internal/govulncheck: fail in GOPATH mode

Follows https://go-review.git.corp.google.com/c/vuln/+/395241

Fixes golang/go#53741

Change-Id: I9d751cd40530fd31c1d86c26dd4f718681b7719c
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/443455
Run-TryBot: Zvonimir Pavlinovic <[email protected]>
Reviewed-by: Jonathan Amsterdam <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

Author: softdev050

cmd/govulncheck/testdata/nogomod.ct

@@ -6,6 +6,7 @@ govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulnch
 Scanning for dependencies with known vulnerabilities...
 govulncheck: no go.mod file
 
-govulncheck only works Go with modules. To make your project a module, run go mod init.
+govulncheck only works Go with modules. Try navigating to your module directory.
+Otherwise, run go mod init to make your project a module.
 
 See https://go.dev/doc/modules/managing-dependencies for more information.

internal/govulncheck/errors.go

@@ -8,6 +8,8 @@ import (
 	"errors"
 	"os"
 	"strings"
+
+	"golang.org/x/vuln/vulncheck"
 )
 
 var (
@@ -30,7 +32,8 @@ govulncheck with the current Go version.`)
 	// ErrNoGoSum indicates that a go.mod file was not found in this module.
 	ErrNoGoMod = errors.New(`no go.mod file
 
-govulncheck only works Go with modules. To make your project a module, run go mod init.
+govulncheck only works Go with modules. Try navigating to your module directory.
+Otherwise, run go mod init to make your project a module.
 
 See https://go.dev/doc/modules/managing-dependencies for more information.`)
 
@@ -39,6 +42,14 @@ See https://go.dev/doc/modules/managing-dependencies for more information.`)
 
 Your module is missing a go.sum file. Try running go mod tidy.
 
+See https://go.dev/doc/modules/managing-dependencies for more information.`)
+
+	// ErrNoModVersion indicates that govulncheck cannot access module version information.
+	ErrNoModVersion = errors.New(`no module version information
+
+This can happen when running govulncheck in GOPATH mode. govulncheck needs module
+versions to correctly identify vulnerabilities.
+
 See https://go.dev/doc/modules/managing-dependencies for more information.`)
 )
 
@@ -65,3 +76,34 @@ func isGoVersionMismatchError(err error) bool {
 	return strings.Contains(msg, "This application uses version go") &&
 		strings.Contains(msg, "It may fail to process source files")
 }
+
+// inGoPathMode checks if govulncheck is running in GOPATH mode by checking
+// if module information is available.
+func inGoPathMode(pkgs []*vulncheck.Package) bool {
+	packageModule := func(p *vulncheck.Package) *vulncheck.Module {
+		m := p.Module
+		if m == nil {
+			return nil
+		}
+		if r := m.Replace; r != nil {
+			return r
+		}
+		return m
+	}
+
+	hasModuleInfo := false
+	var visit func(p *vulncheck.Package)
+	visit = func(p *vulncheck.Package) {
+		if packageModule(p) != nil {
+			hasModuleInfo = true
+			return
+		}
+		for _, i := range p.Imports {
+			visit(i)
+		}
+	}
+	for _, p := range pkgs {
+		visit(p)
+	}
+	return !hasModuleInfo
+}

internal/govulncheck/legacy_run.go

@@ -69,6 +69,10 @@ func LegacyRun(ctx context.Context, cfg LegacyConfig) (*Result, error) {
 			}
 			return nil, err
 		}
+		// If we are in GOPATH mode, then no version information will be available.
+		if inGoPathMode(pkgs) {
+			return nil, ErrNoModVersion
+		}
 
 		// Sort pkgs so that the PkgNodes returned by vulncheck.Source will be
 		// deterministic.