cmd/govulncheck: better mask new (sbom) versions

Using +dirty to match binary versions produced by new go build stamping
feature is not sufficient. In general, the build version will depend on
the git state and the vuln repo version. We hence only emit sbom
messages for the prebuild binaries.

Updates golang/go#70523

Change-Id: Id55307b4cef2af3f4ff4685bb34f001554fa4dd4
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/632155
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
diff --git a/cmd/govulncheck/main_test.go b/cmd/govulncheck/main_test.go
index 21b6d21..5613de5 100644
--- a/cmd/govulncheck/main_test.go
+++ b/cmd/govulncheck/main_test.go
@@ -93,7 +93,7 @@
 
 	os.Setenv("moddir", modulesDir)
 	os.Setenv("testdir", testfilesDir)
-	runTestSuite(t, testfilesDir, govulndbURI.String(), cfg.Fixups, *update)
+	runTestSuite(t, testfilesDir, govulndbURI.String(), cfg, *update)
 }
 
 // Limit the number of concurrent scans. Scanning is implemented using
@@ -117,7 +117,7 @@
 // testSuite creates a cmdtest suite from testfilesDir. It also defines
 // a govulncheck command on the suite that runs govulncheck against
 // vulnerability database available at vulndbDir.
-func runTestSuite(t *testing.T, testfilesDir string, vulndbDir string, fixups []fixup, update bool) {
+func runTestSuite(t *testing.T, testfilesDir string, vulndbDir string, cfg *config, update bool) {
 	parallelLimiterInit.Do(func() {
 		limit := (runtime.GOMAXPROCS(0) + 3) / 4
 		if limit > 2 && unsafe.Sizeof(uintptr(0)) < 8 {
@@ -173,6 +173,9 @@
 			if err := govulncheck.HandleJSON(buf, gather); err != nil {
 				return nil, err
 			}
+			if !cfg.EnableSBOM {
+				gather.SBOMMessages = nil
+			}
 			sorted = &bytes.Buffer{}
 			h := govulncheck.NewJSONHandler(sorted)
 			if err := gather.Write(h); err != nil {
@@ -180,7 +183,7 @@
 			}
 		}
 		out := sorted.Bytes()
-		for _, fix := range fixups {
+		for _, fix := range cfg.Fixups {
 			out = fix.apply(out)
 		}
 		return out, err
diff --git a/cmd/govulncheck/test_utils.go b/cmd/govulncheck/test_utils.go
index 2043e24..826d6ca 100644
--- a/cmd/govulncheck/test_utils.go
+++ b/cmd/govulncheck/test_utils.go
@@ -77,6 +77,9 @@
 	SkipBuild bool `json:"skipBuild,omitempty"`
 	// Strip indicates if binaries should be stripped
 	Strip bool `json:"strip,omitempty"`
+	// EnableSBOM indicates if sbom should be
+	// printed in JSON.
