Open dtrussel opened 11 months ago
Never mind, after having had another look at the API responses I realized that the purls are not the same as in the SBOM, namely the package type is different: "purl":"pkg:pypi/nanopb" and "purl":"pkg:generic/wolfssl" instead of pkg:github.
As both projects are hosted on GitHub, that leaves me wondering how one determines the right package type to use for the purl in the SBOM.
For example, some vulnerabilities reported for PyPI are not specific to the nanopb Python package, but are generic nanopb issues...
If I understand the documentation right, SBOMs can currently only be used with purls, and not based only on name and version.
Indeed, we currently don't have support for GitHub package URLs. In general it's also challenging to build a reliable mapping between GitHub repos and ecosystem-specific ones like PyPI etc.
That said, there are probably some things we can do here to give more results in some cases, e.g. leveraging our git commit scanning to match GitHub purls.
@another-rex thoughts?
This issue has not had any activity for 60 days and will be automatically closed in two weeks
Automatically closing stale issue
I think long term we can get some matching with the GitHub URLs.
I tried using osv-scanner with the latest available Docker image and a CycloneDX SBOM using the following command
With the following CycloneDX SBOM (bom.cdx.json):
The osv-scanner tool reports "No vulnerabilities found", but if I check for vulnerabilities of the used libraries using the web interface, I can see several known vulnerabilities. For example: https://osv.dev/list?ecosystem=&q=wolfssl and https://osv.dev/list?ecosystem=&q=nanopb
Also, if I use the API, I receive a list of vulnerabilities. For example:
curl -d '{"package": {"name": "wolfssl"}, "version": "v5.6.0-stable"}' "https://api.osv.dev/v1/query"
curl -d '{"package": {"name": "nanopb"}, "version": "0.4.1"}' "https://api.osv.dev/v1/query"
I tried to follow the usage documentation here: https://google.github.io/osv-scanner/usage/. So I assume that I either missed something in the documentation on how to use the CLI tool, or that there is a potential bug. If there is an error in the SBOM itself I would expect an error, or at least no feedback that the two packages were found.
Used Docker image:
ghcr.io/google/osv-scanner latest 725aa024bca8 8 weeks ago
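The mismatch discussed in this thread (SBOM components carrying pkg:github purls that the scanner cannot match, while the API answers name/version queries) can be checked before running the scanner. The following is an added example, not part of osv-scanner or the reporter's files: it parses a constructed CycloneDX SBOM, flags purl types the scanner does not support, and builds the `/v1/query` body shape used in the curl commands above as a fallback. The matchable-type set is an assumption for illustration, not OSV's real ecosystem list.

```python
import json
from urllib.parse import unquote

# Constructed CycloneDX SBOM modelled on the issue; NOT the reporter's bom.cdx.json.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "wolfssl", "version": "v5.6.0-stable",
         "purl": "pkg:github/wolfssl/wolfssl@v5.6.0-stable"},
        {"type": "library", "name": "nanopb", "version": "0.4.1",
         "purl": "pkg:github/nanopb/nanopb@0.4.1"},
        {"type": "library", "name": "nanopb", "version": "0.4.1",
         "purl": "pkg:pypi/nanopb@0.4.1"},
    ],
})

# Assumed set of purl types the scanner can match directly (illustrative only).
OSV_MATCHABLE_TYPES = {"pypi", "npm", "golang", "cargo", "maven", "generic"}


def parse_purl(purl):
    """Split 'pkg:type/namespace/name@version' into parts; qualifiers and subpath are ignored."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]   # drop ?qualifiers and #subpath
    body, _, version = body.partition("@")
    ptype, _, rest = body.partition("/")
    parts = rest.split("/")
    name = unquote(parts[-1])
    namespace = "/".join(unquote(p) for p in parts[:-1]) or None
    return {"type": ptype.lower(), "namespace": namespace,
            "name": name, "version": unquote(version) or None}


def triage_sbom(bom_json):
    """For each component: an OSV /v1/query body plus whether its purl type is matchable."""
    results = []
    for comp in json.loads(bom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            results.append({"name": comp.get("name"), "purl": None, "status": "no-purl", "query": None})
            continue
        p = parse_purl(purl)
        # Fallback query shape is the same one used with curl against api.osv.dev/v1/query.
        query = {"package": {"name": p["name"]}, "version": p["version"] or comp.get("version")}
        status = "ok" if p["type"] in OSV_MATCHABLE_TYPES else f"unsupported-purl-type:{p['type']}"
        results.append({"name": p["name"], "purl": purl, "status": status, "query": query})
    return results
```

Components reported as `unsupported-purl-type:github` are the ones a "No vulnerabilities found" result says nothing about; their `query` bodies can be sent to the API by hand as in the curl commands above.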