[vuln] cmd/govulncheck: update docs

Gopher Robot (Gerrit)

Apr 18, 2023, 2:55:20 PM
to Julie Qiu, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Julie Qiu, Zvonimir Pavlinovic, Todd Kulesza, Tatiana Bradley, golang-co...@googlegroups.com

Gopher Robot submitted this change.


6 is the latest approved patch-set.
The change was submitted with unreviewed changes in the following files:

```
The name of the file: cmd/govulncheck/doc.go
Insertions: 3, Deletions: 6.

@@ -37,9 +37,6 @@

main.go:[line]:[column]: mypackage.main calls golang.org/x/text/language.Parse

-For a more detailed call path that resembles Go panic stack traces, use the -v
-flag.
-
To control which files are processed, use the -tags flag to provide a
comma-separated list of build tags, and the -test flag to indicate that test
files should be included.
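Review bot: dropping the "-For a more detailed call path that resembles Go panic stack traces, use the -v flag." paragraph leaves this hunk's surrounding text with no statement of what -v adds to the `main.go:[line]:[column]: mypackage.main calls ...` output; since the -v help string elsewhere in this change becomes only "print additional information", consider keeping one sentence here that names the call path output as the additional information, so the behaviour stays documented somewhere.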
@@ -60,9 +57,9 @@

A few flags control govulncheck's behavior.

-The -C flag causes govulncheck to change to the provided directory before
-running. Any patterns or files named on the command line are interpreted after
-changing directories.
+The -C flag causes govulncheck to change its working directory to the provided
+directory before running. Any patterns or files named on the command line are
+interpreted after changing directories.

The -db flag causes govulncheck to read from the specified database, which must
implement the specification at https://go.dev/security/vuln/database. By
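Review bot: the -C wording change ("change its working directory to the provided directory before running") is a clarification only, but it was submitted after patch set 6 was approved; a reviewer should confirm the two unreviewed doc.go hunks match the corresponding hunks in the full diff below so the doc and the approved text do not diverge.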
```
```
The name of the file: cmd/govulncheck/testdata/usage.ct
Insertions: 2, Deletions: 2.

@@ -18,7 +18,7 @@
comma-separated list of build tags
-test
analyze test files (only valid for source mode)
- -v print a full call stack for each vulnerability
+ -v print additional information

For details, see https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck.

@@ -44,6 +44,6 @@
comma-separated list of build tags
-test
analyze test files (only valid for source mode)
- -v print a full call stack for each vulnerability
+ -v print additional information

For details, see https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck.
```

Approvals:
Julie Qiu: Looks good to me, but someone else must approve; Run TryBots; Automatically submit change
Tatiana Bradley: Looks good to me, approved
Zvonimir Pavlinovic: Looks good to me, approved
Gopher Robot: TryBots succeeded
cmd/govulncheck: update docs

Change-Id: I5bf46972831392c270ac98443ae05ec8954da947
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/485899
Reviewed-by: Julie Qiu <juli...@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavl...@google.com>
Auto-Submit: Julie Qiu <juli...@google.com>
TryBot-Result: Gopher Robot <go...@golang.org>
Run-TryBot: Julie Qiu <juli...@google.com>
Reviewed-by: Tatiana Bradley <tatiana...@google.com>
---
M cmd/govulncheck/doc.go
M cmd/govulncheck/testdata/usage.ct
M internal/scan/flags.go
M internal/scan/scan.go
4 files changed, 23 insertions(+), 28 deletions(-)

diff --git a/cmd/govulncheck/doc.go b/cmd/govulncheck/doc.go
index d6046c1..849ed23 100644
--- a/cmd/govulncheck/doc.go
+++ b/cmd/govulncheck/doc.go
@@ -10,9 +10,9 @@
By default, govulncheck makes requests to the Go vulnerability database at
https://vuln.go.dev. Requests to the vulnerability database contain only module
paths, not code or other properties of your program. See
-https://vuln.go.dev/privacy.html for more. Set the GOVULNDB environment
-variable to specify a different database, which must implement the
-specification at https://go.dev/security/vuln/database.
+https://vuln.go.dev/privacy.html for more. Use the -db flag to specify a
+different database, which must implement the specification at
+https://go.dev/security/vuln/database.

Govulncheck looks for vulnerabilities in Go programs using a specific build
configuration. For analyzing source code, that configuration is the Go version
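Review bot: replacing the GOVULNDB sentence with "Use the -db flag to specify a different database" removes the only documentation of the environment variable, but nothing in this hunk says whether GOVULNDB is still honoured; the flags.go hunk below registers -db with the literal default "https://vuln.go.dev" and shows no environment lookup, so if the variable was dropped, a user who had set GOVULNDB to a private mirror will now silently query the public database. Either state explicitly that GOVULNDB is no longer read, or keep a one-line note on how the variable and the flag interact.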
@@ -37,15 +37,14 @@

main.go:[line]:[column]: mypackage.main calls golang.org/x/text/language.Parse

-For a more detailed call path that resembles Go panic stack traces, use the -v flag.
-
To control which files are processed, use the -tags flag to provide a
comma-separated list of build tags, and the -test flag to indicate that test
files should be included.

-To run govulncheck on a compiled binary, pass it the path to the binary file:
+To run govulncheck on a compiled binary, pass it the path to the binary file
+with the -mode=binary flag:

- $ govulncheck $HOME/go/bin/my-go-program
+ $ govulncheck -mode=binary $HOME/go/bin/my-go-program

Govulncheck uses the binary's symbol information to find mentions of vulnerable
functions. Its output omits call stacks, which require source code analysis.
@@ -58,18 +57,29 @@

A few flags control govulncheck's behavior.

-The -v flag causes govulncheck to output more information about call stacks
-when run on source. It has no effect when run on a binary.
+The -C flag causes govulncheck to change its working directory to the provided
+directory before running. Any patterns or files named on the command line are
+interpreted after changing directories.
+
+The -db flag causes govulncheck to read from the specified database, which must
+implement the specification at https://go.dev/security/vuln/database. By
+default, govulncheck fetches vulnerability data from https://vuln.go.dev.

The -json flag causes govulncheck to print its output as a JSON object
corresponding to the type [golang.org/x/vuln/internal/govulncheck.Result]. The
exit code of govulncheck is 0 when this flag is provided.

+The -mode flag causes govulncheck to run source or binary analysis. By default,
+govulnchecks runs source analysis.
+
The -tags flag accepts a comma-separated list of build tags to control which
files should be included in loaded packages for source analysis.

The -test flag causes govulncheck to include test files in the source analysis.

+The -v flag causes govulncheck to output more information when run on source.
+It has no effect when run on a binary.
+
# Limitations

Govulncheck has these limitations:
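Review bot: typo in the added -mode paragraph: "+govulnchecks runs source analysis." should read "govulncheck runs source analysis." The same paragraph says only that -mode "causes govulncheck to run source or binary analysis" without naming the accepted values; since the example earlier in the file uses "-mode=binary", state the values here, for example "The -mode flag selects source or binary analysis (-mode=source or -mode=binary). By default, govulncheck runs source analysis." The flag list is otherwise in alphabetical order (-C, -db, -json, -mode, -tags, -test, -v), which reads well.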
diff --git a/cmd/govulncheck/testdata/usage.ct b/cmd/govulncheck/testdata/usage.ct
index 41c6f02..c9edc03 100644
--- a/cmd/govulncheck/testdata/usage.ct
+++ b/cmd/govulncheck/testdata/usage.ct
@@ -18,7 +18,7 @@
comma-separated list of build tags
-test
analyze test files (only valid for source mode)
- -v print a full call stack for each vulnerability
+ -v print additional information

For details, see https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck.

@@ -44,6 +44,6 @@
comma-separated list of build tags
-test
analyze test files (only valid for source mode)
- -v print a full call stack for each vulnerability
+ -v print additional information

For details, see https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck.
diff --git a/internal/scan/flags.go b/internal/scan/flags.go
index 379db32..d8e0c65 100644
--- a/internal/scan/flags.go
+++ b/internal/scan/flags.go
@@ -36,7 +36,7 @@
var tagsFlag buildutil.TagsFlag
flags := flag.NewFlagSet("", flag.ContinueOnError)
flags.BoolVar(&cfg.json, "json", false, "output JSON")
- flags.BoolVar(&cfg.verbose, "v", false, "print a full call stack for each vulnerability")
+ flags.BoolVar(&cfg.verbose, "v", false, "print additional information")
flags.BoolVar(&cfg.test, "test", false, "analyze test files (only valid for source mode)")
flags.StringVar(&cfg.dir, "C", "", "change to dir before running govulncheck")
flags.StringVar(&cfg.db, "db", "https://vuln.go.dev", "vulnerability database URL")
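Review bot: the new help string "print additional information" is less useful than the one it replaces; a user reading `govulncheck -h` cannot tell what -v changes or that it is ignored for binaries, which doc.go in this same change spells out ("It has no effect when run on a binary."). Suggest something like `flags.BoolVar(&cfg.verbose, "v", false, "print more detail, including call stacks (source mode only)")` and the matching update in usage.ct.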
diff --git a/internal/scan/scan.go b/internal/scan/scan.go
index 40a74cd..a9c17b9 100644
--- a/internal/scan/scan.go
+++ b/internal/scan/scan.go
@@ -24,23 +24,8 @@
err error
}

-// Command is the equivalent of exec.Command
-//
// Command returns the Cmd struct to execute govulncheck with the given
-// arguments. It does not invoke an external command when started; the
-// vulnerability scan happens in process.
-//
-// It sets only the Path and Args in the returned structure.
-//
-// The returned Cmd's Args field is constructed from the command name (which is
-// always unused, but present to model the exec.Command API), followed
-// by the elements of arg, so arg should not include the command name itself.
-//
-// For example, Command("echo", "hello"). Args[0] is always name, not the
-// possibly resolved Path.
-//
-// It is designed to be very easy to switch to running an external command
-// instead.
+// arguments.
func Command(ctx context.Context, arg ...string) *Cmd {
return &Cmd{
ctx: ctx,
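Review bot: the trimmed comment now says only "Command returns the Cmd struct to execute govulncheck with the given arguments." Removing the `Command("echo", "hello")` example is right, since the signature `Command(ctx context.Context, arg ...string)` has no name parameter and that text was stale, but two removed facts are still useful to callers and should be kept: that "the vulnerability scan happens in process" (no external command is started), and whether `arg` is expected to include a command name (the old comment said it should not). One sentence for each would keep the exported API self-describing.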


Gerrit-MessageType: merged
Gerrit-Project: vuln
Gerrit-Branch: master
Gerrit-Change-Id: I5bf46972831392c270ac98443ae05ec8954da947
Gerrit-Change-Number: 485899
Gerrit-PatchSet: 10
Gerrit-Owner: Julie Qiu <ju...@golang.org>
Gerrit-Reviewer: Gopher Robot <go...@golang.org>
Gerrit-Reviewer: Julie Qiu <ju...@golang.org>
Gerrit-Reviewer: Julie Qiu <juli...@google.com>
Gerrit-Reviewer: Tatiana Bradley <tatiana...@google.com>
Gerrit-Reviewer: Todd Kulesza <tkul...@google.com>
Gerrit-Reviewer: Zvonimir Pavlinovic <zpavl...@google.com>