
x/vuln: SARIF format incorrect for zero results #70157

Closed
@cbandy

Description

govulncheck version

Go: go1.22.8
Scanner: govulncheck@v1.1.3
DB: https://vuln.go.dev
DB updated: 2024-10-30 21:28:25 +0000 UTC

Does this issue reproduce at the latest version of golang.org/x/vuln?

Yes

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='arm64'
GOBIN=''
GOCACHE='/Users/cbandy/Library/Caches/go-build'
GOENV='/Users/cbandy/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMODCACHE='/Users/cbandy/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/cbandy/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/Users/cbandy/.local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/Users/cbandy/.local/go/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.22.8'
GCCGO='gccgo'
AR='ar'
CC='clang'
CXX='clang++'
CGO_ENABLED='1'
GOMOD='/Users/cbandy/tmp/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/b2/6dgjh_xn1xs_zmnnkrkhs9rh0000gn/T/go-build3343678873=/tmp/go-build -gno-record-gcc-switches -fno-common'

What did you do?

Run govulncheck in an empty project.

cd $(mktemp -d)
go mod init tmp
govulncheck -format sarif ./...

What did you see happen?

The scan finished and found no vulnerabilities, but the SARIF report contains no runs.results field.

{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "govulncheck",
          "semanticVersion": "v1.1.3",
          "informationUri": "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck",
          "properties": {
            "protocol_version": "v1.0.0",
            "scanner_name": "govulncheck",
            "scanner_version": "v1.1.3",
            "db": "https://vuln.go.dev",
            "db_last_modified": "2024-10-30T21:28:25Z",
            "go_version": "go1.22.8",
            "scan_level": "symbol",
            "scan_mode": "source"
          }
        }
      }
    }
  ]
}

What did you expect to see?

I expected a "results": [] field, as described by the SARIF spec.

3.14.23 results property

If the tool failed to start, … then results MAY be present. If it is present, its value SHALL be null.
If the tool started but failed to begin its analysis… then again results MAY be present, and if present SHALL be null.

In all other circumstances, results SHALL be present and SHALL contain all results detected by the tool. If the tool did not detect any results, results SHALL be an empty array.
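As an added example (not part of the issue or of x/vuln itself), here is a small Go filter that rewrites a govulncheck SARIF report on stdin so that any run lacking the results property gets "results": [], which is what the quoted section 3.14.23 requires of a run that completed and found nothing. The function and its name are mine; a run whose results is an explicit null is deliberately left alone, since the spec reserves null for a run whose analysis never started.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
)

// NormalizeResults adds "results": [] to every run that omits the property
// and returns the rewritten report plus the number of runs patched.
// json.RawMessage keeps the three cases apart: an absent property is simply
// not in the map, a JSON null is kept as the literal bytes "null", and an
// array is kept verbatim. Values are preserved; key order is not, because
// json.Marshal sorts map keys.
func NormalizeResults(doc []byte) ([]byte, int, error) {
	var top map[string]json.RawMessage
	if err := json.Unmarshal(doc, &top); err != nil {
		return nil, 0, err
	}
	var runs []map[string]json.RawMessage
	if err := json.Unmarshal(top["runs"], &runs); err != nil {
		return nil, 0, fmt.Errorf("sarif: bad or missing runs: %w", err)
	}
	patched := 0
	for _, run := range runs {
		if _, ok := run["results"]; !ok {
			run["results"] = json.RawMessage("[]")
			patched++
		}
	}
	raw, err := json.Marshal(runs)
	if err != nil {
		return nil, 0, err
	}
	top["runs"] = raw
	out, err := json.Marshal(top)
	return out, patched, err
}

// main filters stdin to stdout: govulncheck -format sarif ./... | go run .
func main() {
	doc, _ := io.ReadAll(os.Stdin)
	out, _, err := NormalizeResults(doc)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	os.Stdout.Write(out)
}
```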

Labels: NeedsInvestigation, vulncheck or vulndb