[tools] internal/server: add vulncheck scanning after vulncheck prompt
6 views
Skip to first unread message
Ethan Lee (Gerrit)
Nov 20, 2025, 1:08:51 PMNov 20
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Ethan Lee has uploaded the change for review![]( "Open in Gerrit")
Commit message
internal/server: add vulncheck scanning after vulncheck prompt
- Add runVulncheck function to trigger a vulncheck scan after either
reading vulncheck preference or obtaining relevant user input.
Change-Id: Ic8e6a96c71c7d87178acde1f704573ad4b2a2181
Change diff
diff --git a/gopls/internal/server/vulncheck_prompt.go b/gopls/internal/server/vulncheck_prompt.go
index 32a5925..9edb727 100644
--- a/gopls/internal/server/vulncheck_prompt.go
+++ b/gopls/internal/server/vulncheck_prompt.go
@@ -14,12 +14,18 @@
"os"
"path/filepath"
"reflect"
+ "sort"
+ "strings"
"time"
"golang.org/x/mod/modfile"
+ "golang.org/x/tools/gopls/internal/cache"
"golang.org/x/tools/gopls/internal/filecache"
+ "golang.org/x/tools/gopls/internal/progress"
"golang.org/x/tools/gopls/internal/protocol"
"golang.org/x/tools/gopls/internal/settings"
+ "golang.org/x/tools/gopls/internal/vulncheck"
+ "golang.org/x/tools/gopls/internal/vulncheck/scan"
"golang.org/x/tools/internal/event"
)
@@ -125,40 +131,99 @@
govulncheckLink := "[govulncheck](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck)"
message := fmt.Sprintf("Dependencies have changed in %s, would you like to run %s to check for vulnerabilities?", fileLink, govulncheckLink)
- preference, err := getVulncheckPreference()
+ action, err := getVulncheckPreference()
if err != nil {
event.Error(ctx, "reading vulncheck preference", err)
}
- if preference == "Always" || preference == "Never" {
- // TODO: Update this so that we run vulncheck when Always is set.
- return
- }
- action, err := showMessageRequest(ctx, s.client, protocol.Info, message, "Yes", "No", "Always", "Never")
- if err != nil {
- event.Error(ctx, "showing go.mod changed notification", err)
- return
- }
- if action == "Always" || action == "Never" {
- if err := setVulncheckPreference(action); err != nil {
- event.Error(ctx, "writing vulncheck preference", err)
- showMessage(ctx, s.client, protocol.Error, fmt.Sprintf("Failed to save vulncheck preference: %v", err))
+ if action == "" {
+ action, err = showMessageRequest(ctx, s.client, protocol.Info, message, "Yes", "No", "Always", "Never")
+ if err != nil {
+ event.Error(ctx, "showing go.mod changed notification", err)
+ return
+ }
+
+ if action == "Always" || action == "Never" {
+ if err := setVulncheckPreference(action); err != nil {
+ event.Error(ctx, "writing vulncheck preference", err)
+ showMessage(ctx, s.client, protocol.Error, fmt.Sprintf("Failed to save vulncheck preference: %v", err))
+ }
+ }
+
+ if action == "" {
+ // No user input gathered from prompt.
+ return
}
}
- // TODO: Implement the logic to run govulncheck when action is "Yes" or "Always".
- if action == "No" || action == "Never" || action == "" {
- return // Skip the check and don't update the hash.
+ if action == "Yes" || action == "Always" {
+ s.runVulncheck(ctx, change.URI)
}
if err := filecache.Set(goModHashKind, pathHash, []byte(newHash)); err != nil {
event.Error(ctx, "writing new go.mod hash to filecache", err)
- return
}
}
}()
}
+func (s *server) runVulncheck(ctx context.Context, uri protocol.DocumentURI) {
+ err := func() error {
+ snapshot, release, err := s.session.SnapshotOf(ctx, uri)
+ if err != nil {
+ return err
+ }
+ defer release()
+
+ work := s.progress.Start(ctx, GoVulncheckCommandTitle, "Running govulncheck...", nil, nil)
+ defer work.End(ctx, "Done.")
+ workDoneWriter := progress.NewWorkDoneWriter(ctx, work)
+
+ dir := uri.DirPath()
+ pattern := "./..."
