internal/scan: print progress messages only in verbose mode
And also update the documentation.
Updates golang/go#66872
Change-Id: I73f0c7e9c1f46b66711b878748bf78571d26f66b
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/580175
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/cmd/govulncheck/doc.go b/cmd/govulncheck/doc.go
index ac73865..18229fa 100644
--- a/cmd/govulncheck/doc.go
+++ b/cmd/govulncheck/doc.go
@@ -41,25 +41,27 @@
comma-separated list of build tags, and the -test flag to indicate that test
files should be included.
-To include more detailed stack traces, pass -show=traces, this will cause it to
+To include more detailed stack traces, pass '-show traces', this will cause it to
print the full call stack for each entry.
-To run govulncheck on a compiled binary, pass it the path to the binary file
-with the -mode=binary flag:
+To include progress messages and more details on findings, pass '-show verbose'.
- $ govulncheck -mode=binary $HOME/go/bin/my-go-program
+To run govulncheck on a compiled binary, pass it the path to the binary file
+with the '-mode binary' flag:
+
+ $ govulncheck -mode binary $HOME/go/bin/my-go-program
Govulncheck uses the binary's symbol information to find mentions of vulnerable
functions. Its output omits call stacks, which require source code analysis.
-Govulncheck also supports -mode=extract on a Go binary for extraction of minimal
+Govulncheck also supports '-mode extract' on a Go binary for extraction of minimal
information needed to analyze the binary. This will produce a blob, typically much
smaller than the binary, that can also be passed to govulncheck as an argument with
--mode=binary. The users should not rely on the contents or representation of the blob.
+'-mode binary'. The users should not rely on the contents or representation of the blob.
Govulncheck exits successfully (exit code 0) if there are no vulnerabilities,
and exits unsuccessfully if there are. It also exits successfully if the -json flag
-is provided, regardless of the number of detected vulnerabilities.
+(or '-format json') is provided, regardless of the number of detected vulnerabilities.
Govulncheck supports streaming JSON. For more details, please see [golang.org/x/vuln/internal/govulncheck].
diff --git a/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_call_text.ct b/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_call_text.ct
index 54dd19a..81f0a47 100644
--- a/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_call_text.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_call_text.ct
@@ -1,8 +1,6 @@
#####
# Test basic binary scanning with text output
$ govulncheck -mode=binary ${common_vuln_binary} --> FAIL 3
-Scanning your binary for known vulnerabilities...
-
=== Symbol Results ===
Vulnerability #1: GO-2021-0265
diff --git a/cmd/govulncheck/testdata/common/testfiles/binary-module/binary_module_text.ct b/cmd/govulncheck/testdata/common/testfiles/binary-module/binary_module_text.ct
index 2565cfb..97e1f62 100644
--- a/cmd/govulncheck/testdata/common/testfiles/binary-module/binary_module_text.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/binary-module/binary_module_text.ct
@@ -1,8 +1,6 @@
#####
# Test binary scanning at the module level
$ govulncheck -mode=binary -scan module ${common_vuln_binary} --> FAIL 3
-Scanning your binary for known vulnerabilities...
-
=== Module Results ===
Vulnerability #1: GO-2021-0265
diff --git a/cmd/govulncheck/testdata/common/testfiles/binary-package/binary_package_text.ct b/cmd/govulncheck/testdata/common/testfiles/binary-package/binary_package_text.ct
index 712aa26..a83b5b2 100644
--- a/cmd/govulncheck/testdata/common/testfiles/binary-package/binary_package_text.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/binary-package/binary_package_text.ct
@@ -1,7 +1,5 @@
# Test binary scanning at the package level.
$ govulncheck -mode=binary -scan package ${common_vuln_binary} --> FAIL 3
-Scanning your binary for known vulnerabilities...
-
=== Package Results ===
Vulnerability #1: GO-2021-0265
diff --git a/cmd/govulncheck/testdata/common/testfiles/convert/convert_text.ct b/cmd/govulncheck/testdata/common/testfiles/convert/convert_text.ct
index 91a175b..e43176a 100644
--- a/cmd/govulncheck/testdata/common/testfiles/convert/convert_text.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/convert/convert_text.ct
@@ -2,8 +2,6 @@
# Test using the conversion from json on stdin to text on stdout
# location of convert input is subdirectory/convert_intput
$ govulncheck -mode=convert < convert/convert_input.json --> FAIL 3
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-
=== Symbol Results ===
Vulnerability #1: GO-2021-0265
diff --git a/cmd/govulncheck/testdata/common/testfiles/extract/binary_extract.ct b/cmd/govulncheck/testdata/common/testfiles/extract/binary_extract.ct
index 4316fad..98f8f79 100644
--- a/cmd/govulncheck/testdata/common/testfiles/extract/binary_extract.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/extract/binary_extract.ct
@@ -1,8 +1,6 @@
#####
# Test binary mode using the extracted binary blob.
$ govulncheck -mode=binary ${testdir}/extract/vuln.blob --> FAIL 3
-Scanning your binary for known vulnerabilities...
