src/goVulncheck: show the vulncheck result in vulncheck.view

hyangah · hyangah · commit 150c57f9e411 · 2022-05-18T20:53:25.000Z
After running vulncheck, open the custom editor (implmeneted by VulncheckResultViewProvider) to show the result. This CL also computes 'AffectedPkgs' field of each vulnerability. This computation should be done inside gopls, rather than in vscode. But while waiting for another gopls release, let's handle here. (For forwards-compatibility, we skip this if AffectedPkgs field is already populated). Change-Id: Ie29050a08955ace05c7c8f478b889554168de09b Reviewed-on: https://go-review.googlesource.com/c/vscode-go/+/406302 Reviewed-by: Suzy Mueller <suzmue@golang.org> Run-TryBot: Hyang-Ah Hana Kim <hyangah@gmail.com> Reviewed-by: Jamal Carvalho <jamal@golang.org> TryBot-Result: kokoro <noreply+kokoro@google.com>
diff --git a/media/vulncheckView.js b/media/vulncheckView.js
@@ -94,6 +94,7 @@
 			<tr><td>Package</td><td>${vuln.PkgPath}</td></tr>
 			<tr><td>Current Version</td><td>${moduleVersion(vuln.ModPath, vuln.CurrentVersion)}</td></tr>
 			<tr><td>Fixed Version</td><td>${moduleVersion(vuln.ModPath, vuln.FixedVersion)}</td></tr>
+			<tr><td>Affecting</td><td>${vuln.AffectedPkgs?.join('<br>')}</td></tr>
 			`;
 			element.appendChild(details);
 
diff --git a/src/goVulncheck.ts b/src/goVulncheck.ts
@@ -4,6 +4,7 @@
  *--------------------------------------------------------*/
 
 import path from 'path';
+import fs from 'fs';
 import * as vscode from 'vscode';
 import { GoExtensionContext } from './context';
 import { getBinPath } from './util';
@@ -12,6 +13,7 @@ import { toolExecutionEnvironment } from './goEnv';
 import { killProcessTree } from './utils/processUtils';
 import * as readline from 'readline';
 import { URI } from 'vscode-uri';
+import { promisify } from 'util';
 
 export class VulncheckResultViewProvider implements vscode.CustomTextEditorProvider {
 	public static readonly viewType = 'vulncheck.view';
@@ -195,26 +197,39 @@ export class VulncheckProvider {
 		this.channel.clear();
 		this.channel.appendLine(`cd ${dir}; gopls vulncheck ${pattern}`);
 
-		let result = '';
 		try {
 			const start = new Date();
 			const vuln = await vulncheck(goCtx, dir, pattern, this.channel);
 
 			if (vuln) {
+				fillAffectedPkgs(vuln.Vuln);
+
 				// record run info.
 				vuln.Start = start;
 				vuln.Duration = Date.now() - start.getTime();
 				vuln.Dir = dir;
 				vuln.Pattern = pattern;
-				result = vuln.Vuln
-					? vuln.Vuln.map(renderVuln).join('----------------------\n')
-					: 'No known vulnerability found.';
+
+				// write to file and visualize it!
+				const fname = path.join(dir, `vulncheck-${Date.now()}.vulncheck.json`);
+				const writeFile = promisify(fs.writeFile);
+				await writeFile(fname, JSON.stringify(vuln));
+				const uri = URI.file(fname);
+				const viewColumn = vscode.ViewColumn.Beside;
+				vscode.commands.executeCommand(
+					'vscode.openWith',
+					uri,
+					VulncheckResultViewProvider.viewType,
+					viewColumn
+				);
+				this.channel.appendLine(`Vulncheck - result wrote in ${fname}`);
+			} else {
+				this.channel.appendLine('Vulncheck - found no vulnerability');
 			}
 		} catch (e) {
 			vscode.window.showErrorMessage(`error running vulncheck: ${e}`);
 			this.channel.appendLine(`Vulncheck failed: ${e}`);
 		}
-		this.channel.appendLine(result);
 		this.channel.show();
 	}
 
