raven/vendor/golang.org/x/vuln/internal/vulncheck/source.go

// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package vulncheck

import (
	"context"
	"sync"

	"golang.org/x/tools/go/callgraph"
	"golang.org/x/tools/go/packages"
	"golang.org/x/tools/go/ssa"
	"golang.org/x/vuln/internal/client"
	"golang.org/x/vuln/internal/govulncheck"
	"golang.org/x/vuln/internal/osv"
)

// Source detects vulnerabilities in pkgs and emits the findings to handler.
func Source(ctx context.Context, handler govulncheck.Handler, cfg *govulncheck.Config, client *client.Client, graph *PackageGraph) error {
	vr, err := source(ctx, handler, cfg, client, graph)
	if err != nil {
		return err
	}

	if cfg.ScanLevel.WantSymbols() {
		return emitCallFindings(handler, sourceCallstacks(vr))
	}
	return nil
}

// source detects vulnerabilities in packages. It emits findings to handler
// and produces a Result that contains info on detected vulnerabilities.
//
// Assumes that pkgs are non-empty and belong to the same program.
func source(ctx context.Context, handler govulncheck.Handler, cfg *govulncheck.Config, client *client.Client, graph *PackageGraph) (*Result, error) {
	ctx, cancel := context.WithCancel(ctx)
	defer cancel()

	// If we are building the callgraph, build ssa and the callgraph in parallel
	// with fetching vulnerabilities. If the vulns set is empty, return without
	// waiting for SSA construction or callgraph to finish.
	var (
		wg       sync.WaitGroup // guards entries, cg, and buildErr
		entries  []*ssa.Function
		cg       *callgraph.Graph
		buildErr error
	)
	if cfg.ScanLevel.WantSymbols() {
		fset := graph.TopPkgs()[0].Fset
		wg.Add(1)
		go func() {
			defer wg.Done()
			prog, ssaPkgs := buildSSA(graph.TopPkgs(), fset)
			entries = entryPoints(ssaPkgs)
			cg, buildErr = callGraph(ctx, prog, entries)
		}()
	}

	if err := handler.SBOM(graph.SBOM()); err != nil {
		return nil, err
	}

	if err := handler.Progress(&govulncheck.Progress{Message: fetchingVulnsMessage}); err != nil {
		return nil, err
	}

	mv, err := FetchVulnerabilities(ctx, client, graph.Modules())
	if err != nil {
		return nil, err
	}

	// Emit OSV entries immediately in their raw unfiltered form.
	if err := emitOSVs(handler, mv); err != nil {
		return nil, err
	}

	if err := handler.Progress(&govulncheck.Progress{Message: checkingSrcVulnsMessage}); err != nil {
		return nil, err
	}

	affVulns := affectingVulnerabilities(mv, "", "")
	if err := emitModuleFindings(handler, affVulns); err != nil {
		return nil, err
	}

	if !cfg.ScanLevel.WantPackages() || len(affVulns) == 0 {
		return &Result{}, nil
	}

	impVulns := importedVulnPackages(affVulns, graph)
	// Emit information on imported vulnerable packages now as
	// call graph computation might take a while.
	if err := emitPackageFindings(handler, impVulns); err != nil {
		return nil, err
	}

	// Return result immediately if not in symbol mode or
	// if there are no vulnerabilities imported.
	if !cfg.ScanLevel.WantSymbols() || len(impVulns) == 0 {
		return &Result{Vulns: impVulns}, nil
	}

	wg.Wait() // wait for build to finish
	if buildErr != nil {
		return nil, err
	}

	entryFuncs, callVulns := calledVulnSymbols(entries, affVulns, cg, graph)
	return &Result{EntryFunctions: entryFuncs, Vulns: callVulns}, nil
}

// importedVulnPackages detects imported vulnerable packages.
func importedVulnPackages(affVulns affectingVulns, graph *PackageGraph) []*Vuln {
	var vulns []*Vuln
	analyzed := make(map[*packages.Package]bool) // skip analyzing the same package multiple times
	var vulnImports func(pkg *packages.Package)
	vulnImports = func(pkg *packages.Package) {
		if analyzed[pkg] {
			return
		}

		osvs := affVulns.ForPackage(pkgModPath(pkg), pkg.PkgPath)
		// Create Vuln entry for each OSV entry for pkg.
		for _, osv := range osvs {
			vuln := &Vuln{
				OSV:     osv,
				Package: graph.GetPackage(pkg.PkgPath),
			}
			vulns = append(vulns, vuln)
		}