-
=== Symbol Results ===
Vulnerability #1: GO-2021-0265
diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_text.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_text.ct
index f866ede..f03625a 100644
--- a/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_text.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_text.ct
@@ -1,8 +1,6 @@
#####
# Test of basic govulncheck in source mode
$ govulncheck -C ${moddir}/vuln ./... --> FAIL 3
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-
=== Symbol Results ===
Vulnerability #1: GO-2021-0265
@@ -47,8 +45,6 @@
#####
# Test of basic govulncheck in source mode with expanded traces
$ govulncheck -C ${moddir}/vuln -show=traces ./... --> FAIL 3
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-
=== Symbol Results ===
Vulnerability #1: GO-2021-0265
diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_informational_text.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_informational_text.ct
index 7bbaa29..151f465 100644
--- a/cmd/govulncheck/testdata/common/testfiles/source-call/source_informational_text.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/source-call/source_informational_text.ct
@@ -1,8 +1,6 @@
#####
# Test source mode with no callstacks
$ govulncheck -C ${moddir}/informational -show=traces .
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-
=== Symbol Results ===
No vulnerabilities found.
diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_multientry_text.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_multientry_text.ct
index 0bfc9fe..d6138db 100644
--- a/cmd/govulncheck/testdata/common/testfiles/source-call/source_multientry_text.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/source-call/source_multientry_text.ct
@@ -1,8 +1,6 @@
#####
# Test for multiple call stacks in source mode
$ govulncheck -C ${moddir}/multientry . --> FAIL 3
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-
=== Symbol Results ===
Vulnerability #1: GO-2021-0113
diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_replace_text.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_replace_text.ct
index b59d31d..3075589 100644
--- a/cmd/govulncheck/testdata/common/testfiles/source-call/source_replace_text.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/source-call/source_replace_text.ct
@@ -2,8 +2,6 @@
# Test of source mode on a module with a replace directive.
$ govulncheck -C ${moddir}/replace ./... --> FAIL 3
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-
=== Symbol Results ===
Vulnerability #1: GO-2021-0113
diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_subdir_text.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_subdir_text.ct
index 4b4ec42..1b2d28f 100644
--- a/cmd/govulncheck/testdata/common/testfiles/source-call/source_subdir_text.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/source-call/source_subdir_text.ct
@@ -1,8 +1,6 @@
#####
# Test govulncheck runs on the subdirectory of a module
$ govulncheck -C ${moddir}/vuln/subdir . --> FAIL 3
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-
=== Symbol Results ===
Vulnerability #1: GO-2021-0113
@@ -26,8 +24,6 @@
#####
# Test govulncheck runs on the subdirectory of a module
$ govulncheck -C ${moddir}/vuln/subdir -show=traces . --> FAIL 3
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-
=== Symbol Results ===
Vulnerability #1: GO-2021-0113
diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_wholemodvuln_text.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_wholemodvuln_text.ct
index 3ca4a07..98e409e 100644
--- a/cmd/govulncheck/testdata/common/testfiles/source-call/source_wholemodvuln_text.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/source-call/source_wholemodvuln_text.ct
@@ -2,8 +2,6 @@
# Test of govulncheck call analysis for vulns with no package info available.
# All symbols of the module are vulnerable.
$ govulncheck -C ${moddir}/wholemodvuln ./... --> FAIL 3
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-
=== Symbol Results ===
Vulnerability #1: GO-2022-0956
diff --git a/cmd/govulncheck/testdata/common/testfiles/source-module/source_module_text.ct b/cmd/govulncheck/testdata/common/testfiles/source-module/source_module_text.ct
index da1803a..6385111 100644
--- a/cmd/govulncheck/testdata/common/testfiles/source-module/source_module_text.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/source-module/source_module_text.ct
@@ -2,8 +2,6 @@
# Testing that govulncheck doesn't mention calls when it doesn't
# have callstack information
$ govulncheck -scan module -C ${moddir}/multientry --> FAIL 3
-Scanning your code across 2 dependent modules for known vulnerabilities...
