govulncheck integration (#198)

An initial attempt at integrating govulncheck's library with
OSV-Scanner.

TODOs before full PR:

~~- [ ] Add config options after design doc is finalized~~
~~- [ ] Allow user to configure tags and go versions~~
- [x] Update table output for inactive/not called vulnerabilities
- [x] Update exit code for not called vulnerabilities
- [x] Update README with feature and the go dependency if they want the
vulncheck feature
- [x] Add go as dependency into osv-scanner docker containers.

cmd/osv-scanner/main.go

@@ -89,6 +89,11 @@ func run(args []string, stdout, stderr io.Writer) int {
 				Usage:   "check subdirectories",
 				Value:   false,
 			},
+			&cli.BoolFlag{
+				Name:  "experimental-call-analysis",
+				Usage: "attempt call analysis on code to detect only active vulnerabilities",
+				Value: false,
+			},
 			&cli.BoolFlag{
 				Name:  "no-ignore",
 				Usage: "also scan files that would be ignored by .gitignore",
@@ -106,14 +111,15 @@ func run(args []string, stdout, stderr io.Writer) int {
 			r = output.NewReporter(stdout, stderr, format)
 
 			vulnResult, err := osvscanner.DoScan(osvscanner.ScannerActions{
-				LockfilePaths:        context.StringSlice("lockfile"),
-				SBOMPaths:            context.StringSlice("sbom"),
-				DockerContainerNames: context.StringSlice("docker"),
-				Recursive:            context.Bool("recursive"),
-				SkipGit:              context.Bool("skip-git"),
-				NoIgnore:             context.Bool("no-ignore"),
-				ConfigOverridePath:   context.String("config"),
-				DirectoryPaths:       context.Args().Slice(),
+				LockfilePaths:            context.StringSlice("lockfile"),
+				SBOMPaths:                context.StringSlice("sbom"),
+				DockerContainerNames:     context.StringSlice("docker"),
+				Recursive:                context.Bool("recursive"),
+				SkipGit:                  context.Bool("skip-git"),
+				NoIgnore:                 context.Bool("no-ignore"),
+				ConfigOverridePath:       context.String("config"),
+				DirectoryPaths:           context.Args().Slice(),
+				ExperimentalCallAnalysis: context.Bool("experimental-call-analysis"),
 			}, r)
 
 			if errPrint := r.PrintResult(&vulnResult); errPrint != nil {
@@ -132,6 +138,11 @@ func run(args []string, stdout, stderr io.Writer) int {
 			return 1
 		}
 
+		if errors.Is(err, osvscanner.OnlyUncalledVulnerabilitiesFoundErr) {
+			// TODO: Discuss whether to have a different exit code now that running call analysis is not default
+			return 2
+		}
+
 		if errors.Is(err, osvscanner.NoPackagesFoundErr) {
 			r.PrintError("No package sources found, --help for usage information.\n")
 			return 128

docs/working_docs/installation.md

@@ -65,3 +65,4 @@ See [CONTRIBUTING.md](CONTRIBUTING.md) file.
 ### SemVer Adherence
 
 All releases on the same Major version will be guaranteed to have backward compatible JSON output and CLI arguments.
+However, features prefixed with `experimental` (e.g. `--experimental-call-analysis`) might be changed or removed with only a Minor version change.

docs/working_docs/output.md

@@ -118,7 +118,15 @@ osv-scanner --format json -L path/to/lockfile > /path/to/file.json
               "ids": [
                 "GHSA-c3h9-896r-86jm",
                 "GO-2021-0053"
-              ]
+              ],
+              // Call stack analysis is done using the `--experimental-call-analysis` flag
+              // and result is matched against data provided by the advisory to check if
+              // affected code is actually being executed.
+              "experimentalAnalysis": {
+                "GO-2021-0053": {
+                  "called": false
+                }
+              }
             }
           ]
         }

docs/working_docs/usage.md

@@ -99,9 +99,33 @@ it should infer the parser based on the filename:
 osv-scanner --lockfile ':/path/to/my:projects/package-lock.json'
 ```
 
+### Scanning with call analysis
+Preview
+{: .label }
+
+{: .note }
+Features and flags with the `experimental` prefix might change or be removed with only a minor version update.
+
+Call stack analysis can be performed on some languages to check if the 
+vulnerable code is actually being executed by your project. If the code
+is not being executed, these vulnerabilities will be marked as unexecuted.
+
+To enable call analysis, call OSV-Scanner with the `--experimental-call-analysis` flag.
+
+#### Supported languages
+- `go`
+  - Additional dependencies:
+    - `go` compiler needs to be installed and available on PATH
+
+#### Example
+```bash
+osv-scanner --experimental-call-analysis ./my/project/path
+```
+
 ### Scanning a Debian based docker image packages
 Preview
 {: .label } 
+
 This tool will scrape the list of installed packages in a Debian image and query for vulnerabilities on them.
 
 Currently only Debian based docker image scanning is supported.
@@ -135,4 +159,4 @@ appropriate osv-scanner flags:
 
 ```bash
 docker run -it -v ${PWD}:/src ghcr.io/google/osv-scanner -L /src/go.mod
-```
+```

go.mod

@@ -9,12 +9,15 @@ require (
 	github.com/go-git/go-git/v5 v5.5.2
 	github.com/google/go-cmp v0.5.9
 	github.com/jedib0t/go-pretty/v6 v6.4.4
+	github.com/kr/pretty v0.3.1
 	github.com/package-url/packageurl-go v0.1.0
 	github.com/spdx/tools-golang v0.4.0
 	github.com/urfave/cli/v2 v2.24.4
 	golang.org/x/exp v0.0.0-20230213192124-5e25df0256eb
 	golang.org/x/mod v0.8.0
 	golang.org/x/term v0.5.0
+	golang.org/x/tools v0.5.1-0.20230117180257-8aba49bb5ea2
+	golang.org/x/vuln v0.0.0-20230118164824-4ec8867cc0e6
 	gopkg.in/yaml.v3 v3.0.1
 )
 
@@ -29,13 +32,16 @@ require (
 	github.com/imdario/mergo v0.3.13 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
+	github.com/kr/text v0.2.0 // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
 	github.com/pjbgf/sha1cd v0.2.3 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
+	github.com/rogpeppe/go-internal v1.9.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sergi/go-diff v1.1.0 // indirect
 	github.com/skeema/knownhosts v1.1.0 // indirect
 	github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89 // indirect
+	github.com/stretchr/testify v1.8.1 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
 	golang.org/x/crypto v0.3.0 // indirect

go.sum

@@ -14,6 +14,7 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPd
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
 github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
+github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI=
 github.com/cloudflare/circl v1.1.0 h1:bZgT/A+cikZnKIwn7xL2OBj012Bmvho/o6RpRvv3GKY=
 github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I=
 github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w=
@@ -49,8 +50,9 @@ github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
 github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -64,13 +66,16 @@ github.com/package-url/packageurl-go v0.1.0 h1:efWBc98O/dBZRg1pw2xiDzovnlMjCa9NP
 github.com/package-url/packageurl-go v0.1.0/go.mod h1:C/ApiuWpmbpni4DIOECf6WCjFUZV7O1Fx7VAzrZHgBw=
 github.com/pjbgf/sha1cd v0.2.3 h1:uKQP/7QOzNtKYH7UTohZLcjF5/55EnTw0jO/Ru4jZwI=
 github.com/pjbgf/sha1cd v0.2.3/go.mod h1:HOK9QrgzdHpbc2Kzip0Q1yi3M2MFGPADtR6HjG65m5M=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/profile v1.6.0/go.mod h1:qBsxPvzyUincmltOk6iyRVxHYg4adc0OFOv72ZdLa18=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
@@ -85,12 +90,15 @@ github.com/spdx/tools-golang v0.4.0 h1:jdhnW8zYelURCbYTphiviFKZkWu51in0E4A1KT2cs
 github.com/spdx/tools-golang v0.4.0/go.mod h1:VHzvNsKAfAGqs4ZvwRL+7a0dNsL20s7lGui4K9C0xQM=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.4/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/urfave/cli/v2 v2.24.4 h1:0gyJJEBYtCV87zI/x2nZCPyDxD51K6xM8SkwjHFCNEU=
 github.com/urfave/cli/v2 v2.24.4/go.mod h1:GHupkWPMM0M/sj1a2b4wUrWBPzazNrIjouW6fmdJLxc=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
@@ -120,6 +128,7 @@ golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -154,6 +163,10 @@ golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.5.1-0.20230117180257-8aba49bb5ea2 h1:v0FhRDmSCNH/0EurAT6T8KRY4aNuUhz6/WwBMxG+gvQ=
+golang.org/x/tools v0.5.1-0.20230117180257-8aba49bb5ea2/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k=
+golang.org/x/vuln v0.0.0-20230118164824-4ec8867cc0e6 h1:XZD8apnMaMVuqE3ZEzf5JJncKMlOsMnnov7U+JRT/d4=
+golang.org/x/vuln v0.0.0-20230118164824-4ec8867cc0e6/go.mod h1:cBP4HMKv0X+x96j8IJWCKk0eqpakBmmHjKGSSC0NaYE=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -170,4 +183,6 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+honnef.co/go/tools v0.2.2 h1:MNh1AVMyVX23VUHE2O27jm6lNj3vjO5DexS4A1xvnzk=
+mvdan.cc/unparam v0.0.0-20211214103731-d0ef000c54e5 h1:Jh3LAeMt1eGpxomyu3jVkmVZWW2MxZ1qIIV2TZ/nRio=
 sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=

goreleaser.dockerfile

@@ -12,11 +12,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM alpine:latest
+FROM alpine:3.17
 
 RUN apk add --no-cache \
     ca-certificates \
-    git
+    git \
+    go
 
 # Allow git to run on mounted directories
 RUN git config --global --add safe.directory '*'

internal/govulncheckshim/.goignore

@@ -0,0 +1 @@
+fixtures

internal/govulncheckshim/client.go

@@ -0,0 +1,121 @@
+package govulncheckshim
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"golang.org/x/vuln/client"
+	gvcOSV "golang.org/x/vuln/osv"
+
+	"github.com/google/osv-scanner/pkg/models"
+)
+
+type localSource struct {
+	vulnList         []models.Vulnerability
+	vulnsByID        map[string]*models.Vulnerability
+	vulnsByAlias     map[string][]*models.Vulnerability
+	vulnsByModule    map[string][]*models.Vulnerability
+	lastModifiedTime time.Time
+	client.Client
+}
+
+func newClient(vulns []models.Vulnerability) *localSource {
+	client := localSource{
+		vulnList:         vulns,
+		vulnsByID:        make(map[string]*models.Vulnerability),
+		vulnsByAlias:     make(map[string][]*models.Vulnerability),
+		vulnsByModule:    make(map[string][]*models.Vulnerability),
+		lastModifiedTime: time.Unix(0, 0),
+	}
+	for idx := range vulns {
+		// Iterate on reference to avoid copying entire data structure
+		v := &client.vulnList[idx]
+		client.vulnsByID[v.ID] = v
+		for _, alias := range v.Aliases {
+			client.vulnsByAlias[alias] = append(client.vulnsByAlias[alias], v)
+		}
+		for _, affected := range v.Affected {
+			client.vulnsByModule[affected.Package.Name] = append(client.vulnsByModule[affected.Package.Name], v)
+		}
+		if client.lastModifiedTime.Before(v.Modified) {
+			client.lastModifiedTime = v.Modified
+		}
+	}
+
+	return &client
+}
+
+func convertToGvcOSV(osv models.Vulnerability) (gvcOSV.Entry, error) {
+	val, err := json.Marshal(osv)
+	if err != nil {
+		return gvcOSV.Entry{}, fmt.Errorf("failed to convert vuln to JSON: %w", err)
+	}
+	response := gvcOSV.Entry{}
+	err = json.Unmarshal(val, &response)
+	if err != nil {
+		return gvcOSV.Entry{}, fmt.Errorf("gvc format is no longer compatible with osv format: %w", err)
+	}
+
+	return response, nil
+}
+
+func (ls *localSource) GetByModule(ctx context.Context, modulePath string) ([]*gvcOSV.Entry, error) {
+	//nolint:prealloc // Need to be nil if none exists
+	var entries []*gvcOSV.Entry
+	for _, v := range ls.vulnsByModule[modulePath] {
+		res, err := convertToGvcOSV(*v)
+		if err != nil {
+			return nil, err
+		}
+		entries = append(entries, &res)
+	}
+
+	return entries, nil
+}
+
+func (ls *localSource) GetByID(ctx context.Context, id string) (*gvcOSV.Entry, error) {
+	entry, ok := ls.vulnsByID[id]
+	if !ok {
+		//nolint:nilnil // This follows govulncheck's client implementation
+		// See: https://github.com/golang/vuln/blob/master/client/client.go
+		return nil, nil
+	}
+	response, err := convertToGvcOSV(*entry)
+	if err != nil {
+		return nil, err
+	}
+
+	return &response, nil
+}
+
+func (ls *localSource) GetByAlias(ctx context.Context, alias string) ([]*gvcOSV.Entry, error) {
+	//nolint:prealloc // Need to be nil if none exists
+	var entries []*gvcOSV.Entry
+
+	for _, v := range ls.vulnsByAlias[alias] {
+		res, err := convertToGvcOSV(*v)
+		if err != nil {
+			return nil, err
+		}
+		entries = append(entries, &res)
+	}
+
+	return entries, nil
+}
+
+func (ls *localSource) ListIDs(ctx context.Context) ([]string, error) {
+	//nolint:prealloc // Need to be nil if none exists
+	var ids []string
+	for i := range ls.vulnList {
+		ids = append(ids, ls.vulnList[i].ID)
+	}
+
+	return ids, nil
+}
+
+func (ls *localSource) LastModifiedTime(context.Context) (time.Time, error) {
+	// Assume that if anything changes, the index does.
+	return ls.lastModifiedTime, nil
+}