search

google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0
6.27k stars 363 forks source link

autocrlf issue when performing c++ package analysis on windows system #657

Open ErsiaJin opened 1 year ago

ErsiaJin commented 1 year ago

Hi. Thank you for distributing such a great tool.

I checked out this post and did some testing on a few projects.

However, I discovered a case where the test results for the same project were different.

Problem

In a Windows environment, there are cases where vulnerabilities cannot be discovered due to the autocrlf setting when checking out git.

Why is it a problem

This problem is caused by git's CRLF option, so it is not an OSV-Scanner issue. However, since this is an option that can cause user error, I personally think that it should be supported regardless of LF / CRLF, or at least be specified in the documentation. If used without knowing the settings, users may hastily conclude that OSV-Scanner does not find vulnerabilities.

Test Environment

OS

Windows 11 Pro 64-bit (10.0, Build 22621) (22621.ni_release.220506-1250)

Git Version

ersia@MINGW64 ~/source/Repos/test $ git --version git version 2.40.1.windows.1

OSV-Scanner Version

ersia@MINGW64 ~/source/Repos/test $ osv-scanner.exe -v osv-scanner version: 1.4.3 commit: 6316373e47d7e3e4b4fd3630c4bbc10987738de6 built at: 2023-11-02T00:53:14Z

Issue testing

mkdir test; cd test;
git clone https://github.com/opencv/opencv.git
cd opencv;

Windows CRLF

git config --global core.autocrlf true;
git config --global core.autocrlf;
git config core.autocrlf;
rm -rf 3rdparty;
git checkout 3rdparty;
osv-scanner.exe -r 3rdparty;
ersia@MINGW64 ~/source/Repos/test $ cd opencv
ersia@MINGW64 ~/source/Repos/test/opencv $ rm -rf 3rdparty;
ersia@MINGW64 ~/source/Repos/test/opencv $ 
ersia@MINGW64 ~/source/Repos/test/opencv $ git config --global core.autocrlf true;
git config --global core.autocrlf;
git config core.autocrlf;
true
true
ersia@MINGW64 ~/source/Repos/test/opencv $ 
ersia@MINGW64 ~/source/Repos/test/opencv $ git checkout 3rdparty;
Updated 1345 paths from the index
ersia@MINGW64 ~/source/Repos/test/opencv $ 
ersia@MINGW64 ~/source/Repos/test/opencv $
ersia@MINGW64 ~/source/Repos/test/opencv $ osv-scanner.exe -r 3rdparty;
Scanning dir 3rdparty
Scanning directory for vendored libs: C:\Users\ersia\source\Repos\test\opencv\3rdparty
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\carotene
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\cpufeatures
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\ffmpeg
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\flatbuffers
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\include
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\ippicv
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\ittnotify
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libjasper
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libjpeg
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libjpeg-turbo
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libpng
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libspng
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libtiff
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libtim-vx
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libwebp
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\openexr
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\openjpeg
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\openvx
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\protobuf
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\quirc
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\tbb
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\zlib
No package sources found, --help for usage information.

