gopls/internal/server: trigger vulncheck prompt for go.mod changes

- Detect go.mod dependency changes upon file modification.
- Create new vulncheck prompt that allows a user to pick their preferred
  method of vulncheck usage.
- Add tests to verify hashing of go.mod dependencies and vulncheck
  prompt logic.

For golang/go#75447

Change-Id: If6f692bc825419dc4d10c997162bb755438f01b4
Reviewed-on: https://go-review.googlesource.com/c/tools/+/722100
Reviewed-by: Hongxiang Jiang <hxjiang@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Ethan Lee <ethanalee@google.com>

Author: ethanalee-work

gopls/internal/server/server.go

@@ -53,6 +53,7 @@ func New(session *cache.Session, client protocol.ClientCloser, options *settings
 		progress:            progress.NewTracker(client),
 		options:             options,
 		viewsToDiagnose:     make(map[*cache.View]uint64),
+		// checkingGoMod:       make(map[protocol.DocumentURI]struct{}),
 	}
 }
 
@@ -186,6 +187,9 @@ type server struct {
 	lastModificationID    uint64                 // incrementing clock
 
 	runGovulncheckInProgress atomic.Bool
+
+	// goModCheckInProgress is used to serialize calls to checkGoModDeps
+	goModCheckInProgress atomic.Bool
 }
 
 func (s *server) WorkDoneProgressCancel(ctx context.Context, params *protocol.WorkDoneProgressCancelParams) error {

gopls/internal/server/text_synchronization.go

@@ -254,6 +254,15 @@ func (s *server) didModifyFiles(ctx context.Context, modifications []file.Modifi
 	// to their files.
 	modifications = s.session.ExpandModificationsToDirectories(ctx, modifications)
 
+	for _, m := range modifications {
+		// TODO: also handle go.work changes as well.
+		if strings.HasSuffix(m.URI.Path(), "go.mod") {
+			if m.Action == file.Create || m.Action == file.Change {
+				s.checkGoModDeps(ctx, m.URI)
+			}
+		}
+	}
+
 	viewsToDiagnose, err := s.session.DidModifyFiles(ctx, modifications)
 	if err != nil {
 		return err

gopls/internal/server/vulncheck_prompt.go

@@ -0,0 +1,149 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package server
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"os"
+	"time"
+
+	"golang.org/x/mod/modfile"
+	"golang.org/x/tools/gopls/internal/filecache"
+	"golang.org/x/tools/gopls/internal/protocol"
+	"golang.org/x/tools/gopls/internal/settings"
+	"golang.org/x/tools/internal/event"
+)
+
+const (
+	// goModHashKind is the kind for the go.mod hash in the filecache.
+	goModHashKind = "gomodhash"
+)
+
+// computeGoModHash computes the SHA256 hash of the go.mod file's dependencies.
+// It only considers the Require, Exclude, and Replace directives and ignores
+// other parts of the file.
+func computeGoModHash(file *modfile.File) (string, error) {
+	h := sha256.New()
+	for _, req := range file.Require {
+		if _, err := h.Write([]byte(req.Mod.Path + req.Mod.Version)); err != nil {
+			return "", err
+		}
+	}
+	for _, exc := range file.Exclude {
+		if _, err := h.Write([]byte(exc.Mod.Path + exc.Mod.Version)); err != nil {
+			return "", err
+		}
+	}
+	for _, rep := range file.Replace {
+		if _, err := h.Write([]byte(rep.Old.Path + rep.Old.Version + rep.New.Path + rep.New.Version)); err != nil {
+			return "", err
+		}
+	}
+	return hex.EncodeToString(h.Sum(nil)), nil
+}
+
+// showMessageRequest causes the client to show a prompt that the user can respond to.
+func showMessageRequest(ctx context.Context, cli protocol.Client, typ protocol.MessageType, message string, actions ...string) (string, error) {
+	var actionItems []protocol.MessageActionItem
+	for _, action := range actions {
+		actionItems = append(actionItems, protocol.MessageActionItem{Title: action})
+	}
+	params := &protocol.ShowMessageRequestParams{
+		Type:    typ,
+		Message: message,
+		Actions: actionItems,
+	}
+	// Timeout used to wait for the user to respond to a message request.
+	const timeout = 15 * time.Second
+	ctx, cancel := context.WithTimeout(ctx, timeout)
+	defer cancel()
+
+	result, err := cli.ShowMessageRequest(ctx, params)
+
+	if err != nil {
+		if errors.Is(err, context.DeadlineExceeded) {
+			return "", nil
+		}
+		return "", err
+	}
+	if result == nil {
+		return "", nil // User dismissed the notification
+	}
+	return result.Title, nil
+}
+
+func (s *server) checkGoModDeps(ctx context.Context, uri protocol.DocumentURI) {
+	if s.Options().Vulncheck != settings.ModeVulncheckPrompt {
+		return
+	}
+	if !s.goModCheckInProgress.CompareAndSwap(false, true) {
+		return
+	}
+
+	go func() {
+		defer s.goModCheckInProgress.Store(false)
+
+		ctx, done := event.Start(ctx, "server.CheckGoModDeps")
+		defer done()
+
+		var (
+			newHash  string
+			oldHash  string
+			pathHash [32]byte
+		)
+		{
+			newContent, err := os.ReadFile(uri.Path())
+			if err != nil {
+				event.Error(ctx, "reading new go.mod content", err)
+				return
+			}
+			newModFile, err := modfile.Parse("go.mod", newContent, nil)
+			if err != nil {
+				event.Error(ctx, "parsing new go.mod", err)
+				return
+			}
+			hash, err := computeGoModHash(newModFile)
+			if err != nil {
+				event.Error(ctx, "computing new go.mod hash", err)
+				return
+			}
+			newHash = hash
+
+			pathHash = sha256.Sum256([]byte(uri.Path()))
+			oldHashBytes, err := filecache.Get(goModHashKind, pathHash)
+			if err != nil && err != filecache.ErrNotFound {
+				event.Error(ctx, "reading old go.mod hash from filecache", err)
+				return
+			}
+			oldHash = string(oldHashBytes)
+		}
+		if oldHash != newHash {
+			fileLink := fmt.Sprintf("[%s](%s)", uri.Path(), string(uri))
+			govulncheckLink := "[govulncheck](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck)"
+			message := fmt.Sprintf("Dependencies have changed in %s, would you like to run %s to check for vulnerabilities?", fileLink, govulncheckLink)
+			action, err := showMessageRequest(ctx, s.client, protocol.Info, message, "Yes", "No", "Always", "Never")
+
+			if err != nil {
+				event.Error(ctx, "showing go.mod changed notification", err)
+				return
+			}
+
+			// TODO: Implement persistent storage for "Always" and "Never" preferences.
+			// TODO: Implement the logic to run govulncheck when action is "Yes" or "Always".
+			if action == "No" || action == "Never" || action == "" {
+				return // Skip the check and don't update the hash.
+			}
+
+			if err := filecache.Set(goModHashKind, pathHash, []byte(newHash)); err != nil {
+				event.Error(ctx, "writing new go.mod hash to filecache", err)
+				return
+			}
+		}
+	}()
+}