internal/mcp: expose vulncheck tool functionality via mcp

- Expose `go_vulncheck` tool via MCP.
- Callers will be able to scan their directory using gopls.vulncheck.
- Appended additional steps to instructions.md to induce usage of
  vulncheck during read and write workflows.
- Add additional test case to mcp_test.go to evaluate go_vulncheck.

Change-Id: I3f6f4cc7cfe6279703f5cf980e92eda4b9029506
Reviewed-on: https://go-review.googlesource.com/c/tools/+/702376
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Robert Findley <rfindley@google.com>
Auto-Submit: Ethan Lee <ethanalee@google.com>

Author: ethanalee-work

gopls/internal/cmd/mcp_test.go

@@ -7,19 +7,26 @@ package cmd_test
 import (
 	"bufio"
 	"bytes"
+	"context"
+	"encoding/json"
 	"fmt"
 	"net"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"runtime"
+	"slices"
 	"strconv"
 	"strings"
 	"testing"
 	"time"
 
 	"github.com/modelcontextprotocol/go-sdk/mcp"
+	internal_mcp "golang.org/x/tools/gopls/internal/mcp"
+	"golang.org/x/tools/gopls/internal/test/integration/fake"
+	"golang.org/x/tools/gopls/internal/vulncheck/vulntest"
 	"golang.org/x/tools/internal/testenv"
+	"golang.org/x/tools/txtar"
 )
 
 func TestMCPCommandStdio(t *testing.T) {
@@ -258,6 +265,119 @@ func MyFun() {}
 	}
 }
 
+func TestMCPVulncheckCommand(t *testing.T) {
+	const proxyData = `
+-- example.com/vulnmod@v1.0.0/go.mod --
+module example.com/vulnmod
+go 1.18
+-- example.com/vulnmod@v1.0.0/vuln.go --
+package vulnmod
+
+// VulnFunc is a vulnerable function.
+func VulnFunc() {}
+`
+	const vulnData = `
+-- GO-TEST-0001.yaml --
+modules:
+  - module: example.com/vulnmod
+    versions:
+      - introduced: "1.0.0"
+    packages:
+      - package: example.com/vulnmod
+        symbols:
+          - VulnFunc
+`
+	proxyArchive := txtar.Parse([]byte(proxyData))
+	proxyFiles := make(map[string][]byte)
+	for _, f := range proxyArchive.Files {
+		proxyFiles[f.Name] = f.Data
+	}
+	goproxy, err := fake.WriteProxy(t.TempDir(), proxyFiles)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	db, err := vulntest.NewDatabase(context.Background(), []byte(vulnData))
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer db.Clean()
+
+	tree := writeTree(t, `
+-- go.mod --
+module example.com/user
+go 1.18
+require example.com/vulnmod v1.0.0
+-- main.go --
+package main
+import "example.com/vulnmod"
+func main() {
+	vulnmod.VulnFunc()
+}
+`)
+
+	// Update go.sum before running gopls, to avoid load failures.
+	tidyCmd := exec.CommandContext(t.Context(), "go", "mod", "tidy")
+	tidyCmd.Dir = tree
+	tidyCmd.Env = append(os.Environ(), "GOPROXY="+goproxy, "GOSUMDB=off")
+	if output, err := tidyCmd.CombinedOutput(); err != nil {
+		t.Fatalf("go mod tidy failed: %v\n%s", err, output)
+	}
+
+	goplsCmd := exec.Command(os.Args[0], "mcp")
+	goplsCmd.Env = append(os.Environ(),
+		"ENTRYPOINT=goplsMain",
+		"GOPROXY="+goproxy,
+		"GOSUMDB=off",
+		"GOVULNDB="+db.URI(),
+	)
+	goplsCmd.Dir = tree
+
+	ctx := t.Context()
+	client := mcp.NewClient(&mcp.Implementation{Name: "client", Version: "v0.0.1"}, nil)
+	mcpSession, err := client.Connect(ctx, &mcp.CommandTransport{Command: goplsCmd}, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		if err := mcpSession.Close(); err != nil {
+			t.Errorf("closing MCP connection: %v", err)
+		}
+	}()
+
+	res, err := mcpSession.CallTool(ctx, &mcp.CallToolParams{Name: "go_vulncheck", Arguments: map[string]any{}})
+	if err != nil {
+		t.Fatal(err)
+	}
+	jsonBytes, err := json.Marshal(res.StructuredContent)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	var result internal_mcp.VulncheckResultOutput
+	if err := json.Unmarshal(jsonBytes, &result); err != nil {
+		t.Fatal(err)
+	}
+	if len(result.Findings) != 1 {
+		t.Errorf("expected 1 finding, got %d", len(result.Findings))
+	} else {
+		finding := result.Findings[0]
+		if finding.ID != "GO-TEST-0001" {
+			t.Errorf("expected ID 'GO-TEST-0001', got %q", finding.ID)
+		}
+		expectedPackages := []string{"Go standard library", "example.com/vulnmod"}
+		if !slices.Equal(finding.AffectedPackages, expectedPackages) {
+			t.Errorf("expected affected packages %v, got %v", expectedPackages, finding.AffectedPackages)
+		}
+	}
+
+	if result.Logs == "" {
+		t.Errorf("expected logs to be non-empty")
+	} else {
+		t.Logf("Logs:\n%s", result.Logs)
+	}
+}
+
 // resultText concatenates the textual content of the given result, reporting
 // an error if any content values are non-textual.
 func resultText(t *testing.T, res *mcp.CallToolResult) string {

gopls/internal/mcp/instructions.md

@@ -4,7 +4,7 @@ These instructions describe how to efficiently work in the Go programming langua
 
 ## Detecting a Go workspace
 
-At the start of every session, you MUST use the `go_workspace` tool to learn about the Go workspace. The rest of these instructions apply whenever that tool indicates that the user is in a Go workspace.
+At the start of every session, you MUST use the `go_workspace` tool to learn about the Go workspace. ONLY if you are in a Go workspace, you MUST run `go_vulncheck` immediately afterwards to identify any existing security risks. The rest of these instructions apply whenever that tool indicates that the user is in a Go workspace.
 
 ## Go programming workflows
 
@@ -43,5 +43,7 @@ The editing workflow is iterative. You should cycle through these steps until th
 
 5. **Fix errors**: If `go_diagnostics` reports any errors, fix them. The tool may provide suggested quick fixes in the form of diffs. You should review these diffs and apply them if they are correct. Once you've applied a fix, re-run `go_diagnostics` to confirm that the issue is resolved. It is OK to ignore 'hint' or 'info' diagnostics if they are not relevant to the current task. Note that Go diagnostic messages may contain a summary of the source code, which may not match its exact text.
 
-6. **Run tests**: Once `go_diagnostics` reports no errors (and ONLY once there are no errors), run the tests for the packages you have changed. You can do this with `go test [packagePath...]`. Don't run `go test ./...` unless the user explicitly requests it, as doing so may slow down the iteration loop.
+6. **Check for vulnerabilities**: If your edits involved adding or updating dependencies in the go.mod file, you MUST run a vulnerability check on the entire workspace. This ensures that the new dependencies do not introduce any security risks. This step should be performed after all build errors are resolved. EXAMPLE: `go_vulncheck({"pattern":"./..."})`
+
+7. **Run tests**: Once `go_diagnostics` reports no errors (and ONLY once there are no errors), run the tests for the packages you have changed. You can do this with `go test [packagePath...]`. Don't run `go test ./...` unless the user explicitly requests it, as doing so may slow down the iteration loop.
 

gopls/internal/mcp/mcp.go

@@ -169,7 +169,8 @@ func newServer(session *cache.Session, lspServer protocol.Server) *mcp.Server {
 		"go_diagnostics",
 		"go_symbol_references",
 		"go_search",
-		"go_file_context"}
+		"go_file_context",
+		"go_vulncheck"}
 	disabledTools := append(defaultTools,
 		// The fileMetadata tool is redundant with fileContext.
 		[]string{"go_file_metadata",
@@ -289,6 +290,15 @@ does the same for a symbol in the imported package "lib".
 			Name:        "go_workspace",
 			Description: "Summarize the Go programming language workspace",
 		}, h.workspaceHandler)
+	case "go_vulncheck":
+		mcp.AddTool(mcpServer, &mcp.Tool{
+			Name: "go_vulncheck",
+			Description: `Runs a vulnerability check on the Go workspace.
+
+	The check is performed on a given package pattern within a specified directory.
+	If no directory is provided, it defaults to the workspace root.
+	If no pattern is provided, it defaults to "./...".`,
+		}, h.vulncheckHandler)
 	}
 }
 

gopls/internal/mcp/vulncheck.go

@@ -0,0 +1,100 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package mcp
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"maps"
+	"slices"
+	"sort"
+
+	"github.com/modelcontextprotocol/go-sdk/mcp"
+	"golang.org/x/tools/gopls/internal/vulncheck/scan"
+)
+
+type vulncheckParams struct {
+	Dir     string `json:"dir" jsonschema:"directory to run the vulnerability check within"`
+	Pattern string `json:"pattern" jsonschema:"package pattern to check"`
+}
+
+type GroupedVulnFinding struct {
+	ID               string   `json:"id"`
+	Details          string   `json:"details"`
+	AffectedPackages []string `json:"affectedPackages"`
+}
+
+type VulncheckResultOutput struct {
+	Findings []GroupedVulnFinding `json:"findings,omitempty"`
+	Logs     string               `json:"logs,omitempty"`
+}
+
+func (h *handler) vulncheckHandler(ctx context.Context, req *mcp.CallToolRequest, params *vulncheckParams) (*mcp.CallToolResult, *VulncheckResultOutput, error) {
+	snapshot, release, err := h.snapshot()
+	if err != nil {
+		return nil, nil, err
+	}
+	defer release()
+
+	dir := params.Dir
+	if dir == "" && len(h.session.Views()) > 0 {
+		dir = h.session.Views()[0].Root().Path()
+	}
+
+	pattern := params.Pattern
+	if pattern == "" {
+		pattern = "./..."
+	}
+
+	var logBuf bytes.Buffer
+	result, err := scan.RunGovulncheck(ctx, pattern, snapshot, dir, &logBuf)
+	if err != nil {
+		return nil, nil, fmt.Errorf("running govulncheck failed: %v\nLogs:\n%s", err, logBuf.String())
+	}
+
+	groupedPkgs := make(map[string]map[string]struct{})
+	for _, finding := range result.Findings {
+		if osv := result.Entries[finding.OSV]; osv != nil {
+			if _, ok := groupedPkgs[osv.ID]; !ok {
+				groupedPkgs[osv.ID] = make(map[string]struct{})
+			}
+			pkg := finding.Trace[0].Package
+			if pkg == "" {
+				pkg = "Go standard library"
+			}
+			groupedPkgs[osv.ID][pkg] = struct{}{}
+		}
+	}
+
+	var output VulncheckResultOutput
+	if len(groupedPkgs) > 0 {
+		output.Findings = make([]GroupedVulnFinding, 0, len(groupedPkgs))
+		for id, pkgsSet := range groupedPkgs {
+			pkgs := slices.Sorted(maps.Keys(pkgsSet))
+
+			output.Findings = append(output.Findings, GroupedVulnFinding{
+				ID:               id,
+				Details:          result.Entries[id].Details,
+				AffectedPackages: pkgs,
+			})
+		}
+		sort.Slice(output.Findings, func(i, j int) bool {
+			return output.Findings[i].ID < output.Findings[j].ID
+		})
+	}
+
+	if logBuf.Len() > 0 {
+		output.Logs = logBuf.String()
+	}
+
+	var summary bytes.Buffer
+	fmt.Fprintf(&summary, "Vulnerability check for pattern %q complete. Found %d vulnerabilities.", pattern, len(output.Findings))
+	if output.Logs != "" {
+		fmt.Fprintf(&summary, "\nLogs are available in the structured output.")
+	}
+
+	return nil, &output, nil
+}