vulncheck: remove synthetic nodes from call graph

This removes ~20% edges for k8s call graph. It also skips call stacks
that go through one level of indirection with wrappers.

The reason why this change is correct is as follows. Vulnerability db
entries never specify ssa wrappers as dbs are unaware of these. The only
type of wrappers applicable are the ones that are generated for calls to
pointer receivers where the source defines methods only on value
receivers. Vulnerability dbs do not care about this distinction nor do
the users, so it should be safe to inline the wrappers. This is exactly
what callgraph.DeleteSyntheticNodes does.

Change-Id: I2d76c0570d95f78ff4a2463ddf7cd95110fff15c
Reviewed-by: Jonathan Amsterdam <>
Run-TryBot: Zvonimir Pavlinovic <>
Reviewed-by: Julie Qiu <>
TryBot-Result: Gopher Robot <>
2 files changed
tree: dfc118289f1c5f263f6299228b2230de61bad3be
  1. client/
  2. cmd/
  3. devtools/
  4. doc/
  5. internal/
  6. osv/
  7. vulncheck/
  8. .gitignore
  9. all_test.go
  11. checks.bash
  14. go.mod
  15. go.sum
  19. tools_test.go

Go Vulnerability Management

Go Reference

This repository contains the following:

  • Package client: a client for interacting with the Go vulnerability database
  • Package vulncheck: an API for detecting vulnerabilities in Go packages
  • Command govulncheck: a CLI for detecting vulnerabilities in Go packages

The code in this repository is under active development and not to be considered stable.


Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Database entries available at are distributed under the terms of the CC-BY 4.0 license.