+	EnableSBOM bool `json:"sbom,omitempty"`
 
 	Fixups []fixup `json:"fixups,omitempty"`
 }
diff --git a/cmd/govulncheck/testdata/common/config.json b/cmd/govulncheck/testdata/common/config.json
index f8cc97f..7fcb017 100644
--- a/cmd/govulncheck/testdata/common/config.json
+++ b/cmd/govulncheck/testdata/common/config.json
@@ -1,4 +1,5 @@
 {
+  "sbom": false,
   "fixups": [
     {
       "pattern": "Scanning your code and (\\d+) packages across (\\d+)",
@@ -43,10 +44,6 @@
     {
       "pattern": "path\": \"stdlib\",\n *\"version\": \"(.*)\"",
       "replace": "path\": \"stdlib\",\n        \"version\": \"v1.18.0\""
-    },
-    {
-      "pattern": "\"version\": \"(.*)dirty\"",
-      "replace": "\"version\": \"(devel)\""
     }
   ]
 }
diff --git a/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_call_json.ct b/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_call_json.ct
index 1cf7982..6ab4c79 100644
--- a/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_call_json.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_call_json.ct
@@ -28,40 +28,6 @@
   }
 }
 {
-  "SBOM": {
-    "go_version": "go1.18",
-    "modules": [
-      {
-        "path": "golang.org/vuln",
-        "version": "(devel)"
-      },
-      {
-        "path": "github.com/tidwall/gjson",
-        "version": "v1.6.5"
-      },
-      {
-        "path": "github.com/tidwall/match",
-        "version": "v1.1.0"
-      },
-      {
-        "path": "github.com/tidwall/pretty",
-        "version": "v1.2.0"
-      },
-      {
-        "path": "golang.org/x/text",
-        "version": "v0.3.0"
-      },
-      {
-        "path": "stdlib",
-        "version": "v1.18.0"
-      }
-    ],
-    "roots": [
-      "golang.org/vuln"
-    ]
-  }
-}
-{
   "osv": {
     "schema_version": "1.3.1",
     "id": "GO-2021-0265",
diff --git a/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vendored_json.ct b/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vendored_json.ct
index 33d88c2..30f1556 100644
--- a/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vendored_json.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vendored_json.ct
@@ -28,36 +28,6 @@
   }
 }
 {
-  "SBOM": {
-    "go_version": "go1.18",
-    "modules": [
-      {
-        "path": "golang.org/vendored",
-        "version": "(devel)"
-      },
-      {
-        "path": "github.com/tidwall/gjson",
-        "version": "v1.6.5"
-      },
-      {
-        "path": "golang.org/x/text",
-        "version": "v0.3.0"
-      },
-      {
-        "path": "private.com/privateuser/fakemod",
-        "version": "v1.0.0"
-      },
-      {
-        "path": "stdlib",
-        "version": "v1.18.0"
-      }
-    ],
-    "roots": [
-      "golang.org/vendored"
-    ]
-  }
-}
-{
   "osv": {
     "schema_version": "1.3.1",
     "id": "GO-2021-0265",
diff --git a/cmd/govulncheck/testdata/common/testfiles/binary-module/binary_module_json.ct b/cmd/govulncheck/testdata/common/testfiles/binary-module/binary_module_json.ct
index e2a8fa7..c94989d 100644
--- a/cmd/govulncheck/testdata/common/testfiles/binary-module/binary_module_json.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/binary-module/binary_module_json.ct
@@ -28,40 +28,6 @@
   }
 }
 {
-  "SBOM": {
-    "go_version": "go1.18",
-    "modules": [
-      {
-        "path": "golang.org/vuln",
-        "version": "(devel)"
-      },
-      {
-        "path": "github.com/tidwall/gjson",
-        "version": "v1.6.5"
-      },
-      {
-        "path": "github.com/tidwall/match",
-        "version": "v1.1.0"
-      },
-      {
-        "path": "github.com/tidwall/pretty",
-        "version": "v1.2.0"
-      },
-      {
-        "path": "golang.org/x/text",
-        "version": "v0.3.0"
-      },
-      {
-        "path": "stdlib",
-        "version": "v1.18.0"
-      }
-    ],
-    "roots": [
-      "golang.org/vuln"
-    ]
-  }
-}
-{
   "osv": {
     "schema_version": "1.3.1",
     "id": "GO-2021-0265",
diff --git a/cmd/govulncheck/testdata/common/testfiles/binary-package/binary_package_json.ct b/cmd/govulncheck/testdata/common/testfiles/binary-package/binary_package_json.ct