@@ -300,48 +315,6 @@ export async function vulncheck(
 	return await task;
 }
 
-const renderVuln = (v: Vuln) => `
-ID:               ${v.ID}
-Aliases:          ${v.Aliases?.join(', ') ?? 'None'}
-Symbol:           ${v.Symbol}
-Pkg Path:         ${v.PkgPath}
-Mod Path:         ${v.ModPath}
-URL:              ${v.URL}
-Current Version:  ${v.CurrentVersion}
-Fixed Version:    ${v.FixedVersion}
-
-${v.Details}
-${renderStack(v)}`;
-
-const renderStack = (v: Vuln) => {
-	const content = [];
-	for (const stack of v.CallStacks ?? []) {
-		for (const [, line] of stack.entries()) {
-			content.push(`\t${line.Name}`);
-			const loc = renderUri(line);
-			if (loc) {
-				content.push(`\t\t${loc}`);
-			}
-		}
-		content.push('');
-	}
-	return content.join('\n');
-};
-
-const renderUri = (stack: CallStack) => {
-	if (!stack.URI) {
-		// generated file or dummy location may not have a file name.
-		return '';
-	}
-	const parsed = vscode.Uri.parse(stack.URI);
-	const line = stack.Pos.line + 1; // Position uses 0-based line number.
-	const folder = vscode.workspace.getWorkspaceFolder(parsed);
-	if (folder) {
-		return `${parsed.path}:${line}:${stack.Pos.character}`;
-	}
-	return `${stack.URI}#${line}:${stack.Pos.character}`;
-};
-
 interface VulncheckReport {
 	// Vulns populated by gopls vulncheck run.
 	Vuln?: Vuln[];
@@ -366,6 +339,10 @@ interface Vuln {
 	FixedVersion: string;
 	CallStacks?: CallStack[][];
 	CallStacksSummary?: string[];
+
+	// Derived from call stacks.
+	// TODO(hyangah): add to gopls vulncheck.
+	AffectedPkgs?: string[];
 }
 
 interface CallStack {
@@ -393,3 +370,33 @@ function safeURIParse(s: string): URI | undefined {
 		return undefined;
 	}
 }
+
+// Computes the AffectedPkgs attribute if it's not present.
+// Exported for testing.
+// TODO(hyangah): move this logic to gopls vulncheck or govulncheck.
+export function fillAffectedPkgs(vulns: Vuln[] | undefined): Vuln[] {
+	if (!vulns) return [];
+
+	const re = new RegExp(/^(\S+)\/([^/\s]+)$/);
+	vulns.forEach((vuln) => {
+		// If it's already set by gopls vulncheck, great!
+		if (vuln.AffectedPkgs) return;
+
+		const affected = new Set<string>();
+		vuln.CallStacks?.forEach((cs) => {
+			if (!cs || cs.length === 0) {
+				return;
+			}
+			const name = cs[0].Name || '';
+			const m = name.match(re);
+			if (!m) {
+				name && affected.add(name);
+			} else {
+				const pkg = m[2] && m[2].split('.')[0];
+				affected.add(`${m[1]}/${pkg}`);
+			}
+		});
+		vuln.AffectedPkgs = Array.from(affected);
+	});
+	return vulns;
+}
diff --git a/test/gopls/vulncheck.test.ts b/test/gopls/vulncheck.test.ts
@@ -50,9 +50,14 @@ suite('vulncheck result viewer tests', () => {
 
 		assert.deepStrictEqual(res.type, 'snapshot-result', `want snapshot-result, got ${JSON.stringify(res)}`);
 		assert(res.target && res.target.includes('GO-2021-0113'), res.target);
+		assert(
+			res.target &&
+				res.target.includes('<td>Affecting</td><td>github.com/golang/vscode-go/test/testdata/vuln</td>'),
+			res.target
+		);
 	});
 
