internal/sarif: improve GOMODCACHE relative paths

The paths are now indeed relative to %GOMODCACHE%.

Change-Id: I445f95dfdcda4bf053b28917482f9a39866f9dd3
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/581235
Reviewed-by: Ian Cottrell <iancottrell@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_sarif.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_sarif.ct
index be6a8e1..6f77980 100644
--- a/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_sarif.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_sarif.ct
@@ -177,7 +177,7 @@
                       "location": {
                         "physicalLocation": {
                           "artifactLocation": {
-                            "uri": "gjson.go",
+                            "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
                             "uriBaseId": "%GOMODCACHE%"
                           },
                           "region": {
@@ -195,7 +195,7 @@
                       "location": {
                         "physicalLocation": {
                           "artifactLocation": {
-                            "uri": "gjson.go",
+                            "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
                             "uriBaseId": "%GOMODCACHE%"
                           },
                           "region": {
@@ -213,7 +213,7 @@
                       "location": {
                         "physicalLocation": {
                           "artifactLocation": {
-                            "uri": "gjson.go",
+                            "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
                             "uriBaseId": "%GOMODCACHE%"
                           },
                           "region": {
@@ -263,7 +263,7 @@
                   "location": {
                     "physicalLocation": {
                       "artifactLocation": {
-                        "uri": "gjson.go",
+                        "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
                         "uriBaseId": "%GOMODCACHE%"
                       },
                       "region": {
@@ -281,7 +281,7 @@
                   "location": {
                     "physicalLocation": {
                       "artifactLocation": {
-                        "uri": "gjson.go",
+                        "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
                         "uriBaseId": "%GOMODCACHE%"
                       },
                       "region": {
@@ -299,7 +299,7 @@
                   "location": {
                     "physicalLocation": {
                       "artifactLocation": {
-                        "uri": "gjson.go",
+                        "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
                         "uriBaseId": "%GOMODCACHE%"
                       },
                       "region": {
@@ -317,7 +317,7 @@
                   "location": {
                     "physicalLocation": {
                       "artifactLocation": {
-                        "uri": "gjson.go",
+                        "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
                         "uriBaseId": "%GOMODCACHE%"
                       },
                       "region": {
@@ -335,7 +335,7 @@
                   "location": {
                     "physicalLocation": {
                       "artifactLocation": {
-                        "uri": "gjson.go",
+                        "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
                         "uriBaseId": "%GOMODCACHE%"
                       },
                       "region": {
@@ -402,7 +402,7 @@
                       "location": {
                         "physicalLocation": {
                           "artifactLocation": {
-                            "uri": "language/parse.go",
+                            "uri": "golang.org/x/text@v0.3.0/language/parse.go",
                             "uriBaseId": "%GOMODCACHE%"
                           },
                           "region": {
@@ -452,7 +452,7 @@
                   "location": {
                     "physicalLocation": {
                       "artifactLocation": {
-                        "uri": "language/parse.go",
+                        "uri": "golang.org/x/text@v0.3.0/language/parse.go",
                         "uriBaseId": "%GOMODCACHE%"
                       },
                       "region": {
@@ -519,7 +519,7 @@
                       "location": {
                         "physicalLocation": {
                           "artifactLocation": {
-                            "uri": "gjson.go",
+                            "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
                             "uriBaseId": "%GOMODCACHE%"
                           },
                           "region": {
@@ -569,7 +569,7 @@
                   "location": {
                     "physicalLocation": {
                       "artifactLocation": {
-                        "uri": "gjson.go",
+                        "uri": "github.com/tidwall/gjson@v1.6.5/gjson.go",
                         "uriBaseId": "%GOMODCACHE%"
                       },
                       "region": {
diff --git a/internal/sarif/handler.go b/internal/sarif/handler.go
index 744e951..3424857 100644
--- a/internal/sarif/handler.go
+++ b/internal/sarif/handler.go
@@ -8,6 +8,7 @@
 	"encoding/json"
 	"fmt"
 	"io"
+	"path/filepath"
 	"sort"
 
 	"golang.org/x/vuln/internal"
@@ -289,11 +290,12 @@
 			Module:   frame.Module + "@" + frame.Version,
 			Location: Location{Message: Description{Text: symbol(frame)}}, // show the (full) symbol name
 		}
+		file, base := fileURIInfo(pos.Filename, top.Module, frame.Module, frame.Version)
 		if h.cfg.ScanMode != govulncheck.ScanModeBinary {
 			sf.Location.PhysicalLocation = PhysicalLocation{
 				ArtifactLocation: ArtifactLocation{
-					URI:       pos.Filename,
-					URIBaseID: uriID(top.Module, frame.Module),
+					URI:       file,
+					URIBaseID: base,
 				},
 				Region: Region{
 					StartLine:   pos.Line,
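Review bot: `fileURIInfo` is called before the `h.cfg.ScanMode != govulncheck.ScanModeBinary` check, but `file` and `base` are only read inside that branch, so a binary-mode scan builds a joined path and then discards it. Moving `file, base := fileURIInfo(pos.Filename, top.Module, frame.Module, frame.Version)` to the first line inside the `if` keeps the computation next to its only use. The same placement appears in the hunk at -362. The enclosing function starts and ends outside this hunk.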
@@ -362,11 +364,12 @@
 				Module:   frame.Module + "@" + frame.Version,
 				Location: Location{Message: Description{Text: symbol(frame)}}, // show the (full) symbol name
 			}
+			file, base := fileURIInfo(pos.Filename, top.Module, frame.Module, frame.Version)
 			if h.cfg.ScanMode != govulncheck.ScanModeBinary {
 				tfl.Location.PhysicalLocation = PhysicalLocation{
 					ArtifactLocation: ArtifactLocation{
-						URI:       pos.Filename,
-						URIBaseID: uriID(top.Module, frame.Module),
+						URI:       file,
+						URIBaseID: base,
 					},
 					Region: Region{
 						StartLine:   pos.Line,
@@ -381,12 +384,12 @@
 	return tfs
 }
 
-func uriID(top, module string) string {
+func fileURIInfo(filename, top, module, version string) (string, string) {
 	if top == module {
-		return SrcRootID
+		return filename, SrcRootID
 	}
 	if module == internal.GoStdModulePath {
-		return GoRootID
+		return filename, GoRootID
 	}
-	return GoModCacheID
+	return filepath.ToSlash(filepath.Join(module+"@"+version, filename)), GoModCacheID
 }
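Review bot: The GOMODCACHE branch of `fileURIInfo` builds the directory as `module+"@"+version` from the raw module path, but the module cache stores escaped paths on disk (an uppercase letter becomes `!` plus its lowercase form, so `github.com/Azure/...` is kept under `github.com/!azure/...`). For such modules the emitted `uri` will not resolve under `%GOMODCACHE%` on a case-sensitive filesystem. If `golang.org/x/mod/module` is usable from this package, passing the path and version through `module.EscapePath` and `module.EscapeVersion` before the join would fix that; the `module` parameter would need a different name to avoid shadowing the package. Separately, `filepath.Join` cleans its result, so a `filename` that is absolute or contains `..` would silently produce a URI outside the module directory; presumably callers always pass a module-relative path, but that precondition is worth a doc comment, e.g. `// fileURIInfo returns the SARIF artifact URI for filename and the uriBaseId it is relative to; filename must be relative to the module root.`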