internal/sarif: compute relative paths for findings

And also make sure the paths are not added in binary mode. Updates golang/go#61347 Change-Id: If48fe57215cdecb01b8b687fbe042aae584f1d6d Reviewed-on: https://go-review.googlesource.com/c/vuln/+/558016 Reviewed-by: Maceo Thompson <maceothompson@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
golang · Apr 15, 2024 · 4b737a9 · 4b737a9
1 parent 7bf0c05
commit 4b737a9
Show file tree

Hide file tree

Showing 5 changed files with 193 additions and 64 deletions.
diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_sarif.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_sarif.ct
@@ -113,7 +113,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
           "locations": [
             {
               "physicalLocation": {
-                "artifactLocation": {},
+                "artifactLocation": {
+                  "uri": "go.mod",
+                  "uriBaseId": "%SRCROOT%"
+                },
                 "region": {
                   "startLine": 1
                 }
@@ -131,7 +134,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
           "locations": [
             {
               "physicalLocation": {
-                "artifactLocation": {},
+                "artifactLocation": {
+                  "uri": "go.mod",
+                  "uriBaseId": "%SRCROOT%"
+                },
                 "region": {
                   "startLine": 1
                 }
@@ -148,7 +154,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                       "module": "golang.org/vuln",
                       "location": {
                         "physicalLocation": {
-                          "artifactLocation": {},
+                          "artifactLocation": {
+                            "uri": "vuln.go",
+                            "uriBaseId": "%SRCROOT%"
+                          },
                           "region": {
                             "startLine": 14,
                             "startColumn": 20
@@ -163,7 +172,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                       "module": "github.com/tidwall/gjson",
                       "location": {
                         "physicalLocation": {
-                          "artifactLocation": {},
+                          "artifactLocation": {
+                            "uri": "gjson.go",
+                            "uriBaseId": "%GOMODCACHE%"
+                          },
                           "region": {
                             "startLine": 297,
                             "startColumn": 12
@@ -178,7 +190,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                       "module": "github.com/tidwall/gjson",
                       "location": {
                         "physicalLocation": {
-                          "artifactLocation": {},
+                          "artifactLocation": {
+                            "uri": "gjson.go",
+                            "uriBaseId": "%GOMODCACHE%"
+                          },
                           "region": {
                             "startLine": 1881,
                             "startColumn": 36
@@ -193,7 +208,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                       "module": "github.com/tidwall/gjson",
                       "location": {
                         "physicalLocation": {
-                          "artifactLocation": {},
+                          "artifactLocation": {
+                            "uri": "gjson.go",
+                            "uriBaseId": "%GOMODCACHE%"
+                          },
                           "region": {
                             "startLine": 220,
                             "startColumn": 17
@@ -222,7 +240,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                   "module": "golang.org/vuln",
                   "location": {
                     "physicalLocation": {
-                      "artifactLocation": {},
+                      "artifactLocation": {
+                        "uri": "vuln.go",
+                        "uriBaseId": "%SRCROOT%"
+                      },
                       "region": {
                         "startLine": 14,
                         "startColumn": 20
@@ -237,7 +258,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                   "module": "github.com/tidwall/gjson",
                   "location": {
                     "physicalLocation": {
-                      "artifactLocation": {},
+                      "artifactLocation": {
+                        "uri": "gjson.go",
+                        "uriBaseId": "%GOMODCACHE%"
+                      },
                       "region": {
                         "startLine": 297,
                         "startColumn": 12
@@ -252,7 +276,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                   "module": "github.com/tidwall/gjson",
                   "location": {
                     "physicalLocation": {
-                      "artifactLocation": {},
+                      "artifactLocation": {
+                        "uri": "gjson.go",
+                        "uriBaseId": "%GOMODCACHE%"
+                      },
                       "region": {
                         "startLine": 1881,
                         "startColumn": 36
@@ -267,7 +294,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                   "module": "github.com/tidwall/gjson",
                   "location": {
                     "physicalLocation": {
-                      "artifactLocation": {},
+                      "artifactLocation": {
+                        "uri": "gjson.go",
+                        "uriBaseId": "%GOMODCACHE%"
+                      },
                       "region": {
                         "startLine": 2587,
                         "startColumn": 21
@@ -282,7 +312,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                   "module": "github.com/tidwall/gjson",
                   "location": {
                     "physicalLocation": {
-                      "artifactLocation": {},
+                      "artifactLocation": {
+                        "uri": "gjson.go",
+                        "uriBaseId": "%GOMODCACHE%"
+                      },
                       "region": {
                         "startLine": 2631,
                         "startColumn": 21
@@ -297,7 +330,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                   "module": "github.com/tidwall/gjson",
                   "location": {
                     "physicalLocation": {
-                      "artifactLocation": {},
+                      "artifactLocation": {
+                        "uri": "gjson.go",
+                        "uriBaseId": "%GOMODCACHE%"
+                      },
                       "region": {
                         "startLine": 220,
                         "startColumn": 17
@@ -321,7 +357,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
           "locations": [
             {
               "physicalLocation": {
-                "artifactLocation": {},
+                "artifactLocation": {
+                  "uri": "go.mod",
+                  "uriBaseId": "%SRCROOT%"
+                },
                 "region": {
                   "startLine": 1
                 }
@@ -338,7 +377,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                       "module": "golang.org/vuln",
                       "location": {
                         "physicalLocation": {
-                          "artifactLocation": {},
+                          "artifactLocation": {
+                            "uri": "vuln.go",
+                            "uriBaseId": "%SRCROOT%"
+                          },
                           "region": {
                             "startLine": 13,
                             "startColumn": 16
@@ -353,7 +395,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                       "module": "golang.org/x/text",
                       "location": {
                         "physicalLocation": {
-                          "artifactLocation": {},
+                          "artifactLocation": {
+                            "uri": "language/parse.go",
+                            "uriBaseId": "%GOMODCACHE%"
+                          },
                           "region": {
                             "startLine": 228,
                             "startColumn": 6
@@ -382,7 +427,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                   "module": "golang.org/vuln",
                   "location": {
                     "physicalLocation": {
-                      "artifactLocation": {},
+                      "artifactLocation": {
+                        "uri": "vuln.go",
+                        "uriBaseId": "%SRCROOT%"
+                      },
                       "region": {
                         "startLine": 13,
                         "startColumn": 16
@@ -397,7 +445,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                   "module": "golang.org/x/text",
                   "location": {
                     "physicalLocation": {
-                      "artifactLocation": {},
+                      "artifactLocation": {
+                        "uri": "language/parse.go",
+                        "uriBaseId": "%GOMODCACHE%"
+                      },
                       "region": {
                         "startLine": 228,
                         "startColumn": 6
@@ -421,7 +472,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
           "locations": [
             {
               "physicalLocation": {
-                "artifactLocation": {},
+                "artifactLocation": {
+                  "uri": "go.mod",
+                  "uriBaseId": "%SRCROOT%"
+                },
                 "region": {
                   "startLine": 1
                 }
@@ -438,7 +492,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                       "module": "golang.org/vuln",
                       "location": {
                         "physicalLocation": {
-                          "artifactLocation": {},
+                          "artifactLocation": {
+                            "uri": "vuln.go",
+                            "uriBaseId": "%SRCROOT%"
+                          },
                           "region": {
                             "startLine": 14,
                             "startColumn": 20
@@ -453,7 +510,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                       "module": "github.com/tidwall/gjson",
                       "location": {
                         "physicalLocation": {
-                          "artifactLocation": {},
+                          "artifactLocation": {
+                            "uri": "gjson.go",
+                            "uriBaseId": "%GOMODCACHE%"
+                          },
                           "region": {
                             "startLine": 296,
                             "startColumn": 17
@@ -482,7 +542,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                   "module": "golang.org/vuln",
                   "location": {
                     "physicalLocation": {
-                      "artifactLocation": {},
+                      "artifactLocation": {
+                        "uri": "vuln.go",
+                        "uriBaseId": "%SRCROOT%"
+                      },
                       "region": {
                         "startLine": 14,
                         "startColumn": 20
@@ -497,7 +560,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
                   "module": "github.com/tidwall/gjson",
                   "location": {
                     "physicalLocation": {
-                      "artifactLocation": {},
+                      "artifactLocation": {
+                        "uri": "gjson.go",
+                        "uriBaseId": "%GOMODCACHE%"
+                      },
                       "region": {
                         "startLine": 296,
                         "startColumn": 17

