vulncheck: introduce vulncheck module and core structures

Change-Id: Idaa0b01bc7fd44681629b43ad26fe3e7761b77d7
Trust: Julie Qiu <>
Run-TryBot: Julie Qiu <>
Reviewed-by: Jonathan Amsterdam <>
diff --git a/vulncheck/go.mod b/vulncheck/go.mod
new file mode 100644
index 0000000..de7dce9
--- /dev/null
+++ b/vulncheck/go.mod
@@ -0,0 +1,10 @@
+go 1.17
+require v0.0.0-20211020161650-d192a0cd6149
+require (
+ v0.4.1 // indirect
+ v0.0.0-20191204190536-9bdfabe68543 // indirect
diff --git a/vulncheck/go.sum b/vulncheck/go.sum
new file mode 100644
index 0000000..4d817b1
--- /dev/null
+++ b/vulncheck/go.sum
@@ -0,0 +1,89 @@ v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= v0.4.16/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0= v0.0.0-20210428141323-04723f9f07d7/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo= v1.0.3/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4= v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c= v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o= v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc= v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0= v1.5.0/go.mod h1:5m20vg6GwYabIxaOonVkTdrILxQMpEShl1xiMF4ua+E= v5.2.0/go.mod h1:pmpqyWchKfYfrkb/UVH4otLvyi/5gJlGI4Hb3ZqZ3W0= v5.3.1/go.mod h1:pmpqyWchKfYfrkb/UVH4otLvyi/5gJlGI4Hb3ZqZ3W0= v4.2.1/go.mod h1:K8zd3kDUAykwTdDCr+I0per6Y6vMiRR/nnVTBtavnB0= v5.4.2/go.mod h1:gQ1kArt6d+n+BGd+/B/I74HwRTLhth2+zti4ihgckDc= v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ= v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4= v0.0.0-20201106050909-4977a11b4351/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA= v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= v0.3.0/go.mod h1:3s9xbODqPuuhK9JV1R321M/FlMZSBvE5aY6eAcqrDh0= v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= v0.4.1 h1:Kvvh58BN8Y9/lBi7hTekvtMpm07eUZ0ck5pRHpsMWrY= v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= v0.0.0-20210326060303-6b1517762897/go.mod h1:uSPa2vr4CLtc/ILN5odXGNXS6mhrKVzTaCXzk9m6W3k= v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= v0.0.0-20210502180810-71e4cd670f79/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= v0.0.0-20211020161650-d192a0cd6149 h1:xCvKnKNK/wBCJAR3Xm1N294PIuxhVJDi570Fz6lh2O0= v0.0.0-20211020161650-d192a0cd6149/go.mod h1:dbogqFEsxyrr+RMtOySAr6gAr9NWRrrtJoQLSdq5fLk= v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/vulncheck/vulncheck.go b/vulncheck/vulncheck.go
new file mode 100644
index 0000000..4d8cc90
--- /dev/null
+++ b/vulncheck/vulncheck.go
@@ -0,0 +1,150 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+// Package vulncheck detects uses of known vulnerabilities
+// in Go binaries and source code.
+package vulncheck
+import (
+	"go/token"
+	""
+	""
+// Config is used for configuring vulncheck algorithms.
+type Config struct {
+	// ImportsOnly flag, if true, signals vulncheck to analyze import chains only.
+	// Otherwise, call chains are analyzed too.
+	ImportsOnly bool
+	// Client is used for querying data from a vulnerability database.
+	Client client.Client
+// Result contains information on which vulnerabilities are potentially affecting
+// user code and how are they affecting it via call graph, package imports graph,
+// and module requires graph.
+type Result struct {
+	// Calls is a call graph whose roots are program entry functions/methods and
+	// sinks are vulnerable functions/methods. Empty when Config.ImportsOnly=true
+	// or when no vulnerable symbols are reachable via program call graph.
+	Calls *CallGraph
+	// Imports is a package dependency graph whose roots are entry user packages
+	// and sinks are the packages with some vulnerable symbols. Empty when no
+	// packages with some vulnerabilities are imported in the program.
+	Imports *ImportGraph
+	// Requires is a module dependency graph whose roots are entry user modules
+	// and sinks are modules with some vulnerable packages. Empty when no modules
+	// with some vulnerabilities are required by the program.
