golangci-lint
Add golang.org/x/vuln/vulncheck as a linter
Is your feature request related to a problem? Please describe.
govulncheck allows you to check if your code is calling any vulnerable code.
Describe the solution you'd like.
Add https://pkg.go.dev/golang.org/x/vuln/vulncheck as a linter.
Describe alternatives you've considered.
I can't find another vulnerability checker that can determine if the vulnerable code is being called or not.
Additional context.
No response
Hey, thank you for opening your first Issue! 🙂 If you would like to contribute, we have a guide for contributors.
Hello,
There are several problems:
- vulncheck doesn't use the go/analysis API
- vulncheck is not designed to be used as a library
https://golangci-lint.run/contributing/new-linters/#how-to-add-a-public-linter-to-golangci-lint
https://github.com/golang/vuln/tree/master/cmd/govulncheck
So I will decline this proposal.
Hi,
I think the issue should be re-opened because of https://go.dev/blog/vuln and the vulncheck library that's used by the command govulncheck. I can work on it
Looks like they have an API now, I haven't looked at it though.
To directly integrate vulnerability checking into other tools and processes, the vulncheck package exports govulncheck’s functionality as a Go API.
It seems the mentioned PR is currently a Draft, and since they have an API as Ryan mentioned above, we can re-open this one. @ldez Wdyt?
As vulncheck is based on SSA, I think the integration will not work but I will re-open.
Thanks!
@luxifer Is your PR final? If so, can you please remove draft tag?
I need to rewrite the commit as it's with the wrong address. But yes, I need some feedback on my proposal because it's the first time I'm using go/analysis
I can help you on that if you add me as collaborator in your fork.
Having this tool running as part of the linters will be extremely useful
I didn't really provide my opinion on this topic: I think that vulncheck is not a linter. It's a vulnerability/security tool and should be run as a standalone tool.
Also, as the "rules" of vulncheck are outside the configuration file, golangci-lint will ignore any "rule" changes because it's not a part of the information used to handle the cache. This will lead to the same kind of problems as ruleguard (a part of go-critic) #1999
As you can understand, for now, I disagree with the integration of vulncheck, but I'm not alone on this project, and I can change my mind over time, I will wait for feedback from other maintainers.
I'm not making any decision at this time.
I understand your concerns about that. And the fact that the database is external makes it difficult to integrate properly with caching. Anyway, if it's not integrated, it's not a big deal for me, and it helped me better understand the internal structure of this project.
Maybe we can close this issue as well?
Yes, I will close it, thank you @luxifer