From e3a5c495d7f3849dc222e07dcf96fe0c1fd9a85f Mon Sep 17 00:00:00 2001 From: Ian Cottrell Date: Tue, 15 Aug 2023 17:52:15 -0400 Subject: [PATCH] internal/scan: add -version flag Only print the config block when -version is present Change to be more verbose but more readable now it is not always printed. Also don't print the usage just because there were no patterns. Fixes #53867 Change-Id: I282a5332c11eef535286133fc2425afa7f46942b Reviewed-on: https://go-review.googlesource.com/c/vuln/+/519815 Run-TryBot: Ian Cottrell TryBot-Result: Gopher Robot Reviewed-by: Maceo Thompson Reviewed-by: Zvonimir Pavlinovic Auto-Submit: Ian Cottrell --- cmd/govulncheck/main_command_118_test.go | 8 ++-- cmd/govulncheck/testdata/binary_fail.ct | 2 - cmd/govulncheck/testdata/binary_text.ct | 2 - cmd/govulncheck/testdata/convert_text.ct | 2 - cmd/govulncheck/testdata/source_fail.ct | 4 -- .../testdata/source_informational_text.ct | 2 - .../testdata/source_multientry_text.ct | 4 -- .../testdata/source_replace_text.ct | 2 - .../testdata/source_stdlib_text.ct | 4 -- .../testdata/source_subdir_text.ct | 4 -- cmd/govulncheck/testdata/source_vuln_text.ct | 4 -- cmd/govulncheck/testdata/strip/strip.ct | 2 - cmd/govulncheck/testdata/usage.ct | 39 +++++++----------- internal/scan/flags.go | 9 +++-- internal/scan/source.go | 3 ++ internal/scan/testdata/binary.txt | 2 - internal/scan/testdata/multi-stacks.txt | 2 - internal/scan/testdata/no-vulns.txt | 2 - internal/scan/testdata/platform-all.txt | 2 - .../scan/testdata/platform-one-arch-only.txt | 2 - .../scan/testdata/platform-one-import.txt | 2 - .../scan/testdata/platform-two-imports.txt | 2 - .../scan/testdata/platform-two-os-only.txt | 2 - internal/scan/testdata/source.txt | 2 - internal/scan/testdata/source_traces.txt | 2 - internal/scan/text.go | 40 ++++++++++--------- 26 files changed, 49 insertions(+), 102 deletions(-) diff --git a/cmd/govulncheck/main_command_118_test.go b/cmd/govulncheck/main_command_118_test.go index 4a5eeacb..7f056c4e 100644 --- a/cmd/govulncheck/main_command_118_test.go +++ b/cmd/govulncheck/main_command_118_test.go @@ -59,8 +59,8 @@ var fixups = []fixup{ pattern: `Scanning your code and (\d+) packages across (\d+)`, replace: `Scanning your code and P packages across M`, }, { - pattern: `govulncheck@v([^ ]*) `, - replace: `govulncheck@v0.0.0-00000000000-20000101010101 `, + pattern: `Scanner: govulncheck@v.*`, + replace: `Scanner: govulncheck@v1.0.0`, }, { pattern: `"([^"]*") is a file`, replace: `govulncheck: myfile is a file`, @@ -77,8 +77,8 @@ var fixups = []fixup{ pattern: `modified (.*)\)`, replace: `modified 01 Jan 21 00:00 UTC)`, }, { - pattern: `Using (go1.[\.\d]*|devel).* and`, - replace: `Using go1.18 and`, + pattern: `Go: (go1.[\.\d]*|devel).*`, + replace: `Go: go1.18`, }, { pattern: `"go_version": "go[^\s"]*"`, replace: `"go_version": "go1.18"`, diff --git a/cmd/govulncheck/testdata/binary_fail.ct b/cmd/govulncheck/testdata/binary_fail.ct index e2d6120a..07548d02 100644 --- a/cmd/govulncheck/testdata/binary_fail.ct +++ b/cmd/govulncheck/testdata/binary_fail.ct @@ -6,8 +6,6 @@ $ govulncheck -mode=binary notafile --> FAIL 2 ##### # Test of passing a non-binary file to -mode=binary $ govulncheck -mode=binary ${moddir}/vuln/go.mod --> FAIL 1 -Using govulncheck@v0.0.0-00000000000-20000101010101 with vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC). - Scanning your binary for known vulnerabilities... govulncheck: could not parse provided binary: unrecognized file format diff --git a/cmd/govulncheck/testdata/binary_text.ct b/cmd/govulncheck/testdata/binary_text.ct