abhisek (Member) commented May 31, 2025

No description provided.

abhisek changed the title from "fix: MCP server with update mcp-go" to "feat: Add Support for vet MCP Server" May 31, 2025
abhisek requested a review from Copilot May 31, 2025 17:17

Copilot AI (Contributor) left a comment

Pull Request Overview

This PR adds support for a new MCP server used to vet packages, including new tools for package registry, malware analysis, and package insights, as well as integration tests and updated documentation.

  • Introduces new MCP server commands with both stdio and SSE transports.
  • Implements new MCP tools (package registry, malware, insights) with corresponding driver methods.
  • Updates dependencies, adds documentation, and improves end-to-end testing.

Reviewed Changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 1 comment.

File | Description
test/utils.go | Added a helper function to enable E2E testing.
pkg/common/logger/logger.go | Updated log level retrieval logic with fallback to a new environment variable.
mcp/tools/*.go | Added new MCP tools for package registry, malware scanning, and insights.
mcp/server/*.go | Created server implementations for stdio and SSE transports.
mcp/driver.go | Integrated new driver methods to support package operations.
main.go | Added logic to conditionally register the server command.
internal/auth/grpc.go | Added a new function for creating InsightsV2 gRPC client connections.
go.mod | Updated several dependency versions.
docs/mcp.md | Added documentation covering MCP server usage.
cmd/server/* | Introduced new server command and related tests for the MCP server functionality.

Comments suppressed due to low confidence (1)

mcp/tools/common.go:9

  • [nitpick] The variable name 'json' shadows the package name 'json'. Consider renaming it (e.g., 'jsonData') to avoid potential confusion.
json, err := json.Marshal(msg)

codecov bot commented May 31, 2025

Codecov Report

Attention: Patch coverage is 46.97581% with 263 lines in your changes missing coverage. Please review.

Project coverage is 17.31%. Comparing base (3d94f0f) to head (7809933).
Report is 1 commit behind head on main.

Files with missing lines | Patch % | Lines
cmd/server/mcp.go | 13.04% | 56 Missing and 4 partials ⚠️
mcp/driver.go | 51.81% | 51 Missing and 2 partials ⚠️
mcp/tools/package_insights.go | 67.03% | 27 Missing and 3 partials ⚠️
mcp/server/server.go | 0.00% | 21 Missing ⚠️
mcp/tools/package_registry.go | 64.40% | 19 Missing and 2 partials ⚠️
mcp/tools/mock_driver.go | 52.63% | 12 Missing and 6 partials ⚠️
mcp/tools/package_malware.go | 65.71% | 11 Missing and 1 partial ⚠️
cmd/server/main.go | 0.00% | 10 Missing ⚠️
mcp/server/sse.go | 0.00% | 10 Missing ⚠️
mcp/server/stdio.go | 0.00% | 9 Missing ⚠️
... and 5 more
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #502      +/-   ##
==========================================
+ Coverage   16.40%   17.31%   +0.91%     
==========================================
  Files         162      175      +13     
  Lines       16294    16790     +496     
==========================================
+ Hits         2673     2908     +235     
- Misses      13417    13659     +242     
- Partials      204      223      +19     

github-actions bot commented May 31, 2025

vet Summary Report

This report is generated by vet

Policy Checks

  • ✅ Vulnerability
  • ✅ Malware
  • ✅ License
  • ❌ Popularity
  • ❌ Maintenance
  • ✅ Security Posture
  • ✅ Threats

