
Config file (GoVersionOverride) is not applied properly on recursive scans #1273

Closed
tuminoid opened this issue Sep 25, 2024 · 1 comment · Fixed by #1278
@tuminoid

GoVersionOverride in the osv-scanner.toml config applies only to one go.mod in a recursive scan. Regardless of using --config <file> or placing osv-scanner.toml next to each go.mod file, the config is ignored for all but the first go.mod scanned.

GoVersionOverride was implemented in #850.

osv-scanner version tested: v1.8.5

Expected outcome

Repository tested: https://github.com/metal3-io/ip-address-manager

Using osv-scanner.toml with the following content works and does not report any vulnerabilities, as all mentioned vulnerabilities are fixed before Golang 1.22.7:

GoVersionOverride = "1.22.7"

Actual outcome

Running individual scans for each go.mod file is always clean:

$ osv-scanner scan --skip-git --verbosity verbose --config osv-scanner.toml go.mod
Scanning dir go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/go.mod file and found 93 packages
Filtered 1 local package/s from the scan.
No issues found

$ osv-scanner scan --skip-git --verbosity verbose --config osv-scanner.toml api/go.mod 
Scanning dir api/go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/api/go.mod file and found 60 packages
No issues found

$ osv-scanner scan --skip-git --verbosity verbose --config osv-scanner.toml hack/tools/go.mod 
Scanning dir hack/tools/go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/hack/tools/go.mod file and found 61 packages
No issues found

However, when executed with --recursive or using the extglob **/go.mod, it produces failures as if the config only applies to api (first dir?):

$ osv-scanner scan --skip-git --verbosity verbose --config osv-scanner.toml **/go.mod
Scanning dir api/go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/api/go.mod file and found 60 packages
Scanning dir go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/go.mod file and found 93 packages
Scanning dir hack/tools/go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/hack/tools/go.mod file and found 61 packages
Filtered 1 local package/s from the scan.
╭──────────────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────────╮
│ OSV URL                      │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE            │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ https://osv.dev/GO-2024-2887 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-2963 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ Uncalled vulnerabilities     │      │           │         │         │                   │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ https://osv.dev/GO-2024-2888 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-3105 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-3106 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-3107 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-2887 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-2888 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-2963 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3105 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3106 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3107 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │

Without osv-scanner.toml at all, it additionally finds the same vulns in api/, so the config seems to apply, but only to a single directory:

$ osv-scanner scan --skip-git --verbosity verbose **/go.mod
Scanning dir api/go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/api/go.mod file and found 60 packages
Scanning dir go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/go.mod file and found 93 packages
Scanning dir hack/tools/go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/hack/tools/go.mod file and found 61 packages
Filtered 1 local package/s from the scan.
╭──────────────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────────╮
│ OSV URL                      │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE            │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ https://osv.dev/GO-2024-2887 │      │ Go        │ stdlib  │ 1.22.3  │ api/go.mod        │
│ https://osv.dev/GO-2024-2963 │      │ Go        │ stdlib  │ 1.22.3  │ api/go.mod        │
│ https://osv.dev/GO-2024-2887 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-2963 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ Uncalled vulnerabilities     │      │           │         │         │                   │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ https://osv.dev/GO-2024-2888 │      │ Go        │ stdlib  │ 1.22.3  │ api/go.mod        │
│ https://osv.dev/GO-2024-3105 │      │ Go        │ stdlib  │ 1.22.3  │ api/go.mod        │
│ https://osv.dev/GO-2024-3106 │      │ Go        │ stdlib  │ 1.22.3  │ api/go.mod        │
│ https://osv.dev/GO-2024-3107 │      │ Go        │ stdlib  │ 1.22.3  │ api/go.mod        │
│ https://osv.dev/GO-2024-2888 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-3105 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-3106 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-3107 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-2887 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-2888 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-2963 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3105 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3106 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3107 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
╰──────────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────────╯

This breaks scan results from the osv-scanner-reusable GH action workflow, which uses --recursive.

$ osv-scanner scan --skip-git --verbosity verbose --recursive .
Scanning dir .
Scanned /home/tumi/git/metal3-io/ip-address-manager/api/go.mod file and found 60 packages
Scanned /home/tumi/git/metal3-io/ip-address-manager/go.mod file and found 93 packages
Scanned /home/tumi/git/metal3-io/ip-address-manager/hack/tools/go.mod file and found 61 packages
Filtered 1 local package/s from the scan.
Loaded filter from: /home/tumi/git/metal3-io/ip-address-manager/api/osv-scanner.toml
Loaded filter from: /home/tumi/git/metal3-io/ip-address-manager/osv-scanner.toml
Loaded filter from: /home/tumi/git/metal3-io/ip-address-manager/hack/tools/osv-scanner.toml
╭──────────────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────────╮
│ OSV URL                      │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE            │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ https://osv.dev/GO-2024-2887 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-2963 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ Uncalled vulnerabilities     │      │           │         │         │                   │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ https://osv.dev/GO-2024-2888 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-3105 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-3106 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-3107 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-2887 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-2888 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-2963 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3105 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3106 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3107 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
╰──────────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────────╯

cuixq commented Sep 25, 2024

@G-Rath could you take a look at this?

@G-Rath G-Rath self-assigned this Sep 26, 2024
another-rex pushed a commit that referenced this issue Sep 30, 2024
)

Currently we assume that there'll only ever be one occurrence of `stdlib`
when overriding the Go version but really there can be an occurrence
_per `go.mod`_ file

Resolves #1273
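To make the failure mode from the issue report and the commit message concrete, the following is an added Go example. It is not osv-scanner's code: it is a simplified model in which each scanned go.mod contributes a `stdlib` entry, a config is looked up per directory (an osv-scanner.toml beside the go.mod wins, otherwise the `--config` fallback applies), and two override routines are compared. `applyOverrideOnce` stops after the first `stdlib` match, which is the single-occurrence assumption the commit describes and reproduces the symptom of only the first directory being overridden; `applyOverridePerGoMod` applies the override to every occurrence. The `Package` and `Config` types, the sample package list and the `example.com/...` module names are all constructed for this example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"sort"
)

// Package is a minimal model of one scanned dependency (constructed for this
// example; not osv-scanner's own type).
type Package struct {
	Name    string // "stdlib" or a module path
	Version string
	Source  string // go.mod the entry was read from, relative to the scan root
}

// Config holds the one osv-scanner.toml setting this issue is about.
type Config struct {
	GoVersionOverride string
}

// samplePackages mirrors the three go.mod files in the issue's scan output,
// each reporting stdlib 1.22.3, plus a couple of ordinary modules (sample data).
func samplePackages() []Package {
	return []Package{
		{Name: "stdlib", Version: "1.22.3", Source: "api/go.mod"},
		{Name: "example.com/dep-a", Version: "0.1.0", Source: "api/go.mod"},
		{Name: "stdlib", Version: "1.22.3", Source: "go.mod"},
		{Name: "example.com/dep-b", Version: "2.0.0", Source: "go.mod"},
		{Name: "stdlib", Version: "1.22.3", Source: "hack/tools/go.mod"},
	}
}

// configFor picks the config for a given go.mod: an osv-scanner.toml in the
// same directory wins, otherwise the fallback passed via --config is used.
func configFor(source string, perDir map[string]Config, fallback Config) Config {
	if c, ok := perDir[filepath.Dir(source)]; ok {
		return c
	}
	return fallback
}

// applyOverrideOnce models the faulty behaviour: it assumes a scan contains
// exactly one stdlib entry, so only the first go.mod scanned is overridden and
// every later go.mod keeps the version that triggers the stdlib advisories.
func applyOverrideOnce(pkgs []Package, perDir map[string]Config, fallback Config) []Package {
	out := append([]Package(nil), pkgs...)
	for i := range out {
		if out[i].Name != "stdlib" {
			continue
		}
		if v := configFor(out[i].Source, perDir, fallback).GoVersionOverride; v != "" {
			out[i].Version = v
		}
		break // the bug: stop after the first occurrence
	}
	return out
}

// applyOverridePerGoMod applies the override to every stdlib occurrence,
// resolving the config per source file, which is what a recursive scan needs.
func applyOverridePerGoMod(pkgs []Package, perDir map[string]Config, fallback Config) []Package {
	out := append([]Package(nil), pkgs...)
	for i := range out {
		if out[i].Name != "stdlib" {
			continue
		}
		if v := configFor(out[i].Source, perDir, fallback).GoVersionOverride; v != "" {
			out[i].Version = v
		}
	}
	return out
}

// stdlibVersions reports, per go.mod, the Go version that would be matched
// against the vulnerability database.
func stdlibVersions(pkgs []Package) map[string]string {
	res := map[string]string{}
	for _, p := range pkgs {
		if p.Name == "stdlib" {
			res[p.Source] = p.Version
		}
	}
	return res
}

func main() {
	fallback := Config{GoVersionOverride: "1.22.7"} // the --config file from the issue
	perDir := map[string]Config{}                    // no per-directory osv-scanner.toml
	runs := []struct {
		name string
		fn   func([]Package, map[string]Config, Config) []Package
	}{{"override applied once", applyOverrideOnce}, {"override applied per go.mod", applyOverridePerGoMod}}
	for _, run := range runs {
		vs := stdlibVersions(run.fn(samplePackages(), perDir, fallback))
		keys := make([]string, 0, len(vs))
		for k := range vs {
			keys = append(keys, k)
		}
		sort.Strings(keys)
		fmt.Println(run.name + ":")
		for _, k := range keys {
			fmt.Printf("  %-20s stdlib %s\n", k, vs[k])
		}
	}
}
```

Running the block prints the per-go.mod stdlib version under both routines: with the early `break`, only api/go.mod ends up at 1.22.7 while go.mod and hack/tools/go.mod stay at 1.22.3, which is the shape of the table in the report; without it, all three are overridden, and a directory-specific config (when present) takes precedence over the `--config` fallback for that directory only.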