From 563994f0852c21fbdb2424841ebd8de389ff47ad Mon Sep 17 00:00:00 2001
From: Zvonimir Pavlinovic <zpavlinovic@google.com>
Date: Thu, 14 Dec 2023 18:58:30 +0000
Subject: [PATCH] internal/sarif: add rules

Also add a summary to one of the vulndb entries. This actually improves
testing coverage for both govulncheck text and sarif.

Updates golang/go#61347

Change-Id: Id851d6015daf350908b433c56853daf75f1240fb
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/549815
Reviewed-by: Maceo Thompson <maceothompson@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
 cmd/govulncheck/testdata/strip/strip.ct       |   6 +-
 .../testfiles/binary-call/binary_call_json.ct |   1 +
 .../binary-call/binary_vendored_json.ct       |   1 +
 .../binary-module/binary_module_json.ct       |   1 +
 .../binary-module/binary_module_text.ct       |   6 +-
 .../binary-package/binary_package_json.ct     |   1 +
 .../testfiles/source-call/source_call_json.ct |   1 +
 .../testfiles/source-call/source_call_text.ct |   6 +-
 .../source-call/source_multientry_json.ct     |   1 +
 .../source-call/source_replace_json.ct        |   1 +
 .../source-call/source_vendored_json.ct       |   1 +
 .../source-call/source_vendored_text.ct       |   6 +-
 .../source-call/source_vuln_sarif.ct          | 126 ++++++++++++++++++
 .../source-module/source_module_json.ct       |   1 +
 .../source-module/source_module_sarif.ct      | 126 ++++++++++++++++++
 .../source-package/source_package_json.ct     |   1 +
 .../source-package/source_package_sarif.ct    | 126 ++++++++++++++++++
 .../testdata/vulndb-v1/ID/GO-2020-0015.json   |   2 +-
 .../vulndb-v1/ID/GO-2020-0015.json.gz         | Bin 733 -> 770 bytes
 internal/sarif/handler.go                     |  53 ++++++++
 20 files changed, 446 insertions(+), 21 deletions(-)
 create mode 100644 cmd/govulncheck/testdata/testfiles/source-call/source_vuln_sarif.ct
 create mode 100644 cmd/govulncheck/testdata/testfiles/source-module/source_module_sarif.ct
 create mode 100644 cmd/govulncheck/testdata/testfiles/source-package/source_package_sarif.ct

diff --git a/cmd/govulncheck/testdata/strip/strip.ct b/cmd/govulncheck/testdata/strip/strip.ct
index 45b4c014..9e618093 100644
--- a/cmd/govulncheck/testdata/strip/strip.ct
+++ b/cmd/govulncheck/testdata/strip/strip.ct
@@ -21,11 +21,7 @@ Vulnerability #1: GO-2021-0113
       #4: language.ParseAcceptLanguage
 
 Vulnerability #2: GO-2020-0015
-    An attacker could provide a single byte to a UTF16 decoder instantiated with
-    UseBOM or ExpectBOM to trigger an infinite loop if the String function on
-    the Decoder is called, or the Decoder is passed to transform.String. If used
-    to parse user supplied input, this may be used as a denial of service
-    vector.
+    Infinite loop when decoding some inputs in golang.org/x/text
   More info: https://pkg.go.dev/vuln/GO-2020-0015
   Module: golang.org/x/text
     Found in: golang.org/x/text@v0.3.0
diff --git a/cmd/govulncheck/testdata/testfiles/binary-call/binary_call_json.ct b/cmd/govulncheck/testdata/testfiles/binary-call/binary_call_json.ct
index 3523b58a..7d92a461 100644
--- a/cmd/govulncheck/testdata/testfiles/binary-call/binary_call_json.ct
+++ b/cmd/govulncheck/testdata/testfiles/binary-call/binary_call_json.ct
@@ -360,6 +360,7 @@ $ govulncheck -format json -mode binary ${vuln_binary}
       "CVE-2020-14040",
       "GHSA-5rcv-m4m3-hfh7"
     ],
+    "summary": "Infinite loop when decoding some inputs in golang.org/x/text",
     "details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
     "affected": [
       {
diff --git a/cmd/govulncheck/testdata/testfiles/binary-call/binary_vendored_json.ct b/cmd/govulncheck/testdata/testfiles/binary-call/binary_vendored_json.ct
index 233939a0..ecc12614 100644
--- a/cmd/govulncheck/testdata/testfiles/binary-call/binary_vendored_json.ct
+++ b/cmd/govulncheck/testdata/testfiles/binary-call/binary_vendored_json.ct
@@ -345,6 +345,7 @@ $ govulncheck -format json -mode binary ${vendored_binary}
       "CVE-2020-14040",
       "GHSA-5rcv-m4m3-hfh7"
     ],
+    "summary": "Infinite loop when decoding some inputs in golang.org/x/text",
     "details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
     "affected": [
       {
diff --git a/cmd/govulncheck/testdata/testfiles/binary-module/binary_module_json.ct b/cmd/govulncheck/testdata/testfiles/binary-module/binary_module_json.ct
index ab425000..e816069b 100644
--- a/cmd/govulncheck/testdata/testfiles/binary-module/binary_module_json.ct
+++ b/cmd/govulncheck/testdata/testfiles/binary-module/binary_module_json.ct
@@ -263,6 +263,7 @@ $ govulncheck -format json -mode binary -scan module ${vuln_binary}
       "CVE-2020-14040",
       "GHSA-5rcv-m4m3-hfh7"
     ],
+    "summary": "Infinite loop when decoding some inputs in golang.org/x/text",
     "details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
     "affected": [
       {
diff --git a/cmd/govulncheck/testdata/testfiles/binary-module/binary_module_text.ct b/cmd/govulncheck/testdata/testfiles/binary-module/binary_module_text.ct
index 9a25bc7a..75146a37 100644
--- a/cmd/govulncheck/testdata/testfiles/binary-module/binary_module_text.ct
+++ b/cmd/govulncheck/testdata/testfiles/binary-module/binary_module_text.ct
@@ -33,11 +33,7 @@ Vulnerability #3: GO-2021-0054
     Fixed in: github.com/tidwall/gjson@v1.6.6
 
 Vulnerability #4: GO-2020-0015
-    An attacker could provide a single byte to a UTF16 decoder instantiated with
-    UseBOM or ExpectBOM to trigger an infinite loop if the String function on
-    the Decoder is called, or the Decoder is passed to transform.String. If used
-    to parse user supplied input, this may be used as a denial of service
-    vector.
+    Infinite loop when decoding some inputs in golang.org/x/text
   More info: https://pkg.go.dev/vuln/GO-2020-0015
   Module: golang.org/x/text
     Found in: golang.org/x/text@v0.3.0
diff --git a/cmd/govulncheck/testdata/testfiles/binary-package/binary_package_json.ct b/cmd/govulncheck/testdata/testfiles/binary-package/binary_package_json.ct
index 9e125956..0a5ec5a1 100644
--- a/cmd/govulncheck/testdata/testfiles/binary-package/binary_package_json.ct
+++ b/cmd/govulncheck/testdata/testfiles/binary-package/binary_package_json.ct
@@ -302,6 +302,7 @@ $ govulncheck -format json -mode binary -scan package ${vuln_binary}
       "CVE-2020-14040",
       "GHSA-5rcv-m4m3-hfh7"
     ],
+    "summary": "Infinite loop when decoding some inputs in golang.org/x/text",
     "details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
     "affected": [
       {
diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_call_json.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_call_json.ct
index b24e7513..bb049a81 100644
--- a/cmd/govulncheck/testdata/testfiles/source-call/source_call_json.ct
+++ b/cmd/govulncheck/testdata/testfiles/source-call/source_call_json.ct
@@ -569,6 +569,7 @@ $ govulncheck -C ${moddir}/vuln -format json ./...
       "CVE-2020-14040",
       "GHSA-5rcv-m4m3-hfh7"
     ],
+    "summary": "Infinite loop when decoding some inputs in golang.org/x/text",
     "details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
     "affected": [
       {
diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_call_text.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_call_text.ct
index dfae2934..9122b485 100644
--- a/cmd/govulncheck/testdata/testfiles/source-call/source_call_text.ct
+++ b/cmd/govulncheck/testdata/testfiles/source-call/source_call_text.ct
@@ -156,11 +156,7 @@ Vulnerability #1: GO-2022-0969
     Fixed in: stdlib@go1.18.6
 
 Vulnerability #2: GO-2020-0015
-    An attacker could provide a single byte to a UTF16 decoder instantiated with
-    UseBOM or ExpectBOM to trigger an infinite loop if the String function on
-    the Decoder is called, or the Decoder is passed to transform.String. If used
-    to parse user supplied input, this may be used as a denial of service
-    vector.
