google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0

Config file (GoVersionOverride) is not applied properly on recursive scans #1273

Closed tuminoid closed 6 hours ago

tuminoid commented 5 days ago

GoVersionOverride in the osv-scanner.toml config applies only to one go.mod in a recursive scan. Regardless of using --config <file> or placing osv-scanner.toml next to each go.mod file, the config is ignored for all but the first go.mod scanned.

GoVersionOverride was implemented in #850 .

osv-scanner version tested: v1.8.5

Expected outcome

Repository tested: https://github.com/metal3-io/ip-address-manager

Using osv-scanner.toml with the following content works and does not report any vulnerabilities, as all mentioned vulnerabilities are fixed before Golang 1.22.7:

GoVersionOverride = "1.22.7"

Actual outcome

Individual scans for each go.mod file are always clean:

$ osv-scanner scan --skip-git --verbosity verbose --config osv-scanner.toml go.mod
Scanning dir go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/go.mod file and found 93 packages
Filtered 1 local package/s from the scan.
No issues found

$ osv-scanner scan --skip-git --verbosity verbose --config osv-scanner.toml api/go.mod 
Scanning dir api/go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/api/go.mod file and found 60 packages
No issues found

$ osv-scanner scan --skip-git --verbosity verbose --config osv-scanner.toml hack/tools/go.mod 
Scanning dir hack/tools/go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/hack/tools/go.mod file and found 61 packages
No issues found

However, when executed with --recursive or using the extglob **/go.mod, it produces failures as if the config only applies to api (first dir?):

$ osv-scanner scan --skip-git --verbosity verbose --config osv-scanner.toml **/go.mod
Scanning dir api/go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/api/go.mod file and found 60 packages
Scanning dir go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/go.mod file and found 93 packages
Scanning dir hack/tools/go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/hack/tools/go.mod file and found 61 packages
Filtered 1 local package/s from the scan.
╭──────────────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────────╮
│ OSV URL                      │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE            │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ https://osv.dev/GO-2024-2887 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-2963 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ Uncalled vulnerabilities     │      │           │         │         │                   │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ https://osv.dev/GO-2024-2888 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-3105 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-3106 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-3107 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-2887 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-2888 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-2963 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3105 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3106 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3107 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │

Without osv-scanner.toml at all, it additionally finds the same vulns in api/, so the config seems to apply, but only to a single directory:

$ osv-scanner scan --skip-git --verbosity verbose **/go.mod
Scanning dir api/go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/api/go.mod file and found 60 packages
Scanning dir go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/go.mod file and found 93 packages
Scanning dir hack/tools/go.mod
Scanned /home/tumi/git/metal3-io/ip-address-manager/hack/tools/go.mod file and found 61 packages
Filtered 1 local package/s from the scan.
╭──────────────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────────╮
│ OSV URL                      │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE            │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ https://osv.dev/GO-2024-2887 │      │ Go        │ stdlib  │ 1.22.3  │ api/go.mod        │
│ https://osv.dev/GO-2024-2963 │      │ Go        │ stdlib  │ 1.22.3  │ api/go.mod        │
│ https://osv.dev/GO-2024-2887 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-2963 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ Uncalled vulnerabilities     │      │           │         │         │                   │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ https://osv.dev/GO-2024-2888 │      │ Go        │ stdlib  │ 1.22.3  │ api/go.mod        │
│ https://osv.dev/GO-2024-3105 │      │ Go        │ stdlib  │ 1.22.3  │ api/go.mod        │
│ https://osv.dev/GO-2024-3106 │      │ Go        │ stdlib  │ 1.22.3  │ api/go.mod        │
│ https://osv.dev/GO-2024-3107 │      │ Go        │ stdlib  │ 1.22.3  │ api/go.mod        │
│ https://osv.dev/GO-2024-2888 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-3105 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-3106 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-3107 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-2887 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-2888 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-2963 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3105 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3106 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3107 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
╰──────────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────────╯

This breaks scan results from the osv-scanner-reusable GH action workflow, which uses --recursive.

$ osv-scanner scan --skip-git --verbosity verbose --recursive .
Scanning dir .
Scanned /home/tumi/git/metal3-io/ip-address-manager/api/go.mod file and found 60 packages
Scanned /home/tumi/git/metal3-io/ip-address-manager/go.mod file and found 93 packages
Scanned /home/tumi/git/metal3-io/ip-address-manager/hack/tools/go.mod file and found 61 packages
Filtered 1 local package/s from the scan.
Loaded filter from: /home/tumi/git/metal3-io/ip-address-manager/api/osv-scanner.toml
Loaded filter from: /home/tumi/git/metal3-io/ip-address-manager/osv-scanner.toml
Loaded filter from: /home/tumi/git/metal3-io/ip-address-manager/hack/tools/osv-scanner.toml
╭──────────────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────────╮
│ OSV URL                      │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE            │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ https://osv.dev/GO-2024-2887 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-2963 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ Uncalled vulnerabilities     │      │           │         │         │                   │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────┤
│ https://osv.dev/GO-2024-2888 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-3105 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-3106 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-3107 │      │ Go        │ stdlib  │ 1.22.3  │ go.mod            │
│ https://osv.dev/GO-2024-2887 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-2888 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-2963 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3105 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3106 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
│ https://osv.dev/GO-2024-3107 │      │ Go        │ stdlib  │ 1.22.3  │ hack/tools/go.mod │
╰──────────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────────╯
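As an added example (not osv-scanner's own code), the per-file resolution the report expects, in Go: each go.mod is resolved independently, an explicit config path wins, otherwise the osv-scanner.toml beside that go.mod, otherwise the module's go directive. The in-memory repository layout and the single-key line scanner are constructed assumptions, not the tool's real TOML or go.mod parser.

```go
package main

import (
	"io/fs"
	"path"
	"strings"
	"testing/fstest"
)

// Constructed layout modelled on the report: every go.mod declares go 1.22.3;
// osv-scanner.toml sits beside the root and api modules but not hack/tools.
var repo = fstest.MapFS{
	"osv-scanner.toml":     {Data: []byte("GoVersionOverride = \"1.22.7\"\n")},
	"api/osv-scanner.toml": {Data: []byte("GoVersionOverride = \"1.22.7\"\n")},
	"go.mod":               {Data: []byte("module example.com/r\n\ngo 1.22.3\n")},
	"api/go.mod":           {Data: []byte("module example.com/r/api\n\ngo 1.22.3\n")},
	"hack/tools/go.mod":    {Data: []byte("module example.com/r/tools\n\ngo 1.22.3\n")},
}

// firstValue returns the last token of the first line whose first token is key
// ("go 1.22.3" in go.mod, GoVersionOverride = "1.22.7" in the config). Minimal.
func firstValue(data []byte, key string) string {
	for _, line := range strings.Split(string(data), "\n") {
		f := strings.Fields(line)
		if len(f) >= 2 && f[0] == key {
			return strings.Trim(f[len(f)-1], `"`)
		}
	}
	return ""
}

// EffectiveGoVersion resolves the stdlib version for ONE go.mod: an explicit
// --config path wins, else the osv-scanner.toml beside that go.mod, else the
// go directive. Calling this per file is what the report expects of a scan.
func EffectiveGoVersion(fsys fs.FS, goMod, configPath string) (string, error) {
	mod, err := fs.ReadFile(fsys, goMod)
	if err != nil {
		return "", err
	}
	version := firstValue(mod, "go")
	if configPath == "" {
		configPath = path.Join(path.Dir(goMod), "osv-scanner.toml")
	}
	if cfg, err := fs.ReadFile(fsys, configPath); err == nil {
		if o := firstValue(cfg, "GoVersionOverride"); o != "" {
			version = o
		}
	}
	return version, nil
}
```

With this resolution hack/tools/go.mod keeps 1.22.3 unless a config sits beside it or is passed explicitly, which is the per-directory behaviour the "Loaded filter from" lines suggest.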

cuixq commented 5 days ago

@G-Rath could you take a look at this?