all: cleanup govulncheck packages

This CL does not add any new code. It simply

- renames files and moves code accordingly
- makes private those symbols that do not need to be public anymore

For golang/go#56042

Change-Id: I827a84540f0c7200f4d68bf59ce1f6a59a52877f
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/448775
Run-TryBot: Zvonimir Pavlinovic <[email protected]>
Reviewed-by: Jonathan Amsterdam <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

Author: softdev050

cmd/govulncheck/errors.go

@@ -15,42 +15,42 @@ import (
 )
 
 var (
-	// ErrErrGoVersionMismatch is used to indicate that there is a mismatch between
+	// errGoVersionMismatch is used to indicate that there is a mismatch between
 	// the Go version used to build govulncheck and the one currently on PATH.
-	ErrGoVersionMismatch = errors.New(`Loading packages failed, possibly due to a mismatch between the Go version
+	errGoVersionMismatch = errors.New(`Loading packages failed, possibly due to a mismatch between the Go version
 used to build govulncheck and the Go version on PATH. Consider rebuilding
 govulncheck with the current Go version.`)
 
-	// ErrNoGoSum indicates that a go.mod file was not found in this module.
-	ErrNoGoMod = errors.New(`no go.mod file
+	// errNoGoSum indicates that a go.mod file was not found in this module.
+	errNoGoMod = errors.New(`no go.mod file
 
 govulncheck only works Go with modules. Try navigating to your module directory.
 Otherwise, run go mod init to make your project a module.
 
 See https://go.dev/doc/modules/managing-dependencies for more information.`)
 
-	// ErrNoGoSum indicates that a go.sum file was not found in this module.
-	ErrNoGoSum = errors.New(`no go.sum file
+	// errNoGoSum indicates that a go.sum file was not found in this module.
+	errNoGoSum = errors.New(`no go.sum file
 
 Your module is missing a go.sum file. Try running go mod tidy.
 
 See https://go.dev/doc/modules/managing-dependencies for more information.`)
 
-	// ErrNoModVersion indicates that govulncheck cannot access module version information.
-	ErrNoModVersion = errors.New(`no module version information
+	// errNoModVersion indicates that govulncheck cannot access module version information.
+	errNoModVersion = errors.New(`no module version information
 
 This can happen when running govulncheck in GOPATH mode. govulncheck needs module
 versions to correctly identify vulnerabilities.
 
 See https://go.dev/doc/modules/managing-dependencies for more information.`)
 )
 
-// A PackageError contains errors from loading a set of packages.
-type PackageError struct {
+// packageError contains errors from loading a set of packages.
+type packageError struct {
 	Errors []packages.Error
 }
 
-func (e *PackageError) Error() string {
+func (e *packageError) Error() string {
 	var b strings.Builder
 	fmt.Fprintln(&b, "Packages contain errors:")
 	for _, e := range e.Errors {

cmd/govulncheck/main.go

@@ -103,13 +103,13 @@ func doGovulncheck(patterns []string, sourceAnalysis bool) error {
 		if err != nil {
 			// Try to provide a meaningful and actionable error message.
 			if !fileExists(filepath.Join(dir, "go.mod")) {
-				return ErrNoGoMod
+				return errNoGoMod
 			}
 			if !fileExists(filepath.Join(dir, "go.sum")) {
-				return ErrNoGoSum
+				return errNoGoSum
 			}
 			if isGoVersionMismatchError(err) {
-				return fmt.Errorf("%v\n\n%v", ErrGoVersionMismatch, err)
+				return fmt.Errorf("%v\n\n%v", errGoVersionMismatch, err)
 			}
 			return err
 		}
@@ -181,7 +181,7 @@ func die(format string, args ...interface{}) {
 
 // loadPackages loads the packages matching patterns at dir using build tags
 // provided by tagsFlag. Uses load mode needed for vulncheck analysis. If the
-// packages contain errors, a PackageError is returned containing a list of
+// packages contain errors, a packageError is returned containing a list of
 // the errors, along with the packages themselves.
 func loadPackages(patterns []string, dir string) ([]*vulncheck.Package, error) {
 	var buildFlags []string
@@ -205,7 +205,7 @@ func loadPackages(patterns []string, dir string) ([]*vulncheck.Package, error) {
 		perrs = append(perrs, p.Errors...)
 	})
 	if len(perrs) > 0 {
-		err = &PackageError{perrs}
+		err = &packageError{perrs}
 	}
 	return vpkgs, err
 }

internal/govulncheck/inits.go renamed to internal/govulncheck/callstacks.go

@@ -11,6 +11,7 @@ import (
 	"strconv"
 	"strings"
 
+	"golang.org/x/vuln/internal"
 	"golang.org/x/vuln/vulncheck"
 )
 
@@ -114,24 +115,61 @@ func isInit(f *vulncheck.FuncNode) bool {
 	return f.Name == "init" || strings.HasPrefix(f.Name, "init#")
 }
 
-// pkgMap creates a map from package paths to packages for all pkgs
-// and their transitive imports.
-func pkgMap(pkgs []*vulncheck.Package) map[string]*vulncheck.Package {
-	m := make(map[string]*vulncheck.Package)
-	var visit func(*vulncheck.Package)
-	visit = func(p *vulncheck.Package) {
-		if _, ok := m[p.PkgPath]; ok {
-			return
-		}
-		m[p.PkgPath] = p
+// summarizeCallStack returns a short description of the call stack.
+// It uses one of two forms, depending on what the lowest function F in topPkgs
+// calls:
+//   - If it calls a function V from the vulnerable package, then summarizeCallStack
+//     returns "F calls V".
+//   - If it calls a function G in some other package, which eventually calls V,
+//     it returns "F calls G, which eventually calls V".
+//
+// If it can't find any of these functions, summarizeCallStack returns the empty string.
+func summarizeCallStack(cs CallStack, topPkgs map[string]bool, vulnPkg string) string {
+	// Find the lowest function in the top packages.
+	iTop := lowest(cs.Frames, func(e *StackFrame) bool {
+		return topPkgs[e.PkgPath]
+	})
+	if iTop < 0 {
+		return ""
+	}
+	// Find the highest function in the vulnerable package that is below iTop.
+	iVuln := highest(cs.Frames[iTop+1:], func(e *StackFrame) bool {
+		return e.PkgPath == vulnPkg
+	})
+	if iVuln < 0 {
+		return ""
+	}
+	iVuln += iTop + 1 // adjust for slice in call to highest.
+	topName := cs.Frames[iTop].Name()
+	topPos := internal.AbsRelShorter(cs.Frames[iTop].Pos())
+	if topPos != "" {
+		topPos += ": "
+	}
+	vulnName := cs.Frames[iVuln].Name()
+	if iVuln == iTop+1 {
+		return fmt.Sprintf("%s%s calls %s", topPos, topName, vulnName)
+	}
+	return fmt.Sprintf("%s%s calls %s, which eventually calls %s",
+		topPos, topName, cs.Frames[iTop+1].Name(), vulnName)
+}
 
-		for _, i := range p.Imports {
-			visit(i)
-		}
+// uniqueCallStack returns the first unique call stack among css, if any.
+// Unique means that the call stack does not go through symbols of vg.
+func uniqueCallStack(v *vulncheck.Vuln, css []vulncheck.CallStack, vg []*vulncheck.Vuln, r *vulncheck.Result) vulncheck.CallStack {
+	vulnFuncs := make(map[*vulncheck.FuncNode]bool)
+	for _, v := range vg {
+		vulnFuncs[r.Calls.Functions[v.CallSink]] = true
 	}
 
-	for _, p := range pkgs {
-		visit(p)
+	vulnFunc := r.Calls.Functions[v.CallSink]
+callstack:
+	for _, cs := range css {
+		for _, e := range cs {
+			if e.Function != vulnFunc && vulnFuncs[e.Function] {
+				continue callstack
+			}
+		}
+		return cs
 	}
-	return m
+	return nil
 }

internal/govulncheck/inits_test.go renamed to internal/govulncheck/callstacks_test.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"path"
 	"path/filepath"
+	"strings"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
@@ -18,6 +19,98 @@ import (
 	"golang.org/x/vuln/vulncheck"
 )
 
+func TestUniqueCallStack(t *testing.T) {
+	a := &vulncheck.FuncNode{Name: "A"}
+	b := &vulncheck.FuncNode{Name: "B"}
+	v1 := &vulncheck.FuncNode{Name: "V1"}
+	v2 := &vulncheck.FuncNode{Name: "V2"}
+	v3 := &vulncheck.FuncNode{Name: "V3"}
+
+	vuln1 := &vulncheck.Vuln{Symbol: "V1", CallSink: 1}
+	vuln2 := &vulncheck.Vuln{Symbol: "V2", CallSink: 2}
+	vuln3 := &vulncheck.Vuln{Symbol: "V3", CallSink: 3}
+
+	vr := &vulncheck.Result{
+		Calls: &vulncheck.CallGraph{
+			Functions: map[int]*vulncheck.FuncNode{1: v1, 2: v2, 3: v3},
+		},
+		Vulns: []*vulncheck.Vuln{vuln1, vuln2, vuln3},
+	}
+
+	callStack := func(fs ...*vulncheck.FuncNode) vulncheck.CallStack {
+		var cs vulncheck.CallStack
+		for _, f := range fs {
+			cs = append(cs, vulncheck.StackEntry{Function: f})
+		}
+		return cs
+	}
+
+	// V1, V2, and V3 are vulnerable symbols
+	skip := []*vulncheck.Vuln{vuln1, vuln2, vuln3}
+	for _, test := range []struct {
+		vuln *vulncheck.Vuln
+		css  []vulncheck.CallStack
+		want vulncheck.CallStack
+	}{
+		// [A -> B -> V3 -> V1, A -> V1] ==> A -> V1 since the first stack goes through V3
+		{vuln1, []vulncheck.CallStack{callStack(a, b, v3, v1), callStack(a, v1)}, callStack(a, v1)},
+		// [A -> V1 -> V2] ==> nil since the only candidate call stack goes through V1
+		{vuln2, []vulncheck.CallStack{callStack(a, v1, v2)}, nil},
+		// [A -> V1 -> V3, A -> B -> v3] ==> A -> B -> V3 since the first stack goes through V1
+		{vuln3, []vulncheck.CallStack{callStack(a, v1, v3), callStack(a, b, v3)}, callStack(a, b, v3)},
+	} {
+		t.Run(test.vuln.Symbol, func(t *testing.T) {
+			got := uniqueCallStack(test.vuln, test.css, skip, vr)
+			if diff := cmp.Diff(test.want, got); diff != "" {
+				t.Fatalf("mismatch (-want, +got):\n%s", diff)
+			}
+		})
+	}
+}
+
+func TestSummarizeCallStack(t *testing.T) {
+	topPkgs := map[string]bool{"t1": true, "t2": true}
+	vulnPkg := "v"
+
+	for _, test := range []struct {
+		in, want string
+	}{
+		{"a.F", ""},
+		{"t1.F", ""},
+		{"v.V", ""},
+		{
+			"t1.F v.V",
+			"t1.F calls v.V",
+		},
+		{
+			"t1.F t2.G v.V1 v.v2",
+			"t2.G calls v.V1",
+		},
+		{
+			"t1.F x.Y t2.G a.H b.I c.J v.V",
+			"t2.G calls a.H, which eventually calls v.V",
+		},
+	} {
+		in := stringToCallStack(test.in)
+		got := summarizeCallStack(in, topPkgs, vulnPkg)
+		if got != test.want {
+			t.Errorf("%s:\ngot  %s\nwant %s", test.in, got, test.want)
+		}
+	}
+}
+
+func stringToCallStack(s string) CallStack {
+	var cs CallStack
+	for _, e := range strings.Fields(s) {
+		parts := strings.Split(e, ".")
+		cs.Frames = append(cs.Frames, &StackFrame{
+			PkgPath:  parts[0],
+			FuncName: parts[1],
+		})
+	}
+	return cs
+}
+
 // TestInits checks for correct positions of init functions
 // and their respective calls (see #51575).
 func TestInits(t *testing.T) {

internal/govulncheck/run.go

@@ -94,7 +94,7 @@ func createSourceResult(vr *vulncheck.Result, pkgs []*vulncheck.Package) *Result
 					Frames: stackFramesfromEntries(vcs),
 					Symbol: vv.Symbol,
 				}
-				cs.Summary = SummarizeCallStack(cs, topPkgs, p.Path)
+				cs.Summary = summarizeCallStack(cs, topPkgs, p.Path)
 				p.CallStacks = []CallStack{cs}
 			}
 		}
@@ -253,37 +253,3 @@ func stackFramesfromEntries(vcs vulncheck.CallStack) []*StackFrame {
 	}
 	return frames
 }
-
-// uniqueCallStack returns the first unique call stack among css, if any.
-// Unique means that the call stack does not go through symbols of vg.
-func uniqueCallStack(v *vulncheck.Vuln, css []vulncheck.CallStack, vg []*vulncheck.Vuln, r *vulncheck.Result) vulncheck.CallStack {
-	vulnFuncs := make(map[*vulncheck.FuncNode]bool)
-	for _, v := range vg {
-		vulnFuncs[r.Calls.Functions[v.CallSink]] = true
-	}
-
-	vulnFunc := r.Calls.Functions[v.CallSink]
-callstack:
-	for _, cs := range css {
-		for _, e := range cs {
-			if e.Function != vulnFunc && vulnFuncs[e.Function] {
-				continue callstack
-			}
-		}
-		return cs
-	}
-	return nil
-}
-
-// moduleVersionMap builds a map from module paths to versions.
-func moduleVersionMap(mods []*vulncheck.Module) map[string]string {
-	moduleVersions := map[string]string{}
-	for _, m := range mods {
-		v := m.Version
-		if m.Replace != nil {
-			v = m.Replace.Version
-		}
-		moduleVersions[m.Path] = v
-	}
-	return moduleVersions
-}