internal/server: list vulnerabilities within vulncheck prompt

- List vulnerabilities and their CVE links in preparation for adding
  remediation functionality.
- Refactor command.go to generalize vulncheck scanning functionality.

Change-Id: I567f514eba2b7ed59ad3c4be23622f8e44fb9fa1
Reviewed-on: https://go-review.googlesource.com/c/tools/+/735740
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Hongxiang Jiang <hxjiang@golang.org>
Auto-Submit: Ethan Lee <ethanalee@google.com>

Author: ethanalee-work

gopls/internal/server/command.go

@@ -1246,28 +1246,13 @@ func (c *commandHandler) Vulncheck(ctx context.Context, args command.VulncheckAr
 		jsonrpc2.Async(ctx) // run this in parallel with other requests: vulncheck can be slow.
 
 		workDoneWriter := progress.NewWorkDoneWriter(ctx, deps.work)
-		dir := args.URI.DirPath()
-		pattern := args.Pattern
-
-		result, err := scan.RunGovulncheck(ctx, pattern, deps.snapshot, dir, workDoneWriter)
+		result, err := c.s.runVulncheck(ctx, deps.snapshot, args.URI, args.Pattern, workDoneWriter)
 		if err != nil {
 			return err
 		}
 		commandResult.Result = result
 		commandResult.Token = deps.work.Token()
 
-		snapshot, release, err := c.s.session.InvalidateView(ctx, deps.snapshot.View(), cache.StateChange{
-			Vulns: map[protocol.DocumentURI]*vulncheck.Result{args.URI: result},
-		})
-		if err != nil {
-			return err
-		}
-		defer release()
-
-		// Diagnosing with the background context ensures new snapshots are fully
-		// diagnosed.
-		c.s.diagnoseSnapshot(snapshot.BackgroundContext(), snapshot, nil, 0)
-
 		affecting := make(map[string]bool, len(result.Entries))
 		for _, finding := range result.Findings {
 			if len(finding.Trace) > 1 { // at least 2 frames if callstack exists (vulnerability, entry)
@@ -1285,7 +1270,6 @@ func (c *commandHandler) Vulncheck(ctx context.Context, args command.VulncheckAr
 		sort.Strings(affectingOSVs)
 
 		showMessage(ctx, c.s.client, protocol.Warning, fmt.Sprintf("Found %v", strings.Join(affectingOSVs, ", ")))
-
 		return nil
 	})
 	if err != nil {
@@ -1332,26 +1316,11 @@ func (c *commandHandler) RunGovulncheck(ctx context.Context, args command.Vulnch
 		tokenChan <- deps.work.Token()
 
 		workDoneWriter := progress.NewWorkDoneWriter(ctx, deps.work)
-		dir := filepath.Dir(args.URI.Path())
-		pattern := args.Pattern
-
-		result, err := scan.RunGovulncheck(ctx, pattern, deps.snapshot, dir, workDoneWriter)
+		result, err := c.s.runVulncheck(ctx, deps.snapshot, args.URI, args.Pattern, workDoneWriter)
 		if err != nil {
 			return err
 		}
 
-		snapshot, release, err := c.s.session.InvalidateView(ctx, deps.snapshot.View(), cache.StateChange{
-			Vulns: map[protocol.DocumentURI]*vulncheck.Result{args.URI: result},
-		})
-		if err != nil {
-			return err
-		}
-		defer release()
-
-		// Diagnosing with the background context ensures new snapshots are fully
-		// diagnosed.
-		c.s.diagnoseSnapshot(snapshot.BackgroundContext(), snapshot, nil, 0)
-
 		affecting := make(map[string]bool, len(result.Entries))
 		for _, finding := range result.Findings {
 			if len(finding.Trace) > 1 { // at least 2 frames if callstack exists (vulnerability, entry)
@@ -1369,7 +1338,6 @@ func (c *commandHandler) RunGovulncheck(ctx context.Context, args command.Vulnch
 		sort.Strings(affectingOSVs)
 
 		showMessage(ctx, c.s.client, protocol.Warning, fmt.Sprintf("Found %v", strings.Join(affectingOSVs, ", ")))
-
 		return nil
 	})
 	if err != nil {
@@ -1383,6 +1351,30 @@ func (c *commandHandler) RunGovulncheck(ctx context.Context, args command.Vulnch
 	}
 }
 
+// runVulncheck executes a vulnerability scan and updates the server's state.
+func (s *server) runVulncheck(ctx context.Context, snapshot *cache.Snapshot, uri protocol.DocumentURI, pattern string, out io.Writer) (*vulncheck.Result, error) {
+	dir := uri.DirPath()
+	result, err := scan.RunGovulncheck(ctx, pattern, snapshot, dir, out)
+	if err != nil {
+		return nil, err
+	}
+
+	// Invalidate the view to store findings in the vulnerability cache.
+	newSnapshot, release, err := s.session.InvalidateView(ctx, snapshot.View(), cache.StateChange{
+		Vulns: map[protocol.DocumentURI]*vulncheck.Result{uri: result},
+	})
+	if err != nil {
+		return nil, err
+	}
+	defer release()
+
+	// Diagnosing with the background context ensures new snapshots are fully
+	// diagnosed.
+	s.diagnoseSnapshot(newSnapshot.BackgroundContext(), newSnapshot, nil, 0)
+
+	return result, nil
+}
+
 // MemStats implements the MemStats command. It returns an error as a
 // future-proof API, but the resulting error is currently always nil.
 func (c *commandHandler) MemStats(ctx context.Context) (command.MemStatsResult, error) {

gopls/internal/server/vulncheck_prompt.go

@@ -10,20 +10,26 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
+	"maps"
 	"os"
 	"path/filepath"
+	"slices"
+	"sort"
+	"strings"
 
