├── .gitignore
├── pkg
├── categories
│ └── categories.go
├── modpath
│ ├── modpath.go
│ └── modpath_test.go
├── source
│ └── cncf
│ │ └── cncf.go
├── netutil
│ ├── github
│ │ ├── github_test.go
│ │ └── github.go
│ └── netutil.go
├── analyzer
│ └── analyzer.go
└── cache
│ └── cache.go
├── .github
├── dependabot.yml
└── workflows
│ └── main.yml
├── cmd
└── gosocialcheck
│ ├── flagutil
│ └── flagutil.go
│ ├── envutil
│ └── envutil.go
│ ├── commands
│ ├── update
│ │ └── update.go
│ ├── lookup
│ │ └── lookup.go
│ └── run
│ │ └── run.go
│ ├── version
│ └── version.go
│ └── main.go
├── go.mod
├── go.sum
├── README.md
└── LICENSE
/.gitignore:
--------------------------------------------------------------------------------
1 | /_artifacts
2 | /_output
3 | /vendor
4 |
--------------------------------------------------------------------------------
/pkg/categories/categories.go:
--------------------------------------------------------------------------------
1 | package categories
2 |
3 | const (
4 | CNCFGraduated = "cncf.io::graduated"
5 | CNCFGraduatedSub = "cncf.io::graduated::sub"
6 | )
7 |
--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
1 | version: 2
2 | updates:
3 | - package-ecosystem: gomod
4 | directory: "/"
5 | schedule:
6 | interval: weekly
7 | open-pull-requests-limit: 10
8 | - package-ecosystem: github-actions
9 | directory: "/"
10 | schedule:
11 | interval: weekly
12 | open-pull-requests-limit: 10
13 |
--------------------------------------------------------------------------------
/.github/workflows/main.yml:
--------------------------------------------------------------------------------
1 | name: CI
2 | on:
3 | push:
4 | branches:
5 | - master
6 | - 'release/**'
7 | pull_request:
8 | jobs:
9 | main:
10 | env:
11 | GOTOOLCHAIN: local
12 | runs-on: ubuntu-24.04
13 | timeout-minutes: 10
14 | steps:
15 | - uses: actions/checkout@v6
16 | - uses: actions/setup-go@v6
17 | with:
18 | go-version: 1.24.x
19 | - run: go test -v ./...
20 | - run: go install ./cmd/gosocialcheck
21 |
--------------------------------------------------------------------------------
/cmd/gosocialcheck/flagutil/flagutil.go:
--------------------------------------------------------------------------------
1 | package flagutil
2 |
3 | import (
4 | "flag"
5 | "slices"
6 |
7 | "github.com/spf13/pflag"
8 | )
9 |
10 | func PFlagSetToGoFlagSet(pf *pflag.FlagSet, excludes []string) *flag.FlagSet {
11 | fs := flag.NewFlagSet(pf.Name(), flag.ContinueOnError)
12 | pf.VisitAll(func(f *pflag.Flag) {
13 | if slices.Contains(excludes, f.Name) {
14 | return
15 | }
16 | fs.Var(f.Value, f.Name, f.Usage)
17 | if g := fs.Lookup(f.Name); g != nil {
18 | g.DefValue = f.DefValue
19 | }
20 | })
21 | return fs
22 | }
23 |
--------------------------------------------------------------------------------
/cmd/gosocialcheck/envutil/envutil.go:
--------------------------------------------------------------------------------
1 | // Package envutil is from https://github.com/reproducible-containers/repro-get/blob/v0.4.0/pkg/envutil/envutil.go
2 | package envutil
3 |
4 | import (
5 | "fmt"
6 | "os"
7 | "strconv"
8 |
9 | "log/slog"
10 | )
11 |
12 | func Bool(envName string, defaultValue bool) bool {
13 | v, ok := os.LookupEnv(envName)
14 | if !ok {
15 | return defaultValue
16 | }
17 | b, err := strconv.ParseBool(v)
18 | if err != nil {
19 | slog.Warn(fmt.Sprintf("Failed to parse %q ($%s) as a boolean: %v", v, envName, err))
20 | return defaultValue
21 | }
22 | return b
23 | }
24 |
--------------------------------------------------------------------------------
/go.mod:
--------------------------------------------------------------------------------
1 | // FIXME: gomodjail support is currently broken
2 | // gomodjail:confined
3 | module github.com/AkihiroSuda/gosocialcheck
4 |
5 | go 1.24.0
6 |
7 | require (
8 | github.com/lmittmann/tint v1.1.2 // gomodjail:unconfined
9 | github.com/spf13/cobra v1.10.1 // gomodjail:unconfined
10 | github.com/spf13/pflag v1.0.10
11 | golang.org/x/mod v0.30.0
12 | golang.org/x/sync v0.18.0 // gomodjail:unconfined
13 | golang.org/x/tools v0.39.0 // gomodjail:unconfined
14 | gopkg.in/yaml.v3 v3.0.1
15 | gotest.tools/v3 v3.5.2
16 | )
17 |
18 | require (
19 | github.com/google/go-cmp v0.6.0 // indirect
20 | github.com/inconshreveable/mousetrap v1.1.0 // indirect
21 | )
22 |
--------------------------------------------------------------------------------
/pkg/modpath/modpath.go:
--------------------------------------------------------------------------------
1 | package modpath
2 |
3 | import (
4 | "fmt"
5 | "path/filepath"
6 | "regexp"
7 | "strings"
8 | )
9 |
10 | func DirFromFileAndMod(filePath, mod, modVer string) (string, error) {
11 | modPath := StripMajorVersion(mod)
12 | modOSPath := filepath.FromSlash(modPath)
13 | idx := strings.Index(filePath, modOSPath)
14 | if idx < 0 {
15 | return "", fmt.Errorf("module path %q not found in file path %q", modOSPath, filePath)
16 | }
17 | root := filePath[:idx+len(modOSPath)]
18 | if strings.Contains(filepath.ToSlash(root), "/pkg/mod/") && modVer != "" {
19 | root += "@" + modVer
20 | }
21 | return root, nil
22 | }
23 |
24 | func StripMajorVersion(pkg string) string {
25 | return regexp.MustCompile(`(/v[0-9]+)$`).ReplaceAllString(pkg, "")
26 | }
27 |
--------------------------------------------------------------------------------
/cmd/gosocialcheck/commands/update/update.go:
--------------------------------------------------------------------------------
1 | package update
2 |
3 | import (
4 | "context"
5 | "log/slog"
6 |
7 | "github.com/spf13/cobra"
8 |
9 | "github.com/AkihiroSuda/gosocialcheck/pkg/cache"
10 | )
11 |
12 | func New() *cobra.Command {
13 | cmd := &cobra.Command{
14 | Use: "update",
15 | Short: "Update the database",
16 | Args: cobra.NoArgs,
17 | RunE: action,
18 | DisableFlagsInUseLine: true,
19 | }
20 | return cmd
21 | }
22 |
23 | func action(cmd *cobra.Command, args []string) error {
24 | ctx := cmd.Context()
25 | onProgress := func(ctx context.Context, ev cache.ProgressEvent) {
26 | slog.InfoContext(ctx, "progress: "+ev.Message)
27 | }
28 | c, err := cache.New(cache.WithProgressEventHandler(onProgress))
29 | if err != nil {
30 | return err
31 | }
32 | return c.Update(ctx)
33 | }
34 |
--------------------------------------------------------------------------------
