From 121801a0d5324078baf4e1bc3634406095948d0b Mon Sep 17 00:00:00 2001
From: Zvonimir Pavlinovic
Date: Thu, 16 Jan 2025 19:48:43 +0000
Subject: [PATCH] all: use new version of govulncheck

Change-Id: I55fff6f6ea401dbda93374815cf27cb9fd517da8
Reviewed-on: https://go-review.googlesource.com/c/pkgsite-metrics/+/643175
Auto-Submit: Zvonimir Pavlinovic
LUCI-TryBot-Result: Go LUCI
Reviewed-by: Jonathan Amsterdam
---
 go.mod | 2 +-
 go.sum | 4 ++--
 internal/govulncheck/handler.go | 4 ++++
 internal/govulncheckapi/handler.go | 3 +++
 internal/govulncheckapi/result.go | 24 ++++++++++++++++++++++++
 5 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 8cd7be9..774163d 100644
--- a/go.mod
+++ b/go.mod
@@ -29,7 +29,7 @@ require (
 golang.org/x/oauth2 v0.25.0
 golang.org/x/sync v0.10.0
 golang.org/x/tools v0.29.0
- golang.org/x/vuln v1.1.3
+ golang.org/x/vuln v1.1.4
 google.golang.org/api v0.132.0
 google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130
 google.golang.org/grpc v1.56.2
diff --git a/go.sum b/go.sum
index 45555df..d57b4bb 100644
--- a/go.sum
+++ b/go.sum
@@ -603,8 +603,8 @@ golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.29.0 h1:Xx0h3TtM9rzQpQuR4dKLrdglAmCEN5Oi+P74JdhdzXE=
 golang.org/x/tools v0.29.0/go.mod h1:KMQVMRsVxU6nHCFXrBPhDB8XncLNLM0lIy/F14RP588=
-golang.org/x/vuln v1.1.3 h1:NPGnvPOTgnjBc9HTaUx+nj+EaUYxl5SJOWqaDYGaFYw=
-golang.org/x/vuln v1.1.3/go.mod h1:7Le6Fadm5FOqE9C926BCD0g12NWyhg7cxV4BwcPFuNY=
+golang.org/x/vuln v1.1.4 h1:Ju8QsuyhX3Hk8ma3CesTbO8vfJD9EvUBgHvkxHBzj0I=
+golang.org/x/vuln v1.1.4/go.mod h1:F+45wmU18ym/ca5PLTPLsSzr2KppzswxPP603ldA67s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/internal/govulncheck/handler.go b/internal/govulncheck/handler.go
index 35058cb..a9693ba 100644
--- a/internal/govulncheck/handler.go
+++ b/internal/govulncheck/handler.go
@@ -30,6 +30,10 @@ func (h *MetricsHandler) Progress(p *govulncheckapi.Progress) error {
 return nil
 }
 
+func (h *MetricsHandler) SBOM(sbom *govulncheckapi.SBOM) error {
+ return nil
+}
+
 func (h *MetricsHandler) OSV(e *osv.Entry) error {
 h.osvs[e.ID] = e
 return nil
diff --git a/internal/govulncheckapi/handler.go b/internal/govulncheckapi/handler.go
index d5d672f..4e8e2e2 100644
--- a/internal/govulncheckapi/handler.go
+++ b/internal/govulncheckapi/handler.go
@@ -19,6 +19,9 @@ type Handler interface {
 // Config communicates introductory message to the user.
 Config(config *Config) error
 
+ // SBOM shows information about what govulncheck is scanning.
+ SBOM(sbom *SBOM) error
+
 // Progress is called to display a progress message.
 Progress(progress *Progress) error
 
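Review bot: The new MetricsHandler.SBOM discards its argument with a bare `return nil`, and unlike the sibling OSV method just below it (which stores each entry in h.osvs) it carries no comment saying the drop is deliberate. The SBOM type added in this same commit carries the Go version, module list and scan roots, so a later reader will reasonably ask whether those should be recorded next to the OSV entries for attribution; a one-liner such as `// SBOM is a no-op: the metrics pipeline does not record the scan inventory.` settles that, or can be reworded if recording it is planned. The Progress method whose closing lines open this hunk starts outside the hunk.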
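Review bot: Adding SBOM to the exported Handler interface is a breaking change for every type that implements it; the diffstat shows only MetricsHandler being updated, so any other implementer (test doubles or downstream packages) would stop compiling, and neither the commit message nor the doc comment calls this out. The comment also leaves open when the message arrives relative to Config and Progress, which an implementer that keeps state needs to know; if govulncheck fixes that ordering, stating it here (e.g. `// SBOM is called once, after Config, with the inventory govulncheck is scanning.`, to be confirmed against the govulncheck documentation) would help. The Handler interface declaration itself starts outside the hunk.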
diff --git a/internal/govulncheckapi/result.go b/internal/govulncheckapi/result.go
index d3307cf..ef6da28 100644
--- a/internal/govulncheckapi/result.go
+++ b/internal/govulncheckapi/result.go
@@ -17,6 +17,7 @@ import (
 type Message struct {
 Config *Config `json:"config,omitempty"`
 Progress *Progress `json:"progress,omitempty"`
+ SBOM *SBOM `json:"SBOM,omitempty"`
 OSV *osv.Entry `json:"osv,omitempty"`
 Finding *Finding `json:"finding,omitempty"`
 }
@@ -53,6 +54,29 @@ type Config struct {
 ScanLevel ScanLevel `json:"scan_level,omitempty"`
 }
 
+// SBOM contains minimal information about the artifacts govulncheck is scanning.
+type SBOM struct {
+ // The go version used by govulncheck when scanning, which also defines
+ // the version of the standard library used for detecting vulns.
+ GoVersion string `json:"go_version,omitempty"`
+
+ // The set of modules included in the scan.
+ Modules []*Module `json:"modules,omitempty"`
+
+ // The roots of the scan, as package paths.
+ // For binaries, this will be the main package.
+ // For source code, this will be the packages matching the provided package patterns.
+ Roots []string `json:"roots,omitempty"`
+}
+
+type Module struct {
+ // The full module path.
+ Path string `json:"path,omitempty"`
+
+ // The version of the module.
+ Version string `json:"version,omitempty"`
+}
+
 // Progress messages are informational only, intended to allow users to monitor
 // the progress of a long running scan.
 // A stream must remain fully valid and able to be interpreted with all progress
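Review bot: The JSON key `SBOM` on the new Message field is the only uppercase key in the struct; config, progress, osv and finding are all lowercase. If the spelling mirrors the key govulncheck itself emits so that this package can decode its stream, a short comment on the field, `// Tag is uppercase to match govulncheck's JSON output.`, would stop a later consistency cleanup from changing what this package writes. Go's decoder matches keys case-insensitively, so reading would survive such a cleanup, but any re-encoding or raw-key comparison downstream would not.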
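Review bot: In the second hunk the exported type Module has no doc comment while SBOM directly above it does; `// Module identifies one module included in the scan by path and version.` satisfies the exported-name convention and the usual linters. The field comments in both new types also start with "The ..." rather than the field name, so godoc shows them detached from the identifier; `// GoVersion is the Go version govulncheck used for the scan ...`, `// Path is the full module path.` and `// Version is the module version.` is the conventional form. Both types are complete within the hunk.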