Skip to content

x/vuln: govulncheck -format=sarif generates invalid sarif with duplicate tags #75890

New issue
New issue
Open
Open
x/vuln: govulncheck -format=sarif generates invalid sarif with duplicate tags#75890
Labels
NeedsInvestigationSomeone must examine and confirm this is a valid issue and not a duplicate of an existing one.vulncheck or vulndbIssues for the x/vuln or x/vulndb repo
Milestone
vuln/unplanned
@pau-hedgehog

Description

@pau-hedgehog
pau-hedgehog
opened on Oct 14, 2025

govulncheck version

Go: go1.24.2
Scanner: govulncheck@v1.1.4
DB: https://vuln.go.dev/
DB updated: 2025-09-24 19:21:41 +0000 UTC

Does this issue reproduce at the latest version of golang.org/x/vuln?

Yes

Output of go env in your module/workspace:

AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE=''
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/home/runner/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/home/runner/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1335158222=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/home/runner/_work/gateway-proto/gateway-proto/go.mod'
GOMODCACHE='/home/runner/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/runner/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/home/runner/_work/_tool/go/1.24.2/x64'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/home/runner/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='local'
GOTOOLDIR='/home/runner/_work/_tool/go/1.24.2/x64/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.2'
GOWORK=''
PKG_CONFIG='pkg-config'

What did you do?

I create a SARIF file:

govulncheck -format=sarif ./... > govulncheck.sarif

What did you see happen?

https://github.com/githedgehog/gateway-proto/actions/runs/18494179415

govulncheck.sarif.json

SARIF generated by govulncheck at some point started containing a vulnerability rule with duplicate tags (specifically: "CVE-2025-47906", "CVE-2025-47906"). SARIF requires all items in tags arrays to be unique.

Github action complains that:

Unable to upload "govulncheck.sarif" as it is not valid SARIF: - instance.runs[0].tool.driver.rules[4].properties.tags contains duplicate item

What did you expect to see?

Govulncheck generates a valid SARIF

Metadata

Metadata

Assignees

No one assigned

    Labels

    NeedsInvestigationSomeone must examine and confirm this is a valid issue and not a duplicate of an existing one.vulncheck or vulndbIssues for the x/vuln or x/vulndb repo

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions