patch: fixed vulnerabilities output for different languages

Author: Alex Holmberg

.gitignore

@@ -5,6 +5,7 @@ target/
 
 # These are backup files generated by rustfmt
 **/*.rs.bk
+.qoder
 
 # MSVC Windows builds of rustc generate these, which store debugging information
 *.pdb

src/analyzer/runtime/detection.rs

@@ -14,14 +14,11 @@ impl RuntimeDetectionEngine {
     }
 
     /// Get all available package managers in a project
-    pub fn get_all_package_managers(project_path: &Path) -> Vec<String> {
+    pub fn get_all_package_managers(project_path: &Path) -> Vec<super::javascript::PackageManager> {
         use super::javascript::RuntimeDetector;
 
         let js_detector = RuntimeDetector::new(project_path.to_path_buf());
         js_detector.detect_all_package_managers()
-            .into_iter()
-            .map(|pm| pm.as_str().to_string())
-            .collect()
     }
 
     /// Check if a project uses a specific runtime

src/analyzer/security_analyzer.rs

@@ -1551,7 +1551,7 @@ impl SecurityAnalyzer {
     }
 
     // Additional helper methods...
-    fn collect_source_files(&self, project_root: &Path, language: &str) -> Result<Vec<PathBuf>, SecurityError> {
+    fn collect_source_files(&self, _project_root: &Path, _language: &str) -> Result<Vec<PathBuf>, SecurityError> {
         // TODO: Implement source file collection based on language
         Ok(vec![])
     }
@@ -1874,7 +1874,7 @@ mod tests {
         config.skip_gitignored_files = false;
         config.downgrade_gitignored_severity = true;
 
-        let analyzer = SecurityAnalyzer::with_config(config).unwrap();
+        let _analyzer = SecurityAnalyzer::with_config(config).unwrap();
         // Additional test logic could be added here for downgrade behavior
     }
 
@@ -2027,7 +2027,7 @@ mod tests {
 
         for pattern in &legitimate_patterns {
             // These should either not match any secret pattern, or be filtered out by context detection
-            let matches_old_generic_pattern = pattern.to_lowercase().contains("secret") || 
+            let _matches_old_generic_pattern = pattern.to_lowercase().contains("secret") || 
                                             pattern.to_lowercase().contains("key");
 
             // Our new patterns should be more specific and not match env var access

src/analyzer/vulnerability/checkers/go.rs

@@ -1,24 +1,161 @@
 use std::path::Path;
-use log::info;
-
+use std::process::Command;
+use log::{info, warn};
 use crate::analyzer::dependency_parser::DependencyInfo;
-use super::{LanguageVulnerabilityChecker, VulnerableDependency, VulnerabilityError};
+use crate::analyzer::tool_management::ToolDetector;
+use crate::analyzer::vulnerability::{VulnerableDependency, VulnerabilityError, VulnerabilityInfo, VulnerabilitySeverity};
+use super::MutableLanguageVulnerabilityChecker;
 
-pub struct GoVulnerabilityChecker;
+pub struct GoVulnerabilityChecker {
+    tool_detector: ToolDetector,
+}
 
