Include target value in Sarif template ruleID (#991)

* Include target value in Sarif template ruleID

* Fix format

.github/workflows/mkdocs-latest.yaml

@@ -1,5 +1,10 @@
 name: Deploy the latest documentation
 on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: Version to be deployed
+        required: true
   push:
     tags:
       - "v*"
@@ -27,7 +32,11 @@ jobs:
         run: |
           git config user.name "knqyf263"
           git config user.email "knqyf263@gmail.com"
-      - name: Deploy the latest documents
+      - name: Deploy the latest documents from new tag push
+        if: ${{ github.event.inputs.version == '' }}
         run: |
           VERSION=$(echo ${{ github.ref }} | sed -e "s#refs/tags/##g")
           mike deploy --push --update-aliases $VERSION latest
+      - name: Deploy the latest documents from manual trigger
+        if: ${{ github.event.inputs.version != '' }}
+        run: mike deploy --push --update-aliases ${{ github.event.inputs.version }} latest

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.12
+FROM alpine:3.13
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/

contrib/sarif.tpl

@@ -11,7 +11,7 @@
           "version": "0.15.0",
           "rules": [
         {{- $t_first := true }}
-        {{- range . }}
+        {{- range $result := . }}
             {{- $vulnerabilityType := .Type }}
             {{- range .Vulnerabilities -}}
               {{- if $t_first -}}
@@ -20,7 +20,7 @@
                 ,
               {{- end }}
             {
-              "id": "{{ .VulnerabilityID }}/{{ .PkgName }}",
+              "id": {{ printf "%s: %s-%s %s" $result.Target .PkgName .InstalledVersion .VulnerabilityID | toJson }},
               "name": "{{ toSarifRuleName $vulnerabilityType }}",
               "shortDescription": {
                 "text": {{ printf "%v Package: %v" .VulnerabilityID .PkgName | printf "%q" }}
@@ -57,7 +57,7 @@
       },
       "results": [
     {{- $t_first := true }}
-    {{- range . }}
+    {{- range $result := . }}
         {{- $filePath := .Target }}
         {{- range $index, $vulnerability := .Vulnerabilities -}}
           {{- if $t_first -}}
@@ -66,7 +66,7 @@
             ,
           {{- end }}
         {
-          "ruleId": "{{ $vulnerability.VulnerabilityID }}/{{ $vulnerability.PkgName }}",
+          "ruleId": {{ printf "%s: %s-%s %s" $result.Target .PkgName .InstalledVersion .VulnerabilityID | toJson }},
           "ruleIndex": {{ $index }},
           "level": "{{ toSarifErrorLevel $vulnerability.Vulnerability.Severity }}",
           "message": {
@@ -92,4 +92,4 @@
       }
     }
   ]
-}
+}

docs/vuln-detection/library.md

@@ -19,7 +19,8 @@
 - Java
     - JAR/WAR/EAR files (*.jar, *.war, and *.ear)
 - Go
-    - Binaries built by Go
+    - Binaries built by Go (UPX-compressed binaries don't work)
+    - go.sum
 
 The path of these files does not matter.
 

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/Masterminds/goutils v1.1.0 // indirect
 	github.com/Masterminds/sprig v2.22.0+incompatible
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/fanal v0.0.0-20210430044351-34b55f31bc70
+	github.com/aquasecurity/fanal v0.0.0-20210501235003-c816628070c1
 	github.com/aquasecurity/go-dep-parser v0.0.0-20210427143403-3c97ccc53976
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798

