internal/scan: Improve "Informational" text output

Maceo Thompson · Maceo Thompson · commit 26305ce58712 · 2023-11-07T19:54:48.000Z
This change changes the text output to only include messages relating to vulnerabilities that actually appear. This means that if there is a package level vuln but no module level vulnerabilities, govulncheck will no longer say "There are also 0 vulnerabilities in modules that you import". Additionally, this change cleans up how the informational section actually builds the string, using strings.Builder and automatically wrapping text with handler.wrap() instead of manually wrapping the text. Change-Id: Ia933ee777d87004ec94918954619e916ec307dd7 Reviewed-on: https://go-review.googlesource.com/c/vuln/+/540315 Reviewed-by: Ian Cottrell <iancottrell@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
diff --git a/cmd/govulncheck/testdata/convert_text.ct b/cmd/govulncheck/testdata/convert_text.ct
@@ -28,9 +28,8 @@ Vulnerability #2: GO-2021-0113
 === Informational ===
 
 Found 1 vulnerability in packages that you import, but there are no
-call stacks leading to the use of this vulnerability. You may not
-need to take any action. There are also 0 vulnerabilities in modules
-that you require that are neither imported nor called.
+call stacks leading to the use of this vulnerability. You may not need
+to take any action.
 See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
 
 Vulnerability #1: GO-2021-0054
diff --git a/cmd/govulncheck/testdata/source_informational_text.ct b/cmd/govulncheck/testdata/source_informational_text.ct
@@ -6,9 +6,9 @@ Scanning your code and P packages across M dependent modules for known vulnerabi
 === Informational ===
 
 Found 1 vulnerability in packages that you import, but there are no
-call stacks leading to the use of this vulnerability. You may not
-need to take any action. There is also 1 vulnerability in modules
-that you require that is neither imported nor called.
+call stacks leading to the use of this vulnerability. There is also 1
+vulnerability in modules that you require that is neither imported nor
+called. You may not need to take any action.
 See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
 
 Vulnerability #1: GO-2022-0969
diff --git a/cmd/govulncheck/testdata/source_multientry_text.ct b/cmd/govulncheck/testdata/source_multientry_text.ct
@@ -18,10 +18,8 @@ Vulnerability #1: GO-2021-0113
 
 === Informational ===
 
-Found 0 vulnerabilities in packages that you import, but there are no
-call stacks leading to the use of these vulnerabilities. You may not
-need to take any action. There is also 1 vulnerability in modules
-that you require that is neither imported nor called.
+There is 1 vulnerability in modules that you require that is neither
+imported nor called. You may not need to take any action.
 See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
 
 Vulnerability #1: GO-2022-0969
@@ -64,10 +62,8 @@ Vulnerability #1: GO-2021-0113
 
 === Informational ===
 
-Found 0 vulnerabilities in packages that you import, but there are no
-call stacks leading to the use of these vulnerabilities. You may not
-need to take any action. There is also 1 vulnerability in modules
-that you require that is neither imported nor called.
+There is 1 vulnerability in modules that you require that is neither
+imported nor called. You may not need to take any action.
 See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
 
 Vulnerability #1: GO-2022-0969
diff --git a/cmd/govulncheck/testdata/source_replace_text.ct b/cmd/govulncheck/testdata/source_replace_text.ct
@@ -18,10 +18,8 @@ Vulnerability #1: GO-2021-0113
 
 === Informational ===
 
-Found 0 vulnerabilities in packages that you import, but there are no
-call stacks leading to the use of these vulnerabilities. You may not
-need to take any action. There are also 2 vulnerabilities in modules
-that you require that are neither imported nor called.
+There are 2 vulnerabilities in modules that you require that are
+neither imported nor called. You may not need to take any action.
 See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
 
 Vulnerability #1: GO-2022-0969
diff --git a/cmd/govulncheck/testdata/source_subdir_text.ct b/cmd/govulncheck/testdata/source_subdir_text.ct
@@ -17,10 +17,8 @@ Vulnerability #1: GO-2021-0113
 
 === Informational ===
 
-Found 0 vulnerabilities in packages that you import, but there are no
-call stacks leading to the use of these vulnerabilities. You may not
-need to take any action. There are also 4 vulnerabilities in modules
-that you require that are neither imported nor called.
+There are 4 vulnerabilities in modules that you require that are
+neither imported nor called. You may not need to take any action.
 See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
 
