1
0
Fork 0
mirror of https://github.com/imjasonh/govulncheck-action synced 2026-07-11 18:11:01 +00:00
govulncheck-action/lib/annotator.js
Jason Hall bee00060a0
Add detailed logging and fix GitHub Actions annotation format
This commit adds comprehensive logging to help debug why annotations weren't
appearing in the GitHub Actions UI:

- Added logging for raw govulncheck output
- Added logging in the parser to show what vulnerabilities are found
- Added logging in the annotator to show when annotations are created
- Fixed the annotation format to use the correct property names (file, startLine, endLine)
- Updated tests to match the new annotation format

The annotations should now properly appear in pull requests and workflow runs.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-06-06 23:58:11 -04:00

94 lines
No EOL
2.7 KiB
JavaScript

const fs = require('fs').promises;
const path = require('path');
class AnnotationCreator {
constructor(core, fsModule = fs) {
this.core = core;
this.fs = fsModule;
}
async createAnnotations(vulnerabilities, parser, workingDirectory = '.') {
this.core.info(`Creating annotations for ${vulnerabilities.length} vulnerabilities`);
const modules = parser.extractUniqueModules(vulnerabilities);
const callSites = parser.extractCallSites(vulnerabilities);
this.core.info(`Found ${modules.length} vulnerable modules and ${callSites.length} call sites`);
// Annotate go.mod for vulnerable modules
await this.annotateGoMod(modules, vulnerabilities, workingDirectory);
// Annotate source files for call sites
this.annotateCallSites(callSites);
}
async annotateGoMod(modules, vulnerabilities, workingDirectory) {
if (modules.length === 0) return;
const goModPath = path.join(workingDirectory, 'go.mod');
let goModContent = '';
try {
goModContent = await this.fs.readFile(goModPath, 'utf8');
} catch (error) {
this.core.warning(`Could not read go.mod: ${error.message}`);
return;
}
const goModLines = goModContent.split('\n');
for (const module of modules) {
// Find the vulnerability info for this module
const vuln = vulnerabilities.find(v =>
v.finding.trace &&
v.finding.trace[0] &&
v.finding.trace[0].module === module
);
// Find line in go.mod
for (let i = 0; i < goModLines.length; i++) {
if (goModLines[i].includes(module)) {
const lineNumber = i + 1;
let message = `Vulnerable module: ${module}`;
if (vuln && vuln.finding.osv) {
message += ` (${vuln.finding.osv})`;
}
this.core.info(`Creating annotation for ${module} at go.mod:${lineNumber}`);
// GitHub Actions annotation format
this.core.warning(message, {
title: 'Security Vulnerability',
file: 'go.mod',
startLine: lineNumber,
endLine: lineNumber
});
break;
}
}
}
}
annotateCallSites(callSites) {
for (const site of callSites) {
let message = `Vulnerable code path: ${site.function}`;
if (site.osv) {
message += ` (${site.osv})`;
}
this.core.info(`Creating annotation for call site at ${site.filename}:${site.line}`);
// GitHub Actions annotation format
this.core.warning(message, {
title: 'Security Vulnerability',
file: site.filename,
startLine: site.line,
endLine: site.line
});
}
}
}
module.exports = AnnotationCreator;