internal/vulncheck/source.go - vuln - Git at Google

 // Copyright 2021 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

 package vulncheck

 import (
 	"context"
 	"fmt"
 	"go/token"
 	"sync"

 	"golang.org/x/tools/go/callgraph"
 	"golang.org/x/tools/go/packages"
 	"golang.org/x/tools/go/ssa"
 	"golang.org/x/vuln/internal/client"
 	"golang.org/x/vuln/internal/govulncheck"
 	"golang.org/x/vuln/internal/osv"
 )

 // Source detects vulnerabilities in packages. The result will contain:
 //
 // 1) An ImportGraph related to an import of a package with some known
 // vulnerabilities.
 //
 // 2) A RequireGraph related to a require of a module with a package that has
 // some known vulnerabilities.
 //
 // 3) A CallGraph leading to the use of a known vulnerable function or method.
 func Source(ctx context.Context, pkgs []*packages.Package, cfg *govulncheck.Config, client *client.Client, graph *PackageGraph) (_ *Result, err error) {
 	// buildSSA builds a whole program that assumes all packages use the same FileSet.
 	// Check all packages in pkgs are using the same FileSet.
 	// TODO(https://go.dev/issue/59729): take FileSet out of Package and
 	// let Source take a single FileSet. That will make the enforcement
 	// clearer from the API level.
 	var fset *token.FileSet
 	for _, p := range pkgs {
 		if fset == nil {
 			fset = p.Fset
 		} else {
 			if fset != p.Fset {
 				return nil, fmt.Errorf("[]*Package must have created with the same FileSet")
 			}
 		}
 	}

 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()

 	// If we are building the callgraph, build ssa and the callgraph in parallel
 	// with fetching vulnerabilities. If the vulns set is empty, return without
 	// waiting for SSA construction or callgraph to finish.
 	var (
 		wg       sync.WaitGroup // guards entries, cg, and buildErr
 		entries  []*ssa.Function
 		cg       *callgraph.Graph
 		buildErr error
 	)
 	if cfg.ScanLevel.WantSymbols() {
 		wg.Add(1)
 		go func() {
 			defer wg.Done()
 			prog, ssaPkgs := buildSSA(pkgs, fset)
 			entries = entryPoints(ssaPkgs)
 			cg, buildErr = callGraph(ctx, prog, entries)
 		}()
 	}

 	mods := extractModules(pkgs)
 	mv, err := FetchVulnerabilities(ctx, client, mods)
 	if err != nil {
 		return nil, err
 	}
 	modVulns := moduleVulnerabilities(mv)
 	modVulns = modVulns.filter("", "")
 	result := &Result{}

 	vulnPkgModSlice(pkgs, modVulns, result)
 	// Return result immediately if not in symbol mode or
 	// if there are no vulnerable packages.
 	if !cfg.ScanLevel.WantSymbols() || len(result.EntryPackages) == 0 {
 		return result, nil
 	}

 	wg.Wait() // wait for build to finish
 	if buildErr != nil {
 		return nil, err
 	}

 	vulnCallGraphSlice(entries, modVulns, cg, result, graph)

 	return result, nil
 }

 // vulnPkgModSlice computes the slice of pkgs imports and requires graph
 // leading to imports/requires of vulnerable packages/modules in modVulns
 // and stores the computed slices to result.
 func vulnPkgModSlice(pkgs []*packages.Package, modVulns moduleVulnerabilities, result *Result) {
 	// analyzedPkgs contains information on packages analyzed thus far.
 	// If a package is mapped to false, this means it has been visited
 	// but it does not lead to a vulnerable imports. Otherwise, a
 	// visited package is mapped to true.
 	analyzedPkgs := make(map[*packages.Package]bool)
 	for _, pkg := range pkgs {
 		// Top level packages that lead to vulnerable imports are
 		// stored as result.EntryPackages graph entry points.
 		if vulnerable := vulnImportSlice(pkg, modVulns, result, analyzedPkgs); vulnerable {
 			result.EntryPackages = append(result.EntryPackages, pkg)
 		}
 	}
 }

