internal/vulncheck: add relative paths for vendored paths

packages.Load does not provide a path for a module if the module is
vendored. Vendored package and file paths are available so we
reconstruct the vendored module directory from them.

Change-Id: I75784a358e74c6c413b0e6d89e6bfc599a46efe0
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/559535
Reviewed-by: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>

cmd/govulncheck/testdata/testfiles/source-call/source_replace_json.ct

@@ -135,8 +135,7 @@ $ govulncheck -C ${moddir}/replace -json ./...
     "trace": [
       {
         "module": "stdlib",
-        "version": "v1.18.0",
-        "package": "net/http"
+        "version": "v1.18.0"
       }
     ]
   }

cmd/govulncheck/testdata/testfiles/source-call/source_vendored_json.ct

@@ -250,6 +250,7 @@ $ govulncheck -C ${moddir}/vendored -json ./...
         "function": "Get",
         "receiver": "Result",
         "position": {
+          "filename": "gjson.go",
           "offset": <o>,
           "line": <l>,
           "column": <c>
@@ -261,6 +262,7 @@ $ govulncheck -C ${moddir}/vendored -json ./...
         "package": "private.com/privateuser/fakemod",
         "function": "Leave",
         "position": {
+          "filename": "mod.go",
           "offset": <o>,
           "line": <l>,
           "column": <c>
@@ -381,6 +383,7 @@ $ govulncheck -C ${moddir}/vendored -json ./...
         "package": "golang.org/x/text/language",
         "function": "Parse",
         "position": {
+          "filename": "language/language.go",
           "offset": <o>,
           "line": <l>,
           "column": <c>

cmd/govulncheck/testdata/testfiles/stdlib/source_stdlib_json.ct

@@ -135,8 +135,7 @@ $ govulncheck -C ${moddir}/stdlib -json .
     "trace": [
       {
         "module": "stdlib",
-        "version": "v1.18.0",
-        "package": "net/http"
+        "version": "v1.18.0"
       }
     ]
   }

internal/vulncheck/emit.go

@@ -6,8 +6,10 @@ package vulncheck
 
 import (
 	"go/token"
+	"os"
 	"path/filepath"
 	"sort"
+	"strings"
 
 	"golang.org/x/tools/go/packages"
 	"golang.org/x/vuln/internal/govulncheck"
@@ -147,13 +149,33 @@ func pathRelativeToMod(path string, f *FuncNode) string {
 		mod = mod.Replace // for replace directive
 	}
 
-	p, err := filepath.Rel(mod.Dir, path)
+	modDir := modDirWithVendor(mod.Dir, path, mod.Path)
+	p, err := filepath.Rel(modDir, path)
 	if err != nil {
 		return ""
 	}
 	return p
 }
 
+// modDirWithVendor returns modDir if modDir is not empty.
+// Otherwise, the module might be located in the vendor
+// directory. This function attempts to reconstruct the
+// vendored module directory from path and module. It
+// returns an empty string if reconstruction fails.
+func modDirWithVendor(modDir, path, module string) string {
+	if modDir != "" {
+		return modDir
+	}
+
+	sep := string(os.PathSeparator)
+	vendor := sep + "vendor" + sep
+	vendorIndex := strings.Index(path, vendor)
+	if vendorIndex == -1 {
+		return ""
+	}
+	return filepath.Join(path[:vendorIndex], "vendor", filepath.FromSlash(module))
+}
+
 func frameFromPackage(pkg *packages.Package) *govulncheck.Frame {
 	fr := &govulncheck.Frame{}
 	if pkg != nil {