google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0
6.28k stars 363 forks

[WebKit vendored code] osv-scanner fails to identify ANGLE and webrtc projects #802

Open ddkilzer opened 9 months ago

ddkilzer commented 9 months ago

Summary:

osv-scanner fails to identify ANGLE and webrtc projects in the WebKit project while scanning for vendored code dependencies.

Steps to Reproduce:

  1. Check out WebKit (at commit https://github.com/WebKit/WebKit/commit/fda388552a877f757aa8216c8d116937fe8651f2):
    git clone https://github.com/WebKit/WebKit.git WebKit.git
  2. Run osv-scanner (at commit 85563d901bec48bbe8db1242f083c42d42353ace):
    go run ./cmd/osv-scanner/main.go -r WebKit.git/Source/ThirdParty

Expected Results:

osv-scanner identifies ANGLE and webrtc as vendored code dependencies.

Actual Results:

osv-scanner fails to identify ANGLE and webrtc as vendored code dependencies.

Scanning dir WebKit.git/Source/ThirdParty
Scanning directory for vendored libs: WebKit.git/Source/ThirdParty
[...]
Scanning potential vendored dir: WebKit.git/Source/ThirdParty/ANGLE
[...]
Scanning potential vendored dir: WebKit.git/Source/ThirdParty/libwebrtc
[...]
Scanning directory for vendored libs: WebKit.git/Source/ThirdParty/ANGLE/src/third_party
[...]
Scanning directory for vendored libs: WebKit.git/Source/ThirdParty/libwebrtc/Source/third_party
[...]

Notes:

Both ANGLE and libwebrtc folders have their own third-party subfolders with additional vendored code dependencies.

oliverchang commented 9 months ago

They're not indexed currently. We'll get these added.

oliverchang commented 9 months ago

Taking a closer look here, it looks like webrtc and ANGLE do not do release tags, which is blocking our current indexing mechanisms.

@andrewpollock FYI since this was a case that you mentioned.