
x/tools/gopls: gopls vulncheck and a custom command #52972

Closed
hyangah opened this issue May 18, 2022 · 1 comment
Labels
FrozenDueToAge gopls Issues related to the Go language server, gopls. Tools This label describes issues relating to any tools in the x/tools repository. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Milestone

Comments

@hyangah (Contributor) commented May 18, 2022

Spin-off from #50577

We realized two different analysis types using the Vuln DB are feasible and useful.

  • One is a real-time analysis of the package import paths and surfacing the fact in real time using diagnostics.
  • Another is a full callgraph analysis (golang.org/x/vuln/cmd/govulncheck) that performs the whole program analysis and reports only the vulnerabilities that actually affect the analyzed packages. That can be expensive and it's suitable as a one-off analysis command run. Gopls will export that interface as a custom gopls command and a gopls vulncheck command (~= govulncheck packaged inside gopls).

This issue is tracking the progress for the second one.

An example of the integration in IDE:

[attachment: vulncheck-demo-480p.mov]
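The two analysis modes contrasted in the comment above, as an added example in Go that is not gopls or govulncheck code: a constructed, simplified vulnerability entry, a constructed dependency list and call-graph reachability set, and one function that runs either the cheap import-path pass or the govulncheck-style call-graph pass over them. The Vuln type, semverKey, Findings and all sample data are assumptions made for illustration.

```go
package main

import "fmt"

// Vuln is a constructed, simplified Vuln DB (OSV) entry: module, [Introduced, Fixed) range, vulnerable symbols.
type Vuln struct {
	ID, Module, Introduced, Fixed string
	Symbols                       []string // "import/path.Func"
}

// semverKey maps "vX.Y.Z" to a comparable integer (assumes three numeric
// components below 1000; any pre-release suffix is ignored).
func semverKey(v string) int {
	var a, b, c int
	fmt.Sscanf(v, "v%d.%d.%d", &a, &b, &c)
	return a*1000000 + b*1000 + c
}

// Findings with reachable == nil is the cheap import-path pass (any required module at a vulnerable
// version is reported); with a call-graph reachability set it is the govulncheck-style pass.
func Findings(deps map[string]string, reachable map[string]bool, db []Vuln) []string {
	var ids []string
	for _, v := range db {
		ver, ok := deps[v.Module]
		if k := semverKey(ver); !ok || k < semverKey(v.Introduced) || k >= semverKey(v.Fixed) {
			continue // not required, or required at a version outside [Introduced, Fixed)
		}
		hit := reachable == nil // import-path mode: a vulnerable version is enough
		for _, sym := range v.Symbols {
			hit = hit || reachable[sym] // call-graph mode: a vulnerable symbol must be reachable
		}
		if hit {
			ids = append(ids, v.ID)
		}
	}
	return ids
}

// Constructed sample: both modules are required at vulnerable versions, but the program
// only ever calls parser.Parse, so the call-graph pass drops the crypto entry.
var sampleDB = []Vuln{
	{"GO-CONSTRUCTED-0001", "example.com/parser", "v1.0.0", "v1.4.0", []string{"example.com/parser.Parse"}},
	{"GO-CONSTRUCTED-0002", "example.com/crypto", "v0.0.0", "v1.0.0", []string{"example.com/crypto.Sign"}},
}
var sampleDeps = map[string]string{"example.com/parser": "v1.3.0", "example.com/crypto": "v0.9.1"}
var sampleReachable = map[string]bool{"example.com/parser.Parse": true}

func main() {
	fmt.Println(Findings(sampleDeps, nil, sampleDB), Findings(sampleDeps, sampleReachable, sampleDB))
}
```

The import-path pass reports both constructed entries, while the call-graph pass reports only the one whose vulnerable symbol is reachable, which is the reduction in noise the full analysis buys at the cost of a whole-program run.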
@gopherbot gopherbot added Tools This label describes issues relating to any tools in the x/tools repository. gopls Issues related to the Go language server, gopls. labels May 18, 2022
@gopherbot gopherbot added this to the Unreleased milestone May 18, 2022
@hyangah hyangah modified the milestones: Unreleased, gopls/v0.8.4 May 18, 2022
@hyangah (Contributor, Author) commented May 18, 2022

v0.8.4 will have an updated gopls vulncheck command that outputs a more simplified -json output that is consistent with govulncheck's behavior.

https://go-review.googlesource.com/c/tools/+/399040
https://go-review.googlesource.com/c/tools/+/404574
https://go-review.googlesource.com/c/tools/+/405794
https://go-review.googlesource.com/c/tools/+/405795

And as a follow-up work, @jba is working on automating the govulncheck code copy.

@hyangah hyangah closed this as completed May 18, 2022
@julieqiu julieqiu added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Sep 8, 2022
@golang golang locked and limited conversation to collaborators Sep 8, 2023