internal/sarif: add code flows
A code flow is a compact representation of a trace used for the textual
output of govulncheck. For that purpose, the logic for trace compaction
is extracted into a separate internal package traces.

We also add the message portion of the Location object for code flows to
reduce the number of CLs; the actual physical region part will come in
following CLs. To make things consistent, we also add the Message part
of the location for stacks.

Updates golang/go#61347

Change-Id: I99065a7aab7aa794e7a08687cb4055bc21a610f8
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/551375
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
zpavlinovic committed Apr 3, 2024
1 parent 9fbf042 commit d00c170
Showing 9 changed files with 565 additions and 40 deletions.
114 changes: 110 additions & 4 deletions cmd/govulncheck/testdata/common/testfiles/binary-call/binary_sarif.ct
Expand Up @@ -116,6 +116,31 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary}
"message": {
"text": "Your code calls vulnerable functions in 1 package (github.com/tidwall/gjson)."
},
"codeFlows": [
{
"threadFlows": [
{
"locations": [
{
"module": "github.com/tidwall/gjson",
"location": {
"physicalLocation": {
"artifactLocation": {},
"region": {}
},
"message": {
"text": "github.com/tidwall/gjson.Result.ForEach"
}
}
}
]
}
],
"message": {
"text": "A summarized code flow for vulnerable function github.com/tidwall/gjson.Result.ForEach"
}
}
],
"stacks": [
{
"message": {
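Review bot: the new codeFlows entries pin an empty `"physicalLocation": { "artifactLocation": {}, "region": {} }` into the expected output, which carries no information and, for consumers that validate that a physicalLocation actually identifies an artifact, may be rejected. Since the commit message says the region part comes in following CLs, consider omitting physicalLocation from the emitted location (and from this fixture) until it is populated, so the test does not lock in the empty shape; if it must stay, the threadFlowLocation `"module"` plus the location `"message"` are currently the only content a reader can use to identify the flow.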
Expand All @@ -129,7 +154,9 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary}
"artifactLocation": {},
"region": {}
},
"message": {}
"message": {
"text": "github.com/tidwall/gjson.Result.ForEach"
}
}
}
]
Expand All @@ -142,6 +169,31 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary}
"message": {
"text": "Your code calls vulnerable functions in 1 package (golang.org/x/text/language)."
},
"codeFlows": [
{
"threadFlows": [
{
"locations": [
{
"module": "golang.org/x/text",
"location": {
"physicalLocation": {
"artifactLocation": {},
"region": {}
},
"message": {
"text": "golang.org/x/text/language.Parse"
}
}
}
]
}
],
"message": {
"text": "A summarized code flow for vulnerable function golang.org/x/text/language.Parse"
}
}
],
"stacks": [
{
"message": {
Expand All @@ -155,7 +207,9 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary}
"artifactLocation": {},
"region": {}
},
"message": {}
"message": {
"text": "golang.org/x/text/language.Parse"
}
}
}
]
Expand All @@ -168,6 +222,54 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary}
"message": {
"text": "Your code calls vulnerable functions in 1 package (github.com/tidwall/gjson)."
},
"codeFlows": [
{
"threadFlows": [
{
"locations": [
{
"module": "github.com/tidwall/gjson",
"location": {
"physicalLocation": {
"artifactLocation": {},
"region": {}
},
"message": {
"text": "github.com/tidwall/gjson.Get"
}
}
}
]
}
],
"message": {
"text": "A summarized code flow for vulnerable function github.com/tidwall/gjson.Get"
}
},
{
"threadFlows": [
{
"locations": [
{
"module": "github.com/tidwall/gjson",
"location": {
"physicalLocation": {
"artifactLocation": {},
"region": {}
},
"message": {
"text": "github.com/tidwall/gjson.Result.Get"
}
}
}
]
}
],
"message": {
"text": "A summarized code flow for vulnerable function github.com/tidwall/gjson.Result.Get"
}
}
],
"stacks": [
{
"message": {
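Review bot: this fixture now pins the relative order of the two code flows for the same module (github.com/tidwall/gjson.Get before github.com/tidwall/gjson.Result.Get), and with physicalLocation still empty the `"message"` text is the only thing distinguishing them. Please confirm that the extracted traces package produces flows in a deterministic order (for example sorted by vulnerable function name rather than map iteration order); otherwise this expected output will be flaky.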
Expand All @@ -181,7 +283,9 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary}
"artifactLocation": {},
"region": {}
},
"message": {}
"message": {
"text": "github.com/tidwall/gjson.Get"
}
}
}
]
Expand All @@ -198,7 +302,9 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary}
"artifactLocation": {},
"region": {}
},
"message": {}
"message": {
"text": "github.com/tidwall/gjson.Result.Get"
}
}
}
]