index 99c1fe2..9d81fd6 100644
--- a/cmd/govulncheck/testdata/common/testfiles/binary-package/binary_package_json.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/binary-package/binary_package_json.ct
@@ -28,40 +28,6 @@
   }
 }
 {
-  "SBOM": {
-    "go_version": "go1.18",
-    "modules": [
-      {
-        "path": "golang.org/vuln",
-        "version": "(devel)"
-      },
-      {
-        "path": "github.com/tidwall/gjson",
-        "version": "v1.6.5"
-      },
-      {
-        "path": "github.com/tidwall/match",
-        "version": "v1.1.0"
-      },
-      {
-        "path": "github.com/tidwall/pretty",
-        "version": "v1.2.0"
-      },
-      {
-        "path": "golang.org/x/text",
-        "version": "v0.3.0"
-      },
-      {
-        "path": "stdlib",
-        "version": "v1.18.0"
-      }
-    ],
-    "roots": [
-      "golang.org/vuln"
-    ]
-  }
-}
-{
   "osv": {
     "schema_version": "1.3.1",
     "id": "GO-2021-0265",
diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_json.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_json.ct
index b693d1e..cd5ff3c 100644
--- a/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_json.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_json.ct
@@ -23,40 +23,6 @@
   }
 }
 {
-  "SBOM": {
-    "go_version": "go1.18",
-    "modules": [
-      {
-        "path": "golang.org/vuln"
-      },
-      {
-        "path": "github.com/tidwall/gjson",
-        "version": "v1.6.5"
-      },
-      {
-        "path": "github.com/tidwall/match",
-        "version": "v1.1.0"
-      },
-      {
-        "path": "github.com/tidwall/pretty",
-        "version": "v1.2.0"
-      },
-      {
-        "path": "golang.org/x/text",
-        "version": "v0.3.0"
-      },
-      {
-        "path": "stdlib",
-        "version": "v1.18.0"
-      }
-    ],
-    "roots": [
-      "golang.org/vuln",
-      "golang.org/vuln/subdir"
-    ]
-  }
-}
-{
   "osv": {
     "schema_version": "1.3.1",
     "id": "GO-2021-0265",
diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_multientry_json.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_multientry_json.ct
index e99693d..cb69a7e 100644
--- a/cmd/govulncheck/testdata/common/testfiles/source-call/source_multientry_json.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/source-call/source_multientry_json.ct
@@ -24,27 +24,6 @@
   }
 }
 {
-  "SBOM": {
-    "go_version": "go1.18",
-    "modules": [
-      {
-        "path": "golang.org/multientry"
-      },
-      {
-        "path": "golang.org/x/text",
-        "version": "v0.3.5"
-      },
-      {
-        "path": "stdlib",
-        "version": "v1.18.0"
-      }
-    ],
-    "roots": [
-      "golang.org/multientry"
-    ]
-  }
-}
-{
   "osv": {
     "schema_version": "1.3.1",
     "id": "GO-2021-0113",
diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_replace_json.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_replace_json.ct
index 490588f..2f88b06 100644
--- a/cmd/govulncheck/testdata/common/testfiles/source-call/source_replace_json.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/source-call/source_replace_json.ct
@@ -24,27 +24,6 @@
   }
 }
 {
-  "SBOM": {
-    "go_version": "go1.18",
-    "modules": [
-      {
-        "path": "golang.org/replace"
-      },
-      {
-        "path": "golang.org/x/text",
-        "version": "v0.3.0"
-      },
-      {
-        "path": "stdlib",
-        "version": "v1.18.0"
-      }
-    ],
-    "roots": [
-      "golang.org/replace"
-    ]
-  }
-}
-{
   "osv": {
     "schema_version": "1.3.1",
     "id": "GO-2021-0113",
diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_vendored_json.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_vendored_json.ct
index 9b45acb..67b5446 100644
--- a/cmd/govulncheck/testdata/common/testfiles/source-call/source_vendored_json.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/source-call/source_vendored_json.ct
@@ -24,36 +24,6 @@
   }
 }
 {
-  "SBOM": {
-    "go_version": "go1.18",
-    "modules": [
-      {
-        "path": "golang.org/vendored"
-      },
-      {
-        "path": "github.com/tidwall/gjson",
-        "version": "v1.6.5"
-      },
-      {
-        "path": "golang.org/x/text",
-        "version": "v0.3.0"
-      },
-      {
-        "path": "private.com/privateuser/fakemod",
-        "version": "v1.0.0"
-      },
-      {
-        "path": "stdlib",
-        "version": "v1.18.0"
-      }
-    ],
-    "roots": [
-      "golang.org/vendored",
-      "golang.org/vendored/subdir"
-    ]
-  }
-}
-{
   "osv": {
     "schema_version": "1.3.1",
     "id": "GO-2021-0265",
diff --git a/cmd/govulncheck/testdata/common/testfiles/source-module/source_module_json.ct b/cmd/govulncheck/testdata/common/testfiles/source-module/source_module_json.ct
index 9f5b0be..8f8c639 100644
--- a/cmd/govulncheck/testdata/common/testfiles/source-module/source_module_json.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/source-module/source_module_json.ct
@@ -24,27 +24,6 @@
   }
 }
 {
-  "SBOM": {
-    "go_version": "go1.18",
-    "modules": [
-      {
-        "path": "golang.org/multientry"
-      },
-      {
-        "path": "golang.org/x/text",
-        "version": "v0.3.5"
-      },
-      {
-        "path": "stdlib",
-        "version": "v1.18.0"
-      }
-    ],
-    "roots": [
-      "golang.org/multientry"
-    ]
-  }
-}
-{
   "osv": {
     "schema_version": "1.3.1",
     "id": "GO-2021-0113",
diff --git a/cmd/govulncheck/testdata/common/testfiles/source-package/source_package_json.ct b/cmd/govulncheck/testdata/common/testfiles/source-package/source_package_json.ct
index 67aff07..2f9ecc8 100644
--- a/cmd/govulncheck/testdata/common/testfiles/source-package/source_package_json.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/source-package/source_package_json.ct
@@ -24,27 +24,6 @@
   }
 }
 {
-  "SBOM": {
-    "go_version": "go1.18",
-    "modules": [
-      {
-        "path": "golang.org/multientry"
-      },
-      {
-        "path": "golang.org/x/text",
-        "version": "v0.3.5"
-      },
-      {
-        "path": "stdlib",
-        "version": "v1.18.0"
-      }
-    ],
-    "roots": [
-      "golang.org/multientry"
-    ]
-  }
-}
-{
   "osv": {
     "schema_version": "1.3.1",
     "id": "GO-2021-0113",
diff --git a/cmd/govulncheck/testdata/main/config.json b/cmd/govulncheck/testdata/main/config.json
index 0967ef4..07ace85 100644
--- a/cmd/govulncheck/testdata/main/config.json
+++ b/cmd/govulncheck/testdata/main/config.json
@@ -1 +1,25 @@
-{}
+{
+  "sbom": true,
+  "fixups": [
+    {
+      "pattern": "\"scanner_version\": \"[^\"]*\"",
+      "replace": "\"scanner_version\": \"v0.0.0-00000000000-20000101010101\""
+    },
+    {
+      "pattern": "file:///(.*)/testdata/(.*)/vulndb",
+      "replace": "testdata/vulndb"
+    },
+    {
+      "pattern": "modified (.*)\\)",
+      "replace": "modified 01 Jan 21 00:00 UTC)"
+    },
+    {
+      "pattern": "\"go_version\": \"(go(.*)|devel(.*))\"",
+      "replace": "\"go_version\": \"go1.18\""
+    },
+    {
+      "pattern": "path\": \"stdlib\",\n *\"version\": \"(.*)\"",
+      "replace": "path\": \"stdlib\",\n        \"version\": \"v1.18.0\""
+    }
+  ]
+}
diff --git a/cmd/govulncheck/testdata/main/testfiles/binary/binary_call_json.ct b/cmd/govulncheck/testdata/main/testfiles/binary/binary_call_json.ct
new file mode 100644
index 0000000..c7fa971
--- /dev/null
+++ b/cmd/govulncheck/testdata/main/testfiles/binary/binary_call_json.ct
@@ -0,0 +1,228 @@
+# Test no vulnerabilities in main module with devel version.
+$ govulncheck -format json -mode=binary ${moddir}/vuln/vuln_main_devel
+{
+  "config": {
+    "protocol_version": "v1.0.0",
+    "scanner_name": "govulncheck",
+    "scanner_version": "v0.0.0-00000000000-20000101010101",
+    "db": "testdata/vulndb-v1",
+    "db_last_modified": "2023-04-03T15:57:51Z",
+    "scan_level": "symbol",
+    "scan_mode": "binary"
+  }
+}
+{
+  "progress": {
+    "message": "Scanning your binary for known vulnerabilities..."