 impl GoVulnerabilityChecker {
     pub fn new() -> Self {
-        Self
+        Self {
+            tool_detector: ToolDetector::new(),
+        }
+    }
+    
+    fn execute_govulncheck(
+        &mut self,
+        project_path: &Path,
+        dependencies: &[DependencyInfo],
+    ) -> Result<Option<Vec<VulnerableDependency>>, VulnerabilityError> {
+        // Check if govulncheck is available
+        let govulncheck_status = self.tool_detector.detect_tool("govulncheck");
+        if !govulncheck_status.available {
+            warn!("govulncheck not found, skipping Go vulnerability check. Install with: go install golang.org/x/vuln/cmd/govulncheck@latest");
+            return Ok(None);
+        }
+        
+        info!("Executing govulncheck in {}", project_path.display());
+        
+        // Execute govulncheck -json
+        let output = Command::new("govulncheck")
+            .args(&["-json", "./..."])
+            .current_dir(project_path)
+            .output()
+            .map_err(|e| VulnerabilityError::CommandError(
+                format!("Failed to run govulncheck: {}", e)
+            ))?;
+        
+        // govulncheck returns 0 even when vulnerabilities are found
+        // Non-zero exit code indicates an actual error
+        if !output.status.success() && output.stdout.is_empty() {
+            return Err(VulnerabilityError::CommandError(
+                format!("govulncheck failed with exit code {}: {}", 
+                    output.status.code().unwrap_or(-1),
+                    String::from_utf8_lossy(&output.stderr))
+            ));
+        }
+        
+        if output.stdout.is_empty() {
+            return Ok(None);
+        }
+        
+        // Parse govulncheck output
+        self.parse_govulncheck_output(&output.stdout, dependencies)
+    }
+    
+    fn parse_govulncheck_output(
+        &self,
+        output: &[u8],
+        dependencies: &[DependencyInfo],
+    ) -> Result<Option<Vec<VulnerableDependency>>, VulnerabilityError> {
+        let mut vulnerable_deps: Vec<VulnerableDependency> = Vec::new();
+        
+        // Split output by lines and parse each JSON object
+        let output_str = String::from_utf8_lossy(output);
+        for line in output_str.lines() {
+            if line.trim().is_empty() {
+                continue;
+            }
+            
+            let audit_data: serde_json::Value = serde_json::from_str(line)
+                .map_err(|e| VulnerabilityError::ParseError(
+                    format!("Failed to parse govulncheck output line: {}", e)
+                ))?;
+            
+            // Govulncheck JSON structure parsing
+            if audit_data.get("finding").is_some() {
+                if let Some(finding) = audit_data.get("finding").and_then(|f| f.as_object()) {
+                    let package_name = finding.get("package").and_then(|p| p.as_str())
+                        .unwrap_or("").to_string();
+                    let module = finding.get("module").and_then(|m| m.as_str())
+                        .unwrap_or("").to_string();
+                    
+                    // Find matching dependency
+                    if let Some(dep) = dependencies.iter().find(|d| 
+                        d.name == package_name || d.name == module || 
+                        package_name.starts_with(&format!("{}/", d.name)) ||
+                        module.starts_with(&format!("{}/", d.name))) {
+                        
+                        let vuln_id = finding.get("osv").and_then(|o| o.as_str())
+                            .unwrap_or("unknown").to_string();
+                        let title = finding.get("summary").and_then(|s| s.as_str())
+                            .unwrap_or("Unknown vulnerability").to_string();
+                        let description = finding.get("details").and_then(|d| d.as_str())
+                            .unwrap_or("").to_string();
+                        let severity = VulnerabilitySeverity::Medium; // Govulncheck doesn't provide severity directly
+                        let fixed_version = finding.get("fixed_version").and_then(|v| v.as_str())
+                            .map(|s| s.to_string());
+                        
+                        let vuln_info = VulnerabilityInfo {
+                            id: vuln_id,
+                            vuln_type: "security".to_string(),  // Security vulnerability
+                            severity,
+                            title,
+                            description,
+                            cve: None, // Govulncheck uses OSV IDs
+                            ghsa: None, // Govulncheck uses OSV IDs
+                            affected_versions: "*".to_string(), // Govulncheck doesn't provide this directly
+                            patched_versions: fixed_version,
+                            published_date: None,
+                            references: Vec::new(), // Govulncheck doesn't provide references in this format
+                        };
+                        
+                        // Check if we already have this dependency
+                        if let Some(existing) = vulnerable_deps.iter_mut()
+                            .find(|vuln_dep| vuln_dep.name == dep.name)
+                        {
+                            // Avoid duplicate vulnerabilities
+                            if !existing.vulnerabilities.iter().any(|v| v.id == vuln_info.id) {
+                                existing.vulnerabilities.push(vuln_info);
+                            }
+                        } else {
+                            vulnerable_deps.push(VulnerableDependency {
+                                name: dep.name.clone(),
+                                version: dep.version.clone(),
+                                language: crate::analyzer::dependency_parser::Language::Go,
+                                vulnerabilities: vec![vuln_info],
+                            });
+                        }
+                    }
+                }
+            }
+        }
+        
+        if vulnerable_deps.is_empty() {
+            Ok(None)
+        } else {
+            Ok(Some(vulnerable_deps))
+        }
     }
 }
 
-impl LanguageVulnerabilityChecker for GoVulnerabilityChecker {
+impl MutableLanguageVulnerabilityChecker for GoVulnerabilityChecker {
     fn check_vulnerabilities(
-        &self,
-        _dependencies: &[DependencyInfo],
-        _project_path: &Path,
+        &mut self,
+        dependencies: &[DependencyInfo],
+        project_path: &Path,
     ) -> Result<Vec<VulnerableDependency>, VulnerabilityError> {
-        info!("Go vulnerability checking - implementation placeholder");
-        Ok(vec![])
+        info!("Checking Go dependencies");
+        
+        match self.execute_govulncheck(project_path, dependencies) {
+            Ok(Some(vulns)) => Ok(vulns),
+            Ok(None) => Ok(vec![]),
+            Err(e) => Err(e),
+        }
     }
 }