From e146bf596a5a2e9e2c5e21f44e868652c0605adb Mon Sep 17 00:00:00 2001 From: Rex P <106129829+another-rex@users.noreply.github.com> Date: Wed, 5 Feb 2025 14:10:47 +1100 Subject: [PATCH] fix: offline scanning having different results than online (#1566) This fixes offline scanning having different results compared to using the API. Seems to have two causes: - vulnerabilities.Include function tests whether a vulnerability is included in aliases as well, and offline scanning skips those vulns if it is included in aliases. However, this is not the behavior of online scanning, where we return all records that match and do not skip alised vulns. - osv.dev query code has a special section to edit stdlib versions without a patch version to always assume it's at the max patch version. This code is not replicated in offline matcher code. - I initially placed it in the query code because I didn't want to show the patched version in the output. But I think it's probably a good thing that we show how we are interpreting a version rather than silently patching it, so moved it out to our PackageInfo struct. --- cmd/osv-scanner/__snapshots__/main_test.snap | 90 +++++++++++-------- .../clientimpl/osvmatcher/osvmatcher.go | 31 ------- internal/imodels/imodels.go | 22 +++++ internal/utility/vulns/vulnerabilities.go | 7 -- .../utility/vulns/vulnerabilities_test.go | 8 +- internal/utility/vulns/vulnerability.go | 38 ++++---- 6 files changed, 98 insertions(+), 98 deletions(-) diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap index b555187d13c..3b0f67dd411 100755 --- a/cmd/osv-scanner/__snapshots__/main_test.snap +++ b/cmd/osv-scanner/__snapshots__/main_test.snap @@ -1085,15 +1085,15 @@ Scanned /fixtures/call-analysis-go-project/go.mod file and found 4 pack +-------------------------------------+------+-----------+-----------------------------+---------+------------------------------------------+ | https://osv.dev/GO-2023-1558 | 5.9 | Go | github.com/ipfs/go-bitfield | 1.0.0 | fixtures/call-analysis-go-project/go.mod | | https://osv.dev/GHSA-2h6c-j3gf-xp9r | | | | | | -| https://osv.dev/GO-2023-2375 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2023-2102 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2023-2185 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2023-2382 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-2598 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-2599 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-2687 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-2887 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2025-3373 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2023-2375 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2023-2102 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2023-2185 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2023-2382 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2024-2598 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2024-2599 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2024-2687 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2024-2887 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2025-3373 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +-------------------------------------+------+-----------+-----------------------------+---------+------------------------------------------+ | Uncalled vulnerabilities | | | | | | +-------------------------------------+------+-----------+-----------------------------+---------+------------------------------------------+ @@ -1107,18 +1107,18 @@ Scanned /fixtures/call-analysis-go-project/go.mod file and found 4 pack | https://osv.dev/GHSA-x92r-3vfx-4cv3 | | | | | | | https://osv.dev/GO-2024-2937 | 8.7 | Go | golang.org/x/image | 0.4.0 | fixtures/call-analysis-go-project/go.mod | | https://osv.dev/GHSA-9phm-fm57-rhg8 | | | | | | -| https://osv.dev/GO-2023-2041 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2023-2043 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2023-2186 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-2600 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-2609 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-2610 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-2888 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-2963 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-3105 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-3106 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-3107 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2025-3420 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2023-2041 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2023-2043 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2023-2186 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2024-2600 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2024-2609 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2024-2610 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2024-2888 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2024-2963 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2024-3105 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2024-3106 