syncable_cli/analyzer/vulnerability/checkers/

go.rs

use std::path::Path;
use std::process::Command;
use log::{info, warn};
use crate::analyzer::dependency_parser::DependencyInfo;
use crate::analyzer::tool_management::ToolDetector;
use crate::analyzer::vulnerability::{VulnerableDependency, VulnerabilityError, VulnerabilityInfo, VulnerabilitySeverity};
use super::MutableLanguageVulnerabilityChecker;

pub struct GoVulnerabilityChecker {
    tool_detector: ToolDetector,
}

impl GoVulnerabilityChecker {
    pub fn new() -> Self {
        Self {
            tool_detector: ToolDetector::new(),
        }
    }
    
    fn execute_govulncheck(
        &mut self,
        project_path: &Path,
        dependencies: &[DependencyInfo],
    ) -> Result<Option<Vec<VulnerableDependency>>, VulnerabilityError> {
        // Check if govulncheck is available
        let govulncheck_status = self.tool_detector.detect_tool("govulncheck");
        if !govulncheck_status.available {
            warn!("govulncheck not found, skipping Go vulnerability check. Install with: go install golang.org/x/vuln/cmd/govulncheck@latest");
            return Ok(None);
        }
        
        info!("Executing govulncheck in {}", project_path.display());
        
        // Execute govulncheck -json
        let output = Command::new("govulncheck")
            .args(&["-json", "./..."])
            .current_dir(project_path)
            .output()
            .map_err(|e| VulnerabilityError::CommandError(
                format!("Failed to run govulncheck: {}", e)
            ))?;
        
        // govulncheck returns 0 even when vulnerabilities are found
        // Non-zero exit code indicates an actual error
        if !output.status.success() && output.stdout.is_empty() {
            return Err(VulnerabilityError::CommandError(
                format!("govulncheck failed with exit code {}: {}", 
                    output.status.code().unwrap_or(-1),
                    String::from_utf8_lossy(&output.stderr))
            ));
        }
        
        if output.stdout.is_empty() {
            return Ok(None);
        }
        
        // Parse govulncheck output
        self.parse_govulncheck_output(&output.stdout, dependencies)
    }
    
    fn parse_govulncheck_output(
        &self,
        output: &[u8],
        dependencies: &[DependencyInfo],
    ) -> Result<Option<Vec<VulnerableDependency>>, VulnerabilityError> {
        let mut vulnerable_deps: Vec<VulnerableDependency> = Vec::new();
        
        // Split output by lines and parse each JSON object
        let output_str = String::from_utf8_lossy(output);
        for line in output_str.lines() {
            if line.trim().is_empty() {
                continue;
            }
            
            let audit_data: serde_json::Value = serde_json::from_str(line)
                .map_err(|e| VulnerabilityError::ParseError(
                    format!("Failed to parse govulncheck output line: {}", e)
                ))?;
            
            // Govulncheck JSON structure parsing
            if audit_data.get("finding").is_some() {
                if let Some(finding) = audit_data.get("finding").and_then(|f| f.as_object()) {
                    let package_name = finding.get("package").and_then(|p| p.as_str())
                        .unwrap_or("").to_string();
                    let module = finding.get("module").and_then(|m| m.as_str())
                        .unwrap_or("").to_string();
                    
                    // Find matching dependency
                    if let Some(dep) = dependencies.iter().find(|d| 
                        d.name == package_name || d.name == module || 
                        package_name.starts_with(&format!("{}/", d.name)) ||
                        module.starts_with(&format!("{}/", d.name))) {
                        
                        let vuln_id = finding.get("osv").and_then(|o| o.as_str())
                            .unwrap_or("unknown").to_string();
                        let title = finding.get("summary").and_then(|s| s.as_str())
                            .unwrap_or("Unknown vulnerability").to_string();
                        let description = finding.get("details").and_then(|d| d.as_str())
                            .unwrap_or("").to_string();
                        let severity = VulnerabilitySeverity::Medium; // Govulncheck doesn't provide severity directly
                        let fixed_version = finding.get("fixed_version").and_then(|v| v.as_str())
                            .map(|s| s.to_string());
                        
                        let vuln_info = VulnerabilityInfo {
                            id: vuln_id,
                            vuln_type: "security".to_string(),  // Security vulnerability
                            severity,
                            title,
                            description,
                            cve: None, // Govulncheck uses OSV IDs
                            ghsa: None, // Govulncheck uses OSV IDs
                            affected_versions: "*".to_string(), // Govulncheck doesn't provide this directly
                            patched_versions: fixed_version,
                            published_date: None,
                            references: Vec::new(), // Govulncheck doesn't provide references in this format
                        };
                        
                        // Check if we already have this dependency
                        if let Some(existing) = vulnerable_deps.iter_mut()
                            .find(|vuln_dep| vuln_dep.name == dep.name)
                        {
                            // Avoid duplicate vulnerabilities
                            if !existing.vulnerabilities.iter().any(|v| v.id == vuln_info.id) {
                                existing.vulnerabilities.push(vuln_info);
                            }
                        } else {
                            vulnerable_deps.push(VulnerableDependency {
                                name: dep.name.clone(),
                                version: dep.version.clone(),
                                language: crate::analyzer::dependency_parser::Language::Go,
                                vulnerabilities: vec![vuln_info],
                            });
                        }
                    }
                }
            }
        }
        
        if vulnerable_deps.is_empty() {
            Ok(None)
        } else {
            Ok(Some(vulnerable_deps))
        }
    }
}

impl MutableLanguageVulnerabilityChecker for GoVulnerabilityChecker {
    fn check_vulnerabilities(
        &mut self,
        dependencies: &[DependencyInfo],
        project_path: &Path,
    ) -> Result<Vec<VulnerableDependency>, VulnerabilityError> {
        info!("Checking Go dependencies");
        
        match self.execute_govulncheck(project_path, dependencies) {
            Ok(Some(vulns)) => Ok(vulns),
            Ok(None) => Ok(vec![]),
            Err(e) => Err(e),
        }
    }
}