-	test('handles invalid input', async () => {
+	test('handles empty input', async () => {
 		const webviewPanel = _register(
 			vscode.window.createWebviewPanel(webviewId, 'title', { viewColumn: vscode.ViewColumn.One }, {})
 		);
@@ -74,6 +79,8 @@ suite('vulncheck result viewer tests', () => {
 		assert.deepStrictEqual(res.type, 'snapshot-result', `want snapshot-result, got ${JSON.stringify(res)}`);
 		assert(!res.target, res.target);
 	});
+
+	// TODO: test corrupted/incomplete json file handling.
 });
 
 function getMessage<R = { type: string; target?: string }>(webview: vscode.WebviewPanel): Promise<R> {
@@ -84,3 +91,44 @@ function getMessage<R = { type: string; target?: string }>(webview: vscode.Webvi
 		});
 	});
 }
+suite('fillAffectedPkgs', () => {
+	test('compute from the first call stack entry', async () => {
+		const data = JSON.parse(`{
+		"Vuln": [{
+			"CallStacks": [
+				[
+				  {
+					"Name": "github.com/golang/vscode-go/test/testdata/vuln.main",
+					"URI": "file:///vuln/test.go",
+					"Pos": { "line": 9, "character": 0 }
+				  },
+				  {
+					"Name": "golang.org/x/text/language.Parse",
+					"URI": "file:///foo/bar.go",
+					"Pos": { "line": 227, "character": 0 }
+				  }
+				]
+			]}]}`);
+		goVulncheck.fillAffectedPkgs(data.Vuln);
+		assert.deepStrictEqual(data.Vuln[0].AffectedPkgs, ['github.com/golang/vscode-go/test/testdata/vuln']);
+	});
+
+	test('callstacks missing', async () => {
+		const data = JSON.parse('{ "Vuln": [{}] }');
+		goVulncheck.fillAffectedPkgs(data.Vuln);
+		assert.deepStrictEqual(data.Vuln[0].AffectedPkgs, []);
+	});
+
+	test('callstacks empty', async () => {
+		const data = JSON.parse('{ "Vuln": [{"CallStacks": []}] }');
+		goVulncheck.fillAffectedPkgs(data.Vuln);
+		assert.deepStrictEqual(data.Vuln[0].AffectedPkgs, []);
+	});
+
+	test('first call stack entry is missing Name', async () => {
+		const data = JSON.parse(`{
+		"Vuln": [{ "CallStacks": [ [ { "URI": "file:///vuln/test.go" } ] ]}]}`);
+		goVulncheck.fillAffectedPkgs(data.Vuln);
+		assert.deepStrictEqual(data.Vuln[0].AffectedPkgs, []);
+	});
+});
diff --git a/test/testdata/vuln/test.vulncheck.json b/test/testdata/vuln/test.vulncheck.json
@@ -12,6 +12,7 @@
       "URL": "https://pkg.go.dev/vuln/GO-2021-0113",
       "CurrentVersion": "v0.0.0-20170915032832-14c0d48ead0c",
       "FixedVersion": "v0.3.7",
+      "AffectedPkgs": ["github.com/golang/vscode-go/test/testdata/vuln"],
       "CallStacks": [
         [
           {
@@ -34,9 +35,6 @@
       ],
       "CallStackSummaries": [
         "github.com/golang/vscode-go/test/testdata/vuln.main calls golang.org/x/text/language.Parse"
-      ],
-      "AffectedPkgs": [
-        "github.com/golang/vscode-go/test/testdata/vuln"
       ]
     }
   ],

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@`
`12`	`12`	`"URL": "https://pkg.go.dev/vuln/GO-2021-0113",`
`13`	`13`	`"CurrentVersion": "v0.0.0-20170915032832-14c0d48ead0c",`
`14`	`14`	`"FixedVersion": "v0.3.7",`
	`15`	`+ "AffectedPkgs": ["github.com/golang/vscode-go/test/testdata/vuln"],`
`15`	`16`	`"CallStacks": [`
`16`	`17`	`[`
`17`	`18`	`{`
`@@ -34,9 +35,6 @@`
`34`	`35`	`],`
`35`	`36`	`"CallStackSummaries": [`
`36`	`37`	`"github.com/golang/vscode-go/test/testdata/vuln.main calls golang.org/x/text/language.Parse"`
`37`		`- ],`
`38`		`- "AffectedPkgs": [`
`39`		`- "github.com/golang/vscode-go/test/testdata/vuln"`
`40`	`38`	`]`
`41`	`39`	`}`
`42`	`40`	`],`