 Vulnerability #1: GO-2022-0969
@@ -85,10 +83,8 @@ Vulnerability #1: GO-2021-0113
 
 === Informational ===
 
-Found 0 vulnerabilities in packages that you import, but there are no
-call stacks leading to the use of these vulnerabilities. You may not
-need to take any action. There are also 4 vulnerabilities in modules
-that you require that are neither imported nor called.
+There are 4 vulnerabilities in modules that you require that are
+neither imported nor called. You may not need to take any action.
 See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
 
 Vulnerability #1: GO-2022-0969
diff --git a/cmd/govulncheck/testdata/source_vuln_text.ct b/cmd/govulncheck/testdata/source_vuln_text.ct
@@ -28,9 +28,9 @@ Vulnerability #2: GO-2021-0113
 === Informational ===
 
 Found 1 vulnerability in packages that you import, but there are no
-call stacks leading to the use of this vulnerability. You may not
-need to take any action. There are also 2 vulnerabilities in modules
-that you require that are neither imported nor called.
+call stacks leading to the use of this vulnerability. There are also 2
+vulnerabilities in modules that you require that are neither imported
+nor called. You may not need to take any action.
 See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
 
 Vulnerability #1: GO-2022-0969
@@ -100,9 +100,9 @@ Vulnerability #2: GO-2021-0113
 === Informational ===
 
 Found 1 vulnerability in packages that you import, but there are no
-call stacks leading to the use of this vulnerability. You may not
-need to take any action. There are also 2 vulnerabilities in modules
-that you require that are neither imported nor called.
+call stacks leading to the use of this vulnerability. There are also 2
+vulnerabilities in modules that you require that are neither imported
+nor called. You may not need to take any action.
 See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
 
 Vulnerability #1: GO-2022-0969
diff --git a/internal/scan/testdata/module-vuln.txt b/internal/scan/testdata/module-vuln.txt
@@ -1,9 +1,7 @@
 === Informational ===
 
-Found 0 vulnerabilities in packages that you import, but there are no
-call stacks leading to the use of these vulnerabilities. You may not
-need to take any action. There is also 1 vulnerability in modules
-that you require that is neither imported nor called.
+There is 1 vulnerability in modules that you require that is neither
+imported nor called. You may not need to take any action.
 See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
 
 Vulnerability #1: GO-0000-0001
diff --git a/internal/scan/testdata/multi-stack-modlevel.txt b/internal/scan/testdata/multi-stack-modlevel.txt
@@ -10,10 +10,8 @@ Vulnerability #1: GO-0000-0001
 
 === Informational ===
 
-Found 0 vulnerabilities in packages that you import, but there are no
-call stacks leading to the use of these vulnerabilities. You may not
-need to take any action. There is also 1 vulnerability in modules
-that you require that is neither imported nor called.
+There is 1 vulnerability in modules that you require that is neither
+imported nor called. You may not need to take any action.
 See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
 
 Vulnerability #1: GO-0000-0002
diff --git a/internal/scan/testdata/platform-all.txt b/internal/scan/testdata/platform-all.txt
@@ -1,9 +1,8 @@
 === Informational ===
 
 Found 1 vulnerability in packages that you import, but there are no
-call stacks leading to the use of this vulnerability. You may not
-need to take any action. There are also 0 vulnerabilities in modules
-that you require that are neither imported nor called.
+call stacks leading to the use of this vulnerability. You may not need
+to take any action.
 See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
 
 Vulnerability #1: All
diff --git a/internal/scan/testdata/platform-one-arch-only.txt b/internal/scan/testdata/platform-one-arch-only.txt
@@ -1,9 +1,8 @@
 === Informational ===
 
 Found 1 vulnerability in packages that you import, but there are no
-call stacks leading to the use of this vulnerability. You may not
-need to take any action. There are also 0 vulnerabilities in modules
-that you require that are neither imported nor called.
+call stacks leading to the use of this vulnerability. You may not need
+to take any action.
 See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
 
 Vulnerability #1: one-arch-only
diff --git a/internal/scan/testdata/platform-one-import.txt b/internal/scan/testdata/platform-one-import.txt
@@ -1,9 +1,8 @@
 === Informational ===
 
 Found 1 vulnerability in packages that you import, but there are no
-call stacks leading to the use of this vulnerability. You may not
-need to take any action. There are also 0 vulnerabilities in modules
-that you require that are neither imported nor called.
+call stacks leading to the use of this vulnerability. You may not need
+to take any action.
 See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
 
 Vulnerability #1: one-import
diff --git a/internal/scan/testdata/platform-two-imports.txt b/internal/scan/testdata/platform-two-imports.txt
@@ -1,9 +1,8 @@
 === Informational ===
 
