cmd/govulncheck: better mask new (sbom) versions

Using +dirty to match binary versions produced by new go build stamping
feature is not sufficient. In general, the build version will depend on
the git state and the vuln repo version. We hence only emit sbom
messages for the prebuild binaries.

Updates golang/go#70523

Change-Id: Id55307b4cef2af3f4ff4685bb34f001554fa4dd4
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/632155
Reviewed-by: Dmitri Shuralyov <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Ian Cottrell <[email protected]>

Author: zpavlinovic

cmd/govulncheck/main_test.go

@@ -93,7 +93,7 @@ func runTestCase(t *testing.T, tcName, testDir string) {
 
 	os.Setenv("moddir", modulesDir)
 	os.Setenv("testdir", testfilesDir)
-	runTestSuite(t, testfilesDir, govulndbURI.String(), cfg.Fixups, *update)
+	runTestSuite(t, testfilesDir, govulndbURI.String(), cfg, *update)
 }
 
 // Limit the number of concurrent scans. Scanning is implemented using
@@ -117,7 +117,7 @@ var (
 // testSuite creates a cmdtest suite from testfilesDir. It also defines
 // a govulncheck command on the suite that runs govulncheck against
 // vulnerability database available at vulndbDir.
-func runTestSuite(t *testing.T, testfilesDir string, vulndbDir string, fixups []fixup, update bool) {
+func runTestSuite(t *testing.T, testfilesDir string, vulndbDir string, cfg *config, update bool) {
 	parallelLimiterInit.Do(func() {
 		limit := (runtime.GOMAXPROCS(0) + 3) / 4
 		if limit > 2 && unsafe.Sizeof(uintptr(0)) < 8 {
@@ -173,14 +173,17 @@ func runTestSuite(t *testing.T, testfilesDir string, vulndbDir string, fixups []
 			if err := govulncheck.HandleJSON(buf, gather); err != nil {
 				return nil, err
 			}
+			if !cfg.EnableSBOM {
+				gather.SBOMMessages = nil
+			}
 			sorted = &bytes.Buffer{}
 			h := govulncheck.NewJSONHandler(sorted)
 			if err := gather.Write(h); err != nil {
 				return nil, err
 			}
 		}
 		out := sorted.Bytes()
-		for _, fix := range fixups {
+		for _, fix := range cfg.Fixups {
 			out = fix.apply(out)
 		}
 		return out, err

cmd/govulncheck/test_utils.go

@@ -77,6 +77,9 @@ type config struct {
 	SkipBuild bool `json:"skipBuild,omitempty"`
 	// Strip indicates if binaries should be stripped
 	Strip bool `json:"strip,omitempty"`
+	// EnableSBOM indicates if sbom should be
+	// printed in JSON.
+	EnableSBOM bool `json:"sbom,omitempty"`
 
 	Fixups []fixup `json:"fixups,omitempty"`
 }

cmd/govulncheck/testdata/common/config.json

@@ -1,4 +1,5 @@
 {
+  "sbom": false,
   "fixups": [
     {
       "pattern": "Scanning your code and (\\d+) packages across (\\d+)",
@@ -43,10 +44,6 @@
     {
       "pattern": "path\": \"stdlib\",\n *\"version\": \"(.*)\"",
       "replace": "path\": \"stdlib\",\n        \"version\": \"v1.18.0\""
-    },
-    {
-      "pattern": "\"version\": \"(.*)dirty\"",
-      "replace": "\"version\": \"(devel)\""
     }
   ]
 }

cmd/govulncheck/testdata/common/testfiles/binary-call/binary_call_json.ct

@@ -27,40 +27,6 @@ $ govulncheck -format json -mode binary ${common_vuln_binary}
     "message": "Checking the binary against the vulnerabilities..."
   }
 }
-{
-  "SBOM": {
-    "go_version": "go1.18",
-    "modules": [
-      {
-        "path": "golang.org/vuln",
-        "version": "(devel)"
-      },
-      {
-        "path": "github.com/tidwall/gjson",
-        "version": "v1.6.5"
-      },
-      {
-        "path": "github.com/tidwall/match",
-        "version": "v1.1.0"
-      },
-      {
-        "path": "github.com/tidwall/pretty",
-        "version": "v1.2.0"
-      },
-      {
-        "path": "golang.org/x/text",
-        "version": "v0.3.0"
-      },
-      {
-        "path": "stdlib",
-        "version": "v1.18.0"
-      }
-    ],
-    "roots": [
-      "golang.org/vuln"
-    ]
-  }
-}
 {
   "osv": {
     "schema_version": "1.3.1",

cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vendored_json.ct

@@ -27,36 +27,6 @@ $ govulncheck -format json -mode binary ${common_vendored_binary}
     "message": "Checking the binary against the vulnerabilities..."
   }
 }
-{
-  "SBOM": {
-    "go_version": "go1.18",
-    "modules": [
-      {
-        "path": "golang.org/vendored",
-        "version": "(devel)"
-      },
-      {
-        "path": "github.com/tidwall/gjson",
-        "version": "v1.6.5"
-      },
-      {
-        "path": "golang.org/x/text",
-        "version": "v0.3.0"
-      },
-      {
-        "path": "private.com/privateuser/fakemod",
-        "version": "v1.0.0"
-      },
-      {
-        "path": "stdlib",
-        "version": "v1.18.0"
-      }
-    ],
-    "roots": [
-      "golang.org/vendored"
-    ]
-  }
-}
 {
   "osv": {
     "schema_version": "1.3.1",