		analyzed[pkg] = true
		for _, imp := range pkg.Imports {
			vulnImports(imp)
		}
	}

	for _, pkg := range graph.TopPkgs() {
		vulnImports(pkg)
	}
	return vulns
}

// calledVulnSymbols detects vuln symbols transitively reachable from sources
// via call graph cg.
//
// A slice of call graph is computed related to the reachable vulnerabilities. Each
// reachable Vuln has attached FuncNode that can be upward traversed to the entry points.
// Entry points that reach the vulnerable symbols are also returned.
func calledVulnSymbols(sources []*ssa.Function, affVulns affectingVulns, cg *callgraph.Graph, graph *PackageGraph) ([]*FuncNode, []*Vuln) {
	sinksWithVulns := vulnFuncs(cg, affVulns, graph)

	// Compute call graph backwards reachable
	// from vulnerable functions and methods.
	var sinks []*callgraph.Node
	for n := range sinksWithVulns {
		sinks = append(sinks, n)
	}
	bcg := callGraphSlice(sinks, false)

	// Interesect backwards call graph with forward
	// reachable graph to remove redundant edges.
	var filteredSources []*callgraph.Node
	for _, e := range sources {
		if n, ok := bcg.Nodes[e]; ok {
			filteredSources = append(filteredSources, n)
		}
	}
	fcg := callGraphSlice(filteredSources, true)

	// Get the sinks that are in fact reachable from entry points.
	filteredSinks := make(map[*callgraph.Node][]*osv.Entry)
	for n, vs := range sinksWithVulns {
		if fn, ok := fcg.Nodes[n.Func]; ok {
			filteredSinks[fn] = vs
		}
	}

	// Transform the resulting call graph slice into
	// vulncheck representation.
	return vulnCallGraph(filteredSources, filteredSinks, graph)
}

// callGraphSlice computes a slice of callgraph beginning at starts
// in the direction (forward/backward) controlled by forward flag.
func callGraphSlice(starts []*callgraph.Node, forward bool) *callgraph.Graph {
	g := &callgraph.Graph{Nodes: make(map[*ssa.Function]*callgraph.Node)}

	visited := make(map[*callgraph.Node]bool)
	var visit func(*callgraph.Node)
	visit = func(n *callgraph.Node) {
		if visited[n] {
			return
		}
		visited[n] = true

		var edges []*callgraph.Edge
		if forward {
			edges = n.Out
		} else {
			edges = n.In
		}

		for _, edge := range edges {
			nCallee := g.CreateNode(edge.Callee.Func)
			nCaller := g.CreateNode(edge.Caller.Func)
			callgraph.AddEdge(nCaller, edge.Site, nCallee)

			if forward {
				visit(edge.Callee)
			} else {
				visit(edge.Caller)
			}
		}
	}

	for _, s := range starts {
		visit(s)
	}
	return g
}

// vulnCallGraph creates vulnerability call graph in terms of sources and sinks.
func vulnCallGraph(sources []*callgraph.Node, sinks map[*callgraph.Node][]*osv.Entry, graph *PackageGraph) ([]*FuncNode, []*Vuln) {
	var entries []*FuncNode
	var vulns []*Vuln
	nodes := make(map[*ssa.Function]*FuncNode)

	// First create entries and sinks and store relevant information.
	for _, s := range sources {
		fn := createNode(nodes, s.Func, graph)
		entries = append(entries, fn)
	}

	for s, osvs := range sinks {
		f := s.Func
		funNode := createNode(nodes, s.Func, graph)

		// Populate CallSink field for each detected vuln symbol.
		for _, osv := range osvs {
			vulns = append(vulns, calledVuln(funNode, osv, dbFuncName(f), funNode.Package))
		}
	}

	visited := make(map[*callgraph.Node]bool)
	var visit func(*callgraph.Node)
	visit = func(n *callgraph.Node) {
		if visited[n] {
			return
		}
		visited[n] = true

		for _, edge := range n.In {
			nCallee := createNode(nodes, edge.Callee.Func, graph)
			nCaller := createNode(nodes, edge.Caller.Func, graph)

			call := edge.Site
			cs := &CallSite{
				Parent:   nCaller,
				Name:     call.Common().Value.Name(),
				RecvType: callRecvType(call),
				Resolved: resolved(call),
				Pos:      instrPosition(call),
			}
			nCallee.CallSites = append(nCallee.CallSites, cs)

