x/tools/gopls: add analyzer for vulnerability check #50577
It is similar to the command line tool govulncheck, but takes configuration parameters from the given snapshot and runs from the root directory of the snapshot. Currently we define result types in this package. When it is wired to gopls to implement a custom command, they will be moved to the internal/lsp/ command definition package. This functionality will be offered only when go1.18+ is used to build gopls.

Updates golang/go#50577
Updates golang/vscode-go#2096
Change-Id: I08ab6b408d0a40a86cfefff919ab670aa6b2859b
Reviewed-on: https://go-review.googlesource.com/c/tools/+/392538
Trust: Hyang-Ah Hana Kim <hyangah@gmail.com>
Reviewed-by: Robert Findley <rfindley@google.com>
Change https://go.dev/cl/392538 mentions this issue:
Change https://go.dev/cl/395575 mentions this issue:
Change https://go.dev/cl/395574 mentions this issue:
Change https://go.dev/cl/395576 mentions this issue:
This is a utility that manages the local cache of vulnerability information.

Updates golang/vscode-go#2096
Updates golang/go#50577
Change-Id: I1903a529adda499d078156c3f1ba38bfab75a958
Reviewed-on: https://go-review.googlesource.com/c/tools/+/395574
Trust: Hyang-Ah Hana Kim <hyangah@gmail.com>
Run-TryBot: Hyang-Ah Hana Kim <hyangah@gmail.com>
gopls-CI: kokoro <noreply+kokoro@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
And move types defined in gopls/internal/vulncheck to internal/lsp/command so VulncheckResult can use them. Another approach considered is to encode Vuln as a JSON raw message. However, presenting the data structure in gopls API documentation is too nice to give up.

Updates golang/vscode-go#2096
Updates golang/go#50577
Change-Id: I8587d19f9c47cf786dacaae8cfe1727c77cda711
Reviewed-on: https://go-review.googlesource.com/c/tools/+/395575
Trust: Hyang-Ah Hana Kim <hyangah@gmail.com>
Run-TryBot: Hyang-Ah Hana Kim <hyangah@gmail.com>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Robert Findley <rfindley@google.com>
gopls-CI: kokoro <noreply+kokoro@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
This is a command that runs govulncheck-like analysis. This is highly experimental and can change any time, so we mark it with the "Exp" suffix. Once the interface becomes stable, we will rename this command. It returns VulncheckResult that can be encoded as a JSON message. The result includes all potentially affecting vulnerabilities, and sample traces. This feature is currently available only when gopls is compiled with go1.18. Otherwise, the command will return an error.

Updates golang/go#50577
Updates golang/vscode-go#2096
Change-Id: Ia37b0555f7bf98760292c9f68e50fb70dd494522
Reviewed-on: https://go-review.googlesource.com/c/tools/+/395576
Trust: Hyang-Ah Hana Kim <hyangah@gmail.com>
Run-TryBot: Hyang-Ah Hana Kim <hyangah@gmail.com>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
gopls-CI: kokoro <noreply+kokoro@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Change https://go.dev/cl/404575 mentions this issue:
Change https://go.dev/cl/404574 mentions this issue:
Instead of invoking the command through the LSP custom command, call the vulncheck command hook directly. That reduces the extra overhead of bringing up the full gopls server & package loading. The vulncheck hook loads packages again anyway, so the benefit of running the check inside gopls's custom command framework is not huge any more. Still, `gopls vulncheck` is useful: editors don't need to install another binary for the vulncheck feature, and it will output the result in a format that is easier to handle than what `govulncheck` currently offers.

Updates golang/go#50577
Change-Id: Ia21e6d7e0c37c4a1b02dc8bbca860143524c3d1b
Reviewed-on: https://go-review.googlesource.com/c/tools/+/404574
Reviewed-by: Robert Findley <rfindley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
gopls-CI: kokoro <noreply+kokoro@google.com>
Run-TryBot: Hyang-Ah Hana Kim <hyangah@gmail.com>
If -config=true, gopls vulncheck reads the package load configuration JSON (build flags, env, tests, and later maybe overlay info) from stdin. And, add some logging to gopls/internal/vulncheck/command.go that helps measure the package loading overhead.

Update golang/go#50577
Change-Id: I5c1ce145b07f2bed03911613f42c09a3d6be6c28
Reviewed-on: https://go-review.googlesource.com/c/tools/+/404575
Reviewed-by: Robert Findley <rfindley@google.com>
We realized two different analysis types using the Vuln DB are feasible and useful. One is a real-time analysis of the package import paths, surfacing the fact in real time using diagnostics. Another is a full callgraph analysis (golang.org/x/vuln/cmd/govulncheck) that performs the whole-program analysis and reports only the vulnerabilities that actually affect the analyzed packages. That can be expensive and it's suitable as a one-off analysis command run. Gopls will export that interface as a custom gopls command and a gopls vulncheck command (~= govulncheck packaged inside gopls). #52972 This issue is tracking the progress for the first one.
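The first analysis type described above, the cheap import-path check, as an added example that is not gopls code or part of the original thread. It assumes three things not given on the page: a build list of module paths with resolved versions (gopls has this from the package load configuration), a constructed advisory list with placeholder IDs whose records carry the affected module, the first fixed version and the vulnerable package import paths, and a deliberately simplified version comparison (real code should use golang.org/x/mod/semver). It parses only the import block of one file with `parser.ImportsOnly`, resolves each import to the longest-prefix module, and reports imports whose module version is still below the fix, which is what would feed the real-time diagnostics.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// Module is one build-list entry (path + resolved version), the information
// gopls gets from the package load configuration. Finding records one hit.
type Module struct{ Path, Version string }
type Finding struct{ ID, Package, Module, Version string }

// Advisory is a constructed, simplified record: affected module, first fixed
// version ("" = no fix yet) and the vulnerable packages. IDs are placeholders.
type Advisory struct {
	ID, Module, Fixed string
	Packages          []string
}

// parseSemver reads "v1.2.3" as three ints. Suffixes are ignored, so a pseudo-version
// like v0.0.0-2022...-abcdef becomes v0.0.0 (and gets flagged), but a pre-release
// v1.0.0-rc1 counts as v1.0.0; a real implementation should use x/mod/semver.
func parseSemver(v string) (n [3]int, ok bool) {
	_, err := fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &n[0], &n[1], &n[2])
	return n, err == nil
}

// isAffected reports whether version is below the first fixed version. Unparseable
// input counts as affected: for a detector a false positive beats a silent miss.
func isAffected(version, fixed string) bool {
	a, okA := parseSemver(version)
	b, okB := parseSemver(fixed)
	if fixed == "" || !okA || !okB {
		return true
	}
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false // exactly the fixed version
}

// moduleFor maps an import path to the build-list module providing it; the longest
// matching prefix wins so nested modules resolve correctly, and ok is false for
// the standard library or paths outside the build list.
func moduleFor(importPath string, buildList []Module) (best Module, ok bool) {
	for _, m := range buildList {
		if (importPath == m.Path || strings.HasPrefix(importPath, m.Path+"/")) && len(m.Path) > len(best.Path) {
			best, ok = m, true
		}
	}
	return best, ok
}

// ScanImports parses only the import block of one file (no type checking, so it is
// cheap enough to run on every edit) and reports each import that an advisory
// covers at a still-affected module version.
func ScanImports(src string, buildList []Module, db []Advisory) ([]Finding, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "input.go", src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, spec := range f.Imports {
		path, _ := strconv.Unquote(spec.Path.Value) // the parser already validated the literal
		mod, ok := moduleFor(path, buildList)
		if !ok {
			continue
		}
		for _, adv := range db {
			if adv.Module != mod.Path || !isAffected(mod.Version, adv.Fixed) {
				continue
			}
			for _, p := range adv.Packages {
				if p == path {
					out = append(out, Finding{adv.ID, path, mod.Path, mod.Version})
				}
			}
		}
	}
	return out, nil
}

// Constructed sample input: a fake build list, fake advisories and a fake source file.
var sampleBuildList = []Module{{"example.com/acme", "v1.4.0"}, {"example.com/acme/crypto", "v0.9.0"}}
var sampleDB = []Advisory{
	{ID: "PLACEHOLDER-0001", Module: "example.com/acme/crypto", Fixed: "v1.0.0", Packages: []string{"example.com/acme/crypto/xts"}},
	{ID: "PLACEHOLDER-0002", Module: "example.com/acme", Fixed: "v1.2.0", Packages: []string{"example.com/acme/net"}},
}

const sampleSource = "package main\n\nimport (\n\t\"fmt\"\n\t\"example.com/acme/net\"\n\t\"example.com/acme/crypto/xts\"\n)\n"

func main() {
	findings, err := ScanImports(sampleSource, sampleBuildList, sampleDB)
	if err != nil {
		panic(err)
	}
	for _, f := range findings { // only the nested-module import at v0.9.0 is reported
		fmt.Printf("%s: %s (%s@%s)\n", f.ID, f.Package, f.Module, f.Version)
	}
}
```

The sample shows the two cases that matter for this kind of diagnostic: `example.com/acme/net` resolves to `example.com/acme@v1.4.0`, which is past the fix, so it is silent, while `example.com/acme/crypto/xts` resolves to the nested module `example.com/acme/crypto@v0.9.0` rather than the parent and is flagged. Because nothing is type-checked, this check cannot tell whether the vulnerable function is actually reachable; that is exactly what the second, callgraph-based analysis adds.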
@hyangah may I suggest contributing the second analysis to golangci-lint instead? Or make it available as a goanalysis pass that is easy to integrate into golangci-lint? The reason is that I am not aware of any CI/CD pipeline that runs gopls commands. But I am aware of dozens of golangci-lint integrations in CI/CD pipelines. Most linter integration work actually happens there.
Thanks for the suggestion. From our experiment, the second analysis easily takes a couple of minutes for a good-sized repo & accesses the network to retrieve the data. Is it really a good idea to add to a linter? But, I think - adding
We learned gopls does not compute/hold analysis facts for all packages in the workspace (#48738), so there is some groundwork to be done before integrating into gopls. For the short term, we are currently working on the analyzer that is pluggable into a linter that uses the go/analysis framework. (moving off of gopls/v0.9.0 milestone)
We ended up with a slightly different approach which supports a hybrid mode of vulnerability scanning.
For CI uses, For more details - https://github.com/golang/vscode-go/wiki/features#analyze-vulnerabilities-in-dependencies
References:
Experimental command line tool: https://pkg.go.dev/golang.org/x/exp/vulndb/govulncheck
Experimental API: https://pkg.go.dev/golang.org/x/exp/vulncheck
Vuln DB access API: https://pkg.go.dev/golang.org/x/vuln
cc @julieqiu @zpavlinovic