Initialize module and dependencies

vendor/golang.org/x/vuln/cmd/govulncheck/doc.go

@@ -0,0 +1,106 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+/*
+Govulncheck reports known vulnerabilities that affect Go code. It uses static
+analysis of source code or a binary's symbol table to narrow down reports to
+only those that could affect the application.
+
+By default, govulncheck makes requests to the Go vulnerability database at
+https://vuln.go.dev. Requests to the vulnerability database contain only module
+paths with vulnerabilities already known to the database, not code or other
+properties of your program. See https://vuln.go.dev/privacy.html for more.
+Use the -db flag to specify a different database, which must implement the
+specification at https://go.dev/security/vuln/database.
+
+Govulncheck looks for vulnerabilities in Go programs using a specific build
+configuration. For analyzing source code, that configuration is the Go version
+specified by the “go” command found on the PATH. For binaries, the build
+configuration is the one used to build the binary. Note that different build
+configurations may have different known vulnerabilities.
+
+# Usage
+
+To analyze source code, run govulncheck from the module directory, using the
+same package path syntax that the go command uses:
+
+	$ cd my-module
+	$ govulncheck ./...
+
+If no vulnerabilities are found, govulncheck will display a short message. If
+there are vulnerabilities, each is displayed briefly, with a summary of a call
+stack. The summary shows in brief how the package calls a vulnerable function.
+For example, it might say
+
+	main.go:[line]:[column]: mypackage.main calls golang.org/x/text/language.Parse
+
+To control which files are processed, use the -tags flag to provide a
+comma-separated list of build tags, and the -test flag to indicate that test
+files should be included.
+
+To include more detailed stack traces, pass '-show traces', this will cause it to
+print the full call stack for each entry.
+
+To include progress messages and more details on findings, pass '-show verbose'.
+
+To run govulncheck on a compiled binary, pass it the path to the binary file
+with the '-mode binary' flag:
+
+	$ govulncheck -mode binary $HOME/go/bin/my-go-program
+
+Govulncheck uses the binary's symbol information to find mentions of vulnerable
+functions. These functions can belong to binary's transitive dependencies and
+also the main module of the binary. The latter functions are checked for only
+when the precise version of the binary module is known. Govulncheck output on
+binaries omits call stacks, which require source code analysis.
+
+Govulncheck also supports '-mode extract' on a Go binary for extraction of minimal
+information needed to analyze the binary. This will produce a blob, typically much
+smaller than the binary, that can also be passed to govulncheck as an argument with
+'-mode binary'. The users should not rely on the contents or representation of the blob.
+
+# Integrations
+
+Govulncheck supports streaming JSON. For more details, please see [golang.org/x/vuln/internal/govulncheck].
+
+Govulncheck also supports Static Analysis Results Interchange Format (SARIF) output
+format, following the specification at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif.
+For more details, please see [golang.org/x/vuln/internal/sarif].
+
+Govulncheck supports the Vulnerability EXchange (VEX) output format, following
+the specification at https://github.com/openvex/spec.
+For more details, please see [golang.org/x/vuln/internal/openvex].
+
+# Exit codes
+
+Govulncheck exits successfully (exit code 0) if there are no vulnerabilities,
+and exits unsuccessfully if there are. It also exits successfully if the
+'format -json' ('-json'), '-format sarif', or '-format openvex' is provided,
+regardless of the number of detected vulnerabilities.
+
+# Limitations
+
+Govulncheck has these limitations:
+
+  - Govulncheck analyzes function pointer and interface calls conservatively,
+    which may result in false positives or inaccurate call stacks in some cases.
+  - Calls to functions made using package reflect are not visible to static
+    analysis. Vulnerable code reachable only through those calls will not be
+    reported in source scan mode. Similarly, use of the unsafe package may
+    result in false negatives.
+  - Because Go binaries do not contain detailed call information, govulncheck
+    cannot show the call graphs for detected vulnerabilities. It may also
+    report false positives for code that is in the binary but unreachable.
+  - There is no support for silencing vulnerability findings. See https://go.dev/issue/61211 for
+    updates.
+  - Govulncheck reports only standard library vulnerabilities for binaries
+    built with Go versions prior to Go 1.18.
+  - For binaries where the symbol information cannot be extracted, govulncheck
+    reports vulnerabilities for all modules on which the binary depends.
+
+# Feedback
+
+To share feedback, see https://go.dev/security/vuln#feedback.
+*/
+package main

vendor/golang.org/x/vuln/cmd/govulncheck/gotypesalias.go

@@ -0,0 +1,12 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.23
+
+//go:debug gotypesalias=1
+
+package main
+
+// Materialize aliases whenever the go toolchain version is after 1.23 (#69772).
+// Remove this file after go.mod >= 1.23 (which implies gotypesalias=1).

