internal/scan: fix trace count bug

This change updates the text output for govulncheck to properly count
the number of called traces when printing. Previously, if two findings
were emitted for the same vuln, one of which was called and one of
which wasn't, the uncalled finding's traces were counted when they
shouldn't have been.

Change-Id: I54d52f8769901177835eb8501dc3f8dce380d882
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/525755
Run-TryBot: Maceo Thompson <maceothompson@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
diff --git a/internal/scan/testdata/mixed-calls.json b/internal/scan/testdata/mixed-calls.json
new file mode 100644
index 0000000..e08b43d
--- /dev/null
+++ b/internal/scan/testdata/mixed-calls.json
@@ -0,0 +1,66 @@
+{
+  "config": {
+    "protocol_version": "v0.1.0",
+    "scanner_name": "govulncheck"
+  }
+}
+{
+  "osv": {
+    "id": "GO-0000-0001",
+    "modified": "0001-01-01T00:00:00Z",
+    "published": "0001-01-01T00:00:00Z",
+    "details": "Third-party vulnerability",
+    "affected": [
+      {
+        "package": {
+          "name": "golang.org/vmod",
+          "ecosystem": ""
+        },
+        "ecosystem_specific": {
+          "imports": [
+            {
+              "goos": [
+                "amd"
+              ]
+            }
+          ]
+        }
+      }
+    ],
+    "database_specific": {
+      "url": "https://pkg.go.dev/vuln/GO-0000-0001"
+    }
+  }
+}
+{
+  "finding": {
+    "osv": "GO-0000-0001",
+    "fixed_version": "v0.1.3",
+    "trace": [
+      {
+        "module": "golang.org/vmod",
+        "version": "v0.0.1"
+      }
+    ]
+  }
+}
+{
+  "finding": {
+    "osv": "GO-0000-0001",
+    "fixed_version": "v0.1.3",
+    "trace": [
+      {
+        "module": "golang.org/vmod",
+        "version": "v0.0.1",
+        "package": "vmod",
+        "function": "VulnFoo"
+      },
+      {
+        "module": "golang.org/main",
+        "version": "v0.0.1",
+        "package": "main",
+        "function": "main"
+      }
+    ]
+  }
+}
\ No newline at end of file
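Review bot: This fixture contains only one called finding, so the golden output can only ever show `#1`. It pins the case where an uncalled finding precedes a called one, but not that numbering stays consecutive when an uncalled finding sits between two called ones. Adding a third `finding` for GO-0000-0001 with its own `function` frames, ordered so that the uncalled entry is in the middle, would make the expected text contain both `#1` and `#2` and guard the counter against regressions.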
diff --git a/internal/scan/testdata/mixed-calls.txt b/internal/scan/testdata/mixed-calls.txt
new file mode 100644
index 0000000..8a47c58
--- /dev/null
+++ b/internal/scan/testdata/mixed-calls.txt
@@ -0,0 +1,13 @@
+Vulnerability #1: GO-0000-0001
+    Third-party vulnerability
+  More info: https://pkg.go.dev/vuln/GO-0000-0001
+  Module: golang.org/vmod
+    Found in: golang.org/vmod@v0.0.1
+    Fixed in: golang.org/vmod@v0.1.3
+    Platforms: amd
+    Example traces found:
+      #1: main.main calls vmod.VulnFoo
+
+Your code is affected by 1 vulnerability from 1 module.
+
+Share feedback at https://go.dev/s/govulncheck-feedback.
diff --git a/internal/scan/text.go b/internal/scan/text.go
index 879f5ab..4afcf3f 100644
--- a/internal/scan/text.go
+++ b/internal/scan/text.go
@@ -232,7 +232,8 @@
 
 func (h *TextHandler) traces(traces []*findingSummary) {
 	first := true
-	for i, entry := range traces {
+	count := 1
+	for _, entry := range traces {
 		if entry.Compact == "" {
 			continue
 		}
@@ -241,7 +242,8 @@
 		}
 		first = false
 
-		h.print("      #", i+1, ": ")
+		h.print("      #", count, ": ")
+		count++
 		if !h.showTraces {
 			h.print(entry.Compact, "\n")
 		} else {
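Review bot: After this change `first` and `count` in `traces` appear to track the same state: both are updated only after the `entry.Compact == ""` skip, so `first` is true exactly while `count` is still 1. The two lines between the hunks that read `first` are not visible here, but if they only emit a separator the flag could be dropped in favour of `if count > 1 { ... }`, leaving a single piece of state to keep in step. Either way, `count := 1` in the earlier hunk deserves a comment such as `// count numbers only the traces that are printed; entries with an empty Compact are skipped`, since a wrong index in this output misleads whoever is triaging the finding. The function body continues past the end of this hunk.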