google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0

CycloneDX SBOM vulnerabilities not found #535

Open dtrussel opened 11 months ago

dtrussel commented 11 months ago

I tried using osv-scanner with the latest available Docker image and a CycloneDX SBOM using the following command:

~/test/osv$ docker run -it -v ${PWD}:/src ghcr.io/google/osv-scanner --sbom=/src/bom.cdx.json
Scanned /src/bom.cdx.json as CycloneDX SBOM and found 2 packages
No vulnerabilities found

With the following CycloneDX SBOM (bom.cdx.json):

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "wolfssl",
      "version": "v5.6.0-stable",
      "purl": "pkg:github/wolfssl/wolfssl@v5.6.0-stable"
    },
    {
      "type": "library",
      "name": "NanoPb",
      "version": "0.4.1",
      "purl": "pkg:github/nanopb/nanopb@0.4.1"
    }
  ]
}

The osv-scanner tool reports "No vulnerabilities found", but if I check for vulnerabilities of the used libraries using the web interface, I can see several known vulnerabilities. For example:

https://osv.dev/list?ecosystem=&q=wolfssl
https://osv.dev/list?ecosystem=&q=nanopb

Also, if I use the API, I receive a list of vulnerabilities. For example:

curl -d '{"package": {"name": "wolfssl"}, "version": "v5.6.0-stable"}' "https://api.osv.dev/v1/query"
curl -d '{"package": {"name": "nanopb"}, "version": "0.4.1"}' "https://api.osv.dev/v1/query"

I tried to follow the usage documentation here: https://google.github.io/osv-scanner/usage/. So I assume that I either missed something in the documentation on how to use the CLI tool, or that there is a potential bug. If there is an error in the SBOM itself, I would expect an error, or at least no feedback that the two packages were found.

Used Docker image (from docker images): ghcr.io/google/osv-scanner, tag latest, image ID 725aa024bca8, created 8 weeks ago

docker run -it -v ${PWD}:/src ghcr.io/google/osv-scanner --version
osv-scanner version: 1.3.6
commit: b5f7502d2b76b1b84201937aa759299d23e02c48
built at: 2023-07-19T05:04:48Z

dtrussel commented 11 months ago

Never mind, after having had another look at the API responses I realized that the purls are not the same as in the SBOM, namely the package type is different: "purl":"pkg:pypi/nanopb" and "purl":"pkg:generic/wolfssl" instead of pkg:github. As both projects are hosted on GitHub, that leaves me wondering how one determines the right package type to use for the purl in the SBOM. For example, some vulnerabilities reported for PyPI are not specific to the nanopb Python package, but are generic nanopb issues... If I understand the documentation right, SBOMs can currently only be used with purls, and not based only on name and version.
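To make the mismatch above concrete, here is an added example (my own code, not part of osv-scanner or osv.dev) that parses the bom.cdx.json from the first comment, splits each component's purl into type, namespace, name and version, and builds the OSV API request bodies two ways: as a purl lookup, which is what matching on the SBOM's purl amounts to, and as the bare name + version query that the curl commands in the issue send. The `PURL_TYPE_TO_ECOSYSTEM` table is an assumption for the example (a few well-known purl type to OSV ecosystem pairs), not osv.dev's own mapping; `github` is deliberately absent from it, which is exactly why the SBOM's two purls fall through. The script only constructs the JSON and never calls https://api.osv.dev, so it runs offline.

```python
"""Added example, not osv-scanner's or osv.dev's own code: parse the CycloneDX
SBOM from the issue, take each component's purl apart, and build OSV API
request bodies by purl and by bare name + version. It only builds the JSON;
it never contacts https://api.osv.dev, so it runs offline."""
import json
import re
from urllib.parse import unquote

# The bom.cdx.json from the issue, embedded so the script is self-contained.
BOM_CDX_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "components": [
    {"type": "library", "name": "wolfssl", "version": "v5.6.0-stable",
     "purl": "pkg:github/wolfssl/wolfssl@v5.6.0-stable"},
    {"type": "library", "name": "NanoPb", "version": "0.4.1",
     "purl": "pkg:github/nanopb/nanopb@0.4.1"}
  ]
}
"""

# Simplified purl grammar: pkg:type/namespace/name@version?qualifiers#subpath
PURL_RE = re.compile(
    r"^pkg:(?P<type>[A-Za-z0-9.+-]+)/(?P<path>[^@?#]+)"
    r"(?:@(?P<version>[^?#]+))?(?:\?(?P<qualifiers>[^#]*))?(?:#(?P<subpath>.*))?$"
)

# ASSUMPTION for this example: a handful of purl types and the OSV ecosystem
# they correspond to. This is not osv.dev's own table; "github" is absent on
# purpose, which is the gap the issue describes.
PURL_TYPE_TO_ECOSYSTEM = {
    "pypi": "PyPI", "npm": "npm", "golang": "Go", "cargo": "crates.io",
    "maven": "Maven", "nuget": "NuGet", "gem": "RubyGems", "composer": "Packagist",
}


def parse_purl(purl):
    """Split a purl into type/namespace/name/version; raise on malformed input."""
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a purl: {purl!r}")
    parts = [unquote(p) for p in m.group("path").strip("/").split("/")]
    version = m.group("version")
    return {
        "type": m.group("type").lower(),
        "namespace": "/".join(parts[:-1]) or None,
        "name": parts[-1],
        "version": unquote(version) if version else None,
    }


def load_components(bom_text):
    """Return the components of a CycloneDX JSON BOM that carry a purl."""
    bom = json.loads(bom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM")
    return [c for c in bom.get("components", []) if c.get("purl")]


def ecosystem_for(purl):
    """OSV ecosystem the purl type maps to, or None when there is no direct match."""
    return PURL_TYPE_TO_ECOSYSTEM.get(parse_purl(purl)["type"])


def query_by_purl(component):
    """Body for POST /v1/query as a purl lookup."""
    return {"package": {"purl": component["purl"]}}


def query_by_name_version(component):
    """Body for POST /v1/query by bare name + version, like the curl in the issue.
    No ecosystem is given, and the name is taken from the purl, so NanoPb is
    sent as 'nanopb'."""
    p = parse_purl(component["purl"])
    return {"package": {"name": p["name"]}, "version": p["version"]}


def build_querybatch(components, by):
    """Body for POST /v1/querybatch, one query per component."""
    return {"queries": [by(c) for c in components]}


def report(bom_text):
    """Flag components whose purl type has no ecosystem match and give the fallback query."""
    rows = []
    for c in load_components(bom_text):
        eco = ecosystem_for(c["purl"])
        rows.append({
            "purl": c["purl"],
            "ecosystem": eco,
            "matchable_by_purl": eco is not None,
            "fallback_query": query_by_name_version(c),
        })
    return rows


if __name__ == "__main__":
    comps = load_components(BOM_CDX_JSON)
    print(json.dumps(build_querybatch(comps, query_by_purl), indent=2))
    print(json.dumps(build_querybatch(comps, query_by_name_version), indent=2))
    for row in report(BOM_CDX_JSON):
        print(row)
```

Running it prints two querybatch bodies and, for both components, `matchable_by_purl: False` with the name + version fallback that the curl commands used. The point of the bare name query is also its caveat: with no ecosystem, OSV searches across ecosystems, which is how the pkg:pypi/nanopb and pkg:generic/wolfssl entries turn up, and why some of the hits may be specific to a different packaging of the same project.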

oliverchang commented 11 months ago

Indeed, we currently don't have support for GitHub package URLs. In general it's also challenging to build a reliable mapping between GitHub repos and ecosystem-specific ones like PyPI etc.

That said, there are probably some things we can do here to give more results in some cases. E.g. leveraging our git commit scanning to match github PURLs.

@another-rex thoughts?

github-actions[bot] commented 1 month ago

This issue has not had any activity for 60 days and will be automatically closed in two weeks.

github-actions[bot] commented 1 month ago

Automatically closing stale issue.

another-rex commented 1 month ago

I think long term we can get some matching with the GitHub URLs.