 	"golang.org/x/mod/modfile"
 	"golang.org/x/tools/gopls/internal/filecache"
+	"golang.org/x/tools/gopls/internal/progress"
 	"golang.org/x/tools/gopls/internal/protocol"
-	"golang.org/x/tools/gopls/internal/protocol/command"
 	"golang.org/x/tools/gopls/internal/settings"
 	"golang.org/x/tools/internal/event"
+	"golang.org/x/tools/internal/xcontext"
 )
 
 const (
 	// goModHashKind is the kind for the go.mod hash in the filecache.
-	goModHashKind = "gomodhash"
+	goModHashKind  = "gomodhash"
+	maxVulnsToShow = 10
 )
 
 // computeGoModHash computes the SHA256 hash of the go.mod file's dependencies.
@@ -95,17 +101,10 @@ func (s *server) checkGoModDeps(ctx context.Context, uri protocol.DocumentURI) {
 		if err != nil {
 			event.Error(ctx, "reading vulncheck preference failed", err)
 		}
-		args := command.VulncheckArgs{
-			URI:     uri,
-			Pattern: "./...",
-		}
-		cmd := command.NewRunGovulncheckCommand("Run govulncheck", args)
 
 		switch action {
 		case "Always":
-			if _, err := s.executeCommand(ctx, cmd); err != nil {
-				event.Error(ctx, "executing govulncheck command failed", err)
-			}
+			go s.handleVulncheck(ctx, uri)
 		case "Never":
 			return
 		case "":
@@ -125,9 +124,7 @@ func (s *server) checkGoModDeps(ctx context.Context, uri protocol.DocumentURI) {
 				}
 			}
 			if action == "Yes" || action == "Always" {
-				if _, err := s.executeCommand(ctx, cmd); err != nil {
-					event.Error(ctx, "executing govulncheck command failed", err)
-				}
+				go s.handleVulncheck(ctx, uri)
 			}
 			if action == "" {
 				// No user input gathered from prompt.
@@ -142,12 +139,74 @@ func (s *server) checkGoModDeps(ctx context.Context, uri protocol.DocumentURI) {
 	}
 }
 
-func (s *server) executeCommand(ctx context.Context, cmd *protocol.Command) (any, error) {
-	params := &protocol.ExecuteCommandParams{
-		Command:   cmd.Command,
-		Arguments: cmd.Arguments,
+func (s *server) handleVulncheck(ctx context.Context, uri protocol.DocumentURI) {
+	_, snapshot, release, err := s.session.FileOf(ctx, uri)
+	if err != nil {
+		event.Error(ctx, "getting file snapshot failed", err)
+		return
+	}
+	defer release()
+	ctx = xcontext.Detach(ctx)
+
+	work := s.progress.Start(ctx, GoVulncheckCommandTitle, "Running govulncheck...", nil, nil)
+	defer work.End(ctx, "Done.")
+	workDoneWriter := progress.NewWorkDoneWriter(ctx, work)
+	result, err := s.runVulncheck(ctx, snapshot, uri, "./...", workDoneWriter)
+	if err != nil {
+		event.Error(ctx, "vulncheck failed", err)
+		return
+	}
+
+	affecting := make(map[string]struct{})
+	upgrades := make(map[string]string)
+	for _, f := range result.Findings {
+		if len(f.Trace) > 1 {
+			affecting[f.OSV] = struct{}{}
+			if f.FixedVersion != "" && f.Trace[0].Module != "stdlib" {
+				upgrades[f.Trace[0].Module] = f.FixedVersion
+			}
+		}
+	}
+
+	if len(affecting) == 0 {
+		showMessage(ctx, s.client, protocol.Info, "No vulnerabilities found.")
+		return
+	}
+
+	affectingOSVs := slices.Sorted(maps.Keys(affecting))
+	sort.Strings(affectingOSVs)
+
+	var b strings.Builder
+	fmt.Fprintf(&b, "Found %d vulnerabilities affecting your dependencies:\n\n", len(affectingOSVs))
+
+	for i, id := range affectingOSVs {
+		if i >= maxVulnsToShow {
+			break
+		}
+		cveURL := fmt.Sprintf("https://pkg.go.dev/vuln/%s", id)
+		if s.Options().LinkifyShowMessage {
+			fmt.Fprintf(&b, "Vulnerability #%d: [%s](%s)", i+1, id, cveURL)
+		} else {
+			fmt.Fprintf(&b, "Vulnerability #%d: %s (%s)", i+1, id, cveURL)
+		}
+		if i < len(affectingOSVs)-1 && i < maxVulnsToShow-1 {
+			b.WriteString(", ")
+		}
+	}
+	if len(affectingOSVs) > maxVulnsToShow {
+		fmt.Fprintf(&b, "\n\n...and %d more.", len(affectingOSVs)-maxVulnsToShow)
+	}
+
+	action, err := showMessageRequest(ctx, s.client, protocol.Warning, b.String(), "Upgrade All", "Ignore")
+	if err != nil {
+		event.Error(ctx, "vulncheck remediation failed", err)
+		return
+	}
+
+	if action == "Upgrade All" {
+		// TODO: Add dependency upgrade functionality.
+		showMessage(ctx, s.client, protocol.Info, "Upgrading all modules... (not yet implemented)")
 	}
-	return s.ExecuteCommand(ctx, params)
 }
 
 type vulncheckConfig struct {