Documentation
¶
Overview ¶
Package govulncheck provides functionality to support the govulncheck command.
Index ¶
- Variables
- type CallStack
- type Config
- type FSCache
- func (c *FSCache) ReadEntries(dbName string, p string) ([]*osv.Entry, error)
- func (c *FSCache) ReadIndex(dbName string) (client.DBIndex, time.Time, error)
- func (c *FSCache) WriteEntries(dbName string, p string, entries []*osv.Entry) error
- func (c *FSCache) WriteIndex(dbName string, index client.DBIndex, retrieved time.Time) error
- type Module
- type Package
- type Result
- type StackFrame
- type Vuln
Constants ¶
This section is empty.
Variables ¶
var LoadMode = packages.NeedName | packages.NeedImports | packages.NeedTypes | packages.NeedSyntax | packages.NeedTypesInfo | packages.NeedDeps | packages.NeedModule
LoadMode is the level of information needed for each package for running golang.org/x/tools/go/packages.Load.
Functions ¶
This section is empty.
Types ¶
type CallStack ¶
type CallStack struct {
// Symbol is the name of the detected vulnerable function
// or method.
//
// This follows the naming convention in the OSV report.
Symbol string
// Summary is a one-line description of the callstack, used by the
// default govulncheck mode.
//
// Example: module3.main calls github.com/shiyanhui/dht.DHT.Run
Summary string
// Frames contains an entry for each stack in the call stack.
//
// Frames are sorted starting from the entry point to the
// imported vulnerable symbol. The last frame in Frames should match
// Symbol.
Frames []*StackFrame
}
CallStacks contains a representative call stack for a vulnerable symbol.
type Config ¶
type Config struct {
// Client is the client used to make requests to a vulnerability
// database(s). If nil, a default client is constructed that makes requests
// to vuln.go.dev.
Client client.Client
// GoVersion specifies the Go version used when analyzing source code.
//
// By default, GoVersion is the go command version found from the PATH.
GoVersion string
}
Config is used for configuring the output of govulncheck.
type FSCache ¶
type FSCache struct {
// contains filtered or unexported fields
}
FSCache is a thread-safe file-system cache implementing osv.Cache
TODO: use something like cmd/go/internal/lockedfile for thread safety?
func DefaultCache ¶
func (*FSCache) ReadEntries ¶
func (*FSCache) WriteEntries ¶
type Module ¶
type Module struct {
// Path is the module path of the module containing the vulnerability.
//
// Importable packages in the standard library will have the path "stdlib".
Path string
// FoundVersion is the module version where the vulnerability was found.
FoundVersion string
// FixedVersion is the module version where the vulnerability was
// fixed. If there are multiple fixed versions in the OSV report, this will
// be the latest fixed version.
//
// This is empty if a fix is not available.
FixedVersion string
// Packages contains all the vulnerable packages in OSV entry that are
// imported by the target source code or binary.
//
// For example, given a module M with two packages M/p1 and M/p2, where
// both p1 and p2 are vulnerable, p1 and p2 will each only appear in this
// list they are individually imported by the target source code or binary.
Packages []*Package
}
Module represents a specific vulnerability relevant to a single module.
type Package ¶
type Package struct {
// Path is the import path of the package containing the vulnerability.
Path string
// CallStacks contains a representative call stack for each
// vulnerable symbol that is called.
//
// For vulnerabilities found from binary analysis, only CallStack.Symbol
// will be provided.
//
// For non-affecting vulnerabilities reported from the source mode
// analysis, this will be empty.
CallStacks []CallStack
}
Package is a Go package with known vulnerable symbols.
type Result ¶
type Result struct {
// Vulns contains all vulnerabilities that are called or imported by
// the analyzed module.
Vulns []*Vuln
}
Result is the result of executing Source or Binary.
func Binary ¶
Binary detects presence of vulnerable symbols in exe.
This function is used for binary analysis by cmd/govulncheck.
func Source ¶
Source reports vulnerabilities that affect the analyzed packages.
Vulnerabilities can be called (affecting the package, because a vulnerable symbol is actually exercised) or just imported by the package (likely having a non-affecting outcome).
This function is used for source code analysis by cmd/govulncheck and exp/govulncheck.
type StackFrame ¶
type StackFrame struct {
// PackagePath is the import path.
PkgPath string
// FuncName is the function name.
FuncName string
// RecvType is the fully qualified receiver type,
// if the called symbol is a method.
//
// The client can create the final symbol name by
// prepending RecvType to FuncName.
RecvType string
// Position describes an arbitrary source position
// including the file, line, and column location.
// A Position is valid if the line number is > 0.
Position token.Position
}
StackFrame represents a call stack entry.
func (*StackFrame) Name ¶
func (sf *StackFrame) Name() string
Name returns the full qualified function name from sf, adjusted to remove pointer annotations.
func (*StackFrame) Pos ¶
func (sf *StackFrame) Pos() string
Pos returns the position of the call in sf as string. If position is not available, return "".
type Vuln ¶
type Vuln struct {
// OSV contains all data from the OSV entry for this vulnerability.
OSV *osv.Entry
// Modules contains all of the modules in the OSV entry where a
// vulnerable package is imported by the target source code or binary.
//
// For example, a module M with two packages M/p1 and M/p2, where only p1
// is vulnerable, will appear in this list if and only if p1 is imported by
// the target source code or binary.
Modules []*Module
}
Vuln represents a single OSV entry.
Source Files