-
=== Module Results ===
Vulnerability #1: GO-2021-0113
diff --git a/cmd/govulncheck/testdata/common/testfiles/source-package/source_package_text.ct b/cmd/govulncheck/testdata/common/testfiles/source-package/source_package_text.ct
index 0032ece..e56b84b 100644
--- a/cmd/govulncheck/testdata/common/testfiles/source-package/source_package_text.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/source-package/source_package_text.ct
@@ -1,8 +1,6 @@
#####
# Testing that govulncheck doesn't mention calls when it doesn't have the relevant info
$ govulncheck -scan package -C ${moddir}/multientry . --> FAIL 3
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-
=== Package Results ===
Vulnerability #1: GO-2021-0113
diff --git a/cmd/govulncheck/testdata/common/testfiles/usage/format.ct b/cmd/govulncheck/testdata/common/testfiles/usage/format.ct
index dcc75b0..a2747e0 100644
--- a/cmd/govulncheck/testdata/common/testfiles/usage/format.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/usage/format.ct
@@ -1,8 +1,6 @@
#####
# Test of explicit text format
$ govulncheck -C ${moddir}/informational -format text .
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-
=== Symbol Results ===
No vulnerabilities found.
diff --git a/cmd/govulncheck/testdata/common/testfiles/usage/source_no_packages.ct b/cmd/govulncheck/testdata/common/testfiles/usage/source_no_packages.ct
index 80ae136..cb6fbb6 100644
--- a/cmd/govulncheck/testdata/common/testfiles/usage/source_no_packages.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/usage/source_no_packages.ct
@@ -1,6 +1,4 @@
#####
# Test message when there are no packages matching the provided pattern (#59623).
$ govulncheck -C ${moddir}/vuln pkg/no-govulncheck/...
-No packages matching the provided pattern.
-
No vulnerabilities found.
diff --git a/cmd/govulncheck/testdata/stdlib/testfiles/stdlib/source_stdlib_text.ct b/cmd/govulncheck/testdata/stdlib/testfiles/stdlib/source_stdlib_text.ct
index 477c42b..90ea925 100644
--- a/cmd/govulncheck/testdata/stdlib/testfiles/stdlib/source_stdlib_text.ct
+++ b/cmd/govulncheck/testdata/stdlib/testfiles/stdlib/source_stdlib_text.ct
@@ -1,8 +1,6 @@
#####
# Test finding stdlib vulnerability in source mode
$ govulncheck -C ${moddir}/stdlib . --> FAIL 3
-Scanning your code and P packages across M dependent module for known vulnerabilities...
-
=== Symbol Results ===
Vulnerability #1: GO-2022-0969
@@ -25,8 +23,6 @@
#####
# Test finding stdlib vulnerability in source mode with expanded traces
$ govulncheck -C ${moddir}/stdlib -show=traces . --> FAIL 3
-Scanning your code and P packages across M dependent module for known vulnerabilities...
-
=== Symbol Results ===
Vulnerability #1: GO-2022-0969
@@ -55,8 +51,6 @@
#####
# Test finding stdlib vulnerability in source mode at the package level
$ govulncheck -C ${moddir}/stdlib -scan package . --> FAIL 3
-Scanning your code and P packages across M dependent module for known vulnerabilities...
-
=== Package Results ===
Vulnerability #1: GO-2022-0969
@@ -77,8 +71,6 @@
#####
# Test finding stdlib vulnerability in source mode at the module level
$ govulncheck -C ${moddir}/stdlib -scan module --> FAIL 3
-Scanning your code across 1 dependent module for known vulnerabilities...
-
=== Module Results ===
Vulnerability #1: GO-2022-0969
diff --git a/cmd/govulncheck/testdata/strip/testfiles/binary/strip.ct b/cmd/govulncheck/testdata/strip/testfiles/binary/strip.ct
index 5d8a6b7..5bc8aa2 100644
--- a/cmd/govulncheck/testdata/strip/testfiles/binary/strip.ct
+++ b/cmd/govulncheck/testdata/strip/testfiles/binary/strip.ct
@@ -1,8 +1,6 @@
#####
# Test for stripped binaries (see #57764)
$ govulncheck -mode=binary ${strip_vuln_binary} --> FAIL 3
-Scanning your binary for known vulnerabilities...
-
=== Symbol Results ===
Vulnerability #1: GO-2021-0113
diff --git a/internal/scan/run.go b/internal/scan/run.go
index c59a136..02ef8f4 100644
--- a/internal/scan/run.go
+++ b/internal/scan/run.go
@@ -47,7 +47,6 @@
handler = th
}
- // Write the introductory message to the user.
if err := handler.Config(&cfg.Config); err != nil {
return err
}
diff --git a/internal/scan/text.go b/internal/scan/text.go
index 16ab6b5..2050c66 100644
--- a/internal/scan/text.go
+++ b/internal/scan/text.go
@@ -116,7 +116,9 @@
// Progress writes progress updates during govulncheck execution.
func (h *TextHandler) Progress(progress *govulncheck.Progress) error {
- h.print(progress.Message, "\n\n")
+ if h.showVerbose {
+ h.print(progress.Message, "\n\n")
+ }
return h.err
}
