[gopls-release-branch.0.11] gopls/internal/vulncheck: add TODO for the vulncheck diagnostics

Change-Id: I2980cd85b4627ba44c05194ae033cae2a361454c
Reviewed-on: https://go-review.googlesource.com/c/tools/+/453275
TryBot-Result: Gopher Robot <[email protected]>
gopls-CI: kokoro <[email protected]>
Run-TryBot: Hyang-Ah Hana Kim <[email protected]>
Reviewed-by: Alan Donovan <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/tools/+/456638
Reviewed-by: Robert Findley <[email protected]>

Author: hyangah

gopls/internal/vulncheck/command.go

@@ -200,11 +200,26 @@ func finalDigitsIndex(s string) int {
 // apply to this snapshot. The result contains a set of packages,
 // grouped by vuln ID and by module.
 func vulnerablePackages(ctx context.Context, snapshot source.Snapshot, modfile source.FileHandle) (*govulncheck.Result, error) {
+	// We want to report the intersection of vulnerable packages in the vulndb
+	// and packages transitively imported by this module ('go list -deps all').
+	// We use snapshot.AllValidMetadata to retrieve the list of packages
+	// as an approximation.
+	//
+	// TODO(hyangah): snapshot.AllValidMetadata is a superset of
+	// `go list all` - e.g. when the workspace has multiple main modules
+	// (multiple go.mod files), that can include packages that are not
+	// used by this module. Vulncheck behavior with go.work is not well
+	// defined. Figure out the meaning, and if we decide to present
+	// the result as if each module is analyzed independently, make
+	// gopls track a separate build list for each module and use that
+	// information instead of snapshot.AllValidMetadata.
 	metadata, err := snapshot.AllValidMetadata(ctx)
 	if err != nil {
 		return nil, err
 	}
 
+	// TODO(hyangah): handle vulnerabilities in the standard library.
+
 	// Group packages by modules since vuln db is keyed by module.
 	metadataByModule := map[source.PackagePath][]*source.Metadata{}
 	for _, md := range metadata {