			visit(edge.Caller)
		}
	}

	for s := range sinks {
		visit(s)
	}
	return entries, vulns
}

// vulnFuncs returns vulnerability information for vulnerable functions in cg.
func vulnFuncs(cg *callgraph.Graph, affVulns affectingVulns, graph *PackageGraph) map[*callgraph.Node][]*osv.Entry {
	m := make(map[*callgraph.Node][]*osv.Entry)
	for f, n := range cg.Nodes {
		p := pkgPath(f)
		vulns := affVulns.ForSymbol(pkgModPath(graph.GetPackage(p)), p, dbFuncName(f))
		if len(vulns) > 0 {
			m[n] = vulns
		}
	}
	return m
}

func createNode(nodes map[*ssa.Function]*FuncNode, f *ssa.Function, graph *PackageGraph) *FuncNode {
	if fn, ok := nodes[f]; ok {
		return fn
	}
	fn := &FuncNode{
		Name:     f.Name(),
		Package:  graph.GetPackage(pkgPath(f)),
		RecvType: funcRecvType(f),
		Pos:      funcPosition(f),
	}
	nodes[f] = fn
	return fn
}

func calledVuln(call *FuncNode, osv *osv.Entry, symbol string, pkg *packages.Package) *Vuln {
	return &Vuln{
		Symbol:   symbol,
		Package:  pkg,
		OSV:      osv,
		CallSink: call,
	}
}
Initialize module and dependencies 2026-01-04 20:57:40 +00:00			`// Copyright 2021 The Go Authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style`
			`// license that can be found in the LICENSE file.`

			`package vulncheck`

			`import (`
			`"context"`
			`"sync"`

			`"golang.org/x/tools/go/callgraph"`
			`"golang.org/x/tools/go/packages"`
			`"golang.org/x/tools/go/ssa"`
			`"golang.org/x/vuln/internal/client"`
			`"golang.org/x/vuln/internal/govulncheck"`
			`"golang.org/x/vuln/internal/osv"`
			`)`

			`// Source detects vulnerabilities in pkgs and emits the findings to handler.`
			`func Source(ctx context.Context, handler govulncheck.Handler, cfg govulncheck.Config, client client.Client, graph *PackageGraph) error {`
			`vr, err := source(ctx, handler, cfg, client, graph)`
			`if err != nil {`
			`return err`
			`}`

			`if cfg.ScanLevel.WantSymbols() {`
			`return emitCallFindings(handler, sourceCallstacks(vr))`
			`}`
			`return nil`
			`}`

			`// source detects vulnerabilities in packages. It emits findings to handler`
			`// and produces a Result that contains info on detected vulnerabilities.`
			`//`
			`// Assumes that pkgs are non-empty and belong to the same program.`
			`func source(ctx context.Context, handler govulncheck.Handler, cfg govulncheck.Config, client client.Client, graph PackageGraph) (Result, error) {`
			`ctx, cancel := context.WithCancel(ctx)`
			`defer cancel()`

			`// If we are building the callgraph, build ssa and the callgraph in parallel`
			`// with fetching vulnerabilities. If the vulns set is empty, return without`
			`// waiting for SSA construction or callgraph to finish.`
			`var (`
			`wg sync.WaitGroup // guards entries, cg, and buildErr`
			`entries []*ssa.Function`
			`cg *callgraph.Graph`
			`buildErr error`
			`)`
			`if cfg.ScanLevel.WantSymbols() {`
			`fset := graph.TopPkgs()[0].Fset`
			`wg.Add(1)`
			`go func() {`
			`defer wg.Done()`
			`prog, ssaPkgs := buildSSA(graph.TopPkgs(), fset)`
			`entries = entryPoints(ssaPkgs)`
			`cg, buildErr = callGraph(ctx, prog, entries)`
			`}()`
			`}`

			`if err := handler.SBOM(graph.SBOM()); err != nil {`
			`return nil, err`
			`}`

			`if err := handler.Progress(&govulncheck.Progress{Message: fetchingVulnsMessage}); err != nil {`
			`return nil, err`
			`}`

			`mv, err := FetchVulnerabilities(ctx, client, graph.Modules())`
			`if err != nil {`
			`return nil, err`
			`}`

			`// Emit OSV entries immediately in their raw unfiltered form.`
			`if err := emitOSVs(handler, mv); err != nil {`
			`return nil, err`
			`}`