/pkg/source/cncf/cncf.go:
--------------------------------------------------------------------------------
1 | package cncf
2 |
3 | const ProjectsURL = "https://raw.githubusercontent.com/cncf/clomonitor/refs/heads/main/data/cncf.yaml"
4 |
5 | type Projects []Project
6 |
7 | type Project struct {
8 | Name string `yaml:"name,omitempty"`
9 | DisplayName string `yaml:"display_name,omitempty"`
10 | Description string `yaml:"description,omitempty"`
11 | Category string `yaml:"category,omitempty"`
12 | LogoURL string `yaml:"logo_url,omitempty"`
13 | DevstatsURL string `yaml:"devstats_url,omitempty"`
14 | AcceptedAt string `yaml:"accepted_at,omitempty"`
15 | Maturity string `yaml:"maturity,omitempty"`
16 | Repositories []Repository `yaml:"repositories,omitempty"`
17 | }
18 |
19 | type Repository struct {
20 | Name string `yaml:"name,omitempty"`
21 | URL string `yaml:"url,omitempty"`
22 | CheckSets []string `yaml:"check_sets,omitempty"`
23 | }
24 |
--------------------------------------------------------------------------------
/pkg/netutil/github/github_test.go:
--------------------------------------------------------------------------------
1 | package github
2 |
3 | import (
4 | "context"
5 | "testing"
6 |
7 | "gotest.tools/v3/assert"
8 | )
9 |
10 | func TestNewRepo(t *testing.T) {
11 | cases := []struct {
12 | url string
13 | expected *Repo
14 | }{
15 | {"https://github.com/containerd/nerdctl", &Repo{Owner: "containerd", Repo: "nerdctl"}},
16 | {"http://www.github.com/containerd/nerdctl.git", &Repo{Owner: "containerd", Repo: "nerdctl"}},
17 | }
18 | for _, tc := range cases {
19 | got, err := NewRepo(tc.url)
20 | if tc.expected != nil {
21 | assert.NilError(t, err)
22 | assert.DeepEqual(t, tc.expected, got)
23 | } else {
24 | assert.ErrorContains(t, err, "invalid")
25 | }
26 | }
27 | }
28 |
29 | func TestTags(t *testing.T) {
30 | ctx := context.TODO() // t.Context is too new
31 | repo, err := NewRepo("https://github.com/containerd/containerd")
32 | assert.NilError(t, err)
33 | tags, err := repo.Tags(ctx)
34 | assert.NilError(t, err)
35 | for _, tag := range tags {
36 | t.Logf("%s\t%s", tag.Name, tag.Commit.SHA)
37 | }
38 | }
39 |
--------------------------------------------------------------------------------
/cmd/gosocialcheck/commands/lookup/lookup.go:
--------------------------------------------------------------------------------
1 | package lookup
2 |
3 | import (
4 | "encoding/json"
5 |
6 | "github.com/spf13/cobra"
7 |
8 | "github.com/AkihiroSuda/gosocialcheck/pkg/cache"
9 | )
10 |
11 | func New() *cobra.Command {
12 | cmd := &cobra.Command{
13 | Use: "lookup",
14 | Short: "[DEBUG] Lookup the database by h1 sum",
15 | Args: cobra.ExactArgs(1),
16 | RunE: action,
17 | DisableFlagsInUseLine: true,
18 | }
19 | return cmd
20 | }
21 |
22 | func action(cmd *cobra.Command, args []string) error {
23 | ctx := cmd.Context()
24 | sum := args[0]
25 | c, err := cache.New()
26 | if err != nil {
27 | return err
28 | }
29 | if _, err = c.LastUpdated(); err != nil {
30 | return err
31 | }
32 | enc := json.NewEncoder(cmd.OutOrStdout())
33 | enc.SetEscapeHTML(false)
34 | res, lookupErr := c.Lookup(ctx, sum)
35 | // res may contain partial contents even on err
36 | for _, f := range res {
37 | if err = enc.Encode(f); err != nil {
38 | return err
39 | }
40 | }
41 | return lookupErr
42 | }
43 |
--------------------------------------------------------------------------------
/cmd/gosocialcheck/version/version.go:
--------------------------------------------------------------------------------
1 | package version
2 |
3 | import (
4 | "runtime/debug"
5 | "strconv"
6 | )
7 |
8 | // Version can be fulfilled on compilation time: -ldflags="-X github.com/AkihiroSuda/gosocialcheck/cmd/gosocialcheck/version.Version=v0.1.2"
9 | var Version string
10 |
11 | func GetVersion() string {
12 | if Version != "" {
13 | return Version
14 | }
15 | const unknown = "(unknown)"
16 | bi, ok := debug.ReadBuildInfo()
17 | if !ok {
18 | return unknown
19 | }
20 |
21 | /*
22 | * go install example.com/cmd/foo@vX.Y.Z: bi.Main.Version="vX.Y.Z", vcs.revision is unset
23 | * go install example.com/cmd/foo@latest: bi.Main.Version="vX.Y.Z", vcs.revision is unset
24 | * go install example.com/cmd/foo@master: bi.Main.Version="vX.Y.Z-N.yyyyMMddhhmmss-gggggggggggg", vcs.revision is unset
25 | * go install ./cmd/foo: bi.Main.Version="(devel)", vcs.revision="gggggggggggggggggggggggggggggggggggggggg"
26 | * vcs.time="yyyy-MM-ddThh:mm:ssZ", vcs.modified=("false"|"true")
27 | */
28 | if bi.Main.Version != "" && bi.Main.Version != "(devel)" {
29 | return bi.Main.Version
30 | }
31 | var (
32 | vcsRevision string
33 | vcsModified bool
34 | )
35 | for _, f := range bi.Settings {
36 | switch f.Key {
37 | case "vcs.revision":
38 | vcsRevision = f.Value
39 | case "vcs.modified":
40 | vcsModified, _ = strconv.ParseBool(f.Value)
41 | }
42 | }
43 | if vcsRevision == "" {
44 | return unknown
45 | }
46 | v := vcsRevision
47 | if vcsModified {
48 | v += ".m"
49 | }
50 | return v
51 | }
52 |
--------------------------------------------------------------------------------
/cmd/gosocialcheck/commands/run/run.go:
--------------------------------------------------------------------------------
1 | package run
2 |
3 | import (
4 | "os"
5 |
6 | "github.com/spf13/cobra"
7 | "golang.org/x/tools/go/analysis/singlechecker"
8 |
9 | "github.com/AkihiroSuda/gosocialcheck/cmd/gosocialcheck/flagutil"
10 | "github.com/AkihiroSuda/gosocialcheck/pkg/analyzer"
11 | "github.com/AkihiroSuda/gosocialcheck/pkg/cache"
12 | )
13 |
14 | func New() *cobra.Command {
15 | cmd := &cobra.Command{
16 | Use: "run",
17 | Short: "Run the analyzer",
18 | RunE: action,
19 | DisableFlagsInUseLine: true,
20 | }
21 | return cmd
22 | }
23 |
24 | func action(cmd *cobra.Command, args []string) error {
25 | // Rewrite the global os.Args, as a workaround for:
26 | // - https://github.com/AkihiroSuda/gosocialcheck/issues/1
27 | // - https://github.com/golang/go/issues/73875
28 | //
29 | // golang.org/x/tools/go/analysis/singlechecker parses the global args
30 | // rather than flag.FlagSet.Args, and raises an error:
31 | // `-: package run is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/run`
32 | os.Args = append([]string{"gosocialcheck-run"}, args...)