 // vulnImportSlice checks if pkg has some vulnerabilities or transitively imports
 // a package with known vulnerabilities. If that is the case, populates result.Imports
 // graph with this reachability information and returns the result.Imports package
 // node for pkg. Otherwise, returns nil.
 func vulnImportSlice(pkg *packages.Package, modVulns moduleVulnerabilities, result *Result, analyzed map[*packages.Package]bool) bool {
 	if vulnerable, ok := analyzed[pkg]; ok {
 		return vulnerable
 	}
 	analyzed[pkg] = false
 	// Recursively compute which direct dependencies lead to an import of
 	// a vulnerable package and remember the nodes of such dependencies.
 	transitiveVulnerable := false
 	for _, imp := range pkg.Imports {
 		if impVulnerable := vulnImportSlice(imp, modVulns, result, analyzed); impVulnerable {
 			transitiveVulnerable = true
 		}
 	}

 	// Check if pkg has known vulnerabilities.
 	vulns := modVulns.vulnsForPackage(pkg.PkgPath)

 	// If pkg is not vulnerable nor it transitively leads
 	// to vulnerabilities, jump out.
 	if !transitiveVulnerable && len(vulns) == 0 {
 		return false
 	}

 	// Create Vuln entry for each symbol of known OSV entries for pkg.
 	for _, osv := range vulns {
 		for _, affected := range osv.Affected {
 			for _, p := range affected.EcosystemSpecific.Packages {
 				if p.Path != pkg.PkgPath {
 					continue
 				}

 				symbols := p.Symbols
 				if len(symbols) == 0 {
 					symbols = allSymbols(pkg.Types)
 				}

 				for _, symbol := range symbols {
 					vuln := &Vuln{
 						OSV:        osv,
 						Symbol:     symbol,
 						ImportSink: pkg,
 					}
 					result.Vulns = append(result.Vulns, vuln)
 				}
 			}
 		}
 	}
 	analyzed[pkg] = true
 	return true
 }

 // vulnCallGraphSlice checks if known vulnerabilities are transitively reachable from sources
 // via call graph cg. If so, populates result.Calls graph with this reachability information.
 func vulnCallGraphSlice(sources []*ssa.Function, modVulns moduleVulnerabilities, cg *callgraph.Graph, result *Result, graph *PackageGraph) {
 	sinksWithVulns := vulnFuncs(cg, modVulns)

 	// Compute call graph backwards reachable
 	// from vulnerable functions and methods.
 	var sinks []*callgraph.Node
 	for n := range sinksWithVulns {
 		sinks = append(sinks, n)
 	}
 	bcg := callGraphSlice(sinks, false)

 	// Interesect backwards call graph with forward
 	// reachable graph to remove redundant edges.
 	var filteredSources []*callgraph.Node
 	for _, e := range sources {
 		if n, ok := bcg.Nodes[e]; ok {
 			filteredSources = append(filteredSources, n)
 		}
 	}
 	fcg := callGraphSlice(filteredSources, true)

 	// Get the sinks that are in fact reachable from entry points.
 	filteredSinks := make(map[*callgraph.Node][]*osv.Entry)
 	for n, vs := range sinksWithVulns {
 		if fn, ok := fcg.Nodes[n.Func]; ok {
 			filteredSinks[fn] = vs
 		}
 	}

 	// Transform the resulting call graph slice into
 	// vulncheck representation and store it to result.
 	vulnCallGraph(filteredSources, filteredSinks, result, graph)
 }

 // callGraphSlice computes a slice of callgraph beginning at starts
 // in the direction (forward/backward) controlled by forward flag.
 func callGraphSlice(starts []*callgraph.Node, forward bool) *callgraph.Graph {
 	g := &callgraph.Graph{Nodes: make(map[*ssa.Function]*callgraph.Node)}

 	visited := make(map[*callgraph.Node]bool)
 	var visit func(*callgraph.Node)
 	visit = func(n *callgraph.Node) {
 		if visited[n] {
 			return
 		}
 		visited[n] = true

 		var edges []*callgraph.Edge
 		if forward {
 			edges = n.Out
 		} else {
 			edges = n.In
 		}

 		for _, edge := range edges {
 			nCallee := g.CreateNode(edge.Callee.Func)
 			nCaller := g.CreateNode(edge.Caller.Func)
 			callgraph.AddEdge(nCaller, edge.Site, nCallee)

 			if forward {
 				visit(edge.Callee)
 			} else {
 				visit(edge.Caller)
 			}
 		}
 	}

 	for _, s := range starts {
 		visit(s)
 	}
 	return g
 }

 // vulnCallGraph creates vulnerability call graph from sources -> sinks reachability info.
 func vulnCallGraph(sources []*callgraph.Node, sinks map[*callgraph.Node][]*osv.Entry, result *Result, graph *PackageGraph) {
 	nodes := make(map[*ssa.Function]*FuncNode)

