Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: offline scanning having different results than online #1566

Merged
merged 5 commits into from
Feb 5, 2025
Merged

fix: offline scanning having different results than online #1566

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
9df9c00
Don't skip aliases when performing an include.
another-rex Feb 4, 2025
1baf4ed
Actually show the patch for stdlib we applied.
another-rex Feb 4, 2025
4ce1c60
Remove patching code from osvmatcher.go
another-rex Feb 4, 2025
8c9877e
Add comment
another-rex Feb 4, 2025
5875aa0
Comment out the unused functions for now, they could still be useful.
another-rex Feb 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
90 changes: 53 additions & 37 deletions cmd/osv-scanner/__snapshots__/main_test.snap
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1085,15 +1085,15 @@ Scanned <rootdir>/fixtures/call-analysis-go-project/go.mod file and found 4 pack
+-------------------------------------+------+-----------+-----------------------------+---------+------------------------------------------+
| https://osv.dev/GO-2023-1558 | 5.9 | Go | github.com/ipfs/go-bitfield | 1.0.0 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GHSA-2h6c-j3gf-xp9r | | | | | |
| https://osv.dev/GO-2023-2375 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2023-2102 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2023-2185 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2023-2382 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2598 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2599 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2687 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2887 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2025-3373 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2023-2375 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
hogo6002 marked this conversation as resolved.
Show resolved Hide resolved
| https://osv.dev/GO-2023-2102 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2023-2185 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2023-2382 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2598 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2599 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2687 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2887 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2025-3373 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
+-------------------------------------+------+-----------+-----------------------------+---------+------------------------------------------+
| Uncalled vulnerabilities | | | | | |
+-------------------------------------+------+-----------+-----------------------------+---------+------------------------------------------+
Expand All @@ -1107,18 +1107,18 @@ Scanned <rootdir>/fixtures/call-analysis-go-project/go.mod file and found 4 pack
| https://osv.dev/GHSA-x92r-3vfx-4cv3 | | | | | |
| https://osv.dev/GO-2024-2937 | 8.7 | Go | golang.org/x/image | 0.4.0 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GHSA-9phm-fm57-rhg8 | | | | | |
| https://osv.dev/GO-2023-2041 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2023-2043 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2023-2186 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2600 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2609 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2610 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2888 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2963 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-3105 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-3106 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-3107 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2025-3420 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2023-2041 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2023-2043 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2023-2186 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2600 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2609 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2610 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2888 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2963 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-3105 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-3106 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-3107 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2025-3420 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
+-------------------------------------+------+-----------+-----------------------------+---------+------------------------------------------+