vendor/golang.org/x/vuln/cmd/govulncheck/main.go

@@ -0,0 +1,34 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	"golang.org/x/telemetry"
+	"golang.org/x/vuln/scan"
+)
+
+func main() {
+	telemetry.Start(telemetry.Config{ReportCrashes: true})
+
+	ctx := context.Background()
+
+	cmd := scan.Command(ctx, os.Args[1:]...)
+	err := cmd.Start()
+	if err == nil {
+		err = cmd.Wait()
+	}
+	switch err := err.(type) {
+	case nil:
+	case interface{ ExitCode() int }:
+		os.Exit(err.ExitCode())
+	default:
+		fmt.Fprintln(os.Stderr, err)
+		os.Exit(1)
+	}
+}

vendor/golang.org/x/vuln/cmd/govulncheck/test_utils.go

@@ -0,0 +1,128 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+	"encoding/json"
+	"os"
+	"path/filepath"
+	"regexp"
+	"runtime"
+	"testing"
+)
+
+// copyTestCase copies the test case at dir into a
+// temporary directory. The created files have 0644
+// permission and directories 0755. It does not create
+// symlinks.
+func copyTestCase(dir string, t *testing.T) string {
+	newDir, err := filepath.Abs(t.TempDir())
+	if err != nil {
+		t.Fatalf("failed to copy test case %s: cannot create root %v", dir, err)
+	}
+
+	if err := copyDir(dir, newDir); err != nil {
+		t.Fatalf("failed to copy test case %s: copy failure %v", dir, err)
+	}
+	return newDir
+}
+
+func copyDir(srcDir, destDir string) error {
+	entries, err := os.ReadDir(srcDir)
+	if err != nil {
+		return err
+	}
+	for _, entry := range entries {
+		src := filepath.Join(srcDir, entry.Name())
+		dest := filepath.Join(destDir, entry.Name())
+
+		fileInfo, err := os.Stat(src)
+		if err != nil {
+			return err
+		}
+
+		switch fileInfo.Mode() & os.ModeType {
+		case os.ModeDir:
+			if err := os.MkdirAll(dest, 0755); err != nil {
+				return err
+			}
+			if err := copyDir(src, dest); err != nil {
+				return err
+			}
+		default:
+			if err := copyFile(src, dest); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func copyFile(src, dest string) error {
+	b, err := os.ReadFile(src)
+	if err != nil {
+		return err
+	}
+	return os.WriteFile(dest, b, 0644)
+}
+
+type config struct {
+	// SkipGOOS is a list of GOOS to skip
+	SkipGOOS []string `json:"skipGOOS,omitempty"`
+	// Copy the folder to isolate it
+	Copy bool `json:"copy,omitempty"`
+	// SkipBuild the test case
+	SkipBuild bool `json:"skipBuild,omitempty"`
+	// Strip indicates if binaries should be stripped
+	Strip bool `json:"strip,omitempty"`
+	// EnableSBOM indicates if sbom should be
+	// printed in JSON.
+	EnableSBOM bool `json:"sbom,omitempty"`
+
+	Fixups []fixup `json:"fixups,omitempty"`
+}
+
+func (c *config) skip() bool {
+	for _, sg := range c.SkipGOOS {
+		if runtime.GOOS == sg {
+			return true
+		}
+	}
+	return false
+}
+
+type fixup struct {
+	Pattern     string `json:"pattern,omitempty"`
+	Replace     string `json:"replace,omitempty"`
+	compiled    *regexp.Regexp
+	replaceFunc func(b []byte) []byte
+}
+
+func (f *fixup) init() {
+	f.compiled = regexp.MustCompile(f.Pattern)
+}
+
+func (f *fixup) apply(data []byte) []byte {
+	if f.replaceFunc != nil {
+		return f.compiled.ReplaceAllFunc(data, f.replaceFunc)
+	}
+	return f.compiled.ReplaceAll(data, []byte(f.Replace))
+}
+
+// loadConfig loads and initializes the config from path.
+func loadConfig(path string) (*config, error) {
+	b, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+	var cfg config
+	if err := json.Unmarshal(b, &cfg); err != nil {
+		return nil, err
+	}
+	for i := range cfg.Fixups {
+		cfg.Fixups[i].init()
+	}
+	return &cfg, nil
+}