Malicious Package Analysis

Malicious package analysis was performed using SafeDep Cloud API

Malicious Package Analysis Report
Ecosystem Package Version Status Report
ECOSYSTEM_GO github.com/docker/go-events 0.0.0-20250114142523-c867878c5e32 🔗
ECOSYSTEM_GO github.com/docker/docker 28.2.2+incompatible 🔗
ECOSYSTEM_GO deps.dev/util/pypi 0.0.0-20250429014815-ac0aa6a085fa 🔗
ECOSYSTEM_GO golang.org/x/net 0.40.0 🔗
ECOSYSTEM_GO github.com/ugorji/go/codec 1.2.14 🔗
ECOSYSTEM_GO github.com/oklog/ulid/v2 2.1.1 🔗
ECOSYSTEM_GO golang.org/x/arch 0.17.0 🔗
ECOSYSTEM_GO golang.org/x/crypto 0.38.0 🔗
ECOSYSTEM_GO golang.org/x/tools 0.33.0 🔗
ECOSYSTEM_GO google.golang.org/genproto/googleapis/rpc 0.0.0-20250528174236-200df99c418a 🔗
ECOSYSTEM_GO golang.org/x/sync 0.14.0 🔗
ECOSYSTEM_GO github.com/moby/sys/user 0.4.0 🔗
ECOSYSTEM_GO github.com/docker/cli 28.2.2+incompatible 🔗
ECOSYSTEM_GO github.com/gin-gonic/gin 1.10.1 🔗
ECOSYSTEM_GO github.com/go-git/go-git/v5 5.16.0 🔗
ECOSYSTEM_GO github.com/vbatts/tar-split 0.12.1 🔗
ECOSYSTEM_GO dario.cat/mergo 1.0.2 🔗
ECOSYSTEM_GO github.com/opencontainers/runtime-spec 1.2.1 🔗
ECOSYSTEM_GO github.com/labstack/echo/v4 4.13.4 🔗
ECOSYSTEM_GO github.com/edsrzf/mmap-go 1.2.0 🔗
ECOSYSTEM_GO golang.org/x/exp 0.0.0-20250531010427-b6e5de432a8b 🔗
ECOSYSTEM_GO github.com/prometheus/client_golang 1.22.0 🔗
ECOSYSTEM_GO github.com/google/cel-go 0.25.0 🔗
ECOSYSTEM_GO github.com/yosida95/uritemplate/v3 3.0.2 🔗
ECOSYSTEM_GO github.com/containerd/containerd/api 1.9.0 🔗
ECOSYSTEM_GO google.golang.org/genproto/googleapis/api 0.0.0-20250528174236-200df99c418a 🔗
ECOSYSTEM_GO golang.org/x/oauth2 0.30.0 🔗
ECOSYSTEM_GO deps.dev/api/v3 3.0.0-20250429014815-ac0aa6a085fa 🔗
ECOSYSTEM_GO golang.org/x/term 0.32.0 🔗
ECOSYSTEM_GO github.com/moby/sys/signal 0.7.1 🔗
ECOSYSTEM_GO github.com/github/go-spdx/v2 2.3.3 🔗
ECOSYSTEM_GO github.com/andybalholm/brotli 1.1.2-0.20250424173009-453214e765f3 🔗
ECOSYSTEM_GO go.etcd.io/bbolt 1.4.0 🔗
ECOSYSTEM_GO github.com/google/go-containerregistry 0.20.5 🔗
ECOSYSTEM_GO github.com/go-logr/logr 1.4.3 🔗
ECOSYSTEM_GO github.com/prometheus/common 0.64.0 🔗
ECOSYSTEM_GO www.velocidex.com/golang/regparser 0.0.0-20250203141505-31e704a67ef7 🔗
ECOSYSTEM_GO github.com/opencontainers/selinux 1.12.0 🔗