---
Expand Down Expand Up @@ -2082,14 +2082,22 @@ Loaded OSS-Fuzz local db from <tempdir>/osv-scanner/OSS-Fuzz/all.zip
| https://osv.dev/CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2022-1304 | 7.8 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3910-1 | | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-f3fp-gc8g-vw66 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-g2j6-57v7-gm8c | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-jfvp-7x6p-h2pv | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-m8cg-xc2p-r3fc | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-v95c-p5hm-xq8f | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-vpvm-3wq2-2wvm | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-xr7r-f8xq-vfvv | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-p782-xgp4-8hr8 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GO-2022-0452 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-f3fp-gc8g-vw66 | | | | | |
| https://osv.dev/GO-2023-1683 | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-g2j6-57v7-gm8c | | | | | |
| https://osv.dev/GO-2024-3110 | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-jfvp-7x6p-h2pv | | | | | |
| https://osv.dev/GO-2023-1682 | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-m8cg-xc2p-r3fc | | | | | |
| https://osv.dev/GO-2022-0274 | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-v95c-p5hm-xq8f | | | | | |
| https://osv.dev/GO-2023-1627 | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-vpvm-3wq2-2wvm | | | | | |
| https://osv.dev/GO-2024-2491 | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-xr7r-f8xq-vfvv | | | | | |
| https://osv.dev/GO-2022-0493 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-p782-xgp4-8hr8 | | | | | |
| https://osv.dev/DSA-5122-1 | 8.8 | Debian | gzip | 1.6-5+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2017-0379 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2017-7526 | 6.8 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
Expand Down Expand Up @@ -2283,14 +2291,22 @@ Loaded OSS-Fuzz local db from <tempdir>/osv-scanner/OSS-Fuzz/all.zip
| https://osv.dev/CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2022-1304 | 7.8 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3910-1 | | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-f3fp-gc8g-vw66 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-g2j6-57v7-gm8c | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-jfvp-7x6p-h2pv | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-m8cg-xc2p-r3fc | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-v95c-p5hm-xq8f | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-vpvm-3wq2-2wvm | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-xr7r-f8xq-vfvv | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-p782-xgp4-8hr8 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GO-2022-0452 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-f3fp-gc8g-vw66 | | | | | |
| https://osv.dev/GO-2023-1683 | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-g2j6-57v7-gm8c | | | | | |
| https://osv.dev/GO-2024-3110 | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-jfvp-7x6p-h2pv | | | | | |
| https://osv.dev/GO-2023-1682 | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-m8cg-xc2p-r3fc | | | | | |
| https://osv.dev/GO-2022-0274 | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-v95c-p5hm-xq8f | | | | | |
| https://osv.dev/GO-2023-1627 | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-vpvm-3wq2-2wvm | | | | | |
| https://osv.dev/GO-2024-2491 | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-xr7r-f8xq-vfvv | | | | | |
| https://osv.dev/GO-2022-0493 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-p782-xgp4-8hr8 | | | | | |
| https://osv.dev/DSA-5122-1 | 8.8 | Debian | gzip | 1.6-5+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2017-0379 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2017-7526 | 6.8 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
Expand Down
31 changes: 0 additions & 31 deletions internal/clients/clientimpl/osvmatcher/osvmatcher.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,17 +3,13 @@ package osvmatcher
import (
"context"
"errors"
"fmt"
"time"

"github.com/google/osv-scalibr/extractor"
"github.com/google/osv-scalibr/log"
"github.com/google/osv-scanner/v2/internal/imodels"
"github.com/google/osv-scanner/v2/internal/imodels/ecosystem"
"github.com/google/osv-scanner/v2/internal/osvdev"
"github.com/google/osv-scanner/v2/internal/semantic"
"github.com/google/osv-scanner/v2/pkg/models"
"github.com/ossf/osv-schema/bindings/go/osvschema"
"golang.org/x/sync/errgroup"
)

Expand Down Expand Up @@ -186,34 +182,7 @@ func invsToQueries(invs []*extractor.Inventory) []*osvdev.Query {
for i, inv := range invs {
pkg := imodels.FromInventory(inv)
queries[i] = pkgToQuery(pkg)
patchQueryForRequest(queries[i])
}

return queries
}

// patchQueryForRequest modifies packages before they are sent to osv.dev to
// account for edge cases.
func patchQueryForRequest(queryToPatch *osvdev.Query) {
// Assume Go stdlib patch version as the latest version
//
// This is done because go1.20 and earlier do not support patch
// version in go.mod file, and will fail to build.
//
// However, if we assume patch version as .0, this will cause a lot of
// false positives. This compromise still allows osv-scanner to pick up
// when the user is using a minor version that is out-of-support.
//
// MustParse works here because this query is converted from a valid ecosystem in the first place
if queryToPatch.Package.Name == "stdlib" && ecosystem.MustParse(queryToPatch.Package.Ecosystem).Ecosystem == osvschema.EcosystemGo {
v := semantic.ParseSemverLikeVersion(queryToPatch.Version, 3)
if len(v.Components) == 2 {
queryToPatch.Version = fmt.Sprintf(
"%d.%d.%d",
v.Components.Fetch(0),
v.Components.Fetch(1),
9999,
)
}
}
}
Loading