internal/server: add module upgrade pathway after vulncheck scanning

ethanalee-work · gopherbot · commit 27020ac4d8e3 · 2026-02-09T03:52:01.000-08:00
- Provide prompt messages indicating vulnerabilities found and actions that users can take to update dependencies and `go mod tidy`. Change-Id: I7d18fb48ac53ee3e4857fa3ff4be2968260e33db Reviewed-on: https://go-review.googlesource.com/c/tools/+/736122 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Hongxiang Jiang <hxjiang@golang.org> Auto-Submit: Ethan Lee <ethanalee@google.com>
diff --git a/gopls/internal/server/vulncheck_prompt.go b/gopls/internal/server/vulncheck_prompt.go
@@ -5,6 +5,7 @@
 package server
 
 import (
+	"bytes"
 	"context"
 	"crypto/sha256"
 	"encoding/hex"
@@ -18,10 +19,13 @@ import (
 	"strings"
 
 	"golang.org/x/mod/modfile"
+	"golang.org/x/mod/semver"
+	"golang.org/x/tools/gopls/internal/cache"
 	"golang.org/x/tools/gopls/internal/filecache"
 	"golang.org/x/tools/gopls/internal/progress"
 	"golang.org/x/tools/gopls/internal/protocol"
 	"golang.org/x/tools/gopls/internal/settings"
+	"golang.org/x/tools/gopls/internal/vulncheck/govulncheck"
 	"golang.org/x/tools/internal/event"
 	"golang.org/x/tools/internal/xcontext"
 )
@@ -38,60 +42,60 @@ const (
 func computeGoModHash(file *modfile.File) (string, error) {
 	h := sha256.New()
 	for _, req := range file.Require {
-		if _, err := h.Write([]byte(req.Mod.Path + req.Mod.Version)); err != nil {
+		if _, err := h.Write([]byte(req.Mod.Path + "\x00" + req.Mod.Version)); err != nil {
 			return "", err
 		}
 	}
 	for _, exc := range file.Exclude {
-		if _, err := h.Write([]byte(exc.Mod.Path + exc.Mod.Version)); err != nil {
+		if _, err := h.Write([]byte(exc.Mod.Path + "\x00" + exc.Mod.Version)); err != nil {
 			return "", err
 		}
 	}
 	for _, rep := range file.Replace {
-		if _, err := h.Write([]byte(rep.Old.Path + rep.Old.Version + rep.New.Path + rep.New.Version)); err != nil {
+		if _, err := h.Write([]byte(rep.Old.Path + "\x00" + rep.Old.Version + "\x00" + rep.New.Path + "\x00" + rep.New.Version)); err != nil {
 			return "", err
 		}
 	}
 	return hex.EncodeToString(h.Sum(nil)), nil
 }
 
+func getModFileHashes(uri protocol.DocumentURI) (contentHash string, pathHash [32]byte, err error) {
+	content, err := os.ReadFile(uri.Path())
+	if err != nil {
+		return "", [32]byte{}, err
+	}
+	newModFile, err := modfile.Parse("go.mod", content, nil)
+	if err != nil {
+		return "", [32]byte{}, err
+	}
+	contentHash, err = computeGoModHash(newModFile)
+	if err != nil {
+		return "", [32]byte{}, err
+	}
+	pathHash = sha256.Sum256([]byte(uri.Path()))
+	return contentHash, pathHash, nil
+}
+
 func (s *server) checkGoModDeps(ctx context.Context, uri protocol.DocumentURI) {
 	if s.Options().Vulncheck != settings.ModeVulncheckPrompt {
 		return
 	}
 	ctx, done := event.Start(ctx, "server.CheckGoModDeps")
 	defer done()
 
-	var (
-		newHash, oldHash string
-		pathHash         [32]byte
-	)
-	{
-		newContent, err := os.ReadFile(uri.Path())
-		if err != nil {
-			event.Error(ctx, "reading new go.mod content failed", err)
-			return
-		}
-		newModFile, err := modfile.Parse("go.mod", newContent, nil)
-		if err != nil {
-			event.Error(ctx, "parsing new go.mod failed", err)
-			return
-		}
-		hash, err := computeGoModHash(newModFile)
-		if err != nil {
-			event.Error(ctx, "computing new go.mod hash failed", err)
-			return
-		}
-		newHash = hash
+	newHash, pathHash, err := getModFileHashes(uri)
+	if err != nil {
+		event.Error(ctx, "getting go.mod hashes failed", err)
+		return
+	}
 
