ui: expose vulnerability analysis results (preview) #2096
It is similar to the command line tool govulncheck, but takes configuration parameters from the given snapshot and runs from the root directory of the snapshot. Currently we define result types in this package. When it is wired to gopls to implement a custom command, they will be moved to the internal/lsp/ command definition package. This functionality will be offered only when go1.18+ is used to build gopls.

Updates golang/go#50577
Updates golang/vscode-go#2096
Change-Id: I08ab6b408d0a40a86cfefff919ab670aa6b2859b
Reviewed-on: https://go-review.googlesource.com/c/tools/+/392538
Trust: Hyang-Ah Hana Kim <hyangah@gmail.com>
Reviewed-by: Robert Findley <rfindley@google.com>
Change https://go.dev/cl/392538 mentions this issue:
Change https://go.dev/cl/395575 mentions this issue:
Change https://go.dev/cl/395574 mentions this issue:
Change https://go.dev/cl/395576 mentions this issue:
This is a utility that manages vulnerability information local cache.

Updates golang/vscode-go#2096
Updates golang/go#50577
Change-Id: I1903a529adda499d078156c3f1ba38bfab75a958
Reviewed-on: https://go-review.googlesource.com/c/tools/+/395574
Trust: Hyang-Ah Hana Kim <hyangah@gmail.com>
Run-TryBot: Hyang-Ah Hana Kim <hyangah@gmail.com>
gopls-CI: kokoro <noreply+kokoro@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
And move types defined in gopls/internal/vulncheck to internal/lsp/command so VulncheckResult can use them. Another approach considered is to encode Vuln as a json raw message. However, presenting the data structure in gopls api documentation is too nice to give up.

Updates golang/vscode-go#2096
Updates golang/go#50577
Change-Id: I8587d19f9c47cf786dacaae8cfe1727c77cda711
Reviewed-on: https://go-review.googlesource.com/c/tools/+/395575
Trust: Hyang-Ah Hana Kim <hyangah@gmail.com>
Run-TryBot: Hyang-Ah Hana Kim <hyangah@gmail.com>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Robert Findley <rfindley@google.com>
gopls-CI: kokoro <noreply+kokoro@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
This is a command that runs govulncheck-like analysis. This is highly experimental and can change any time, so we mark it with the "Exp" suffix. Once the interface becomes stable, we will rename this command. It returns VulncheckResult that can be encoded as a JSON message. The result includes all potentially affecting vulnerabilities, and sample traces. This feature is currently available only when gopls is compiled with go1.18. Otherwise, the command will return an error.

Updates golang/go#50577
Updates golang/vscode-go#2096
Change-Id: Ia37b0555f7bf98760292c9f68e50fb70dd494522
Reviewed-on: https://go-review.googlesource.com/c/tools/+/395576
Trust: Hyang-Ah Hana Kim <hyangah@gmail.com>
Run-TryBot: Hyang-Ah Hana Kim <hyangah@gmail.com>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
gopls-CI: kokoro <noreply+kokoro@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Change https://go.dev/cl/395794 mentions this issue:
This change adds a vulncheck command that displays vulncheck results as an output channel.

For #2096.
Change-Id: If4ace89a379859b3cdcf959c32d5c4f72a64de4a
Reviewed-on: https://go-review.googlesource.com/c/vscode-go/+/395794
Trust: Jamal Carvalho <jamal@golang.org>
Run-TryBot: Jamal Carvalho <jamal@golang.org>
Reviewed-by: Hyang-Ah Hana Kim <hyangah@gmail.com>
Reviewed-by: Suzy Mueller <suzmue@golang.org>
TryBot-Result: kokoro <noreply+kokoro@google.com>
Change https://go.dev/cl/402194 mentions this issue:
And fixed
- The line number from gopls is 0-based. Fix that before printing in the output channel.
- The file name may be missing if the file is a generated file, and most likely the line number is bogus too.
- Adjust nesting to handle deep call stacks.

For #2096
Change-Id: I37d067bcedfe5a5618388cb723a32d0b5c54d317
Reviewed-on: https://go-review.googlesource.com/c/vscode-go/+/402194
Reviewed-by: Suzy Mueller <suzmue@golang.org>
Reviewed-by: Hyang-Ah Hana Kim <hyangah@gmail.com>
https://go-review.googlesource.com/c/vscode-go/+/406300 is the last batch of changes for this feature.
Gopls issue: golang/go#52972
(And golang/go#50577 is a different type of analysis we are planning to add)