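#!/usr/bin/env bash
# Scan the Go module in the current directory for vulnerable, deprecated and
# outdated dependencies.
#
# Scanners used when installed (a missing scanner is skipped with a warning):
#   - govulncheck : known vulnerabilities reachable from ./...
#   - nancy       : vulnerable modules, fed from `go list -m -json all`
#
# Exit status:
#   0 when no scanner reported a finding. 1 when govulncheck or nancy reported
#   vulnerabilities, or when the module list could not be produced (a scan
#   that cannot enumerate dependencies must not pass). Deprecated and outdated
#   modules are reported as warnings only and do not affect the exit status.
#
# Why pipefail: the original pipeline `go list ... | nancy` reported
# "no vulnerabilities" when `go list` itself failed, because only the last
# stage's status was checked. The module list is now produced once into a
# temp file and its exit status is checked explicitly.
set -euo pipefail

# Temp file holding the JSON module list; filled in by main, removed on exit.
mod_list=""

#######################################
# Print a line to stdout without echo's option/escape pitfalls.
# Arguments: $* - message
#######################################
say() {
  printf '%s\n' "$*"
}

#######################################
# Run govulncheck on the whole module.
# Outputs: progress and result lines to stdout
# Returns: 0 when clean or govulncheck is not installed, 1 on findings
#######################################
run_govulncheck() {
  say "Running govulncheck..."
  if ! command -v govulncheck >/dev/null 2>&1; then
    say "⚠️ govulncheck not installed, skipping"
    return 0
  fi
  if govulncheck ./...; then
    say "✅ govulncheck found no vulnerabilities"
    return 0
  fi
  say "❌ govulncheck found vulnerabilities"
  return 1
}

#######################################
# Run nancy against a previously produced module list.
# Arguments: $1 - path to the `go list -m -json all` output
# Outputs: progress and result lines to stdout
# Returns: 0 when clean or nancy is not installed, 1 on findings
#######################################
run_nancy() {
  local list_file=$1
  say "Running nancy scan..."
  if ! command -v nancy >/dev/null 2>&1; then
    say "⚠️ nancy not installed, skipping"
    return 0
  fi
  if nancy --skip-update-check < "$list_file"; then
    say "✅ nancy found no vulnerabilities"
    return 0
  fi
  say "❌ nancy found vulnerable dependencies"
  return 1
}

#######################################
# Report modules whose JSON entry mentions "deprecated" (warning only).
# Arguments: $1 - path to the `go list -m -json all` output
# Outputs: matching lines and a summary line to stdout
# Returns: 0 always
#######################################
check_deprecated() {
  local list_file=$1
  say "Checking for deprecated packages..."
  # A case-insensitive text match, as in the original: it catches the
  # "Deprecated" field but also any module path containing the word, so
  # treat hits as something to look at rather than a hard failure.
  if grep -i -- deprecated "$list_file"; then
    say "⚠️ Found deprecated packages in dependencies"
  else
    say "✅ No deprecated packages found"
  fi
  return 0
}

#######################################
# List modules with newer versions available (informational only).
# Outputs: `go list -m -u all` output to stdout
# Returns: 0 always
#######################################
check_updates() {
  say "Checking for potentially unmaintained packages..."
  # Basic check only: it shows available updates, not the age of each
  # dependency's last release. Failure is tolerated on purpose because this
  # step is informational and must not change the scan result.
  go list -m -u all || say "Dependency update check completed"
  return 0
}

#######################################
# Entry point: run every check and exit with the combined status.
# Globals: mod_list (written)
# Returns: exits 0 when the scan passed, 1 otherwise
#######################################
main() {
  local exit_code=0
  say "Starting dependency vulnerability scan..."

  mod_list=$(mktemp) || { say "❌ mktemp failed" >&2; exit 1; }
  trap 'rm -f -- "$mod_list"' EXIT

  run_govulncheck || exit_code=1

  # Produce the module list once and check its status explicitly, so a
  # failing `go list` fails the scan instead of feeding nancy an empty input.
  if go list -m -json all > "$mod_list"; then
    run_nancy "$mod_list" || exit_code=1
    check_deprecated "$mod_list"
  else
    say "❌ go list -m -json all failed, dependency list unavailable" >&2
    exit_code=1
  fi

  check_updates

  say "Dependency vulnerability scan completed."
  if (( exit_code != 0 )); then
    say "❌ Dependency vulnerability scan found issues"
    exit "$exit_code"
  fi
  say "✅ Dependency vulnerability scan passed"
  exit 0
}

main "$@"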