From 0f7005f3db72ac2c67d870609932dd49954db764 Mon Sep 17 00:00:00 2001
From: Maceo Thompson
Date: Tue, 9 Jul 2024 13:12:53 -0500
Subject: [PATCH] internal/openvex: omit vulns with no findings

This change modifies govulncheck's VEX output to no longer include vulnerabilities that are not imported at a vulnerable version. This matches the text output of govulncheck, and is in line with most other vulnerability scanners.

updates golang/go#68338

Change-Id: If7041fd4624d023f623db8daf35a2e76f41d1d29
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/597396
LUCI-TryBot-Result: Go LUCI
Reviewed-by: Mauri de Souza Meneguzzo
Reviewed-by: Zvonimir Pavlinovic
---
 .../testfiles/binary-call/binary_vex.ct | 21 +------------------
 .../testfiles/source-call/source_call_vex.ct | 21 +------------------
 internal/openvex/handler.go | 3 +++
 3 files changed, 5 insertions(+), 40 deletions(-)
diff --git a/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vex.ct b/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vex.ct
index 2eb1838..ecea760 100644
--- a/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vex.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vex.ct
@@ -3,7 +3,7 @@ $ govulncheck -format openvex -mode binary ${common_vuln_binary}
 {
 "@context": "https://openvex.dev/ns/v0.2.0",
-"@id": "govulncheck/vex:b2e8274f24820051d79285827c4fe6e1912c99143a4693804b9a5c366ec5fb8d",
+"@id": "govulncheck/vex:12f16e1541f93ab0d46d78966849d71bc20932795108f69d0df5a415a2c3a5e6",
 "author": "Unknown Author",
 "timestamp": "2024-01-01T00:00:00",
 "version": 1,
@@ -45,25 +45,6 @@ $ govulncheck -format openvex -mode binary ${common_vuln_binary}
 ],
 "status": "affected"
 },
-{
-"vulnerability": {
-"@id": "https://pkg.go.dev/vuln/GO-2021-0059",
-"name": "GO-2021-0059",
-"description": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
-"aliases": [
-"CVE-2020-35380",
-"GHSA-w942-gw6m-p62c"
-]
-},
-"products": [
-{
-"@id": "Unknown Product"
-}
-],
-"status": "not_affected",
-"justification": "vulnerable_code_not_present",
-"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
-},
 {
 "vulnerability": {
 "@id": "https://pkg.go.dev/vuln/GO-2021-0113",
diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_vex.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_vex.ct
index 5bd871e..a631bca 100644
--- a/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_vex.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_vex.ct
@@ -3,7 +3,7 @@ $ govulncheck -C ${moddir}/vuln -format openvex ./...
 {
 "@context": "https://openvex.dev/ns/v0.2.0",
-"@id": "govulncheck/vex:b2e8274f24820051d79285827c4fe6e1912c99143a4693804b9a5c366ec5fb8d",
+"@id": "govulncheck/vex:12f16e1541f93ab0d46d78966849d71bc20932795108f69d0df5a415a2c3a5e6",
 "author": "Unknown Author",
 "timestamp": "2024-01-01T00:00:00",
 "version": 1,
@@ -45,25 +45,6 @@ $ govulncheck -C ${moddir}/vuln -format openvex ./...
 ],
 "status": "affected"
 },
-{
-"vulnerability": {
-"@id": "https://pkg.go.dev/vuln/GO-2021-0059",
-"name": "GO-2021-0059",
-"description": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.",
-"aliases": [
-"CVE-2020-35380",
-"GHSA-w942-gw6m-p62c"
-]
-},
-"products": [
-{
-"@id": "Unknown Product"
-}
-],
-"status": "not_affected",
-"justification": "vulnerable_code_not_present",
-"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
-},
 {
 "vulnerability": {
 "@id": "https://pkg.go.dev/vuln/GO-2021-0113",
diff --git a/internal/openvex/handler.go b/internal/openvex/handler.go
index 5087eb7..b5e43aa 100644
--- a/internal/openvex/handler.go
+++ b/internal/openvex/handler.go
@@ -118,6 +118,9 @@ func statements(h *handler) []Statement {
 var statements []Statement
 for id, osv := range h.osvs {
+if _, found := h.levels[id]; !found {
+continue
+}
 description := osv.Summary
 if description == "" {
 description = osv.Details