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2024-3107 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GO-2025-3420 | | Go | stdlib | 1.19.99 | fixtures/call-analysis-go-project/go.mod | +-------------------------------------+------+-----------+-----------------------------+---------+------------------------------------------+ --- @@ -2082,14 +2082,22 @@ Loaded OSS-Fuzz local db from /osv-scanner/OSS-Fuzz/all.zip | https://osv.dev/CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2022-1304 | 7.8 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3910-1 | | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-f3fp-gc8g-vw66 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-g2j6-57v7-gm8c | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-jfvp-7x6p-h2pv | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-m8cg-xc2p-r3fc | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-v95c-p5hm-xq8f | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-vpvm-3wq2-2wvm | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-xr7r-f8xq-vfvv | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-p782-xgp4-8hr8 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GO-2022-0452 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-f3fp-gc8g-vw66 | | | | | | +| https://osv.dev/GO-2023-1683 | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-g2j6-57v7-gm8c | | | | | | +| https://osv.dev/GO-2024-3110 | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-jfvp-7x6p-h2pv | | | | | | +| https://osv.dev/GO-2023-1682 | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-m8cg-xc2p-r3fc | | | | | | +| https://osv.dev/GO-2022-0274 | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-v95c-p5hm-xq8f | | | | | | +| https://osv.dev/GO-2023-1627 | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-vpvm-3wq2-2wvm | | | | | | +| https://osv.dev/GO-2024-2491 | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-xr7r-f8xq-vfvv | | | | | | +| https://osv.dev/GO-2022-0493 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-p782-xgp4-8hr8 | | | | | | | https://osv.dev/DSA-5122-1 | 8.8 | Debian | gzip | 1.6-5+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2017-0379 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2017-7526 | 6.8 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | @@ -2283,14 +2291,22 @@ Loaded OSS-Fuzz local db from /osv-scanner/OSS-Fuzz/all.zip | https://osv.dev/CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2022-1304 | 7.8 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3910-1 | | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-f3fp-gc8g-vw66 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-g2j6-57v7-gm8c | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-jfvp-7x6p-h2pv | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-m8cg-xc2p-r3fc | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-v95c-p5hm-xq8f | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-vpvm-3wq2-2wvm | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-xr7r-f8xq-vfvv | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-p782-xgp4-8hr8 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GO-2022-0452 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-f3fp-gc8g-vw66 | | | | | | +| https://osv.dev/GO-2023-1683 | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-g2j6-57v7-gm8c | | | | | | +| https://osv.dev/GO-2024-3110 | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-jfvp-7x6p-h2pv | | | | | | +| https://osv.dev/GO-2023-1682 | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-m8cg-xc2p-r3fc | | | | | | +| https://osv.dev/GO-2022-0274 | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-v95c-p5hm-xq8f | | | | | | +| https://osv.dev/GO-2023-1627 | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-vpvm-3wq2-2wvm | | | | | | +| https://osv.dev/GO-2024-2491 | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-xr7r-f8xq-vfvv | | | | | | +| https://osv.dev/GO-2022-0493 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-p782-xgp4-8hr8 | | | | | | | https://osv.dev/DSA-5122-1 | 8.8 | Debian | gzip | 1.6-5+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2017-0379 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2017-7526 | 6.8 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | diff --git a/internal/clients/clientimpl/osvmatcher/osvmatcher.go b/internal/clients/clientimpl/osvmatcher/osvmatcher.go index d7e2372d016..ca3421421ae 100644 --- a/internal/clients/clientimpl/osvmatcher/osvmatcher.go +++ b/internal/clients/clientimpl/osvmatcher/osvmatcher.go @@ -3,17 +3,13 @@ package osvmatcher import ( "context" "errors" - "fmt" "time" "github.com/google/osv-scalibr/extractor" "github.com/google/osv-scalibr/log" "github.com/google/osv-scanner/v2/internal/imodels" - "github.com/google/osv-scanner/v2/internal/imodels/ecosystem" "github.com/google/osv-scanner/v2/internal/osvdev" - "github.com/google/osv-scanner/v2/internal/semantic" "github.com/google/osv-scanner/v2/pkg/models" - "github.com/ossf/osv-schema/bindings/go/osvschema" "golang.org/x/sync/errgroup" ) @@ -186,34 +182,7 @@ func invsToQueries(invs []*extractor.Inventory) []*osvdev.Query { for i, inv := range invs { pkg := imodels.FromInventory(inv) queries[i] = pkgToQuery(pkg) - patchQueryForRequest(queries[i]) } return queries } - -// patchQueryForRequest modifies packages before they are sent to osv.dev to -// account for edge cases. -func patchQueryForRequest(queryToPatch *osvdev.Query) { - // Assume Go stdlib patch version as the latest version - // - // This is done because go1.20 and earlier do not support patch - // version in go.mod file, and will fail to build. - // - // However, if we assume patch version as .0, this will cause a lot of - // false positives. This compromise still allows osv-scanner to pick up - // when the user is using a minor version that is out-of-support. - // - // MustParse works here because this query is converted from a valid ecosystem in the first place - if queryToPatch.Package.Name == "stdlib" && ecosystem.MustParse(queryToPatch.Package.Ecosystem).Ecosystem == osvschema.EcosystemGo { - v := semantic.ParseSemverLikeVersion(queryToPatch.Version, 3) - if len(v.Components) == 2 { - queryToPatch.Version = fmt.Sprintf( - "%d.%d.%d", - v.Components.Fetch(0), - v.Components.Fetch(1), - 9999, - ) - } - } -} diff --git a/internal/imodels/imodels.go b/internal/imodels/imodels.go index 5d93dcacbe5..35f1064f719 100644 --- a/internal/imodels/imodels.go +++ b/internal/imodels/imodels.go @@ -1,6 +1,7 @@ package imodels import ( + "fmt" "log" "strings" @@ -17,6 +18,7 @@ import ( "github.com/google/osv-scanner/v2/internal/imodels/ecosystem" "github.com/google/osv-scanner/v2/internal/scalibrextract/language/javascript/nodemodules" "github.com/google/osv-scanner/v2/internal/scalibrextract/vcs/gitrepo" + "github.com/google/osv-scanner/v2/internal/semantic" "github.com/google/osv-scanner/v2/pkg/models" "github.com/ossf/osv-schema/bindings/go/osvschema" @@ -125,6 +127,26 @@ func (pkg *PackageInfo) Version() string { return pkg.purlCache.Version } + // Assume Go stdlib patch version as the latest version + // + // This is done because go1.20 and earlier do not support patch + // version in go.mod file, and will fail to build. + // + // However, if we assume patch version as .0, this will cause a lot of + // false positives. This compromise still allows osv-scanner to pick up + // when the user is using a minor version that is out-of-support. + if pkg.Ecosystem().Ecosystem == osvschema.EcosystemGo && pkg.Name() == "stdlib" { + v := semantic.ParseSemverLikeVersion(pkg.Inventory.Version, 3) + if len(v.Components) == 2 { + return fmt.Sprintf( + "%d.%d.%d", + v.Components.Fetch(0), + v.Components.Fetch(1), + 99, + ) + } + } + return pkg.Inventory.Version } diff --git a/internal/utility/vulns/vulnerabilities.go b/internal/utility/vulns/vulnerabilities.go index b3ecbbe4ea2..9130967acaf 100644 --- a/internal/utility/vulns/vulnerabilities.go +++ b/internal/utility/vulns/vulnerabilities.go @@ -7,13 +7,6 @@ func Include(vs []*models.Vulnerability, vulnerability models.Vulnerability) boo if vuln.ID == vulnerability.ID { return true } - - if isAliasOf(*vuln, vulnerability) { - return true - } - if isAliasOf(vulnerability, *vuln) { - return true - } } return false diff --git a/internal/utility/vulns/vulnerabilities_test.go b/internal/utility/vulns/vulnerabilities_test.go index 5397eb751d5..d8831a0dc22 100644 --- a/internal/utility/vulns/vulnerabilities_test.go +++ b/internal/utility/vulns/vulnerabilities_test.go @@ -65,7 +65,7 @@ func TestVulnerabilities_Includes(t *testing.T) { Aliases: []string{}, }, }, - want: true, + want: false, }, { name: "", @@ -81,7 +81,7 @@ func TestVulnerabilities_Includes(t *testing.T) { Aliases: []string{"GHSA-1"}, }, }, - want: true, + want: false, }, { name: "", @@ -97,7 +97,7 @@ func TestVulnerabilities_Includes(t *testing.T) { Aliases: []string{"CVE-1"}, }, }, - want: true, + want: false, }, { name: "", @@ -113,7 +113,7 @@ func TestVulnerabilities_Includes(t *testing.T) { Aliases: []string{"CVE-2"}, }, }, - want: true, + want: false, }, } for _, tt := range tests { diff --git a/internal/utility/vulns/vulnerability.go b/internal/utility/vulns/vulnerability.go index 48516e01a6e..e31ee1e9167 100644 --- a/internal/utility/vulns/vulnerability.go +++ b/internal/utility/vulns/vulnerability.go @@ -98,25 +98,25 @@ func rangeAffectsVersion(a []models.Range, pkg lockfile.PackageDetails) bool { return false } -func isAliasOfID(v models.Vulnerability, id string) bool { - for _, alias := range v.Aliases { - if alias == id { - return true - } - } - - return false -} - -func isAliasOf(v models.Vulnerability, vulnerability models.Vulnerability) bool { - for _, alias := range vulnerability.Aliases { - if v.ID == alias || isAliasOfID(v, alias) { - return true - } - } - - return false -} +// func isAliasOfID(v models.Vulnerability, id string) bool { +// for _, alias := range v.Aliases { +// if alias == id { +// return true +// } +// } + +// return false +// } + +// func isAliasOf(v models.Vulnerability, vulnerability models.Vulnerability) bool { +// for _, alias := range vulnerability.Aliases { +// if v.ID == alias || isAliasOfID(v, alias) { +// return true +// } +// } + +// return false +// } func AffectsEcosystem(v models.Vulnerability, ecosystem lockfile.Ecosystem) bool { for _, affected := range v.Affected {