 	// First create entries and sinks and store relevant information.
 	for _, s := range sources {
 		fn := createNode(nodes, s.Func, graph)
 		result.EntryFunctions = append(result.EntryFunctions, fn)
 	}

 	for s, vulns := range sinks {
 		f := s.Func
 		funNode := createNode(nodes, s.Func, graph)

 		// Populate CallSink field for each detected vuln symbol.
 		for _, osv := range vulns {
 			if vulnMatchesPackage(osv, funNode.Package.PkgPath) {
 				addCallSinkForVuln(funNode, osv, dbFuncName(f), funNode.Package.PkgPath, result)
 			}
 		}
 	}

 	visited := make(map[*callgraph.Node]bool)
 	var visit func(*callgraph.Node)
 	visit = func(n *callgraph.Node) {
 		if visited[n] {
 			return
 		}
 		visited[n] = true

 		for _, edge := range n.In {
 			nCallee := createNode(nodes, edge.Callee.Func, graph)
 			nCaller := createNode(nodes, edge.Caller.Func, graph)

 			call := edge.Site
 			cs := &CallSite{
 				Parent:   nCaller,
 				Name:     call.Common().Value.Name(),
 				RecvType: callRecvType(call),
 				Resolved: resolved(call),
 				Pos:      instrPosition(call),
 			}
 			nCallee.CallSites = append(nCallee.CallSites, cs)

 			visit(edge.Caller)
 		}
 	}

 	for s := range sinks {
 		visit(s)
 	}
 }

 // vulnFuncs returns vulnerability information for vulnerable functions in cg.
 func vulnFuncs(cg *callgraph.Graph, modVulns moduleVulnerabilities) map[*callgraph.Node][]*osv.Entry {
 	m := make(map[*callgraph.Node][]*osv.Entry)
 	for f, n := range cg.Nodes {
 		vulns := modVulns.vulnsForSymbol(pkgPath(f), dbFuncName(f))
 		if len(vulns) > 0 {
 			m[n] = vulns
 		}
 	}
 	return m
 }

 // pkgPath returns the path of the f's enclosing package, if any.
 // Otherwise, returns "".
 func pkgPath(f *ssa.Function) string {
 	if f.Package() != nil && f.Package().Pkg != nil {
 		return f.Package().Pkg.Path()
 	}
 	return ""
 }

 func createNode(nodes map[*ssa.Function]*FuncNode, f *ssa.Function, graph *PackageGraph) *FuncNode {
 	if fn, ok := nodes[f]; ok {
 		return fn
 	}
 	fn := &FuncNode{
 		Name:     f.Name(),
 		Package:  graph.GetPackage(pkgPath(f)),
 		RecvType: funcRecvType(f),
 		Pos:      funcPosition(f),
 	}
 	nodes[f] = fn
 	return fn
 }

 // addCallSinkForVuln adds callID as call sink to vuln of result.Vulns
 // identified with <osv, symbol, pkg>.
 func addCallSinkForVuln(call *FuncNode, osv *osv.Entry, symbol, pkg string, result *Result) {
 	for _, vuln := range result.Vulns {
 		if vuln.OSV == osv && vuln.Symbol == symbol && vuln.ImportSink.PkgPath == pkg {
 			vuln.CallSink = call
 			return
 		}
 	}
 }

 // extractModules collects modules in `pkgs` up to uniqueness of
 // module path and version.
 func extractModules(pkgs []*packages.Package) []*packages.Module {
 	modMap := map[string]*packages.Module{}
 	seen := map[*packages.Package]bool{}
 	var extract func(*packages.Package, map[string]*packages.Module)
 	extract = func(pkg *packages.Package, modMap map[string]*packages.Module) {
 		if pkg == nil || seen[pkg] {
 			return
 		}
 		if pkg.Module != nil {
 			if pkg.Module.Replace != nil {
 				modMap[pkg.Module.Replace.Path] = pkg.Module
 			} else {
 				modMap[pkg.Module.Path] = pkg.Module
 			}
 		}
 		seen[pkg] = true
 		for _, imp := range pkg.Imports {
 			extract(imp, modMap)
 		}
 	}
 	for _, pkg := range pkgs {
 		extract(pkg, modMap)
 	}

 	modules := []*packages.Module{}
 	for _, mod := range modMap {
 		modules = append(modules, mod)
 	}
 	return modules
 }
	// Copyright 2021 The Go Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style
	// license that can be found in the LICENSE file.

	package vulncheck

	import (
	"context"
	"fmt"
	"go/token"
	"sync"

	"golang.org/x/tools/go/callgraph"
	"golang.org/x/tools/go/packages"
	"golang.org/x/tools/go/ssa"
	"golang.org/x/vuln/internal/client"
	"golang.org/x/vuln/internal/govulncheck"
	"golang.org/x/vuln/internal/osv"
	)

	// Source detects vulnerabilities in packages. The result will contain:
	//
	// 1) An ImportGraph related to an import of a package with some known
	// vulnerabilities.
	//
	// 2) A RequireGraph related to a require of a module with a package that has
	// some known vulnerabilities.
	//
	// 3) A CallGraph leading to the use of a known vulnerable function or method.
	func Source(ctx context.Context, pkgs []packages.Package, cfg govulncheck.Config, client client.Client, graph PackageGraph) (_ *Result, err error) {
	// buildSSA builds a whole program that assumes all packages use the same FileSet.
	// Check all packages in pkgs are using the same FileSet.
	// TODO(https://go.dev/issue/59729): take FileSet out of Package and
	// let Source take a single FileSet. That will make the enforcement
	// clearer from the API level.
	var fset *token.FileSet
	for _, p := range pkgs {
	if fset == nil {
	fset = p.Fset
	} else {
	if fset != p.Fset {
	return nil, fmt.Errorf("[]*Package must have created with the same FileSet")
	}
	}
	}

	ctx, cancel := context.WithCancel(ctx)
	defer cancel()

	// If we are building the callgraph, build ssa and the callgraph in parallel
	// with fetching vulnerabilities. If the vulns set is empty, return without
	// waiting for SSA construction or callgraph to finish.
	var (
	wg sync.WaitGroup // guards entries, cg, and buildErr
	entries []*ssa.Function
	cg *callgraph.Graph
	buildErr error
	)
	if cfg.ScanLevel.WantSymbols() {
	wg.Add(1)
	go func() {
	defer wg.Done()
	prog, ssaPkgs := buildSSA(pkgs, fset)
	entries = entryPoints(ssaPkgs)
	cg, buildErr = callGraph(ctx, prog, entries)
	}()
	}

	mods := extractModules(pkgs)
	mv, err := FetchVulnerabilities(ctx, client, mods)
	if err != nil {
	return nil, err
	}
	modVulns := moduleVulnerabilities(mv)
	modVulns = modVulns.filter("", "")
	result := &Result{}

	vulnPkgModSlice(pkgs, modVulns, result)
	// Return result immediately if not in symbol mode or
	// if there are no vulnerable packages.
	if !cfg.ScanLevel.WantSymbols() \|\| len(result.EntryPackages) == 0 {
	return result, nil
	}

	wg.Wait() // wait for build to finish
	if buildErr != nil {
	return nil, err
	}

	vulnCallGraphSlice(entries, modVulns, cg, result, graph)

	return result, nil
	}

	// vulnPkgModSlice computes the slice of pkgs imports and requires graph
	// leading to imports/requires of vulnerable packages/modules in modVulns
	// and stores the computed slices to result.
	func vulnPkgModSlice(pkgs []packages.Package, modVulns moduleVulnerabilities, result Result) {
	// analyzedPkgs contains information on packages analyzed thus far.
	// If a package is mapped to false, this means it has been visited
	// but it does not lead to a vulnerable imports. Otherwise, a
	// visited package is mapped to true.
	analyzedPkgs := make(map[*packages.Package]bool)
	for _, pkg := range pkgs {
	// Top level packages that lead to vulnerable imports are
	// stored as result.EntryPackages graph entry points.
	if vulnerable := vulnImportSlice(pkg, modVulns, result, analyzedPkgs); vulnerable {
	result.EntryPackages = append(result.EntryPackages, pkg)
	}
	}
	}