33 |
34 | ctx := cmd.Context()
35 | c, err := cache.New()
36 | if err != nil {
37 | return err
38 | }
39 | if _, err = c.LastUpdated(); err != nil {
40 | return err
41 | }
42 | flags := cmd.Flags()
43 | goflags := flagutil.PFlagSetToGoFlagSet(flags, []string{"debug"})
44 | if err := goflags.Parse(args); err != nil {
45 | return err
46 | }
47 | opts := analyzer.Opts{
48 | Flags: *goflags,
49 | Cache: c,
50 | }
51 | a, err := analyzer.New(ctx, opts)
52 | if err != nil {
53 | return err
54 | }
55 | singlechecker.Main(a)
56 | // NOTREACHED
57 | return nil
58 | }
59 |
--------------------------------------------------------------------------------
/pkg/netutil/github/github.go:
--------------------------------------------------------------------------------
1 | package github
2 |
3 | import (
4 | "context"
5 | "encoding/json"
6 | "fmt"
7 | "path"
8 | "regexp"
9 |
10 | "github.com/AkihiroSuda/gosocialcheck/pkg/netutil"
11 | )
12 |
13 | func NewRepo(urlStr string) (*Repo, error) {
14 | pattern := regexp.MustCompile(`^https?://(?:www\.)?github\.com/([^/]+)/([^/]+?)(?:\.git)?(?:/.*)?$`)
15 | matches := pattern.FindStringSubmatch(urlStr)
16 | if len(matches) != 3 {
17 | return nil, fmt.Errorf("invalid GitHub repo URL: %q", urlStr)
18 | }
19 | repo := &Repo{
20 | Owner: matches[1],
21 | Repo: matches[2],
22 | }
23 | return repo, nil
24 | }
25 |
26 | type Repo struct {
27 | Owner string `json:"owner"`
28 | Repo string `json:"repo"`
29 | }
30 |
31 | type Tag struct {
32 | Name string `json:"name"`
33 | ZipballURL string `json:"zipball_url,omitempty"`
34 | TarballURL string `json:"tarball_url,omitempty"`
35 | Commit struct {
36 | SHA string `json:"sha"`
37 | URL string `json:"url,omitempty"`
38 | } `json:"commit"`
39 | NodeID string `json:"node_id,omitempty"`
40 | }
41 |
42 | func (t *Tag) Compact() Tag {
43 | n := *t
44 | n.ZipballURL = ""
45 | n.TarballURL = ""
46 | n.Commit.URL = ""
47 | n.NodeID = ""
48 | return n
49 | }
50 |
51 | // Tags returns 30 tags at most.
52 | func (r *Repo) Tags(ctx context.Context, o ...netutil.HTTPOpt) ([]Tag, error) {
53 | urlStr := fmt.Sprintf("https://api.github.com/repos/%s/%s/tags", r.Owner, r.Repo)
54 | b, err := netutil.Get(ctx, urlStr, o...)
55 | if err != nil {
56 | return nil, err
57 | }
58 | var tags []Tag
59 | if err = json.Unmarshal(b, &tags); err != nil {
60 | return nil, err
61 | }
62 | return tags, nil
63 | }
64 |
65 | func (r *Repo) ContentURL(commit, p string) string {
66 | return fmt.Sprintf("https://raw.githubusercontent.com/%s/%s/%s/%s",
67 | r.Owner, r.Repo, path.Clean(commit), path.Clean(p))
68 | }
69 |
--------------------------------------------------------------------------------
/cmd/gosocialcheck/main.go:
--------------------------------------------------------------------------------
1 | package main
2 |
3 | import (
4 | "log/slog"
5 | "os"
6 | "time"
7 |
8 | "github.com/lmittmann/tint"
9 | "github.com/spf13/cobra"
10 |
11 | "github.com/AkihiroSuda/gosocialcheck/cmd/gosocialcheck/commands/lookup"
12 | "github.com/AkihiroSuda/gosocialcheck/cmd/gosocialcheck/commands/run"
13 | "github.com/AkihiroSuda/gosocialcheck/cmd/gosocialcheck/commands/update"
14 | "github.com/AkihiroSuda/gosocialcheck/cmd/gosocialcheck/envutil"
15 | "github.com/AkihiroSuda/gosocialcheck/cmd/gosocialcheck/version"
16 | )
17 |
18 | var logLevel = new(slog.LevelVar)
19 |
20 | func main() {
21 | logHandler := tint.NewHandler(os.Stderr, &tint.Options{
22 | Level: logLevel,
23 | TimeFormat: time.Kitchen,
24 | })
25 | slog.SetDefault(slog.New(logHandler))
26 | cmd := newRootCommand()
27 | if err := cmd.Execute(); err != nil {
28 | slog.Error("exiting with an error: " + err.Error())
29 | os.Exit(1)
30 | }
31 | }
32 |
33 | const example = `
34 | # Set the token if facing the GitHub API rate limit (see README.md)
35 | export GITHUB_TOKEN=...
36 |
37 | gosocialcheck update
38 |
39 | gosocialcheck run ./...
40 | `
41 |
42 | func newRootCommand() *cobra.Command {
43 | cmd := &cobra.Command{
44 | Use: "gosocialcheck",
45 | Short: "Social reputation checker for Go modules",
46 | Example: example,
47 | Version: version.GetVersion(),
48 | Args: cobra.NoArgs,
49 | SilenceUsage: true,
50 | SilenceErrors: true,
51 | }
52 |
53 | flags := cmd.PersistentFlags()
54 | flags.Bool("debug", envutil.Bool("DEBUG", false), "debug mode [$DEBUG]")
55 | cmd.PersistentPreRunE = func(cmd *cobra.Command, args []string) error {
56 | flags := cmd.Flags()
57 | if debug, _ := flags.GetBool("debug"); debug {
58 | logLevel.Set(slog.LevelDebug)
59 | }
60 | return nil
61 | }
62 |
63 | cmd.AddCommand(
64 | update.New(),
65 | lookup.New(),
66 | run.New(),
67 | )
68 | return cmd
69 | }
70 |
--------------------------------------------------------------------------------
/go.sum:
--------------------------------------------------------------------------------
1 | github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
2 | github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
3 | github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
4 | github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
5 | github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
6 | github.com/lmittmann/tint v1.1.2 h1:2CQzrL6rslrsyjqLDwD11bZ5OpLBPU+g3G/r5LSfS8w=
7 | github.com/lmittmann/tint v1.1.2/go.mod h1:HIS3gSy7qNwGCj+5oRjAutErFBl4BzdQP6cJZ0NfMwE=
8 | github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
9 | github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
10 | github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
11 | github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
12 | github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
13 | github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
14 | golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
15 | golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
16 | golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
17 | golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
18 | golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
19 | golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ=
20 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
21 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
22 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
23 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
24 | gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
25 | gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
26 |
--------------------------------------------------------------------------------
/pkg/modpath/modpath_test.go:
--------------------------------------------------------------------------------
1 | package modpath
2 |
3 | import (
4 | "strings"
5 | "testing"
6 |
7 | "gotest.tools/v3/assert"
8 | )
9 |
10 | func TestDirFromFileAndPkg(t *testing.T) {
11 | tests := []struct {
12 | name string
13 | file string
14 | Mod string
15 | modVer string
16 | want string
17 | wantErr bool
18 | }{
19 | {
20 | name: "Without version suffix",
21 | file: "/Users/me/gopath/src/github.com/containerd/containerd/pkg/archive/tar.go",
22 | Mod: "github.com/containerd/containerd",
23 | modVer: "v1.0.0",
24 | want: "/Users/me/gopath/src/github.com/containerd/containerd",
25 | },
26 | {
27 | name: "With /v2 version suffix",
28 | file: "/Users/me/gopath/src/github.com/containerd/containerd/pkg/archive/tar.go",
29 | Mod: "github.com/containerd/containerd/v2",
30 | modVer: "v2.0.0",
31 | want: "/Users/me/gopath/src/github.com/containerd/containerd",
32 | },
33 | {
34 | name: "Without /v2 version suffix, in GOPATH/pkg/mod",
35 | file: "/Users/me/gopath/pkg/mod/github.com/containerd/containerd@v1.0.0/pkg/archive/tar.go",
36 | Mod: "github.com/containerd/containerd",
37 | modVer: "v1.0.0",
38 | want: "/Users/me/gopath/pkg/mod/github.com/containerd/containerd@v1.0.0",
39 | },
40 | {
41 | name: "With /v2 version suffix, in GOPATH/pkg/mod",
42 | file: "/Users/me/gopath/pkg/mod/github.com/containerd/containerd@v2.0.0/pkg/archive/tar.go",
43 | Mod: "github.com/containerd/containerd/v2",
44 | modVer: "v2.0.0",
45 | want: "/Users/me/gopath/pkg/mod/github.com/containerd/containerd@v2.0.0",
46 | },
47 | {
48 | name: "Module path not found",
49 | file: "/some/other/path/main.go",
50 | Mod: "github.com/containerd/containerd",
51 | wantErr: true,
52 | },
53 | }
54 |
55 | for _, tc := range tests {
56 | t.Run(tc.name, func(t *testing.T) {
57 | root, err := DirFromFileAndMod(tc.file, tc.Mod, tc.modVer)
58 | if tc.wantErr {
59 | assert.ErrorContains(t, err, "module path")
60 | return
61 | }
62 | assert.NilError(t, err)
63 | assert.Equal(t, tc.want, root)
64 | assert.Assert(t, strings.HasPrefix(tc.file, tc.want))
65 | })
66 | }
67 | }
68 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # gosocialcheck: social reputation checker for Go modules
2 |
3 | gosocialcheck checks whether a Go module is already adopted by a trustworthy project.
4 |
5 | List of trusted projects:
6 | - [CNCF Graduated](https://www.cncf.io/projects/) (Kubernetes, containerd, etc.)
7 |
8 | ## Install
9 | ```bash
10 | go install github.com/AkihiroSuda/gosocialcheck/cmd/gosocialcheck@latest
11 | ```
12 |
13 | ## Usage
14 | ```
15 | # Set the token if facing the GitHub API rate limit (see below)
16 | export GITHUB_TOKEN=...
17 |
18 | gosocialcheck update
19 |
20 | gosocialcheck run ./...
21 | ```
22 |
23 | This command checks whether the **dependencies** of the current module (`./...`) are used by trusted projects.
24 | This command does not check whether the the current module itself is used by trusted projects.
25 |
26 | Example output:
27 | ```
28 | /Users/suda/gopath/src/github.com/AkihiroSuda/gosocialcheck/pkg/analyzer/analyzer.go:18:2:
29 | import 'golang.org/x/tools/go/analysis': module 'golang.org/x/tools@v0.33.0' does not seem adopted by a trusted project (negligible if you trust the module)
30 | /Users/suda/gopath/src/github.com/AkihiroSuda/gosocialcheck/cmd/gosocialcheck/commands/run/run.go:5:2:
31 | import 'golang.org/x/tools/go/analysis/singlechecker': module 'golang.org/x/tools@v0.33.0' does not seem adopted by a trusted project (negligible if you trust the module)
32 | /Users/suda/gopath/src/github.com/AkihiroSuda/gosocialcheck/cmd/gosocialcheck/main.go:8:2:
33 | import 'github.com/lmittmann/tint': module 'github.com/lmittmann/tint@v1.0.7' does not seem adopted by a trusted project (negligible if you trust the module)
34 | ```
35 |
36 | ## Hints
37 | ### GitHub API rate limit
38 | gosocialcheck uses the GitHub API for the following operations:
39 | - Fetch git tags, via `api.github.com`.
40 | - Fetch `go.mod` and `go.sum`, via `http://raw.githubusercontent.com`.
41 |
42 | These API calls often fails unless the API token is set.
43 |
44 | To mitigate the API rate limit, set the token as follows:
45 | 1. Open .
46 | 2. Click `Generate new token`.
47 | 3. Generate a token with the following configuration:
48 | - Token name: (arbitrary name, e.g., `gosocialcheck`)
49 | - Expiration: (arbitrary lifetime, but 365 days at most)
50 | - Repository access: `Public repositories`
51 | - Account permissions: `No access` for all.
52 | 4. Set the token as `$GITHUB_TOKEN`.
53 | ```bash
54 | export GITHUB_TOKEN=...
55 | ```
56 |
--------------------------------------------------------------------------------
/pkg/netutil/netutil.go:
--------------------------------------------------------------------------------
1 | package netutil
2 |
3 | import (
4 | "context"
5 | "fmt"
6 | "io"
7 | "net/http"
8 | "net/url"
9 | "os"
10 | "strings"
11 | )
12 |
13 | type httpOpts struct {
14 | client *http.Client
15 | maxBytes int64
16 | bearerToken string
17 | }
18 |
19 | type HTTPOpt func(opts *httpOpts, urlStr string) error
20 |
21 | func WithHTTPClient(client *http.Client) HTTPOpt {
22 | return func(opts *httpOpts, _ string) error {
23 | opts.client = client
24 | return nil
25 | }
26 | }
27 |
28 | const DefaultHTTPMaxBytes = 64 * 1024 * 1024 // 64 MiB
29 |
30 | func WithHTTPMaxBytes(maxBytes int64) HTTPOpt {
31 | return func(opts *httpOpts, _ string) error {
32 | opts.maxBytes = maxBytes
33 | return nil
34 | }
35 | }
36 |
37 | func WithBearerToken(bearerToken string) HTTPOpt {
38 | return func(opts *httpOpts, _ string) error {
39 | opts.bearerToken = bearerToken
40 | return nil
41 | }
42 | }
43 |
44 | func isGitHubDomain(urlStr string) (bool, error) {
45 | u, err := url.Parse(urlStr)
46 | if err != nil {
47 | return false, err
48 | }
49 | hostname := u.Hostname()
50 | hostname = strings.TrimSuffix(hostname, ".")
51 | switch hostname {
52 | case "github.com", "api.github.com", "raw.githubusercontent.com":
53 | return true, nil
54 | }
55 | return false, nil
56 | }
57 |
58 | // WithAutoGitHubToken automatically sends $GITHUB_TOKEN so as to relax the API rate limit.
59 | // https://docs.github.com/en/rest/using-the-rest-api/rate-limits-for-the-rest-api
60 | func WithAutoGitHubToken() HTTPOpt {
61 | return func(opts *httpOpts, urlStr string) error {
62 | isGH, err := isGitHubDomain(urlStr)
63 | if err != nil {
64 | return err
65 | }
66 | if isGH {
67 | token := os.Getenv("GITHUB_TOKEN")
68 | if token == "" {
69 | // `gh` prioritizes $GH_TOKEN over $GITHUB_TOKEN
70 | token = os.Getenv("GH_TOKEN")
71 | }
72 | if token != "" {
73 | opts.bearerToken = token
74 | }
75 | }
76 | return nil
77 | }
78 | }
79 |
80 | type UnexpectedStatusCodeError struct {
81 | URL *url.URL
82 | StatusCode int
83 | Body string
84 | }
85 |
86 | func (e *UnexpectedStatusCodeError) Error() string {
87 | return fmt.Sprintf("%s: unexpected status code %d: %s", e.URL.Redacted(), e.StatusCode, e.Body)
88 | }
89 |
90 | func Get(ctx context.Context, urlStr string, o ...HTTPOpt) ([]byte, error) {
91 | var opts httpOpts
92 | for _, f := range o {
93 | if err := f(&opts, urlStr); err != nil {
94 | return nil, err
95 | }
96 | }
97 | if opts.client == nil {
98 | opts.client = http.DefaultClient
99 | }
100 | if opts.maxBytes == 0 {
101 | opts.maxBytes = DefaultHTTPMaxBytes
102 | }
103 | req, err := http.NewRequestWithContext(ctx, http.MethodGet, urlStr, nil)
104 | if err != nil {
105 | return nil, err
106 | }
107 | if opts.bearerToken != "" {
108 | req.Header.Add("Authorization", "Bearer "+opts.bearerToken)
109 | }
110 | resp, err := opts.client.Do(req)
111 | if err != nil {
112 | return nil, err
113 | }
114 | defer resp.Body.Close()
115 | lr := &io.LimitedReader{
116 | R: resp.Body,
117 | N: opts.maxBytes,
118 | }
119 | body, err := io.ReadAll(lr)
120 | if err != nil {
121 | return nil, err
122 | }
123 | if resp.StatusCode != 200 {
124 | return nil, &UnexpectedStatusCodeError{
125 | URL: req.URL,
126 | StatusCode: resp.StatusCode,
127 | Body: string(body),
128 | }
129 | }
130 | return body, nil
131 | }
132 |
--------------------------------------------------------------------------------
/pkg/analyzer/analyzer.go:
--------------------------------------------------------------------------------
1 | package analyzer
2 |
3 | import (
4 | "bufio"
5 | "bytes"
6 | "context"
7 | "errors"
8 | "flag"
9 | "fmt"
10 | "io"
11 | "log/slog"
12 | "os"
13 | "path/filepath"
14 | "strconv"
15 | "strings"
16 | "sync"
17 |
18 | "golang.org/x/mod/modfile"
19 | "golang.org/x/mod/module"
20 | "golang.org/x/tools/go/analysis"
21 |
22 | "github.com/AkihiroSuda/gosocialcheck/pkg/cache"
23 | "github.com/AkihiroSuda/gosocialcheck/pkg/modpath"
24 | )
25 |
26 | type Opts struct {
27 | Flags flag.FlagSet
28 | Cache *cache.Cache
29 | }
30 |
31 | func New(ctx context.Context, opts Opts) (*analysis.Analyzer, error) {
32 | inst := &instance{
33 | Opts: opts,
34 | modDirs: make(map[string]string),
35 | }
36 | a := &analysis.Analyzer{
37 | Name: "gosocialcheck",
38 | Doc: "Social reputation checker",
39 | URL: "https://github.com/AkihiroSuda/gosocialcheck",
40 | Flags: opts.Flags,
41 | Run: run(ctx, inst),
42 | RunDespiteErrors: false,
43 | }
44 | return a, nil
45 | }
46 |
47 | type instance struct {
48 | Opts
49 | modDirs map[string]string // key: MODULE@VER
50 | mu sync.RWMutex
51 | }
52 |
53 | func run(ctx context.Context, inst *instance) func(*analysis.Pass) (any, error) {
54 | return func(pass *analysis.Pass) (any, error) {
55 | modDir, err := inst.guessModuleDir(pass)
56 | if err != nil {
57 | return nil, err
58 | }
59 | if modDir == "" {
60 | return nil, nil
61 | }
62 | // TODO: cache go.mod
63 | // TODO: support multi-module mono repo
64 | goModFilename := filepath.Join(modDir, "go.mod")
65 | // pass.ReadFile does not support go.mod
66 | goModB, err := os.ReadFile(goModFilename)
67 | if err != nil {
68 | return nil, fmt.Errorf("failed to read %q: %w", goModFilename, err)
69 | }
70 | goMod, err := modfile.Parse(goModFilename, goModB, nil)
71 | if err != nil {
72 | return nil, err
73 | }
74 | if goMod.Module.Mod.Path != pass.Module.Path {
75 | return nil, fmt.Errorf("%s: expected %q, got %q", goModFilename, pass.Module.Path, goMod.Module.Mod.Path)
76 | }
77 | if len(goMod.Replace) != 0 {
78 | slog.WarnContext(ctx, "replace is not supported yet")
79 | }
80 |
81 | // TODO: cache go.sum
82 | goSumFilename := filepath.Join(modDir, "go.sum")
83 | // pass.ReadFile does not support go.sum
84 | goSumB, err := os.ReadFile(goSumFilename)
85 | if err != nil {
86 | return nil, fmt.Errorf("failed to read %q: %w", goSumFilename, err)
87 | }
88 | goSum, err := parseGoSum(bytes.NewReader(goSumB))
89 | if err != nil {
90 | return nil, err
91 | }
92 |
93 | for _, file := range pass.Files {
94 | for _, imp := range file.Imports {
95 | if imp.Path == nil {
96 | return nil, errors.New("got nil ast.ImportSpec.Path")
97 | }
98 | p, err := strconv.Unquote(imp.Path.Value)
99 | if err != nil {
100 | return nil, err
101 | }
102 | modV := moduleVersion(goMod, p)
103 | if modV == nil {
104 | slog.DebugContext(ctx, "module entry not found (negligible for stdlib and local imports)", "path", p)
105 | continue
106 | }
107 | h1 := goSum[modV.Path+" "+modV.Version]
108 | slog.DebugContext(ctx, "module", "path", p, "modpath", modV.Path, "modver", modV.Version, "h1", h1)
109 | hit, err := inst.Opts.Cache.Lookup(ctx, h1)
110 | if err != nil {
111 | return nil, err
112 | }
113 | if len(hit) == 0 {
114 | diag := analysis.Diagnostic{
115 | Pos: imp.Pos(),
116 | End: imp.End(),
117 | Message: fmt.Sprintf("import '%s': module '%s' does not seem adopted by a trusted project "+
118 | "(negligible if you trust the module)",
119 | p, modV.String()),
120 | }
121 | pass.Report(diag)
122 | } else {
123 | slog.DebugContext(ctx, "cache hit", "path", p, "hit[0]", hit[0])
124 | }
125 | }
126 | }
127 | return nil, nil
128 | }
129 | }
130 |
131 | func moduleVersion(goMod *modfile.File, imp string) *module.Version {
132 | for _, r := range goMod.Require {
133 | // TODO: check multiple matches
134 | if r.Mod.Path == imp || strings.HasPrefix(imp, r.Mod.Path+"/") {
135 | return &r.Mod
136 | }
137 | }
138 | return nil
139 | }
140 |
141 | func parseGoSum(r io.Reader) (map[string]string, error) {
142 | sc := bufio.NewScanner(r)
143 | res := make(map[string]string)
144 | for sc.Scan() {
145 | line := sc.Text()
146 | line = strings.TrimSpace(line)
147 | fields := strings.Fields(line)
148 | if len(fields) != 3 {
149 | return res, fmt.Errorf("expected 3 fields, got %v", fields)
150 | }
151 | res[fields[0]+" "+fields[1]] = fields[2]
152 | }
153 | return res, sc.Err()
154 | }
155 |
156 | // guessModuleDir guess the directory that contains go.mod and go.sum.
