From 826a3a72341a4062216a56292d9626ff8cc76b6c Mon Sep 17 00:00:00 2001
From: Oliver Chang
Date: Wed, 8 Nov 2023 13:57:19 +1100
Subject: [PATCH] Don't include nested vendored libs in determineversions query.

This mirrors https://github.com/google/osv.dev/commit/81a02135365a8ff0856588cf844645ed253b5257.
---
 pkg/osvscanner/osvscanner.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go
index bc334e7d7d..38ed2f7714 100644
--- a/pkg/osvscanner/osvscanner.go
+++ b/pkg/osvscanner/osvscanner.go
@@ -247,6 +247,10 @@ func queryDetermineVersions(repoDir string) (*osv.DetermineVersionResponse, erro
 // results with our regular git commit scanning.
 return filepath.SkipDir
 }
+ if _, ok := vendoredLibNames[strings.ToLower(info.Name())]; ok {
+ // Ignore nested vendored libraries, as they can cause bad matches.
+ return filepath.SkipDir
+ }
 return nil
 }
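Review bot: The added `vendoredLibNames` check does not exclude the walk root, so if the base name of `repoDir` is itself in that set, the callback returns `filepath.SkipDir` on its first invocation and the whole library drops out of the determineversions query with no error. For a vulnerability scanner that is a silent coverage gap. The commit message says only nested vendored libraries should be ignored, so the condition could carry a root guard, for example `; ok && <walk path> != repoDir {`, where `<walk path>` is the callback's path parameter, whose name is not visible here. Emitting a low-verbosity log line naming each skipped directory would also let users see what was left out of the hash query. The walk callback and the rest of `queryDetermineVersions` start and end outside the hunk, so whether this branch already sits under an `info.IsDir()` check could not be confirmed from here.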