
Indexer: don't index third party dependencies. #1766

Closed
oliverchang opened this issue Oct 30, 2023 · 5 comments · Fixed by #1785
Labels
bug Something isn't working

Comments

@oliverchang
Collaborator

https://github.com/gemini-testing/png-img seems to cause matches against it instead of libpng.

@oliverchang oliverchang added the bug Something isn't working label Oct 30, 2023
@oliverchang
Collaborator Author

(from google/osv-scanner#621)

@another-rex
Contributor

Hmm... there's probably a more general approach here where we ignore these "third_party" and similar folders from the initial indexing, could reduce a lot of false positives.

Also detecting a non C/C++ package manifest file and avoiding these repositories when indexing will help.
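The two ideas in this comment (prune vendored "third_party"-style directories before hashing, and skip repositories whose top-level manifest shows they belong to another ecosystem) sketched as an added example. This is not osv.dev's indexer code; the directory names, manifest list and the constructed png-img-like fixture are assumptions chosen to illustrate the approach.

```python
"""Added example (not osv.dev's indexer): prune vendored directories from the
walk that feeds the indexer, and flag repositories whose manifest shows they
are not C/C++ projects so they are not indexed at all."""
import os
import tempfile
from pathlib import Path

# Assumed directory names commonly used for vendored third-party sources.
VENDORED_DIR_NAMES = {
    "third_party", "thirdparty", "third-party", "vendor",
    "external", "node_modules", "deps",
}

# Assumed top-level manifests that mark a non-C/C++ package ecosystem.
NON_CPP_MANIFESTS = {
    "package.json": "npm",
    "pyproject.toml": "PyPI",
    "setup.py": "PyPI",
    "Cargo.toml": "crates.io",
    "go.mod": "Go",
    "Gemfile": "RubyGems",
    "pom.xml": "Maven",
}

# File suffixes the indexer would actually hash.
CPP_SUFFIXES = {".c", ".cc", ".cpp", ".cxx", ".h", ".hh", ".hpp"}


def is_vendored_dir(name):
    """True if a directory name looks like a vendored/third-party tree."""
    return name.lower() in VENDORED_DIR_NAMES


def detect_foreign_manifests(repo_root):
    """Return {manifest: ecosystem} for non-C/C++ manifests at the repo root."""
    root = Path(repo_root)
    return {m: eco for m, eco in NON_CPP_MANIFESTS.items() if (root / m).is_file()}


def should_index_repo(repo_root):
    """Index only repositories that carry no foreign ecosystem manifest."""
    return not detect_foreign_manifests(repo_root)


def collect_index_candidates(repo_root):
    """Walk the repo, prune vendored and hidden dirs in place, and return the
    sorted POSIX-style relative paths of C/C++ files left to index."""
    root = Path(repo_root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Editing dirnames in place stops os.walk from descending into them.
        dirnames[:] = sorted(
            d for d in dirnames if not is_vendored_dir(d) and not d.startswith(".")
        )
        for f in filenames:
            if Path(f).suffix in CPP_SUFFIXES:
                found.append(Path(dirpath, f).relative_to(root).as_posix())
    return sorted(found)


def build_constructed_repo():
    """Constructed fixture (not a real checkout): a Node binding that vendors
    a copy of libpng, which is the shape of repo the thread is about."""
    tmp = tempfile.mkdtemp(prefix="png-img-like-")
    layout = {
        "package.json": '{"name": "png-img-like"}',
        "src/PngImg.cc": "// binding source\n",
        "src/PngImg.h": "",
        "third_party/libpng/png.c": "/* vendored copy of libpng */\n",
        "third_party/libpng/png.h": "",
        "node_modules/nan/nan.h": "",
    }
    for rel, content in layout.items():
        p = Path(tmp, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return tmp


if __name__ == "__main__":
    repo = build_constructed_repo()
    print("foreign manifests:", detect_foreign_manifests(repo))
    print("index this repo?", should_index_repo(repo))
    print("files that would be hashed:", collect_index_candidates(repo))
```

With the fixture above, the manifest check alone is enough to skip the repository, and even if it were indexed the vendored `third_party/libpng` tree never reaches the hasher, so the binding's own sources cannot be mistaken for libpng.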

@oliverchang
Collaborator Author

Hmm... there's probably a more general approach here where we ignore these "third_party" and similar folders from the initial indexing, could reduce a lot of false positives.

+1 that's a great idea! In the meantime though, does it seem reasonable to just remove the config for this repo and delete all relevant index entities?

@another-rex
Contributor

Yep can do

@another-rex
Contributor

png-img has now been removed from the indexer config and datastore hashes.

@oliverchang oliverchang changed the title Denylist https://github.com/gemini-testing/png-img for indexer Indexer: don't index third party dependencies. Nov 2, 2023
oliverchang added a commit that referenced this issue Nov 2, 2023
This can cause bad matches against libraries that depend on the correct
library we're trying to identify (#1766).
another-rex added a commit that referenced this issue Nov 3, 2023
This can cause bad matches against libraries that depend on the correct
library we're trying to identify (#1766).

---------

Co-authored-by: Rex P <rexpan@google.com>
another-rex added a commit that referenced this issue Nov 3, 2023
Followup to #1780, Fixes #1766.

Just after I merged in the previous PR I realized I missed
DocumentVersion datastore name.