ECOSYSTEM_GO github.com/containerd/continuity 0.4.5 🔗
ECOSYSTEM_GO github.com/containerd/cgroups/v3 3.0.5 🔗
ECOSYSTEM_GO github.com/safedep/code 0.0.0-20250513161430-3da0c16c0b53 🔗
ECOSYSTEM_GO deps.dev/util/resolve 0.0.0-20250429014815-ac0aa6a085fa 🔗
ECOSYSTEM_GO github.com/tdewolff/parse/v2 2.8.1 🔗
ECOSYSTEM_GO deps.dev/util/semver 0.0.0-20250429014815-ac0aa6a085fa 🔗
ECOSYSTEM_GO github.com/containerd/errdefs/pkg 0.3.0 🔗
ECOSYSTEM_GO golang.org/x/xerrors 0.0.0-20240903120638-7835f813f4da 🔗
ECOSYSTEM_GO buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go 1.36.6-20250425153114-8976f5be98c1.1 🔗
ECOSYSTEM_GO github.com/zclconf/go-cty 1.16.3 🔗
ECOSYSTEM_GO github.com/google/pprof 0.0.0-20250501235452-c0086092b71a 🔗
ECOSYSTEM_GO github.com/anchore/fangs 0.0.0-20250512222850-4ff6e4a2d62b 🔗
ECOSYSTEM_GO k8s.io/utils 0.0.0-20250502105355-0f33e8f1c979 🔗
ECOSYSTEM_GO github.com/prometheus/client_model 0.6.2 🔗
ECOSYSTEM_GO github.com/anchore/syft 1.26.1 🔗
ECOSYSTEM_GO deps.dev/util/maven 0.0.0-20250429014815-ac0aa6a085fa 🔗
ECOSYSTEM_GO github.com/erikvarga/go-rpmdb 0.0.0-20250523120114-a15a62cd4593 🔗
ECOSYSTEM_GO github.com/prometheus/procfs 0.16.1 🔗
ECOSYSTEM_GO github.com/anchore/go-sync 0.0.0-20250519164722-dc6a2c354e2d 🔗
ECOSYSTEM_GO buf.build/gen/go/safedep/api/protocolbuffers/go 1.36.6-20250528015308-9847554fa87b.1 🔗
ECOSYSTEM_GO github.com/anchore/clio 0.0.0-20250523175750-7f25834ffe5e 🔗
ECOSYSTEM_GO github.com/anchore/stereoscope 0.1.4 🔗
ECOSYSTEM_GO ariga.io/atlas 0.34.0 🔗
ECOSYSTEM_GO github.com/spdx/gordf 0.0.0-20250128162952-000978ccd6fb 🔗
ECOSYSTEM_GO google.golang.org/grpc 1.72.2 🔗
ECOSYSTEM_GO github.com/safedep/dry 0.0.0-20250603124321-c8255e47954f 🔗
ECOSYSTEM_GO github.com/spf13/cast 1.8.0 🔗
ECOSYSTEM_GO github.com/containerd/typeurl/v2 2.2.3 🔗
ECOSYSTEM_GO github.com/google/osv-scalibr 0.2.1 🔗
ECOSYSTEM_GO github.com/tdewolff/minify/v2 2.23.8 🔗
ECOSYSTEM_GO github.com/posthog/posthog-go 1.5.11 🔗
ECOSYSTEM_GO github.com/mark3labs/mcp-go 0.31.0 🔗
ECOSYSTEM_GO cel.dev/expr 0.24.0 🔗
ECOSYSTEM_GO buf.build/gen/go/safedep/api/grpc/go 1.5.1-20250528015308-9847554fa87b.2 🔗
  • ℹ️ 72 packages have been actively analyzed for malicious behaviour.
  • ✅ No malicious packages found.