go.sum

@@ -172,6 +172,10 @@ github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
 github.com/aquasecurity/fanal v0.0.0-20210430044351-34b55f31bc70 h1:0v2pf+hIElPvGKLyDye08UtPH8AjujTVLUOWOgoM5O4=
 github.com/aquasecurity/fanal v0.0.0-20210430044351-34b55f31bc70/go.mod h1:cPTOJcf8bdP24oXhBsPVVczcjkICcApAwAOsn6CpHTI=
+github.com/aquasecurity/fanal v0.0.0-20210501093021-8aaac3e8dea7 h1:bY5D5GVthqQCvnNllG2NVXYpOQJJRi7KFhLdVrskaDg=
+github.com/aquasecurity/fanal v0.0.0-20210501093021-8aaac3e8dea7/go.mod h1:cPTOJcf8bdP24oXhBsPVVczcjkICcApAwAOsn6CpHTI=
+github.com/aquasecurity/fanal v0.0.0-20210501235003-c816628070c1 h1:xgdjcsA4Go/9k9XDXYimVF+BgyMlt7YoeWTMs2DpR8Y=
+github.com/aquasecurity/fanal v0.0.0-20210501235003-c816628070c1/go.mod h1:cPTOJcf8bdP24oXhBsPVVczcjkICcApAwAOsn6CpHTI=
 github.com/aquasecurity/go-dep-parser v0.0.0-20210427143403-3c97ccc53976 h1:ypl/IDxujzEymmwtzGJqQyboI2oZr1se+OoYaGqgBzQ=
 github.com/aquasecurity/go-dep-parser v0.0.0-20210427143403-3c97ccc53976/go.mod h1:Cv/FOCXy6gwvDbz/KX48+y//SmbnKroFwW5hquXn5G4=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=

integration/data/certs/cert.pem

@@ -1,18 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIIC+jCCAeKgAwIBAgIRAJLJ5vw48YZwoHlC8i6VdHswDQYJKoZIhvcNAQELBQAw
+MIICwTCCAamgAwIBAgIJAP09YW8ChPlwMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV
-EjEQMA4GA1UEChMHQWNtZSBDbzAeFw0yMDA1MDMxMTU2MzhaFw0yMTA1MDMxMTU2
+BAoMB0FjbWUgQ28wIBcNMjEwNTEyMDQ0NzA1WhgPMjEwMDA0MTQwNDQ3MDVaMBIx
-MzhaMBIxEDAOBgNVBAoTB0FjbWUgQ28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+EDAOBgNVBAoMB0FjbWUgQ28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-ggEKAoIBAQDhnepAL1Atd1xVh/TOZpTK7yHwtOrtGWNEqNkFbcyD7x9CNgUkxjO8
+AQDNmKpDOzU8GK5Xb3GfeqU1kKQ0gBejGtqK5ydH8tlRoy2NKGvjJ95nhIxUXMKe
-nc4ynEo4ARpLj+2VDLIwi93weCFj6mcz2tdHi7n0eiPR7+PSNMNpPFwablLOEtaX
+e345JFlzkCen5Ekvt70LT0O253z0FecfpaFilreIiu5J2YWWNtlruMhpjp4kYVMO
-XVqHhJNsHcJx6okX6ullksJoRnZGu+n1LvGRMMLWjS3UJZA6+1pujoifyrx9YXLU
+piKnujiNK9eAUcz++YeAmrog7QPBJBCgdu18xTy/yOW/Y414e1efvbRJZ4TaQb0Y
-qSjkRRv3Ly8HmAPJq0T19uCZiJ8qbrW1Vx3hdUILL4OlJmpjZvGKMRnolinko2Vk
+LgXRl1nlOLPPr5ew9pgnct7DxJVXpjXtgBxCsfcjH4kZGfc9zP0IKyODqaSCFRtj
-0pHH5MWz0iUbqWQjHZmQWi0rDHRAFbuCqQdmFsEneXmUzExXZbyHwrTH/mrjJTCJ
+eKH8gSpJCimBp3hpWvsSTHTRraOxAGXqhIYPhqRM83eB2QbeHnyk+YOn76pdMndb
-YmtR7Eq80AxsWnXNI3Z0mVQ9/nZDsT31AgMBAAGjSzBJMA4GA1UdDwEB/wQEAwIF
+vqAPksmTyHcgZShkhGcHKvbVAgMBAAGjGDAWMBQGA1UdEQQNMAuCCWxvY2FsaG9z
-oDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuC
+dDANBgkqhkiG9w0BAQsFAAOCAQEAHxXOTKGP1hl3J2jQrpha5LuYdMEbK1HFbPhV
-CWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEAG7spAmpZVKOV913WhKZp8o1+
+042k0tBmfP3wRgx0o/WQhg4f5RswQRtipdUCmMZVOAoQfos8j9LFmIKwcsboEQe/
-T6v/b6KUOAZ0iWXeGWO7LwnRaulkyauGav9xJUpfEw7Z/57qwTVIGZD6mZF6tt77
+Fvqq2+W/5TRhsKn/1OxvCZAEurazSygtm6hyiMGwKjJLfyzwjZx+Oopn3lqRUP36
-FsXXiQJA88LrQnt1BRTeNK8sRp4S3N1hrtY3akTit/dyQcfh3NSDttzkYsoUu0qT
+gLQQ57szoNZFKyPN2z2unXAuDG5wpG2InX8WJvlrhaiCHGUoxO8r0rVawm58bahM
-DUkXD0b4eDmaD47+0Z6eIVp3aEcPMzpiy6qWc5fMjMeHjtYF4lBSF0JTWzmxNUGl
+uGPlVPCNdxl1h7K8aecKpm+7Wh8n06Nl/kOWBDFAXeI8IwrnIy1rAZLngvnjqL//
-fiGhMJStQK/n73t58O7h5Adva5wRV+Km6pa+6SfOxPNUjsxXjG0LzWA9dJg/q2rs
+umjXKCBWya48ed9HMoOR2aruzseXc8k6cGXuBxYFtHissPvPPQ==
-k/ouIE05BfB3z538ncQVBTwfPMClbIiJhAs3b6ej22+j/O+vbFBmdfkpVpFRtg==
 -----END CERTIFICATE-----