157 | // This function might not be robust.
158 | //
159 | // A workaround for https://github.com/golang/go/issues/73878
160 | func (inst *instance) guessModuleDir(pass *analysis.Pass) (string, error) {
161 | if pass.Module == nil {
162 | return "", errors.New("got nil module")
163 | }
164 | mod := pass.Module.Path
165 | modVer := pass.Module.Version
166 | inst.mu.RLock()
167 | k := mod
168 | if modVer != "" {
169 | k += "@" + modVer
170 | }
171 | v := inst.modDirs[k]
172 | inst.mu.RUnlock()
173 | if v != "" {
174 | return v, nil
175 | }
176 | if len(pass.Files) == 0 {
177 | return "", fmt.Errorf("%s: got no files", mod)
178 | }
179 | var sawGoBuildDir bool
180 | for _, f := range pass.Files {
181 | ff := pass.Fset.File(f.Pos())
182 | file := ff.Name()
183 | fileSlash := filepath.ToSlash(file)
184 | if strings.Contains(fileSlash, "/go-build/") {
185 | // tmp file like /Users/suda/Library/Caches/go-build/a0/a0f5d4693b09f2e3e24d18608f43e8540c5c52248877ef966df196f36bed5dfb-d
186 | sawGoBuildDir = true
187 | }
188 | if strings.Contains(fileSlash, modpath.StripMajorVersion(mod)) {
189 | dir, err := modpath.DirFromFileAndMod(file, mod, modVer)
190 | if err != nil {
191 | return "", err
192 | }
193 | slog.Debug("guessed module dir", "mod", mod, "modVer", modVer, "dir", dir)
194 | inst.mu.Lock()
195 | inst.modDirs[k] = dir
196 | inst.mu.Unlock()
197 | return dir, nil
198 | }
199 | }
200 | if sawGoBuildDir {
201 | return "", nil
202 | }
203 | return "", fmt.Errorf("could not guess the directory of module %s", k)
204 | }
205 |
--------------------------------------------------------------------------------
/pkg/cache/cache.go:
--------------------------------------------------------------------------------
1 | // Package cache manages the cache.
2 |
3 | /*
4 | TODO: consider switching to bbolt
5 |
6 | ~/.cache: the cache home ($XDG_CACHE_HOME)
7 | gosocialcheck: the ModTime represents the last updated time
8 | github.com
9 | containerd
10 | containerd
11 | fb4c30d4ede3531652d86197bf3fc9515e5276d9
12 | gosocialcheck-cache.json
13 | go.mod
14 | go.sum
15 | */
16 |
17 | package cache
18 |
19 | import (
20 | "bufio"
21 | "bytes"
22 | "context"
23 | "encoding/json"
24 | "errors"
25 | "fmt"
26 | "io/fs"
27 | "log/slog"
28 | "net/http"
29 | "os"
30 | "os/exec"
31 | "path/filepath"
32 | "slices"
33 | "strings"
34 | "time"
35 |
36 | "golang.org/x/mod/semver"
37 | "golang.org/x/sync/errgroup"
38 | "gopkg.in/yaml.v3"
39 |
40 | "github.com/AkihiroSuda/gosocialcheck/pkg/categories"
41 | "github.com/AkihiroSuda/gosocialcheck/pkg/netutil"
42 | "github.com/AkihiroSuda/gosocialcheck/pkg/netutil/github"
43 | "github.com/AkihiroSuda/gosocialcheck/pkg/source/cncf"
44 | )
45 |
46 | type ProgressEvent struct {
47 | Message string `json:"message,omitempty"`
48 | }
49 |
50 | type ProgressEventHandler func(context.Context, ProgressEvent)
51 |
52 | func DefaultProgressEventHandler(ctx context.Context, ev ProgressEvent) {
53 | slog.DebugContext(ctx, "progress: "+ev.Message)
54 | }
55 |
56 | type opts struct {
57 | dir string
58 | onProgress ProgressEventHandler
59 | httpClient *http.Client
60 | }
61 |
62 | type Opt func(*opts) error
63 |
64 | func WithDir(dir string) Opt {
65 | return func(opts *opts) error {
66 | opts.dir = dir
67 | return nil
68 | }
69 | }
70 |
71 | func WithProgressEventHandler(onProgress ProgressEventHandler) Opt {
72 | return func(opts *opts) error {
73 | opts.onProgress = onProgress
74 | return nil
75 | }
76 | }
77 |
78 | func WithHTTPClient(httpClient *http.Client) Opt {
79 | return func(opts *opts) error {
80 | opts.httpClient = httpClient
81 | return nil
82 | }
83 | }
84 |
85 | // New instantiates [Cache].
86 | func New(o ...Opt) (*Cache, error) {
87 | var c Cache
88 | for _, f := range o {
89 | if err := f(&c.opts); err != nil {
90 | return nil, err
91 | }
92 | }
93 | if c.opts.dir == "" {
94 | cacheHome, err := os.UserCacheDir()
95 | if err != nil {
96 | return nil, err
97 | }
98 | c.opts.dir = filepath.Join(cacheHome, "gosocialcheck")
99 | }
100 | if c.opts.onProgress == nil {
101 | c.opts.onProgress = DefaultProgressEventHandler
102 | }
103 | if c.opts.httpClient == nil {
104 | c.opts.httpClient = http.DefaultClient
105 | }
106 | return &c, nil
107 | }
108 |
109 | type Cache struct {
110 | opts
111 | updated []string
112 | }
113 |
114 | func (c *Cache) httpOpts() []netutil.HTTPOpt {
115 | return []netutil.HTTPOpt{
116 | netutil.WithHTTPClient(c.httpClient),
117 | netutil.WithAutoGitHubToken(),
118 | }
119 | }
120 |
121 | // LastUpdated returns the last updated time.
122 | // LastUpdated returns [fs.ErrNotExist] on the first run.
123 | func (c *Cache) LastUpdated() (time.Time, error) {
124 | st, err := os.Stat(c.dir)
125 | if err != nil {
126 | return time.Time{}, err
127 | }
128 | return st.ModTime(), nil
129 | }
130 |
131 | // Update updates the cache.
132 | func (c *Cache) Update(ctx context.Context) error {
133 | b, err := netutil.Get(ctx, cncf.ProjectsURL, c.httpOpts()...)
134 | if err != nil {
135 | return err
136 | }
137 | var projects cncf.Projects
138 | if err = yaml.Unmarshal(b, &projects); err != nil {
139 | return err
140 | }
141 | for _, p := range projects {
142 | if err = c.updateCNCFProject(ctx, p); err != nil {
143 | return err
144 | }
145 | }
146 | if len(c.updated) > 0 {
147 | now := time.Now()
148 | if err = os.Chtimes(c.dir, now, now); err != nil {
149 | return err
150 | }
151 | }
152 | return nil
153 | }
154 |
155 | func (c *Cache) updateCNCFProject(ctx context.Context, p cncf.Project) error {
156 | if p.Maturity != "graduated" {
157 | return nil
158 | }
159 | for _, r := range p.Repositories {
160 | if err := c.updateCNCFRepo(ctx, r); err != nil {
161 | return err
162 | }
163 | }
164 | return nil
165 | }
166 |
167 | func (c *Cache) updateCNCFRepo(ctx context.Context, r cncf.Repository) error {
168 | var category string
169 | // TODO: include repos that belong to the same org as "code".
170 | // Most of them should be accidentally ommited out from "code-lite".
