add vulncheck as a linter

.golangci.reference.yml

@@ -1944,6 +1944,9 @@ linters-settings:
       - T any
       - m map[string]int
 
+  vulncheck:
+    vuln-database: [https://vuln.go.dev]
+
   whitespace:
     # Enforces newlines (or comments) after every multi-line if statement.
     # Default: false
@@ -2159,6 +2162,7 @@ linters:
     - usestdlibvars
     - varcheck
     - varnamelen
+    - vulncheck
     - wastedassign
     - whitespace
     - wrapcheck
@@ -2272,6 +2276,7 @@ linters:
     - usestdlibvars
     - varcheck
     - varnamelen
+    - vulncheck
     - wastedassign
     - whitespace
     - wrapcheck

go.mod

@@ -113,7 +113,9 @@ require (
 	github.com/ykadowak/zerologlint v0.1.1
 	gitlab.com/bosi/decorder v0.2.3
 	go.tmz.dev/musttag v0.6.0
+	golang.org/x/net v0.9.0
 	golang.org/x/tools v0.8.0
+	golang.org/x/vuln v0.0.0-20220902211423-27dd78d2ca39
 	gopkg.in/yaml.v3 v3.0.1
 	honnef.co/go/tools v0.4.3
 	mvdan.cc/gofumpt v0.5.0
@@ -187,7 +189,7 @@ require (
 	golang.org/x/mod v0.10.0 // indirect
 	golang.org/x/sync v0.1.0 // indirect
 	golang.org/x/sys v0.7.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
+	golang.org/x/text v0.9.0 // indirect
 	google.golang.org/protobuf v1.28.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect

pkg/config/linters_settings.go

@@ -224,6 +224,7 @@ type LintersSettings struct {
 	Whitespace       WhitespaceSettings
 	Wrapcheck        WrapcheckSettings
 	WSL              WSLSettings
+	Vulncheck        VulncheckSettings
 
 	Custom map[string]CustomLinterSettings
 }
@@ -744,6 +745,10 @@ type VarnamelenSettings struct {
 	IgnoreDecls        []string `mapstructure:"ignore-decls"`
 }
 
+type VulncheckSettings struct {
+	VulnDatabase []string `mapstructure:"vuln-database"`
+}
+
 type WhitespaceSettings struct {
 	MultiIf   bool `mapstructure:"multi-if"`
 	MultiFunc bool `mapstructure:"multi-func"`

