internal/scan: change text based on scan level

Maceo Thompson · Maceo Thompson · commit 65a36416c4e2 · 2023-12-13T15:37:57.000Z
This change modifies the text output of govulncheck depending on the scan level - specifically omitting assumptions about callstack information when govulncheck never ran callstack analysis. Change-Id: Id3ba3a1c97edb6140f0f00d58d9ae76737fc0ce1 Reviewed-on: https://go-review.googlesource.com/c/vuln/+/545638 Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/internal/scan/testdata/module-vuln.txt b/internal/scan/testdata/module-vuln.txt
@@ -1,7 +1,7 @@
 === Informational ===
 
-There is 1 vulnerability in modules that you require that is neither
-imported nor called. You may not need to take any action.
+There is 1 vulnerability in modules that you require. Use -scan=symbol
+with govulncheck for more fine grained vulnerability detection.
 See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
 
 Vulnerability #1: GO-0000-0001
@@ -12,6 +12,5 @@ Vulnerability #1: GO-0000-0001
     Fixed in: golang.org/vmod@v0.1.3
     Platforms: amd
 
-No vulnerabilities found.
 
 Share feedback at https://go.dev/s/govulncheck-feedback.
diff --git a/internal/scan/testdata/multi-stack-modlevel.txt b/internal/scan/testdata/multi-stack-modlevel.txt
@@ -1,7 +1,8 @@
 === Informational ===
 
-There are 2 vulnerabilities in modules that you require that are
-neither imported nor called. You may not need to take any action.
+There are 2 vulnerabilities in modules that you require. Use
+-scan=symbol with govulncheck for more fine grained vulnerability
+detection.
 See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
 
 Vulnerability #1: GO-0000-0002
@@ -19,6 +20,5 @@ Vulnerability #2: GO-0000-0001
     Fixed in: golang.org/vmod@v0.1.3
     Platforms: amd
 
-No vulnerabilities found.
 
 Share feedback at https://go.dev/s/govulncheck-feedback.
diff --git a/internal/scan/text.go b/internal/scan/text.go
@@ -159,17 +159,32 @@ func (h *TextHandler) byVulnerability(findings []*findingSummary) {
 	if onlyImported > 0 {
 		informational.WriteString("Found " + fmt.Sprint(onlyImported))
 		informational.WriteString(choose(onlyImported == 1, ` vulnerability`, ` vulnerabilities`))
-		informational.WriteString(" in packages that you import, but there are no call stacks leading to the use of ")
-		informational.WriteString(choose(onlyImported == 1, `this vulnerability.`, `these vulnerabilities.`))
+		informational.WriteString(" in packages that you import")
+		if h.scanLevel.WantSymbols() {
+			informational.WriteString(", but there are no call stacks leading to the use of ")
+			informational.WriteString(choose(onlyImported == 1, `this vulnerability.`, `these vulnerabilities.`))
+		} else {
+			informational.WriteString(".")
+		}
 	}
 	if onlyRequired > 0 {
 		isare := choose(onlyRequired == 1, ` is `, ` are `)
 		informational.WriteString(" There" + isare + choose(onlyImported > 0, `also `, ``) + fmt.Sprint(onlyRequired))
 		informational.WriteString(choose(onlyRequired == 1, ` vulnerability `, ` vulnerabilities `))
-		informational.WriteString("in modules that you require that" + isare)
-		informational.WriteString("neither imported nor called.")
+		informational.WriteString("in modules that you require")
+		if h.scanLevel.WantSymbols() {
+			informational.WriteString(" that" + choose(h.scanLevel.WantSymbols(), isare, " may be "))
+			informational.WriteString("neither imported nor called.")
+		} else {
+			informational.WriteString(".")
+		}
+
+	}
+	if h.scanLevel.WantSymbols() {
+		informational.WriteString(" You may not need to take any action.")
+	} else {
+		informational.WriteString(" Use -scan=symbol with govulncheck for more fine grained vulnerability detection.")
 	}
-	informational.WriteString(" You may not need to take any action.")
 	h.wrap("", informational.String(), 70)
 	h.print("\nSee https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.\n\n")
 	index := 0
@@ -283,7 +298,7 @@ func (h *TextHandler) traces(traces []*findingSummary) {
 func (h *TextHandler) summary(findings []*findingSummary) {
 	counters := counters(findings)
 	if counters.VulnerabilitiesCalled == 0 {
-		h.print("No vulnerabilities found.\n")
+		h.print(choose(h.scanLevel.WantSymbols(), "No vulnerabilities found.\n", ""))
 		return
 	}
 	h.print(`Your code is affected by `)
