Google Git
Sign in
go / vuln / refs/heads/master / . / cmd / govulncheck / testdata / common / testfiles / source-call / source_call_sarif.ct
blob: 6f77980879c13c146b716487cae3023ad31888b8 [file] [log] [blame]
#####
# Test sarif json output
$ govulncheck -C ${moddir}/vuln -format sarif ./...
{
"version": "2.1.0",
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"runs": [
{
"tool": {
"driver": {
"name": "govulncheck",
"semanticVersion": "v0.0.0",
"informationUri": "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck",
"properties": {
"protocol_version": "v1.0.0",
"scanner_name": "govulncheck",
"scanner_version": "v0.0.0-00000000000-20000101010101",
"db": "testdata/vulndb-v1",
"db_last_modified": "2023-04-03T15:57:51Z",
"go_version": "go1.18",
"scan_level": "symbol",
"scan_mode": "source"
},
"rules": [
{
"id": "GO-2020-0015",
"shortDescription": {
"text": "[GO-2020-0015] Infinite loop when decoding some inputs in golang.org/x/text"
},
"fullDescription": {
"text": "Infinite loop when decoding some inputs in golang.org/x/text"
},
"help": {
"text": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector."
},
"helpUri": "https://pkg.go.dev/vuln/GO-2020-0015",
"properties": {
"tags": [
"CVE-2020-14040",
"GHSA-5rcv-m4m3-hfh7"
]
}
},
{
"id": "GO-2021-0054",
"shortDescription": {
"text": "[GO-2021-0054] Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector."
},
"fullDescription": {
"text": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector."
},
"help": {
"text": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector."
},
"helpUri": "https://pkg.go.dev/vuln/GO-2021-0054",
"properties": {
"tags": [
"CVE-2020-36067",
"GHSA-p64j-r5f4-pwwx"
]
}
},
{
"id": "GO-2021-0113",
"shortDescription": {
"text": "[GO-2021-0113] Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack."
},
"fullDescription": {
"text": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack."
},
"help": {
"text": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack."
},
"helpUri": "https://pkg.go.dev/vuln/GO-2021-0113",
"properties": {
"tags": [
"CVE-2021-38561",
"GHSA-ppp9-7jff-5vj2"
]
}
},
{
"id": "GO-2021-0265",
"shortDescription": {
"text": "[GO-2021-0265] A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time."
},
"fullDescription": {
"text": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time."
},
"help": {
"text": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time."
},
"helpUri": "https://pkg.go.dev/vuln/GO-2021-0265",
"properties": {
"tags": [
"CVE-2021-42248",
"CVE-2021-42836",
"GHSA-c9gm-7rfj-8w5h",
"GHSA-ppj4-34rq-v8j9"
]
}
}
]
}
},
"results": [
{
"ruleId": "GO-2020-0015",
"level": "note",
"message": {
"text": "Your code depends on 1 vulnerable module (golang.org/x/text), but doesn't appear to call any of the vulnerable symbols."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "go.mod",
"uriBaseId": "%SRCROOT%"
},
"region": {
"startLine": 1
}
},
"message": {
"text": "Findings for vulnerability GO-2020-0015"
}
}
]
},
{
"ruleId": "GO-2021-0054",
"level": "error",
"message": {
"text": "Your code calls vulnerable functions in 1 package (github.com/tidwall/gjson)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "go.mod",
"uriBaseId": "%SRCROOT%"
},
"region": {
"startLine": 1
}
},
"message": {
"text": "Findings for vulnerability GO-2021-0054"
}
}
],
"codeFlows": [
{
"threadFlows": [
{
"locations": [
{
"module": "golang.org/vuln@",
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "vuln.go",
"uriBaseId": "%SRCROOT%"
},
"region": {
"startLine": 14,
"startColumn": 20
}
},
"message": {
"text": "golang.org/vuln.main"
}
}
},
{
"module": "github.com/tidwall/gjson@v1.6.5",
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
"uriBaseId": "%GOMODCACHE%"
},
"region": {
"startLine": 297,
"startColumn": 12
}
},
"message": {
"text": "github.com/tidwall/gjson.Result.Get"
}
}
},
{
"module": "github.com/tidwall/gjson@v1.6.5",
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
"uriBaseId": "%GOMODCACHE%"
},
"region": {
"startLine": 1881,
"startColumn": 36
}
},
"message": {
"text": "github.com/tidwall/gjson.Get"
}
}
},
{
"module": "github.com/tidwall/gjson@v1.6.5",
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
"uriBaseId": "%GOMODCACHE%"
},
"region": {
"startLine": 220,
"startColumn": 17
}
},
"message": {
"text": "github.com/tidwall/gjson.Result.ForEach"
}
}
}
]
}
],
"message": {
"text": "A summarized code flow for vulnerable function github.com/tidwall/gjson.Result.ForEach"
}
}
],
"stacks": [
{
"message": {
"text": "A call stack for vulnerable function github.com/tidwall/gjson.Result.ForEach"
},
"frames": [
{
"module": "golang.org/vuln@",
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "vuln.go",
