google · another-rex · Feb 27, 2023 · Jan 25, 2023 · Jan 29, 2023 · Jan 30, 2023
diff --git a/cmd/osv-scanner/main.go b/cmd/osv-scanner/main.go
@@ -89,6 +89,11 @@ func run(args []string, stdout, stderr io.Writer) int {
 				Usage:   "check subdirectories",
 				Value:   false,
 			},
+			&cli.BoolFlag{
+				Name:  "call-analysis",
+				Usage: "attempt call analysis on code to detect only active vulnerabilities",
+				Value: false,
+			},
 			&cli.BoolFlag{
 				Name:  "no-ignore",
 				Usage: "also scan files that would be ignored by .gitignore",
@@ -106,14 +111,15 @@ func run(args []string, stdout, stderr io.Writer) int {
 			r = output.NewReporter(stdout, stderr, format)
 
 			vulnResult, err := osvscanner.DoScan(osvscanner.ScannerActions{
-				LockfilePaths:        context.StringSlice("lockfile"),
-				SBOMPaths:            context.StringSlice("sbom"),
-				DockerContainerNames: context.StringSlice("docker"),
-				Recursive:            context.Bool("recursive"),
-				SkipGit:              context.Bool("skip-git"),
-				NoIgnore:             context.Bool("no-ignore"),
-				ConfigOverridePath:   context.String("config"),
-				DirectoryPaths:       context.Args().Slice(),
+				LockfilePaths:            context.StringSlice("lockfile"),
+				SBOMPaths:                context.StringSlice("sbom"),
+				DockerContainerNames:     context.StringSlice("docker"),
+				Recursive:                context.Bool("recursive"),
+				SkipGit:                  context.Bool("skip-git"),
+				NoIgnore:                 context.Bool("no-ignore"),
+				ConfigOverridePath:       context.String("config"),
+				DirectoryPaths:           context.Args().Slice(),
+				ExperimentalCallAnalysis: context.Bool("experimental-call-analysis"),
 			}, r)
 
 			if errPrint := r.PrintResult(&vulnResult); errPrint != nil {

diff --git a/go.mod b/go.mod
@@ -15,6 +15,8 @@ require (
 	golang.org/x/exp v0.0.0-20230212135524-a684f29349b6
 	golang.org/x/mod v0.8.0
 	golang.org/x/term v0.5.0
+	golang.org/x/tools v0.5.1-0.20230117180257-8aba49bb5ea2
+	golang.org/x/vuln v0.0.0-20230118164824-4ec8867cc0e6
 	gopkg.in/yaml.v2 v2.4.0
 )
 