pkg/golinters/vulncheck.go

@@ -0,0 +1,106 @@
+package golinters
+
+import (
+	"fmt"
+	"strings"
+	"sync"
+
+	"golang.org/x/net/context"
+	"golang.org/x/tools/go/analysis"
+	"golang.org/x/vuln/client"
+	"golang.org/x/vuln/vulncheck"
+
+	"github.com/golangci/golangci-lint/pkg/config"
+	"github.com/golangci/golangci-lint/pkg/golinters/goanalysis"
+	"github.com/golangci/golangci-lint/pkg/lint/linter"
+	"github.com/golangci/golangci-lint/pkg/result"
+)
+
+const (
+	vulncheckName = "vulncheck"
+	vulncheckDoc  = "Package vulncheck detects uses of known vulnerabilities in Go programs."
+)
+
+func NewVulncheck(settings *config.VulncheckSettings) *goanalysis.Linter {
+	var mu sync.Mutex
+	var resIssues []goanalysis.Issue
+
+	analyzer := &analysis.Analyzer{
+		Name: vulncheckName,
+		Doc:  vulncheckDoc,
+		Run:  goanalysis.DummyRun,
+	}
+
+	return goanalysis.NewLinter(
+		"vulncheck",
+		"Package vulncheck detects uses of known vulnerabilities in Go programs.",
+		[]*analysis.Analyzer{analyzer},
+		nil,
+	).WithContextSetter(func(lintCtx *linter.Context) {
+		analyzer.Run = func(pass *analysis.Pass) (interface{}, error) {
+			issues, err := vulncheckRun(lintCtx, pass, settings)
+			if err != nil {
+				return nil, err
+			}
+
+			mu.Lock()
+			resIssues = append(resIssues, issues...)
+			mu.Unlock()
+
+			return nil, nil
+		}
+	}).WithIssuesReporter(func(*linter.Context) []goanalysis.Issue {
+		return resIssues
+	})
+}
+
+func vulncheckRun(lintCtx *linter.Context, pass *analysis.Pass, settings *config.VulncheckSettings) ([]goanalysis.Issue, error) {
+	dbs := []string{"https://vuln.go.dev"}
+	if len(settings.VulnDatabase) > 0 {
+		dbs = settings.VulnDatabase
+	}
+	dbClient, err := client.NewClient(dbs, client.Options{})
+	if err != nil {
+		return nil, err
+	}
+
+	vcfg := &vulncheck.Config{Client: dbClient, SourceGoVersion: lintCtx.Cfg.Run.Go}
+	vpkgs := vulncheck.Convert(lintCtx.Packages)
+	ctx := context.Background()
+
+	r, err := vulncheck.Source(ctx, vpkgs, vcfg)
+	if err != nil {
+		return nil, err
+	}
+
+	imports := vulncheck.ImportChains(r)
+	issues := make([]goanalysis.Issue, 0, len(r.Vulns))
+
+	for idx, vuln := range r.Vulns {
+		issues = append(issues, goanalysis.NewIssue(&result.Issue{
+			Text: writeVulnerability(idx, vuln.OSV.ID, vuln.OSV.Details, writeImports(imports[vuln])),
+		}, pass))
+	}
+
+	return issues, nil
+}
+
+func writeImports(imports []vulncheck.ImportChain) string {
+	var s strings.Builder
+	for _, i := range imports {
+		indent := 0
+		for _, pkg := range i {
+			s.WriteString(fmt.Sprintf("%s|_ %s", strings.Repeat(" ", indent), pkg.Name))
+		}
+	}
+
+	return s.String()
+}
+
+func writeVulnerability(idx int, id, details, imports string) string {
+	return fmt.Sprintf(`Vulnerability #%d: %s
+%s
+%s
+  More info: https://pkg.go.dev/vuln/%s
+`, idx, id, details, imports, id)
+}

pkg/lint/lintersdb/manager.go

@@ -178,6 +178,7 @@ func (m Manager) GetAllSupportedLinterConfigs() []*linter.Config {
 		whitespaceCfg       *config.WhitespaceSettings
 		wrapcheckCfg        *config.WrapcheckSettings
 		wslCfg              *config.WSLSettings
+		vulncheckCfg        *config.VulncheckSettings
 	)
 
 	if m.cfg != nil {
@@ -258,6 +259,7 @@ func (m Manager) GetAllSupportedLinterConfigs() []*linter.Config {
 		whitespaceCfg = &m.cfg.LintersSettings.Whitespace
 		wrapcheckCfg = &m.cfg.LintersSettings.Wrapcheck
 		wslCfg = &m.cfg.LintersSettings.WSL
+		vulncheckCfg = &m.cfg.LintersSettings.Vulncheck
 
 		if govetCfg != nil {
 			govetCfg.Go = m.cfg.Run.Go
@@ -897,6 +899,11 @@ func (m Manager) GetAllSupportedLinterConfigs() []*linter.Config {
 			WithPresets(linter.PresetBugs).
 			WithLoadForGoAnalysis().
 			WithURL("https://github.com/ykadowak/zerologlint"),
+
+		linter.NewConfig(golinters.NewVulncheck(vulncheckCfg)).
+			WithSince("v1.53.0").
+			WithPresets(linter.PresetModule).
+			WithURL("https://vuln.go.dev/"),
 	}
 
 	enabledByDefault := map[string]bool{

test/linters_test.go

@@ -32,6 +32,7 @@ func TestSourcesFromTestdataSubDir(t *testing.T) {
 		"loggercheck",
 		"ginkgolinter",
 		"zerologlint",
+		"vulncheck",
 	}
 
 	for _, dir := range subDirs {

test/testdata/vulncheck/go.mod

@@ -0,0 +1,5 @@
+module vulncheck
+
+go 1.19
+
+require golang.org/x/text v0.3.7

test/testdata/vulncheck/vulncheck.go

@@ -0,0 +1,13 @@
+//golangcitest:args -Evulncheck
+package vulncheck
+
+import (
+	"fmt"
+
+	"golang.org/x/text/language"
+)
+
+func ParseRegion() {
+	us := language.MustParseRegion("US")
+	fmt.Println(us)
+}