vulncheck: include call graph edges that could be missed due to recursion

Consider the call graph G <--> F -> V where F is an entry point function
and V is a vulnerable function. The current algorithm for creation of
vulnerability graphs might start with F, visit V, figure out that V is
vulnerable and hence add F -> V to the vulnerability graph. Then, since
F is in this graph, G will be added too as G calls F and vice versa.

But if we start by analyzing first F -> G, then G won't be added to the
vulnerability graph as F is not yet added to that graph (since we have
not yet analyzed V). Hence, we might miss adding some edges to the
vulnerability graph.

Note that this bug does *not* miss vulnerabilities, just some paths from
entry points to vulnerabilities. In the above example, the missed paths
can be characterized with (F -> G)+ -> V.

The fix is to compute the vulnerability graph by 1) computing a
backwards slice from vulnerabilities, 2) computing a forward slice from
affected entry points, and 3) creating a vulnerability graph from the
intersection of the two call graph slices.

Note that imports and module vulnerability graph creation is not
affected as there can be no recursion in such graphs.

Change-Id: I4509a639ab60a5441b1998d56420f6cc3c38f960
Reviewed-by: Jonathan Amsterdam <>
3 files changed
tree: 84a50d7416c721aa42652afca59a08fe4dfe3b29
  1. client/
  2. cmd/
  3. devtools/
  4. doc/
  5. internal/
  6. osv/
  7. vulncheck/
  8. .gitignore
  9. all_test.go
  11. checks.bash
  14. go.mod
  15. go.sum
  19. tools_test.go

Go Vulnerability Management

Go Reference

This repository contains the following:

  • Package client: a client for interacting with the Go vulnerability database
  • Package vulncheck: an API for detecting vulnerabilities in Go packages
  • Command govulncheck: a CLI for detecting vulnerabilities in Go packages

The code in this repository is under active development and not to be considered stable.


Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Database entries available at are distributed under the terms of the CC-BY 4.0 license.