171 | switch {
172 | case slices.Contains(r.CheckSets, "code"):
173 | category = categories.CNCFGraduated
174 | case slices.Contains(r.CheckSets, "code-lite"):
175 | // TODO: opt-in
176 | // category = categories.CNCFGraduatedSub
177 | }
178 | if category != "" {
179 | if err := c.updateGitHubRepo(ctx, r.URL, category); err != nil {
180 | return err
181 | }
182 | }
183 | return nil
184 | }
185 |
186 | func filterPrelease(tags []github.Tag) []github.Tag {
187 | var res []github.Tag
188 | for _, tag := range tags {
189 | if semver.Prerelease(tag.Name) == "" {
190 | res = append(res, tag)
191 | }
192 | }
193 | return res
194 | }
195 |
196 | // updateGitHubRepo expects url to be "https://github.com//".
197 | func (c *Cache) updateGitHubRepo(ctx context.Context, urlStr, category string) error {
198 | repo, err := github.NewRepo(urlStr)
199 | if err != nil {
200 | return err
201 | }
202 | tags, err := repo.Tags(ctx, c.httpOpts()...)
203 | if err != nil {
204 | return err
205 | }
206 | tags = filterPrelease(tags)
207 | const maxTags = 10
208 | if len(tags) > maxTags {
209 | tags = tags[:maxTags]
210 | }
211 | g, ctx := errgroup.WithContext(ctx)
212 | for _, tag := range tags {
213 | g.Go(func() error {
214 | return c.updateGitHubRepoTag(ctx, repo, tag, category)
215 | })
216 | }
217 | return g.Wait()
218 | }
219 |
220 | func (c *Cache) updateGitHubRepoTag(ctx context.Context, repo *github.Repo, tag github.Tag, category string) error {
221 | dir := filepath.Join(c.dir, "github.com", repo.Owner, repo.Repo, tag.Commit.SHA)
222 | if _, err := os.Stat(dir); !errors.Is(err, fs.ErrNotExist) {
223 | return err
224 | }
225 | if err := os.MkdirAll(dir, 0o755); err != nil {
226 | return err
227 | }
228 | for _, p := range []string{"go.mod", "go.sum"} {
229 | urlStr := repo.ContentURL(tag.Commit.SHA, p)
230 | b, err := netutil.Get(ctx, urlStr, c.httpOpts()...)
231 | if err != nil {
232 | var err2 *netutil.UnexpectedStatusCodeError
233 | if errors.As(err, &err2) && err2.StatusCode == 404 {
234 | // Not Go code
235 | break
236 | }
237 | return err
238 | }
239 | f := filepath.Join(dir, p)
240 | if err = os.WriteFile(f, b, 0o644); err != nil {
241 | return err
242 | }
243 | }
244 | meta := &Meta{
245 | Repo: *repo,
246 | Tag: tag.Compact(),
247 | Category: category,
248 | }
249 | metaB, err := json.Marshal(meta)
250 | if err != nil {
251 | return err
252 | }
253 | metaF := filepath.Join(dir, MetaFilename)
254 | if err := os.WriteFile(metaF, metaB, 0o644); err != nil {
255 | return err
256 | }
257 | progress := ProgressEvent{
258 | Message: fmt.Sprintf("%s/%s %s %s (%s)",
259 | repo.Owner, repo.Repo, tag.Name, tag.Commit.SHA, category),
260 | }
261 | c.onProgress(ctx, progress)
262 | return nil
263 | }
264 |
265 | const MetaFilename = "gosocialcheck-meta.json"
266 |
267 | type Meta struct {
268 | Repo github.Repo `json:"repo"`
269 | Tag github.Tag `json:"tag"`
270 | Category string `json:"category"`
271 | }
272 |
273 | func (c *Cache) Lookup(ctx context.Context, sum string) ([]Meta, error) {
274 | if !strings.HasPrefix(sum, "h1:") || !strings.HasSuffix(sum, "=") {
275 | return nil, fmt.Errorf("expected h1 sum, got %q", sum)
276 | }
277 | goSumFiles, err := c.lookupGoSumFiles(ctx, sum)
278 | if err != nil {
279 | return nil, err
280 | }
281 | var res []Meta
282 | for _, goSumFile := range goSumFiles {
283 | dir := filepath.Join(c.dir, filepath.Clean(filepath.Dir(goSumFile)))
284 | f := filepath.Join(dir, MetaFilename)
285 | b, err := os.ReadFile(f)
286 | if err != nil {
287 | return res, err
288 | }
289 | var m Meta
290 | if err = json.Unmarshal(b, &m); err != nil {
291 | return res, err
292 | }
293 | res = append(res, m)
294 | }
295 | return res, nil
296 | }
297 |
298 | func (c *Cache) lookupGoSumFiles(ctx context.Context, sum string) ([]string, error) {
299 | var stdout, stderr bytes.Buffer
300 | cmd := exec.CommandContext(ctx, "git", "-C", c.dir, "grep", "--name-only", "--no-index", sum)
301 | cmd.Stdout = &stdout
302 | cmd.Stderr = &stderr
303 | if err := cmd.Run(); err != nil {
304 | exitCode := -1
305 | if cmd.ProcessState != nil {
306 | exitCode = cmd.ProcessState.ExitCode()
307 | }
308 | if exitCode == 1 && stderr.String() == "" {
309 | // failed successfully
310 | return nil, nil
311 | }
312 | return nil, fmt.Errorf("failed to run %v (stderr=%q)", cmd.Args, stderr.String())
313 | }
314 | sc := bufio.NewScanner(&stdout)
315 | var res []string
316 | for sc.Scan() {
317 | line := sc.Text()
318 | line = strings.TrimSpace(line)
319 | res = append(res, line)
320 | }
321 | return res, sc.Err()
322 | }
323 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 |
2 | Apache License
3 | Version 2.0, January 2004
4 | http://www.apache.org/licenses/
5 |
6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
7 |
8 | 1. Definitions.
9 |
10 | "License" shall mean the terms and conditions for use, reproduction,
11 | and distribution as defined by Sections 1 through 9 of this document.
12 |
13 | "Licensor" shall mean the copyright owner or entity authorized by
14 | the copyright owner that is granting the License.
15 |
16 | "Legal Entity" shall mean the union of the acting entity and all
17 | other entities that control, are controlled by, or are under common
18 | control with that entity. For the purposes of this definition,
19 | "control" means (i) the power, direct or indirect, to cause the
20 | direction or management of such entity, whether by contract or
21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
22 | outstanding shares, or (iii) beneficial ownership of such entity.
23 |
24 | "You" (or "Your") shall mean an individual or Legal Entity
25 | exercising permissions granted by this License.
26 |
27 | "Source" form shall mean the preferred form for making modifications,
28 | including but not limited to software source code, documentation
29 | source, and configuration files.
30 |
31 | "Object" form shall mean any form resulting from mechanical
32 | transformation or translation of a Source form, including but
33 | not limited to compiled object code, generated documentation,
34 | and conversions to other media types.
35 |
36 | "Work" shall mean the work of authorship, whether in Source or
37 | Object form, made available under the License, as indicated by a
38 | copyright notice that is included in or attached to the work
39 | (an example is provided in the Appendix below).
40 |
41 | "Derivative Works" shall mean any work, whether in Source or Object
42 | form, that is based on (or derived from) the Work and for which the
43 | editorial revisions, annotations, elaborations, or other modifications
44 | represent, as a whole, an original work of authorship. For the purposes
45 | of this License, Derivative Works shall not include works that remain
46 | separable from, or merely link (or bind by name) to the interfaces of,
47 | the Work and Derivative Works thereof.
