From 052eac784b099e7cc1a3864eb927288b196f2000 Mon Sep 17 00:00:00 2001 From: Zvonimir Pavlinovic Date: Tue, 23 Apr 2024 17:00:17 +0000 Subject: [PATCH] internal/sarif: improve GOMODCACHE relative paths The paths are now indeed relative to %GOMODCACHE%. Change-Id: I445f95dfdcda4bf053b28917482f9a39866f9dd3 Reviewed-on: https://go-review.googlesource.com/c/vuln/+/581235 Reviewed-by: Ian Cottrell Run-TryBot: Zvonimir Pavlinovic TryBot-Result: Gopher Robot LUCI-TryBot-Result: Go LUCI
---
 .../source-call/source_call_sarif.ct | 24 +++++++++---------- internal/sarif/handler.go | 19 ++++++++------- 2 files changed, 23 insertions(+), 20 deletions(-)
diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_sarif.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_sarif.ct
index be6a8e1..6f77980 100644
--- a/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_sarif.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_sarif.ct
@@ -177,7 +177,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 "location": {
 "physicalLocation": {
 "artifactLocation": {
- "uri": "gjson.go",
+ "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
 "uriBaseId": "%GOMODCACHE%"
 },
 "region": {
@@ -195,7 +195,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 "location": {
 "physicalLocation": {
 "artifactLocation": {
- "uri": "gjson.go",
+ "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
 "uriBaseId": "%GOMODCACHE%"
 },
 "region": {
@@ -213,7 +213,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 "location": {
 "physicalLocation": {
 "artifactLocation": {
- "uri": "gjson.go",
+ "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
 "uriBaseId": "%GOMODCACHE%"
 },
 "region": {
@@ -263,7 +263,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 "location": {
 "physicalLocation": {
 "artifactLocation": {
- "uri": "gjson.go",
+ "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
 "uriBaseId": "%GOMODCACHE%"
 },
 "region": {
@@ -281,7 +281,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 "location": {
 "physicalLocation": {
 "artifactLocation": {
- "uri": "gjson.go",
+ "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
 "uriBaseId": "%GOMODCACHE%"
 },
 "region": {
@@ -299,7 +299,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 "location": {
 "physicalLocation": {
 "artifactLocation": {
- "uri": "gjson.go",
+ "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
 "uriBaseId": "%GOMODCACHE%"
 },
 "region": {
@@ -317,7 +317,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 "location": {
 "physicalLocation": {
 "artifactLocation": {
- "uri": "gjson.go",
+ "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
 "uriBaseId": "%GOMODCACHE%"
 },
 "region": {
@@ -335,7 +335,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 "location": {
 "physicalLocation": {
 "artifactLocation": {
- "uri": "gjson.go",
+ "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
 "uriBaseId": "%GOMODCACHE%"
 },
 "region": {
@@ -402,7 +402,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 "location": {
 "physicalLocation": {
 "artifactLocation": {
- "uri": "language/parse.go",
+ "uri": "golang.org/x/text@v0.3.0/language/parse.go",
 "uriBaseId": "%GOMODCACHE%"
 },
 "region": {
@@ -452,7 +452,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 "location": {
 "physicalLocation": {
 "artifactLocation": {
- "uri": "language/parse.go",
+ "uri": "golang.org/x/text@v0.3.0/language/parse.go",
 "uriBaseId": "%GOMODCACHE%"
 },
 "region": {
@@ -519,7 +519,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 "location": {
 "physicalLocation": {
 "artifactLocation": {
- "uri": "gjson.go",
+ "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
 "uriBaseId": "%GOMODCACHE%"
 },
 "region": {
@@ -569,7 +569,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 "location": {
 "physicalLocation": {
 "artifactLocation": {
- "uri": "gjson.go",
+ "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
 "uriBaseId": "%GOMODCACHE%"
 },
 "region": {
diff --git a/internal/sarif/handler.go b/internal/sarif/handler.go
index 744e951..3424857 100644
--- a/internal/sarif/handler.go
+++ b/internal/sarif/handler.go
@@ -8,6 +8,7 @@ import (
 "encoding/json"
 "fmt"
 "io"
+ "path/filepath"
 "sort"
 
 "golang.org/x/vuln/internal"
@@ -289,11 +290,12 @@ func stack(h *handler, f *govulncheck.Finding) Stack {
 Module: frame.Module + "@" + frame.Version,
 Location: Location{Message: Description{Text: symbol(frame)}}, // show the (full) symbol name
 }
+ file, base := fileURIInfo(pos.Filename, top.Module, frame.Module, frame.Version)
 if h.cfg.ScanMode != govulncheck.ScanModeBinary {
 sf.Location.PhysicalLocation = PhysicalLocation{
 ArtifactLocation: ArtifactLocation{
- URI: pos.Filename,
- URIBaseID: uriID(top.Module, frame.Module),
+ URI: file,
+ URIBaseID: base,
 },
 Region: Region{
 StartLine: pos.Line,
@@ -362,11 +364,12 @@ func threadFlows(h *handler, fs []*govulncheck.Finding) []ThreadFlow {
 Module: frame.Module + "@" + frame.Version,
 Location: Location{Message: Description{Text: symbol(frame)}}, // show the (full) symbol name
 }
+ file, base := fileURIInfo(pos.Filename, top.Module, frame.Module, frame.Version)
 if h.cfg.ScanMode != govulncheck.ScanModeBinary {
 tfl.Location.PhysicalLocation = PhysicalLocation{
 ArtifactLocation: ArtifactLocation{
- URI: pos.Filename,
- URIBaseID: uriID(top.Module, frame.Module),
+ URI: file,
+ URIBaseID: base,
 },
 Region: Region{
 StartLine: pos.Line,
@@ -381,12 +384,12 @@ func threadFlows(h *handler, fs []*govulncheck.Finding) []ThreadFlow {
 return tfs
 }
 
-func uriID(top, module string) string {
+func fileURIInfo(filename, top, module, version string) (string, string) {
 if top == module {
- return SrcRootID
+ return filename, SrcRootID
 }
 if module == internal.GoStdModulePath {
- return filename, GoRootID
+ return filename, GoRootID
 }
- return GoModCacheID
+ return filepath.ToSlash(filepath.Join(module+"@"+version, filename)), GoModCacheID
 }
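Review bot: The added `file, base := fileURIInfo(pos.Filename, top.Module, frame.Module, frame.Version)` in `stack` runs before the `if h.cfg.ScanMode != govulncheck.ScanModeBinary` guard, although both values are consumed only inside that block, so binary-mode scans pay a `filepath.Join` per frame for a result that is discarded. Moving the call to the first line inside the `if` keeps the work and the two variables scoped to the only place that uses them. The identical lines in the `threadFlows` hunk below have the same shape. Both enclosing functions, including where `pos` and `top` are set, begin outside the hunks, so I have not checked whether `pos.Filename` is populated in binary mode.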
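Review bot: The GOMODCACHE-relative URI on the final `return` of `fileURIInfo` is built from the raw `module+"@"+version`, but the module cache stores directories under the escaped names in which each uppercase letter becomes `!` plus its lowercase form (a capital `B` in a module path is stored as `!b`), so for any module path or version containing uppercase characters the emitted `uri` will not resolve against `%GOMODCACHE%`; `golang.org/x/mod/module.EscapePath` and `module.EscapeVersion` produce the on-disk form, i.e. `filepath.Join(escPath+"@"+escVersion, filename)` with the two escaped values computed (and their errors handled) just above — assuming x/mod is already a dependency of this module. The new function also lacks a doc comment; I would add `// fileURIInfo returns the artifact URI for filename and the uriBaseId it is relative to: the source root for files of the top-level module, GOROOT for standard-library files, and otherwise GOMODCACHE with the module@version directory prepended.` Naming the results, `(uri, baseID string)`, would make the two anonymous strings self-describing at the call sites.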