fix: pass on annotations to results

google · Jan 22, 2025 · 4f55e50 · 4f55e50
1 parent e35a80c
commit 4f55e50
Showing 1 changed file with 20 additions and 5 deletions.
diff --git a/pkg/osvscanner/vulnerability_result.go b/pkg/osvscanner/vulnerability_result.go
@@ -5,6 +5,7 @@ import (
 	"sort"
 	"strings"
 
+	"github.com/google/osv-scalibr/extractor"
 	"github.com/google/osv-scanner/internal/grouper"
 	"github.com/google/osv-scanner/internal/imodels"
 	"github.com/google/osv-scanner/internal/imodels/results"
@@ -28,7 +29,13 @@ func buildVulnerabilityResults(
 		Results:       []models.PackageSource{},
 		ImageMetadata: scanResults.ImageMetadata,
 	}
-	groupedBySource := map[models.SourceInfo][]models.PackageVulns{}
+
+	type packageVulnsGroup struct {
+		pvs         []models.PackageVulns
+		annotations []extractor.Annotation
+	}
+
+	groupedBySource := map[models.SourceInfo]*packageVulnsGroup{}
 	for _, psr := range scanResults.PackageScanResults {
 		p := psr.PackageInfo
 		includePackage := actions.ShowAllPackages
@@ -131,16 +138,24 @@ func buildVulnerabilityResults(
 				Path: p.Location(),
 				Type: sourceType,
 			}
-			groupedBySource[source] = append(groupedBySource[source], pkg)
+
+			if groupedBySource[source] == nil {
+				groupedBySource[source] = &packageVulnsGroup{}
+			}
+
+			groupedBySource[source].pvs = append(groupedBySource[source].pvs, pkg)
+			// Overwrite annotations as it should be the same for the same package.
+			groupedBySource[source].annotations = p.Annotations
 		}
 	}
 
 	// TODO(v2): Move source analysis out of here.
 	for source, packages := range groupedBySource {
-		sourceanalysis.Run(r, source, packages, actions.CallAnalysisStates)
+		sourceanalysis.Run(r, source, packages.pvs, actions.CallAnalysisStates)
 		results.Results = append(results.Results, models.PackageSource{
-			Source:   source,
-			Packages: packages,
+			Source:                  source,
+			ExperimentalAnnotations: packages.annotations,
+			Packages:                packages.pvs,
 		})
 	}