+    Infinite loop when decoding some inputs in golang.org/x/text
   More info: https://pkg.go.dev/vuln/GO-2020-0015
   Module: golang.org/x/text
     Found in: golang.org/x/text@v0.3.0
diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_multientry_json.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_multientry_json.ct
index 599b4211..41f79fc8 100644
--- a/cmd/govulncheck/testdata/testfiles/source-call/source_multientry_json.ct
+++ b/cmd/govulncheck/testdata/testfiles/source-call/source_multientry_json.ct
@@ -335,6 +335,7 @@ $ govulncheck -format json -C ${moddir}/multientry .
       "CVE-2020-14040",
       "GHSA-5rcv-m4m3-hfh7"
     ],
+    "summary": "Infinite loop when decoding some inputs in golang.org/x/text",
     "details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
     "affected": [
       {
diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_replace_json.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_replace_json.ct
index 95705d1c..9d2a32af 100644
--- a/cmd/govulncheck/testdata/testfiles/source-call/source_replace_json.ct
+++ b/cmd/govulncheck/testdata/testfiles/source-call/source_replace_json.ct
@@ -271,6 +271,7 @@ $ govulncheck -C ${moddir}/replace -format json ./...
       "CVE-2020-14040",
       "GHSA-5rcv-m4m3-hfh7"
     ],
+    "summary": "Infinite loop when decoding some inputs in golang.org/x/text",
     "details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
     "affected": [
       {
diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_vendored_json.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_vendored_json.ct
index f00922ae..6104cd4e 100644
--- a/cmd/govulncheck/testdata/testfiles/source-call/source_vendored_json.ct
+++ b/cmd/govulncheck/testdata/testfiles/source-call/source_vendored_json.ct
@@ -501,6 +501,7 @@ $ govulncheck -C ${moddir}/vendored -format json ./...
       "CVE-2020-14040",
       "GHSA-5rcv-m4m3-hfh7"
     ],
+    "summary": "Infinite loop when decoding some inputs in golang.org/x/text",
     "details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
     "affected": [
       {
diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_vendored_text.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_vendored_text.ct
index f368a0a7..fa592a41 100644
--- a/cmd/govulncheck/testdata/testfiles/source-call/source_vendored_text.ct
+++ b/cmd/govulncheck/testdata/testfiles/source-call/source_vendored_text.ct
@@ -50,11 +50,7 @@ Vulnerability #1: GO-2022-0969
     Fixed in: stdlib@go1.18.6
 
 Vulnerability #2: GO-2020-0015
-    An attacker could provide a single byte to a UTF16 decoder instantiated with
-    UseBOM or ExpectBOM to trigger an infinite loop if the String function on
-    the Decoder is called, or the Decoder is passed to transform.String. If used
-    to parse user supplied input, this may be used as a denial of service
-    vector.
+    Infinite loop when decoding some inputs in golang.org/x/text
   More info: https://pkg.go.dev/vuln/GO-2020-0015
   Module: golang.org/x/text
     Found in: golang.org/x/text@v0.3.0
diff --git a/cmd/govulncheck/testdata/testfiles/source-call/source_vuln_sarif.ct b/cmd/govulncheck/testdata/testfiles/source-call/source_vuln_sarif.ct
new file mode 100644
index 00000000..73bb5960
--- /dev/null
+++ b/cmd/govulncheck/testdata/testfiles/source-call/source_vuln_sarif.ct
@@ -0,0 +1,126 @@
+#####
+# Test sarif json output
+$ govulncheck -C ${moddir}/vuln -format sarif ./...
+{
+  "version": "2.1.0",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "govulncheck",
+          "semanticVersion": "v0.0.0",
+          "informationUri": "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck",
+          "properties": {
+            "protocol_version": "v1.0.0",
+            "scanner_name": "govulncheck",
+            "scanner_version": "v0.0.0-00000000000-20000101010101",
+            "db": "testdata/vulndb-v1",
+            "db_last_modified": "2023-04-03T15:57:51Z",
+            "go_version": "go1.18",
+            "scan_level": "symbol"
+          },
+          "rules": [
+            {
+              "id": "GO-2020-0015",
+              "shortDescription": {
+                "text": "[GO-2020-0015] Infinite loop when decoding some inputs in golang.org/x/text"
+              },
+              "fullDescription": {
+                "text": "Infinite loop when decoding some inputs in golang.org/x/text"
+              },
+              "help": {
+                "text": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector."