	// vulnImportSlice checks if pkg has some vulnerabilities or transitively imports
	// a package with known vulnerabilities. If that is the case, populates result.Imports
	// graph with this reachability information and returns the result.Imports package
	// node for pkg. Otherwise, returns nil.
	func vulnImportSlice(pkg packages.Package, modVulns moduleVulnerabilities, result Result, analyzed map[*packages.Package]bool) bool {
	if vulnerable, ok := analyzed[pkg]; ok {
	return vulnerable
	}
	analyzed[pkg] = false
	// Recursively compute which direct dependencies lead to an import of
	// a vulnerable package and remember the nodes of such dependencies.
	transitiveVulnerable := false
	for _, imp := range pkg.Imports {
	if impVulnerable := vulnImportSlice(imp, modVulns, result, analyzed); impVulnerable {
	transitiveVulnerable = true
	}
	}

	// Check if pkg has known vulnerabilities.
	vulns := modVulns.vulnsForPackage(pkg.PkgPath)

	// If pkg is not vulnerable nor it transitively leads
	// to vulnerabilities, jump out.
	if !transitiveVulnerable && len(vulns) == 0 {
	return false
	}

	// Create Vuln entry for each symbol of known OSV entries for pkg.
	for _, osv := range vulns {
	for _, affected := range osv.Affected {
	for _, p := range affected.EcosystemSpecific.Packages {
	if p.Path != pkg.PkgPath {
	continue
	}

	symbols := p.Symbols
	if len(symbols) == 0 {
	symbols = allSymbols(pkg.Types)
	}

	for _, symbol := range symbols {
	vuln := &Vuln{
	OSV: osv,
	Symbol: symbol,
	ImportSink: pkg,
	}
	result.Vulns = append(result.Vulns, vuln)
	}
	}
	}
	}
	analyzed[pkg] = true
	return true
	}

	// vulnCallGraphSlice checks if known vulnerabilities are transitively reachable from sources
	// via call graph cg. If so, populates result.Calls graph with this reachability information.
	func vulnCallGraphSlice(sources []ssa.Function, modVulns moduleVulnerabilities, cg callgraph.Graph, result Result, graph PackageGraph) {
	sinksWithVulns := vulnFuncs(cg, modVulns)

	// Compute call graph backwards reachable
	// from vulnerable functions and methods.
	var sinks []*callgraph.Node
	for n := range sinksWithVulns {
	sinks = append(sinks, n)
	}
	bcg := callGraphSlice(sinks, false)

	// Interesect backwards call graph with forward
	// reachable graph to remove redundant edges.
	var filteredSources []*callgraph.Node
	for _, e := range sources {
	if n, ok := bcg.Nodes[e]; ok {
	filteredSources = append(filteredSources, n)
	}
	}
	fcg := callGraphSlice(filteredSources, true)

	// Get the sinks that are in fact reachable from entry points.
	filteredSinks := make(map[callgraph.Node][]osv.Entry)
	for n, vs := range sinksWithVulns {
	if fn, ok := fcg.Nodes[n.Func]; ok {
	filteredSinks[fn] = vs
	}
	}

	// Transform the resulting call graph slice into
	// vulncheck representation and store it to result.
	vulnCallGraph(filteredSources, filteredSinks, result, graph)
	}

	// callGraphSlice computes a slice of callgraph beginning at starts
	// in the direction (forward/backward) controlled by forward flag.
	func callGraphSlice(starts []callgraph.Node, forward bool) callgraph.Graph {
	g := &callgraph.Graph{Nodes: make(map[ssa.Function]callgraph.Node)}

	visited := make(map[*callgraph.Node]bool)
	var visit func(*callgraph.Node)
	visit = func(n *callgraph.Node) {
	if visited[n] {
	return
	}
	visited[n] = true

	var edges []*callgraph.Edge
	if forward {
	edges = n.Out
	} else {
	edges = n.In
	}

	for _, edge := range edges {
	nCallee := g.CreateNode(edge.Callee.Func)
	nCaller := g.CreateNode(edge.Caller.Func)
	callgraph.AddEdge(nCaller, edge.Site, nCallee)

	if forward {
	visit(edge.Callee)
	} else {
	visit(edge.Caller)
	}
	}
	}

	for _, s := range starts {
	visit(s)
	}
	return g
	}

	// vulnCallGraph creates vulnerability call graph from sources -> sinks reachability info.
	func vulnCallGraph(sources []callgraph.Node, sinks map[callgraph.Node][]osv.Entry, result Result, graph *PackageGraph) {
	nodes := make(map[ssa.Function]FuncNode)