+
+ result, err := scan.RunGovulncheck(ctx, pattern, snapshot, dir, workDoneWriter)
+ if err != nil {
+ return err
+ }
+
+ snapshot, release, err = s.session.InvalidateView(ctx, snapshot.View(), cache.StateChange{
+ Vulns: map[protocol.DocumentURI]*vulncheck.Result{uri: result},
+ })
+ if err != nil {
+ return err
+ }
+ defer release()
+
+ s.diagnoseSnapshot(snapshot.BackgroundContext(), snapshot, nil, 0)
+
+ affecting := make(map[string]bool, len(result.Entries))
+ for _, finding := range result.Findings {
+ if len(finding.Trace) > 1 {
+ affecting[finding.OSV] = true
+ }
+ }
+ if len(affecting) == 0 {
+ showMessage(ctx, s.client, protocol.Info, "No vulnerabilities found")
+ return nil
+ }
+ affectingOSVs := make([]string, 0, len(affecting))
+ for id := range affecting {
+ affectingOSVs = append(affectingOSVs, id)
+ }
+ sort.Strings(affectingOSVs)
+
+ showMessage(ctx, s.client, protocol.Warning, fmt.Sprintf("Found %v", strings.Join(affectingOSVs, ", ")))
+
+ return nil
+ }()
+
+ if err != nil {
+ event.Error(ctx, "running vulncheck", err)
+ showMessage(ctx, s.client, protocol.Error, fmt.Sprintf("Failed to run vulncheck: %v", err))
+ }
+}
+
type vulncheckConfig struct {
Vulncheck string `json:"vulncheck"`
}
@@ -193,7 +258,6 @@
return err
}
path := filepath.Join(goplsDir, "settings.json")
- fmt.Printf("Writing vulncheck preference to %s\n", path)
config := vulncheckConfig{Vulncheck: preference}
content, err := json.Marshal(config)
if err != nil {
Change information
Files:
- M gopls/internal/server/vulncheck_prompt.go
Change size: M
Delta: 1 file changed, 83 insertions(+), 19 deletions(-)
Related details
Attention set is empty
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Ethan Lee (Gerrit)
Dec 5, 2025, 4:05:20 PM (11 days ago) Dec 5
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Ethan Lee uploaded new patchset![]( "Open in Gerrit")
Ethan Lee uploaded patch set #4 to this change.
Related details
Attention set is empty
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Ethan Lee (Gerrit)
Dec 10, 2025, 3:36:52 PM (6 days ago) Dec 10
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Ethan Lee uploaded new patchset![]( "Open in Gerrit")
Ethan Lee uploaded patch set #5 to this change.
Related details
Attention set is empty
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Ethan Lee (Gerrit)
Dec 12, 2025, 3:21:02 PM (4 days ago) Dec 12
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Ethan Lee uploaded new patchset![]( "Open in Gerrit")
Ethan Lee uploaded patch set #8 to this change.
Related details
Attention set is empty
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Ethan Lee (Gerrit)
Dec 15, 2025, 4:32:12 PM (22 hours ago) Dec 15
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Ethan Lee uploaded new patchset![]( "Open in Gerrit")
Ethan Lee uploaded patch set #9 to this change.
Related details
Attention set is empty
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Ethan Lee (Gerrit)
Dec 15, 2025, 4:32:46 PM (22 hours ago) Dec 15
to goph...@pubsubhelper.golang.org, Hongxiang Jiang, golang-co...@googlegroups.com
Attention needed from Hongxiang Jiang
Ethan Lee voted![]( "Open in Gerrit")
| Auto-Submit | +1 |
| Commit-Queue | +1 |
Related details
Attention is currently required from:
- Hongxiang Jiang
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Ethan Lee (Gerrit)
11:13 AM (3 hours ago) 11:13 AM
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Attention needed from Ethan Lee and Hongxiang Jiang
Ethan Lee uploaded new patchset![]( "Open in Gerrit")
Ethan Lee uploaded patch set #10 to this change.
Following approvals got outdated and were removed:
- TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI
Related details
Attention is currently required from:
- Ethan Lee
- Hongxiang Jiang
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Reply all
Reply to author
Forward
0 new messages