Open ASKAC0810 opened 7 months ago
Thanks for the question! While OSV-Scanner has Conan.lock support, there's actually no available vulnerability database for ConanCenter packages.
We have some questions for Conan that I've asked in https://github.com/conan-io/conan/issues/15918#issuecomment-2017309688 regarding this.
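An added example, not part of the original thread and not OSV-Scanner's own code: it parses a lockfile into `(name, version)` pairs and builds the OSV `querybatch` request body for the `ConanCenter` ecosystem. With no ConanCenter advisories in the database, every such query returns no vulnerabilities, which is the "No issues found" result reported in this issue. The Conan 2.x lockfile layout, the sample contents and the function names are assumptions made for the example.

```python
import json
import re

# Constructed sample in the Conan 2.x lockfile layout (an assumption; Conan 1.x
# lockfiles use a different structure). Revisions and timestamps are made up.
SAMPLE_LOCK = """
{
  "version": "0.5",
  "requires": [
    "zlib/1.3.1#0123456789abcdef0123456789abcdef%1700000000.0",
    "openssl/3.2.1#fedcba9876543210fedcba9876543210%1700000001.0"
  ],
  "build_requires": ["cmake/3.28.1"],
  "python_requires": []
}
"""

# Reference shape: name/version[@user/channel][#recipe_revision[%timestamp]]
REF = re.compile(
    r"^(?P<name>[^/@#%]+)/(?P<version>[^@#%]+)(?:@[^#%]*)?(?:#[^%]*)?(?:%.*)?$"
)


def parse_conan_lock(text):
    """Return sorted, de-duplicated (name, version) pairs from a lockfile."""
    lock = json.loads(text)
    found = set()
    for section in ("requires", "build_requires", "python_requires"):
        for ref in lock.get(section, []):
            m = REF.match(ref)
            if m is None:
                raise ValueError(f"unrecognised reference: {ref!r}")
            found.add((m["name"], m["version"]))
    return sorted(found)


def build_osv_batch(packages, ecosystem="ConanCenter"):
    """Build the JSON body for POST https://api.osv.dev/v1/querybatch."""
    return {"queries": [
        {"package": {"name": name, "ecosystem": ecosystem}, "version": version}
        for name, version in packages
    ]}


if __name__ == "__main__":
    # Print the request body; sending it is left to the reader.
    print(json.dumps(build_osv_batch(parse_conan_lock(SAMPLE_LOCK)), indent=2))
```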
This issue has not had any activity for 60 days and will be automatically closed in two weeks.
Automatically closing stale issue
Hi everyone,
I would like to use this great tool for scanning C/C++ language.
I already know how to scan C/C++ language from a GitHub commit hash.
From the osv-scanner documentation, I found that conan.lock can also be used to scan. And from the API documentation, the ConanCenter ecosystem is included.
Therefore, I tried to install openssl package from ConanCenter.
After installing, I tried the following 2 ways to do an OSV scan, but both got a "No issues found" result.
a. Scan with the option "--sbom". Because the conan CLI can create an SBOM in CycloneDX format, I created the SBOM file.
b. Scan with the option "--lockfile". The conan CLI can create conan.lock from conanfile.txt.
Could anyone share information for reference?
Thank you very much.