integration/data/certs/key.pem

@@ -1,28 +1,27 @@
------BEGIN PRIVATE KEY-----
+-----BEGIN RSA PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDhnepAL1Atd1xV
+MIIEpQIBAAKCAQEAzZiqQzs1PBiuV29xn3qlNZCkNIAXoxraiucnR/LZUaMtjShr
-h/TOZpTK7yHwtOrtGWNEqNkFbcyD7x9CNgUkxjO8nc4ynEo4ARpLj+2VDLIwi93w
+4yfeZ4SMVFzCnnt+OSRZc5Anp+RJL7e9C09Dtud89BXnH6WhYpa3iIruSdmFljbZ
-eCFj6mcz2tdHi7n0eiPR7+PSNMNpPFwablLOEtaXXVqHhJNsHcJx6okX6ullksJo
+a7jIaY6eJGFTDqYip7o4jSvXgFHM/vmHgJq6IO0DwSQQoHbtfMU8v8jlv2ONeHtX
-RnZGu+n1LvGRMMLWjS3UJZA6+1pujoifyrx9YXLUqSjkRRv3Ly8HmAPJq0T19uCZ
+n720SWeE2kG9GC4F0ZdZ5Tizz6+XsPaYJ3Lew8SVV6Y17YAcQrH3Ix+JGRn3Pcz9
-iJ8qbrW1Vx3hdUILL4OlJmpjZvGKMRnolinko2Vk0pHH5MWz0iUbqWQjHZmQWi0r
+CCsjg6mkghUbY3ih/IEqSQopgad4aVr7Ekx00a2jsQBl6oSGD4akTPN3gdkG3h58
-DHRAFbuCqQdmFsEneXmUzExXZbyHwrTH/mrjJTCJYmtR7Eq80AxsWnXNI3Z0mVQ9
+pPmDp++qXTJ3W76gD5LJk8h3IGUoZIRnByr21QIDAQABAoIBAQCVN2ETjIxVgqA+
-/nZDsT31AgMBAAECggEBAKwwGhSMR3O7sdNxJIvVzF8orE2JtfXoN1OyTZcQGlLi
+K08u7Ses2b6jr/f31AybVasnx/S8EI+F7Llo003SmdvzeqNxvLVeqagWfKCbdM89
-z4d3tOtA/UFJapJDp30gklHy8Y6clu3oASVCebFItyTjMwPehrgn82iI3eWS8URC
+R8B3zd6aiCYjTSZCzMZ1tGeePR83EB2paUOhsCocmnricpSChEeQrlJO+2vb4QLE
-lcRySG4QAIia7bmZm+2atMi+B40icqhbnlV42VHYnpDKGAEIJtsZ+kz7shzhsj3G
+Z7xVtXazYPIhophCri4tKUWu+BLvNPez+TndaE5Xg77HLmu24rloZh6XhYDdFWd+
-yTQMFyuqk0DUmsbSVKPjryv15DXsT9Rk2pVZYFhiRw/gQpWD58GMP/HMrSz+sjuX
+u/eF+QiWy4/EoLUv2TLym8ivUws+r2G9yK57kcQCJw+BqlaRew7Ts0RHnam53OxV
-ZIlhSMGVWA4Yc7le4PpWI2qAZLR+X1EgkzxcMJ0kWvnvzEXFmofaYzkbEcNOlguF
+T4dEHJxAfXO8jC1F5NCjoBO/+0HJqrMtD0NqWH9G+fEtakL7h5oeh6vYrSQfpZGC
-Bv9kP5fh35AbQbTLykGO9h4VrfDajlHequzNBJs1z60CgYEA53cwBh42pg/fSmaO
+V7MXojqdAoGBAOhwBi0erXOn4strtkGvSjJ6HVLwWfmm+rlfm23JGigYghYTSxBM
-sowpFV52ZfbfUPcuXRuaidHWougByB8P8XTMeQTse4NLt+2oat/5rdP3keGr5OR5
