diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap index 90f74023d8..86161ddf3c 100755 --- a/cmd/osv-scanner/__snapshots__/main_test.snap +++ b/cmd/osv-scanner/__snapshots__/main_test.snap 
@@ -816,29 +816,48 @@ Scanned /fixtures/locks-requirements/requirements-dev.txt file and foun Scanned /fixtures/locks-requirements/requirements.prod.txt file and found 1 package Scanned /fixtures/locks-requirements/requirements.txt file and found 3 packages Scanned /fixtures/locks-requirements/the_requirements_for_test.txt file and found 1 package -+-------------------------------------+------+-----------+---------+---------+---------------------------------------------------+ -| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | -+-------------------------------------+------+-----------+---------+---------+---------------------------------------------------+ -| https://osv.dev/PYSEC-2022-190 | 9.8 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | -| https://osv.dev/GHSA-2gwj-7jmv-h26r | | | | | | -| https://osv.dev/PYSEC-2022-1 | 8.7 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | -| https://osv.dev/GHSA-53qw-q765-4fww | | | | | | -| https://osv.dev/PYSEC-2022-20 | 8.7 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | -| https://osv.dev/GHSA-6cw3-g6wv-c2xv | | | | | | -| https://osv.dev/PYSEC-2022-2 | 8.7 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | -| https://osv.dev/GHSA-8c5j-9r9f-c6w8 | | | | | | -| https://osv.dev/GHSA-8x94-hmjh-97hq | 8.8 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | -| https://osv.dev/PYSEC-2022-19 | 6.1 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | -| https://osv.dev/GHSA-95rw-fx8r-36v6 | | | | | | -| https://osv.dev/PYSEC-2022-3 | 6.9 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | -| https://osv.dev/GHSA-jrh2-hc4r-7jwx | | | | | | -| https://osv.dev/GHSA-rrqc-c2jx-6jgv | 6.3 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | -| https://osv.dev/PYSEC-2021-439 | 7.3 | PyPI | django | 2.2.24 
| fixtures/locks-requirements/requirements.prod.txt | -| https://osv.dev/GHSA-v6rh-hp5x-86rv | | | | | | -| https://osv.dev/PYSEC-2022-191 | 9.8 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | -| https://osv.dev/GHSA-w24h-v9qh-8gxj | | | | | | -| https://osv.dev/PYSEC-2020-73 | | PyPI | pandas | 0.23.4 | fixtures/locks-requirements/requirements.txt | -+-------------------------------------+------+-----------+---------+---------+---------------------------------------------------+ ++-------------------------------------+------+-----------+------------+---------+---------------------------------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | ++-------------------------------------+------+-----------+------------+---------+---------------------------------------------------+ +| https://osv.dev/PYSEC-2018-66 | 8.7 | PyPI | flask | 0.0.0 | fixtures/locks-requirements/my-requirements.txt | +| https://osv.dev/GHSA-562c-5r94-xh97 | | | | | | +| https://osv.dev/PYSEC-2019-179 | 8.7 | PyPI | flask | 0.0.0 | fixtures/locks-requirements/my-requirements.txt | +| https://osv.dev/GHSA-5wv5-4vpf-pj6m | | | | | | +| https://osv.dev/PYSEC-2023-62 | 8.7 | PyPI | flask | 0.0.0 | fixtures/locks-requirements/my-requirements.txt | +| https://osv.dev/GHSA-m2qf-hxjv-5gpq | | | | | | +| https://osv.dev/PYSEC-2024-48 | 5.3 | PyPI | black | 0.0.0 | fixtures/locks-requirements/requirements-dev.txt | +| https://osv.dev/GHSA-fj7x-q9j7-g6q6 | | | | | | +| https://osv.dev/PYSEC-2022-190 | 9.8 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | +| https://osv.dev/GHSA-2gwj-7jmv-h26r | | | | | | +| https://osv.dev/PYSEC-2022-1 | 8.7 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | +| https://osv.dev/GHSA-53qw-q765-4fww | | | | | | +| https://osv.dev/PYSEC-2022-20 | 8.7 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | +| 
https://osv.dev/GHSA-6cw3-g6wv-c2xv | | | | | | +| https://osv.dev/PYSEC-2022-2 | 8.7 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | +| https://osv.dev/GHSA-8c5j-9r9f-c6w8 | | | | | | +| https://osv.dev/GHSA-8x94-hmjh-97hq | 8.8 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | +| https://osv.dev/PYSEC-2022-19 | 6.1 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | +| https://osv.dev/GHSA-95rw-fx8r-36v6 | | | | | | +| https://osv.dev/PYSEC-2022-3 | 6.9 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | +| https://osv.dev/GHSA-jrh2-hc4r-7jwx | | | | | | +| https://osv.dev/GHSA-rrqc-c2jx-6jgv | 6.3 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | +| https://osv.dev/PYSEC-2021-439 | 7.3 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | +| https://osv.dev/GHSA-v6rh-hp5x-86rv | | | | | | +| https://osv.dev/PYSEC-2022-191 | 9.8 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | +| https://osv.dev/GHSA-w24h-v9qh-8gxj | | | | | | +| https://osv.dev/PYSEC-2018-66 | 8.7 | PyPI | flask | 0.0.0 | fixtures/locks-requirements/requirements.txt | +| https://osv.dev/GHSA-562c-5r94-xh97 | | | | | | +| https://osv.dev/PYSEC-2019-179 | 8.7 | PyPI | flask | 0.0.0 | fixtures/locks-requirements/requirements.txt | +| https://osv.dev/GHSA-5wv5-4vpf-pj6m | | | | | | +| https://osv.dev/PYSEC-2023-62 | 8.7 | PyPI | flask | 0.0.0 | fixtures/locks-requirements/requirements.txt | +| https://osv.dev/GHSA-m2qf-hxjv-5gpq | | | | | | +| https://osv.dev/GHSA-84pr-m4jr-85g5 | 5.3 | PyPI | flask-cors | 0.0.0 | fixtures/locks-requirements/requirements.txt | +| https://osv.dev/PYSEC-2024-71 | 8.7 | PyPI | flask-cors | 0.0.0 | fixtures/locks-requirements/requirements.txt | +| https://osv.dev/GHSA-hxwh-jpp2-84pm | | | | | | +| https://osv.dev/PYSEC-2020-43 | 8.7 | PyPI | flask-cors | 0.0.0 | 
fixtures/locks-requirements/requirements.txt | +| https://osv.dev/GHSA-xc3p-ff3m-f46v | | | | | | +| https://osv.dev/PYSEC-2020-73 | | PyPI | pandas | 0.23.4 | fixtures/locks-requirements/requirements.txt | ++-------------------------------------+------+-----------+------------+---------+---------------------------------------------------+ --- diff --git a/go.mod b/go.mod index 5cf3109479..2b6cb7bff3 100644 --- a/go.mod +++ b/go.mod @@ -35,7 +35,7 @@ require ( golang.org/x/net v0.33.0 golang.org/x/sync v0.10.0 golang.org/x/term v0.27.0 - golang.org/x/vuln v1.0.4 + golang.org/x/vuln v1.1.3 google.golang.org/grpc v1.69.0 google.golang.org/protobuf v1.35.2 gopkg.in/ini.v1 v1.67.0 @@ -101,6 +101,7 @@ require ( github.com/yuin/goldmark-emoji v1.0.3 // indirect golang.org/x/crypto v0.31.0 // indirect golang.org/x/sys v0.28.0 // indirect + golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 // indirect golang.org/x/text v0.21.0 // indirect golang.org/x/tools v0.27.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53 // indirect diff --git a/go.sum b/go.sum index 5aaa36d732..3da1f3039f 100644 --- a/go.sum +++ b/go.sum 
@@ -310,6 +310,8 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 h1:FemxDzfMUcK2f3YY4H+05K9CDzbSVr2+q/JKN45pey0= +golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7/go.mod h1:pRgIJT+bRLFKnoM1ldnzKoxTIn14Yxz928LQRYYgIN0= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= @@ -334,8 +336,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/tools v0.27.0 h1:qEKojBykQkQ4EynWy4S8Weg69NumxKdn40Fce3uc/8o= golang.org/x/tools v0.27.0/go.mod h1:sUi0ZgbwW9ZPAq26Ekut+weQPR5eIM6GQLQ1Yjm1H0Q= -golang.org/x/vuln v1.0.4 h1:SP0mPeg2PmGCu03V+61EcQiOjmpri2XijexKdzv8Z1I= -golang.org/x/vuln v1.0.4/go.mod h1:NbJdUQhX8jY++FtuhrXs2Eyx0yePo9pF7nPlIjo9aaQ= +golang.org/x/vuln v1.1.3 h1:NPGnvPOTgnjBc9HTaUx+nj+EaUYxl5SJOWqaDYGaFYw= +golang.org/x/vuln v1.1.3/go.mod h1:7Le6Fadm5FOqE9C926BCD0g12NWyhg7cxV4BwcPFuNY= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53 h1:fVoAXEKA4+yufmbdVYv+SE73+cPZbbbe8paLsHfkK+U= diff --git a/internal/sourceanalysis/__snapshots__/integration_test.snap b/internal/sourceanalysis/__snapshots__/integration_test.snap index 6733a3503b..9870f14aa3 100755 
--- a/internal/sourceanalysis/__snapshots__/integration_test.snap
+++ b/internal/sourceanalysis/__snapshots__/integration_test.snap
@@ -82,8 +82,7 @@
 "trace": [
 {
 "module": "stdlib",
- "version": "v1.19.0",
- "package": "net/http/internal"
+ "version": "v1.19.0"
 }
 ]
 },
diff --git a/internal/sourceanalysis/go.go b/internal/sourceanalysis/go.go
index db31d33e3c..94484b0444 100644
--- a/internal/sourceanalysis/go.go
+++ b/internal/sourceanalysis/go.go
@@ -162,9 +162,7 @@ func runGovulncheck(moddir string, vulns []models.Vulnerability, goVersion strin
 cmd := scan.Command(context.Background(), "-db", dbdirURL.String(), "-C", moddir, "-json", "./...")
 var b bytes.Buffer
 cmd.Stdout = &b
- // Disable CGO because govulncheck does not support CGO code, and will always fail.
- // This still leaves govulncheck enabled for non C related calls.
- cmd.Env = append(os.Environ(), "GOVERSION=go"+goVersion, "CGO_ENABLED=0")
+ cmd.Env = append(os.Environ(), "GOVERSION=go"+goVersion)
 if err := cmd.Start(); err != nil {
 return nil, err
 }
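Review bot: The new `cmd.Env` line in the runGovulncheck hunk drops `CGO_ENABLED=0` together with the comment that justified it, so the code no longer records why govulncheck is now allowed to see cgo packages; the only visible reason is the x/vuln v1.0.4 -> v1.1.3 bump in go.mod, and that link belongs in the code rather than only in history. With cgo left at the host default, loading the scanned module may now invoke the local C toolchain and honour build directives from the scanned sources, so a missing compiler presumably turns into a govulncheck failure on cgo-using modules and the scanner's exposure to the code it scans grows slightly; that trade-off is worth stating explicitly. I would keep a one-line comment above the new line, e.g. `// CGO_ENABLED is intentionally no longer forced to 0; this was dropped alongside the x/vuln v1.0.4 -> v1.1.3 bump in go.mod.` runGovulncheck begins and ends outside this hunk.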