Merge branch 'main' into refactor/merge-selector
hogo6002 authored Nov 8, 2024
2 parents f0c9c78 + 581d1a3 commit 1d73b62
Showing 8 changed files with 183 additions and 62 deletions.
44 changes: 38 additions & 6 deletions cmd/osv-scanner/__snapshots__/main_test.snap
Expand Up @@ -1682,12 +1682,9 @@ Scanned <rootdir>/fixtures/sbom-insecure/postgres-stretch.cdx.xml as CycloneDX S
Loaded Debian local db from <tempdir>/osv-scanner/Debian/all.zip
Loaded OSS-Fuzz local db from <tempdir>/osv-scanner/OSS-Fuzz/all.zip
Loaded Go local db from <tempdir>/osv-scanner/Go/all.zip
16 unimportant vulnerabilities have been filtered out.
Filtered 16 vulnerabilities from output
+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+
| https://osv.dev/CVE-2011-3374 | 3.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2018-0501 | 5.9 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2019-3462 | 8.1 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-4808-1 | 5.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
Expand Down Expand Up @@ -1849,6 +1846,25 @@ Filtered 16 vulnerabilities from output
| https://osv.dev/GHSA-xr7r-f8xq-vfvv | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-p782-xgp4-8hr8 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+
| Uncalled vulnerabilities | | | | | |
+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+
| https://osv.dev/CVE-2011-3374 | 3.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2019-18276 | 7.8 | Debian | bash | 4.4-5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2017-18018 | 4.7 | Debian | coreutils | 8.26-3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2018-6829 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2018-1000654 | 5.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2020-24977 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2024-34459 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2011-4116 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2022-48522 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2023-31486 | 8.1 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2005-2541 | | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2019-9923 | 7.5 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2021-20193 | 3.3 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2022-48303 | 5.5 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2018-7738 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2022-0563 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+

---

Expand All @@ -1862,12 +1878,9 @@ Scanned <rootdir>/fixtures/sbom-insecure/postgres-stretch.cdx.xml as CycloneDX S
Loaded Debian local db from <tempdir>/osv-scanner/Debian/all.zip
Loaded OSS-Fuzz local db from <tempdir>/osv-scanner/OSS-Fuzz/all.zip
Loaded Go local db from <tempdir>/osv-scanner/Go/all.zip
16 unimportant vulnerabilities have been filtered out.
Filtered 16 vulnerabilities from output
+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+
| https://osv.dev/CVE-2011-3374 | 3.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2018-0501 | 5.9 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2019-3462 | 8.1 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-4808-1 | 5.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
Expand Down Expand Up @@ -2029,6 +2042,25 @@ Filtered 16 vulnerabilities from output
| https://osv.dev/GHSA-xr7r-f8xq-vfvv | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-p782-xgp4-8hr8 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+
| Uncalled vulnerabilities | | | | | |
+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+
| https://osv.dev/CVE-2011-3374 | 3.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2019-18276 | 7.8 | Debian | bash | 4.4-5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2017-18018 | 4.7 | Debian | coreutils | 8.26-3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2018-6829 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2018-1000654 | 5.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2020-24977 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2024-34459 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2011-4116 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2022-48522 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2023-31486 | 8.1 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2005-2541 | | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2019-9923 | 7.5 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2021-20193 | 3.3 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2022-48303 | 5.5 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2018-7738 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2022-0563 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+

---

39 changes: 26 additions & 13 deletions internal/output/__snapshots__/machinejson_test.snap
Expand Up @@ -879,7 +879,8 @@
"aliases": null,
"experimentalAnalysis": {
"OSV-1": {
"called": false
"called": false,
"unimportant": false
}
},
"max_severity": ""
Expand Down Expand Up @@ -927,7 +928,8 @@
"aliases": null,
"experimentalAnalysis": {
"OSV-2": {
"called": true
"called": true,
"unimportant": false
}
},
"max_severity": ""
Expand Down Expand Up @@ -995,7 +997,8 @@
"aliases": null,
"experimentalAnalysis": {
"OSV-1": {
"called": false
"called": false,
"unimportant": false
}
},
"max_severity": ""
Expand Down Expand Up @@ -1224,7 +1227,8 @@
"aliases": null,
"experimentalAnalysis": {
"OSV-1": {
"called": true
"called": true,
"unimportant": false
}
},
"max_severity": ""
Expand Down Expand Up @@ -1288,7 +1292,8 @@
"aliases": null,
"experimentalAnalysis": {
"OSV-1": {
"called": false
"called": false,
"unimportant": false
}
},
"max_severity": ""
Expand Down Expand Up @@ -2273,7 +2278,8 @@
"aliases": null,
"experimentalAnalysis": {
"OSV-1": {
"called": false
"called": false,
"unimportant": false
}
},
"max_severity": ""
Expand All @@ -2285,7 +2291,8 @@
"aliases": null,
"experimentalAnalysis": {
"OSV-5": {
"called": true
"called": true,
"unimportant": false
}
},
"max_severity": ""
Expand Down Expand Up @@ -2402,7 +2409,8 @@
"aliases": null,
"experimentalAnalysis": {
"OSV-3": {
"called": true
"called": true,
"unimportant": false
}
},
"max_severity": ""
Expand Down Expand Up @@ -2574,7 +2582,8 @@
"aliases": null,
"experimentalAnalysis": {
"OSV-1": {
"called": true
"called": true,
"unimportant": false
}
},
"max_severity": ""
Expand All @@ -2586,7 +2595,8 @@
"aliases": null,
"experimentalAnalysis": {
"GHSA-123": {
"called": false
"called": false,
"unimportant": false
}
},
"max_severity": ""
Expand Down Expand Up @@ -2642,7 +2652,8 @@
"aliases": null,
"experimentalAnalysis": {
"OSV-1": {
"called": true
"called": true,
"unimportant": false
}
},
"max_severity": ""
Expand Down Expand Up @@ -2698,7 +2709,8 @@
"aliases": null,
"experimentalAnalysis": {
"OSV-1": {
"called": false
"called": false,
"unimportant": false
}
},
"max_severity": ""
Expand Down Expand Up @@ -2877,7 +2889,8 @@
],
"experimentalAnalysis": {
"OSV-1": {
"called": false
"called": false,
"unimportant": false
}
},
"max_severity": ""
9 changes: 6 additions & 3 deletions internal/sourceanalysis/__snapshots__/go_test.snap
Expand Up @@ -160,7 +160,8 @@
"aliases": null,
"experimentalAnalysis": {
"GO-2021-0053": {
"called": false
"called": false,
"unimportant": false
}
},
"max_severity": ""
Expand Down Expand Up @@ -313,7 +314,8 @@
"aliases": null,
"experimentalAnalysis": {
"GO-2023-1558": {
"called": true
"called": true,
"unimportant": false
}
},
"max_severity": ""
Expand Down Expand Up @@ -467,7 +469,8 @@
"aliases": null,
"experimentalAnalysis": {
"GO-2023-1572": {
"called": false
"called": false,
"unimportant": false
}
},
"max_severity": ""
7 changes: 6 additions & 1 deletion pkg/models/results.go
Expand Up @@ -131,6 +131,10 @@ func (groupInfo *GroupInfo) IsCalled() bool {
if analysis.Called {
return true
}
// TODO(gongh@): For v2, create a separate function `isGroupUnimportant()` to encapsulate this check.
if analysis.Unimportant {
return false
}
}

return false
Expand Down Expand Up @@ -164,7 +168,8 @@ func (v *Vulnerability) FixedVersions() map[Package][]string {
}

type AnalysisInfo struct {
Called bool `json:"called"`
Called bool `json:"called"`
Unimportant bool `json:"unimportant"`
}

// Specific package information
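Review bot: The early `return false` on `analysis.Unimportant` inside the loop in IsCalled makes the answer depend on iteration order when a group carries more than one analysis entry: an entry with `Called == true` that happens to come after an unimportant one is never examined, while the reverse order returns true. If the field being ranged over is a map, as the `"experimentalAnalysis": {"OSV-1": {...}}` shape in the JSON snapshots suggests, that order is randomized, so the same scan could render a group as called in one run and uncalled in the next. Instead of returning mid-loop, record both outcomes and decide once the loop has finished, e.g. `called = true` and `unimportant = true` in the respective branches and `return called && !unimportant` after the loop (or whichever precedence is intended), with the two bools declared before the loop; note the loop header and the function's closing brace lie outside this hunk. Routing "unimportant" through IsCalled also means the CLI snapshot now lists Debian urgency-unimportant findings under "Uncalled vulnerabilities" (main_test.snap in this commit), which a reader can mistake for a call-graph result rather than an advisory severity tag; the TODO already points at a separate isGroupUnimportant(), and the new exported `Unimportant` field in AnalysisInfo should get a doc comment such as `// Unimportant reports whether the advisory was flagged unimportant by its source (e.g. Debian urgency); it is independent of call analysis.`, adjusted to wherever the flag is actually populated.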
59 changes: 59 additions & 0 deletions pkg/osvscanner/__snapshots__/osvscanner_internal_test.snap
Expand Up @@ -1491,6 +1491,65 @@
"type": "lockfile"
},
"packages": [
{
"package": {
"name": "unixodbc",
"version": "2.3.11-2",
"ecosystem": "Debian:10"
},
"vulnerabilities": [
{
"modified": "2024-03-18T12:38:25Z",
"published": "2024-03-18T11:15:09Z",
"id": "CVE-2024-1013",
"details": "An out-of-bounds stack write flaw was found in unixODBC on 64-bit architectures where the caller has 4 bytes and callee writes 8 bytes. This issue may go unnoticed on little-endian architectures, while big-endian architectures can be broken.",
"affected": [
{
"package": {
"ecosystem": "Debian:10",
"name": "unixodbc"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {
"urgency": "unimportant"
}
}
],
"references": [
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260823"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-1013"
},
{
"type": "WEB",
"url": "https://github.com/lurcher/unixODBC/pull/157"
}
]
}
],
"groups": [
{
"ids": [
"CVE-2024-1013"
],
"aliases": null,
"max_severity": ""
}
]
},
{
"package": {
"name": "chromium",

0 comments on commit 1d73b62
