internal/sarif: add result stubs to run object

Other information (message, location, and stacks) will be added in future CLs. Updates golang/go#61347 Change-Id: I3bb78594372038817e379c16d452ff5159b26efc Reviewed-on: https://go-review.googlesource.com/c/vuln/+/549995 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Ian Cottrell <iancottrell@google.com> Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2023-12-14 21:41:27 +00:00 · 2023-12-14 21:41:27 +00:00 · 8f863e2f0f
--- a/cmd/govulncheck/testdata/testfiles/source-call/source_call_sarif.ct
+++ b/cmd/govulncheck/testdata/testfiles/source-call/source_call_sarif.ct
@ -121,7 +121,34 @@ $ govulncheck -C ${moddir}/vuln -format sarif ./...
            }
          ]
        }
-      }
+      },
+      "results": [
+        {
+          "ruleId": "GO-2020-0015",
+          "level": "note",
+          "message": {}
+        },
+        {
+          "ruleId": "GO-2021-0054",
+          "level": "error",
+          "message": {}
+        },
+        {
+          "ruleId": "GO-2021-0113",
+          "level": "error",
+          "message": {}
+        },
+        {
+          "ruleId": "GO-2021-0265",
+          "level": "error",
+          "message": {}
+        },
+        {
+          "ruleId": "GO-2022-0969",
+          "level": "note",
+          "message": {}
+        }
+      ]
    }
  ]
 }
--- a/cmd/govulncheck/testdata/testfiles/source-module/source_module_sarif.ct
+++ b/cmd/govulncheck/testdata/testfiles/source-module/source_module_sarif.ct
@ -121,7 +121,34 @@ $ govulncheck -format sarif -scan module -C ${moddir}/vuln
            }
          ]
        }
-      }
+      },
+      "results": [
+        {
+          "ruleId": "GO-2020-0015",
+          "level": "error",
+          "message": {}
+        },
+        {
+          "ruleId": "GO-2021-0054",
+          "level": "error",
+          "message": {}
+        },
+        {
+          "ruleId": "GO-2021-0113",
+          "level": "error",
+          "message": {}
+        },
+        {
+          "ruleId": "GO-2021-0265",
+          "level": "error",
+          "message": {}
+        },
+        {
+          "ruleId": "GO-2022-0969",
+          "level": "error",
+          "message": {}
+        }
+      ]
    }
  ]
 }
--- a/cmd/govulncheck/testdata/testfiles/source-package/source_package_sarif.ct
+++ b/cmd/govulncheck/testdata/testfiles/source-package/source_package_sarif.ct
@ -121,7 +121,34 @@ $ govulncheck -format sarif -scan package -C ${moddir}/vuln .
            }
          ]
        }
-      }
+      },
+      "results": [
+        {
+          "ruleId": "GO-2020-0015",
+          "level": "warning",
+          "message": {}
+        },
+        {
+          "ruleId": "GO-2021-0054",
+          "level": "error",
+          "message": {}
+        },
+        {
+          "ruleId": "GO-2021-0113",
+          "level": "error",
+          "message": {}
+        },
+        {
+          "ruleId": "GO-2021-0265",
+          "level": "error",
+          "message": {}
+        },
+        {
+          "ruleId": "GO-2022-0969",
+          "level": "warning",
+          "message": {}
+        }
+      ]
    }
  ]
 }
--- a/internal/sarif/handler.go
+++ b/internal/sarif/handler.go
@ -123,6 +123,7 @@ func toSarif(h *handler) Log {
 				Rules:          rules(h),
 			},
 		},
+		Results: results(h),
 	}

 	return Log{
@ -154,3 +155,44 @@ func rules(h *handler) []Rule {
 	sort.SliceStable(rs, func(i, j int) bool { return rs[i].ID < rs[j].ID })
 	return rs
 }
+
+func results(h *handler) []Result {
+	var results []Result
+	for _, fs := range h.findings {
+		res := Result{
+			RuleID: fs[0].OSV,
+			Level:  level(fs[0], h.cfg),
+			// TODO: add location, message, code flows, and stacks
+		}
+		results = append(results, res)
+	}
+	sort.SliceStable(results, func(i, j int) bool { return results[i].RuleID < results[j].RuleID }) // for deterministic output
+	return results
+}
+
+const (
+	errorLevel         = "error"
+	warningLevel       = "warning"
+	informationalLevel = "note"
+)
+
+func level(f *govulncheck.Finding, cfg *govulncheck.Config) string {
+	fr := f.Trace[0]
+	switch {
+	case cfg.ScanLevel.WantSymbols():
+		if fr.Function != "" {
+			return errorLevel
+		}
+		if fr.Package != "" {
+			return warningLevel
+		}
+		return informationalLevel
+	case cfg.ScanLevel.WantPackages():
+		if fr.Package != "" {
+			return errorLevel
+		}
+		return warningLevel
+	default:
+		return errorLevel
+	}
+}
--- a/internal/sarif/handler_test.go
+++ b/internal/sarif/handler_test.go
@ -12,7 +12,7 @@ import (
 	"golang.org/x/vuln/internal/govulncheck"
 )

-func level(f *govulncheck.Finding) string {
+func scanLevel(f *govulncheck.Finding) string {
 	fr := f.Trace[0]
 	if fr.Function != "" {
 		return "symbol"
@ -108,7 +108,7 @@ func TestHandlerSymbol(t *testing.T) {
 	}
 	got := make(map[string]string)
 	for osv, fs := range h.findings {
-		got[osv] = level(fs[0])
+		got[osv] = scanLevel(fs[0])
 	}
 	if diff := cmp.Diff(want, got); diff != "" {
 		t.Errorf("(-want;got+): %s", diff)
@ -182,7 +182,7 @@ func TestHandlerPackage(t *testing.T) {
 	}
 	got := make(map[string]string)
 	for osv, fs := range h.findings {
-		got[osv] = level(fs[0])
+		got[osv] = scanLevel(fs[0])
 	}
 	if diff := cmp.Diff(want, got); diff != "" {
 		t.Errorf("(-want;got+): %s", diff)
@ -234,7 +234,7 @@ func TestHandlerModule(t *testing.T) {
 	}
 	got := make(map[string]string)
 	for osv, fs := range h.findings {
-		got[osv] = level(fs[0])
+		got[osv] = scanLevel(fs[0])
 	}
 	if diff := cmp.Diff(want, got); diff != "" {
 		t.Errorf("(-want;got+): %s", diff)