index 453f610b..1c151d35 100644 --- a/cmd/govulncheck/testdata/binary_text.ct +++ b/cmd/govulncheck/testdata/binary_text.ct @@ -1,8 +1,6 @@ ##### # Test basic binary scanning with text output $ govulncheck -mode=binary ${vuln_binary} --> FAIL 3 -Using govulncheck@v0.0.0-00000000000-20000101010101 with vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC). - Scanning your binary for known vulnerabilities... Vulnerability #1: GO-2021-0265 diff --git a/cmd/govulncheck/testdata/convert_text.ct b/cmd/govulncheck/testdata/convert_text.ct index 7accd04e..e12cbc25 100644 --- a/cmd/govulncheck/testdata/convert_text.ct +++ b/cmd/govulncheck/testdata/convert_text.ct @@ -1,8 +1,6 @@ ##### # Test using the conversion from json on stdin to text on stdout $ govulncheck -mode=convert < convert_input.json -Using go1.18 and govulncheck@v0.0.0-00000000000-20000101010101 with vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC). - Scanning your code and P packages across M dependent modules for known vulnerabilities... Vulnerability #1: GO-2021-0265 diff --git a/cmd/govulncheck/testdata/source_fail.ct b/cmd/govulncheck/testdata/source_fail.ct index 7128a2dc..1853e8f2 100644 --- a/cmd/govulncheck/testdata/source_fail.ct +++ b/cmd/govulncheck/testdata/source_fail.ct @@ -1,8 +1,6 @@ ##### # Test of missing go.mod error message. $ govulncheck -C ${moddir}/nogomod . --> FAIL 1 -Using go1.18 and govulncheck@v0.0.0-00000000000-20000101010101 with vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC). - govulncheck: no go.mod file govulncheck only works with Go modules. Try navigating to your module directory. @@ -24,8 +22,6 @@ For details, run govulncheck -h. ##### # Test of handing an invalid package pattern to source mode $ govulncheck -C ${moddir}/vuln blah --> FAIL 1 -Using go1.18 and govulncheck@v0.0.0-00000000000-20000101010101 with vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC). - govulncheck: loading packages: There are errors with the provided package patterns: diff --git a/cmd/govulncheck/testdata/source_informational_text.ct b/cmd/govulncheck/testdata/source_informational_text.ct index a8d1047e..1e6e36c6 100644 --- a/cmd/govulncheck/testdata/source_informational_text.ct +++ b/cmd/govulncheck/testdata/source_informational_text.ct @@ -1,8 +1,6 @@ ##### # Test souce mode with no callstacks $ govulncheck -C ${moddir}/informational -show=traces . -Using go1.18 and govulncheck@v0.0.0-00000000000-20000101010101 with vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC). - Scanning your code and P packages across M dependent modules for known vulnerabilities... === Informational === diff --git a/cmd/govulncheck/testdata/source_multientry_text.ct b/cmd/govulncheck/testdata/source_multientry_text.ct index d2776ee6..575fa63b 100644 --- a/cmd/govulncheck/testdata/source_multientry_text.ct +++ b/cmd/govulncheck/testdata/source_multientry_text.ct @@ -1,8 +1,6 @@ ##### # Test for multiple call stacks in source mode with expanded traces $ govulncheck -C ${moddir}/multientry . --> FAIL 3 -Using go1.18 and govulncheck@v0.0.0-00000000000-20000101010101 with vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC). - Scanning your code and P packages across M dependent module for known vulnerabilities... Vulnerability #1: GO-2021-0113 @@ -25,8 +23,6 @@ Share feedback at https://go.dev/s/govulncheck-feedback. ##### # Test for multple call stacks in source mode with expanded traces $ govulncheck -C ${moddir}/multientry -show=traces ./... --> FAIL 3 -Using go1.18 and govulncheck@v0.0.0-00000000000-20000101010101 with vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC). - Scanning your code and P packages across M dependent module for known vulnerabilities... Vulnerability #1: GO-2021-0113 diff --git a/cmd/govulncheck/testdata/source_replace_text.ct b/cmd/govulncheck/testdata/source_replace_text.ct index 5861e67d..efcad002 100644 --- a/cmd/govulncheck/testdata/source_replace_text.ct +++ b/cmd/govulncheck/testdata/source_replace_text.ct @@ -2,8 +2,6 @@ # Test of source mode on a module with a replace directive. $ govulncheck -C ${moddir}/replace ./... --> FAIL 3 -Using go1.18 and govulncheck@v0.0.0-00000000000-20000101010101 with vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC). - Scanning your code and P packages across M dependent module for known vulnerabilities... Vulnerability #1: GO-2021-0113 diff --git a/cmd/govulncheck/testdata/source_stdlib_text.ct b/cmd/govulncheck/testdata/source_stdlib_text.ct index 5b4f2041..2b4a0cef 100644 --- a/cmd/govulncheck/testdata/source_stdlib_text.ct +++ b/cmd/govulncheck/testdata/source_stdlib_text.ct @@ -1,8 +1,6 @@ ##### # Test finding stdlib vulnerability in source mode $ govulncheck -C ${moddir}/stdlib . --> FAIL 3 -Using go1.18 and govulncheck@v0.0.0-00000000000-20000101010101 with vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC). - Scanning your code and P packages across M dependent modules for known vulnerabilities... Vulnerability #1: GO-2022-0969 @@ -23,8 +21,6 @@ Share feedback at https://go.dev/s/govulncheck-feedback. ##### # Test finding stdlib vulnerability in source mode with expanded traces $ govulncheck -C ${moddir}/stdlib -show=traces . --> FAIL 3 -Using go1.18 and govulncheck@v0.0.0-00000000000-20000101010101 with vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC). - Scanning your code and P packages across M dependent modules for known vulnerabilities... Vulnerability #1: GO-2022-0969 diff --git a/cmd/govulncheck/testdata/source_subdir_text.ct b/cmd/govulncheck/testdata/source_subdir_text.ct index 8faabf07..18990557 100644 --- a/cmd/govulncheck/testdata/source_subdir_text.ct +++ b/cmd/govulncheck/testdata/source_subdir_text.ct @@ -1,8 +1,6 @@ ##### # Test govulncheck runs on the subdirectory of a module $ govulncheck -C ${moddir}/vuln/subdir . --> FAIL 3 -Using go1.18 and govulncheck@v0.0.0-00000000000-20000101010101 with vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC). - Scanning your code and P packages across M dependent module for known vulnerabilities... Vulnerability #1: GO-2021-0113 @@ -24,8 +22,6 @@ Share feedback at https://go.dev/s/govulncheck-feedback. ##### # Test govulncheck runs on the subdirectory of a module $ govulncheck -C ${moddir}/vuln/subdir -show=traces . --> FAIL 3 -Using go1.18 and govulncheck@v0.0.0-00000000000-20000101010101 with vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC). - Scanning your code and P packages across M dependent module for known vulnerabilities... Vulnerability #1: GO-2021-0113 diff --git a/cmd/govulncheck/testdata/source_vuln_text.ct b/cmd/govulncheck/testdata/source_vuln_text.ct index 47dad389..90163856 100644 --- a/cmd/govulncheck/testdata/source_vuln_text.ct +++ b/cmd/govulncheck/testdata/source_vuln_text.ct @@ -1,8 +1,6 @@ ##### # Test of basic govulncheck in source mode $ govulncheck -C ${moddir}/vuln ./... --> FAIL 3 -Using go1.18 and govulncheck@v0.0.0-00000000000-20000101010101 with vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC). - Scanning your code and P packages across M dependent modules for known vulnerabilities... Vulnerability #1: GO-2021-0265 @@ -50,8 +48,6 @@ Share feedback at https://go.dev/s/govulncheck-feedback. ##### # Test of basic govulncheck in source mode with expanded traces $ govulncheck -C ${moddir}/vuln -show=traces ./... --> FAIL 3 -Using go1.18 and govulncheck@v0.0.0-00000000000-20000101010101 with vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC). - Scanning your code and P packages across M dependent modules for known vulnerabilities... Vulnerability #1: GO-2021-0265 diff --git a/cmd/govulncheck/testdata/strip/strip.ct b/cmd/govulncheck/testdata/strip/strip.ct index 0ca35ebd..04f07c79 100644 --- a/cmd/govulncheck/testdata/strip/strip.ct +++ b/cmd/govulncheck/testdata/strip/strip.ct @@ -1,8 +1,6 @@ # Test for stripped binaries (see #57764). $ govulncheck -mode=binary ${strip_binary} --> FAIL 3 -Using govulncheck@v0.0.0-00000000000-20000101010101 with vulnerability data from testdata/vulndb-v1 (last modified 01 Jan 21 00:00 UTC). - Scanning your binary for known vulnerabilities... Vulnerability #1: GO-2021-0113 diff --git a/cmd/govulncheck/testdata/usage.ct b/cmd/govulncheck/testdata/usage.ct index b9fa3fbd..778aec85 100644 --- a/cmd/govulncheck/testdata/usage.ct +++ b/cmd/govulncheck/testdata/usage.ct @@ -25,35 +25,26 @@ Usage: comma-separated list of build tags -test analyze test files (only valid for source mode) + -version + print the version information For details, see https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck. ##### -# Same output as -h, but failure. -$ govulncheck --> FAIL 2 -Govulncheck reports known vulnerabilities in dependencies. +# Not scanning anything. +$ govulncheck +No vulnerabilities found. -Usage: +Share feedback at https://go.dev/s/govulncheck-feedback. - govulncheck [flags] [patterns] - govulncheck -mode=binary [flags] [binary] +##### +# Reporting version without scanning anything. +$ govulncheck -version +Go: go1.18 +Scanner: govulncheck@v1.0.0 +DB: testdata/vulndb-v1 +DB updated: 2023-04-03 15:57:51 +0000 UTC - -C dir - change to dir before running govulncheck - -db url - vulnerability database url (default "https://vuln.go.dev") - -json - output JSON - -mode string - supports source or binary (default "source") - -scan string - set the scanning level desired, one of module, package or symbol (default "symbol") - -show list - enable display of additional information specified by the comma separated list - The only supported value is 'traces' - -tags list - comma-separated list of build tags - -test - analyze test files (only valid for source mode) +No vulnerabilities found. -For details, see https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck. +Share feedback at https://go.dev/s/govulncheck-feedback. \ No newline at end of file diff --git a/internal/scan/flags.go b/internal/scan/flags.go index 071a3365..ce7096d7 100644 --- a/internal/scan/flags.go +++ b/internal/scan/flags.go @@ -39,6 +39,7 @@ const ( func parseFlags(cfg *config, stderr io.Writer, args []string) error { var tagsFlag buildutil.TagsFlag var showFlag showFlag + var version bool flags := flag.NewFlagSet("", flag.ContinueOnError) flags.SetOutput(stderr) flags.BoolVar(&cfg.json, "json", false, "output JSON") @@ -48,6 +49,7 @@ func parseFlags(cfg *config, stderr io.Writer, args []string) error { flags.StringVar(&cfg.mode, "mode", modeSource, "supports source or binary") flags.Var(&tagsFlag, "tags", "comma-separated `list` of build tags") flags.Var(&showFlag, "show", "enable display of additional information specified by the comma separated `list`\nThe only supported value is 'traces'") + flags.BoolVar(&version, "version", false, "print the version information") scanLevel := flags.String("scan", "symbol", "set the scanning level desired, one of module, package or symbol") flags.Usage = func() { fmt.Fprint(flags.Output(), `Govulncheck reports known vulnerabilities in dependencies. @@ -68,12 +70,11 @@ Usage: return err } cfg.patterns = flags.Args() - if cfg.mode != modeConvert && len(cfg.patterns) == 0 { - flags.Usage() - return errUsage - } cfg.tags = tagsFlag cfg.show = showFlag + if version { + cfg.show = append(cfg.show, "version") + } cfg.ScanLevel = govulncheck.ScanLevel(*scanLevel) if err := validateConfig(cfg); err != nil { fmt.Fprintln(flags.Output(), err) diff --git a/internal/scan/source.go b/internal/scan/source.go index cfdc1227..ca3f2e0a 100644 --- a/internal/scan/source.go +++ b/internal/scan/source.go @@ -23,6 +23,9 @@ import ( // symbol is actually exercised) or just imported by the package // (likely having a non-affecting outcome). func runSource(ctx context.Context, handler govulncheck.Handler, cfg *config, client *client.Client, dir string) error { + if len(cfg.patterns) == 0 { + return nil + } var pkgs []*packages.Package graph := vulncheck.NewPackageGraph(cfg.GoVersion) pkgConfig := &packages.Config{ diff --git a/internal/scan/testdata/binary.txt b/internal/scan/testdata/binary.txt index 9bbd7516..aabc895b 100644 --- a/internal/scan/testdata/binary.txt +++ b/internal/scan/testdata/binary.txt @@ -1,5 +1,3 @@ -Using govulncheck with vulnerability data from . - Vulnerability #1: GO-0000-0002 Stdlib vulnerability More info: https://pkg.go.dev/vuln/GO-0000-0002 diff --git a/internal/scan/testdata/multi-stacks.txt b/internal/scan/testdata/multi-stacks.txt index 8fd6a20e..fd8a6293 100644 --- a/internal/scan/testdata/multi-stacks.txt +++ b/internal/scan/testdata/multi-stacks.txt @@ -1,5 +1,3 @@ -Using govulncheck with vulnerability data from . - Vulnerability #1: GO-0000-0001 Third-party vulnerability More info: https://pkg.go.dev/vuln/GO-0000-0001 diff --git a/internal/scan/testdata/no-vulns.txt b/internal/scan/testdata/no-vulns.txt index dd753c19..45389ff7 100644 --- a/internal/scan/testdata/no-vulns.txt +++ b/internal/scan/testdata/no-vulns.txt @@ -1,5 +1,3 @@ -Using govulncheck with vulnerability data from . - === Informational === Found 1 vulnerability in packages that you import, but there are no call diff --git a/internal/scan/testdata/platform-all.txt b/internal/scan/testdata/platform-all.txt index 1c456fe9..d3ae80bd 100644 --- a/internal/scan/testdata/platform-all.txt +++ b/internal/scan/testdata/platform-all.txt @@ -1,5 +1,3 @@ -Using govulncheck with vulnerability data from . - === Informational === Found 1 vulnerability in packages that you import, but there are no call diff --git a/internal/scan/testdata/platform-one-arch-only.txt b/internal/scan/testdata/platform-one-arch-only.txt index 2884b459..81283df2 100644 --- a/internal/scan/testdata/platform-one-arch-only.txt +++ b/internal/scan/testdata/platform-one-arch-only.txt @@ -1,5 +1,3 @@ -Using govulncheck with vulnerability data from . - === Informational === Found 1 vulnerability in packages that you import, but there are no call diff --git a/internal/scan/testdata/platform-one-import.txt b/internal/scan/testdata/platform-one-import.txt index 80d3cc8e..9f372a7a 100644 --- a/internal/scan/testdata/platform-one-import.txt +++ b/internal/scan/testdata/platform-one-import.txt @@ -1,5 +1,3 @@ -Using govulncheck with vulnerability data from . - === Informational === Found 1 vulnerability in packages that you import, but there are no call diff --git a/internal/scan/testdata/platform-two-imports.txt b/internal/scan/testdata/platform-two-imports.txt index 0445288d..554e5f87 100644 --- a/internal/scan/testdata/platform-two-imports.txt +++ b/internal/scan/testdata/platform-two-imports.txt @@ -1,5 +1,3 @@ -Using govulncheck with vulnerability data from . - === Informational === Found 1 vulnerability in packages that you import, but there are no call diff --git a/internal/scan/testdata/platform-two-os-only.txt b/internal/scan/testdata/platform-two-os-only.txt index 68e54c83..d3d6b185 100644 --- a/internal/scan/testdata/platform-two-os-only.txt +++ b/internal/scan/testdata/platform-two-os-only.txt @@ -1,5 +1,3 @@ -Using govulncheck with vulnerability data from . - === Informational === Found 1 vulnerability in packages that you import, but there are no call diff --git a/internal/scan/testdata/source.txt b/internal/scan/testdata/source.txt index abdf57a8..5278bc8f 100644 --- a/internal/scan/testdata/source.txt +++ b/internal/scan/testdata/source.txt @@ -1,5 +1,3 @@ -Using govulncheck with vulnerability data from . - Vulnerability #1: GO-0000-0001 Third-party vulnerability More info: https://pkg.go.dev/vuln/GO-0000-0001 diff --git a/internal/scan/testdata/source_traces.txt b/internal/scan/testdata/source_traces.txt index 18769f59..7155ef38 100644 --- a/internal/scan/testdata/source_traces.txt +++ b/internal/scan/testdata/source_traces.txt @@ -1,5 +1,3 @@ -Using govulncheck with vulnerability data from . - Vulnerability #1: GO-0000-0001 Third-party vulnerability More info: https://pkg.go.dev/vuln/GO-0000-0001 diff --git a/internal/scan/text.go b/internal/scan/text.go index 0364d5ea..879f5ab7 100644 --- a/internal/scan/text.go +++ b/internal/scan/text.go @@ -18,8 +18,6 @@ type style int const ( defaultStyle = style(iota) - goStyle - scannerStyle osvCalledStyle osvImportedStyle detailsStyle @@ -40,8 +38,9 @@ type TextHandler struct { err error - showColor bool - showTraces bool + showColor bool + showTraces bool + showVersion bool } const ( @@ -57,6 +56,8 @@ func (h *TextHandler) Show(show []string) { h.showTraces = true case "color": h.showColor = true + case "version": + h.showVersion = true } } } @@ -82,25 +83,32 @@ func (h *TextHandler) Flush() error { return nil } -// Config writes text output formatted according to govulncheck-intro.tmpl. +// Config writes version information only if --version was set. func (h *TextHandler) Config(config *govulncheck.Config) error { - h.print("Using ") + if !h.showVersion { + return nil + } if config.GoVersion != "" { - h.style(goStyle, config.GoVersion) - h.print(` and `) + h.style(keyStyle, "Go: ") + h.print(config.GoVersion, "\n") } if config.ScannerName != "" { - h.style(scannerStyle, config.ScannerName) + h.style(keyStyle, "Scanner: ") + h.print(config.ScannerName) if config.ScannerVersion != "" { h.print(`@`, config.ScannerVersion) } - h.print(` with `) + h.print("\n") } - h.print(`vulnerability data from `, config.DB) - if config.DBLastModified != nil { - h.print(` (last modified `, *config.DBLastModified, `)`) + if config.DB != "" { + h.style(keyStyle, "DB: ") + h.print(config.DB, "\n") + if config.DBLastModified != nil { + h.style(keyStyle, "DB updated: ") + h.print(*config.DBLastModified, "\n") + } } - h.print(".\n\n") + h.print("\n") return h.err } @@ -279,10 +287,6 @@ func (h *TextHandler) style(style style, values ...any) { switch style { default: h.print(colorReset) - case goStyle: - h.print(colorBold) - case scannerStyle: - h.print(colorBold) case osvCalledStyle: h.print(colorBold, fgRed) case osvImportedStyle: