internal/scan: print progress messages only in verbose mode

And also update the documentation.

Updates golang/go#66872

Change-Id: I73f0c7e9c1f46b66711b878748bf78571d26f66b
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/580175
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

Author: zpavlinovic

cmd/govulncheck/doc.go

@@ -41,25 +41,27 @@ To control which files are processed, use the -tags flag to provide a
 comma-separated list of build tags, and the -test flag to indicate that test
 files should be included.
 
-To include more detailed stack traces, pass -show=traces, this will cause it to
+To include more detailed stack traces, pass '-show traces', this will cause it to
 print the full call stack for each entry.
 
+To include progress messages and more details on findings, pass '-show verbose'.
+
 To run govulncheck on a compiled binary, pass it the path to the binary file
-with the -mode=binary flag:
+with the '-mode binary' flag:
 
-	$ govulncheck -mode=binary $HOME/go/bin/my-go-program
+	$ govulncheck -mode binary $HOME/go/bin/my-go-program
 
 Govulncheck uses the binary's symbol information to find mentions of vulnerable
 functions. Its output omits call stacks, which require source code analysis.
 
-Govulncheck also supports -mode=extract on a Go binary for extraction of minimal
+Govulncheck also supports '-mode extract' on a Go binary for extraction of minimal
 information needed to analyze the binary. This will produce a blob, typically much
 smaller than the binary, that can also be passed to govulncheck as an argument with
--mode=binary. The users should not rely on the contents or representation of the blob.
+'-mode binary'. The users should not rely on the contents or representation of the blob.
 
 Govulncheck exits successfully (exit code 0) if there are no vulnerabilities,
 and exits unsuccessfully if there are. It also exits successfully if the -json flag
-is provided, regardless of the number of detected vulnerabilities.
+(or '-format json') is provided, regardless of the number of detected vulnerabilities.
 
 Govulncheck supports streaming JSON. For more details, please see [golang.org/x/vuln/internal/govulncheck].
 

cmd/govulncheck/testdata/common/testfiles/binary-call/binary_call_text.ct

@@ -1,8 +1,6 @@
 #####
 # Test basic binary scanning with text output
 $ govulncheck -mode=binary ${common_vuln_binary} --> FAIL 3
-Scanning your binary for known vulnerabilities...
-
 === Symbol Results ===
 
 Vulnerability #1: GO-2021-0265

cmd/govulncheck/testdata/common/testfiles/binary-module/binary_module_text.ct

@@ -1,8 +1,6 @@
 #####
 # Test binary scanning at the module level
 $ govulncheck -mode=binary -scan module ${common_vuln_binary} --> FAIL 3
-Scanning your binary for known vulnerabilities...
-
 === Module Results ===
 
 Vulnerability #1: GO-2021-0265

cmd/govulncheck/testdata/common/testfiles/binary-package/binary_package_text.ct

@@ -1,7 +1,5 @@
 # Test binary scanning at the package level.
 $ govulncheck -mode=binary -scan package ${common_vuln_binary} --> FAIL 3
-Scanning your binary for known vulnerabilities...
-
 === Package Results ===
 
 Vulnerability #1: GO-2021-0265

cmd/govulncheck/testdata/common/testfiles/convert/convert_text.ct

@@ -2,8 +2,6 @@
 # Test using the conversion from json on stdin to text on stdout
 # location of convert input is subdirectory/convert_intput
 $ govulncheck -mode=convert < convert/convert_input.json --> FAIL 3
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-
 === Symbol Results ===
 
 Vulnerability #1: GO-2021-0265

cmd/govulncheck/testdata/common/testfiles/extract/binary_extract.ct

@@ -1,8 +1,6 @@
 #####
 # Test binary mode using the extracted binary blob.
 $ govulncheck -mode=binary ${testdir}/extract/vuln.blob --> FAIL 3
-Scanning your binary for known vulnerabilities...
-
 === Symbol Results ===
 
 Vulnerability #1: GO-2021-0265

cmd/govulncheck/testdata/common/testfiles/source-call/source_call_text.ct

@@ -1,8 +1,6 @@
 #####
 # Test of basic govulncheck in source mode
 $ govulncheck -C ${moddir}/vuln ./... --> FAIL 3
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-
 === Symbol Results ===
 
 Vulnerability #1: GO-2021-0265
@@ -47,8 +45,6 @@ Use '-show verbose' for more details.
 #####
 # Test of basic govulncheck in source mode with expanded traces
 $ govulncheck -C ${moddir}/vuln -show=traces ./... --> FAIL 3
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-
 === Symbol Results ===
 
 Vulnerability #1: GO-2021-0265

cmd/govulncheck/testdata/common/testfiles/source-call/source_informational_text.ct

@@ -1,8 +1,6 @@
 #####
 # Test source mode with no callstacks
 $ govulncheck -C ${moddir}/informational -show=traces .
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-
 === Symbol Results ===
 
 No vulnerabilities found.

cmd/govulncheck/testdata/common/testfiles/source-call/source_multientry_text.ct

@@ -1,8 +1,6 @@
 #####
 # Test for multiple call stacks in source mode
 $ govulncheck -C ${moddir}/multientry . --> FAIL 3
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-
 === Symbol Results ===
 
 Vulnerability #1: GO-2021-0113

cmd/govulncheck/testdata/common/testfiles/source-call/source_replace_text.ct

@@ -2,8 +2,6 @@
 # Test of source mode on a module with a replace directive.
 
 $ govulncheck -C ${moddir}/replace ./... --> FAIL 3
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-
 === Symbol Results ===
 
 Vulnerability #1: GO-2021-0113

cmd/govulncheck/testdata/common/testfiles/source-call/source_subdir_text.ct

@@ -1,8 +1,6 @@
 #####
 # Test govulncheck runs on the subdirectory of a module
 $ govulncheck -C ${moddir}/vuln/subdir . --> FAIL 3
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-
 === Symbol Results ===
 
 Vulnerability #1: GO-2021-0113
@@ -26,8 +24,6 @@ Use '-show verbose' for more details.
 #####
 # Test govulncheck runs on the subdirectory of a module
 $ govulncheck -C ${moddir}/vuln/subdir -show=traces . --> FAIL 3
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-
 === Symbol Results ===
 
 Vulnerability #1: GO-2021-0113

cmd/govulncheck/testdata/common/testfiles/source-call/source_wholemodvuln_text.ct

@@ -2,8 +2,6 @@
 # Test of govulncheck call analysis for vulns with no package info available.
 # All symbols of the module are vulnerable.
 $ govulncheck -C ${moddir}/wholemodvuln ./... --> FAIL 3
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-
 === Symbol Results ===
 
 Vulnerability #1: GO-2022-0956

cmd/govulncheck/testdata/common/testfiles/source-module/source_module_text.ct

@@ -2,8 +2,6 @@
 # Testing that govulncheck doesn't mention calls when it doesn't
 # have callstack information
 $ govulncheck -scan module -C ${moddir}/multientry --> FAIL 3
-Scanning your code across 2 dependent modules for known vulnerabilities...
-
 === Module Results ===
 
 Vulnerability #1: GO-2021-0113

cmd/govulncheck/testdata/common/testfiles/source-package/source_package_text.ct

@@ -1,8 +1,6 @@
 #####
 # Testing that govulncheck doesn't mention calls when it doesn't have the relevant info
 $ govulncheck -scan package -C ${moddir}/multientry . --> FAIL 3
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-
 === Package Results ===
 
 Vulnerability #1: GO-2021-0113

cmd/govulncheck/testdata/common/testfiles/usage/format.ct

@@ -1,8 +1,6 @@
 #####
 # Test of explicit text format
 $ govulncheck -C ${moddir}/informational -format text .
-Scanning your code and P packages across M dependent modules for known vulnerabilities...
-
 === Symbol Results ===
 
 No vulnerabilities found.

cmd/govulncheck/testdata/common/testfiles/usage/source_no_packages.ct

@@ -1,6 +1,4 @@
 #####
 # Test message when there are no packages matching the provided pattern (#59623).
 $ govulncheck -C ${moddir}/vuln pkg/no-govulncheck/...
-No packages matching the provided pattern.
-
 No vulnerabilities found.

cmd/govulncheck/testdata/stdlib/testfiles/stdlib/source_stdlib_text.ct

@@ -1,8 +1,6 @@
 #####
 # Test finding stdlib vulnerability in source mode
 $ govulncheck -C ${moddir}/stdlib . --> FAIL 3
-Scanning your code and P packages across M dependent module for known vulnerabilities...
-
 === Symbol Results ===
 
 Vulnerability #1: GO-2022-0969
@@ -25,8 +23,6 @@ Use '-show verbose' for more details.
 #####
 # Test finding stdlib vulnerability in source mode with expanded traces
 $ govulncheck -C ${moddir}/stdlib -show=traces . --> FAIL 3
-Scanning your code and P packages across M dependent module for known vulnerabilities...
-
 === Symbol Results ===
 
 Vulnerability #1: GO-2022-0969
@@ -55,8 +51,6 @@ Use '-show verbose' for more details.
 #####
 # Test finding stdlib vulnerability in source mode at the package level
 $ govulncheck -C ${moddir}/stdlib -scan package . --> FAIL 3
-Scanning your code and P packages across M dependent module for known vulnerabilities...
-
 === Package Results ===
 
 Vulnerability #1: GO-2022-0969
@@ -77,8 +71,6 @@ verbose' for more details.
 #####
 # Test finding stdlib vulnerability in source mode at the module level
 $ govulncheck -C ${moddir}/stdlib -scan module --> FAIL 3
-Scanning your code across 1 dependent module for known vulnerabilities...
-
 === Module Results ===
 
 Vulnerability #1: GO-2022-0969

cmd/govulncheck/testdata/strip/testfiles/binary/strip.ct

@@ -1,8 +1,6 @@
 #####
 # Test for stripped binaries (see #57764)
 $ govulncheck -mode=binary ${strip_vuln_binary} --> FAIL 3
-Scanning your binary for known vulnerabilities...
-
 === Symbol Results ===
 
 Vulnerability #1: GO-2021-0113

internal/scan/run.go

@@ -47,7 +47,6 @@ func RunGovulncheck(ctx context.Context, env []string, r io.Reader, stdout io.Wr
 		handler = th
 	}
 
-	// Write the introductory message to the user.
 	if err := handler.Config(&cfg.Config); err != nil {
 		return err
 	}

internal/scan/text.go

@@ -116,7 +116,9 @@ func (h *TextHandler) Config(config *govulncheck.Config) error {
 
 // Progress writes progress updates during govulncheck execution.
 func (h *TextHandler) Progress(progress *govulncheck.Progress) error {
-	h.print(progress.Message, "\n\n")
+	if h.showVerbose {
+		h.print(progress.Message, "\n\n")
+	}
 	return h.err
 }