GoVersionOverride in the osv-scanner.toml config applies only to one go.mod in a recursive scan. Regardless of whether --config <file> is used or an osv-scanner.toml is placed next to each go.mod file, the config is ignored for all but the first go.mod scanned.
Expected outcome
Using an osv-scanner.toml with the following content works and does not report any vulnerabilities, as all the vulnerabilities listed below are fixed before Golang 1.22.7:
GoVersionOverride = "1.22.7"
Actual outcome
Individual scans of each go.mod file are always clean:
$ osv-scanner scan --skip-git --verbosity verbose --config osv-scanner.toml go.mod
Scanning dir go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/go.mod file and found 93 packages
Filtered 1 local package/s from the scan.
No issues found
$ osv-scanner scan --skip-git --verbosity verbose --config osv-scanner.toml api/go.mod
Scanning dir api/go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/api/go.mod file and found 60 packages
No issues found
$ osv-scanner scan --skip-git --verbosity verbose --config osv-scanner.toml hack/tools/go.mod
Scanning dir hack/tools/go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/hack/tools/go.mod file and found 61 packages
No issues found
However, when executed with --recursive or with the extglob **/go.mod, it reports findings as if the config only applied to api (the first directory?):
$ osv-scanner scan --skip-git --verbosity verbose --config osv-scanner.toml **/go.mod
Scanning dir api/go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/api/go.mod file and found 60 packages
Scanning dir go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/go.mod file and found 93 packages
Scanning dir hack/tools/go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/hack/tools/go.mod file and found 61 packages
Filtered 1 local package/s from the scan.
╭──────────────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────────╮
│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ https://osv.dev/GO-2024-2887 │ │ Go │ stdlib │ 1.22.3 │ go.mod │
│ https://osv.dev/GO-2024-2963 │ │ Go │ stdlib │ 1.22.3 │ go.mod │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ Uncalled vulnerabilities │ │ │ │ │ │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ https://osv.dev/GO-2024-2888 │ │ Go │ stdlib │ 1.22.3 │ go.mod │
│ https://osv.dev/GO-2024-3105 │ │ Go │ stdlib │ 1.22.3 │ go.mod │
│ https://osv.dev/GO-2024-3106 │ │ Go │ stdlib │ 1.22.3 │ go.mod │
│ https://osv.dev/GO-2024-3107 │ │ Go │ stdlib │ 1.22.3 │ go.mod │
│ https://osv.dev/GO-2024-2887 │ │ Go │ stdlib │ 1.22.3 │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-2888 │ │ Go │ stdlib │ 1.22.3 │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-2963 │ │ Go │ stdlib │ 1.22.3 │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3105 │ │ Go │ stdlib │ 1.22.3 │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3106 │ │ Go │ stdlib │ 1.22.3 │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3107 │ │ Go │ stdlib │ 1.22.3 │ hack/tools/go.mod │
Without any osv-scanner.toml at all, it additionally finds the same vulns in api/, so the config does seem to apply, but only to a single directory:
$ osv-scanner scan --skip-git --verbosity verbose **/go.mod
Scanning dir api/go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/api/go.mod file and found 60 packages
Scanning dir go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/go.mod file and found 93 packages
Scanning dir hack/tools/go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/hack/tools/go.mod file and found 61 packages
Filtered 1 local package/s from the scan.
╭──────────────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────────╮
│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ https://osv.dev/GO-2024-2887 │ │ Go │ stdlib │ 1.22.3 │ api/go.mod │
│ https://osv.dev/GO-2024-2963 │ │ Go │ stdlib │ 1.22.3 │ api/go.mod │
│ https://osv.dev/GO-2024-2887 │ │ Go │ stdlib │ 1.22.3 │ go.mod │
│ https://osv.dev/GO-2024-2963 │ │ Go │ stdlib │ 1.22.3 │ go.mod │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ Uncalled vulnerabilities │ │ │ │ │ │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ https://osv.dev/GO-2024-2888 │ │ Go │ stdlib │ 1.22.3 │ api/go.mod │
│ https://osv.dev/GO-2024-3105 │ │ Go │ stdlib │ 1.22.3 │ api/go.mod │
│ https://osv.dev/GO-2024-3106 │ │ Go │ stdlib │ 1.22.3 │ api/go.mod │
│ https://osv.dev/GO-2024-3107 │ │ Go │ stdlib │ 1.22.3 │ api/go.mod │
│ https://osv.dev/GO-2024-2888 │ │ Go │ stdlib │ 1.22.3 │ go.mod │
│ https://osv.dev/GO-2024-3105 │ │ Go │ stdlib │ 1.22.3 │ go.mod │
│ https://osv.dev/GO-2024-3106 │ │ Go │ stdlib │ 1.22.3 │ go.mod │
│ https://osv.dev/GO-2024-3107 │ │ Go │ stdlib │ 1.22.3 │ go.mod │
│ https://osv.dev/GO-2024-2887 │ │ Go │ stdlib │ 1.22.3 │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-2888 │ │ Go │ stdlib │ 1.22.3 │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-2963 │ │ Go │ stdlib │ 1.22.3 │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3105 │ │ Go │ stdlib │ 1.22.3 │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3106 │ │ Go │ stdlib │ 1.22.3 │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3107 │ │ Go │ stdlib │ 1.22.3 │ hack/tools/go.mod │
╰──────────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────────╯
This breaks the scan results of the osv-scanner-reusable GH Action workflow, which uses --recursive.
$ osv-scanner scan --skip-git --verbosity verbose --recursive .
Scanning dir .
Scanned /home/tumi/git/metal3-io/ip-address-manager/api/go.mod file and found 60 packages
Scanned /home/tumi/git/metal3-io/ip-address-manager/go.mod file and found 93 packages
Scanned /home/tumi/git/metal3-io/ip-address-manager/hack/tools/go.mod file and found 61 packages
Filtered 1 local package/s from the scan.
Loaded filter from: /home/tumi/git/metal3-io/ip-address-manager/api/osv-scanner.toml
Loaded filter from: /home/tumi/git/metal3-io/ip-address-manager/osv-scanner.toml
Loaded filter from: /home/tumi/git/metal3-io/ip-address-manager/hack/tools/osv-scanner.toml
╭──────────────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────────╮
│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ https://osv.dev/GO-2024-2887 │ │ Go │ stdlib │ 1.22.3 │ go.mod │
│ https://osv.dev/GO-2024-2963 │ │ Go │ stdlib │ 1.22.3 │ go.mod │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ Uncalled vulnerabilities │ │ │ │ │ │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ https://osv.dev/GO-2024-2888 │ │ Go │ stdlib │ 1.22.3 │ go.mod │
│ https://osv.dev/GO-2024-3105 │ │ Go │ stdlib │ 1.22.3 │ go.mod │
│ https://osv.dev/GO-2024-3106 │ │ Go │ stdlib │ 1.22.3 │ go.mod │
│ https://osv.dev/GO-2024-3107 │ │ Go │ stdlib │ 1.22.3 │ go.mod │
│ https://osv.dev/GO-2024-2887 │ │ Go │ stdlib │ 1.22.3 │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-2888 │ │ Go │ stdlib │ 1.22.3 │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-2963 │ │ Go │ stdlib │ 1.22.3 │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3105 │ │ Go │ stdlib │ 1.22.3 │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3106 │ │ Go │ stdlib │ 1.22.3 │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3107 │ │ Go │ stdlib │ 1.22.3 │ hack/tools/go.mod │
╰──────────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────────╯
GoVersionOverride was implemented in #850.
osv-scanner version tested: v1.8.5
Repository tested: https://github.com/metal3-io/ip-address-manager
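Until the recursive mode honours every module's config, one way to keep a CI step reliable is to scan each go.mod on its own and pass it the osv-scanner.toml that sits beside it. This is an added workaround script, not osv-scanner's own code and not part of the issue; it assumes paths without whitespace, a repo-root osv-scanner.toml as the shared fallback, and that vendor/ trees should be skipped.

```shell
#!/bin/sh
# Added workaround (not osv-scanner's own code, nor from the issue): until
# --recursive honours every osv-scanner.toml, scan each go.mod separately
# and hand it the config that sits beside it. Assumes paths contain no
# whitespace and that a repo-root osv-scanner.toml is the shared fallback.

# Print the config to use for a go.mod ($1): the osv-scanner.toml in the
# same directory, else the fallback ($2) if it exists, else nothing.
config_for() {
  d=$(dirname "$1")
  if [ -f "$d/osv-scanner.toml" ]; then
    printf '%s\n' "$d/osv-scanner.toml"
  elif [ -n "$2" ] && [ -f "$2" ]; then
    printf '%s\n' "$2"
  fi
}

# Print one line per go.mod under $1: "<go.mod> <config or ->", sorted so
# the plan is reproducible in CI logs; vendor/ trees are skipped.
plan_scans() {
  root="$1"
  for mod in $(find "$root" -name go.mod -not -path '*/vendor/*' | sort); do
    cfg=$(config_for "$mod" "$root/osv-scanner.toml")
    printf '%s %s\n' "$mod" "${cfg:--}"
  done
}

# Run osv-scanner once per planned go.mod with its own --config; any
# non-zero exit is remembered so one vulnerable module fails the step.
scan_all() {
  rc=0
  while read -r mod cfg; do
    [ -n "$mod" ] || continue
    if [ "$cfg" = "-" ]; then
      osv-scanner scan --skip-git "$mod" || rc=$?
    else
      osv-scanner scan --skip-git --config "$cfg" "$mod" || rc=$?
    fi
  done <<EOF
$(plan_scans "$1")
EOF
  return "$rc"
}

# Usage: sh scan-per-module.sh --run /path/to/repo
if [ "${1:-}" = "--run" ]; then
  scan_all "${2:-.}"
fi
```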