Skip to content

Commit

Permalink
fix: offline scanning having different results than online (#1566)
Browse files Browse the repository at this point in the history 
This fixes offline scanning having different results compared to using
the API. Seems to have two causes:

- vulnerabilities.Include function tests whether a vulnerability is
included in aliases as well, and offline scanning skips those vulns if
it is included in aliases. However, this is not the behavior of online
scanning, where we return all records that match and do not skip alised
vulns.
- osv.dev query code has a special section to edit stdlib versions
without a patch version to always assume it's at the max patch version.
This code is not replicated in offline matcher code.
- I initially placed it in the query code because I didn't want to show
the patched version in the output. But I think it's probably a good
thing that we show how we are interpreting a version rather than
silently patching it, so moved it out to our PackageInfo struct.
  • Loading branch information
@another-rex
another-rex authored Feb 5, 2025
1 parent 053e848 commit e146bf5
Show file tree
Hide file tree
Showing 6 changed files with 98 additions and 98 deletions.
90 changes: 53 additions & 37 deletions cmd/osv-scanner/__snapshots__/main_test.snap
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1085,15 +1085,15 @@ Scanned <rootdir>/fixtures/call-analysis-go-project/go.mod file and found 4 pack
+-------------------------------------+------+-----------+-----------------------------+---------+------------------------------------------+
| https://osv.dev/GO-2023-1558 | 5.9 | Go | github.com/ipfs/go-bitfield | 1.0.0 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GHSA-2h6c-j3gf-xp9r | | | | | |
| https://osv.dev/GO-2023-2375 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2023-2102 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2023-2185 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2023-2382 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2598 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2599 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2687 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2887 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2025-3373 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2023-2375 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2023-2102 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2023-2185 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2023-2382 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2598 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2599 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2687 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2887 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2025-3373 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
+-------------------------------------+------+-----------+-----------------------------+---------+------------------------------------------+
| Uncalled vulnerabilities | | | | | |
+-------------------------------------+------+-----------+-----------------------------+---------+------------------------------------------+
Expand All @@ -1107,18 +1107,18 @@ Scanned <rootdir>/fixtures/call-analysis-go-project/go.mod file and found 4 pack
| https://osv.dev/GHSA-x92r-3vfx-4cv3 | | | | | |
| https://osv.dev/GO-2024-2937 | 8.7 | Go | golang.org/x/image | 0.4.0 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GHSA-9phm-fm57-rhg8 | | | | | |
| https://osv.dev/GO-2023-2041 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2023-2043 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2023-2186 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2600 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2609 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2610 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2888 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2963 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-3105 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-3106 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-3107 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2025-3420 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2023-2041 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2023-2043 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2023-2186 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2600 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2609 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2610 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2888 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2963 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-3105 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-3106 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-3107 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2025-3420 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod |
+-------------------------------------+------+-----------+-----------------------------+---------+------------------------------------------+

