From db8be72a60914fd9bc72b127b3cd85be4b125f6f Mon Sep 17 00:00:00 2001 From: Florent Viel Date: Wed, 7 Sep 2022 15:21:15 +0200 Subject: [PATCH 01/12] init vuncheck linter --- go.mod | 4 +- go.sum | 7 ++- pkg/config/linters_settings.go | 5 ++ pkg/golinters/vulncheck.go | 84 ++++++++++++++++++++++++++++++++++ pkg/lint/lintersdb/manager.go | 7 +++ 5 files changed, 105 insertions(+), 2 deletions(-) create mode 100644 pkg/golinters/vulncheck.go diff --git a/go.mod b/go.mod index a9a44d009b96..6d00c2f3c0d2 100644 --- a/go.mod +++ b/go.mod @@ -113,7 +113,9 @@ require ( github.com/ykadowak/zerologlint v0.1.1 gitlab.com/bosi/decorder v0.2.3 go.tmz.dev/musttag v0.6.0 + golang.org/x/net v0.9.0 golang.org/x/tools v0.8.0 + golang.org/x/vuln v0.0.0-20220902211423-27dd78d2ca39 gopkg.in/yaml.v3 v3.0.1 honnef.co/go/tools v0.4.3 mvdan.cc/gofumpt v0.5.0 @@ -187,7 +189,7 @@ require ( golang.org/x/mod v0.10.0 // indirect golang.org/x/sync v0.1.0 // indirect golang.org/x/sys v0.7.0 // indirect - golang.org/x/text v0.7.0 // indirect + golang.org/x/text v0.9.0 // indirect google.golang.org/protobuf v1.28.0 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect diff --git a/go.sum b/go.sum index fbf7a3e3d398..06cd382886a4 100644 --- a/go.sum +++ b/go.sum 
@@ -105,6 +105,7 @@ github.com/chavacava/garif v0.0.0-20230227094218-b8c73b2037b8/go.mod h1:gakxgyXa github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= @@ -691,6 +692,7 @@ golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM= +golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -798,8 +800,9 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -874,6 +877,8 @@ golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/tools v0.8.0 h1:vSDcovVPld282ceKgDimkRSC8kpaH1dgyc9UMzlt84Y= golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4= +golang.org/x/vuln v0.0.0-20220902211423-27dd78d2ca39 h1:501+NfNjDh4IT4HOzdeezTOFD7njtY49aXJN1oY3E1s= +golang.org/x/vuln v0.0.0-20220902211423-27dd78d2ca39/go.mod h1:7tDfEDtOLlzHQRi4Yzfg5seVBSvouUIjyPzBx4q5CxQ= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/pkg/config/linters_settings.go b/pkg/config/linters_settings.go index 9386b4631e19..2ef051192e04 100644 
--- a/pkg/config/linters_settings.go
+++ b/pkg/config/linters_settings.go
@@ -224,6 +224,7 @@ type LintersSettings struct {
Whitespace WhitespaceSettings
Wrapcheck WrapcheckSettings
WSL WSLSettings
+ Vulncheck VulncheckSettings
Custom map[string]CustomLinterSettings
}
@@ -744,6 +745,10 @@ type VarnamelenSettings struct {
IgnoreDecls []string `mapstructure:"ignore-decls"`
}
+type VulncheckSettings struct {
+ VulnDatabase []string `mapstructure:"vuln-database"`
+}
+
type WhitespaceSettings struct {
MultiIf bool `mapstructure:"multi-if"`
MultiFunc bool `mapstructure:"multi-func"`
diff --git a/pkg/golinters/vulncheck.go b/pkg/golinters/vulncheck.go
new file mode 100644
index 000000000000..346fb73e577c
--- /dev/null
+++ b/pkg/golinters/vulncheck.go
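Review bot: `VulncheckSettings` and its `VulnDatabase` field are added without a doc comment, so a reader of the config type cannot tell what `vuln-database` accepts or that an empty list falls back to `https://vuln.go.dev` (that fallback is only visible in `vulncheckRun` in pkg/golinters/vulncheck.go of this same patch). Suggest `// VulncheckSettings configures the vulncheck linter.` above the type and `// VulnDatabase lists the vulnerability database URLs to query; empty means https://vuln.go.dev.` above the field, which also feeds the generated reference docs. The `LintersSettings` struct touched by the first hunk starts outside the hunk.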
@@ -0,0 +1,84 @@
+package golinters
+
+import (
+ "sync"
+
+ "golang.org/x/net/context"
+ "golang.org/x/tools/go/analysis"
+ "golang.org/x/vuln/client"
+ "golang.org/x/vuln/vulncheck"
+
+ "github.com/golangci/golangci-lint/pkg/config"
+ "github.com/golangci/golangci-lint/pkg/golinters/goanalysis"
+ "github.com/golangci/golangci-lint/pkg/lint/linter"
+ "github.com/golangci/golangci-lint/pkg/result"
+)
+
+const (
+ vulncheckName = "vulncheck"
+ vulncheckDoc = "Package vulncheck detects uses of known vulnerabilities in Go programs."
+)
+
+func NewVulncheck(settings *config.VulncheckSettings) *goanalysis.Linter {
+ var mu sync.Mutex
+ var resIssues []goanalysis.Issue
+
+ var analyzer = &analysis.Analyzer{
+ Name: vulncheckName,
+ Doc: vulncheckDoc,
+ Run: goanalysis.DummyRun,
+ }
+
+ return goanalysis.NewLinter(
+ "vulncheck",
+ "Package vulncheck detects uses of known vulnerabilities in Go programs.",
+ []*analysis.Analyzer{analyzer},
+ nil,
+ ).WithContextSetter(func(lintCtx *linter.Context) {
+ analyzer.Run = func(pass *analysis.Pass) (interface{}, error) {
+ issues, err := vulncheckRun(lintCtx, pass, settings)
+
+ if err != nil {
+ return nil, err
+ }
+
+ mu.Lock()
+ resIssues = append(resIssues, issues...)
+ mu.Unlock()
+
+ return nil, nil
+ }
+ }).WithIssuesReporter(func(*linter.Context) []goanalysis.Issue {
+ return resIssues
+ })
+}
+
+func vulncheckRun(lintCtx *linter.Context, pass *analysis.Pass, settings *config.VulncheckSettings) ([]goanalysis.Issue, error) {
+ dbs := []string{"https://vuln.go.dev"}
+ if len(settings.VulnDatabase) > 0 {
+ dbs = settings.VulnDatabase
+ }
+ dbClient, err := client.NewClient(dbs, client.Options{})
+ if err != nil {
+ return nil, err
+ }
+
+ vcfg := &vulncheck.Config{Client: dbClient, SourceGoVersion: lintCtx.Cfg.Run.Go}
+ vpkgs := vulncheck.Convert(lintCtx.Packages)
+ ctx := context.Background()
+
+ r, err := vulncheck.Source(ctx, vpkgs, vcfg)
+ if err != nil {
+ return nil, err
+ }
+
+ issues := make([]goanalysis.Issue, len(r.Vulns))
+
+ for _, vuln := range r.Vulns {
+ issues = append(issues, goanalysis.NewIssue(&result.Issue{
+ Text: vuln.OSV.ID,
+ }, pass))
+ }
+
+ return issues, nil
+}
diff --git a/pkg/lint/lintersdb/manager.go b/pkg/lint/lintersdb/manager.go
index ffe10721cf43..428a35f22d9e 100644
--- a/pkg/lint/lintersdb/manager.go
+++ b/pkg/lint/lintersdb/manager.go
@@ -178,6 +178,7 @@ func (m Manager) GetAllSupportedLinterConfigs() []*linter.Config {
whitespaceCfg *config.WhitespaceSettings
wrapcheckCfg *config.WrapcheckSettings
wslCfg *config.WSLSettings
+ vulncheckCfg *config.VulncheckSettings
)
if m.cfg != nil {
@@ -258,6 +259,7 @@ func (m Manager) GetAllSupportedLinterConfigs() []*linter.Config {
whitespaceCfg = &m.cfg.LintersSettings.Whitespace
wrapcheckCfg = &m.cfg.LintersSettings.Wrapcheck
wslCfg = &m.cfg.LintersSettings.WSL
+ vulncheckCfg = &m.cfg.LintersSettings.Vulncheck
if govetCfg != nil {
govetCfg.Go = m.cfg.Run.Go
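Review bot: `vulncheckRun` hands all of `lintCtx.Packages` to `vulncheck.Convert`, yet it is called from `analyzer.Run`, which the analysis driver invokes once per package, so the same findings are appended to `resIssues` once for every package in the run (a module with 50 packages would report each vulnerability 50 times). Running the scan a single time under a `sync.Once` and returning the stored result from later passes removes both the duplication and the need for the mutex; the rewrite is sketched below. The `context.Background()` handed to `vulncheck.Source` gives the fetch from the configured database no deadline or cancellation, so a stalled connection stalls the whole lint run. Each `result.Issue` carries only `Text: vuln.OSV.ID` and no position, so the report names neither the package nor the call site that reaches the vulnerable symbol. The errors from `client.NewClient` and `vulncheck.Source` are returned unwrapped; `fmt.Errorf("vulncheck: %w", err)` would keep the linter identifiable in the run log.
```go
func NewVulncheck(settings *config.VulncheckSettings) *goanalysis.Linter {
	var (
		once      sync.Once
		resIssues []goanalysis.Issue
		runErr    error
	)

	// … unchanged: analyzer declaration and the goanalysis.NewLinter(...) arguments …
	).WithContextSetter(func(lintCtx *linter.Context) {
		analyzer.Run = func(pass *analysis.Pass) (interface{}, error) {
			// The scan already covers every loaded package, so run it once and
			// let every later pass see the same result instead of re-appending it.
			once.Do(func() {
				resIssues, runErr = vulncheckRun(lintCtx, pass, settings)
			})
			return nil, runErr
		}
	}).WithIssuesReporter(func(*linter.Context) []goanalysis.Issue {
		return resIssues
	})
}
```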
@@ -897,6 +899,11 @@ func (m Manager) GetAllSupportedLinterConfigs() []*linter.Config {
WithPresets(linter.PresetBugs).
WithLoadForGoAnalysis().
WithURL("https://github.com/ykadowak/zerologlint"),
+
+ linter.NewConfig(golinters.NewVulncheck(vulncheckCfg)).
+ WithSince("v1.53.0").
+ WithPresets(linter.PresetModule).
+ WithURL("https://vuln.go.dev/"),
}
enabledByDefault := map[string]bool{
From dc80ef0ddb2f091bf4c8ec145bf0d10b9228facf Mon Sep 17 00:00:00 2001
From: Florent Viel
Date: Thu, 15 Sep 2022 16:13:13 +0200
Subject: [PATCH 02/12] set slice capacity instead of length
---
pkg/golinters/vulncheck.go | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/pkg/golinters/vulncheck.go b/pkg/golinters/vulncheck.go
index 346fb73e577c..48eda3851829 100644
--- a/pkg/golinters/vulncheck.go
+++ b/pkg/golinters/vulncheck.go
@@ -23,7 +23,7 @@ func NewVulncheck(settings *config.VulncheckSettings) *goanalysis.Linter {
var mu sync.Mutex
var resIssues []goanalysis.Issue
- var analyzer = &analysis.Analyzer{
+ analyzer := &analysis.Analyzer{
Name: vulncheckName,
Doc: vulncheckDoc,
Run: goanalysis.DummyRun,
@@ -37,7 +37,6 @@ func NewVulncheck(settings *config.VulncheckSettings) *goanalysis.Linter {
).WithContextSetter(func(lintCtx *linter.Context) {
analyzer.Run = func(pass *analysis.Pass) (interface{}, error) {
issues, err := vulncheckRun(lintCtx, pass, settings)
-
if err != nil {
return nil, err
}
@@ -72,7 +71,7 @@ func vulncheckRun(lintCtx *linter.Context, pass *analysis.Pass, settings *config
return nil, err
}
- issues := make([]goanalysis.Issue, len(r.Vulns))
+ issues := make([]goanalysis.Issue, 0, len(r.Vulns))
for _, vuln := range r.Vulns {
issues = append(issues, goanalysis.NewIssue(&result.Issue{
From 7f14758821b5e516e0ec0d70b9b1afecba44092d Mon Sep 17 00:00:00 2001
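Review bot: The new `linter.NewConfig(golinters.NewVulncheck(vulncheckCfg))` entry does not call `WithLoadForGoAnalysis()`, unlike the zerologlint entry right above it, yet `vulncheckRun` feeds `lintCtx.Packages` to `vulncheck.Convert`, which works on typed, fully loaded packages. If the default load mode for a config without that call is lighter (`NewConfig` is not visible from here), the scan runs on packages that lack the type and syntax information it needs and silently reports nothing. Adding `WithLoadForGoAnalysis().` between `WithPresets(linter.PresetModule).` and `WithURL("https://vuln.go.dev/"),` matches the other analysis-based linters in this list. `GetAllSupportedLinterConfigs` begins outside the hunk.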
From: Florent Viel
Date: Thu, 15 Sep 2022 16:51:32 +0200
Subject: [PATCH 03/12] improvu vuln output
---
pkg/golinters/vulncheck.go | 27 +++++++++++++++++++++++++--
1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/pkg/golinters/vulncheck.go b/pkg/golinters/vulncheck.go
index 48eda3851829..65d58f9c929f 100644
--- a/pkg/golinters/vulncheck.go
+++ b/pkg/golinters/vulncheck.go
@@ -1,6 +1,8 @@
package golinters
import (
+ "fmt"
+ "strings"
"sync"
"golang.org/x/net/context"
@@ -71,13 +73,34 @@ func vulncheckRun(lintCtx *linter.Context, pass *analysis.Pass, settings *config
return nil, err
}
+ imports := vulncheck.ImportChains(r)
issues := make([]goanalysis.Issue, 0, len(r.Vulns))
- for _, vuln := range r.Vulns {
+ for idx, vuln := range r.Vulns {
issues = append(issues, goanalysis.NewIssue(&result.Issue{
- Text: vuln.OSV.ID,
+ Text: writeVulnerability(idx, vuln.OSV.ID, vuln.OSV.Details, writeImorts(imports[vuln])),
}, pass))
}
return issues, nil
}
+
+func writeImorts(imports []vulncheck.ImportChain) string {
+ var s strings.Builder
+ for _, i := range imports {
+ indent := 0
+ for _, pkg := range i {
+ s.WriteString(fmt.Sprintf("%s|_ %s", strings.Repeat(" ", indent), pkg.Name))
+ }
+ }
+
+ return s.String()
+}
+
+func writeVulnerability(idx int, id, details, imports string) string {
+ return fmt.Sprintf(`Vulnerability #%d: %s
+%s
+%s
+ More info: https://pkg.go.dev/vuln/%s
+`, idx, id, details, imports, id)
+}
From 69500baa683319e5a4b8d4f5f630f6a8680258b2 Mon Sep 17 00:00:00 2001
From: Florent Viel
Date: Sat, 10 Dec 2022 12:13:08 +0100
Subject: [PATCH 04/12] fix typo
---
pkg/golinters/vulncheck.go | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/golinters/vulncheck.go b/pkg/golinters/vulncheck.go
index 65d58f9c929f..62c852d197a2 100644
--- a/pkg/golinters/vulncheck.go
+++ b/pkg/golinters/vulncheck.go
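Review bot: In the new import-chain writer, `indent` is set to 0 and never changed and nothing writes a newline between entries, so `strings.Repeat(" ", indent)` is always empty and every package of every chain is concatenated onto one line as `|_ a|_ b|_ c`; if the intent is one package per line indented by its depth in the chain, the loop index already provides that depth, as sketched below. `s.WriteString(fmt.Sprintf(...))` is better written as `fmt.Fprintf(&s, ...)`, which formats straight into the builder. `writeVulnerability` prints `Vulnerability #%d` with the 0-based slice index, so the first finding is reported as "#0"; pass `idx+1` at the call site in `vulncheckRun`. The `Details` text from the advisory is interpolated verbatim into the issue body, so multi-paragraph advisories produce multi-line issue texts that some output formats will truncate or mangle.
```go
func writeImorts(imports []vulncheck.ImportChain) string {
	var s strings.Builder
	for _, chain := range imports {
		// One package per line, indented by its position in the chain.
		for depth, pkg := range chain {
			fmt.Fprintf(&s, "%s|_ %s\n", strings.Repeat(" ", depth), pkg.Name)
		}
	}
	return s.String()
}
```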
@@ -78,14 +78,14 @@ func vulncheckRun(lintCtx *linter.Context, pass *analysis.Pass, settings *config for idx, vuln := range r.Vulns { issues = append(issues, goanalysis.NewIssue(&result.Issue{ - Text: writeVulnerability(idx, vuln.OSV.ID, vuln.OSV.Details, writeImorts(imports[vuln])), + Text: writeVulnerability(idx, vuln.OSV.ID, vuln.OSV.Details, writeImports(imports[vuln])), }, pass)) } return issues, nil } -func writeImorts(imports []vulncheck.ImportChain) string { +func writeImports(imports []vulncheck.ImportChain) string { var s strings.Builder for _, i := range imports { indent := 0 From 6d86e2dd8cd340bfa0a0f8f7f64cdf3b50b8e4b6 Mon Sep 17 00:00:00 2001 From: Florent Viel Date: Sat, 10 Dec 2022 12:13:49 +0100 Subject: [PATCH 05/12] add vulncheck to reference --- .golangci.reference.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.golangci.reference.yml b/.golangci.reference.yml index 37324b856153..1d5b5dee4448 100644 --- a/.golangci.reference.yml +++ b/.golangci.reference.yml @@ -1944,6 +1944,9 @@ linters-settings: - T any - m map[string]int + vulncheck: + vuln-database: [https://vuln.go.dev] + whitespace: # Enforces newlines (or comments) after every multi-line if statement. # Default: false @@ -2159,6 +2162,7 @@ linters: - usestdlibvars - varcheck - varnamelen + - vulncheck - wastedassign - whitespace - wrapcheck @@ -2272,6 +2276,7 @@ linters: - usestdlibvars - varcheck - varnamelen + - vulncheck - wastedassign - whitespace - wrapcheck From 3654c76eff472a9023bd25f2501cb72b03b1eeb6 Mon Sep 17 00:00:00 2001 From: Florent Viel Date: Sat, 10 Dec 2022 12:14:07 +0100 Subject: [PATCH 06/12] add vulncheck failing testcase --- test/linters_test.go | 1 + test/testdata/vulncheck/go.mod | 7 +++++++ test/testdata/vulncheck/vulncheck.go | 7 +++++++ 3 files changed, 15 insertions(+) create mode 100644 test/testdata/vulncheck/go.mod create mode 100644 test/testdata/vulncheck/vulncheck.go 
diff --git a/test/linters_test.go b/test/linters_test.go
index dd130db3e7db..d519b2ac0f4f 100644
--- a/test/linters_test.go
+++ b/test/linters_test.go
@@ -32,6 +32,7 @@ func TestSourcesFromTestdataSubDir(t *testing.T) {
"loggercheck",
"ginkgolinter",
"zerologlint",
+ "vulncheck",
}
for _, dir := range subDirs {
diff --git a/test/testdata/vulncheck/go.mod b/test/testdata/vulncheck/go.mod
new file mode 100644
index 000000000000..3b96339713df
--- /dev/null
+++ b/test/testdata/vulncheck/go.mod
@@ -0,0 +1,7 @@
+module vulncheck
+
+go 1.19
+
+require (
+ golang.org/x/text/languag v0.37.0
+)
diff --git a/test/testdata/vulncheck/vulncheck.go b/test/testdata/vulncheck/vulncheck.go
new file mode 100644
index 000000000000..32f1391f5859
--- /dev/null
+++ b/test/testdata/vulncheck/vulncheck.go
@@ -0,0 +1,7 @@
+package vulncheck
+
+import "golang.org/x/text/language"
+
+func testvuln() {
+ _ = language.MustParseRegion("US")
+}
From 0c74e27a4207dbed6ef502fe92bd1cd1b060b0b8 Mon Sep 17 00:00:00 2001
From: Florent Viel
Date: Sat, 10 Dec 2022 12:16:06 +0100
Subject: [PATCH 07/12] fix failing test vulncheck
---
test/testdata/vulncheck/go.mod | 4 +---
test/testdata/vulncheck/go.sum | 2 ++
2 files changed, 3 insertions(+), 3 deletions(-)
create mode 100644 test/testdata/vulncheck/go.sum
diff --git a/test/testdata/vulncheck/go.mod b/test/testdata/vulncheck/go.mod
index 3b96339713df..53b79c11c515 100644
--- a/test/testdata/vulncheck/go.mod
+++ b/test/testdata/vulncheck/go.mod
@@ -2,6 +2,4 @@ module vulncheck
go 1.19
-require (
- golang.org/x/text/languag v0.37.0
-)
+require golang.org/x/text v0.3.7
diff --git a/test/testdata/vulncheck/go.sum b/test/testdata/vulncheck/go.sum
new file mode 100644
index 000000000000..1f78e039072f
--- /dev/null
+++ b/test/testdata/vulncheck/go.sum
@@ -0,0 +1,2 @@
+golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
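Review bot: `require golang.org/x/text v0.3.7` in test/testdata/vulncheck/go.mod is presumably pinned to an old release on purpose, so that the fixture has a dependency the vulnerability database knows about, but nothing in the file says so, and a routine `go get -u` or a dependency-update bot will "fix" it and silently turn the test into a no-op. A trailing comment on that line, `require golang.org/x/text v0.3.7 // intentionally outdated: the vulncheck fixture needs a dependency with a published advisory`, records the intent where the next editor will see it (go.mod accepts `//` comments). The hashes in the new go.sum are tied to that version, so the comment is the only thing guarding the pin.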
From 127d2be23236103850152434a7396564396845ff Mon Sep 17 00:00:00 2001
From: Florent Viel
Date: Sun, 11 Dec 2022 10:37:07 +0100
Subject: [PATCH 08/12] add test args for vulncheck test case
---
test/testdata/vulncheck/vulncheck.go | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/test/testdata/vulncheck/vulncheck.go b/test/testdata/vulncheck/vulncheck.go
index 32f1391f5859..0b0aecc7a93f 100644
--- a/test/testdata/vulncheck/vulncheck.go
+++ b/test/testdata/vulncheck/vulncheck.go
@@ -1,7 +1,13 @@
+//golangcitest:args -Evulncheck
package vulncheck
-import "golang.org/x/text/language"
+import (
+ "fmt"
-func testvuln() {
- _ = language.MustParseRegion("US")
+ "golang.org/x/text/language"
+)
+
+func ParseRegion() {
+ us := language.MustParseRegion("US")
+ fmt.Println(us)
}
From 48bcbcb6970bfee9502e65758d99ce2a42068bdc Mon Sep 17 00:00:00 2001
From: Craig Rodrigues
Date: Sat, 1 Jul 2023 15:02:41 -0700
Subject: [PATCH 09/12] Replace interface{} with any
---
pkg/golinters/vulncheck.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/golinters/vulncheck.go b/pkg/golinters/vulncheck.go
index 62c852d197a2..13b34068fc0f 100644
--- a/pkg/golinters/vulncheck.go
+++ b/pkg/golinters/vulncheck.go
@@ -37,7 +37,7 @@ func NewVulncheck(settings *config.VulncheckSettings) *goanalysis.Linter {
[]*analysis.Analyzer{analyzer},
nil,
).WithContextSetter(func(lintCtx *linter.Context) {
- analyzer.Run = func(pass *analysis.Pass) (interface{}, error) {
+ analyzer.Run = func(pass *analysis.Pass) (any, error) {
issues, err := vulncheckRun(lintCtx, pass, settings)
if err != nil {
return nil, err
From 3386b9c46551ce3a92b93d7500fa8eeddd974bbf Mon Sep 17 00:00:00 2001
From: Craig Rodrigues
Date: Sat, 1 Jul 2023 15:47:48 -0700
Subject: [PATCH 10/12] Update go/vuln dependency
---
go.mod | 4 ++--
go.sum | 9 ++++-----
2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/go.mod b/go.mod
index aeb8dfa5a2ad..ca6c68835a95 100644
--- a/go.mod
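Review bot: test/testdata/vulncheck/vulncheck.go still carries no `// want` annotation, so if this harness checks output the way the errchk-style runner does for the other testdata directories, a vulnerability reported for the fixture counts as an unexpected diagnostic and the test fails precisely when the linter works, while an empty report passes. Pinning the intended behaviour needs a comment such as `us := language.MustParseRegion("US") // want "Vulnerability #0: GO-"` (constructed example; the harness matches regexps) on the line the linter attributes the issue to — and the issues built in `vulncheckRun` currently carry no position, so there is no such line yet. The fixture also reaches https://vuln.go.dev at test time, which makes the test depend on network access and on the database's contents on the day it runs; if `client.NewClient` accepts local sources, the `vuln-database` setting from patch 01 could point it at a checked-in snapshot via a `//golangcitest:config_path` directive.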
+++ b/go.mod @@ -119,12 +119,12 @@ require ( golang.org/x/exp v0.0.0-20230510235704-dd950f8aeaea golang.org/x/net v0.11.0 golang.org/x/tools v0.10.0 - golang.org/x/vuln v0.0.0-20220902211423-27dd78d2ca39 + golang.org/x/vuln v0.2.0 gopkg.in/yaml.v3 v3.0.1 honnef.co/go/tools v0.4.3 mvdan.cc/gofumpt v0.5.0 mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed - mvdan.cc/unparam v0.0.0-20221223090309-7455f1af531d + mvdan.cc/unparam v0.0.0-20230312165513-e84e2d14e3b8 ) require ( diff --git a/go.sum b/go.sum index acff1d758b37..5f0a858f95dd 100644 --- a/go.sum +++ b/go.sum @@ -107,7 +107,6 @@ github.com/chavacava/garif v0.0.0-20230227094218-b8c73b2037b8/go.mod h1:gakxgyXa github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= 
@@ -880,8 +879,8 @@ golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/tools v0.10.0 h1:tvDr/iQoUqNdohiYm0LmmKcBk+q86lb9EprIUFhHHGg= golang.org/x/tools v0.10.0/go.mod h1:UJwyiVBsOA2uwvK/e5OY3GTpDUJriEd+/YlqAwLPmyM= -golang.org/x/vuln v0.0.0-20220902211423-27dd78d2ca39 h1:501+NfNjDh4IT4HOzdeezTOFD7njtY49aXJN1oY3E1s= -golang.org/x/vuln v0.0.0-20220902211423-27dd78d2ca39/go.mod h1:7tDfEDtOLlzHQRi4Yzfg5seVBSvouUIjyPzBx4q5CxQ= +golang.org/x/vuln v0.2.0 h1:Dlz47lW0pvPHU7tnb10S8vbMn9GnV2B6eyT7Tem5XBI= +golang.org/x/vuln v0.2.0/go.mod h1:V0eyhHwaAaHrt42J9bgrN6rd12f6GU4T0Lu0ex2wDg4= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -1011,8 +1010,8 @@ mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed h1:WX1yoOaKQfddO/mLzdV4wp mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed/go.mod h1:Xkxe497xwlCKkIaQYRfC7CSLworTXY9RMqwhhCm+8Nc= mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b h1:DxJ5nJdkhDlLok9K6qO+5290kphDJbHOQO1DFFFTeBo= mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b/go.mod h1:2odslEg/xrtNQqCYg2/jCoyKnw3vv5biOc3JnIcYfL4= -mvdan.cc/unparam v0.0.0-20221223090309-7455f1af531d h1:3rvTIIM22r9pvXk+q3swxUQAQOxksVMGK7sml4nG57w= -mvdan.cc/unparam v0.0.0-20221223090309-7455f1af531d/go.mod h1:IeHQjmn6TOD+e4Z3RFiZMMsLVL+A96Nvptar8Fj71is= +mvdan.cc/unparam v0.0.0-20230312165513-e84e2d14e3b8 h1:VuJo4Mt0EVPychre4fNlDWDuE5AjXtPJpRUWqZDQhaI= +mvdan.cc/unparam v0.0.0-20230312165513-e84e2d14e3b8/go.mod h1:Oh/d7dEtzsNHGOq1Cdv8aMm3KdKhVvPbRQcM8WFpBR8= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= From 2d64977573d2fdcd1aee39d83d192a72aadb32e1 Mon Sep 17 00:00:00 2001 From: Craig Rodrigues Date: Sat, 1 Jul 2023 17:05:07 -0700 Subject: [PATCH 11/12] Fix pkg/lint/lintersdb/manager.go --- pkg/lint/lintersdb/manager.go | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/pkg/lint/lintersdb/manager.go b/pkg/lint/lintersdb/manager.go index b16991690b87..921e4390dbb2 100644 --- a/pkg/lint/lintersdb/manager.go +++ b/pkg/lint/lintersdb/manager.go @@ -138,10 +138,10 @@ func (m Manager) GetAllSupportedLinterConfigs() []*linter.Config { usestdlibvars *config.UseStdlibVarsSettings varcheckCfg *config.VarCheckSettings varnamelenCfg *config.VarnamelenSettings + vulncheckCfg *config.VulncheckSettings whitespaceCfg *config.WhitespaceSettings wrapcheckCfg *config.WrapcheckSettings wslCfg *config.WSLSettings - vulncheckCfg *config.VulncheckSettings ) if m.cfg != nil { 
@@ -219,10 +219,10 @@ func (m Manager) GetAllSupportedLinterConfigs() []*linter.Config {
usestdlibvars = &m.cfg.LintersSettings.UseStdlibVars
varcheckCfg = &m.cfg.LintersSettings.Varcheck
varnamelenCfg = &m.cfg.LintersSettings.Varnamelen
+ vulncheckCfg = &m.cfg.LintersSettings.Vulncheck
whitespaceCfg = &m.cfg.LintersSettings.Whitespace
wrapcheckCfg = &m.cfg.LintersSettings.Wrapcheck
wslCfg = &m.cfg.LintersSettings.WSL
- vulncheckCfg = &m.cfg.LintersSettings.Vulncheck
if govetCfg != nil {
govetCfg.Go = m.cfg.Run.Go
@@ -853,6 +853,11 @@ func (m Manager) GetAllSupportedLinterConfigs() []*linter.Config {
WithLoadForGoAnalysis().
WithURL("https://github.com/blizzy78/varnamelen"),
+ linter.NewConfig(golinters.NewVulncheck(vulncheckCfg)).
+ WithSince("v1.53.0").
+ WithPresets(linter.PresetModule).
+ WithURL("https://vuln.go.dev/"),
+
linter.NewConfig(golinters.NewWastedAssign()).
WithSince("v1.38.0").
WithPresets(linter.PresetStyle).
@@ -882,11 +887,6 @@ func (m Manager) GetAllSupportedLinterConfigs() []*linter.Config {
WithLoadForGoAnalysis().
WithURL("https://github.com/ykadowak/zerologlint"),
- linter.NewConfig(golinters.NewVulncheck(vulncheckCfg)).
- WithSince("v1.53.0").
- WithPresets(linter.PresetModule).
- WithURL("https://vuln.go.dev/"),
-
// nolintlint must be last because it looks at the results of all the previous linters for unused nolint directives
linter.NewConfig(golinters.NewNoLintLint(noLintLintCfg)).
WithSince("v1.26.0").
From cd2e05e597b98a0e932fa7f4f245e885cb77f668 Mon Sep 17 00:00:00 2001
From: Craig Rodrigues
Date: Fri, 8 Sep 2023 07:24:18 -0700
Subject: [PATCH 12/12] Update
---
pkg/config/linters_settings.go | 2 +-
pkg/golinters/vulncheck.go | 79 ++++++++++------------------
test/linters_test.go | 1 +
test/testdata/vulncheck/vulncheck.go | 2 +-
4 files changed, 32 insertions(+), 52 deletions(-)
diff --git a/pkg/config/linters_settings.go b/pkg/config/linters_settings.go
index 1a970108f186..cb2c33a4e0ab 100644
--- a/pkg/config/linters_settings.go
+++ b/pkg/config/linters_settings.go
@@ -224,10 +224,10 @@ type LintersSettings struct {
UseStdlibVars UseStdlibVarsSettings
Varcheck VarCheckSettings
Varnamelen VarnamelenSettings
+ Vulncheck VulncheckSettings
Whitespace WhitespaceSettings
Wrapcheck WrapcheckSettings
WSL WSLSettings
- Vulncheck VulncheckSettings
Custom map[string]CustomLinterSettings
}
diff --git a/pkg/golinters/vulncheck.go b/pkg/golinters/vulncheck.go
index 13b34068fc0f..278ded0103ba 100644
--- a/pkg/golinters/vulncheck.go
+++ b/pkg/golinters/vulncheck.go
@@ -1,14 +1,13 @@
package golinters
import (
- "fmt"
- "strings"
+ "bytes"
+ "path/filepath"
"sync"
"golang.org/x/net/context"
"golang.org/x/tools/go/analysis"
- "golang.org/x/vuln/client"
- "golang.org/x/vuln/vulncheck"
+ "golang.org/x/vuln/scan"
"github.com/golangci/golangci-lint/pkg/config"
"github.com/golangci/golangci-lint/pkg/golinters/goanalysis"
@@ -18,7 +17,7 @@ import (
const (
vulncheckName = "vulncheck"
- vulncheckDoc = "Package vulncheck detects uses of known vulnerabilities in Go programs."
+ vulncheckDoc = "vulncheck detects uses of known vulnerabilities in Go programs."
)
func NewVulncheck(settings *config.VulncheckSettings) *goanalysis.Linter {
@@ -32,8 +31,8 @@ func NewVulncheck(settings *config.VulncheckSettings) *goanalysis.Linter {
}
return goanalysis.NewLinter(
- "vulncheck",
- "Package vulncheck detects uses of known vulnerabilities in Go programs.",
+ vulncheckName,
+ vulncheckDoc,
[]*analysis.Analyzer{analyzer},
nil,
).WithContextSetter(func(lintCtx *linter.Context) {
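Review bot: The reworked import block keeps `"golang.org/x/net/context"` while everything the file needs from it is `context.Background`, which the standard library `"context"` package has provided since Go 1.7; `golang.org/x/net/context` is now only a thin alias over it, so the line can be replaced by `"context"` and moved into the stdlib group next to `"bytes"`. That drops an avoidable external package from the import graph of every golangci-lint build. `NewVulncheck`, which the last two hunks touch, continues outside the hunk.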
@@ -54,53 +53,33 @@ func NewVulncheck(settings *config.VulncheckSettings) *goanalysis.Linter {
})
}
-func vulncheckRun(lintCtx *linter.Context, pass *analysis.Pass, settings *config.VulncheckSettings) ([]goanalysis.Issue, error) {
- dbs := []string{"https://vuln.go.dev"}
- if len(settings.VulnDatabase) > 0 {
- dbs = settings.VulnDatabase
- }
- dbClient, err := client.NewClient(dbs, client.Options{})
- if err != nil {
- return nil, err
- }
+func vulncheckRun(lintCtx *linter.Context, pass *analysis.Pass, _ *config.VulncheckSettings) ([]goanalysis.Issue, error) {
+ files := getFileNames(pass)
- vcfg := &vulncheck.Config{Client: dbClient, SourceGoVersion: lintCtx.Cfg.Run.Go}
- vpkgs := vulncheck.Convert(lintCtx.Packages)
ctx := context.Background()
-
- r, err := vulncheck.Source(ctx, vpkgs, vcfg)
- if err != nil {
- return nil, err
- }
-
- imports := vulncheck.ImportChains(r)
- issues := make([]goanalysis.Issue, 0, len(r.Vulns))
-
- for idx, vuln := range r.Vulns {
+ lintCtx.Log.Errorf("%v\n", files)
+
+ issues := []goanalysis.Issue{}
+ for _, file := range files {
+ lintCtx.Log.Errorf("%s %s %s %s\n", "-json", "-C", filepath.Dir(file), ".")
+ cmd := scan.Command(ctx, "-json", "-C", filepath.Dir(file), ".")
+ buf := &bytes.Buffer{}
+ cmd.Stderr = buf
+ cmd.Stdout = buf
+ err := cmd.Start()
+ if err != nil {
+ return issues, err
+ }
+ err = cmd.Wait()
+ if err != nil {
+ return issues, err
+ }
issues = append(issues, goanalysis.NewIssue(&result.Issue{
- Text: writeVulnerability(idx, vuln.OSV.ID, vuln.OSV.Details, writeImports(imports[vuln])),
- }, pass))
+ Text: buf.String(),
+ FromLinter: vulncheckName},
+ pass))
}
+ lintCtx.Log.Errorf("%v\n", issues)
return issues, nil
}
-
-func writeImports(imports []vulncheck.ImportChain) string {
- var s strings.Builder
- for _, i := range imports {
- indent := 0
- for _, pkg := range i {
- s.WriteString(fmt.Sprintf("%s|_ %s", strings.Repeat(" ", indent), pkg.Name))
- }
- }
-
- return s.String()
-}
-
-func writeVulnerability(idx int, id, details, imports string) string {
- return fmt.Sprintf(`Vulnerability #%d: %s
-%s
-%s
- More info: https://pkg.go.dev/vuln/%s
-`, idx, id, details, imports, id)
-}
diff --git a/test/linters_test.go b/test/linters_test.go
index d519b2ac0f4f..1f2de5df1bfc 100644
--- a/test/linters_test.go
+++ b/test/linters_test.go
@@ -69,6 +69,7 @@ func testSourcesFromDir(t *testing.T, dir string) {
rel, err := filepath.Rel(dir, source)
require.NoError(t, err)
+ log.Warnf("TESTING: [%v] [%v] [%v] [%v]", subTest, log, binPath, rel)
testOneSource(subTest, log, binPath, rel)
})
}
diff --git a/test/testdata/vulncheck/vulncheck.go b/test/testdata/vulncheck/vulncheck.go
index 0b0aecc7a93f..573515250e0c 100644
--- a/test/testdata/vulncheck/vulncheck.go
+++ b/test/testdata/vulncheck/vulncheck.go
@@ -1,4 +1,4 @@
-//golangcitest:args -Evulncheck
+//golangcitest:args --disable-all -Evulncheck .
package vulncheck
import (
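Review bot: The rewritten `vulncheckRun` ignores its settings argument (`_ *config.VulncheckSettings`), so the `vuln-database` option that `VulncheckSettings` declares and `.golangci.reference.yml` documents is now silently dropped; govulncheck accepts a `-db` flag, so the configured URL can be forwarded as another argument to `scan.Command`, or the setting should be removed rather than left as a dead knob. The loop runs one full `scan.Command(ctx, "-json", "-C", filepath.Dir(file), ".")` per file of the package, so a package with ten files triggers ten identical scans of the same directory — deduplicating by directory first is the change sketched below. The three `lintCtx.Log.Errorf` calls here, and the `log.Warnf("TESTING: ...")` added in the test/linters_test.go hunk, are leftover debugging that logs at error level on every run. Stdout and stderr are merged into one buffer whose raw `-json` stream becomes the `Text` of a single position-less issue, so a user sees an undecoded JSON dump rather than one finding per vulnerability; decoding the stream into `result.Issue`s with file positions is the larger follow-up. `context.Background()` still gives a subprocess that fetches the vulnerability database over the network no deadline.
```go
func vulncheckRun(lintCtx *linter.Context, pass *analysis.Pass, _ *config.VulncheckSettings) ([]goanalysis.Issue, error) {
	// Scan each package directory once: getFileNames returns every file of
	// the package and they share a directory, so one scan covers them all.
	var dirs []string
	seen := make(map[string]struct{})
	for _, file := range getFileNames(pass) {
		dir := filepath.Dir(file)
		if _, ok := seen[dir]; ok {
			continue
		}
		seen[dir] = struct{}{}
		dirs = append(dirs, dir)
	}

	ctx := context.Background() // TODO(review): derive a deadline; the scan fetches the database over the network

	var issues []goanalysis.Issue
	for _, dir := range dirs {
		cmd := scan.Command(ctx, "-json", "-C", dir, ".")
		// Keep the JSON report separate from diagnostics so the report can be decoded.
		var stdout, stderr bytes.Buffer
		cmd.Stdout = &stdout
		cmd.Stderr = &stderr
		if err := cmd.Start(); err != nil {
			return nil, err
		}
		if err := cmd.Wait(); err != nil {
			return nil, err
		}
		// … unchanged: wrap stdout into a result.Issue via goanalysis.NewIssue …
	}
	return issues, nil
}
```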