+ESuwppt1QPXK5jfil89RqrvDqKG9BjXV4yWyaJlIRaYeJe8/TZa3e8WkLr0XaKGH
-8q7v8/R/KY0NQOa/93BUeRDW4ntxMECWbC2p/sq2wnRKTl+yepAWrRXzk8z9vFP/
+v1LTW+/uc73ihDJ/M2axmP4vjThCfqiG9aKXLCDM+DIgfdvIbkXUfPZjAoGBAOJw
-TZM5m65aj3IsZ3Bo1WG+SSf8bvsCgYEA+YgFxmiTauKRO4IVPuOqJ88yC5SQ83mF
+Fc6D3z0r09F3/UgtADhQlbD2jzs6xdcqCu7af3527F6ePXXU8CTLS5jusAiDW5xH
-T54ILYalG3yq/Jm1TTOzoZAoKvHrJeeZqQvjS4jSY5gc5TCrUVTdsw5nXtrRKZJs
+ukQS/0ZM92UTUJxpQxgzHSWOImhcv3o45vzQ0C0pXSSaE+Pp8QYWaE/BdE+VoVOK
-HjtVT78qfzjCSHzImvc3Rw5+SNO2+j9yxuBSAG4tEKD3KKxSodXnKtD4CwzvRdyI
+YGAfppZywPGnKYt4R5ho5XLwAL3rrH+2m7z51mdnAoGBANP5LbjCLF64Mb1f2pOm
-gUyjQi3Os88CgYEAgrzegkYkhe2nKKX+6bijJ+/AHl2vy1KifHKv+jJs8nzrLLbm
+f1zvPoTfyr5BSI/7n+yMJL2CNEhbie4v4MzeSeKmGPrO8grvK5EXIkQgGE5/6wT3
-0XIwYBa44BbL+Oqi2yMBKv7z8hEuf03R15KZ9Ahgnv6Nwt/TBBcNj4hEZ45j42ZH
+rTI4tOltHo9zGRdJvMGBTXAd3b32diYxfQrU1BhIducph3PhyweRWTweM4SmJ4ob
-0HiGcWTcj78RjW0eKX4jYMZqW0xI8Uvcg1uqCVYUzrsle5ORkxzvVvDf82sCgYEA
+ojGH+edj5ckZFo50CBTIxrmPAoGBAI8SpSSsfCRJiffjadzt2iK7AColT9DrzM+r
-4hS9tsA1IJhaoaIAgdRf7GWroBZhJlep0zMJkcX2fer8OJVDUMlRLUahPhelx9gI
+1+adlksQ1z7dmxXVqrqE3UpPHljyrrKrO40Bt9vyi6qIrrl1ZRhoS3VMPn9UgwO1
-vsLIkz1J8XZ2Z6kq7yuHGp4oRibXb2T8lH+JkhFP/ah9TpPQZacq7DRTcsRvelhW
+6nU5dx/h7+FNnV23ljvzcotaP6R9dca0OzrhJMAQ18qYhY6DPDGXrcqWzNEzlPXJ
-M542bbFlHzXX+X/39i0Jnx9qPQjhGVjwTMYU/Pbn2r0CgYAkwwh2oq6BP3w7/4xe
+KtQXxBnnAoGAFQPvW/wDahrGcm1MBw83E0TgNJpoB10tz6R1dLdKVSHJUXMfxmij
-giaW/5zzMA8R9ZXFfkE4OXk2vig8LzUn1IO0JeGLyHQbdg8exYxTU3zygIlSvCQP
+Wj4MaF0JB0GWRRjutng+i7y7Tx+mUpu80qV8E9zAH7jGFnpqjw8A9zp5ftK00e7Y
-Zbl0+RB+NHwGOqlpEDdPFXsqi1GAdWOC6FzYtBFNk9WyjFICXjB42wnfIIUQPLU1
+shRlg+lhJhlvMA5QCYNzpYj+7EXJm7nzbhC6pMtBapT9a/MUPYFte38=
-kQKFaehfx9KR0iW1dnm3vbFlzw==
+-----END RSA PRIVATE KEY-----
------END PRIVATE KEY-----