48 |
49 | "Contribution" shall mean any work of authorship, including
50 | the original version of the Work and any modifications or additions
51 | to that Work or Derivative Works thereof, that is intentionally
52 | submitted to Licensor for inclusion in the Work by the copyright owner
53 | or by an individual or Legal Entity authorized to submit on behalf of
54 | the copyright owner. For the purposes of this definition, "submitted"
55 | means any form of electronic, verbal, or written communication sent
56 | to the Licensor or its representatives, including but not limited to
57 | communication on electronic mailing lists, source code control systems,
58 | and issue tracking systems that are managed by, or on behalf of, the
59 | Licensor for the purpose of discussing and improving the Work, but
60 | excluding communication that is conspicuously marked or otherwise
61 | designated in writing by the copyright owner as "Not a Contribution."
62 |
63 | "Contributor" shall mean Licensor and any individual or Legal Entity
64 | on behalf of whom a Contribution has been received by Licensor and
65 | subsequently incorporated within the Work.
66 |
67 | 2. Grant of Copyright License. Subject to the terms and conditions of
68 | this License, each Contributor hereby grants to You a perpetual,
69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
70 | copyright license to reproduce, prepare Derivative Works of,
71 | publicly display, publicly perform, sublicense, and distribute the
72 | Work and such Derivative Works in Source or Object form.
73 |
74 | 3. Grant of Patent License. Subject to the terms and conditions of
75 | this License, each Contributor hereby grants to You a perpetual,
76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
77 | (except as stated in this section) patent license to make, have made,
78 | use, offer to sell, sell, import, and otherwise transfer the Work,
79 | where such license applies only to those patent claims licensable
80 | by such Contributor that are necessarily infringed by their
81 | Contribution(s) alone or by combination of their Contribution(s)
82 | with the Work to which such Contribution(s) was submitted. If You
83 | institute patent litigation against any entity (including a
84 | cross-claim or counterclaim in a lawsuit) alleging that the Work
85 | or a Contribution incorporated within the Work constitutes direct
86 | or contributory patent infringement, then any patent licenses
87 | granted to You under this License for that Work shall terminate
88 | as of the date such litigation is filed.
89 |
90 | 4. Redistribution. You may reproduce and distribute copies of the
91 | Work or Derivative Works thereof in any medium, with or without
92 | modifications, and in Source or Object form, provided that You
93 | meet the following conditions:
94 |
95 | (a) You must give any other recipients of the Work or
96 | Derivative Works a copy of this License; and
97 |
98 | (b) You must cause any modified files to carry prominent notices
99 | stating that You changed the files; and
100 |
101 | (c) You must retain, in the Source form of any Derivative Works
102 | that You distribute, all copyright, patent, trademark, and
103 | attribution notices from the Source form of the Work,
104 | excluding those notices that do not pertain to any part of
105 | the Derivative Works; and
106 |
107 | (d) If the Work includes a "NOTICE" text file as part of its
108 | distribution, then any Derivative Works that You distribute must
109 | include a readable copy of the attribution notices contained
110 | within such NOTICE file, excluding those notices that do not
111 | pertain to any part of the Derivative Works, in at least one
112 | of the following places: within a NOTICE text file distributed
113 | as part of the Derivative Works; within the Source form or
114 | documentation, if provided along with the Derivative Works; or,
115 | within a display generated by the Derivative Works, if and
116 | wherever such third-party notices normally appear. The contents
117 | of the NOTICE file are for informational purposes only and
118 | do not modify the License. You may add Your own attribution
119 | notices within Derivative Works that You distribute, alongside
120 | or as an addendum to the NOTICE text from the Work, provided
121 | that such additional attribution notices cannot be construed
122 | as modifying the License.
123 |
124 | You may add Your own copyright statement to Your modifications and
125 | may provide additional or different license terms and conditions
126 | for use, reproduction, or distribution of Your modifications, or
127 | for any such Derivative Works as a whole, provided Your use,
128 | reproduction, and distribution of the Work otherwise complies with
129 | the conditions stated in this License.
130 |
131 | 5. Submission of Contributions. Unless You explicitly state otherwise,
132 | any Contribution intentionally submitted for inclusion in the Work
133 | by You to the Licensor shall be under the terms and conditions of
134 | this License, without any additional terms or conditions.
135 | Notwithstanding the above, nothing herein shall supersede or modify
136 | the terms of any separate license agreement you may have executed
137 | with Licensor regarding such Contributions.
138 |
139 | 6. Trademarks. This License does not grant permission to use the trade
140 | names, trademarks, service marks, or product names of the Licensor,
141 | except as required for reasonable and customary use in describing the
142 | origin of the Work and reproducing the content of the NOTICE file.
143 |
144 | 7. Disclaimer of Warranty. Unless required by applicable law or
145 | agreed to in writing, Licensor provides the Work (and each
146 | Contributor provides its Contributions) on an "AS IS" BASIS,
147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
148 | implied, including, without limitation, any warranties or conditions
149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
150 | PARTICULAR PURPOSE. You are solely responsible for determining the
151 | appropriateness of using or redistributing the Work and assume any
152 | risks associated with Your exercise of permissions under this License.
153 |
154 | 8. Limitation of Liability. In no event and under no legal theory,
155 | whether in tort (including negligence), contract, or otherwise,
156 | unless required by applicable law (such as deliberate and grossly
157 | negligent acts) or agreed to in writing, shall any Contributor be
158 | liable to You for damages, including any direct, indirect, special,
159 | incidental, or consequential damages of any character arising as a
160 | result of this License or out of the use or inability to use the
161 | Work (including but not limited to damages for loss of goodwill,
162 | work stoppage, computer failure or malfunction, or any and all
163 | other commercial damages or losses), even if such Contributor
164 | has been advised of the possibility of such damages.
165 |
166 | 9. Accepting Warranty or Additional Liability. While redistributing
167 | the Work or Derivative Works thereof, You may choose to offer,
168 | and charge a fee for, acceptance of support, warranty, indemnity,
169 | or other liability obligations and/or rights consistent with this
170 | License. However, in accepting such obligations, You may act only
171 | on Your own behalf and on Your sole responsibility, not on behalf
172 | of any other Contributor, and only if You agree to indemnify,
173 | defend, and hold each Contributor harmless for any liability
174 | incurred by, or claims asserted against, such Contributor by reason
175 | of your accepting any such warranty or additional liability.
176 |
177 | END OF TERMS AND CONDITIONS
178 |
179 | APPENDIX: How to apply the Apache License to your work.
180 |
181 | To apply the Apache License to your work, attach the following
182 | boilerplate notice, with the fields enclosed by brackets "[]"
183 | replaced with your own identifying information. (Don't include
184 | the brackets!) The text should be enclosed in the appropriate
185 | comment syntax for the file format. We also recommend that a
186 | file or class name and description of purpose be included on the
187 | same "printed page" as the copyright notice for easier
188 | identification within third-party archives.
189 |
190 | Copyright [yyyy] [name of copyright owner]
191 |
192 | Licensed under the Apache License, Version 2.0 (the "License");
193 | you may not use this file except in compliance with the License.
194 | You may obtain a copy of the License at
195 |
196 | http://www.apache.org/licenses/LICENSE-2.0
197 |
198 | Unless required by applicable law or agreed to in writing, software
199 | distributed under the License is distributed on an "AS IS" BASIS,
200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
201 | See the License for the specific language governing permissions and
202 | limitations under the License.
203 |
--------------------------------------------------------------------------------