---
Expand Down Expand Up @@ -2082,14 +2082,22 @@ Loaded OSS-Fuzz local db from <tempdir>/osv-scanner/OSS-Fuzz/all.zip
| https://osv.dev/CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2022-1304 | 7.8 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3910-1 | | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-f3fp-gc8g-vw66 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-g2j6-57v7-gm8c | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-jfvp-7x6p-h2pv | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-m8cg-xc2p-r3fc | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-v95c-p5hm-xq8f | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-vpvm-3wq2-2wvm | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-xr7r-f8xq-vfvv | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-p782-xgp4-8hr8 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GO-2022-0452 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-f3fp-gc8g-vw66 | | | | | |
| https://osv.dev/GO-2023-1683 | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-g2j6-57v7-gm8c | | | | | |
| https://osv.dev/GO-2024-3110 | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-jfvp-7x6p-h2pv | | | | | |
| https://osv.dev/GO-2023-1682 | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-m8cg-xc2p-r3fc | | | | | |
| https://osv.dev/GO-2022-0274 | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-v95c-p5hm-xq8f | | | | | |
| https://osv.dev/GO-2023-1627 | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-vpvm-3wq2-2wvm | | | | | |
| https://osv.dev/GO-2024-2491 | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-xr7r-f8xq-vfvv | | | | | |
| https://osv.dev/GO-2022-0493 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-p782-xgp4-8hr8 | | | | | |
| https://osv.dev/DSA-5122-1 | 8.8 | Debian | gzip | 1.6-5+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2017-0379 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2017-7526 | 6.8 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
Expand Down Expand Up @@ -2283,14 +2291,22 @@ Loaded OSS-Fuzz local db from <tempdir>/osv-scanner/OSS-Fuzz/all.zip
| https://osv.dev/CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2022-1304 | 7.8 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3910-1 | | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-f3fp-gc8g-vw66 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-g2j6-57v7-gm8c | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-jfvp-7x6p-h2pv | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-m8cg-xc2p-r3fc | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-v95c-p5hm-xq8f | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-vpvm-3wq2-2wvm | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-xr7r-f8xq-vfvv | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-p782-xgp4-8hr8 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GO-2022-0452 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-f3fp-gc8g-vw66 | | | | | |
| https://osv.dev/GO-2023-1683 | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-g2j6-57v7-gm8c | | | | | |
| https://osv.dev/GO-2024-3110 | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-jfvp-7x6p-h2pv | | | | | |
| https://osv.dev/GO-2023-1682 | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-m8cg-xc2p-r3fc | | | | | |
| https://osv.dev/GO-2022-0274 | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-v95c-p5hm-xq8f | | | | | |
| https://osv.dev/GO-2023-1627 | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-vpvm-3wq2-2wvm | | | | | |
| https://osv.dev/GO-2024-2491 | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-xr7r-f8xq-vfvv | | | | | |
| https://osv.dev/GO-2022-0493 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-p782-xgp4-8hr8 | | | | | |
| https://osv.dev/DSA-5122-1 | 8.8 | Debian | gzip | 1.6-5+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2017-0379 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2017-7526 | 6.8 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
Expand Down
31 changes: 0 additions & 31 deletions internal/clients/clientimpl/osvmatcher/osvmatcher.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,17 +3,13 @@ package osvmatcher
import (
"context"
"errors"
"fmt"
"time"

"github.com/google/osv-scalibr/extractor"
"github.com/google/osv-scalibr/log"
"github.com/google/osv-scanner/v2/internal/imodels"
"github.com/google/osv-scanner/v2/internal/imodels/ecosystem"
"github.com/google/osv-scanner/v2/internal/osvdev"
"github.com/google/osv-scanner/v2/internal/semantic"
"github.com/google/osv-scanner/v2/pkg/models"
"github.com/ossf/osv-schema/bindings/go/osvschema"
"golang.org/x/sync/errgroup"
)

Expand Down Expand Up @@ -186,34 +182,7 @@ func invsToQueries(invs []*extractor.Inventory) []*osvdev.Query {
for i, inv := range invs {
pkg := imodels.FromInventory(inv)
queries[i] = pkgToQuery(pkg)
patchQueryForRequest(queries[i])
}

return queries
}

// patchQueryForRequest modifies packages before they are sent to osv.dev to
// account for edge cases.
func patchQueryForRequest(queryToPatch *osvdev.Query) {
// Assume Go stdlib patch version as the latest version
//
// This is done because go1.20 and earlier do not support patch
// version in go.mod file, and will fail to build.
//
// However, if we assume patch version as .0, this will cause a lot of
// false positives. This compromise still allows osv-scanner to pick up
// when the user is using a minor version that is out-of-support.
//
// MustParse works here because this query is converted from a valid ecosystem in the first place
if queryToPatch.Package.Name == "stdlib" && ecosystem.MustParse(queryToPatch.Package.Ecosystem).Ecosystem == osvschema.EcosystemGo {
v := semantic.ParseSemverLikeVersion(queryToPatch.Version, 3)
if len(v.Components) == 2 {
queryToPatch.Version = fmt.Sprintf(
"%d.%d.%d",
v.Components.Fetch(0),
v.Components.Fetch(1),
9999,
)
}
}
}
Loading

0 comments on commit e146bf5

Please sign in to comment.