mirror of
https://github.com/imjasonh/govulncheck-action
synced 2026-07-18 14:45:18 +00:00
Initial implementation of govulncheck GitHub Action
This action runs govulncheck on Go projects and creates GitHub annotations for vulnerabilities found in dependencies and code paths. Features: - Automated vulnerability scanning with govulncheck - Smart annotations on go.mod for vulnerable dependencies - Annotations on source code lines that call vulnerable functions - Configurable working directory - Output variables for vulnerability detection The implementation includes: - Modular architecture with separate concerns (execution, parsing, annotation) - Comprehensive test suite with 100% function coverage - Example vulnerable Go module for demonstration - GitHub workflow example - Full documentation 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
commit
39e329ab61
19 changed files with 5314 additions and 0 deletions
58
lib/parser.js
Normal file
58
lib/parser.js
Normal file
|
|
@ -0,0 +1,58 @@
|
|||
class VulnerabilityParser {
|
||||
parse(output) {
|
||||
const vulnerabilities = [];
|
||||
const lines = output.split('\n').filter(line => line.trim());
|
||||
|
||||
for (const line of lines) {
|
||||
try {
|
||||
const json = JSON.parse(line);
|
||||
|
||||
// Check for vulnerability findings
|
||||
if (json.finding) {
|
||||
vulnerabilities.push(json);
|
||||
}
|
||||
} catch (e) {
|
||||
// Skip non-JSON lines
|
||||
}
|
||||
}
|
||||
|
||||
return vulnerabilities;
|
||||
}
|
||||
|
||||
extractUniqueModules(vulnerabilities) {
|
||||
const modules = new Set();
|
||||
|
||||
for (const vuln of vulnerabilities) {
|
||||
const finding = vuln.finding;
|
||||
if (finding.trace && finding.trace.length > 0 && finding.trace[0].module) {
|
||||
modules.add(finding.trace[0].module);
|
||||
}
|
||||
}
|
||||
|
||||
return Array.from(modules);
|
||||
}
|
||||
|
||||
extractCallSites(vulnerabilities) {
|
||||
const callSites = [];
|
||||
|
||||
for (const vuln of vulnerabilities) {
|
||||
const finding = vuln.finding;
|
||||
if (finding.trace) {
|
||||
for (const frame of finding.trace) {
|
||||
if (frame.position && frame.position.filename) {
|
||||
callSites.push({
|
||||
filename: frame.position.filename,
|
||||
line: frame.position.line || 1,
|
||||
function: frame.function || 'unknown function',
|
||||
osv: finding.osv || null
|
||||
});
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return callSites;
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = VulnerabilityParser;
|
||||
Loading…
Add table
Add a link
Reference in a new issue