+              },
+              "helpUri": "https://pkg.go.dev/vuln/GO-2020-0015",
+              "properties": {
+                "tags": [
+                  "CVE-2020-14040",
+                  "GHSA-5rcv-m4m3-hfh7"
+                ]
+              }
+            },
+            {
+              "id": "GO-2021-0054",
+              "shortDescription": {
+                "text": "[GO-2021-0054] Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector."
+              },
+              "fullDescription": {
+                "text": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector."
+              },
+              "help": {
+                "text": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector."
+              },
+              "helpUri": "https://pkg.go.dev/vuln/GO-2021-0054",
+              "properties": {
+                "tags": [
+                  "CVE-2020-36067",
+                  "GHSA-p64j-r5f4-pwwx"
+                ]
+              }
+            },
+            {
+              "id": "GO-2021-0113",
+              "shortDescription": {
+                "text": "[GO-2021-0113] Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack."
+              },
+              "fullDescription": {
+                "text": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack."
+              },
+              "help": {
+                "text": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack."
+              },
+              "helpUri": "https://pkg.go.dev/vuln/GO-2021-0113",
+              "properties": {
+                "tags": [
+                  "CVE-2021-38561",
+                  "GHSA-ppp9-7jff-5vj2"
+                ]
+              }
+            },
+            {
+              "id": "GO-2021-0265",
+              "shortDescription": {
+                "text": "[GO-2021-0265] A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time."
+              },
+              "fullDescription": {
+                "text": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time."
+              },
+              "help": {
+                "text": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time."
+              },
+              "helpUri": "https://pkg.go.dev/vuln/GO-2021-0265",
+              "properties": {
+                "tags": [
+                  "CVE-2021-42248",
+                  "CVE-2021-42836",
+                  "GHSA-c9gm-7rfj-8w5h",
+                  "GHSA-ppj4-34rq-v8j9"
+                ]
+              }
+            },
+            {
+              "id": "GO-2022-0969",
+              "shortDescription": {
+                "text": "[GO-2022-0969] HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service."
+              },
+              "fullDescription": {
+                "text": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service."
+              },
+              "help": {
+                "text": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service."
+              },
+              "helpUri": "https://pkg.go.dev/vuln/GO-2022-0969",
+              "properties": {
+                "tags": [
+                  "CVE-2022-27664",
+                  "GHSA-69cg-p879-7622"
+                ]
+              }
+            }
+          ]
+        }
+      }
+    }
+  ]
+}
diff --git a/cmd/govulncheck/testdata/testfiles/source-module/source_module_json.ct b/cmd/govulncheck/testdata/testfiles/source-module/source_module_json.ct
index 3b728b53..c27f5042 100644
--- a/cmd/govulncheck/testdata/testfiles/source-module/source_module_json.ct
+++ b/cmd/govulncheck/testdata/testfiles/source-module/source_module_json.ct
@@ -227,6 +227,7 @@ $ govulncheck -format json -scan module -C ${moddir}/multientry
       "CVE-2020-14040",
       "GHSA-5rcv-m4m3-hfh7"
     ],
+    "summary": "Infinite loop when decoding some inputs in golang.org/x/text",
     "details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
     "affected": [
       {
diff --git a/cmd/govulncheck/testdata/testfiles/source-module/source_module_sarif.ct b/cmd/govulncheck/testdata/testfiles/source-module/source_module_sarif.ct
new file mode 100644
index 00000000..c67b5d9d
--- /dev/null
+++ b/cmd/govulncheck/testdata/testfiles/source-module/source_module_sarif.ct
@@ -0,0 +1,126 @@
+#####
+# Test sarif output
+$ govulncheck -format sarif -scan module -C ${moddir}/vuln
+{
+  "version": "2.1.0",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "govulncheck",
+          "semanticVersion": "v0.0.0",
+          "informationUri": "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck",
+          "properties": {
+            "protocol_version": "v1.0.0",
+            "scanner_name": "govulncheck",
+            "scanner_version": "v0.0.0-00000000000-20000101010101",
+            "db": "testdata/vulndb-v1",
+            "db_last_modified": "2023-04-03T15:57:51Z",
+            "go_version": "go1.18",
+            "scan_level": "module"
+          },
+          "rules": [
+            {
+              "id": "GO-2020-0015",
+              "shortDescription": {
+                "text": "[GO-2020-0015] Infinite loop when decoding some inputs in golang.org/x/text"
+              },
+              "fullDescription": {
+                "text": "Infinite loop when decoding some inputs in golang.org/x/text"
+              },
+              "help": {
+                "text": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector."
