internal/sarif: add region part of the physical location
Updates golang/go#61347

Change-Id: I725012e4b028b879a0d1720fc47632e76e699c04
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/552955
Reviewed-by: Ian Cottrell <iancottrell@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
zpavlinovic committed Apr 3, 2024
1 parent d00c170 commit 33791bc
Showing 5 changed files with 260 additions and 36 deletions.
Expand Up @@ -109,14 +109,36 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
"level": "note",
"message": {
"text": "Your code depends on 1 vulnerable module (golang.org/x/text), but doesn't appear to call any of the vulnerable symbols."
}
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {},
"region": {
"startLine": 1
}
},
"message": {}
}
]
},
{
"ruleId": "GO-2021-0054",
"level": "error",
"message": {
"text": "Your code calls vulnerable functions in 1 package (github.com/tidwall/gjson)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {},
"region": {
"startLine": 1
}
},
"message": {}
}
],
"codeFlows": [
{
"threadFlows": [
Expand All @@ -127,7 +149,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
"location": {
"physicalLocation": {
"artifactLocation": {},
"region": {}
"region": {
"startLine": 14,
"startColumn": 20
}
},
"message": {
"text": "golang.org/vuln.main"
Expand All @@ -139,7 +164,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
"location": {
"physicalLocation": {
"artifactLocation": {},
"region": {}
"region": {
"startLine": 297,
"startColumn": 12
}
},
"message": {
"text": "github.com/tidwall/gjson.Result.Get"
Expand All @@ -151,7 +179,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
"location": {
"physicalLocation": {
"artifactLocation": {},
"region": {}
"region": {
"startLine": 1881,
"startColumn": 36
}
},
"message": {
"text": "github.com/tidwall/gjson.Get"
Expand All @@ -163,7 +194,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
"location": {
"physicalLocation": {
"artifactLocation": {},
"region": {}
"region": {
"startLine": 220,
"startColumn": 17
}
},
"message": {
"text": "github.com/tidwall/gjson.Result.ForEach"
Expand All @@ -189,7 +223,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
"location": {
"physicalLocation": {
"artifactLocation": {},
"region": {}
"region": {
"startLine": 14,
"startColumn": 20
}
},
"message": {
"text": "golang.org/vuln.main"
Expand All @@ -201,7 +238,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
"location": {
"physicalLocation": {
"artifactLocation": {},
"region": {}
"region": {
"startLine": 297,
"startColumn": 12
}
},
"message": {
"text": "github.com/tidwall/gjson.Result.Get"
Expand All @@ -213,7 +253,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
"location": {
"physicalLocation": {
"artifactLocation": {},
"region": {}
"region": {
"startLine": 1881,
"startColumn": 36
}
},
"message": {
"text": "github.com/tidwall/gjson.Get"
Expand All @@ -225,7 +268,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
"location": {
"physicalLocation": {
"artifactLocation": {},
"region": {}
"region": {
"startLine": 2587,
"startColumn": 21
}
},
"message": {
"text": "github.com/tidwall/gjson.execModifier"
Expand All @@ -237,7 +283,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
"location": {
"physicalLocation": {
"artifactLocation": {},
"region": {}
"region": {
"startLine": 2631,
"startColumn": 21
}
},
"message": {
"text": "github.com/tidwall/gjson.modPretty"
Expand All @@ -249,7 +298,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
"location": {
"physicalLocation": {
"artifactLocation": {},
"region": {}
"region": {
"startLine": 220,
"startColumn": 17
}
},
"message": {
"text": "github.com/tidwall/gjson.Result.ForEach"
Expand All @@ -266,6 +318,17 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
"message": {
"text": "Your code calls vulnerable functions in 1 package (golang.org/x/text/language)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {},
"region": {
"startLine": 1
}
},
"message": {}
}
],
"codeFlows": [
{
"threadFlows": [
Expand All @@ -276,7 +339,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
"location": {
"physicalLocation": {
"artifactLocation": {},
"region": {}
"region": {
"startLine": 13,
"startColumn": 16
}
},
"message": {
"text": "golang.org/vuln.main"
Expand All @@ -288,7 +354,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
"location": {
"physicalLocation": {
"artifactLocation": {},
"region": {}
"region": {
"startLine": 228,
"startColumn": 6
}
},
"message": {
"text": "golang.org/x/text/language.Parse"
Expand All @@ -314,7 +383,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
"location": {
"physicalLocation": {
"artifactLocation": {},
"region": {}
"region": {
"startLine": 13,
"startColumn": 16
}
},
"message": {
"text": "golang.org/vuln.main"
Expand All @@ -326,7 +398,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
"location": {
"physicalLocation": {
"artifactLocation": {},
"region": {}
"region": {
"startLine": 228,
"startColumn": 6
}
},
"message": {
"text": "golang.org/x/text/language.Parse"
Expand All @@ -343,6 +418,17 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
"message": {
"text": "Your code calls vulnerable functions in 1 package (github.com/tidwall/gjson)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {},
"region": {
"startLine": 1
}
},
"message": {}
}
],
"codeFlows": [
{
"threadFlows": [
Expand All @@ -353,7 +439,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
"location": {
"physicalLocation": {
"artifactLocation": {},
"region": {}
"region": {
"startLine": 14,
"startColumn": 20
}
},
"message": {
"text": "golang.org/vuln.main"
Expand All @@ -365,7 +454,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
"location": {
"physicalLocation": {
"artifactLocation": {},
"region": {}
"region": {
"startLine": 296,
"startColumn": 17
}
},
"message": {
"text": "github.com/tidwall/gjson.Result.Get"
Expand All @@ -391,7 +483,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
"location": {
"physicalLocation": {
"artifactLocation": {},
"region": {}
"region": {
"startLine": 14,
"startColumn": 20
}
},
"message": {
"text": "golang.org/vuln.main"
Expand All @@ -403,7 +498,10 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
"location": {
"physicalLocation": {
"artifactLocation": {},
"region": {}
"region": {
"startLine": 296,
"startColumn": 17
}
},
"message": {
"text": "github.com/tidwall/gjson.Result.Get"
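Review bot: In the newly added `locations` entries (the block under the GO-2021-0054 result near the top of this hunk, and the matching ones later in the file) the added `region` carries `"startLine": 1` while `artifactLocation` stays `{}`, so the result has a line but no artifact it refers to; a SARIF consumer that maps results onto files cannot place it, and a fixed line 1 reads as a placeholder rather than a real position. If the intent is to point at the module's dependency file, the entry would need something like `"artifactLocation": {"uri": "<path-of-located-file>"}` (placeholder value) alongside the region, though that change belongs to the emitter in internal/sarif, which is not part of this page. The same shape appears in the second file section (the `-scan module` output), which I have not noted separately. The thread-flow `region` values with real line and column numbers are consistent across the repeated call stacks, so only the result-level `locations` look incomplete.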
Expand Up @@ -109,28 +109,72 @@ $ govulncheck -format sarif -scan module -C ${moddir}/vuln
"level": "error",
"message": {
"text": "Your code depends on 1 vulnerable module (golang.org/x/text). Run the call-level analysis to understand whether your code actually calls the vulnerabilities."
}
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {},
"region": {
"startLine": 1
}
},
"message": {}
}
]
},
{
"ruleId": "GO-2021-0054",
"level": "error",
"message": {
"text": "Your code depends on 1 vulnerable module (github.com/tidwall/gjson). Run the call-level analysis to understand whether your code actually calls the vulnerabilities."
}
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {},
"region": {
"startLine": 1
}
},
"message": {}
}
]
},
{
"ruleId": "GO-2021-0113",
"level": "error",
"message": {
"text": "Your code depends on 1 vulnerable module (golang.org/x/text). Run the call-level analysis to understand whether your code actually calls the vulnerabilities."
}
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {},
"region": {
"startLine": 1
}
},
"message": {}
}
]
},
{
"ruleId": "GO-2021-0265",
"level": "error",
"message": {
"text": "Your code depends on 1 vulnerable module (github.com/tidwall/gjson). Run the call-level analysis to understand whether your code actually calls the vulnerabilities."
}
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {},
"region": {
"startLine": 1
}
},
"message": {}
}
]
}
]
}