From 93d3090660cdfbfe5dfa57dfc366438d35283648 Mon Sep 17 00:00:00 2001 From: Zvonimir Pavlinovic Date: Tue, 23 Apr 2024 16:34:25 +0000 Subject: [PATCH] internal/sarif: add version to module info for locations This allows makes module information complete so that users can compute local paths. Change-Id: I8cedf77908b825d7e66ac9d7a9a075804f207c66 Reviewed-on: https://go-review.googlesource.com/c/vuln/+/581195 Reviewed-by: Ian Cottrell Run-TryBot: Zvonimir Pavlinovic LUCI-TryBot-Result: Go LUCI TryBot-Result: Gopher Robot --- .../testfiles/binary-call/binary_sarif.ct | 16 ++++----- .../source-call/source_call_sarif.ct | 36 +++++++++---------- internal/sarif/handler.go | 4 +-- internal/sarif/sarif.go | 6 ++++ 4 files changed, 34 insertions(+), 28 deletions(-) diff --git a/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_sarif.ct b/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_sarif.ct index eaed2327..667d19ed 100644 --- a/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_sarif.ct +++ b/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_sarif.ct @@ -122,7 +122,7 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary} { "locations": [ { - "module": "github.com/tidwall/gjson", + "module": "github.com/tidwall/gjson@v1.6.5", "location": { "physicalLocation": { "artifactLocation": {}, @@ -148,7 +148,7 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary} }, "frames": [ { - "module": "github.com/tidwall/gjson", + "module": "github.com/tidwall/gjson@v1.6.5", "location": { "physicalLocation": { "artifactLocation": {}, @@ -175,7 +175,7 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary} { "locations": [ { - "module": "golang.org/x/text", + "module": "golang.org/x/text@v0.3.0", "location": { "physicalLocation": { "artifactLocation": {}, 
@@ -201,7 +201,7 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary} }, "frames": [ { - "module": "golang.org/x/text", + "module": "golang.org/x/text@v0.3.0", "location": { "physicalLocation": { "artifactLocation": {}, @@ -228,7 +228,7 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary} { "locations": [ { - "module": "github.com/tidwall/gjson", + "module": "github.com/tidwall/gjson@v1.6.5", "location": { "physicalLocation": { "artifactLocation": {}, @@ -251,7 +251,7 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary} { "locations": [ { - "module": "github.com/tidwall/gjson", + "module": "github.com/tidwall/gjson@v1.6.5", "location": { "physicalLocation": { "artifactLocation": {}, @@ -277,7 +277,7 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary} }, "frames": [ { - "module": "github.com/tidwall/gjson", + "module": "github.com/tidwall/gjson@v1.6.5", "location": { "physicalLocation": { "artifactLocation": {}, @@ -296,7 +296,7 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary} }, "frames": [ { - "module": "github.com/tidwall/gjson", + "module": "github.com/tidwall/gjson@v1.6.5", "location": { "physicalLocation": { "artifactLocation": {}, diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_sarif.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_sarif.ct index 7b6c02e0..be6a8e1e 100644 --- a/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_sarif.ct +++ b/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_sarif.ct @@ -155,7 +155,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./... { "locations": [ { - "module": "golang.org/vuln", + "module": "golang.org/vuln@", "location": { "physicalLocation": { "artifactLocation": { 
@@ -173,7 +173,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./... } }, { - "module": "github.com/tidwall/gjson", + "module": "github.com/tidwall/gjson@v1.6.5", "location": { "physicalLocation": { "artifactLocation": { @@ -191,7 +191,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./... } }, { - "module": "github.com/tidwall/gjson", + "module": "github.com/tidwall/gjson@v1.6.5", "location": { "physicalLocation": { "artifactLocation": { @@ -209,7 +209,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./... } }, { - "module": "github.com/tidwall/gjson", + "module": "github.com/tidwall/gjson@v1.6.5", "location": { "physicalLocation": { "artifactLocation": { @@ -241,7 +241,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./... }, "frames": [ { - "module": "golang.org/vuln", + "module": "golang.org/vuln@", "location": { "physicalLocation": { "artifactLocation": { @@ -259,7 +259,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./... } }, { - "module": "github.com/tidwall/gjson", + "module": "github.com/tidwall/gjson@v1.6.5", "location": { "physicalLocation": { "artifactLocation": { @@ -277,7 +277,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./... } }, { - "module": "github.com/tidwall/gjson", + "module": "github.com/tidwall/gjson@v1.6.5", "location": { "physicalLocation": { "artifactLocation": { @@ -295,7 +295,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./... } }, { - "module": "github.com/tidwall/gjson", + "module": "github.com/tidwall/gjson@v1.6.5", "location": { "physicalLocation": { "artifactLocation": { @@ -313,7 +313,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./... } }, { - "module": "github.com/tidwall/gjson", + "module": "github.com/tidwall/gjson@v1.6.5", "location": { "physicalLocation": { "artifactLocation": { 
@@ -331,7 +331,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./... } }, { - "module": "github.com/tidwall/gjson", + "module": "github.com/tidwall/gjson@v1.6.5", "location": { "physicalLocation": { "artifactLocation": { @@ -380,7 +380,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./... { "locations": [ { - "module": "golang.org/vuln", + "module": "golang.org/vuln@", "location": { "physicalLocation": { "artifactLocation": { @@ -398,7 +398,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./... } }, { - "module": "golang.org/x/text", + "module": "golang.org/x/text@v0.3.0", "location": { "physicalLocation": { "artifactLocation": { @@ -430,7 +430,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./... }, "frames": [ { - "module": "golang.org/vuln", + "module": "golang.org/vuln@", "location": { "physicalLocation": { "artifactLocation": { @@ -448,7 +448,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./... } }, { - "module": "golang.org/x/text", + "module": "golang.org/x/text@v0.3.0", "location": { "physicalLocation": { "artifactLocation": { @@ -497,7 +497,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./... { "locations": [ { - "module": "golang.org/vuln", + "module": "golang.org/vuln@", "location": { "physicalLocation": { "artifactLocation": { @@ -515,7 +515,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./... } }, { - "module": "github.com/tidwall/gjson", + "module": "github.com/tidwall/gjson@v1.6.5", "location": { "physicalLocation": { "artifactLocation": { @@ -547,7 +547,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./... }, "frames": [ { - "module": "golang.org/vuln", + "module": "golang.org/vuln@", "location": { "physicalLocation": { "artifactLocation": { @@ -565,7 +565,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./... } }, { - "module": "github.com/tidwall/gjson", + "module": "github.com/tidwall/gjson@v1.6.5", "location": { "physicalLocation": { "artifactLocation": { 
diff --git a/internal/sarif/handler.go b/internal/sarif/handler.go index 5cd2656b..744e9513 100644 --- a/internal/sarif/handler.go +++ b/internal/sarif/handler.go @@ -286,7 +286,7 @@ func stack(h *handler, f *govulncheck.Finding) Stack { } sf := Frame{ - Module: frame.Module, + Module: frame.Module + "@" + frame.Version, Location: Location{Message: Description{Text: symbol(frame)}}, // show the (full) symbol name } if h.cfg.ScanMode != govulncheck.ScanModeBinary { @@ -359,7 +359,7 @@ func threadFlows(h *handler, fs []*govulncheck.Finding) []ThreadFlow { } tfl := ThreadFlowLocation{ - Module: frame.Module, + Module: frame.Module + "@" + frame.Version, Location: Location{Message: Description{Text: symbol(frame)}}, // show the (full) symbol name } if h.cfg.ScanMode != govulncheck.ScanModeBinary { diff --git a/internal/sarif/sarif.go b/internal/sarif/sarif.go index ed55640e..fb1c5b7d 100644 --- a/internal/sarif/sarif.go +++ b/internal/sarif/sarif.go @@ -122,6 +122,9 @@ type ThreadFlow struct { } type ThreadFlowLocation struct { + // Module is module information in the form @. + // can be empty when the module version is not known as + // with, say, the source module analyzed. Module string `json:"module,omitempty"` // Location also contains a Message field. Location Location `json:"location,omitempty"` @@ -138,6 +141,9 @@ type Stack struct { // Frame is effectively a module location. It can also contain thread and // parameter info, but those are not needed for govulncheck. type Frame struct { + // Module is module information in the form @. + // can be empty when the module version is not known as + // with, say, the source module analyzed. Module string `json:"module,omitempty"` Location Location `json:"location,omitempty"` }
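Review bot: The new `Module: frame.Module + "@" + frame.Version` in stack() emits a dangling separator whenever the version is unknown — the updated source_call_sarif.ct expectations in this same change show `"module": "golang.org/vuln@"` for the module under analysis — and `path@` with nothing after the `@` is not a module query that `go list -m` or `go mod download` accept, which undercuts the commit's stated goal of letting consumers compute local paths. The identical concatenation is repeated in the threadFlows() hunk below, so a small helper that omits the `@` when Version is empty keeps both call sites consistent and fixes the output in one place; the testdata expectations would then become `golang.org/vuln` rather than `golang.org/vuln@`. Whether stdlib frames carry a Version in this handler is not visible here, so the helper should be checked against that case as well; I am assuming `frame` is a `*govulncheck.Frame` as its `Module`/`Version` fields and the `symbol(frame)` call suggest. stack()'s body begins and ends outside this hunk.
```go
// moduleRef renders a trace frame's module as "path@version", or just
// "path" when the version is not known (e.g. the main module being analyzed),
// so consumers never see a trailing "@".
func moduleRef(frame *govulncheck.Frame) string {
	if frame.Version == "" {
		return frame.Module
	}
	return frame.Module + "@" + frame.Version
}

// … unchanged: stack() up to the Frame literal …
	sf := Frame{
		Module:   moduleRef(frame),
		// … unchanged: Location and the ScanMode branch …
```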
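Review bot: The added doc comment on ThreadFlowLocation.Module reads `// Module is module information in the form @.` in this view, so the placeholders on either side of the `@` appear to have been lost (angle-bracket placeholders are easy to strip in tooling), and the next sentence `// can be empty ...` has lost its subject too; the comment also does not say what a reader of the SARIF actually gets when the version is unknown, which with the handler.go change in this commit is a module path with a trailing `@`. I would spell it out without angle brackets, e.g. `// Module identifies the module of this location as "path@version", for example "golang.org/x/text@v0.3.0".` followed by `// The version part is empty when it is not known, such as for the main module under analysis.`, and state the exact resulting form so consumers can parse it reliably. The same three-line comment is duplicated verbatim on Frame.Module in the following hunk and should be kept in sync with whatever wording is chosen here.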