cmd/govulncheck: don't skip vulns with no CallSink for binaries

When we analyze a binary, we don't have call stacks. The code that
skipped vulns with CallSink==0 was skipping all vulns in binaries.
Now we filter out those vulns only when we run on source.

Fixes golang/go#51412.

Change-Id: If11b079fd771ccfb05360da4a1db64102e0db182
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/399114
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
1 file changed
tree: ab9384f09a59cce16c5242a6af3fb15075a99bfa
  1. client/
  2. cmd/
  3. devtools/
  4. doc/
  5. internal/
  6. osv/
  7. vulncheck/
  8. .gitignore
  9. all_test.go
  10. AUTHORS
  11. checks.bash
  12. CONTRIBUTING.md
  13. CONTRIBUTORS
  14. go.mod
  15. go.sum
  16. LICENSE
  17. PATENTS
  18. README.md
  19. tools_test.go
README.md

Go Vulnerability Management

Go Reference

This repository contains the following:

  • Package client: a client for interacting with the Go vulnerability database
  • Package vulncheck: an API for detecting vulnerabilities in Go packages
  • Command govulncheck: a CLI for detecting vulnerabilities in Go packages

The code in this repository is under active development and not to be considered stable.

License

Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Database entries available at https://vuln.go.dev are distributed under the terms of the CC-BY 4.0 license.