integration/testdata/alpine-310.sarif.golden

@@ -11,7 +11,7 @@
           "version": "0.15.0",
           "rules": [
             {
-              "id": "CVE-2019-1549/libcrypto1.1",
+              "id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1549",
               "name": "OS Package Vulnerability (Alpine)",
               "shortDescription": {
                 "text": "CVE-2019-1549 Package: libcrypto1.1"
@@ -37,7 +37,7 @@
               }
             },
             {
-              "id": "CVE-2019-1551/libcrypto1.1",
+              "id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1551",
               "name": "OS Package Vulnerability (Alpine)",
               "shortDescription": {
                 "text": "CVE-2019-1551 Package: libcrypto1.1"
@@ -63,7 +63,7 @@
               }
             },
             {
-              "id": "CVE-2019-1563/libcrypto1.1",
+              "id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1563",
               "name": "OS Package Vulnerability (Alpine)",
               "shortDescription": {
                 "text": "CVE-2019-1563 Package: libcrypto1.1"
@@ -89,7 +89,7 @@
               }
             },
             {
-              "id": "CVE-2019-1547/libcrypto1.1",
+              "id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1547",
               "name": "OS Package Vulnerability (Alpine)",
               "shortDescription": {
                 "text": "CVE-2019-1547 Package: libcrypto1.1"
@@ -115,7 +115,7 @@
               }
             },
             {
-              "id": "CVE-2019-1549/libssl1.1",
+              "id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1549",
               "name": "OS Package Vulnerability (Alpine)",
               "shortDescription": {
                 "text": "CVE-2019-1549 Package: libssl1.1"
@@ -141,7 +141,7 @@
               }
             },
             {
-              "id": "CVE-2019-1551/libssl1.1",
+              "id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1551",
               "name": "OS Package Vulnerability (Alpine)",
               "shortDescription": {
                 "text": "CVE-2019-1551 Package: libssl1.1"
@@ -167,7 +167,7 @@
               }
             },
             {
-              "id": "CVE-2019-1563/libssl1.1",
+              "id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1563",
               "name": "OS Package Vulnerability (Alpine)",
               "shortDescription": {
                 "text": "CVE-2019-1563 Package: libssl1.1"
@@ -193,7 +193,7 @@
               }
             },
             {
-              "id": "CVE-2019-1547/libssl1.1",
+              "id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1547",
               "name": "OS Package Vulnerability (Alpine)",
               "shortDescription": {
                 "text": "CVE-2019-1547 Package: libssl1.1"
@@ -222,7 +222,7 @@
       },
       "results": [
         {
-          "ruleId": "CVE-2019-1549/libcrypto1.1",
+          "ruleId": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1549",
           "ruleIndex": 0,
           "level": "warning",
           "message": {
@@ -238,7 +238,7 @@
           }]
         },
         {
-          "ruleId": "CVE-2019-1551/libcrypto1.1",
+          "ruleId": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1551",
           "ruleIndex": 1,
           "level": "warning",
           "message": {
@@ -254,7 +254,7 @@
           }]
         },
         {
-          "ruleId": "CVE-2019-1563/libcrypto1.1",
+          "ruleId": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1563",
           "ruleIndex": 2,
           "level": "warning",
           "message": {
@@ -270,7 +270,7 @@
           }]
         },
         {
-          "ruleId": "CVE-2019-1547/libcrypto1.1",
+          "ruleId": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1547",
           "ruleIndex": 3,
           "level": "note",
           "message": {
@@ -286,7 +286,7 @@
           }]
         },
         {
-          "ruleId": "CVE-2019-1549/libssl1.1",
+          "ruleId": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1549",
           "ruleIndex": 4,
           "level": "warning",
           "message": {
@@ -302,7 +302,7 @@
           }]
         },
         {
-          "ruleId": "CVE-2019-1551/libssl1.1",
+          "ruleId": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1551",
           "ruleIndex": 5,
           "level": "warning",
           "message": {
@@ -318,7 +318,7 @@
           }]
         },
         {
-          "ruleId": "CVE-2019-1563/libssl1.1",
+          "ruleId": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1563",
           "ruleIndex": 6,
           "level": "warning",
           "message": {
@@ -334,7 +334,7 @@
           }]
         },
         {
-          "ruleId": "CVE-2019-1547/libssl1.1",
+          "ruleId": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1547",
           "ruleIndex": 7,
           "level": "note",
           "message": {
@@ -357,4 +357,4 @@
       }
     }
   ]
-}
+}

