Add additional tags in rules plus some end to end tests to ensure no regression

go.mod

@@ -3,6 +3,7 @@ module github.com/tjgurwara99/vulnny
 go 1.20
 
 require (
+	github.com/tjgurwara99/mixtape v0.0.4
 	golang.org/x/tools v0.5.1-0.20230117180257-8aba49bb5ea2
 	golang.org/x/vuln v0.0.0-20230201222900-4c848edceff1
 )

go.sum

@@ -1,6 +1,8 @@
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI=
 github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
+github.com/tjgurwara99/mixtape v0.0.4 h1:ryD5pDn063SHBi/d/nvJhehmgHLJZ5iN5vNehpCwecE=
+github.com/tjgurwara99/mixtape v0.0.4/go.mod h1:rWb4gvSbZQMsyG+5bsnuffPckEk+PkRhkC/fXmwmYZY=
 golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e h1:+WEEuIdZHnUeJJmEUjyYC2gfUMj69yZXw17EnHg/otA=
 golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e/go.mod h1:Kr81I6Kryrl9sr8s2FK3vxD90NdsKWRuOIl2O4CvYbA=
 golang.org/x/mod v0.7.0 h1:LapD9S96VoQRhi/GrNTqeBJFrUjs5UHCAtTlgwA5oZA=

internal/sarif/sarif.go

@@ -53,6 +53,8 @@ func FromResult(r *vulncheck.Result) (*Log, error) {
 		}
 		level := LevelError
 		ruleID := v.OSV.ID
+		tags := []string{"security", "vulnerability"}
+		tags = append(tags, v.OSV.Aliases...)
 		rule := ReportingDescriptor{
 			ID:      ruleID,
 			Name:    "VulnerablePackage",
@@ -69,7 +71,7 @@ func FromResult(r *vulncheck.Result) (*Log, error) {
 				Name:        shortDescription,
 				Description: v.OSV.Details,
 				Kind:        "problem",
-				Tags:        []string{"security", "vulnerability"},
+				Tags:        tags,
 			},
 		}
 		results = append(results, Result{

main.go

@@ -36,8 +36,10 @@ func main() {
 		fmt.Fprintf(flag.CommandLine.Output(), usage, os.Args[0])
 		flag.PrintDefaults()
 	}
+	var tags string
+	flag.StringVar(&tags, "tags", "", "Tags to be passed to the build system")
 	flag.Parse()
-	log, err := runVulnny()
+	log, err := runVulnny(client.Options{}, setBuildFlags("-tags="+tags))
 	if err != nil {
 		fmt.Fprintln(os.Stderr, err.Error())
 		os.Exit(1)
@@ -59,7 +61,23 @@ func main() {
 	fmt.Fprintln(out, string(data))
 }
 
-func runVulnny() (*sarif.Log, error) {
+type cfgOpts func(*packages.Config) error
+
+// setBuildFlags sets the build flags to be passed to the build system.
+// The format of these flags must be in the form of bFlag[i] = "-flag=value".
+// For example, if we want to pass on the tags, we need to pass them like the following:
+//
+//	setBuildFlags("-tags=something,here")
+//
+// which is the same as how the go build system accepts these flags.
+func setBuildFlags(bFlags ...string) cfgOpts {
+	return func(c *packages.Config) error {
+		c.BuildFlags = bFlags
+		return nil
+	}
+}
+
+func runVulnny(cOpts client.Options, opts ...cfgOpts) (*sarif.Log, error) {
 	fset := token.NewFileSet()
 	const mode packages.LoadMode = packages.NeedName | packages.NeedImports | packages.NeedTypes |
 		packages.NeedSyntax | packages.NeedTypesInfo | packages.NeedDeps |
@@ -68,6 +86,12 @@ func runVulnny() (*sarif.Log, error) {
 		Fset: fset,
 		Mode: mode,
 	}
+	for _, opt := range opts {
+		err := opt(&cfg)
+		if err != nil {
+			return nil, fmt.Errorf("failed to apply opts: %w", err)
+		}
+	}
 	pkgs, err := packages.Load(&cfg, flag.Args()...)
 	if err != nil {
 		return nil, fmt.Errorf("failed to load packages: %w", err)
@@ -77,7 +101,7 @@ func runVulnny() (*sarif.Log, error) {
 	}
 	vPkgs := vulncheck.Convert(pkgs)
 	sources := []string{"https://vuln.go.dev"}
-	dbClient, err := client.NewClient(sources, client.Options{})
+	dbClient, err := client.NewClient(sources, cOpts)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create a client: %w", err)
 	}