+	Requires *RequireGraph
+	// Vulns contains information on detected vulnerabilities and their place in
+	// the above graphs. Only vulnerabilities whose symbols are reachable in Calls,
+	// or whose packages are imported in Imports, or whose modules are required in
+	// Requires, have an entry in Vulns.
+	Vulns []*Vuln
+// Vuln provides information on how a vulnerability is affecting user code by
+// connecting it to the Result.{Calls,Imports,Requires} graphs. Vulnerabilities
+// detected in Go binaries do not have a place in the Result graphs.
+type Vuln struct {
+	// The next four fields identify a vulnerability. Note that *osv.Entry
+	// describes potentially multiple symbols from multiple packages.
+	// OSV contains information on detected vulnerability in the shared
+	// vulnerability format.
+	OSV *osv.Entry
+	// Symbol is the name of the detected vulnerable function or method.
+	Symbol string
+	// PkgPath is the package path of the detected Symbol.
+	PkgPath string
+	// ModPath is the module path corresponding to PkgPath.
+	ModPath string
+	// CallSink is the ID of the sink node in Calls graph corresponding to
+	// the use of Symbol. ID is not available (denoted with 0) in binary mode,
+	// or if Symbol is not reachable, or if Config.ImportsOnly=true.
+	CallSink int
+	// ImportSink is the ID of the sink node in the Imports graph corresponding
+	// to the import of PkgPath. ID is not available (denoted with 0) in binary
+	// mode or if PkgPath is not imported.
+	ImportSink int
+	// RequireSink is the ID of the sink node in Requires graph corresponding
+	// to the require statement of ModPath. ID is not available (denoted with 0)
+	// in binary mode.
+	RequireSink int
+// CallGraph whose sinks are vulnerable functions and sources are entry points of user
+// packages. CallGraph is backwards directed, i.e., from a function node to the place
+// where the function is called.
+type CallGraph struct {
+	// Funcs contains all call graph nodes as a map: func node id -> func node.
+	Funcs map[int]*FuncNode
+	// Entries are a subset of Funcs representing vulncheck entry points.
+	Entries []*FuncNode
+type FuncNode struct {
+	ID   int
+	Name string
+	// RecvType is the receiver object type of this function, if any.
+	RecvType string
+	PkgPath  string
+	Pos      *token.Position
+	// CallSites is a set of call sites where this function is called.
+	CallSites []*CallSite
+type CallSite struct {
+	// Parent is ID of the enclosing function where the call is made.
+	Parent int
+	// Name stands for the name of the function (variable) being called.
+	Name string
+	// RecvType is the full path of the receiver object type, if any.
+	RecvType string
+	Pos      *token.Position
+	// Resolved indicates if the called function can be statically resolved.
+	Resolved bool
+// RequireGraph models part of module requires graph where sinks are modules with
+// some known vulnerabilities and sources are modules of user entry packages.
+// RequireGraph is backwards directed, i.e., from a module to the set of modules
+// it is required by.
+type RequireGraph struct {
+	// Modules contains all module nodes as a map: module node id -> module node.
+	Modules map[int]*ModNode
+	// Entries are a subset of Modules representing modules of vulncheck entry points.
+	Entries []*ModNode
+type ModNode struct {
+	Path    string
+	Version string
+	Replace *ModNode
+	// RequiredBy contains IDs of the modules requiring this module.
+	RequiredBy []int
+// ImportGraph models part of package import graph where sinks are packages with
+// some known vulnerabilities and sources are user specified packages. The graph
+// is backwards directed, i.e., from a package to the set of packages importing it.
+type ImportGraph struct {
+	// Packages contains all package nodes as a map: package node id -> package node.
+	Packages map[int]*PkgNode
+	// Entries are a subset of Packages representing packages of vulncheck entry points.
+	Entries []*PkgNode
+type PkgNode struct {
+	// Name is the package identifier as it appears in the source code.
+	Name string
+	Path string
+	// Module holds ID of the corresponding module (node) in Requires graph.
+	Module int
+	// ImportedBy contains IDs of packages directly importing this package.
+	ImportedBy []int