-		pathHash = sha256.Sum256([]byte(uri.Path()))
-		oldHashBytes, err := filecache.Get(goModHashKind, pathHash)
-		if err != nil && err != filecache.ErrNotFound {
-			event.Error(ctx, "reading old go.mod hash from filecache failed", err)
-			return
-		}
-		oldHash = string(oldHashBytes)
+	oldHashBytes, err := filecache.Get(goModHashKind, pathHash)
+	if err != nil && err != filecache.ErrNotFound {
+		event.Error(ctx, "reading old go.mod hash from filecache failed", err)
+		return
 	}
+	oldHash := string(oldHashBytes)
+
 	if oldHash != newHash {
 		fileLink := fmt.Sprintf("[%s](%s)", uri.Path(), string(uri))
 		govulncheckLink := "[govulncheck](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck)"
@@ -153,22 +157,14 @@ func (s *server) handleVulncheck(ctx context.Context, uri protocol.DocumentURI)
 	workDoneWriter := progress.NewWorkDoneWriter(ctx, work)
 	result, err := s.runVulncheck(ctx, snapshot, uri, "./...", workDoneWriter)
 	if err != nil {
-		event.Error(ctx, "vulncheck failed", err)
+		event.Error(ctx, "govulncheck failed", err)
+		showMessage(ctx, s.client, protocol.Error, fmt.Sprintf("govulncheck failed: %v", err))
 		return
 	}
 
-	affecting := make(map[string]struct{})
-	upgrades := make(map[string]string)
-	for _, f := range result.Findings {
-		if len(f.Trace) > 1 {
-			affecting[f.OSV] = struct{}{}
-			if f.FixedVersion != "" && f.Trace[0].Module != "stdlib" {
-				upgrades[f.Trace[0].Module] = f.FixedVersion
-			}
-		}
-	}
-
-	if len(affecting) == 0 {
+	affecting, stdLibVulns, modulesToUpgrade := computeModulesToUpgrade(result.Findings)
+	numStdLib := len(stdLibVulns)
+	if len(affecting) == 0 && numStdLib == 0 {
 		showMessage(ctx, s.client, protocol.Info, "No vulnerabilities found.")
 		return
 	}
@@ -177,7 +173,7 @@ func (s *server) handleVulncheck(ctx context.Context, uri protocol.DocumentURI)
 	sort.Strings(affectingOSVs)
 
 	var b strings.Builder
-	fmt.Fprintf(&b, "Found %d vulnerabilities affecting your dependencies:\n\n", len(affectingOSVs))
+	fmt.Fprintf(&b, "Found %d actionable vulnerabilities and %d standard library vulnerabilities affecting your dependencies:\n\n", len(affectingOSVs), numStdLib)
 
 	for i, id := range affectingOSVs {
 		if i >= maxVulnsToShow {
@@ -197,16 +193,132 @@ func (s *server) handleVulncheck(ctx context.Context, uri protocol.DocumentURI)
 		fmt.Fprintf(&b, "\n\n...and %d more.", len(affectingOSVs)-maxVulnsToShow)
 	}
 
-	action, err := showMessageRequest(ctx, s.client, protocol.Warning, b.String(), "Upgrade All", "Ignore")
+	if numStdLib > 0 {
+		if b.Len() > 0 {
+			b.WriteString("\n\n")
+		}
+		b.WriteString("Upgrading your Go version may address vulnerabilities in the standard library.")
+	}
+
+	actions := []string{"Ignore"}
+	if len(modulesToUpgrade) > 0 {
+		actions = append([]string{"Upgrade All"}, actions...)
+	}
+
+	action, err := showMessageRequest(ctx, s.client, protocol.Warning, b.String(), actions...)
 	if err != nil {
 		event.Error(ctx, "vulncheck remediation failed", err)
 		return
 	}
 