	// First create entries and sinks and store relevant information.
	for _, s := range sources {
	fn := createNode(nodes, s.Func, graph)
	result.EntryFunctions = append(result.EntryFunctions, fn)
	}

	for s, vulns := range sinks {
	f := s.Func
	funNode := createNode(nodes, s.Func, graph)

	// Populate CallSink field for each detected vuln symbol.
	for _, osv := range vulns {
	if vulnMatchesPackage(osv, funNode.Package.PkgPath) {
	addCallSinkForVuln(funNode, osv, dbFuncName(f), funNode.Package.PkgPath, result)
	}
	}
	}

	visited := make(map[*callgraph.Node]bool)
	var visit func(*callgraph.Node)
	visit = func(n *callgraph.Node) {
	if visited[n] {
	return
	}
	visited[n] = true

	for _, edge := range n.In {
	nCallee := createNode(nodes, edge.Callee.Func, graph)
	nCaller := createNode(nodes, edge.Caller.Func, graph)

	call := edge.Site
	cs := &CallSite{
	Parent: nCaller,
	Name: call.Common().Value.Name(),
	RecvType: callRecvType(call),
	Resolved: resolved(call),
	Pos: instrPosition(call),
	}
	nCallee.CallSites = append(nCallee.CallSites, cs)

	visit(edge.Caller)
	}
	}

	for s := range sinks {
	visit(s)
	}
	}

	// vulnFuncs returns vulnerability information for vulnerable functions in cg.
	func vulnFuncs(cg callgraph.Graph, modVulns moduleVulnerabilities) map[callgraph.Node][]*osv.Entry {
	m := make(map[callgraph.Node][]osv.Entry)
	for f, n := range cg.Nodes {
	vulns := modVulns.vulnsForSymbol(pkgPath(f), dbFuncName(f))
	if len(vulns) > 0 {
	m[n] = vulns
	}
	}
	return m
	}

	// pkgPath returns the path of the f's enclosing package, if any.
	// Otherwise, returns "".
	func pkgPath(f *ssa.Function) string {
	if f.Package() != nil && f.Package().Pkg != nil {
	return f.Package().Pkg.Path()
	}
	return ""
	}

	func createNode(nodes map[ssa.Function]FuncNode, f ssa.Function, graph PackageGraph) *FuncNode {
	if fn, ok := nodes[f]; ok {
	return fn
	}
	fn := &FuncNode{
	Name: f.Name(),
	Package: graph.GetPackage(pkgPath(f)),
	RecvType: funcRecvType(f),
	Pos: funcPosition(f),
	}
	nodes[f] = fn
	return fn
	}

	// addCallSinkForVuln adds callID as call sink to vuln of result.Vulns
	// identified with <osv, symbol, pkg>.
	func addCallSinkForVuln(call FuncNode, osv osv.Entry, symbol, pkg string, result *Result) {
	for _, vuln := range result.Vulns {
	if vuln.OSV == osv && vuln.Symbol == symbol && vuln.ImportSink.PkgPath == pkg {
	vuln.CallSink = call
	return
	}
	}
	}

	// extractModules collects modules in `pkgs` up to uniqueness of
	// module path and version.
	func extractModules(pkgs []packages.Package) []packages.Module {
	modMap := map[string]*packages.Module{}
	seen := map[*packages.Package]bool{}
	var extract func(packages.Package, map[string]packages.Module)
	extract = func(pkg packages.Package, modMap map[string]packages.Module) {
	if pkg == nil \|\| seen[pkg] {
	return
	}
	if pkg.Module != nil {
	if pkg.Module.Replace != nil {
	modMap[pkg.Module.Replace.Path] = pkg.Module
	} else {
	modMap[pkg.Module.Path] = pkg.Module
	}
	}
	seen[pkg] = true
	for _, imp := range pkg.Imports {
	extract(imp, modMap)
	}
	}
	for _, pkg := range pkgs {
	extract(pkg, modMap)
	}

	modules := []*packages.Module{}
	for _, mod := range modMap {
	modules = append(modules, mod)
	}
	return modules
	}