
Commit 93d3090

committed
internal/sarif: add version to module info for locations
This makes module information complete so that users can compute local paths. Change-Id: I8cedf77908b825d7e66ac9d7a9a075804f207c66 Reviewed-on: https://go-review.googlesource.com/c/vuln/+/581195 Reviewed-by: Ian Cottrell <iancottrell@google.com> Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> TryBot-Result: Gopher Robot <gobot@golang.org>
1 parent 0e39fee commit 93d3090


4 files changed

+34
-28
lines changed


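--- a/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_sarif.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_sarif.ct
@@ -122,7 +122,7 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary}
 {
 "locations": [
 {
-"module": "github.com/tidwall/gjson",
+"module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {},
@@ -148,7 +148,7 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary}
 },
 "frames": [
 {
-"module": "github.com/tidwall/gjson",
+"module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {},
@@ -175,7 +175,7 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary}
 {
 "locations": [
 {
-"module": "golang.org/x/text",
+"module": "golang.org/x/text@v0.3.0",
 "location": {
 "physicalLocation": {
 "artifactLocation": {},
@@ -201,7 +201,7 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary}
 },
 "frames": [
 {
-"module": "golang.org/x/text",
+"module": "golang.org/x/text@v0.3.0",
 "location": {
 "physicalLocation": {
 "artifactLocation": {},
@@ -228,7 +228,7 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary}
 {
 "locations": [
 {
-"module": "github.com/tidwall/gjson",
+"module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {},
@@ -251,7 +251,7 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary}
 {
 "locations": [
 {
-"module": "github.com/tidwall/gjson",
+"module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {},
@@ -277,7 +277,7 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary}
 },
 "frames": [
 {
-"module": "github.com/tidwall/gjson",
+"module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {},
@@ -296,7 +296,7 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary}
 },
 "frames": [
 {
-"module": "github.com/tidwall/gjson",
+"module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {},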

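--- a/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_sarif.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_sarif.ct
@@ -155,7 +155,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 {
 "locations": [
 {
-"module": "golang.org/vuln",
+"module": "golang.org/vuln@",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -173,7 +173,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 }
 },
 {
-"module": "github.com/tidwall/gjson",
+"module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -191,7 +191,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 }
 },
 {
-"module": "github.com/tidwall/gjson",
+"module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -209,7 +209,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 }
 },
 {
-"module": "github.com/tidwall/gjson",
+"module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -241,7 +241,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 },
 "frames": [
 {
-"module": "golang.org/vuln",
+"module": "golang.org/vuln@",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -259,7 +259,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 }
 },
 {
-"module": "github.com/tidwall/gjson",
+"module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -277,7 +277,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 }
 },
 {
-"module": "github.com/tidwall/gjson",
+"module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -295,7 +295,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 }
 },
 {
-"module": "github.com/tidwall/gjson",
+"module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -313,7 +313,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 }
 },
 {
-"module": "github.com/tidwall/gjson",
+"module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -331,7 +331,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 }
 },
 {
-"module": "github.com/tidwall/gjson",
+"module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -380,7 +380,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 {
 "locations": [
 {
-"module": "golang.org/vuln",
+"module": "golang.org/vuln@",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -398,7 +398,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 }
 },
 {
-"module": "golang.org/x/text",
+"module": "golang.org/x/text@v0.3.0",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -430,7 +430,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 },
 "frames": [
 {
-"module": "golang.org/vuln",
+"module": "golang.org/vuln@",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -448,7 +448,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 }
 },
 {
-"module": "golang.org/x/text",
+"module": "golang.org/x/text@v0.3.0",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -497,7 +497,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 {
 "locations": [
 {
-"module": "golang.org/vuln",
+"module": "golang.org/vuln@",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -515,7 +515,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 }
 },
 {
-"module": "github.com/tidwall/gjson",
+"module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -547,7 +547,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 },
 "frames": [
 {
-"module": "golang.org/vuln",
+"module": "golang.org/vuln@",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -565,7 +565,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 }
 },
 {
-"module": "github.com/tidwall/gjson",
+"module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {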

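--- a/internal/sarif/handler.go
+++ b/internal/sarif/handler.go
@@ -286,7 +286,7 @@ func stack(h *handler, f *govulncheck.Finding) Stack {
 }
 
 sf := Frame{
-Module: frame.Module,
+Module: frame.Module + "@" + frame.Version,
 Location: Location{Message: Description{Text: symbol(frame)}}, // show the (full) symbol name
 }
 if h.cfg.ScanMode != govulncheck.ScanModeBinary {
@@ -359,7 +359,7 @@ func threadFlows(h *handler, fs []*govulncheck.Finding) []ThreadFlow {
 }
 
 tfl := ThreadFlowLocation{
-Module: frame.Module,
+Module: frame.Module + "@" + frame.Version,
 Location: Location{Message: Description{Text: symbol(frame)}}, // show the (full) symbol name
 }
 if h.cfg.ScanMode != govulncheck.ScanModeBinary {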
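Review bot: The new `Module: frame.Module + "@" + frame.Version` at both sites emits a dangling `@` when Version is empty — the updated golden file now shows `golang.org/vuln@` for the module under analysis — and `path@` is not a valid module reference, so a consumer who splits on `@` to compute a local path (the stated goal of this change) gets an empty version and an unusable path. Both `stack` and `threadFlows` begin and end outside these hunks and the expression is duplicated verbatim in each, so I would factor it into one helper that appends `@<version>` only when a version is known; the golden files would then show plain `golang.org/vuln` for the source module. Consumers deriving module-cache paths also need module.EscapePath/EscapeVersion-style escaping (the cache encodes upper-case letters with `!`), which is worth saying at the helper so nobody treats this display string as a ready-made filesystem path. I am inferring the frame's type from its field use, so adjust the parameter type to whatever the trace elements actually are.
```go
// moduleString renders a frame's module as <module-path>@<version>.
// The "@<version>" suffix is omitted when the version is unknown (for
// example the module under analysis in source mode) so the value is always
// a well-formed module reference and never ends in a bare "@". It is a
// display string: consumers must still escape it before building paths.
func moduleString(frame *govulncheck.Frame) string {
	if frame.Version == "" {
		return frame.Module
	}
	return frame.Module + "@" + frame.Version
}

// … unchanged in stack and threadFlows except for the Module field …
	Module: moduleString(frame),
```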

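--- a/internal/sarif/sarif.go
+++ b/internal/sarif/sarif.go
@@ -122,6 +122,9 @@ type ThreadFlow struct {
 }
 
 type ThreadFlowLocation struct {
+// Module is module information in the form <module-path>@<version>.
+// <version> can be empty when the module version is not known as
+// with, say, the source module analyzed.
 Module string `json:"module,omitempty"`
 // Location also contains a Message field.
 Location Location `json:"location,omitempty"`
@@ -138,6 +141,9 @@ type Stack struct {
 // Frame is effectively a module location. It can also contain thread and
 // parameter info, but those are not needed for govulncheck.
 type Frame struct {
+// Module is module information in the form <module-path>@<version>.
+// <version> can be empty when the module version is not known as
+// with, say, the source module analyzed.
 Module string `json:"module,omitempty"`
 Location Location `json:"location,omitempty"`
 }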
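Review bot: The new Module comments on ThreadFlowLocation and Frame say `<version>` can be empty but not what the field then literally contains; as handler.go builds it, the value is `<module-path>@` with a trailing `@` (see `golang.org/vuln@` in source_call_sarif.ct), which is exactly the case a consumer doing `strings.Cut(m, "@")` has to be told about. I would state it outright, e.g. `// When the version is unknown (e.g. the source module under analysis) the value is "<module-path>@", i.e. the separator is present and the version part is empty.`, and add that the string is for display and is not a validated module query — callers should not feed it to `go` commands or turn it into a filesystem path without their own escaping and validation. The identical three-line comment now lives on both structs; keeping the full text on Frame.Module and a one-line cross-reference on ThreadFlowLocation.Module would stop them drifting apart. ThreadFlowLocation's body continues past the first hunk.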
