govulncheck version
Go: go1.25.4
Scanner: govulncheck@v1.5.0
DB: https://vuln.go.dev
DB updated: 2026-06-26 20:04:13 +0000 UTC
Does this issue reproduce at the latest version of golang.org/x/vuln?
Yes, this issue can be reproduced at the latest version of golang.org/x/vuln/cmd/govulncheck.
Output of go env in your module/workspace:
set AR=ar
set CC=gcc
set CGO_CFLAGS=-O2 -g
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-O2 -g
set CGO_ENABLED=1
set CGO_FFLAGS=-O2 -g
set CGO_LDFLAGS=-O2 -g
set CXX=g++
set GCCGO=gccgo
set GO111MODULE=on
set GOAMD64=v1
set GOARCH=amd64
set GOAUTH=netrc
set GOBIN=
set GOCACHE=C:\Users\Marat\AppData\Local\go-build
set GOCACHEPROG=
set GODEBUG=
set GOENV=C:\Users\Marat\AppData\Roaming\go\env
set GOEXE=.exe
set GOEXPERIMENT=
set GOFIPS140=off
set GOFLAGS=
set GOGCCFLAGS=-m64 -mthreads -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=C:\Users\Marat\AppData\Local\Temp\go-build1707616018=/tmp/go-build -gno-record-gcc-switches
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GOMOD=D:\Users\Marat\Documents\work\go\vuln\go.mod
set GOMODCACHE=D:\Users\Marat\go\pkg\mod
set GONOPROXY=
set GONOSUMDB=
set GOOS=windows
set GOPATH=D:\Users\Marat\go
set GOPRIVATE=
set GOPROXY=https://proxy.golang.org,direct
set GOROOT=C:/Users/Marat/sdk/go1.25.4
set GOSUMDB=sum.golang.org
set GOTELEMETRY=off
set GOTELEMETRYDIR=C:\Users\Marat\AppData\Roaming\go\telemetry
set GOTMPDIR=
set GOTOOLCHAIN=auto
set GOTOOLDIR=C:\Users\Marat\sdk\go1.25.4\pkg\tool\windows_amd64
set GOVCS=
set GOVERSION=go1.25.4
set GOWORK=
set PKG_CONFIG=pkg-config
What did you do?
Scan any Go project using golang.org/x/vuln/cmd/govulncheck tool in source mode with SARIF output, e.g.:
go run -mod=readonly golang.org/x/vuln/cmd/govulncheck@v1.5.0 -format sarif ./...
What did you see happen?
The results of SARIF output of golang.org/x/vuln/cmd/govulncheck tool - .runs[*].results[*].locations[*].physicalLocation.region.startLine (JSONPath of respective property) - always point to the first line (have value 1) of go.mod file (.runs[*].results[*].locations[*].physicalLocation.artifactLocation.uri).
What did you expect to see?
The results of SARIF output of golang.org/x/vuln/cmd/govulncheck tool - .runs[*].results[*].locations[*].physicalLocation.region.startLine (JSONPath of respective property) - should point to:
- the line of go.mod which declares usage of Go module which causes result (finding) if the Go module is not Go standard library.
- the line of go.mod which declares version of Go if the Go package which causes result is part of Go standard library.
- the first line of go.mod if Go module which causes result can not be found in go.mod (fallback to current behavior).
govulncheck version
Go: go1.25.4
Scanner: govulncheck@v1.5.0
DB: https://vuln.go.dev
DB updated: 2026-06-26 20:04:13 +0000 UTC
Does this issue reproduce at the latest version of golang.org/x/vuln?
Yes, this issue can be reproduced at the latest version of golang.org/x/vuln/cmd/govulncheck.
Output of
go envin your module/workspace:What did you do?
Scan any Go project using golang.org/x/vuln/cmd/govulncheck tool in
sourcemode with SARIF output, e.g.:What did you see happen?
The results of SARIF output of golang.org/x/vuln/cmd/govulncheck tool -
.runs[*].results[*].locations[*].physicalLocation.region.startLine(JSONPath of respective property) - always point to the first line (have value1) of go.mod file (.runs[*].results[*].locations[*].physicalLocation.artifactLocation.uri).What did you expect to see?
The results of SARIF output of golang.org/x/vuln/cmd/govulncheck tool -
.runs[*].results[*].locations[*].physicalLocation.region.startLine(JSONPath of respective property) - should point to: