
Commit a20e520

authored
fix: apply go version override to _all_ instances of the stdlib (google#1278)
Currently we assume that there'll only ever be one occurrence of `stdlib` when overriding the Go version, but really there can be an occurrence _per `go.mod`_ file. Resolves google#1273
1 parent 3591365 commit a20e520

6 files changed

+57
-1
lines changed


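--- a/cmd/osv-scanner/__snapshots__/main_test.snap
+++ b/cmd/osv-scanner/__snapshots__/main_test.snap
@@ -186,6 +186,47 @@ Scanned <rootdir>/fixtures/go-project/go.mod file and found 1 package
 
 ---
 
+[TestRun/Go_project_with_an_overridden_go_version,_recursive - 1]
+Scanning dir ./fixtures/go-project
+Scanned <rootdir>/fixtures/go-project/go.mod file and found 1 package
+Scanned <rootdir>/fixtures/go-project/nested/go.mod file and found 1 package
++------------------------------+------+-----------+---------+---------+-----------------------------------+
+| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
++------------------------------+------+-----------+---------+---------+-----------------------------------+
+| Uncalled vulnerabilities | | | | | |
++------------------------------+------+-----------+---------+---------+-----------------------------------+
+| https://osv.dev/GO-2024-2598 | | Go | stdlib | 1.21.7 | fixtures/go-project/go.mod |
+| https://osv.dev/GO-2024-2599 | | Go | stdlib | 1.21.7 | fixtures/go-project/go.mod |
+| https://osv.dev/GO-2024-2600 | | Go | stdlib | 1.21.7 | fixtures/go-project/go.mod |
+| https://osv.dev/GO-2024-2609 | | Go | stdlib | 1.21.7 | fixtures/go-project/go.mod |
+| https://osv.dev/GO-2024-2610 | | Go | stdlib | 1.21.7 | fixtures/go-project/go.mod |
+| https://osv.dev/GO-2024-2687 | | Go | stdlib | 1.21.7 | fixtures/go-project/go.mod |
+| https://osv.dev/GO-2024-2887 | | Go | stdlib | 1.21.7 | fixtures/go-project/go.mod |
+| https://osv.dev/GO-2024-2888 | | Go | stdlib | 1.21.7 | fixtures/go-project/go.mod |
+| https://osv.dev/GO-2024-2963 | | Go | stdlib | 1.21.7 | fixtures/go-project/go.mod |
+| https://osv.dev/GO-2024-3105 | | Go | stdlib | 1.21.7 | fixtures/go-project/go.mod |
+| https://osv.dev/GO-2024-3106 | | Go | stdlib | 1.21.7 | fixtures/go-project/go.mod |
+| https://osv.dev/GO-2024-3107 | | Go | stdlib | 1.21.7 | fixtures/go-project/go.mod |
+| https://osv.dev/GO-2024-2598 | | Go | stdlib | 1.21.7 | fixtures/go-project/nested/go.mod |
+| https://osv.dev/GO-2024-2599 | | Go | stdlib | 1.21.7 | fixtures/go-project/nested/go.mod |
+| https://osv.dev/GO-2024-2600 | | Go | stdlib | 1.21.7 | fixtures/go-project/nested/go.mod |
+| https://osv.dev/GO-2024-2609 | | Go | stdlib | 1.21.7 | fixtures/go-project/nested/go.mod |
+| https://osv.dev/GO-2024-2610 | | Go | stdlib | 1.21.7 | fixtures/go-project/nested/go.mod |
+| https://osv.dev/GO-2024-2687 | | Go | stdlib | 1.21.7 | fixtures/go-project/nested/go.mod |
+| https://osv.dev/GO-2024-2887 | | Go | stdlib | 1.21.7 | fixtures/go-project/nested/go.mod |
+| https://osv.dev/GO-2024-2888 | | Go | stdlib | 1.21.7 | fixtures/go-project/nested/go.mod |
+| https://osv.dev/GO-2024-2963 | | Go | stdlib | 1.21.7 | fixtures/go-project/nested/go.mod |
+| https://osv.dev/GO-2024-3105 | | Go | stdlib | 1.21.7 | fixtures/go-project/nested/go.mod |
+| https://osv.dev/GO-2024-3106 | | Go | stdlib | 1.21.7 | fixtures/go-project/nested/go.mod |
+| https://osv.dev/GO-2024-3107 | | Go | stdlib | 1.21.7 | fixtures/go-project/nested/go.mod |
++------------------------------+------+-----------+---------+---------+-----------------------------------+
+
+---
+
+[TestRun/Go_project_with_an_overridden_go_version,_recursive - 2]
+
+---
+
 [TestRun/PURL_SBOM_case_sensitivity_(api) - 1]
 Scanning dir ./fixtures/sbom-insecure/alpine.cdx.xml
 Scanned <rootdir>/fixtures/sbom-insecure/alpine.cdx.xml as CycloneDX SBOM and found 14 packages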
@@ -0,0 +1 @@
1+
GoVersionOverride = "1.21.7"
@@ -0,0 +1,3 @@
1+
module github.com/ossf-tests/osv-e2e
2+
3+
go 1.19
@@ -0,0 +1,5 @@
1+
[[PackageOverrides]]
2+
name = "stdlib"
3+
ecosystem = "Go"
4+
ignore = true
5+
reason = "This is an intentionally vulnerable test project"

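--- a/cmd/osv-scanner/main_test.go
+++ b/cmd/osv-scanner/main_test.go
@@ -318,6 +318,12 @@ func TestRun(t *testing.T) {
 args: []string{"", "--config=./fixtures/go-project/go-version-config.toml", "./fixtures/go-project"},
 exit: 0,
 },
+// Go project with an overridden go version, recursive
+{
+name: "Go project with an overridden go version, recursive",
+args: []string{"", "--config=./fixtures/go-project/go-version-config.toml", "-r", "./fixtures/go-project"},
+exit: 0,
+},
 // broad config file that overrides a whole ecosystem
 {
 name: "config file can be broad",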
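--- a/pkg/osvscanner/osvscanner.go
+++ b/pkg/osvscanner/osvscanner.go
@@ -1115,7 +1115,7 @@ func overrideGoVersion(r reporter.Reporter, packages []scannedPackage, configMan
 packages[i].Version = configToUse.GoVersionOverride
 }
 
-break
+continue
 }
 }
 }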