+              },
+              "helpUri": "https://pkg.go.dev/vuln/GO-2020-0015",
+              "properties": {
+                "tags": [
+                  "CVE-2020-14040",
+                  "GHSA-5rcv-m4m3-hfh7"
+                ]
+              }
+            },
+            {
+              "id": "GO-2021-0054",
+              "shortDescription": {
+                "text": "[GO-2021-0054] Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector."
+              },
+              "fullDescription": {
+                "text": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector."
+              },
+              "help": {
+                "text": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector."
+              },
+              "helpUri": "https://pkg.go.dev/vuln/GO-2021-0054",
+              "properties": {
+                "tags": [
+                  "CVE-2020-36067",
+                  "GHSA-p64j-r5f4-pwwx"
+                ]
+              }
+            },
+            {
+              "id": "GO-2021-0113",
+              "shortDescription": {
+                "text": "[GO-2021-0113] Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack."
+              },
+              "fullDescription": {
+                "text": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack."
+              },
+              "help": {
+                "text": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack."
+              },
+              "helpUri": "https://pkg.go.dev/vuln/GO-2021-0113",
+              "properties": {
+                "tags": [
+                  "CVE-2021-38561",
+                  "GHSA-ppp9-7jff-5vj2"
+                ]
+              }
+            },
+            {
+              "id": "GO-2021-0265",
+              "shortDescription": {
+                "text": "[GO-2021-0265] A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time."
+              },
+              "fullDescription": {
+                "text": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time."
+              },
+              "help": {
+                "text": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time."
+              },
+              "helpUri": "https://pkg.go.dev/vuln/GO-2021-0265",
+              "properties": {
+                "tags": [
+                  "CVE-2021-42248",
+                  "CVE-2021-42836",
+                  "GHSA-c9gm-7rfj-8w5h",
+                  "GHSA-ppj4-34rq-v8j9"
+                ]
+              }
+            },
+            {
+              "id": "GO-2022-0969",
+              "shortDescription": {
+                "text": "[GO-2022-0969] HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service."
+              },
+              "fullDescription": {
+                "text": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service."
+              },
+              "help": {
+                "text": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service."
+              },
+              "helpUri": "https://pkg.go.dev/vuln/GO-2022-0969",
+              "properties": {
+                "tags": [
+                  "CVE-2022-27664",
+                  "GHSA-69cg-p879-7622"
+                ]
+              }
+            }
+          ]
+        }
+      }
+    }
+  ]
+}
diff --git a/cmd/govulncheck/testdata/testfiles/source-package/source_package_json.ct b/cmd/govulncheck/testdata/testfiles/source-package/source_package_json.ct
index 738eba98..f5bd1e37 100644
--- a/cmd/govulncheck/testdata/testfiles/source-package/source_package_json.ct
+++ b/cmd/govulncheck/testdata/testfiles/source-package/source_package_json.ct
@@ -240,6 +240,7 @@ $ govulncheck -format json -scan package -C ${moddir}/multientry .
       "CVE-2020-14040",
       "GHSA-5rcv-m4m3-hfh7"
     ],
+    "summary": "Infinite loop when decoding some inputs in golang.org/x/text",
     "details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
     "affected": [
       {
diff --git a/cmd/govulncheck/testdata/testfiles/source-package/source_package_sarif.ct b/cmd/govulncheck/testdata/testfiles/source-package/source_package_sarif.ct
new file mode 100644
index 00000000..057abfd0
--- /dev/null
+++ b/cmd/govulncheck/testdata/testfiles/source-package/source_package_sarif.ct
@@ -0,0 +1,126 @@
+#####
+# Test sarif output
+$ govulncheck -format sarif -scan package -C ${moddir}/vuln .
