Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🐛 enable osv-scanner Go call analysis #3893

Closed
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions clients/osv.go
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,9 @@
SkipGit: true,
Recursive: true,
GitCommits: gitCommits,
CallAnalysisStates: map[string]bool{
"go": true,
},
Comment on lines +55 to +57
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

putting a temporary merge hold while discussing exactly how this would work

}, nil) // TODO: Do logging?

response := VulnerabilitiesResponse{}
Expand All @@ -66,6 +69,11 @@
if errors.Is(err, osvscanner.VulnerabilitiesFoundErr) {
vulns := res.Flatten()
for i := range vulns {
// skip if call analysis was performed and the vuln is not called
// based on the documentation, this wont skip vulns for languages which don't support call analysis
if !vulns[i].GroupInfo.IsCalled() {
continue

Check warning on line 75 in clients/osv.go

View check run for this annotation

Codecov / codecov/patch

clients/osv.go#L72-L75

Added lines #L72 - L75 were not covered by tests
}
response.Vulnerabilities = append(response.Vulnerabilities, Vulnerability{
ID: vulns[i].Vulnerability.ID,
Aliases: vulns[i].Vulnerability.Aliases,
Expand Down
55 changes: 28 additions & 27 deletions go.mod
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
module github.com/ossf/scorecard/v4