			`if err := handler.Progress(&govulncheck.Progress{Message: checkingSrcVulnsMessage}); err != nil {`
			`return nil, err`
			`}`

			`affVulns := affectingVulnerabilities(mv, "", "")`
			`if err := emitModuleFindings(handler, affVulns); err != nil {`
			`return nil, err`
			`}`

			`if !cfg.ScanLevel.WantPackages() \|\| len(affVulns) == 0 {`
			`return &Result{}, nil`
			`}`

			`impVulns := importedVulnPackages(affVulns, graph)`
			`// Emit information on imported vulnerable packages now as`
			`// call graph computation might take a while.`
			`if err := emitPackageFindings(handler, impVulns); err != nil {`
			`return nil, err`
			`}`

			`// Return result immediately if not in symbol mode or`
			`// if there are no vulnerabilities imported.`
			`if !cfg.ScanLevel.WantSymbols() \|\| len(impVulns) == 0 {`
			`return &Result{Vulns: impVulns}, nil`
			`}`

			`wg.Wait() // wait for build to finish`
			`if buildErr != nil {`
			`return nil, err`
			`}`

			`entryFuncs, callVulns := calledVulnSymbols(entries, affVulns, cg, graph)`
			`return &Result{EntryFunctions: entryFuncs, Vulns: callVulns}, nil`
			`}`

			`// importedVulnPackages detects imported vulnerable packages.`
			`func importedVulnPackages(affVulns affectingVulns, graph PackageGraph) []Vuln {`
			`var vulns []*Vuln`
			`analyzed := make(map[*packages.Package]bool) // skip analyzing the same package multiple times`
			`var vulnImports func(pkg *packages.Package)`
			`vulnImports = func(pkg *packages.Package) {`
			`if analyzed[pkg] {`
			`return`
			`}`

			`osvs := affVulns.ForPackage(pkgModPath(pkg), pkg.PkgPath)`
			`// Create Vuln entry for each OSV entry for pkg.`
			`for _, osv := range osvs {`
			`vuln := &Vuln{`
			`OSV: osv,`
			`Package: graph.GetPackage(pkg.PkgPath),`
			`}`
			`vulns = append(vulns, vuln)`
			`}`

			`analyzed[pkg] = true`
			`for _, imp := range pkg.Imports {`
			`vulnImports(imp)`
			`}`
			`}`

			`for _, pkg := range graph.TopPkgs() {`
			`vulnImports(pkg)`
			`}`
			`return vulns`
			`}`

			`// calledVulnSymbols detects vuln symbols transitively reachable from sources`
			`// via call graph cg.`
			`//`
			`// A slice of call graph is computed related to the reachable vulnerabilities. Each`
			`// reachable Vuln has attached FuncNode that can be upward traversed to the entry points.`
			`// Entry points that reach the vulnerable symbols are also returned.`
			`func calledVulnSymbols(sources []ssa.Function, affVulns affectingVulns, cg callgraph.Graph, graph PackageGraph) ([]FuncNode, []*Vuln) {`
			`sinksWithVulns := vulnFuncs(cg, affVulns, graph)`

			`// Compute call graph backwards reachable`
			`// from vulnerable functions and methods.`
			`var sinks []*callgraph.Node`
			`for n := range sinksWithVulns {`
			`sinks = append(sinks, n)`
			`}`
			`bcg := callGraphSlice(sinks, false)`

			`// Interesect backwards call graph with forward`
			`// reachable graph to remove redundant edges.`
			`var filteredSources []*callgraph.Node`
			`for _, e := range sources {`
			`if n, ok := bcg.Nodes[e]; ok {`
			`filteredSources = append(filteredSources, n)`
			`}`
			`}`
			`fcg := callGraphSlice(filteredSources, true)`

			`// Get the sinks that are in fact reachable from entry points.`
			`filteredSinks := make(map[callgraph.Node][]osv.Entry)`
			`for n, vs := range sinksWithVulns {`
			`if fn, ok := fcg.Nodes[n.Func]; ok {`
			`filteredSinks[fn] = vs`
			`}`
			`}`

			`// Transform the resulting call graph slice into`
			`// vulncheck representation.`
			`return vulnCallGraph(filteredSources, filteredSinks, graph)`
			`}`