Note: Some of the package analysis jobs may still be running. Please check back later. Consider increasing the timeout for better coverage.

Changed Packages

  • ✅ [Go] deps.dev/api/v3@3.0.0-20250429014815-ac0aa6a085fa
  • ✅ [Go] k8s.io/utils@0.0.0-20250502105355-0f33e8f1c979
  • ✅ [Go] golang.org/x/crypto@0.38.0
  • ✅ [Go] deps.dev/util/resolve@0.0.0-20250429014815-ac0aa6a085fa
  • ✅ [Go] github.com/tdewolff/minify/v2@2.23.8
  • ✅ [Go] github.com/erikvarga/go-rpmdb@0.0.0-20250523120114-a15a62cd4593
  • ✅ [Go] github.com/opencontainers/selinux@1.12.0
  • ✅ [Go] ariga.io/atlas@0.34.0
  • ✅ [Go] buf.build/gen/go/safedep/api/grpc/go@1.5.1-20250528015308-9847554fa87b.2
  • ✅ [Go] github.com/anchore/stereoscope@0.1.4
  • ✅ [Go] deps.dev/util/pypi@0.0.0-20250429014815-ac0aa6a085fa
  • ✅ [Go] github.com/anchore/clio@0.0.0-20250523175750-7f25834ffe5e
  • ✅ [Go] github.com/safedep/dry@0.0.0-20250603124321-c8255e47954f
  • ✅ [Go] github.com/docker/cli@28.2.2+incompatible
  • ✅ [Go] golang.org/x/text@0.25.0
  • ✅ [Go] github.com/go-git/go-git/v5@5.16.0
  • ✅ [Go] github.com/Microsoft/hcsshim@0.13.0
  • ✅ [Go] github.com/docker/docker@28.2.2+incompatible
  • ✅ [Go] golang.org/x/arch@0.17.0
  • ✅ [Go] github.com/moby/sys/user@0.4.0
  • ✅ [Go] golang.org/x/tools@0.33.0
  • ✅ [Go] github.com/containerd/containerd/api@1.9.0
  • ✅ [Go] dario.cat/mergo@1.0.2
  • ✅ [Go] github.com/opencontainers/runtime-spec@1.2.1
  • ✅ [Go] github.com/mark3labs/mcp-go@0.31.0
  • ✅ [Go] github.com/Shopify/goreferrer@0.0.0-20250513162709-b78e2829e40b
  • ⚠️ [Go] github.com/AdaLogics/go-fuzz-headers@0.0.0-20240806141605-e8a1dd7889d6
  • ✅ [Go] github.com/containerd/continuity@0.4.5
  • ✅ [Go] github.com/google/cel-go@0.25.0
  • ✅ [Go] github.com/oklog/ulid/v2@2.1.1
  • ✅ [Go] google.golang.org/grpc@1.72.2
  • ✅ [Go] github.com/prometheus/client_golang@1.22.0
  • ✅ [Go] cel.dev/expr@0.24.0
  • ✅ [Go] golang.org/x/xerrors@0.0.0-20240903120638-7835f813f4da
  • ✅ [Go] deps.dev/util/semver@0.0.0-20250429014815-ac0aa6a085fa
  • ✅ [Go] github.com/anchore/go-sync@0.0.0-20250519164722-dc6a2c354e2d
  • ✅ [Go] github.com/google/go-containerregistry@0.20.5
  • ✅ [Go] github.com/ugorji/go/codec@1.2.14
  • ✅ [Go] github.com/containerd/cgroups/v3@3.0.5
  • ✅ [Go] go.etcd.io/bbolt@1.4.0
  • ⚠️ [Go] github.com/containerd/typeurl/v2@2.2.3
  • ⚠️ [Go] github.com/vbatts/tar-split@0.12.1
  • ✅ [Go] google.golang.org/genproto/googleapis/api@0.0.0-20250528174236-200df99c418a
  • ✅ [Go] github.com/zclconf/go-cty@1.16.3
  • ✅ [Go] github.com/labstack/echo/v4@4.13.4
  • ✅ [Go] github.com/github/go-spdx/v2@2.3.3
  • ✅ [Go] github.com/AdamKorcz/go-118-fuzz-build@0.0.0-20250520111509-a70c2aa677fa
  • ✅ [Go] github.com/docker/go-events@0.0.0-20250114142523-c867878c5e32
  • ✅ [Go] github.com/prometheus/client_model@0.6.2
  • ✅ [Go] golang.org/x/net@0.40.0
  • ✅ [Go] github.com/go-logr/logr@1.4.3
  • ✅ [Go] github.com/moby/sys/signal@0.7.1
  • ✅ [Go] buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go@1.36.6-20250425153114-8976f5be98c1.1
  • ✅ [Go] github.com/prometheus/common@0.64.0
  • ✅ [Go] www.velocidex.com/golang/regparser@0.0.0-20250203141505-31e704a67ef7
  • ✅ [Go] github.com/safedep/code@0.0.0-20250513161430-3da0c16c0b53
  • ✅ [Go] github.com/posthog/posthog-go@1.5.11
  • ✅ [Go] github.com/spf13/cast@1.8.0
  • ✅ [Go] google.golang.org/genproto/googleapis/rpc@0.0.0-20250528174236-200df99c418a
  • ✅ [Go] google.golang.org/genproto@0.0.0-20250528174236-200df99c418a
  • ✅ [Go] github.com/prometheus/procfs@0.16.1
  • ⚠️ [Go] github.com/containerd/errdefs/pkg@0.3.0
  • ✅ [Go] github.com/google/pprof@0.0.0-20250501235452-c0086092b71a
  • ✅ [Go] github.com/anchore/fangs@0.0.0-20250512222850-4ff6e4a2d62b
  • ✅ [Go] github.com/anchore/syft@1.26.1
  • ✅ [Go] golang.org/x/exp@0.0.0-20250531010427-b6e5de432a8b
  • ✅ [Go] buf.build/gen/go/safedep/api/protocolbuffers/go@1.36.6-20250528015308-9847554fa87b.1
  • ✅ [Go] github.com/gin-gonic/gin@1.10.1
  • ⚠️ [Go] github.com/yosida95/uritemplate/v3@3.0.2
  • ✅ [Go] golang.org/x/sync@0.14.0
  • ✅ [Go] deps.dev/util/maven@0.0.0-20250429014815-ac0aa6a085fa
  • ✅ [Go] github.com/spdx/gordf@0.0.0-20250128162952-000978ccd6fb
  • ⚠️ [Go] github.com/edsrzf/mmap-go@1.2.0
  • ✅ [Go] github.com/tdewolff/parse/v2@2.8.1
  • ✅ [Go] golang.org/x/oauth2@0.30.0
  • ✅ [Go] github.com/andybalholm/brotli@1.1.2-0.20250424173009-453214e765f3
  • ✅ [Go] github.com/google/osv-scalibr@0.2.1
  • ✅ [Go] golang.org/x/term@0.32.0