 	if action == "Upgrade All" {
-		// TODO: Add dependency upgrade functionality.
-		showMessage(ctx, s.client, protocol.Info, "Upgrading all modules... (not yet implemented)")
+		if err := s.upgradeModules(ctx, snapshot, uri, modulesToUpgrade); err != nil {
+			event.Error(ctx, "upgrading modules failed", err)
+		}
+	}
+}
+
+func computeModulesToUpgrade(findings []*govulncheck.Finding) (affecting map[string]bool, stdLibVulns map[string]bool, modulesToUpgrade map[string]string) {
+	affecting = make(map[string]bool)
+	stdLibVulns = make(map[string]bool)
+	modulesToUpgrade = make(map[string]string)
+
+	for _, f := range findings {
+		if len(f.Trace) == 0 {
+			continue
+		}
+		mod := f.Trace[0].Module
+		// An empty module path or "stdlib" indicates a standard library package.
+		// These vulnerabilities cannot be remediated via module upgrades and
+		// instead require updating the Go toolchain.
+		if mod == "stdlib" || mod == "" {
+			stdLibVulns[f.OSV] = true
+		} else {
+			affecting[f.OSV] = true
+			if f.FixedVersion != "" {
+				current, ok := modulesToUpgrade[mod]
+				if !ok || current == "latest" || semver.Compare(f.FixedVersion, current) > 0 {
+					modulesToUpgrade[mod] = f.FixedVersion
+				}
+			} else if _, ok := modulesToUpgrade[mod]; !ok {
+				modulesToUpgrade[mod] = "latest"
+			}
+		}
+	}
+	return affecting, stdLibVulns, modulesToUpgrade
+}
+
+func (s *server) upgradeModules(ctx context.Context, snapshot *cache.Snapshot, uri protocol.DocumentURI, modulesToUpgrade map[string]string) error {
+	if err := s.runGoGet(ctx, snapshot, uri, modulesToUpgrade); err != nil {
+		return err
+	}
+	if err := s.runGoModTidy(ctx, snapshot, uri); err != nil {
+		return err
+	}
+
+	var (
+		upgradedStrs []string
+		upgrades     []string
+	)
+	for module, version := range modulesToUpgrade {
+		upgrades = append(upgrades, module+"@"+version)
+		upgradedStrs = append(upgradedStrs, fmt.Sprintf("%s to %s", module, version))
+	}
+	sort.Strings(upgradedStrs)
+
+	msg := fmt.Sprintf("Successfully upgraded vulnerable modules:\n %s", strings.Join(upgradedStrs, ",\n "))
+	showMessage(ctx, s.client, protocol.Info, msg)
+	if hash, pathHash, err := getModFileHashes(uri); err == nil {
+		if err := filecache.Set(goModHashKind, pathHash, []byte(hash)); err != nil {
+			event.Error(ctx, "failed to update go.mod hash after upgrade", err)
+		}
+	} else {
+		event.Error(ctx, "failed to get go.mod hash after upgrade", err)
+	}
+	return nil
+}
+
+func (s *server) runGoGet(ctx context.Context, snapshot *cache.Snapshot, uri protocol.DocumentURI, modulesToUpgrade map[string]string) error {
+	work := s.progress.Start(ctx, "Upgrading Modules", "Running go get...", nil, nil)
+	defer work.End(ctx, "Done.")
+
+	var upgrades []string
+	for module, version := range modulesToUpgrade {
+		upgrades = append(upgrades, module+"@"+version)
+	}
+
+	if err := runGoCommand(ctx, snapshot, uri, "get", upgrades); err != nil {
+		msg := fmt.Sprintf("Failed to upgrade modules: %v", err)
+		showMessage(ctx, s.client, protocol.Error, msg)
+		return err
+	}
+	return nil
+}
+
+func (s *server) runGoModTidy(ctx context.Context, snapshot *cache.Snapshot, uri protocol.DocumentURI) error {
+	work := s.progress.Start(ctx, "Upgrading Modules", "Running go mod tidy...", nil, nil)
+	defer work.End(ctx, "Done.")
+
+	if err := runGoCommand(ctx, snapshot, uri, "mod", []string{"tidy"}); err != nil {
+		event.Error(ctx, "go mod tidy failed", err)
+		showMessage(ctx, s.client, protocol.Error, fmt.Sprintf("go mod tidy failed: %v", err))
+		return err
+	}
+	return nil
+}
+
+func runGoCommand(ctx context.Context, snapshot *cache.Snapshot, uri protocol.DocumentURI, verb string, args []string) error {
+	dir := uri.DirPath()
+	inv, cleanup, err := snapshot.GoCommandInvocation(cache.NetworkOK, dir, verb, args)
+	if err != nil {
+		return err
+	}
+	defer cleanup()
+	var stdout, stderr bytes.Buffer
+	if err := snapshot.View().GoCommandRunner().RunPiped(ctx, *inv, &stdout, &stderr); err != nil {
+		return fmt.Errorf("go %s %s failed: %v\n-- stdout --\n%s\n-- stderr --\n%s", verb, strings.Join(args, " "), err, stdout.String(), stderr.String())
 	}
+	return nil
 }
 
 type vulncheckConfig struct {
diff --git a/gopls/internal/server/vulncheck_prompt_test.go b/gopls/internal/server/vulncheck_prompt_test.go
@@ -45,8 +45,8 @@ func TestComputeGoModHash(t *testing.T) {
 			`,
 			want: func() string {
 				h := sha256.New()
-				h.Write([]byte("golang.org/x/toolsv0.1.0"))
-				h.Write([]byte("golang.org/x/vulnv0.2.0"))
+				h.Write([]byte("golang.org/x/tools\x00v0.1.0"))
+				h.Write([]byte("golang.org/x/vuln\x00v0.2.0"))
 				return hex.EncodeToString(h.Sum(nil))
 			}(),
 		},
@@ -60,7 +60,7 @@ func TestComputeGoModHash(t *testing.T) {
 			`,
 			want: func() string {
 				h := sha256.New()
-				h.Write([]byte("golang.org/x/toolsv0.1.0"))
+				h.Write([]byte("golang.org/x/tools\x00v0.1.0"))
 				return hex.EncodeToString(h.Sum(nil))
 			}(),
 		},
@@ -74,7 +74,7 @@ func TestComputeGoModHash(t *testing.T) {
 			`,
 			want: func() string {
 				h := sha256.New()
-				h.Write([]byte("golang.org/x/toolsv0.1.0golang.org/x/toolsv0.2.0"))
+				h.Write([]byte("golang.org/x/tools\x00v0.1.0\x00golang.org/x/tools\x00v0.2.0"))
 				return hex.EncodeToString(h.Sum(nil))
 			}(),
 		},