diff --git a/cmd/govulncheck/testdata/common/testfiles/source-module/source_module_sarif.ct b/cmd/govulncheck/testdata/common/testfiles/source-module/source_module_sarif.ct
@@ -113,7 +113,10 @@ $ govulncheck -format sarif -scan module -C ${moddir}/vuln
           "locations": [
             {
               "physicalLocation": {
-                "artifactLocation": {},
+                "artifactLocation": {
+                  "uri": "go.mod",
+                  "uriBaseId": "%SRCROOT%"
+                },
                 "region": {
                   "startLine": 1
                 }
@@ -131,7 +134,10 @@ $ govulncheck -format sarif -scan module -C ${moddir}/vuln
           "locations": [
             {
               "physicalLocation": {
-                "artifactLocation": {},
+                "artifactLocation": {
+                  "uri": "go.mod",
+                  "uriBaseId": "%SRCROOT%"
+                },
                 "region": {
                   "startLine": 1
                 }
@@ -149,7 +155,10 @@ $ govulncheck -format sarif -scan module -C ${moddir}/vuln
           "locations": [
             {
               "physicalLocation": {
-                "artifactLocation": {},
+                "artifactLocation": {
+                  "uri": "go.mod",
+                  "uriBaseId": "%SRCROOT%"
+                },
                 "region": {
                   "startLine": 1
                 }
@@ -167,7 +176,10 @@ $ govulncheck -format sarif -scan module -C ${moddir}/vuln
           "locations": [
             {
               "physicalLocation": {
-                "artifactLocation": {},
+                "artifactLocation": {
+                  "uri": "go.mod",
+                  "uriBaseId": "%SRCROOT%"
+                },
                 "region": {
                   "startLine": 1
                 }

diff --git a/cmd/govulncheck/testdata/common/testfiles/source-package/source_package_sarif.ct b/cmd/govulncheck/testdata/common/testfiles/source-package/source_package_sarif.ct
@@ -113,7 +113,10 @@ $ govulncheck -format sarif -scan package -C ${moddir}/vuln .
           "locations": [
             {
               "physicalLocation": {
-                "artifactLocation": {},
+                "artifactLocation": {
+                  "uri": "go.mod",
+                  "uriBaseId": "%SRCROOT%"
+                },
                 "region": {
                   "startLine": 1
                 }
@@ -131,7 +134,10 @@ $ govulncheck -format sarif -scan package -C ${moddir}/vuln .
           "locations": [
             {
               "physicalLocation": {
-                "artifactLocation": {},
+                "artifactLocation": {
+                  "uri": "go.mod",
+                  "uriBaseId": "%SRCROOT%"
+                },
                 "region": {
                   "startLine": 1
                 }
@@ -149,7 +155,10 @@ $ govulncheck -format sarif -scan package -C ${moddir}/vuln .
           "locations": [
             {
               "physicalLocation": {
-                "artifactLocation": {},
+                "artifactLocation": {
+                  "uri": "go.mod",
+                  "uriBaseId": "%SRCROOT%"
+                },
                 "region": {
                   "startLine": 1
                 }
@@ -167,7 +176,10 @@ $ govulncheck -format sarif -scan package -C ${moddir}/vuln .
           "locations": [
             {
               "physicalLocation": {
-                "artifactLocation": {},
+                "artifactLocation": {
+                  "uri": "go.mod",
+                  "uriBaseId": "%SRCROOT%"
+                },
                 "region": {
                   "startLine": 1
                 }