Don't include nested vendored libs in determineversions query.

This mirrors google/osv.dev@81a0213.
google · Nov 8, 2023 · 826a3a7 · 826a3a7
1 parent 8fef787
commit 826a3a7
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go
@@ -247,6 +247,10 @@ func queryDetermineVersions(repoDir string) (*osv.DetermineVersionResponse, erro
 				// results with our regular git commit scanning.
 				return filepath.SkipDir
 			}
+			if _, ok := vendoredLibNames[strings.ToLower(info.Name())]; ok {
+				// Ignore nested vendored libraries, as they can cause bad matches.
+				return filepath.SkipDir
+			}
 
 			return nil
 		}