pkg/detector/library/driver.go

@@ -39,7 +39,7 @@ func NewDriver(libType string) (Driver, error) {
 		driver = newNugetDriver()
 	case library.Jar:
 		driver = newMavenDriver()
-	case library.GoBinary:
+	case library.GoBinary, library.GoMod:
 		driver = Driver{
 			ecosystem:  vulnerability.Go,
 			advisories: []advisory{NewAdvisory(vulnerability.Go, comparer.GenericComparer{})},

pkg/report/writer_test.go

@@ -409,7 +409,7 @@ func TestReportWriter_Template_SARIF(t *testing.T) {
           "version": "0.15.0",
           "rules": [
             {
-              "id": "CVE-1234-5678/foopackage",
+              "id": "foo/target/alpine-310.tar.gz (alpine 3.10.2): foopackage-1.2.3 CVE-1234-5678",
               "name": "Other Vulnerability (Footype)",
               "shortDescription": {
                 "text": "CVE-1234-5678 Package: foopackage"
@@ -437,7 +437,7 @@ func TestReportWriter_Template_SARIF(t *testing.T) {
       },
       "results": [
         {
-          "ruleId": "CVE-1234-5678/foopackage",
+          "ruleId": "foo/target/alpine-310.tar.gz (alpine 3.10.2): foopackage-1.2.3 CVE-1234-5678",
           "ruleIndex": 0,
           "level": "error",
           "message": {
@@ -493,7 +493,7 @@ func TestReportWriter_Template_SARIF(t *testing.T) {
           "version": "0.15.0",
           "rules": [
             {
-              "id": "CVE-1234-5678/foopackage",
+              "id": "rust-app\\Cargo.lock: foopackage-1.2.3 CVE-1234-5678",
               "name": "Other Vulnerability (Footype)",
               "shortDescription": {
                 "text": "CVE-1234-5678 Package: foopackage"
@@ -522,7 +522,7 @@ func TestReportWriter_Template_SARIF(t *testing.T) {
       },
       "results": [
         {
-          "ruleId": "CVE-1234-5678/foopackage",
+          "ruleId": "rust-app\\Cargo.lock: foopackage-1.2.3 CVE-1234-5678",
           "ruleIndex": 0,
           "level": "error",
           "message": {

pkg/scanner/local/scan.go

@@ -18,6 +18,7 @@ import (
 	_ "github.com/aquasecurity/fanal/analyzer/library/cargo"
 	_ "github.com/aquasecurity/fanal/analyzer/library/composer"
 	_ "github.com/aquasecurity/fanal/analyzer/library/gobinary"
+	_ "github.com/aquasecurity/fanal/analyzer/library/gomod"
 	_ "github.com/aquasecurity/fanal/analyzer/library/jar"
 	_ "github.com/aquasecurity/fanal/analyzer/library/npm"
 	_ "github.com/aquasecurity/fanal/analyzer/library/nuget"

pkg/types/vulnerability.go

@@ -28,6 +28,8 @@ func (v BySeverity) Len() int { return len(v) }
 func (v BySeverity) Less(i, j int) bool {
 	if v[i].PkgName != v[j].PkgName {
 		return v[i].PkgName < v[j].PkgName
+	} else if v[i].InstalledVersion != v[j].InstalledVersion {
+		return v[i].InstalledVersion < v[j].InstalledVersion
 	}
 	ret := types.CompareSeverityString(
 		v[j].Severity, v[i].Severity,