main_test.go

@@ -0,0 +1,70 @@
+package main
+
+import (
+	"net/http"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/tjgurwara99/mixtape"
+	"github.com/tjgurwara99/mixtape/player"
+	"golang.org/x/tools/go/packages"
+	"golang.org/x/vuln/client"
+)
+
+func setTestBuildDir(elems ...string) cfgOpts {
+	return func(c *packages.Config) error {
+		wd, err := os.Getwd()
+		if err != nil {
+			return err
+		}
+		data := []string{wd}
+		data = append(data, elems...)
+		c.Dir = filepath.Join(data...)
+		return nil
+	}
+}
+
+func TestRunVulnny(t *testing.T) {
+	cassette, err := mixtape.Load("testdata/vuln/cassette")
+	if err != nil {
+		t.Fatal(err)
+	}
+	transport := player.New(cassette, player.Record, http.DefaultTransport)
+	c := &http.Client{
+		Transport: transport,
+	}
+	sarif, err := runVulnny(client.Options{
+		HTTPClient: c,
+	}, setTestBuildDir("testdata", "vuln"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(sarif.Runs) != 1 {
+		t.Fatalf("expected 1 run, got %d", len(sarif.Runs))
+	}
+	if len(sarif.Runs[0].Results) != 1 {
+		t.Fatalf("expected 1 result, got %d", len(sarif.Runs[0].Results))
+	}
+	if sarif.Runs[0].Results[0].RuleID != "GO-2021-0113" {
+		t.Fatalf("expected rule ID to be GO-2021-0113, got %s", sarif.Runs[0].Results[0].RuleID)
+	}
+	if sarif.Runs[0].Results[0].Level != "error" {
+		t.Fatalf("expected level to be error, got %s", sarif.Runs[0].Results[0].Level)
+	}
+	if sarif.Runs[0].Results[0].Locations[0].PhysicalLocation.ArtifactLocation.URI != "testdata/vuln/vuln.go" {
+		t.Fatalf("expected URI to be testdata/vuln/vuln.go, got %s", sarif.Runs[0].Results[0].Locations[0].PhysicalLocation.ArtifactLocation.URI)
+	}
+	if sarif.Runs[0].Results[0].Locations[0].PhysicalLocation.ArtifactLocation.URIBaseID != "%SRCROOT%" {
+		t.Fatalf("expected URI to be testdata/vuln/vuln.go, got %s", sarif.Runs[0].Results[0].Locations[0].PhysicalLocation.ArtifactLocation.URI)
+	}
+	if sarif.Runs[0].Results[0].Locations[0].PhysicalLocation.Region.StartLine != 12 {
+		t.Fatalf("expected start line to be 12, got %d", sarif.Runs[0].Results[0].Locations[0].PhysicalLocation.Region.StartLine)
+	}
+	if sarif.Runs[0].Results[0].Locations[0].PhysicalLocation.Region.StartColumn != 16 {
+		t.Fatalf("expected start column to be 16, got %d", sarif.Runs[0].Results[0].Locations[0].PhysicalLocation.Region.StartColumn)
+	}
+	if sarif.Runs[0].Results[0].Message.Text != "Vulnerable package golang.org/x/text is being used" {
+		t.Fatalf("expected message to be Vulnerable package golang.org/x/text is being used, got %s", sarif.Runs[0].Results[0].Message.Text)
+	}
+}