fixes

pkg/scanner/govulncheck/govulncheck.go

@@ -0,0 +1,194 @@
+package govulncheck
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"os/exec"
+	"strings"
+	"time"
+
+	"github.com/lukaszraczylo/gohoarder/pkg/config"
+	"github.com/lukaszraczylo/gohoarder/pkg/metadata"
+	"github.com/lukaszraczylo/gohoarder/pkg/uuid"
+	"github.com/rs/zerolog/log"
+)
+
+// ScannerName is the name of this scanner
+const ScannerName = "govulncheck"
+
+// Scanner implements the govulncheck vulnerability scanner for Go modules
+type Scanner struct {
+	config config.GovulncheckConfig
+}
+
+// New creates a new govulncheck scanner
+func New(cfg config.GovulncheckConfig) *Scanner {
+	return &Scanner{
+		config: cfg,
+	}
+}
+
+// Name returns the scanner name
+func (s *Scanner) Name() string {
+	return ScannerName
+}
+
+// Scan scans a Go module using govulncheck
+func (s *Scanner) Scan(ctx context.Context, registry, packageName, version string, filePath string) (*metadata.ScanResult, error) {
+	// Only scan Go packages
+	if registry != "go" {
+		return &metadata.ScanResult{
+			ID:                 uuid.New().String(),
+			Registry:           registry,
+			PackageName:        packageName,
+			PackageVersion:     version,
+			Scanner:            ScannerName,
+			ScannedAt:          time.Now(),
+			Status:             metadata.ScanStatusClean,
+			VulnerabilityCount: 0,
+			Vulnerabilities:    []metadata.Vulnerability{},
+			Details: map[string]interface{}{
+				"skipped": "govulncheck only supports Go modules",
+			},
+		}, nil
+	}
+
+	log.Info().
+		Str("scanner", ScannerName).
+		Str("package", packageName).
+		Str("version", version).
+		Msg("Starting govulncheck scan")
+
+	// Create a temporary directory for extraction
+	tmpDir, err := os.MkdirTemp("", "govulncheck-*")
+	if err != nil {
+		return nil, fmt.Errorf("failed to create temp dir: %w", err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	// Extract the .zip file
+	if err := s.extractZip(filePath, tmpDir); err != nil {
+		return nil, fmt.Errorf("failed to extract zip: %w", err)
+	}
+
+	// Run govulncheck
+	cmd := exec.CommandContext(ctx, "govulncheck", "-json", "-mode=binary", tmpDir)
+	output, err := cmd.CombinedOutput()
+
+	// govulncheck returns non-zero when vulnerabilities are found
+	// Parse output regardless of error
+	var vulns []GovulncheckVuln
+	if len(output) > 0 {
+		// Parse line-delimited JSON
+		lines := strings.Split(string(output), "\n")
+		for _, line := range lines {
+			if strings.TrimSpace(line) == "" {
+				continue
+			}
+			var entry GovulncheckEntry
+			if err := json.Unmarshal([]byte(line), &entry); err != nil {
+				log.Warn().Err(err).Str("line", line).Msg("Failed to parse govulncheck line")
+				continue
+			}
+			if entry.Finding != nil && entry.Finding.OSV != "" {
+				vulns = append(vulns, GovulncheckVuln{
+					OSV:         entry.Finding.OSV,
+					FixedVersion: entry.Finding.FixedVersion,
+				})
+			}
+		}
+	}
+
+	// Convert to our format
+	result := s.convertResult(vulns, registry, packageName, version)
+
+	log.Info().
+		Str("scanner", ScannerName).
+		Str("package", packageName).
+		Int("vulnerabilities", result.VulnerabilityCount).
+		Msg("govulncheck scan completed")
+
+	return result, nil
+}
+
+// Health checks if govulncheck is available
+func (s *Scanner) Health(ctx context.Context) error {
+	cmd := exec.CommandContext(ctx, "govulncheck", "-version")
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("govulncheck not available: %w (install with: go install golang.org/x/vuln/cmd/govulncheck@latest)", err)
+	}
+	return nil
+}
+
+// extractZip extracts a zip file to destination
+func (s *Scanner) extractZip(zipPath, destDir string) error {
+	cmd := exec.Command("unzip", "-q", zipPath, "-d", destDir)
+	return cmd.Run()
+}
+
+// convertResult converts govulncheck findings to our ScanResult format
+func (s *Scanner) convertResult(vulns []GovulncheckVuln, registry, packageName, version string) *metadata.ScanResult {
+	vulnerabilities := make([]metadata.Vulnerability, 0)
+	severityCounts := make(map[string]int)
+	seen := make(map[string]bool)
+
+	for _, vuln := range vulns {
+		// Deduplicate by OSV ID
+		if seen[vuln.OSV] {
+			continue
+		}
+		seen[vuln.OSV] = true
+
+		// govulncheck doesn't provide severity in output
+		// Default to HIGH for found vulnerabilities
+		severity := metadata.NormalizeSeverity("HIGH")
+		severityCounts[severity]++
+
+		vulnerabilities = append(vulnerabilities, metadata.Vulnerability{
+			ID:          vuln.OSV,
+			Severity:    severity,
+			Title:       vuln.OSV,
+			Description: fmt.Sprintf("Vulnerability %s found by govulncheck", vuln.OSV),
+			References:  []string{fmt.Sprintf("https://pkg.go.dev/vuln/%s", vuln.OSV)},
+			FixedIn:     vuln.FixedVersion,
+		})
+	}
+
+	status := metadata.ScanStatusClean
+	if len(vulnerabilities) > 0 {
+		status = metadata.ScanStatusVulnerable
+	}
+
+	return &metadata.ScanResult{
+		ID:                 uuid.New().String(),
+		Registry:           registry,
+		PackageName:        packageName,
+		PackageVersion:     version,
+		Scanner:            ScannerName,
+		ScannedAt:          time.Now(),
+		Status:             status,
+		VulnerabilityCount: len(vulnerabilities),
+		Vulnerabilities:    vulnerabilities,
+		Details: map[string]interface{}{
+			"severity_counts": severityCounts,
+			"note":            "govulncheck provides reachability analysis for Go modules",
+		},
+	}
+}
+
+// GovulncheckEntry represents a single line of govulncheck JSON output
+type GovulncheckEntry struct {
+	Finding *GovulncheckFinding `json:"finding,omitempty"`
+}
+
+type GovulncheckFinding struct {
+	OSV          string `json:"osv"`
+	FixedVersion string `json:"fixed_version,omitempty"`
+}
+
+type GovulncheckVuln struct {
+	OSV          string
+	FixedVersion string
+}