cmd/govulncheck/testdata/common/testfiles/binary-module/binary_module_json.ct

@@ -27,40 +27,6 @@ $ govulncheck -format json -mode binary -scan module ${common_vuln_binary}
     "message": "Checking the binary against the vulnerabilities..."
   }
 }
-{
-  "SBOM": {
-    "go_version": "go1.18",
-    "modules": [
-      {
-        "path": "golang.org/vuln",
-        "version": "(devel)"
-      },
-      {
-        "path": "github.com/tidwall/gjson",
-        "version": "v1.6.5"
-      },
-      {
-        "path": "github.com/tidwall/match",
-        "version": "v1.1.0"
-      },
-      {
-        "path": "github.com/tidwall/pretty",
-        "version": "v1.2.0"
-      },
-      {
-        "path": "golang.org/x/text",
-        "version": "v0.3.0"
-      },
-      {
-        "path": "stdlib",
-        "version": "v1.18.0"
-      }
-    ],
-    "roots": [
-      "golang.org/vuln"
-    ]
-  }
-}
 {
   "osv": {
     "schema_version": "1.3.1",

cmd/govulncheck/testdata/common/testfiles/binary-package/binary_package_json.ct

@@ -27,40 +27,6 @@ $ govulncheck -format json -mode binary -scan package ${common_vuln_binary}
     "message": "Checking the binary against the vulnerabilities..."
   }
 }
-{
-  "SBOM": {
-    "go_version": "go1.18",
-    "modules": [
-      {
-        "path": "golang.org/vuln",
-        "version": "(devel)"
-      },
-      {
-        "path": "github.com/tidwall/gjson",
-        "version": "v1.6.5"
-      },
-      {
-        "path": "github.com/tidwall/match",
-        "version": "v1.1.0"
-      },
-      {
-        "path": "github.com/tidwall/pretty",
-        "version": "v1.2.0"
-      },
-      {
-        "path": "golang.org/x/text",
-        "version": "v0.3.0"
-      },
-      {
-        "path": "stdlib",
-        "version": "v1.18.0"
-      }
-    ],
-    "roots": [
-      "golang.org/vuln"
-    ]
-  }
-}
 {
   "osv": {
     "schema_version": "1.3.1",

cmd/govulncheck/testdata/common/testfiles/source-call/source_call_json.ct

@@ -22,40 +22,6 @@ $ govulncheck -C ${moddir}/vuln -format json ./...
     "message": "Checking the code against the vulnerabilities..."
   }
 }
-{
-  "SBOM": {
-    "go_version": "go1.18",
-    "modules": [
-      {
-        "path": "golang.org/vuln"
-      },
-      {
-        "path": "github.com/tidwall/gjson",
-        "version": "v1.6.5"
-      },
-      {
-        "path": "github.com/tidwall/match",
-        "version": "v1.1.0"
-      },
-      {
-        "path": "github.com/tidwall/pretty",
-        "version": "v1.2.0"
-      },
-      {
-        "path": "golang.org/x/text",
-        "version": "v0.3.0"
-      },
-      {
-        "path": "stdlib",
-        "version": "v1.18.0"
-      }
-    ],
-    "roots": [
-      "golang.org/vuln",
-      "golang.org/vuln/subdir"
-    ]
-  }
-}
 {
   "osv": {
     "schema_version": "1.3.1",

cmd/govulncheck/testdata/common/testfiles/source-call/source_multientry_json.ct

@@ -23,27 +23,6 @@ $ govulncheck -format json -C ${moddir}/multientry .
     "message": "Checking the code against the vulnerabilities..."
   }
 }
-{
-  "SBOM": {
-    "go_version": "go1.18",
-    "modules": [
-      {
-        "path": "golang.org/multientry"
-      },
-      {
-        "path": "golang.org/x/text",
-        "version": "v0.3.5"
-      },
-      {
-        "path": "stdlib",
-        "version": "v1.18.0"
-      }
-    ],
-    "roots": [
-      "golang.org/multientry"
-    ]
-  }
-}
 {
   "osv": {
     "schema_version": "1.3.1",

cmd/govulncheck/testdata/common/testfiles/source-call/source_replace_json.ct

@@ -23,27 +23,6 @@ $ govulncheck -C ${moddir}/replace -format json ./...
     "message": "Checking the code against the vulnerabilities..."
   }
 }
-{
-  "SBOM": {
-    "go_version": "go1.18",
-    "modules": [
-      {
-        "path": "golang.org/replace"
-      },
-      {
-        "path": "golang.org/x/text",
-        "version": "v0.3.0"
-      },
-      {
-        "path": "stdlib",
-        "version": "v1.18.0"
-      }
-    ],
-    "roots": [
-      "golang.org/replace"
-    ]
-  }
-}
 {
   "osv": {
     "schema_version": "1.3.1",