 Found 1 vulnerability in packages that you import, but there are no
-call stacks leading to the use of this vulnerability. You may not
-need to take any action. There are also 0 vulnerabilities in modules
-that you require that are neither imported nor called.
+call stacks leading to the use of this vulnerability. You may not need
+to take any action.
 See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
 
 Vulnerability #1: two-imports
diff --git a/internal/scan/testdata/platform-two-os-only.txt b/internal/scan/testdata/platform-two-os-only.txt
@@ -1,9 +1,8 @@
 === Informational ===
 
 Found 1 vulnerability in packages that you import, but there are no
-call stacks leading to the use of this vulnerability. You may not
-need to take any action. There are also 0 vulnerabilities in modules
-that you require that are neither imported nor called.
+call stacks leading to the use of this vulnerability. You may not need
+to take any action.
 See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
 
 Vulnerability #1: two-os-only
diff --git a/internal/scan/testdata/source.txt b/internal/scan/testdata/source.txt
@@ -10,10 +10,8 @@ Vulnerability #1: GO-0000-0001
 
 === Informational ===
 
-Found 0 vulnerabilities in packages that you import, but there are no
-call stacks leading to the use of these vulnerabilities. You may not
-need to take any action. There is also 1 vulnerability in modules
-that you require that is neither imported nor called.
+There is 1 vulnerability in modules that you require that is neither
+imported nor called. You may not need to take any action.
 See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
 
 Vulnerability #1: GO-0000-0002
diff --git a/internal/scan/testdata/source_traces.txt b/internal/scan/testdata/source_traces.txt
@@ -12,10 +12,8 @@ Vulnerability #1: GO-0000-0001
 
 === Informational ===
 
-Found 0 vulnerabilities in packages that you import, but there are no
-call stacks leading to the use of these vulnerabilities. You may not
-need to take any action. There is also 1 vulnerability in modules
-that you require that is neither imported nor called.
+There is 1 vulnerability in modules that you require that is neither
+imported nor called. You may not need to take any action.
 See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
 
 Vulnerability #1: GO-0000-0002
diff --git a/internal/scan/text.go b/internal/scan/text.go
@@ -150,17 +150,24 @@ func (h *TextHandler) byVulnerability(findings []*findingSummary) {
 	if onlyImported+onlyRequired == 0 {
 		return
 	}
-	h.style(sectionStyle, "=== Informational ===\n")
-	h.print("\nFound ", onlyImported)
-	h.print(choose(onlyImported == 1, ` vulnerability`, ` vulnerabilities`))
-	h.print(" in packages that you import, but there are no\ncall stacks leading to the use of ")
-	h.print(choose(onlyImported == 1, `this vulnerability`, `these vulnerabilities`))
-	h.print(". You may not\nneed to take any action. ")
-	h.print("There ", choose(onlyRequired == 1, `is`, `are`), " also ", onlyRequired)
-	h.print(choose(onlyRequired == 1, ` vulnerability`, ` vulnerabilities`))
-	h.print(" in modules\nthat you require that")
-	h.print(choose(onlyRequired == 1, ` is `, ` are `), "neither imported nor called.\n")
-	h.print("See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.\n\n")
+	h.style(sectionStyle, "=== Informational ===\n\n")
+	var informational strings.Builder
+	if onlyImported > 0 {
+		informational.WriteString("Found " + fmt.Sprint(onlyImported))
+		informational.WriteString(choose(onlyImported == 1, ` vulnerability`, ` vulnerabilities`))
+		informational.WriteString(" in packages that you import, but there are no call stacks leading to the use of ")
+		informational.WriteString(choose(onlyImported == 1, `this vulnerability.`, `these vulnerabilities.`))
+	}
+	if onlyRequired > 0 {
+		isare := choose(onlyRequired == 1, ` is `, ` are `)
+		informational.WriteString(" There" + isare + choose(onlyImported > 0, `also `, ``) + fmt.Sprint(onlyRequired))
+		informational.WriteString(choose(onlyRequired == 1, ` vulnerability `, ` vulnerabilities `))
+		informational.WriteString("in modules that you require that" + isare)
+		informational.WriteString("neither imported nor called.")
+	}
+	informational.WriteString(" You may not need to take any action.")
+	h.wrap("", informational.String(), 70)
+	h.print("\nSee https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.\n\n")
 	index := 0
 	for _, findings := range byVuln {
 		if !isCalled(findings) {
