feat: Govulncheck source call analysis enricher #1555
base: main
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
Return error instead of logging a warning
…running system req
de49305 to ea5797d
enricher/enricher.go

    EnricherOrder = []string{
        "reachability/java",
        "vulnmatch/osvdev",
        "reachability/govcsource",
How do we order the enrichers in this list?
The govcsource enricher needs the output from the initial vulnerability match in osvdev, so it has to happen after vulnerability matching.
Can you add a comment with this reason? And does that mean we need to specify vulnmatch/osvdev as one of the required plugins?
You could also get vulns from our internal matcher plugin (plus, theoretically, detectors that might find specific vulns in Go binaries, though we don't have any atm), so I'd rather not specify vulnmatch/osvdev.
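To make the ordering rule from this thread explicit, here is an added Go example (not OSV-Scalibr's own code): each enricher declares the capabilities it requires and produces, and ValidateOrder checks that every requirement is met by some enricher earlier in the list, so govcsource only needs *a* vulnerability producer before it rather than vulnmatch/osvdev specifically. The capability model, the Specs registry and the vulnmatch/internal entry are assumptions.

```go
package main

import "fmt"

// Capability is a kind of data an enricher produces or consumes.
// This model is hypothetical; it is not the project's plugin API.
type Capability string

const (
	CapVulns        Capability = "vulnerabilities"
	CapReachability Capability = "reachability"
)

// Spec describes what an enricher needs from earlier enrichers and what it adds.
type Spec struct {
	Requires []Capability
	Produces []Capability
}

// Specs is a constructed registry. More than one plugin can produce
// vulnerabilities, which is why govcsource depends on the capability
// rather than on vulnmatch/osvdev by name.
var Specs = map[string]Spec{
	"reachability/java":       {Produces: []Capability{CapReachability}},
	"vulnmatch/osvdev":        {Produces: []Capability{CapVulns}},
	"vulnmatch/internal":      {Produces: []Capability{CapVulns}}, // hypothetical
	"reachability/govcsource": {Requires: []Capability{CapVulns}, Produces: []Capability{CapReachability}},
}

// ValidateOrder reports the first enricher whose required capability is not
// produced by any enricher that runs before it, or an unknown enricher name.
func ValidateOrder(order []string) error {
	available := map[Capability]bool{}
	for i, name := range order {
		spec, ok := Specs[name]
		if !ok {
			return fmt.Errorf("position %d: unknown enricher %q", i, name)
		}
		for _, req := range spec.Requires {
			if !available[req] {
				return fmt.Errorf("position %d: %q requires %q, but no earlier enricher produces it", i, name, req)
			}
		}
		for _, p := range spec.Produces {
			available[p] = true
		}
	}
	return nil
}

func main() {
	fmt.Println(ValidateOrder([]string{"reachability/java", "vulnmatch/osvdev", "reachability/govcsource"}))
}
```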
    // If there is symbol information, then analysis has been performed, and
    // code does not import the vulnerable package, so definitely not called
I feel this comment is a bit hard to understand - can you rephrase it?
Rephrased it, PTAL!
Fork of #1208