Linux LF

git config --global core.autocrlf input;
git config --global core.autocrlf;
git config core.autocrlf;
rm -rf ./3rdparty;
git checkout 3rdparty;
osv-scanner.exe -r 3rdparty;
ersia@MINGW64 ~/source/Repos/test/opencv $ git config --global core.autocrlf input;
git config --global core.autocrlf;
git config core.autocrlf;
input
input
ersia@MINGW64 ~/source/Repos/test/opencv $ 
ersia@MINGW64 ~/source/Repos/test/opencv $ rm -rf ./3rdparty
ersia@MINGW64 ~/source/Repos/test/opencv $ 
ersia@MINGW64 ~/source/Repos/test/opencv $ git checkout 3rdparty
Updated 1345 paths from the index
ersia@MINGW64 ~/source/Repos/test/opencv $ osv-scanner.exe -r 3rdparty;
Scanning dir 3rdparty
Scanning directory for vendored libs: C:\Users\ersia\source\Repos\test\opencv\3rdparty
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\carotene
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\cpufeatures
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\ffmpeg
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\flatbuffers
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\include
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\ippicv
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\ittnotify
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libjasper
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libjpeg
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\libjpeg as https://github.com/libjpeg-turbo/libjpeg-turbo at 9fc018fd1aa9598f21c9bc4d8d53c0cef007bdcf.
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libjpeg-turbo
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\libjpeg-turbo as https://github.com/libjpeg-turbo/libjpeg-turbo at c5f269eb9665435271c05fbcaf8721fa58e9eafa.
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libpng
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\libpng as https://github.com/glennrp/libpng.git at a40189cf881e9f0db80511c382292a5604c3c3d1.
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libspng
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libtiff
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\libtiff as https://gitlab.com/libtiff/libtiff at 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99.
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libtim-vx
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libwebp
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\libwebp as https://chromium.googlesource.com/webm/libwebp at fd7bb21c0cb56e8a82e9bfa376164b842f433f3b.
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\openexr
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\openexr as https://github.com/AcademySoftwareFoundation/openexr at 0ac2ea34c8f3134148a5df4052e40f155b76f6fb.
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\openjpeg
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\openjpeg as https://github.com/uclouvain/openjpeg at a5891555eb49ed7cc26b2901ea680acda136d811.
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\openvx
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\protobuf
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\protobuf as https://github.com/protocolbuffers/protobuf at 7c40b2df1fdf6f414c1c18c789715a9c948a0725.
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\quirc
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\tbb
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\zlib
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\zlib as https://github.com/madler/zlib at 04f42ceca40f73e2978b50e93806c2a18c1281fc.
╭────────────────────────────────┬──────┬───────────┬─────────────────────┬─────────────────────┬───────────────────╮
│ OSV URL                        │ CVSS │ ECOSYSTEM │ PACKAGE             │ VERSION             │ SOURCE            │
├────────────────────────────────┼──────┼───────────┼─────────────────────┴─────────────────────┼───────────────────┤
│ https://osv.dev/CVE-2021-20205 │ 6.5  │ GIT       │  9fc018fd1aa9598f21c9bc4d8d53c0cef007bdcf │ 3rdparty\libjpeg  │
│ https://osv.dev/CVE-2021-29390 │ 7.1  │ GIT       │  9fc018fd1aa9598f21c9bc4d8d53c0cef007bdcf │ 3rdparty\libjpeg  │
│ https://osv.dev/CVE-2021-46822 │ 5.5  │ GIT       │  9fc018fd1aa9598f21c9bc4d8d53c0cef007bdcf │ 3rdparty\libjpeg  │
│ https://osv.dev/CVE-2022-3857  │ 5.5  │ GIT       │  a40189cf881e9f0db80511c382292a5604c3c3d1 │ 3rdparty\libpng   │
│ https://osv.dev/CVE-2022-0561  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-0562  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-0865  │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-0891  │ 7.1  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-0907  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-0908  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-0909  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-0924  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-1056  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-1210  │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-1354  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-1355  │ 6.1  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-1622  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-1623  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-2056  │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-2057  │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-2058  │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-2867  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-2868  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-2869  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-34526 │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-3970  │ 8.8  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-40090 │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-4645  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-0804  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-1916  │ 6.1  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-25433 │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-25434 │ 8.8  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-25435 │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-26965 │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-26966 │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-2731  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-2908  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-30775 │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-3576  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-3618  │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-40745 │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-41175 │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-4863  │ 8.8  │ GIT       │  fd7bb21c0cb56e8a82e9bfa376164b842f433f3b │ 3rdparty\libwebp  │
│ https://osv.dev/CVE-2018-18443 │ 4.3  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2018-18444 │ 8.8  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-11758 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-11759 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-11760 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-11761 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-11762 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-11763 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-11764 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-11765 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-15304 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-15305 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-15306 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-16587 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-16588 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-16589 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-20298 │ 7.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-20299 │ 7.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-20300 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-20302 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-20303 │ 6.1  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-20304 │ 7.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-23169 │ 8.8  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-23215 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-26260 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-26945 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-3598  │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-3605  │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-3933  │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-3941  │ 6.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/OSV-2022-416   │      │ GIT       │  a5891555eb49ed7cc26b2901ea680acda136d811 │ 3rdparty\openjpeg │
│ https://osv.dev/CVE-2021-22569 │ 5.5  │ GIT       │  7c40b2df1fdf6f414c1c18c789715a9c948a0725 │ 3rdparty\protobuf │
│ https://osv.dev/CVE-2022-3509  │ 7.5  │ GIT       │  7c40b2df1fdf6f414c1c18c789715a9c948a0725 │ 3rdparty\protobuf │
│ https://osv.dev/CVE-2022-3510  │ 7.5  │ GIT       │  7c40b2df1fdf6f414c1c18c789715a9c948a0725 │ 3rdparty\protobuf │
│ https://osv.dev/CVE-2023-45853 │ 9.8  │ GIT       │  04f42ceca40f73e2978b50e93806c2a18c1281fc │ 3rdparty\zlib     │
╰────────────────────────────────┴──────┴───────────┴───────────────────────────────────────────┴───────────────────╯

Probable cause

Although the exact internal logic has not been analyzed, it is presumed that packages are searched based on hash values at the file and directory level. At this time, it is expected that package search will not be possible because the hash value is different due to the autocrlf setting.

github-actions[bot] commented 4 months ago

This issue has not had any activity for 60 days and will be automatically closed in two weeks

github-actions[bot] commented 3 months ago

Automatically closing stale issue

github-actions[bot] commented 1 month ago

This issue has not had any activity for 60 days and will be automatically closed in two weeks

See https://github.com/google/osv-scanner/blob/main/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.