diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap index b555187d13c..3b0f67dd411 100755 --- a/cmd/osv-scanner/__snapshots__/main_test.snap +++ b/cmd/osv-scanner/__snapshots__/main_test.snap @@ -1085,15 +1085,15 @@ Scanned /fixtures/call-analysis-go-project/go.mod file and found 4 pack +-------------------------------------+------+-----------+-----------------------------+---------+------------------------------------------+ | https://osv.dev/GO-2023-1558 | 5.9 | Go | github.com/ipfs/go-bitfield | 1.0.0 | fixtures/call-analysis-go-project/go.mod | | https://osv.dev/GHSA-2h6c-j3gf-xp9r | | | | | | -| https://osv.dev/GO-2023-2375 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2023-2102 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2023-2185 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2023-2382 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-2598 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-2599 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-2687 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-2887 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2025-3373 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2023-2375 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2023-2102 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2023-2185 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2023-2382 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2024-2598 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2024-2599 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2024-2687 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2024-2887 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2025-3373 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +-------------------------------------+------+-----------+-----------------------------+---------+------------------------------------------+ | Uncalled vulnerabilities | | | | | | +-------------------------------------+------+-----------+-----------------------------+---------+------------------------------------------+ @@ -1107,18 +1107,18 @@ Scanned /fixtures/call-analysis-go-project/go.mod file and found 4 pack | https://osv.dev/GHSA-x92r-3vfx-4cv3 | | | | | | | https://osv.dev/GO-2024-2937 | 8.7 | Go | golang.org/x/image | 0.4.0 | fixtures/call-analysis-go-project/go.mod | | https://osv.dev/GHSA-9phm-fm57-rhg8 | | | | | | -| https://osv.dev/GO-2023-2041 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2023-2043 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2023-2186 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-2600 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-2609 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-2610 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-2888 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-2963 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-3105 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-3106 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-3107 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2025-3420 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2023-2041 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2023-2043 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2023-2186 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2024-2600 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2024-2609 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2024-2610 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2024-2888 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2024-2963 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2024-3105 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2024-3106 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2024-3107 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2025-3420 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +-------------------------------------+------+-----------+-----------------------------+---------+------------------------------------------+ --- @@ -2082,14 +2082,22 @@ Loaded OSS-Fuzz local db from /osv-scanner/OSS-Fuzz/all.zip | https://osv.dev/CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2022-1304 | 7.8 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3910-1 | | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-f3fp-gc8g-vw66 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-g2j6-57v7-gm8c | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-jfvp-7x6p-h2pv | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-m8cg-xc2p-r3fc | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-v95c-p5hm-xq8f | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-vpvm-3wq2-2wvm | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-xr7r-f8xq-vfvv | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-p782-xgp4-8hr8 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GO-2022-0452 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-f3fp-gc8g-vw66 | | | | | | +| https://osv.dev/GO-2023-1683 | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-g2j6-57v7-gm8c | | | | | | +| https://osv.dev/GO-2024-3110 | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-jfvp-7x6p-h2pv | | | | | | +| https://osv.dev/GO-2023-1682 | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-m8cg-xc2p-r3fc | | | | | | +| https://osv.dev/GO-2022-0274 | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-v95c-p5hm-xq8f | | | | | | +| https://osv.dev/GO-2023-1627 | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-vpvm-3wq2-2wvm | | | | | | +| https://osv.dev/GO-2024-2491 | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-xr7r-f8xq-vfvv | | | | | | +| https://osv.dev/GO-2022-0493 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-p782-xgp4-8hr8 | | | | | | | https://osv.dev/DSA-5122-1 | 8.8 | Debian | gzip | 1.6-5+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2017-0379 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2017-7526 | 6.8 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | @@ -2283,14 +2291,22 @@ Loaded OSS-Fuzz local db from /osv-scanner/OSS-Fuzz/all.zip | https://osv.dev/CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2022-1304 | 7.8 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3910-1 | | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-f3fp-gc8g-vw66 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-g2j6-57v7-gm8c | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-jfvp-7x6p-h2pv | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-m8cg-xc2p-r3fc | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-v95c-p5hm-xq8f | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-vpvm-3wq2-2wvm | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-xr7r-f8xq-vfvv | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-p782-xgp4-8hr8 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GO-2022-0452 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-f3fp-gc8g-vw66 | | | | | | +| https://osv.dev/GO-2023-1683 | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-g2j6-57v7-gm8c | | | | | | +| https://osv.dev/GO-2024-3110 | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-jfvp-7x6p-h2pv | | | | | | +| https://osv.dev/GO-2023-1682 | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-m8cg-xc2p-r3fc | | | | | | +| https://osv.dev/GO-2022-0274 | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-v95c-p5hm-xq8f | | | | | | +| https://osv.dev/GO-2023-1627 | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-vpvm-3wq2-2wvm | | | | | | +| https://osv.dev/GO-2024-2491 | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-xr7r-f8xq-vfvv | | | | | | +| https://osv.dev/GO-2022-0493 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-p782-xgp4-8hr8 | | | | | | | https://osv.dev/DSA-5122-1 | 8.8 | Debian | gzip | 1.6-5+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2017-0379 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2017-7526 | 6.8 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | diff --git a/internal/clients/clientimpl/osvmatcher/osvmatcher.go b/internal/clients/clientimpl/osvmatcher/osvmatcher.go index d7e2372d016..ca3421421ae 100644 --- a/internal/clients/clientimpl/osvmatcher/osvmatcher.go +++ b/internal/clients/clientimpl/osvmatcher/osvmatcher.go @@ -3,17 +3,13 @@ package osvmatcher import ( "context" "errors" - "fmt" "time" "github.com/google/osv-scalibr/extractor" "github.com/google/osv-scalibr/log" "github.com/google/osv-scanner/v2/internal/imodels" - "github.com/google/osv-scanner/v2/internal/imodels/ecosystem" "github.com/google/osv-scanner/v2/internal/osvdev" - "github.com/google/osv-scanner/v2/internal/semantic" "github.com/google/osv-scanner/v2/pkg/models" - "github.com/ossf/osv-schema/bindings/go/osvschema" "golang.org/x/sync/errgroup" ) @@ -186,34 +182,7 @@ func invsToQueries(invs []*extractor.Inventory) []*osvdev.Query { for i, inv := range invs { pkg := imodels.FromInventory(inv) queries[i] = pkgToQuery(pkg) - patchQueryForRequest(queries[i]) } return queries } - -// patchQueryForRequest modifies packages before they are sent to osv.dev to -// account for edge cases. -func patchQueryForRequest(queryToPatch *osvdev.Query) { - // Assume Go stdlib patch version as the latest version - // - // This is done because go1.20 and earlier do not support patch - // version in go.mod file, and will fail to build. - // - // However, if we assume patch version as .0, this will cause a lot of - // false positives. This compromise still allows osv-scanner to pick up - // when the user is using a minor version that is out-of-support. - // - // MustParse works here because this query is converted from a valid ecosystem in the first place - if queryToPatch.Package.Name == "stdlib" && ecosystem.MustParse(queryToPatch.Package.Ecosystem).Ecosystem == osvschema.EcosystemGo { - v := semantic.ParseSemverLikeVersion(queryToPatch.Version, 3) - if len(v.Components) == 2 { - queryToPatch.Version = fmt.Sprintf( - "%d.