diff --git a/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_sarif.ct b/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_sarif.ct
index eaed232..667d19e 100644
--- a/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_sarif.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_sarif.ct
@@ -122,7 +122,7 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary}
 {
 "locations": [
 {
- "module": "github.com/tidwall/gjson",
+ "module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {},
@@ -148,7 +148,7 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary}
 },
 "frames": [
 {
- "module": "github.com/tidwall/gjson",
+ "module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {},
@@ -175,7 +175,7 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary}
 {
 "locations": [
 {
- "module": "golang.org/x/text",
+ "module": "golang.org/x/text@v0.3.0",
 "location": {
 "physicalLocation": {
 "artifactLocation": {},
@@ -201,7 +201,7 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary}
 },
 "frames": [
 {
- "module": "golang.org/x/text",
+ "module": "golang.org/x/text@v0.3.0",
 "location": {
 "physicalLocation": {
 "artifactLocation": {},
@@ -228,7 +228,7 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary}
 {
 "locations": [
 {
- "module": "github.com/tidwall/gjson",
+ "module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {},
@@ -251,7 +251,7 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary}
 {
 "locations": [
 {
- "module": "github.com/tidwall/gjson",
+ "module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {},
@@ -277,7 +277,7 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary}
 },
 "frames": [
 {
- "module": "github.com/tidwall/gjson",
+ "module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {},
@@ -296,7 +296,7 @@ $ govulncheck -format sarif -mode binary ${common_vuln_binary}
 },
 "frames": [
 {
- "module": "github.com/tidwall/gjson",
+ "module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {},
diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_sarif.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_sarif.ct
index 7b6c02e..be6a8e1 100644
--- a/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_sarif.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_sarif.ct
@@ -155,7 +155,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 {
 "locations": [
 {
- "module": "golang.org/vuln",
+ "module": "golang.org/vuln@",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -173,7 +173,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 }
 },
 {
- "module": "github.com/tidwall/gjson",
+ "module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -191,7 +191,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 }
 },
 {
- "module": "github.com/tidwall/gjson",
+ "module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -209,7 +209,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 }
 },
 {
- "module": "github.com/tidwall/gjson",
+ "module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -241,7 +241,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 },
 "frames": [
 {
- "module": "golang.org/vuln",
+ "module": "golang.org/vuln@",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
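Review bot: A module identifier with a dangling `@` and no version is now pinned as expected output in the `-155` hunk: `"module": "golang.org/vuln@"` for the main module of the source scan. That looks like a side effect of appending `"@" + version` unconditionally in the SARIF handler rather than a deliberate output format, and freezing it in testdata makes it harder to correct later. If the handler is changed to omit the separator when the version is unknown, this line and the matching `golang.org/vuln@` frame entries should read `"module": "golang.org/vuln"` again; the `@v1.6.5` entries for dependencies are fine as they are.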
@@ -259,7 +259,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 }
 },
 {
- "module": "github.com/tidwall/gjson",
+ "module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -277,7 +277,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 }
 },
 {
- "module": "github.com/tidwall/gjson",
+ "module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -295,7 +295,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 }
 },
 {
- "module": "github.com/tidwall/gjson",
+ "module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -313,7 +313,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 }
 },
 {
- "module": "github.com/tidwall/gjson",
+ "module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -331,7 +331,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 }
 },
 {
- "module": "github.com/tidwall/gjson",
+ "module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -380,7 +380,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 {
 "locations": [
 {
- "module": "golang.org/vuln",
+ "module": "golang.org/vuln@",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -398,7 +398,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 }
 },
 {
- "module": "golang.org/x/text",
+ "module": "golang.org/x/text@v0.3.0",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -430,7 +430,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 },
 "frames": [
 {
- "module": "golang.org/vuln",
+ "module": "golang.org/vuln@",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -448,7 +448,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 }
 },
 {
- "module": "golang.org/x/text",
+ "module": "golang.org/x/text@v0.3.0",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -497,7 +497,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 {
 "locations": [
 {
- "module": "golang.org/vuln",
+ "module": "golang.org/vuln@",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -515,7 +515,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 }
 },
 {
- "module": "github.com/tidwall/gjson",
+ "module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -547,7 +547,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 },
 "frames": [
 {
- "module": "golang.org/vuln",
+ "module": "golang.org/vuln@",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
@@ -565,7 +565,7 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
 }
 },
 {
- "module": "github.com/tidwall/gjson",
+ "module": "github.com/tidwall/gjson@v1.6.5",
 "location": {
 "physicalLocation": {
 "artifactLocation": {
diff --git a/internal/sarif/handler.go b/internal/sarif/handler.go
index 5cd2656..744e951 100644
--- a/internal/sarif/handler.go
+++ b/internal/sarif/handler.go
@@ -286,7 +286,7 @@ func stack(h *handler, f *govulncheck.Finding) Stack {
 }
 sf := Frame{
- Module: frame.Module,
+ Module: frame.Module + "@" + frame.Version,
 Location: Location{Message: Description{Text: symbol(frame)}}, // show the (full) symbol name
 }
 if h.cfg.ScanMode != govulncheck.ScanModeBinary {
@@ -359,7 +359,7 @@ func threadFlows(h *handler, fs []*govulncheck.Finding) []ThreadFlow {
 }
 tfl := ThreadFlowLocation{
- Module: frame.Module,
+ Module: frame.Module + "@" + frame.Version,
 Location: Location{Message: Description{Text: symbol(frame)}}, // show the (full) symbol name
 }
 if h.cfg.ScanMode != govulncheck.ScanModeBinary {
diff --git a/internal/sarif/sarif.go b/internal/sarif/sarif.go
index ed55640..fb1c5b7 100644
--- a/internal/sarif/sarif.go
+++ b/internal/sarif/sarif.go
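Review bot: In the `stack` hunk (`-286`), `Module: frame.Module + "@" + frame.Version` produces a trailing `@` with nothing after it whenever `frame.Version` is empty; the updated source-mode testdata in this same change shows exactly that for the main module (`"golang.org/vuln@"`). A SARIF consumer that splits `module` on `@` to recover a version then gets an empty version string instead of an absent one, and the identifier no longer round-trips to the bare module path. Guard the separator on the version being present: `m := frame.Module`, `if frame.Version != "" { m += "@" + frame.Version }`, then `Module: m,` in the literal. The body of `stack` starts and ends outside this hunk, and the origin of `frame.Version` (buildinfo in binary mode, module graph in source mode) is not visible here, so its format is taken on trust.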
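Review bot: The same unconditional concatenation appears in the `threadFlows` hunk (`-359`): `Module: frame.Module + "@" + frame.Version` yields `path@` for frames whose version is unknown, which the new `golang.org/vuln@` expectations in source_call_sarif.ct confirm. Since `stack` and `threadFlows` now build the identical string, a small helper such as `func moduleAtVersion(f *govulncheck.Frame) string` that returns `f.Module` when `f.Version == ""` and `f.Module + "@" + f.Version` otherwise keeps the two call sites consistent and removes the dangling separator in one place. `threadFlows`' enclosing loop and function begin and end outside this hunk.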
@@ -122,6 +122,9 @@ type ThreadFlow struct {
 }
 type ThreadFlowLocation struct {
+ // Module is module information in the form @.
+ // can be empty when the module version is not known as
+ // with, say, the source module analyzed.
 Module string `json:"module,omitempty"`
 // Location also contains a Message field.
 Location Location `json:"location,omitempty"`
@@ -138,6 +141,9 @@ type Stack struct {
 // Frame is effectively a module location. It can also contain thread and
 // parameter info, but those are not needed for govulncheck.
 type Frame struct {
+ // Module is module information in the form @.
+ // can be empty when the module version is not known as
+ // with, say, the source module analyzed.
 Module string `json:"module,omitempty"`
 Location Location `json:"location,omitempty"`
 }
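Review bot: The new comment on `ThreadFlowLocation.Module` (hunk `-122`) reads `in the form @.` followed by `can be empty when ...`, so as shown it never names what sits on either side of the `@`; the placeholder tokens were probably lost somewhere (angle-bracketed names would explain this), but a reader of the shipped file cannot tell. Spell them out without angle brackets so the sentence survives any rendering, and state what is actually emitted when the version is missing, which the handler change and the `"golang.org/vuln@"` testdata in this commit show is `path@`: `// Module identifies the module as "path@version", for example "github.com/tidwall/gjson@v1.6.5".` / `// The version is empty when it is not known, as for the main module of a source scan,` / `// in which case the string ends in a bare "@".` If the handler is later changed to drop the separator for an empty version, the last sentence should change with it.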
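Review bot: `Frame.Module` (hunk `-138`) carries the same three-line comment, with the same missing placeholder names around the `@` and the same vague "module information" phrasing, so the two doc comments will drift independently. Write it as `// Module identifies the module as "path@version"; the version part is empty when it is not known.` and point at `ThreadFlowLocation.Module` for the full description rather than duplicating it, since both fields are populated from the same `frame.Module`/`frame.Version` pair in handler.go.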