of vulncheck
// Inputs
// Source accepts a list of vulncheck.Package objects, which
// are a trimmed version of packages.Package objects to reduce
// memory consumption. Binary accepts a path to a Go binary file
// that must have been compiled with Go 1.18 or greater. Otherwise,
// the list of modules used by the binary is unavailable and
// vulncheck hence might miss vulnerabilities present in the binary.
// Both Source and Binary require information about known
// vulnerabilities in the form of a vulnerability database
// The vulnerabilities
// are modeled using the shared format.
// Results
// The result of vulncheck are slices of the call graph, package
// imports graph, and module requires graph leading to the use
// of an identified vulnerability. Parts of these graphs not
// related to any vulnerabilities are omitted.
// Vulnerability Witnesses
// CallStacks and ImportChains APIs search the returned slices
// for user-friendly representative call stacks and import chains.
// Clients of vulncheck can use these stacks and chains as a
// witness of a vulnerability use during, for instance, security
// review.
// Limitations
// Note that since statically constructing an exact call graph of
// a program is impossible, the produced call graph information
// is over-approximate: the results might contain call stacks not
// realizable in practice. On the other hand, vulncheck might
// miss some call graph edges in the presence of unsafe and reflect.
package vulncheck