"uriBaseId": "%SRCROOT%"
},
"region": {
"startLine": 14,
"startColumn": 20
}
},
"message": {
"text": "golang.org/vuln.main"
}
}
},
{
"module": "github.com/tidwall/gjson@v1.6.5",
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
"uriBaseId": "%GOMODCACHE%"
},
"region": {
"startLine": 297,
"startColumn": 12
}
},
"message": {
"text": "github.com/tidwall/gjson.Result.Get"
}
}
},
{
"module": "github.com/tidwall/gjson@v1.6.5",
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
"uriBaseId": "%GOMODCACHE%"
},
"region": {
"startLine": 1881,
"startColumn": 36
}
},
"message": {
"text": "github.com/tidwall/gjson.Get"
}
}
},
{
"module": "github.com/tidwall/gjson@v1.6.5",
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
"uriBaseId": "%GOMODCACHE%"
},
"region": {
"startLine": 2587,
"startColumn": 21
}
},
"message": {
"text": "github.com/tidwall/gjson.execModifier"
}
}
},
{
"module": "github.com/tidwall/gjson@v1.6.5",
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
"uriBaseId": "%GOMODCACHE%"
},
"region": {
"startLine": 2631,
"startColumn": 21
}
},
"message": {
"text": "github.com/tidwall/gjson.modPretty"
}
}
},
{
"module": "github.com/tidwall/gjson@v1.6.5",
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
"uriBaseId": "%GOMODCACHE%"
},
"region": {
"startLine": 220,
"startColumn": 17
}
},
"message": {
"text": "github.com/tidwall/gjson.Result.ForEach"
}
}
}
]
}
]
},
{
"ruleId": "GO-2021-0113",
"level": "error",
"message": {
"text": "Your code calls vulnerable functions in 1 package (golang.org/x/text/language)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "go.mod",
"uriBaseId": "%SRCROOT%"
},
"region": {
"startLine": 1
}
},
"message": {
"text": "Findings for vulnerability GO-2021-0113"
}
}
],
"codeFlows": [
{
"threadFlows": [
{
"locations": [
{
"module": "golang.org/vuln@",
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "vuln.go",
"uriBaseId": "%SRCROOT%"
},
"region": {
"startLine": 13,
"startColumn": 16
}
},
"message": {
"text": "golang.org/vuln.main"
}
}
},
{
"module": "golang.org/x/text@v0.3.0",
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "golang.org/x/text@v0.3.0/language/parse.go",
"uriBaseId": "%GOMODCACHE%"
},
"region": {
"startLine": 228,
"startColumn": 6
}
},
"message": {
"text": "golang.org/x/text/language.Parse"
}
}
}
]
}
],
"message": {
"text": "A summarized code flow for vulnerable function golang.org/x/text/language.Parse"
}
}
],
"stacks": [
{
"message": {
"text": "A call stack for vulnerable function golang.org/x/text/language.Parse"
},
"frames": [
{
"module": "golang.org/vuln@",
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "vuln.go",
"uriBaseId": "%SRCROOT%"
},
"region": {
"startLine": 13,
"startColumn": 16
}
},
"message": {
"text": "golang.org/vuln.main"
}
}
},
{
"module": "golang.org/x/text@v0.3.0",
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "golang.org/x/text@v0.3.0/language/parse.go",
"uriBaseId": "%GOMODCACHE%"
},
"region": {
"startLine": 228,
"startColumn": 6
}
},
"message": {
"text": "golang.org/x/text/language.Parse"
}
}
}
]
}
]
},
{
"ruleId": "GO-2021-0265",
"level": "error",
"message": {
"text": "Your code calls vulnerable functions in 1 package (github.com/tidwall/gjson)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "go.mod",
"uriBaseId": "%SRCROOT%"
},
"region": {
"startLine": 1
}
},
"message": {
"text": "Findings for vulnerability GO-2021-0265"
}
}
],
"codeFlows": [
{
"threadFlows": [
{
"locations": [
{
"module": "golang.org/vuln@",
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "vuln.go",
"uriBaseId": "%SRCROOT%"
},
"region": {
"startLine": 14,
"startColumn": 20
}
},
"message": {
"text": "golang.org/vuln.main"
}
}
},
{
"module": "github.com/tidwall/gjson@v1.6.5",
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
"uriBaseId": "%GOMODCACHE%"
},
"region": {
"startLine": 296,
"startColumn": 17
}
},
"message": {
"text": "github.com/tidwall/gjson.Result.Get"
}
}
}
]
}
],
"message": {
"text": "A summarized code flow for vulnerable function github.com/tidwall/gjson.Result.Get"
}
}
],
"stacks": [
{
"message": {
"text": "A call stack for vulnerable function github.com/tidwall/gjson.Result.Get"
},
"frames": [
{
"module": "golang.org/vuln@",
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "vuln.go",
"uriBaseId": "%SRCROOT%"
},
"region": {
"startLine": 14,
"startColumn": 20
}
},
"message": {
"text": "golang.org/vuln.main"
}
}
},
{
"module": "github.com/tidwall/gjson@v1.6.5",
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
"uriBaseId": "%GOMODCACHE%"
},
"region": {
"startLine": 296,
"startColumn": 17
}
},
"message": {
"text": "github.com/tidwall/gjson.Result.Get"
}
}
}
]
}
]
}
]
}
]
}