+  }
+}
+{
+  "progress": {
+    "message": "Fetching vulnerabilities from the database..."
+  }
+}
+{
+  "progress": {
+    "message": "Checking the binary against the vulnerabilities..."
+  }
+}
+{
+  "SBOM": {
+    "go_version": "go1.18",
+    "modules": [
+      {
+        "path": "golang.org/vuln",
+        "version": "(devel)"
+      },
+      {
+        "path": "stdlib",
+        "version": "v1.18.0"
+      }
+    ],
+    "roots": [
+      "golang.org/vuln"
+    ]
+  }
+}
+{
+  "osv": {
+    "schema_version": "1.3.1",
+    "id": "GO-9999-9999",
+    "modified": "2023-04-03T15:57:51Z",
+    "published": "2021-04-14T20:04:52Z",
+    "aliases": [
+      "CVE-9999-99999",
+      "GHSA-9999-9999-9999"
+    ],
+    "summary": "A fake vulnerability in golang.org/x/vuln",
+    "details": "This is a fake vulnerability used only for testing purposes.",
+    "affected": [
+      {
+        "package": {
+          "name": "golang.org/vuln",
+          "ecosystem": "Go"
+        },
+        "ranges": [
+          {
+            "type": "SEMVER",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "0.3.3"
+              }
+            ]
+          }
+        ],
+        "ecosystem_specific": {
+          "imports": [
+            {
+              "path": "golang.org/vuln",
+              "symbols": [
+                "main"
+              ]
+            }
+          ]
+        }
+      }
+    ],
+    "database_specific": {
+      "url": "https://pkg.go.dev/vuln/GO-9999-9999"
+    }
+  }
+}
+
+# Test vulnerabilities in main module with v0.3.1 version.
+$ govulncheck -format json -mode=binary ${moddir}/vuln/vuln_main_v0.3.1
+{
+  "config": {
+    "protocol_version": "v1.0.0",
+    "scanner_name": "govulncheck",
+    "scanner_version": "v0.0.0-00000000000-20000101010101",
+    "db": "testdata/vulndb-v1",
+    "db_last_modified": "2023-04-03T15:57:51Z",
+    "scan_level": "symbol",
+    "scan_mode": "binary"
+  }
+}
+{
+  "progress": {
+    "message": "Scanning your binary for known vulnerabilities..."
+  }
+}
+{
+  "progress": {
+    "message": "Fetching vulnerabilities from the database..."
+  }
+}
+{
+  "progress": {
+    "message": "Checking the binary against the vulnerabilities..."
+  }
+}
+{
+  "SBOM": {
+    "go_version": "go1.18",
+    "modules": [
+      {
+        "path": "golang.org/vuln",
+        "version": "v0.3.1"
+      },
+      {
+        "path": "stdlib",
+        "version": "v1.18.0"
+      }
+    ],
+    "roots": [
+      "golang.org/vuln"
+    ]
+  }
+}
+{
+  "osv": {
+    "schema_version": "1.3.1",
+    "id": "GO-9999-9999",
+    "modified": "2023-04-03T15:57:51Z",
+    "published": "2021-04-14T20:04:52Z",
+    "aliases": [
+      "CVE-9999-99999",
+      "GHSA-9999-9999-9999"
+    ],
+    "summary": "A fake vulnerability in golang.org/x/vuln",
+    "details": "This is a fake vulnerability used only for testing purposes.",
+    "affected": [
+      {
+        "package": {
+          "name": "golang.org/vuln",
+          "ecosystem": "Go"
+        },
+        "ranges": [
+          {
+            "type": "SEMVER",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "0.3.3"
+              }
+            ]
+          }
+        ],
+        "ecosystem_specific": {
+          "imports": [
+            {
+              "path": "golang.org/vuln",
+              "symbols": [
+                "main"
+              ]
+            }
+          ]
+        }
+      }
+    ],
+    "database_specific": {
+      "url": "https://pkg.go.dev/vuln/GO-9999-9999"
+    }
+  }
+}
+{
+  "finding": {
+    "osv": "GO-9999-9999",
+    "fixed_version": "v0.3.3",
+    "trace": [
+      {
+        "module": "golang.org/vuln",
+        "version": "v0.3.1"
+      }
+    ]
+  }
+}
+{
+  "finding": {
+    "osv": "GO-9999-9999",
+    "fixed_version": "v0.3.3",
+    "trace": [
+      {
+        "module": "golang.org/vuln",
+        "version": "v0.3.1",
+        "package": "golang.org/vuln"
+      }
+    ]
+  }
+}
+{
+  "finding": {
+    "osv": "GO-9999-9999",
+    "fixed_version": "v0.3.3",
+    "trace": [
+      {
+        "module": "golang.org/vuln",
+        "version": "v0.3.1",
+        "package": "golang.org/vuln",
+        "function": "main"
+      }
+    ]
+  }
+}
diff --git a/cmd/govulncheck/testdata/main/testfiles/binary/binary_call_text.ct b/cmd/govulncheck/testdata/main/testfiles/binary/binary_call_text.ct
index 41993f6..bb19b79 100644
--- a/cmd/govulncheck/testdata/main/testfiles/binary/binary_call_text.ct
+++ b/cmd/govulncheck/testdata/main/testfiles/binary/binary_call_text.ct
@@ -3,7 +3,6 @@
 $ govulncheck -mode=binary ${moddir}/vuln/vuln_main_devel
 No vulnerabilities found.
 
-
 # Test vulnerabilities in main module with v0.3.1 version.
 $ govulncheck -mode=binary ${moddir}/vuln/vuln_main_v0.3.1 --> FAIL 3
 === Symbol Results ===
diff --git a/cmd/govulncheck/testdata/nogomod/config.json b/cmd/govulncheck/testdata/nogomod/config.json
index 3b52192..bbbf93d 100644
--- a/cmd/govulncheck/testdata/nogomod/config.json
+++ b/cmd/govulncheck/testdata/nogomod/config.json
@@ -1,4 +1,5 @@
 {
+  "sbom": false,
   "copy": true,
   "skipBuild": true
 }
diff --git a/cmd/govulncheck/testdata/stdlib/config.json b/cmd/govulncheck/testdata/stdlib/config.json
index bed4dcd..90ee3f5 100644
--- a/cmd/govulncheck/testdata/stdlib/config.json
+++ b/cmd/govulncheck/testdata/stdlib/config.json
@@ -1,4 +1,5 @@
 {
+  "sbom": false,
   "fixups": [
     {
       "pattern": "\\.go:(\\d+):(\\d+)",
diff --git a/cmd/govulncheck/testdata/stdlib/testfiles/stdlib/source_stdlib_json.ct b/cmd/govulncheck/testdata/stdlib/testfiles/stdlib/source_stdlib_json.ct
index 57d96ee..eab675d 100644
--- a/cmd/govulncheck/testdata/stdlib/testfiles/stdlib/source_stdlib_json.ct
+++ b/cmd/govulncheck/testdata/stdlib/testfiles/stdlib/source_stdlib_json.ct
@@ -24,23 +24,6 @@
   }
 }
 {
-  "SBOM": {
-    "go_version": "go1.18",
-    "modules": [
-      {
-        "path": "golang.org/stdlib"
-      },
-      {
-        "path": "stdlib",
-        "version": "v1.18.0"
-      }
-    ],
-    "roots": [
-      "golang.org/stdlib"
-    ]
-  }
-}
-{
   "osv": {
     "schema_version": "1.3.1",
     "id": "GO-2022-0969",
diff --git a/cmd/govulncheck/testdata/strip/config.json b/cmd/govulncheck/testdata/strip/config.json
index ec98bef..875b1bb 100644
--- a/cmd/govulncheck/testdata/strip/config.json
+++ b/cmd/govulncheck/testdata/strip/config.json
@@ -1,4 +1,5 @@
 {
+  "sbom": false,
   "strip": true,
   "skipGOOS": ["darwin"]
 }