pkg/vulnerability/vulnerability.go

@@ -3,6 +3,7 @@ package vulnerability
 import (
 	"bufio"
 	"context"
+	"fmt"
 	"io/ioutil"
 	"os"
 	"sort"
@@ -148,25 +149,8 @@ func (c Client) getPrimaryURL(vulnID string, refs []string, source string) strin
 func (c Client) Filter(ctx context.Context, vulns []types.DetectedVulnerability, severities []dbTypes.Severity,
 	ignoreUnfixed bool, ignoreFile string, policyFile string) ([]types.DetectedVulnerability, error) {
 	ignoredIDs := getIgnoredIDs(ignoreFile)
-	var vulnerabilities []types.DetectedVulnerability
+
-	for _, vuln := range vulns {
+	vulnerabilities := filterVulnerabilities(vulns, severities, ignoredIDs, ignoreUnfixed)
-		if vuln.Severity == "" {
-			vuln.Severity = dbTypes.SeverityUnknown.String()
-		}
-		// Filter vulnerabilities by severity
-		for _, s := range severities {
-			if s.String() == vuln.Severity {
-				// Ignore unfixed vulnerabilities
-				if ignoreUnfixed && vuln.FixedVersion == "" {
-					continue
-				} else if utils.StringInSlice(vuln.VulnerabilityID, ignoredIDs) {
-					continue
-				}
-				vulnerabilities = append(vulnerabilities, vuln)
-				break
-			}
-		}
-	}
 
 	if policyFile != "" {
 		var err error
@@ -179,6 +163,49 @@ func (c Client) Filter(ctx context.Context, vulns []types.DetectedVulnerability,
 	return vulnerabilities, nil
 }
 
+func filterVulnerabilities(vulns []types.DetectedVulnerability, severities []dbTypes.Severity, ignoredIDs []string,
+	ignoreUnfixed bool) []types.DetectedVulnerability {
+	uniqVulns := make(map[string]types.DetectedVulnerability)
+	for _, vuln := range vulns {
+		if vuln.Severity == "" {
+			vuln.Severity = dbTypes.SeverityUnknown.String()
+		}
+		// Filter vulnerabilities by severity
+		for _, s := range severities {
+			if s.String() != vuln.Severity {
+				continue
+			}
+
+			// Ignore unfixed vulnerabilities
+			if ignoreUnfixed && vuln.FixedVersion == "" {
+				continue
+			} else if utils.StringInSlice(vuln.VulnerabilityID, ignoredIDs) {
+				continue
+			}
+
+			// Check if there is a duplicate vulnerability
+			key := fmt.Sprintf("%s/%s/%s", vuln.VulnerabilityID, vuln.PkgName, vuln.InstalledVersion)
+			if old, ok := uniqVulns[key]; ok && !shouldOverwrite(old, vuln) {
+				continue
+			}
+			uniqVulns[key] = vuln
+			break
+		}
+	}
+
+	return toSlice(uniqVulns)
+}
+
+func toSlice(uniqVulns map[string]types.DetectedVulnerability) []types.DetectedVulnerability {
+	// Convert map to slice
+	var vulnerabilities []types.DetectedVulnerability
+	for _, vuln := range uniqVulns {
+		vulnerabilities = append(vulnerabilities, vuln)
+	}
+
+	return vulnerabilities
+}
+
 func applyPolicy(ctx context.Context, vulns []types.DetectedVulnerability, policyFile string) ([]types.DetectedVulnerability, error) {
 	policy, err := ioutil.ReadFile(policyFile)
 	if err != nil {
@@ -236,3 +263,8 @@ func getIgnoredIDs(ignoreFile string) []string {
 	}
 	return ignoredIDs
 }
+
+func shouldOverwrite(old, new types.DetectedVulnerability) bool {
+	// The same vulnerability must be picked always.
+	return old.FixedVersion < new.FixedVersion
+}

