// Copyright 2023 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package vulncheck

import (
	"go/token"
	"os"
	"path/filepath"
	"strings"

	"golang.org/x/tools/go/packages"
	"golang.org/x/vuln/internal/govulncheck"
)

// emitOSVs emits all OSV vuln entries in modVulns to handler.
func emitOSVs(handler govulncheck.Handler, modVulns []*ModVulns) error {
	for _, mv := range modVulns {
		for _, v := range mv.Vulns {
			if err := handler.OSV(v); err != nil {
				return err
			}
		}
	}
	return nil
}

// emitModuleFindings emits module-level findings for vulnerabilities in modVulns.
func emitModuleFindings(handler govulncheck.Handler, affVulns affectingVulns) error {
	for _, vuln := range affVulns {
		for _, osv := range vuln.Vulns {
			if err := handler.Finding(&govulncheck.Finding{
				OSV:          osv.ID,
				FixedVersion: FixedVersion(modPath(vuln.Module), modVersion(vuln.Module), osv.Affected),
				Trace:        []*govulncheck.Frame{frameFromModule(vuln.Module)},
			}); err != nil {
				return err
			}
		}
	}
	return nil
}

// emitPackageFinding emits package-level findings fod vulnerabilities in vulns.
func emitPackageFindings(handler govulncheck.Handler, vulns []*Vuln) error {
	for _, v := range vulns {
		if err := handler.Finding(&govulncheck.Finding{
			OSV:          v.OSV.ID,
			FixedVersion: FixedVersion(modPath(v.Package.Module), modVersion(v.Package.Module), v.OSV.Affected),
			Trace:        []*govulncheck.Frame{frameFromPackage(v.Package)},
		}); err != nil {
			return err
		}
	}
	return nil
}

// emitCallFindings emits call-level findings for vulnerabilities
// that have a call stack in callstacks.
func emitCallFindings(handler govulncheck.Handler, callstacks map[*Vuln]CallStack) error {
	var vulns []*Vuln
	for v := range callstacks {
		vulns = append(vulns, v)
	}

	for _, vuln := range vulns {
		stack := callstacks[vuln]
		if stack == nil {
			continue
		}
		fixed := FixedVersion(modPath(vuln.Package.Module), modVersion(vuln.Package.Module), vuln.OSV.Affected)
		if err := handler.Finding(&govulncheck.Finding{
			OSV:          vuln.OSV.ID,
			FixedVersion: fixed,
			Trace:        traceFromEntries(stack),
		}); err != nil {
			return err
		}
	}
	return nil
}

// traceFromEntries creates a sequence of
// frames from vcs. Position of a Frame is the
// call position of the corresponding stack entry.
func traceFromEntries(vcs CallStack) []*govulncheck.Frame {
	var frames []*govulncheck.Frame
	for i := len(vcs) - 1; i >= 0; i-- {
		e := vcs[i]
		fr := frameFromPackage(e.Function.Package)
		fr.Function = e.Function.Name
		fr.Receiver = e.Function.Receiver()
		isSink := i == (len(vcs) - 1)
		fr.Position = posFromStackEntry(e, isSink)
		frames = append(frames, fr)
	}
	return frames
}

func posFromStackEntry(e StackEntry, sink bool) *govulncheck.Position {
	var p *token.Position
	var f *FuncNode
	if sink && e.Function != nil && e.Function.Pos != nil {
		// For sinks, i.e., vulns we take the position
		// of the symbol.
		p = e.Function.Pos
		f = e.Function
	} else if e.Call != nil && e.Call.Pos != nil {
		// Otherwise, we take the position of
		// the call statement.
		p = e.Call.Pos
		f = e.Call.Parent
	}

	if p == nil {
		return nil
	}
	return &govulncheck.Position{
		Filename: pathRelativeToMod(p.Filename, f),
		Offset:   p.Offset,
		Line:     p.Line,
		Column:   p.Column,
	}
}

// pathRelativeToMod computes a version of path
// relative to the module of f. If it does not
// have all the necessary information, returns
// an empty string.
//
// The returned paths always use slash as separator
// so they can work across different platforms.
func pathRelativeToMod(path string, f *FuncNode) string {
	if path == "" || f == nil || f.Package == nil { // sanity
		return ""
	}

	mod := f.Package.Module
	if mod.Replace != nil {
		mod = mod.Replace // for replace directive
	}

	modDir := modDirWithVendor(mod.Dir, path, mod.Path)
	p, err := filepath.Rel(modDir, path)
	if err != nil {
		return ""
	}
	// make sure paths are portable.
	return filepath.ToSlash(p)
}

// modDirWithVendor returns modDir if modDir is not empty.
// Otherwise, the module might be located in the vendor
// directory. This function attempts to reconstruct the
// vendored module directory from path and module. It
// returns an empty string if reconstruction fails.
func modDirWithVendor(modDir, path, module string) string {
	if modDir != "" {
		return modDir
	}

	sep := string(os.PathSeparator)
	vendor := sep + "vendor" + sep
	vendorIndex := strings.Index(path, vendor)
	if vendorIndex == -1 {
		return ""
	}
	return filepath.Join(path[:vendorIndex], "vendor", filepath.FromSlash(module))
}

func frameFromPackage(pkg *packages.Package) *govulncheck.Frame {
	fr := &govulncheck.Frame{}
	if pkg != nil {
		fr.Module = pkg.Module.Path
		fr.Version = pkg.Module.Version
		fr.Package = pkg.PkgPath
	}
	if pkg.Module.Replace != nil {
		fr.Module = pkg.Module.Replace.Path
		fr.Version = pkg.Module.Replace.Version
	}
	return fr
}

func frameFromModule(mod *packages.Module) *govulncheck.Frame {
	fr := &govulncheck.Frame{
		Module:  mod.Path,
		Version: mod.Version,
	}

	if mod.Replace != nil {
		fr.Module = mod.Replace.Path
		fr.Version = mod.Replace.Version
	}

	return fr
}