%d.%d", - v.Components.Fetch(0), - v.Components.Fetch(1), - 9999, - ) - } - } -} diff --git a/internal/imodels/imodels.go b/internal/imodels/imodels.go index 5d93dcacbe5..35f1064f719 100644 --- a/internal/imodels/imodels.go +++ b/internal/imodels/imodels.go @@ -1,6 +1,7 @@ package imodels import ( + "fmt" "log" "strings" @@ -17,6 +18,7 @@ import ( "github.com/google/osv-scanner/v2/internal/imodels/ecosystem" "github.com/google/osv-scanner/v2/internal/scalibrextract/language/javascript/nodemodules" "github.com/google/osv-scanner/v2/internal/scalibrextract/vcs/gitrepo" + "github.com/google/osv-scanner/v2/internal/semantic" "github.com/google/osv-scanner/v2/pkg/models" "github.com/ossf/osv-schema/bindings/go/osvschema" @@ -125,6 +127,26 @@ func (pkg *PackageInfo) Version() string { return pkg.purlCache.Version } + // Assume Go stdlib patch version as the latest version + // + // This is done because go1.20 and earlier do not support patch + // version in go.mod file, and will fail to build. + // + // However, if we assume patch version as .0, this will cause a lot of + // false positives. This compromise still allows osv-scanner to pick up + // when the user is using a minor version that is out-of-support. + if pkg.Ecosystem().Ecosystem == osvschema.EcosystemGo && pkg.Name() == "stdlib" { + v := semantic.ParseSemverLikeVersion(pkg.Inventory.Version, 3) + if len(v.Components) == 2 { + return fmt.Sprintf( + "%d.%d.%d", + v.Components.Fetch(0), + v.Components.Fetch(1), + 99, + ) + } + } + return pkg.Inventory.Version } diff --git a/internal/utility/vulns/vulnerabilities.go b/internal/utility/vulns/vulnerabilities.go index b3ecbbe4ea2..9130967acaf 100644 --- a/internal/utility/vulns/vulnerabilities.go +++ b/internal/utility/vulns/vulnerabilities.go @@ -7,13 +7,6 @@ func Include(vs []*models.Vulnerability, vulnerability models.Vulnerability) boo if vuln.ID == vulnerability.ID { return true } - - if isAliasOf(*vuln, vulnerability) { - return true - } - if isAliasOf(vulnerability, *vuln) { - return true - } } return false diff --git a/internal/utility/vulns/vulnerabilities_test.go b/internal/utility/vulns/vulnerabilities_test.go index 5397eb751d5..d8831a0dc22 100644 --- a/internal/utility/vulns/vulnerabilities_test.go +++ b/internal/utility/vulns/vulnerabilities_test.go @@ -65,7 +65,7 @@ func TestVulnerabilities_Includes(t *testing.T) { Aliases: []string{}, }, }, - want: true, + want: false, }, { name: "", @@ -81,7 +81,7 @@ func TestVulnerabilities_Includes(t *testing.T) { Aliases: []string{"GHSA-1"}, }, }, - want: true, + want: false, }, { name: "", @@ -97,7 +97,7 @@ func TestVulnerabilities_Includes(t *testing.T) { Aliases: []string{"CVE-1"}, }, }, - want: true, + want: false, }, { name: "", @@ -113,7 +113,7 @@ func TestVulnerabilities_Includes(t *testing.T) { Aliases: []string{"CVE-2"}, }, }, - want: true, + want: false, }, } for _, tt := range tests { diff --git a/internal/utility/vulns/vulnerability.go b/internal/utility/vulns/vulnerability.go index 48516e01a6e..e31ee1e9167 100644 --- a/internal/utility/vulns/vulnerability.go +++ b/internal/utility/vulns/vulnerability.go @@ -98,25 +98,25 @@ func rangeAffectsVersion(a []models.Range, pkg lockfile.PackageDetails) bool { return false } -func isAliasOfID(v models.Vulnerability, id string) bool { - for _, alias := range v.Aliases { - if alias == id { - return true - } - } - - return false -} - -func isAliasOf(v models.Vulnerability, vulnerability models.Vulnerability) bool { - for _, alias := range vulnerability.Aliases { - if v.ID == alias || isAliasOfID(v, alias) { - return true - } - } - - return false -} +// func isAliasOfID(v models.Vulnerability, id string) bool { +// for _, alias := range v.Aliases { +// if alias == id { +// return true +// } +// } + +// return false +// } + +// func isAliasOf(v models.Vulnerability, vulnerability models.Vulnerability) bool { +// for _, alias := range vulnerability.Aliases { +// if v.ID == alias || isAliasOfID(v, alias) { +// return true +// } +// } + +// return false +// } func AffectsEcosystem(v models.Vulnerability, ecosystem lockfile.Ecosystem) bool { for _, affected := range v.Affected {