
osv-scanner: Callgraph analysis to help prioritize matched vulnerabilities #11

Closed
oliverchang opened this issue Sep 28, 2022 · 1 comment
Labels
enhancement New feature or request

Comments

@oliverchang
Collaborator

Meta-issue to track the feature of doing callgraph analysis as part of vulnerability scanning to help reduce false positives (or at least help prioritize vulnerabilities). Vulnerability databases are starting to include metadata about which functions need to be called to actually be considered vulnerable (GHSA, Go at the very least).

Related idea from @jonathanmetzman: We can even go further with this analysis: We can completely disable the vulnerable code path to completely remove any possibility of the vulnerability being reached.

Current open issues:
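The triage the issue describes, as an added example that is not osv-scanner code and not part of the original thread: advisory metadata lists the symbols that must be called for a vulnerability to matter, a call graph says which symbols the project actually reaches from its entry points, and the scanner ranks each match accordingly. The `Vulnerability` and `CallGraph` types, the `EXAMPLE-*` identifiers, package names and the hand-built call graph are all constructed for illustration and do not correspond to any real advisory or data model.

```go
package main

import (
	"fmt"
	"sort"
)

// Vulnerability models the subset of an advisory that matters for reachability:
// the affected package and the symbols the advisory says must be called.
// Constructed for this example; not the osv-scanner data model.
type Vulnerability struct {
	ID      string
	Package string
	Symbols []string // fully qualified "pkg.Func"; empty means the advisory gives no symbols
}

// CallGraph maps a caller symbol to the symbols it calls. Built by hand here;
// a real scanner would derive it from static analysis of the project.
type CallGraph map[string][]string

// Priority is the triage bucket assigned to a matched vulnerability.
type Priority string

const (
	PriorityReachable   Priority = "reachable"   // a listed symbol is on a call path from an entry point
	PriorityUnknown     Priority = "unknown"     // advisory lists no symbols, so reachability cannot be decided
	PriorityUnreachable Priority = "unreachable" // package is a dependency, but no listed symbol is ever called
)

// Reachable returns the set of symbols reachable from the entry points by
// breadth-first traversal of the call graph.
func Reachable(cg CallGraph, entries []string) map[string]bool {
	seen := make(map[string]bool)
	queue := append([]string(nil), entries...)
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if seen[cur] {
			continue
		}
		seen[cur] = true
		queue = append(queue, cg[cur]...)
	}
	return seen
}

// Prioritize classifies every matched vulnerability. A match stays "reachable"
// if any of its listed symbols is reachable; advisories without symbol data are
// left "unknown" so they are not silently demoted.
func Prioritize(cg CallGraph, entries []string, vulns []Vulnerability) map[string]Priority {
	reach := Reachable(cg, entries)
	out := make(map[string]Priority, len(vulns))
	for _, v := range vulns {
		if len(v.Symbols) == 0 {
			out[v.ID] = PriorityUnknown
			continue
		}
		out[v.ID] = PriorityUnreachable
		for _, s := range v.Symbols {
			if reach[s] {
				out[v.ID] = PriorityReachable
				break
			}
		}
	}
	return out
}

// Report renders the result as sorted "ID: priority" lines so output is stable.
func Report(p map[string]Priority) []string {
	lines := make([]string, 0, len(p))
	for id, pr := range p {
		lines = append(lines, fmt.Sprintf("%s: %s", id, pr))
	}
	sort.Strings(lines)
	return lines
}

func main() {
	// Constructed call graph: main reaches the YAML decoder, but the XML decoder
	// is only called from dead code that no entry point reaches.
	cg := CallGraph{
		"main.main":      {"main.handle"},
		"main.handle":    {"yaml.Unmarshal", "log.Printf"},
		"yaml.Unmarshal": {"yaml.parse"},
		"dead.Code":      {"xml.Decode"},
	}
	// Constructed advisories with placeholder IDs.
	vulns := []Vulnerability{
		{ID: "EXAMPLE-2022-0001", Package: "yaml", Symbols: []string{"yaml.Unmarshal"}},
		{ID: "EXAMPLE-2022-0002", Package: "xml", Symbols: []string{"xml.Decode"}},
		{ID: "EXAMPLE-2022-0003", Package: "log"},
	}
	for _, line := range Report(Prioritize(cg, []string{"main.main"}, vulns)) {
		fmt.Println(line)
	}
}
```

The "unknown" bucket is deliberate: a match for an advisory that carries no symbol data is not evidence of safety, so a scanner should rank it alongside reachable findings rather than below unreachable ones.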

@oliverchang oliverchang added the enhancement New feature or request label Sep 28, 2022
@another-rex another-rex transferred this issue from google/osv.dev Nov 25, 2022
@another-rex
Collaborator

Closing this as a duplicate of #476
