diff --git a/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_call_json.ct b/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_call_json.ct
index 31e4806b..b48f5744 100644
--- a/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_call_json.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_call_json.ct
@@ -17,6 +17,16 @@ $ govulncheck -format json -mode binary ${common_vuln_binary}
 "message": "Scanning your binary for known vulnerabilities..."
 }
 }
+{
+ "progress": {
+ "message": "Fetching vulnerabilities from the database..."
+ }
+}
+{
+ "progress": {
+ "message": "Checking the code against the vulnerabilities..."
+ }
+}
 {
 "osv": {
 "schema_version": "1.3.1",
diff --git a/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vendored_json.ct b/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vendored_json.ct
index f1435c22..94a8669c 100644
--- a/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vendored_json.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vendored_json.ct
@@ -17,6 +17,16 @@ $ govulncheck -format json -mode binary ${common_vendored_binary}
 "message": "Scanning your binary for known vulnerabilities..."
 }
 }
+{
+ "progress": {
+ "message": "Fetching vulnerabilities from the database..."
+ }
+}
+{
+ "progress": {
+ "message": "Checking the code against the vulnerabilities..."
+ }
+}
 {
 "osv": {
 "schema_version": "1.3.1",
diff --git a/cmd/govulncheck/testdata/common/testfiles/binary-module/binary_module_json.ct b/cmd/govulncheck/testdata/common/testfiles/binary-module/binary_module_json.ct
index d41d68e6..7eb8029f 100644
--- a/cmd/govulncheck/testdata/common/testfiles/binary-module/binary_module_json.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/binary-module/binary_module_json.ct
@@ -17,6 +17,16 @@ $ govulncheck -format json -mode binary -scan module ${common_vuln_binary}
 "message": "Scanning your binary for known vulnerabilities..."
 }
 }
+{
+ "progress": {
+ "message": "Fetching vulnerabilities from the database..."
+ }
+}
+{
+ "progress": {
+ "message": "Checking the code against the vulnerabilities..."
+ }
+}
 {
 "osv": {
 "schema_version": "1.3.1",
diff --git a/cmd/govulncheck/testdata/common/testfiles/binary-package/binary_package_json.ct b/cmd/govulncheck/testdata/common/testfiles/binary-package/binary_package_json.ct
index cac29b3b..43e08c48 100644
--- a/cmd/govulncheck/testdata/common/testfiles/binary-package/binary_package_json.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/binary-package/binary_package_json.ct
@@ -17,6 +17,16 @@ $ govulncheck -format json -mode binary -scan package ${common_vuln_binary}
 "message": "Scanning your binary for known vulnerabilities..."
 }
 }
+{
+ "progress": {
+ "message": "Fetching vulnerabilities from the database..."
+ }
+}
+{
+ "progress": {
+ "message": "Checking the code against the vulnerabilities..."
+ }
+}
 {
 "osv": {
 "schema_version": "1.3.1",
diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_json.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_json.ct
index 8ab84e64..1f055c2e 100644
--- a/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_json.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_json.ct
@@ -17,6 +17,16 @@ $ govulncheck -C ${moddir}/vuln -format json ./...
 "message": "Scanning your code and P packages across M dependent modules for known vulnerabilities..."
 }
 }
+{
+ "progress": {
+ "message": "Fetching vulnerabilities from the database..."
+ }
+}
+{
+ "progress": {
+ "message": "Checking the code against the vulnerabilities..."
+ }
+}
 {
 "osv": {
 "schema_version": "1.3.1",
diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_text.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_text.ct index f03625a9..ee2303fe 100644 --- a/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_text.ct +++ b/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_text.ct @@ -101,6 +101,10 @@ Use '-show verbose' for more details. $ govulncheck -C ${moddir}/vuln -show verbose ./... --> FAIL 3 Scanning your code and P packages across M dependent modules for known vulnerabilities... +Fetching vulnerabilities from the database... + +Checking the code against the vulnerabilities... + === Symbol Results === Vulnerability #1: GO-2021-0265 diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_multientry_json.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_multientry_json.ct index f316fb61..58d77058 100644 --- a/cmd/govulncheck/testdata/common/testfiles/source-call/source_multientry_json.ct +++ b/cmd/govulncheck/testdata/common/testfiles/source-call/source_multientry_json.ct @@ -18,6 +18,16 @@ $ govulncheck -format json -C ${moddir}/multientry . "message": "Scanning your code and P packages across M dependent modules for known vulnerabilities..." } } +{ + "progress": { + "message": "Fetching vulnerabilities from the database..." + } +} +{ + "progress": { + "message": "Checking the code against the vulnerabilities..." + } +} { "osv": { "schema_version": "1.3.1", diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_multientry_text.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_multientry_text.ct index d6138db9..5e03a39f 100644 --- a/cmd/govulncheck/testdata/common/testfiles/source-call/source_multientry_text.ct +++ b/cmd/govulncheck/testdata/common/testfiles/source-call/source_multientry_text.ct 
@@ -26,6 +26,10 @@ Use '-show verbose' for more details. $ govulncheck -show verbose -C ${moddir}/multientry -show=traces ./... --> FAIL 3 Scanning your code and P packages across M dependent modules for known vulnerabilities... +Fetching vulnerabilities from the database... + +Checking the code against the vulnerabilities... + === Symbol Results === Vulnerability #1: GO-2021-0113 diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_replace_json.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_replace_json.ct index bf643579..c94fef5a 100644 --- a/cmd/govulncheck/testdata/common/testfiles/source-call/source_replace_json.ct +++ b/cmd/govulncheck/testdata/common/testfiles/source-call/source_replace_json.ct @@ -18,6 +18,16 @@ $ govulncheck -C ${moddir}/replace -format json ./... "message": "Scanning your code and P packages across M dependent modules for known vulnerabilities..." } } +{ + "progress": { + "message": "Fetching vulnerabilities from the database..." + } +} +{ + "progress": { + "message": "Checking the code against the vulnerabilities..." + } +} { "osv": { "schema_version": "1.3.1", diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_vendored_json.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_vendored_json.ct index 3c1fca21..5464bf8c 100644 --- a/cmd/govulncheck/testdata/common/testfiles/source-call/source_vendored_json.ct +++ b/cmd/govulncheck/testdata/common/testfiles/source-call/source_vendored_json.ct @@ -18,6 +18,16 @@ $ govulncheck -C ${moddir}/vendored -format json ./... "message": "Scanning your code and P packages across M dependent modules for known vulnerabilities..." } } +{ + "progress": { + "message": "Fetching vulnerabilities from the database..." + } +} +{ + "progress": { + "message": "Checking the code against the vulnerabilities..." + } +} { "osv": { "schema_version": "1.3.1", 
diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_vendored_text.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_vendored_text.ct index 10f7e79d..b0bd512c 100644 --- a/cmd/govulncheck/testdata/common/testfiles/source-call/source_vendored_text.ct +++ b/cmd/govulncheck/testdata/common/testfiles/source-call/source_vendored_text.ct @@ -3,6 +3,10 @@ $ govulncheck -C ${moddir}/vendored -show verbose ./... --> FAIL 3 Scanning your code and P packages across M dependent modules for known vulnerabilities... +Fetching vulnerabilities from the database... + +Checking the code against the vulnerabilities... + === Symbol Results === Vulnerability #1: GO-2021-0265 diff --git a/cmd/govulncheck/testdata/common/testfiles/source-module/source_module_json.ct b/cmd/govulncheck/testdata/common/testfiles/source-module/source_module_json.ct index fff11902..f27ec8d9 100644 --- a/cmd/govulncheck/testdata/common/testfiles/source-module/source_module_json.ct +++ b/cmd/govulncheck/testdata/common/testfiles/source-module/source_module_json.ct @@ -18,6 +18,16 @@ $ govulncheck -format json -scan module -C ${moddir}/multientry "message": "Scanning your code across 2 dependent modules for known vulnerabilities..." } } +{ + "progress": { + "message": "Fetching vulnerabilities from the database..." + } +} +{ + "progress": { + "message": "Checking the code against the vulnerabilities..." + } +} { "osv": { "schema_version": "1.3.1", diff --git a/cmd/govulncheck/testdata/common/testfiles/source-module/source_module_text.ct b/cmd/govulncheck/testdata/common/testfiles/source-module/source_module_text.ct index 63851115..d0f09881 100644 --- a/cmd/govulncheck/testdata/common/testfiles/source-module/source_module_text.ct +++ b/cmd/govulncheck/testdata/common/testfiles/source-module/source_module_text.ct 
@@ -22,6 +22,10 @@ Use '-scan symbol' for more fine grained vulnerability detection. $ govulncheck -scan module -show verbose -C ${moddir}/multientry --> FAIL 3 Scanning your code across 2 dependent modules for known vulnerabilities... +Fetching vulnerabilities from the database... + +Checking the code against the vulnerabilities... + === Module Results === Vulnerability #1: GO-2021-0113 diff --git a/cmd/govulncheck/testdata/common/testfiles/source-package/source_package_json.ct b/cmd/govulncheck/testdata/common/testfiles/source-package/source_package_json.ct index 140dc801..5bc1c797 100644 --- a/cmd/govulncheck/testdata/common/testfiles/source-package/source_package_json.ct +++ b/cmd/govulncheck/testdata/common/testfiles/source-package/source_package_json.ct @@ -18,6 +18,16 @@ $ govulncheck -format json -scan package -C ${moddir}/multientry . "message": "Scanning your code and P packages across M dependent modules for known vulnerabilities..." } } +{ + "progress": { + "message": "Fetching vulnerabilities from the database..." + } +} +{ + "progress": { + "message": "Checking the code against the vulnerabilities..." + } +} { "osv": { "schema_version": "1.3.1", diff --git a/cmd/govulncheck/testdata/common/testfiles/source-package/source_package_text.ct b/cmd/govulncheck/testdata/common/testfiles/source-package/source_package_text.ct index e56b84b7..69ff2a7b 100644 --- a/cmd/govulncheck/testdata/common/testfiles/source-package/source_package_text.ct +++ b/cmd/govulncheck/testdata/common/testfiles/source-package/source_package_text.ct @@ -23,6 +23,10 @@ verbose' for more details. $ govulncheck -show verbose -scan package -C ${moddir}/multientry . --> FAIL 3 Scanning your code and P packages across M dependent modules for known vulnerabilities... +Fetching vulnerabilities from the database... + +Checking the code against the vulnerabilities... + === Package Results === Vulnerability #1: GO-2021-0113 
diff --git a/cmd/govulncheck/testdata/stdlib/testfiles/stdlib/source_stdlib_json.ct b/cmd/govulncheck/testdata/stdlib/testfiles/stdlib/source_stdlib_json.ct index 32dbf0fa..884dd59b 100644 --- a/cmd/govulncheck/testdata/stdlib/testfiles/stdlib/source_stdlib_json.ct +++ b/cmd/govulncheck/testdata/stdlib/testfiles/stdlib/source_stdlib_json.ct @@ -18,6 +18,16 @@ $ govulncheck -C ${moddir}/stdlib -format json . "message": "Scanning your code and P packages across M dependent module for known vulnerabilities..." } } +{ + "progress": { + "message": "Fetching vulnerabilities from the database..." + } +} +{ + "progress": { + "message": "Checking the code against the vulnerabilities..." + } +} { "osv": { "schema_version": "1.3.1", diff --git a/internal/vulncheck/binary.go b/internal/vulncheck/binary.go index c8fa1d36..dbe89756 100644 --- a/internal/vulncheck/binary.go +++ b/internal/vulncheck/binary.go @@ -49,6 +49,10 @@ func binary(ctx context.Context, handler govulncheck.Handler, bin *Bin, cfg *gov graph.AddModules(bin.Modules...) mods := append(bin.Modules, graph.GetModule(internal.GoStdModulePath)) + if err := handler.Progress(&govulncheck.Progress{Message: fetchingVulnsMessage}); err != nil { + return nil, err + } + mv, err := FetchVulnerabilities(ctx, client, mods) if err != nil { return nil, err @@ -59,6 +63,10 @@ func binary(ctx context.Context, handler govulncheck.Handler, bin *Bin, cfg *gov return nil, err } + if err := handler.Progress(&govulncheck.Progress{Message: checkingVulnsMessage}); err != nil { + return nil, err + } + if bin.GOOS == "" || bin.GOARCH == "" { fmt.Printf("warning: failed to extract build system specification GOOS: %s GOARCH: %s\n", bin.GOOS, bin.GOARCH) } diff --git a/internal/vulncheck/source.go b/internal/vulncheck/source.go index 4014eff7..e0087176 100644 --- a/internal/vulncheck/source.go +++ b/internal/vulncheck/source.go 
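Review bot: The two new `handler.Progress(&govulncheck.Progress{Message: ...})` blocks in binary() repeat, line for line, the two added to source() in internal/vulncheck/source.go, so the same four-line shape now exists at four call sites; a helper next to the constants in vulncheck.go, `func progress(handler govulncheck.Handler, msg string) error { return handler.Progress(&govulncheck.Progress{Message: msg}) }`, would let each site read `if err := progress(handler, fetchingVulnsMessage); err != nil { return nil, err }`. In the second hunk the new "Checking..." record is delivered through the handler while the GOOS/GOARCH warning immediately below it still goes to stdout via fmt.Printf, so a `-format json` consumer could see a non-JSON line right after the progress record; that line predates this change, but now that the two are adjacent it is worth routing the warning through the handler as well, or at least confirming the JSON consumers tolerate it. binary() starts before the first hunk and continues past the second.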
@@ -57,6 +57,10 @@ func source(ctx context.Context, handler govulncheck.Handler, cfg *govulncheck.C }() } + if err := handler.Progress(&govulncheck.Progress{Message: fetchingVulnsMessage}); err != nil { + return nil, err + } + mv, err := FetchVulnerabilities(ctx, client, graph.Modules()) if err != nil { return nil, err @@ -67,6 +71,10 @@ func source(ctx context.Context, handler govulncheck.Handler, cfg *govulncheck.C return nil, err } + if err := handler.Progress(&govulncheck.Progress{Message: checkingVulnsMessage}); err != nil { + return nil, err + } + affVulns := affectingVulnerabilities(mv, "", "") if err := emitModuleFindings(handler, affVulns); err != nil { return nil, err diff --git a/internal/vulncheck/vulncheck.go b/internal/vulncheck/vulncheck.go index 96db7159..ac61087a 100644 --- a/internal/vulncheck/vulncheck.go +++ b/internal/vulncheck/vulncheck.go @@ -16,6 +16,11 @@ import ( "golang.org/x/vuln/internal/semver" ) +const ( + fetchingVulnsMessage = "Fetching vulnerabilities from the database..." + checkingVulnsMessage = "Checking the code against the vulnerabilities..." +) + // Result contains information on detected vulnerabilities. // For call graph analysis, it provides information on reachability // of vulnerable symbols through entry points of the program.
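Review bot: The new `fetchingVulnsMessage` and `checkingVulnsMessage` constants in vulncheck.go have no comment, and because the same strings are now pinned verbatim in every golden .ct file touched by this commit, a reader changing the wording needs to know that. A short comment above the const block would carry that, e.g. `// Progress messages emitted by source and binary before the database fetch and the vulnerability check; the testdata .ct files expect them verbatim.` The placement in vulncheck.go is reasonable since both source.go and binary.go read them, but the identifiers say nothing about the handler they are fed to, so the comment is the only place that link is documented.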