pkg/vulnerability/vulnerability_test.go

@@ -675,6 +675,134 @@ func TestClient_Filter(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "happy path with duplicates, one with empty fixed version",
+			args: args{
+				vulns: []types.DetectedVulnerability{
+					{
+						VulnerabilityID:  "CVE-2019-0001",
+						PkgName:          "foo",
+						InstalledVersion: "1.2.3",
+						FixedVersion:     "",
+						Vulnerability: dbTypes.Vulnerability{
+							Severity: dbTypes.SeverityLow.String(),
+						},
+					},
+					{
+						VulnerabilityID:  "CVE-2019-0001",
+						PkgName:          "foo",
+						InstalledVersion: "1.2.3",
+						FixedVersion:     "1.2.4",
+						Vulnerability: dbTypes.Vulnerability{
+							Severity: dbTypes.SeverityLow.String(),
+						},
+					},
+					{
+						VulnerabilityID:  "CVE-2019-0002",
+						PkgName:          "bar",
+						InstalledVersion: "1.2.3",
+						FixedVersion:     "1.2.4",
+						Vulnerability: dbTypes.Vulnerability{
+							Severity: dbTypes.SeverityCritical.String(),
+						},
+					},
+					{
+						VulnerabilityID:  "CVE-2019-0002",
+						PkgName:          "bar",
+						InstalledVersion: "1.2.3",
+						FixedVersion:     "1.2.5",
+						Vulnerability: dbTypes.Vulnerability{
+							Severity: dbTypes.SeverityCritical.String(),
+						},
+					},
+					{
+						VulnerabilityID:  "CVE-2018-0001",
+						PkgName:          "baz",
+						InstalledVersion: "1.2.3",
+						FixedVersion:     "",
+						Vulnerability: dbTypes.Vulnerability{
+							Severity: dbTypes.SeverityHigh.String(),
+						},
+					},
+					{
+						VulnerabilityID:  "CVE-2018-0001",
+						PkgName:          "bar",
+						InstalledVersion: "1.2.3",
+						FixedVersion:     "",
+						Vulnerability: dbTypes.Vulnerability{
+							Severity: dbTypes.SeverityCritical.String(),
+						},
+					},
+					{
+						VulnerabilityID:  "CVE-2018-0002",
+						PkgName:          "bar",
+						InstalledVersion: "1.2.3",
+						FixedVersion:     "",
+						Vulnerability: dbTypes.Vulnerability{
+							Severity: "",
+						},
+					},
+					{
+						VulnerabilityID:  "CVE-2018-0002",
+						PkgName:          "bar",
+						InstalledVersion: "2.0.0",
+						FixedVersion:     "",
+						Vulnerability: dbTypes.Vulnerability{
+							Severity: "",
+						},
+					},
+				},
+				severities:    []dbTypes.Severity{dbTypes.SeverityCritical, dbTypes.SeverityHigh, dbTypes.SeverityUnknown},
+				ignoreUnfixed: false,
+			},
+			want: []types.DetectedVulnerability{
+				{
+					VulnerabilityID:  "CVE-2018-0001",
+					PkgName:          "bar",
+					InstalledVersion: "1.2.3",
+					FixedVersion:     "",
+					Vulnerability: dbTypes.Vulnerability{
+						Severity: dbTypes.SeverityCritical.String(),
+					},
+				},
+				{
+					VulnerabilityID:  "CVE-2019-0002",
+					PkgName:          "bar",
+					InstalledVersion: "1.2.3",
+					FixedVersion:     "1.2.5",
+					Vulnerability: dbTypes.Vulnerability{
+						Severity: dbTypes.SeverityCritical.String(),
+					},
+				},
+				{
+					VulnerabilityID:  "CVE-2018-0002",
+					PkgName:          "bar",
+					InstalledVersion: "1.2.3",
+					FixedVersion:     "",
+					Vulnerability: dbTypes.Vulnerability{
+						Severity: dbTypes.SeverityUnknown.String(),
+					},
+				},
+				{
+					VulnerabilityID:  "CVE-2018-0002",
+					PkgName:          "bar",
+					InstalledVersion: "2.0.0",
+					FixedVersion:     "",
+					Vulnerability: dbTypes.Vulnerability{
+						Severity: dbTypes.SeverityUnknown.String(),
+					},
+				},
+				{
+					VulnerabilityID:  "CVE-2018-0001",
+					PkgName:          "baz",
+					InstalledVersion: "1.2.3",
+					FixedVersion:     "",
+					Vulnerability: dbTypes.Vulnerability{
+						Severity: dbTypes.SeverityHigh.String(),
+					},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {