package golang
import (
"strings"
"github.com/nextlinux/govulners/govulners/distro"
"github.com/nextlinux/govulners/govulners/match"
"github.com/nextlinux/govulners/govulners/pkg"
"github.com/nextlinux/govulners/govulners/search"
"github.com/nextlinux/govulners/govulners/vulnerability"
syftPkg "github.com/anchore/syft/syft/pkg"
)
type (
	// Matcher finds vulnerabilities for Go module packages.
	Matcher struct {
		cfg MatcherConfig // options supplied to NewGolangMatcher
	}

	// MatcherConfig holds the options of the Go module Matcher.
	MatcherConfig struct {
		// UseCPEs makes Match add search.ByCPE to the common search criteria.
		UseCPEs bool
	}
)
// NewGolangMatcher returns a Matcher that keeps cfg for its Match calls.
func NewGolangMatcher(cfg MatcherConfig) *Matcher {
	matcher := new(Matcher)
	matcher.cfg = cfg
	return matcher
}
// PackageTypes lists the syft package types this matcher handles, which is
// syftPkg.GoModulePkg only.
func (m *Matcher) PackageTypes() []syftPkg.Type {
	supported := []syftPkg.Type{syftPkg.GoModulePkg}
	return supported
}
// Type identifies this matcher as match.GoModuleMatcher.
func (m *Matcher) Type() match.MatcherType {
	var kind match.MatcherType = match.GoModuleMatcher
	return kind
}
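// Match looks up vulnerabilities for the Go module package p in store using
// the common search criteria, plus search.ByCPE when the matcher was
// configured with UseCPEs.
//
// The main module of a Go binary is skipped when its version starts with
// "v0.0.0-" or "(devel)": an empty, non-nil slice and a nil error are
// returned without consulting store. A scan therefore reports nothing for
// such a main module itself; this trades possible false negatives for fewer
// false positives. Packages whose name differs from the main module are
// still matched, whatever their version looks like.
func (m *Matcher) Match(store vulnerability.Provider, d *distro.Distro, p pkg.Package) ([]match.Match, error) {
	// The main module name is only known when p carries Go binary metadata;
	// otherwise it stays empty.
	mainModule := ""
	if meta, ok := p.Metadata.(pkg.GolangBinMetadata); ok {
		mainModule = meta.MainModule
	}

	// Golang currently does not have a standard way of incorporating the vcs version
	// into the compiled binary: https://github.com/golang/go/issues/50603
	// current version information for the main module is incomplete leading to multiple FP
	// TODO: remove this exclusion when vcs information is included in future go version
	isNotCorrected := strings.HasPrefix(p.Version, "v0.0.0-") || strings.HasPrefix(p.Version, "(devel)")
	if p.Name == mainModule && isNotCorrected {
		return []match.Match{}, nil
	}

	// Cap the capacity so the append below always copies instead of writing
	// into the backing array of the package-level search.CommonCriteria,
	// which other callers may share.
	common := search.CommonCriteria
	criteria := common[:len(common):len(common)]
	if m.cfg.UseCPEs {
		criteria = append(criteria, search.ByCPE)
	}

	return search.ByCriteria(store, d, p, m.Type(), criteria...)
}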