
x/vuln: SARIF format incorrect for zero results #70157

Closed
cbandy opened this issue Nov 1, 2024 · 5 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo

Comments

@cbandy

cbandy commented Nov 1, 2024

govulncheck version

Go: go1.22.8
Scanner: [email protected]
DB: https://vuln.go.dev
DB updated: 2024-10-30 21:28:25 +0000 UTC

Does this issue reproduce at the latest version of golang.org/x/vuln?

Yes

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='arm64'
GOBIN=''
GOCACHE='/Users/cbandy/Library/Caches/go-build'
GOENV='/Users/cbandy/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMODCACHE='/Users/cbandy/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/cbandy/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/Users/cbandy/.local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/Users/cbandy/.local/go/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.22.8'
GCCGO='gccgo'
AR='ar'
CC='clang'
CXX='clang++'
CGO_ENABLED='1'
GOMOD='/Users/cbandy/tmp/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/b2/6dgjh_xn1xs_zmnnkrkhs9rh0000gn/T/go-build3343678873=/tmp/go-build -gno-record-gcc-switches -fno-common'

What did you do?

Run govulncheck in an empty project.

cd $(mktemp -d)
go mod init tmp
govulncheck -format sarif ./...

What did you see happen?

The scan finished and found no vulnerabilities, but the SARIF report contains no runs.results field.

{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "govulncheck",
          "semanticVersion": "v1.1.3",
          "informationUri": "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck",
          "properties": {
            "protocol_version": "v1.0.0",
            "scanner_name": "govulncheck",
            "scanner_version": "v1.1.3",
            "db": "https://vuln.go.dev",
            "db_last_modified": "2024-10-30T21:28:25Z",
            "go_version": "go1.22.8",
            "scan_level": "symbol",
            "scan_mode": "source"
          }
        }
      }
    }
  ]
}

What did you expect to see?

I expected a "results": [] field, as described by the SARIF spec.

3.14.23 results property

If the tool failed to start, … then results MAY be present. If it is present, its value SHALL be null.
If the tool started but failed to begin its analysis… then again results MAY be present, and if present SHALL be null.

In all other circumstances, results SHALL be present and SHALL contain all results detected by the tool. If the tool did not detect any results, results SHALL be an empty array.

@cbandy cbandy added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Nov 1, 2024
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Nov 1, 2024
@gabyhelp

gabyhelp commented Nov 1, 2024

Related Issues and Documentation


@cagedmantis cagedmantis added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Nov 1, 2024
@cagedmantis
Contributor

cc @golang/vulndb

@zpavlinovic zpavlinovic self-assigned this Nov 1, 2024
@zpavlinovic
Contributor

Thanks for reporting this; we'll fix this.

@gopherbot
Contributor

Change https://go.dev/cl/625355 mentions this issue: internal/sarif: ensure results follow sarif formatting requirements

@gopherbot
Contributor

Change https://go.dev/cl/625656 mentions this issue: internal/sarif: use empty arrays instead of nils
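The two CLs above replace nils with empty arrays; the following added example (not x/vuln's own code) shows why that matters for the report in this issue: in Go's encoding/json a nil slice tagged omitempty disappears from the output, a nil slice without omitempty becomes null, and only a non-nil empty slice becomes the [] that SARIF 3.14.23 requires. The Result type, the two run structs and resultsValid (which checks one run object, not the whole report) are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Result stands in for one SARIF result object (constructed for this example).
type Result map[string]any

// buggyRun mirrors the report above: omitempty drops a nil results slice
// entirely. fixedRun keeps the field; encodeFixed makes it [] instead of null.
type buggyRun struct {
	Results []Result `json:"results,omitempty"`
}
type fixedRun struct {
	Results []Result `json:"results"`
}

func encodeBuggy(results []Result) string {
	b, _ := json.Marshal(buggyRun{Results: results})
	return string(b)
}

func encodeFixed(results []Result) string {
	if results == nil {
		results = []Result{} // empty, non-nil slice marshals as []
	}
	b, _ := json.Marshal(fixedRun{Results: results})
	return string(b)
}

// resultsValid: per 3.14.23, a completed scan's results must be a (possibly empty) array.
func resultsValid(run string) bool {
	var m map[string]json.RawMessage
	if err := json.Unmarshal([]byte(run), &m); err != nil {
		return false
	}
	raw, ok := m["results"]
	if !ok || string(raw) == "null" {
		return false
	}
	var arr []json.RawMessage
	return json.Unmarshal(raw, &arr) == nil
}

func main() {
	fmt.Println(encodeBuggy(nil), resultsValid(encodeBuggy(nil))) // {} false
	fmt.Println(encodeFixed(nil), resultsValid(encodeFixed(nil))) // {"results":[]} true
}
```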
