From 4f55e503a8ab7a7affab771bb1da4993bf61671f Mon Sep 17 00:00:00 2001 From: Rex P Date: Wed, 22 Jan 2025 13:25:44 +1100 Subject: [PATCH] fix: pass on annotations to results --- pkg/osvscanner/vulnerability_result.go | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/pkg/osvscanner/vulnerability_result.go b/pkg/osvscanner/vulnerability_result.go index 9ab7deb20d..25abd0c8f8 100644 --- a/pkg/osvscanner/vulnerability_result.go +++ b/pkg/osvscanner/vulnerability_result.go @@ -5,6 +5,7 @@ import ( "sort" "strings" + "github.com/google/osv-scalibr/extractor" "github.com/google/osv-scanner/internal/grouper" "github.com/google/osv-scanner/internal/imodels" "github.com/google/osv-scanner/internal/imodels/results" @@ -28,7 +29,13 @@ func buildVulnerabilityResults( Results: []models.PackageSource{}, ImageMetadata: scanResults.ImageMetadata, } - groupedBySource := map[models.SourceInfo][]models.PackageVulns{} + + type packageVulnsGroup struct { + pvs []models.PackageVulns + annotations []extractor.Annotation + } + + groupedBySource := map[models.SourceInfo]*packageVulnsGroup{} for _, psr := range scanResults.PackageScanResults { p := psr.PackageInfo includePackage := actions.ShowAllPackages @@ -131,16 +138,24 @@ func buildVulnerabilityResults( Path: p.Location(), Type: sourceType, } - groupedBySource[source] = append(groupedBySource[source], pkg) + + if groupedBySource[source] == nil { + groupedBySource[source] = &packageVulnsGroup{} + } + + groupedBySource[source].pvs = append(groupedBySource[source].pvs, pkg) + // Overwrite annotations as it should be the same for the same package. + groupedBySource[source].annotations = p.Annotations } } // TODO(v2): Move source analysis out of here. for source, packages := range groupedBySource { - sourceanalysis.Run(r, source, packages, actions.CallAnalysisStates) + sourceanalysis.Run(r, source, packages.pvs, actions.CallAnalysisStates) results.Results = append(results.Results, models.PackageSource{ - Source: source, - Packages: packages, + Source: source, + ExperimentalAnnotations: packages.annotations, + Packages: packages.pvs, }) }