internal/sarif: improve GOMODCACHE relative paths

zpavlinovic · zpavlinovic · commit 052eac784b09 · 2024-05-08T21:38:34.000Z
The paths are now indeed relative to %GOMODCACHE%. Change-Id: I445f95dfdcda4bf053b28917482f9a39866f9dd3 Reviewed-on: https://go-review.googlesource.com/c/vuln/+/581235 Reviewed-by: Ian Cottrell <iancottrell@google.com> Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_sarif.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_sarif.ct
@@ -177,7 +177,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                       "location": {
                         "physicalLocation": {
                           "artifactLocation": {
-                            "uri": "gjson.go",
+                            "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
                             "uriBaseId": "%GOMODCACHE%"
                           },
                           "region": {
@@ -195,7 +195,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                       "location": {
                         "physicalLocation": {
                           "artifactLocation": {
-                            "uri": "gjson.go",
+                            "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
                             "uriBaseId": "%GOMODCACHE%"
                           },
                           "region": {
@@ -213,7 +213,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                       "location": {
                         "physicalLocation": {
                           "artifactLocation": {
-                            "uri": "gjson.go",
+                            "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
                             "uriBaseId": "%GOMODCACHE%"
                           },
                           "region": {
@@ -263,7 +263,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                   "location": {
                     "physicalLocation": {
                       "artifactLocation": {
-                        "uri": "gjson.go",
+                        "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
                         "uriBaseId": "%GOMODCACHE%"
                       },
                       "region": {
@@ -281,7 +281,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                   "location": {
                     "physicalLocation": {
                       "artifactLocation": {
-                        "uri": "gjson.go",
+                        "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
                         "uriBaseId": "%GOMODCACHE%"
                       },
                       "region": {
@@ -299,7 +299,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                   "location": {
                     "physicalLocation": {
                       "artifactLocation": {
-                        "uri": "gjson.go",
+                        "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
                         "uriBaseId": "%GOMODCACHE%"
                       },
                       "region": {
@@ -317,7 +317,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                   "location": {
                     "physicalLocation": {
                       "artifactLocation": {
-                        "uri": "gjson.go",
+                        "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
                         "uriBaseId": "%GOMODCACHE%"
                       },
                       "region": {
@@ -335,7 +335,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                   "location": {
                     "physicalLocation": {
                       "artifactLocation": {
-                        "uri": "gjson.go",
+                        "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
                         "uriBaseId": "%GOMODCACHE%"
                       },
                       "region": {
@@ -402,7 +402,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                       "location": {
                         "physicalLocation": {
                           "artifactLocation": {
-                            "uri": "language/parse.go",
+                            "uri": "golang.org/x/text@v0.3.0/language/parse.go",
                             "uriBaseId": "%GOMODCACHE%"
                           },
                           "region": {
@@ -452,7 +452,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                   "location": {
                     "physicalLocation": {
                       "artifactLocation": {
-                        "uri": "language/parse.go",
+                        "uri": "golang.org/x/text@v0.3.0/language/parse.go",
                         "uriBaseId": "%GOMODCACHE%"
                       },
                       "region": {
@@ -519,7 +519,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                       "location": {
                         "physicalLocation": {
                           "artifactLocation": {
-                            "uri": "gjson.go",
+                            "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
                             "uriBaseId": "%GOMODCACHE%"
                           },
                           "region": {
@@ -569,7 +569,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                   "location": {
                     "physicalLocation": {
                       "artifactLocation": {
-                        "uri": "gjson.go",
+                        "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
                         "uriBaseId": "%GOMODCACHE%"
                       },
                       "region": {
diff --git a/internal/sarif/handler.go b/internal/sarif/handler.go
@@ -8,6 +8,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"path/filepath"
 	"sort"
 
 	"golang.org/x/vuln/internal"
@@ -289,11 +290,12 @@ func stack(h *handler, f *govulncheck.Finding) Stack {
 			Module:   frame.Module + "@" + frame.Version,
 			Location: Location{Message: Description{Text: symbol(frame)}}, // show the (full) symbol name
 		}
+		file, base := fileURIInfo(pos.Filename, top.Module, frame.Module, frame.Version)
 		if h.cfg.ScanMode != govulncheck.ScanModeBinary {
 			sf.Location.PhysicalLocation = PhysicalLocation{
 				ArtifactLocation: ArtifactLocation{
-					URI:       pos.Filename,
-					URIBaseID: uriID(top.Module, frame.Module),
+					URI:       file,
+					URIBaseID: base,
 				},
 				Region: Region{
 					StartLine:   pos.Line,
@@ -362,11 +364,12 @@ func threadFlows(h *handler, fs []*govulncheck.Finding) []ThreadFlow {
 				Module:   frame.Module + "@" + frame.Version,
 				Location: Location{Message: Description{Text: symbol(frame)}}, // show the (full) symbol name
 			}
+			file, base := fileURIInfo(pos.Filename, top.Module, frame.Module, frame.Version)
 			if h.cfg.ScanMode != govulncheck.ScanModeBinary {
 				tfl.Location.PhysicalLocation = PhysicalLocation{
 					ArtifactLocation: ArtifactLocation{
-						URI:       pos.Filename,
-						URIBaseID: uriID(top.Module, frame.Module),
+						URI:       file,
+						URIBaseID: base,
 					},
 					Region: Region{
 						StartLine:   pos.Line,
@@ -381,12 +384,12 @@ func threadFlows(h *handler, fs []*govulncheck.Finding) []ThreadFlow {
 	return tfs
 }
 
-func uriID(top, module string) string {
+func fileURIInfo(filename, top, module, version string) (string, string) {
 	if top == module {
-		return SrcRootID
+		return filename, SrcRootID
 	}
 	if module == internal.GoStdModulePath {
-		return GoRootID
+		return filename, GoRootID
 	}
-	return GoModCacheID
+	return filepath.ToSlash(filepath.Join(module+"@"+version, filename)), GoModCacheID
 }