Policy Violations

Packages Violating Policy

[Go] github.com/AdaLogics/go-fuzz-headers@0.0.0-20240806141605-e8a1dd7889d6 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/containerd/typeurl/v2@2.2.3 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/vbatts/tar-split@0.12.1 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/containerd/errdefs/pkg@0.3.0 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component popularity is low by GitHub stars count
  • ⚡ Use an alternative package that is popular

[Go] github.com/yosida95/uritemplate/v3@3.0.2 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/edsrzf/mmap-go@1.2.0 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

abhisek requested review from Copilot, OmkarPh and KunalSin9h June 3, 2025 17:33

abhisek (Member, Author) commented Jun 3, 2025

@KunalSin9h @OmkarPh Please do a review

abhisek force-pushed the feat/mcp-server branch from a8f4f52 to dec6cd8 June 3, 2025 17:34

Copilot AI (Contributor) left a comment

Pull Request Overview

This PR introduces support for running vet as a Model Context Protocol (MCP) server, including new server transports, tools, commands, tests, docs, and dependency bumps.

  • Add MCP server components (stdio/sse transports, config, commands)
  • Implement package registry, malware scanning, and insights tools via mcp-go
  • Update tests, utilities, documentation, and bump related dependencies

Reviewed Changes

Copilot reviewed 23 out of 23 changed files in this pull request and generated 3 comments.

File | Description
test/utils.go | Wrapper function EnsureEndToEndTestIsEnabled for E2E tests
pkg/common/logger/logger.go | Fallback to VET_LOG_LEVEL env var in getLogLevelFromEnv
mcp/tools/tools.go | Added RegisterAll helper for bulk tool registration
mcp/tools/package_registry.go | Implemented package registry MCP tool
mcp/tools/package_malware.go | Implemented package malware scanning MCP tool
mcp/tools/package_insights.go | Implemented package insights MCP tool (vulns, popularity, license)
mcp/tools/common.go | Added serializeForLlm JSON helper
mcp/tool.go | Defined McpTool interface
mcp/server/stdio.go | Added stdio transport server constructor
mcp/server/sse.go | Added SSE transport server constructor
mcp/server/server.go | Added MCP server interface, config, and wiring
mcp/driver.go | Extended default driver to support MCP operations
main.go | Imported and enabled server command
internal/auth/grpc.go | Added InsightsV2CommunityClientConnection
go.mod | Updated dependencies for MCP features and others
docs/mcp.md | New documentation for MCP server usage
cmd/server/mcp_test.go | Added E2E tests for MCP driver
cmd/server/mcp.go | New mcp server cobra command with flags
cmd/server/main.go | Added server command grouping
README.md | Updated README with MCP server section

Comments suppressed due to low confidence (3)

test/utils.go:16

  • [nitpick] The function name EnsureEndToEndTestIsEnabled is verbose and may mislead about its behavior; consider renaming to SkipIfE2EDisabled for clarity.
func EnsureEndToEndTestIsEnabled(t *testing.T) {

cmd/server/mcp.go:20

  • [nitpick] Consider renaming mcpServerServerType to mcpServerType to avoid redundant 'Server' and improve readability.
   mcpServerServerType    string

mcp/tools/tools.go:8

  • The RegisterAll function is not invoked anywhere; consider removing it or integrating it into the server registration workflow to avoid dead code.
func RegisterAll(server server.McpServer, driver mcp.Driver) error {

abhisek merged commit 5a5a951 into main Jun 5, 2025
10 of 11 checks passed
abhisek deleted the feat/mcp-server branch June 5, 2025 05:30