			`// callGraphSlice computes a slice of callgraph beginning at starts`
			`// in the direction (forward/backward) controlled by forward flag.`
			`func callGraphSlice(starts []callgraph.Node, forward bool) callgraph.Graph {`
			`g := &callgraph.Graph{Nodes: make(map[ssa.Function]callgraph.Node)}`

			`visited := make(map[*callgraph.Node]bool)`
			`var visit func(*callgraph.Node)`
			`visit = func(n *callgraph.Node) {`
			`if visited[n] {`
			`return`
			`}`
			`visited[n] = true`

			`var edges []*callgraph.Edge`
			`if forward {`
			`edges = n.Out`
			`} else {`
			`edges = n.In`
			`}`

			`for _, edge := range edges {`
			`nCallee := g.CreateNode(edge.Callee.Func)`
			`nCaller := g.CreateNode(edge.Caller.Func)`
			`callgraph.AddEdge(nCaller, edge.Site, nCallee)`

			`if forward {`
			`visit(edge.Callee)`
			`} else {`
			`visit(edge.Caller)`
			`}`
			`}`
			`}`

			`for _, s := range starts {`
			`visit(s)`
			`}`
			`return g`
			`}`

			`// vulnCallGraph creates vulnerability call graph in terms of sources and sinks.`
			`func vulnCallGraph(sources []callgraph.Node, sinks map[callgraph.Node][]osv.Entry, graph PackageGraph) ([]FuncNode, []Vuln) {`
			`var entries []*FuncNode`
			`var vulns []*Vuln`
			`nodes := make(map[ssa.Function]FuncNode)`

			`// First create entries and sinks and store relevant information.`
			`for _, s := range sources {`
			`fn := createNode(nodes, s.Func, graph)`
			`entries = append(entries, fn)`
			`}`

			`for s, osvs := range sinks {`
			`f := s.Func`
			`funNode := createNode(nodes, s.Func, graph)`

			`// Populate CallSink field for each detected vuln symbol.`
			`for _, osv := range osvs {`
			`vulns = append(vulns, calledVuln(funNode, osv, dbFuncName(f), funNode.Package))`
			`}`
			`}`

			`visited := make(map[*callgraph.Node]bool)`
			`var visit func(*callgraph.Node)`
			`visit = func(n *callgraph.Node) {`
			`if visited[n] {`
			`return`
			`}`
			`visited[n] = true`

			`for _, edge := range n.In {`
			`nCallee := createNode(nodes, edge.Callee.Func, graph)`
			`nCaller := createNode(nodes, edge.Caller.Func, graph)`

			`call := edge.Site`
			`cs := &CallSite{`
			`Parent: nCaller,`
			`Name: call.Common().Value.Name(),`
			`RecvType: callRecvType(call),`
			`Resolved: resolved(call),`
			`Pos: instrPosition(call),`
			`}`
			`nCallee.CallSites = append(nCallee.CallSites, cs)`

			`visit(edge.Caller)`
			`}`
			`}`

			`for s := range sinks {`
			`visit(s)`
			`}`
			`return entries, vulns`
			`}`

			`// vulnFuncs returns vulnerability information for vulnerable functions in cg.`
			`func vulnFuncs(cg callgraph.Graph, affVulns affectingVulns, graph PackageGraph) map[callgraph.Node][]osv.Entry {`
			`m := make(map[callgraph.Node][]osv.Entry)`
			`for f, n := range cg.Nodes {`
			`p := pkgPath(f)`
			`vulns := affVulns.ForSymbol(pkgModPath(graph.GetPackage(p)), p, dbFuncName(f))`
			`if len(vulns) > 0 {`
			`m[n] = vulns`
			`}`
			`}`
			`return m`
			`}`

			`func createNode(nodes map[ssa.Function]FuncNode, f ssa.Function, graph PackageGraph) *FuncNode {`
			`if fn, ok := nodes[f]; ok {`
			`return fn`
			`}`
			`fn := &FuncNode{`
			`Name: f.Name(),`
			`Package: graph.GetPackage(pkgPath(f)),`
			`RecvType: funcRecvType(f),`
			`Pos: funcPosition(f),`
			`}`
			`nodes[f] = fn`
			`return fn`
			`}`

			`func calledVuln(call FuncNode, osv osv.Entry, symbol string, pkg packages.Package) Vuln {`
			`return &Vuln{`
			`Symbol: symbol,`
			`Package: pkg,`
			`OSV: osv,`
			`CallSink: call,`
			`}`
			`}`