Explore utilizing type-checking information #140
Open
Labels: bug, enhancement, false-negative, vet-bot
Tim King pointed out the possibility for code like this to yield false negatives. The issue is one of not being able to perform a whole program analysis without downloading dependencies.

Suppose that `bar` returns some type whose declaration of `method` is not present in the target repository, and is not available for VetBot to analyze. Suppose also that there are unary functions named `method` declared in the target repository, and that the argument is marked safe.

If the declaration of `method` actually uses `v` in an unsafe way, VetBot will report a false-negative. Also, VetBot currently has no way to understand that the method being used refers to a declaration that it cannot see.

The approach to use here is to try and provide VetBot with whatever information it needs to determine that `method` refers to a declaration VetBot did not see. To do that means we will need to rely on some type-checking information to at least determine whether the type referred to is one that is declared in the repository rather than imported from a third-party.

That means exploring the use of the `types` and `packages` packages. That is a rather involved undertaking which may disrupt changes happening in parallel.
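The sketch below is an added example, not VetBot's code: it uses `go/types` to tell a method declared in the repository apart from a same-named one declared in an imported package, which is the distinction described above. The package paths, the `Local` and `T` types, and the helper names are constructed for illustration, and it assumes type information for the dependency can be loaded (here it is type-checked from an in-memory source).

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
)

// Constructed sources: dep stands in for a third-party module, repo for the target repository.
const depSrc = `package dep; type T struct{}; func (T) Method(v string) {}; func Bar() T { return T{} }`
const repoSrc = `package repo; import "example.com/dep"; type Local struct{}; func (Local) Method(v string) {}
func use(v string) { l := Local{}; l.Method(v); dep.Bar().Method(v) }`
type mapImporter map[string]*types.Package // resolves imports from packages type-checked in memory
func (m mapImporter) Import(path string) (*types.Package, error) {
	if p, ok := m[path]; ok {
		return p, nil
	}
	return nil, fmt.Errorf("package %q not available", path)
}

// check parses and type-checks one single-file package, filling info when it is non-nil.
func check(path, src string, imp mapImporter, info *types.Info) (*types.Package, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, path+".go", src, 0)
	if err != nil {
		return nil, err
	}
	return (&types.Config{Importer: imp}).Check(path, fset, []*ast.File{f}, info)
}

// ExternalMethodCalls lists method selections in repoSrc whose declaration is outside the repo package.
func ExternalMethodCalls() (external []string, err error) {
	depPkg, err := check("example.com/dep", depSrc, mapImporter{}, nil)
	if err != nil {
		return nil, err
	}
	info := &types.Info{Selections: map[*ast.SelectorExpr]*types.Selection{}}
	repoPkg, err := check("example.com/repo", repoSrc, mapImporter{"example.com/dep": depPkg}, info)
	if err != nil {
		return nil, err
	}
	for _, s := range info.Selections {
		if s.Kind() == types.MethodVal && s.Obj().Pkg() != repoPkg {
			external = append(external, s.Obj().Pkg().Path()+"."+s.Obj().Name())
		}
	}
	return external, nil
}
func main() { fmt.Println(ExternalMethodCalls()) }
```

Both calls in `use` are spelled `Method(v)`, but only the one on `dep.Bar()` is reported, because its declaring package differs from the repository's package.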