@@ -39,7 +41,7 @@ require (
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
 	golang.org/x/crypto v0.3.0 // indirect
-	golang.org/x/net v0.2.0 // indirect
+	golang.org/x/net v0.5.0 // indirect
 	golang.org/x/sys v0.5.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -14,6 +14,7 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPd
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
 github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
+github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI=
 github.com/cloudflare/circl v1.1.0 h1:bZgT/A+cikZnKIwn7xL2OBj012Bmvho/o6RpRvv3GKY=
 github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I=
 github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w=
@@ -115,10 +116,12 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
+golang.org/x/net v0.5.0 h1:GyT4nK/YDHSqa1c4753ouYCDajOYKTja9Xb/OHtgvSw=
+golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -148,11 +151,15 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.6.0 h1:3XmdazWV+ubf7QgHSTWeykHOci5oeekaGJBLkrkaw4k=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.5.1-0.20230117180257-8aba49bb5ea2 h1:v0FhRDmSCNH/0EurAT6T8KRY4aNuUhz6/WwBMxG+gvQ=
+golang.org/x/tools v0.5.1-0.20230117180257-8aba49bb5ea2/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k=
+golang.org/x/vuln v0.0.0-20230118164824-4ec8867cc0e6 h1:XZD8apnMaMVuqE3ZEzf5JJncKMlOsMnnov7U+JRT/d4=
+golang.org/x/vuln v0.0.0-20230118164824-4ec8867cc0e6/go.mod h1:cBP4HMKv0X+x96j8IJWCKk0eqpakBmmHjKGSSC0NaYE=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -170,4 +177,6 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+honnef.co/go/tools v0.2.2 h1:MNh1AVMyVX23VUHE2O27jm6lNj3vjO5DexS4A1xvnzk=
+mvdan.cc/unparam v0.0.0-20211214103731-d0ef000c54e5 h1:Jh3LAeMt1eGpxomyu3jVkmVZWW2MxZ1qIIV2TZ/nRio=
 sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
diff --git a/internal/govulncheckshim/client.go b/internal/govulncheckshim/client.go
@@ -0,0 +1,110 @@
+package govulncheckshim
+
+import (
+	"context"
+	"encoding/json"
+	"time"
+
+	"github.com/google/osv-scanner/pkg/models"
+	"golang.org/x/vuln/client"
+	gvcOSV "golang.org/x/vuln/osv"
+)
+
+type localSource struct {
+	vulnList         []models.Vulnerability
+	vulnsByID        map[string]*models.Vulnerability
+	vulnsByAlias     map[string][]*models.Vulnerability
+	vulnsByModule    map[string][]*models.Vulnerability
+	lastModifiedTime time.Time
+	client.Client
+}
+
+func newClient(vulns []models.Vulnerability) *localSource {
+	client := localSource{
+		vulnList:         vulns,
+		vulnsByID:        make(map[string]*models.Vulnerability),
+		vulnsByAlias:     make(map[string][]*models.Vulnerability),
+		vulnsByModule:    make(map[string][]*models.Vulnerability),
+		lastModifiedTime: time.Unix(0, 0),
+	}
+	for idx := range vulns {
+		// Iterate on reference to avoid copying entire data structure
+		v := &client.vulnList[idx]
+		client.vulnsByID[v.ID] = v
+		for _, alias := range v.Aliases {
+			client.vulnsByAlias[alias] = append(client.vulnsByAlias[alias], v)
+		}
+		for _, affected := range v.Affected {
+			client.vulnsByModule[affected.Package.Name] = append(client.vulnsByModule[affected.Package.Name], v)
+		}
+		if client.lastModifiedTime.Before(v.Modified) {
+			client.lastModifiedTime = v.Modified
+		}
+	}
+
+	return &client
+}
+
+func convertToGvcOSV(osv models.Vulnerability) gvcOSV.Entry {
+	val, err := json.Marshal(osv)
+	if err != nil {
+		panic("failed to convert vulnerability")
+	}
+	response := gvcOSV.Entry{}
+	err = json.Unmarshal(val, &response)
+	if err != nil {
+		panic("gvc format is no longer compatible with osv format")
+	}
+
+	return response
+}
+
+func (ls *localSource) GetByModule(ctx context.Context, modulePath string) ([]*gvcOSV.Entry, error) {
+	//nolint:prealloc // Need to be nil if none exists
+	var entries []*gvcOSV.Entry
+	for _, v := range ls.vulnsByModule[modulePath] {
+		res := convertToGvcOSV(*v)
+		entries = append(entries, &res)
+	}
+
+	return entries, nil
+}
+
+func (ls *localSource) GetByID(ctx context.Context, id string) (*gvcOSV.Entry, error) {
+	entry, ok := ls.vulnsByID[id]
+	if !ok {
+		//nolint:nilnil // This follows govulncheck's client implementation
+		// See: https://github.com/golang/vuln/blob/master/client/client.go
+		return nil, nil
+	}
+	response := convertToGvcOSV(*entry)
+
+	return &response, nil
+}
+
+func (ls *localSource) GetByAlias(ctx context.Context, alias string) ([]*gvcOSV.Entry, error) {
+	//nolint:prealloc // Need to be nil if none exists
+	var entries []*gvcOSV.Entry
+
+	for _, v := range ls.vulnsByAlias[alias] {
+		res := convertToGvcOSV(*v)
+		entries = append(entries, &res)
+	}
+
+	return entries, nil
+}
+
+func (ls *localSource) ListIDs(ctx context.Context) ([]string, error) {
+	//nolint:prealloc // Need to be nil if none exists
+	var ids []string
+	for i := range ls.vulnList {
+		ids = append(ids, ls.vulnList[i].ID)
+	}
+
+	return ids, nil
+}
+
+func (ls *localSource) LastModifiedTime(context.Context) (time.Time, error) {
+	// Assume that if anything changes, the index does.
+	return ls.lastModifiedTime, nil
+}