go 1.21.5
go 1.21.8

require (
cloud.google.com/go/bigquery v1.59.1
Expand Down Expand Up @@ -30,9 +30,9 @@ require (
go.opencensus.io v0.24.0
gocloud.dev v0.36.0
golang.org/x/text v0.14.0
golang.org/x/tools v0.17.0 // indirect
golang.org/x/tools v0.19.0 // indirect
google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 // indirect
google.golang.org/protobuf v1.32.0
google.golang.org/protobuf v1.33.0
gopkg.in/yaml.v2 v2.4.0
gopkg.in/yaml.v3 v3.0.1
mvdan.cc/sh/v3 v3.8.0
Expand All @@ -43,7 +43,7 @@ require (
github.com/caarlos0/env/v6 v6.10.0
github.com/gobwas/glob v0.2.3
github.com/google/go-github/v53 v53.2.0
github.com/google/osv-scanner v1.6.2
github.com/google/osv-scanner v1.7.0
github.com/mcuadros/go-jsonschema-generator v0.0.0-20200330054847-ba7a369d4303
github.com/onsi/ginkgo/v2 v2.15.0
github.com/otiai10/copy v1.14.0
Expand All @@ -55,7 +55,7 @@ require (
cloud.google.com/go/containeranalysis v0.11.4 // indirect
cloud.google.com/go/kms v1.15.7 // indirect
dario.cat/mergo v1.0.0 // indirect
deps.dev/api/v3alpha v0.0.0-20240109042716-00b51ef52ece // indirect
deps.dev/api/v3alpha v0.0.0-20240223021916-3ec708cc3f2e // indirect
github.com/BurntSushi/toml v1.3.2 // indirect
github.com/CycloneDX/cyclonedx-go v0.8.0 // indirect
github.com/anchore/go-struct-converter v0.0.0-20230627203149-c72ef8859ca9 // indirect
Expand All @@ -64,6 +64,7 @@ require (
github.com/containerd/typeurl/v2 v2.1.1 // indirect
github.com/cyphar/filepath-securejoin v0.2.4 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/dghubble/trie v0.1.0 // indirect
github.com/emicklei/go-restful/v3 v3.10.2 // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
Expand All @@ -72,7 +73,7 @@ require (
github.com/go-openapi/swag v0.22.4 // indirect
github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
github.com/goccy/go-json v0.10.2 // indirect
github.com/golang/glog v1.1.2 // indirect
github.com/golang/glog v1.2.0 // indirect
github.com/google/flatbuffers v23.5.26+incompatible // indirect
github.com/google/gnostic-models v0.6.8 // indirect
github.com/google/go-github/v57 v57.0.0 // indirect
Expand All @@ -81,8 +82,8 @@ require (
github.com/google/s2a-go v0.1.7 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-retryablehttp v0.7.4 // indirect
github.com/ianlancetaylor/demangle v0.0.0-20240117034632-964b1d53ca6c // indirect
github.com/jedib0t/go-pretty/v6 v6.5.3 // indirect
github.com/ianlancetaylor/demangle v0.0.0-20240205174729-1f824a1a9b87 // indirect
github.com/jedib0t/go-pretty/v6 v6.5.4 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/klauspost/cpuid/v2 v2.2.5 // indirect
Expand All @@ -106,12 +107,12 @@ require (
go.opentelemetry.io/otel v1.23.0 // indirect
go.opentelemetry.io/otel/metric v1.23.0 // indirect
go.opentelemetry.io/otel/trace v1.23.0 // indirect
golang.org/x/mod v0.14.0 // indirect
golang.org/x/term v0.17.0 // indirect
golang.org/x/mod v0.16.0 // indirect
golang.org/x/term v0.18.0 // indirect
golang.org/x/time v0.5.0 // indirect
golang.org/x/vuln v1.0.1 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240221002015-b0ce06bbee7c // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240213162025-012b6fc9bca9 // indirect
golang.org/x/vuln v1.0.4 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240304212257-790db918fca8 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240304212257-790db918fca8 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
k8s.io/api v0.28.2 // indirect
k8s.io/apimachinery v0.28.2 // indirect
Expand All @@ -130,15 +131,15 @@ require (
cloud.google.com/go/iam v1.1.6 // indirect
cloud.google.com/go/storage v1.37.0 // indirect
github.com/Microsoft/go-winio v0.6.1 // indirect
github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect
github.com/ProtonMail/go-crypto v1.0.0 // indirect
github.com/aws/aws-sdk-go v1.49.0 // indirect
github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
github.com/docker/cli v24.0.4+incompatible // indirect
github.com/docker/distribution v2.8.2+incompatible // indirect
github.com/docker/docker v24.0.7+incompatible // indirect
github.com/docker/docker-credential-helpers v0.7.0 // indirect
github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
github.com/docker/cli v25.0.3+incompatible // indirect
github.com/docker/distribution v2.8.3+incompatible // indirect
github.com/docker/docker v25.0.3+incompatible // indirect
github.com/docker/docker-credential-helpers v0.8.1 // indirect
github.com/emirpasic/gods v1.18.1 // indirect
github.com/fatih/color v1.16.0 // indirect
github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
Expand All @@ -157,7 +158,7 @@ require (
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/kevinburke/ssh_config v1.2.0 // indirect
github.com/klauspost/compress v1.17.2 // indirect
github.com/klauspost/compress v1.17.7 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mattn/go-runewidth v0.0.15 // indirect
Expand All @@ -168,20 +169,20 @@ require (
github.com/rivo/uniseg v0.4.7 // indirect
github.com/sergi/go-diff v1.3.1 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/vbatts/tar-split v0.11.3 // indirect
github.com/vbatts/tar-split v0.11.5 // indirect
github.com/xanzy/go-gitlab v0.98.0
github.com/xanzy/ssh-agent v0.3.3 // indirect
github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
golang.org/x/crypto v0.19.0 // indirect
golang.org/x/exp v0.0.0-20240119083558-1b970713d09a // indirect
golang.org/x/net v0.21.0 // indirect
golang.org/x/crypto v0.21.0 // indirect
golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 // indirect
golang.org/x/net v0.22.0 // indirect
golang.org/x/oauth2 v0.17.0
golang.org/x/sync v0.6.0 // indirect
golang.org/x/sys v0.17.0 // indirect
golang.org/x/sys v0.18.0 // indirect
golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
google.golang.org/api v0.166.0 // indirect
google.golang.org/appengine v1.6.8 // indirect
google.golang.org/grpc v1.61.1 // indirect
google.golang.org/grpc v1.62.1 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
)
Loading
Loading