+{
+  "version": "2.1.0",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "govulncheck",
+          "semanticVersion": "v0.0.0",
+          "informationUri": "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck",
+          "properties": {
+            "protocol_version": "v1.0.0",
+            "scanner_name": "govulncheck",
+            "scanner_version": "v0.0.0-00000000000-20000101010101",
+            "db": "testdata/vulndb-v1",
+            "db_last_modified": "2023-04-03T15:57:51Z",
+            "go_version": "go1.18",
+            "scan_level": "package"
+          },
+          "rules": [
+            {
+              "id": "GO-2020-0015",
+              "shortDescription": {
+                "text": "[GO-2020-0015] Infinite loop when decoding some inputs in golang.org/x/text"
+              },
+              "fullDescription": {
+                "text": "Infinite loop when decoding some inputs in golang.org/x/text"
+              },
+              "help": {
+                "text": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector."
+              },
+              "helpUri": "https://pkg.go.dev/vuln/GO-2020-0015",
+              "properties": {
+                "tags": [
+                  "CVE-2020-14040",
+                  "GHSA-5rcv-m4m3-hfh7"
+                ]
+              }
+            },
+            {
+              "id": "GO-2021-0054",
+              "shortDescription": {
+                "text": "[GO-2021-0054] Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector."
+              },
+              "fullDescription": {
+                "text": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector."
+              },
+              "help": {
+                "text": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector."
+              },
+              "helpUri": "https://pkg.go.dev/vuln/GO-2021-0054",
+              "properties": {
+                "tags": [
+                  "CVE-2020-36067",
+                  "GHSA-p64j-r5f4-pwwx"
+                ]
+              }
+            },
+            {
+              "id": "GO-2021-0113",
+              "shortDescription": {
+                "text": "[GO-2021-0113] Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack."
+              },
+              "fullDescription": {
+                "text": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack."
+              },
+              "help": {
+                "text": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack."
+              },
+              "helpUri": "https://pkg.go.dev/vuln/GO-2021-0113",
+              "properties": {
+                "tags": [
+                  "CVE-2021-38561",
+                  "GHSA-ppp9-7jff-5vj2"
+                ]
+              }
+            },
+            {
+              "id": "GO-2021-0265",
+              "shortDescription": {
+                "text": "[GO-2021-0265] A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time."
+              },
+              "fullDescription": {
+                "text": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time."
+              },
+              "help": {
+                "text": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time."
+              },
+              "helpUri": "https://pkg.go.dev/vuln/GO-2021-0265",
+              "properties": {
+                "tags": [
+                  "CVE-2021-42248",
+                  "CVE-2021-42836",
+                  "GHSA-c9gm-7rfj-8w5h",
+                  "GHSA-ppj4-34rq-v8j9"
+                ]
