commit	8957372cdf327922ff87e08e4ac22aabba60684d	[log] [tgz]
author	Zvonimir Pavlinovic <zpavlinovic@google.com>	Wed Jun 01 18:36:13 2022 -0700
committer	Zvonimir Pavlinovic <zpavlinovic@google.com>	Thu Jun 02 17:42:04 2022 +0000
tree	dfc118289f1c5f263f6299228b2230de61bad3be
parent	4bd4888cc0609c2fdddc1eb4e66fa070397d921e [diff]

vulncheck: remove synthetic nodes from call graph

This removes ~20% edges for k8s call graph. It also skips call stacks
that go through one level of indirection with wrappers.

The reason why this change is correct is as follows. Vulnerability db
entries never specify ssa wrappers as dbs are unaware of these. The only
type of wrappers applicable are the ones that are generated for calls to
pointer receivers where the source defines methods only on value
receivers. Vulnerability dbs do not care about this distinction nor do
the users, so it should be safe to inline the wrappers. This is exactly
what callgraph.DeleteSyntheticNodes does.

Change-Id: I2d76c0570d95f78ff4a2463ddf7cd95110fff15c
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/410054
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

2 files changed

tree: dfc118289f1c5f263f6299228b2230de61bad3be

README.md

Go Vulnerability Management

This repository contains the following:

Package client: a client for interacting with the Go vulnerability database
Package vulncheck: an API for detecting vulnerabilities in Go packages
Command govulncheck: a CLI for detecting vulnerabilities in Go packages

The code in this repository is under active development and not to be considered stable.

License

Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Database entries available at https://vuln.go.dev are distributed under the terms of the CC-BY 4.0 license.