+              }
+            },
+            {
+              "id": "GO-2022-0969",
+              "shortDescription": {
+                "text": "[GO-2022-0969] HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service."
+              },
+              "fullDescription": {
+                "text": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service."
+              },
+              "help": {
+                "text": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service."
+              },
+              "helpUri": "https://pkg.go.dev/vuln/GO-2022-0969",
+              "properties": {
+                "tags": [
+                  "CVE-2022-27664",
+                  "GHSA-69cg-p879-7622"
+                ]
+              }
+            }
+          ]
+        }
+      }
+    }
+  ]
+}
diff --git a/cmd/govulncheck/testdata/vulndb-v1/ID/GO-2020-0015.json b/cmd/govulncheck/testdata/vulndb-v1/ID/GO-2020-0015.json
index 71f64c18..816c28d2 100644
--- a/cmd/govulncheck/testdata/vulndb-v1/ID/GO-2020-0015.json
+++ b/cmd/govulncheck/testdata/vulndb-v1/ID/GO-2020-0015.json
@@ -1 +1 @@
-{"schema_version":"1.3.1","id":"GO-2020-0015","modified":"2023-04-03T15:57:51Z","published":"2021-04-14T20:04:52Z","aliases":["CVE-2020-14040","GHSA-5rcv-m4m3-hfh7"],"details":"An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.","affected":[{"package":{"name":"golang.org/x/text","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.3.3"}]}],"ecosystem_specific":{"imports":[{"path":"golang.org/x/text/encoding/unicode","symbols":["bomOverride.Transform","utf16Decoder.Transform"]},{"path":"golang.org/x/text/transform","symbols":["String"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/238238"},{"type":"FIX","url":"https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"},{"type":"REPORT","url":"https://go.dev/issue/39491"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"}],"credits":[{"name":"@abacabadabacaba and Anton Gyllenberg"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2020-0015"}}
\ No newline at end of file
+{"schema_version":"1.3.1","id":"GO-2020-0015","modified":"2023-04-03T15:57:51Z","published":"2021-04-14T20:04:52Z","aliases":["CVE-2020-14040","GHSA-5rcv-m4m3-hfh7"],"summary":"Infinite loop when decoding some inputs in golang.org/x/text","details":"An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.","affected":[{"package":{"name":"golang.org/x/text","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.3.3"}]}],"ecosystem_specific":{"imports":[{"path":"golang.org/x/text/encoding/unicode","symbols":["bomOverride.Transform","utf16Decoder.Transform"]},{"path":"golang.org/x/text/transform","symbols":["String"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/238238"},{"type":"FIX","url":"https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"},{"type":"REPORT","url":"https://go.dev/issue/39491"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"}],"credits":[{"name":"@abacabadabacaba and Anton Gyllenberg"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2020-0015"}}
diff --git a/cmd/govulncheck/testdata/vulndb-v1/ID/GO-2020-0015.json.gz b/cmd/govulncheck/testdata/vulndb-v1/ID/GO-2020-0015.json.gz
index d6ad56485cd5d47add55c87bfc93b3d41092aa03..2a96452934f4becae7238914cbaca5cf5e702782 100644
GIT binary patch
literal 770
zcmV+d1O5CTiwFpoZh&O~14mCSGB7eQEif=KH7;s%Z*Bm6R9$b{Fcf{?udw_&$OnP)
z@ie+o)`yCzrCqfORgQg=SWWEAb|?(--*-)@1Y0*LD6#Lo=NzAV&5l}LK*gTdV64=N
zPG}q?K}<VT3S7(=-Cop-x=|DlaIexrW)ge^x07zv??%Zo9!v(q$sqoL8FiDE(iU$i
zu}_Kn%U(2z`jbJ=r?65o3zklv=;w!7iy!x+euT04*Sl$VVEDRQ^{b>?WW|uKI@C5*
z#mp8luT>_MbU;e2Yw}uvA_6$dQaQ1@0wPu2IEycm>yoKF&?XNzp@WS>d;yNh61nMA
z5#}7@FJK7QO({ri^jZoaj95e~fuvjHaT+)7msjycON8lCS;v%<%z+@U(iP<1!sX(I
zXhUY38o2WdEObWZITkR5HK)2|MqB~p4iiv!)+p}Ke1ebP{_@6S31?*qqT`YOh}6tl
zq(87QWixH6pv4Qwbw-+Fux7@BUm0SXx-PMKtwkLKM3{<gNeXQ`vv^biO0tsZj9|@L
zav*CwkT!wuT$bUt@9oo$*61C}flhW*u?pYxJ;PD3-C75gA0|!r9g1r6L-%*oZEIh5
zH@kV5-TLG;DA$Ihaz=}W9|kGHx*g5rrd{EHCUn2ruTJ2fE&7hL$-N#~)!H0^YUYaf
zw1uGBu?ZU`y{pJ?w^gdk!(^tqTHu{9I1s_|&0tJvTozv(+i((Cd4d0=awh;M9BsR>
zcD46sF_3{lRp;hhT|atSQ{s2wTx};|nCn2mI^<>8OGfw{?D>Cwt~HLd)s5j0a9y>+
zJ|X~vWHb~2aW;-bZ_IiLk6<(eh|>N=l#H?zL<FZ4x3h1H+vUGhNoyMjlW~6>pB8<e
zUH)BRbW_`-wu7oXY~AZJr8Hg(2zi)3KESk^FMj^QIY6Jd0U?jwJx<;ymNJe%aeU*A
z6J)9!Ua0vNZ;(pC<cDIx9L6o2&C9u}`XvvJXIVF;3eWxn_xlgO0n|0kf;0sH05f)S
AlmGw#

literal 733
zcmV<30wVn%iwFP!00002|9n)@ZsRr({FTMNR+cEqzBqbnuJxt&aBz|M(nAl%VMVTF
zA{42TlpELZzZbF`z-fDZGS<60Gn`rIh(YeSqi=imK|6~T=4qMcn4nfz;r)76h(gSS
z$QPJk=ag<VkDWpk<xI?HqTJ+*YH?F7^4~GReyEKOyVsF?9LeXKLR4a2EsAl3jHbW=
ztFQRe(`v%c=VC4}!TVnx?`8`x_p@%^m9t&5yTNUOiX&+gu);eF6eG!J_8{G06!hNh
zwPGL$+O~$FK17D-fZ+4yL;emFOQ+a_wjq*@nj$OsQ^y^A4*Y)o37m)3OV2WnMRX9o
zZd>+17PM`&)sewC*Mn{#?ie1U*S3Xburg|A!P)cQKfm$>kYo(2WJLZ)r>78DO)O+X
z<9wG+cqx2rV7N4U@`1<7Lm2wrXjY(YKg0y$P6z1d05wnJ6o5dn)nvdm5ZLdvWZ1Ke
z&Znc{O~W#dk$gR3Px6^s#_EWcI>riHXUMjx^KJH$MSh8xAWIhxA#yj~fWuRQo@{##
z?TGQvk9&`+Pfx3dad^)*PAzStcWRL5`~{wpBR2YFs?sto@w7c{ui(Fho~3TI9QEj~
zcm4v@Q{4TRwv4TGO4~LYtR7v(1jC`LojD&=?Yi}zz1ND<&8xwf;1HYq-6e*r#&#6=
zU8;BmaK$mjh1=8iG`_`i!=9~tYtDy{Uq)JQu)<x8eW<dmb*bWgCQVk9%c5MK?fL)t
z*16VjaD$heO4m)oe#nZFxLn>S=DfKTs<@@1l!BKx%%YyZ6Xmk0SqZ+Tcv$_qe%O3Z
zl@4Lxth}Ay=GRNVt=|88!@Hpm7j0)%Z8o_#BWvAYC1*0LzdZ3>cfbDQFM*>^(zDW+
zbT60pBh@6SCUyA*vI_2ObQbOp#;~o~x94R=k!lM3=3d^a>Yv;6@|OKzZ1(2UbvpeW
P00960dNTGU>I47)<X?yc

diff --git a/internal/sarif/handler.go b/internal/sarif/handler.go
index 90193e28..865aa19b 100644
--- a/internal/sarif/handler.go
+++ b/internal/sarif/handler.go
@@ -5,7 +5,10 @@
 package sarif
 
 import (
+	"encoding/json"
+	"fmt"
 	"io"
+	"sort"
 
 	"golang.org/x/vuln/internal/govulncheck"
 	"golang.org/x/vuln/internal/osv"
@@ -99,5 +102,55 @@ func (h *handler) Finding(f *govulncheck.Finding) error {
 // Flush is used to print out to w the sarif json output.
 // This is needed as sarif is not streamed.
 func (h *handler) Flush() error {
+	sLog := toSarif(h)
+	s, err := json.MarshalIndent(sLog, "", "  ")
+	if err != nil {
+		return err
+	}
+	h.w.Write(s)
 	return nil
 }
+
+func toSarif(h *handler) Log {
+	cfg := h.cfg
+	r := Run{
+		Tool: Tool{
+			Driver: Driver{
+				Name:           cfg.ScannerName,
+				Version:        cfg.ScannerVersion,
+				InformationURI: "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck",
+				Properties:     *cfg,
+				Rules:          rules(h),
+			},
+		},
+	}
+
+	return Log{
+		Version: "2.1.0",
+		Schema:  "https://json.schemastore.org/sarif-2.1.0.json",
+		Runs:    []Run{r},
+	}
+}
+
+func rules(h *handler) []Rule {
+	var rs []Rule
+	for id := range h.findings {
+		osv := h.osvs[id]
+		// s is either summary if it exists, or details
+		// otherwise. Govulncheck text does the same.
+		s := osv.Summary
+		if s == "" {
+			s = osv.Details
+		}
+		rs = append(rs, Rule{
+			ID:               osv.ID,
+			ShortDescription: Description{Text: fmt.Sprintf("[%s] %s", osv.ID, s)},
+			FullDescription:  Description{Text: s},
+			HelpURI:          fmt.Sprintf("https://pkg.go.dev/vuln/%s", osv.ID),
+			Help:             Description{Text: osv.Details},
+			Properties:       RuleTags{Tags: osv.Aliases},
+		})
+	}
+	sort.SliceStable(rs, func(i, j int) bool { return rs[i].ID < rs[j].ID })
+	return rs
+}