From b37c83e19af3b2555864457cbd0b08ef0e1f9d7d Mon Sep 17 00:00:00 2001 From: Rex P <106129829+another-rex@users.noreply.github.com> Date: Wed, 8 Jan 2025 10:56:11 +1100 Subject: [PATCH] feat: Update govulncheck integration and enable CGO there (#1478) #1443 This will solve the above issue, but let's not close it until the release is out. The CGO-disabling env flag can be removed: govulncheck appears to analyse CGO projects successfully, it just does not analyse the C parts themselves. The removed comment claimed: > This still leaves govulncheck enabled for non C related calls. That is only partially true: if the C parts are required to compile the application, then with CGO disabled the build fails and govulncheck cannot analyse anything at all. We'll need to cherrypick this change into `main` after this is merged. --- cmd/osv-scanner/__snapshots__/main_test.snap | 65 ++++++++++++------- go.mod | 3 +- go.sum | 6 +- .../__snapshots__/integration_test.snap | 3 +- internal/sourceanalysis/go.go | 4 +- 5 files changed, 50 insertions(+), 31 deletions(-) diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap index 90f74023d8..86161ddf3c 100755 --- a/cmd/osv-scanner/__snapshots__/main_test.snap +++ b/cmd/osv-scanner/__snapshots__/main_test.snap 
@@ -816,29 +816,48 @@ Scanned /fixtures/locks-requirements/requirements-dev.txt file and foun Scanned /fixtures/locks-requirements/requirements.prod.txt file and found 1 package Scanned /fixtures/locks-requirements/requirements.txt file and found 3 packages Scanned /fixtures/locks-requirements/the_requirements_for_test.txt file and found 1 package -+-------------------------------------+------+-----------+---------+---------+---------------------------------------------------+ -| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | -+-------------------------------------+------+-----------+---------+---------+---------------------------------------------------+ -| https://osv.dev/PYSEC-2022-190 | 9.8 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | -| https://osv.dev/GHSA-2gwj-7jmv-h26r | | | | | | -| https://osv.dev/PYSEC-2022-1 | 8.7 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | -| https://osv.dev/GHSA-53qw-q765-4fww | | | | | | -| https://osv.dev/PYSEC-2022-20 | 8.7 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | -| https://osv.dev/GHSA-6cw3-g6wv-c2xv | | | | | | -| https://osv.dev/PYSEC-2022-2 | 8.7 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | -| https://osv.dev/GHSA-8c5j-9r9f-c6w8 | | | | | | -| https://osv.dev/GHSA-8x94-hmjh-97hq | 8.8 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | -| https://osv.dev/PYSEC-2022-19 | 6.1 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | -| https://osv.dev/GHSA-95rw-fx8r-36v6 | | | | | | -| https://osv.dev/PYSEC-2022-3 | 6.9 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | -| https://osv.dev/GHSA-jrh2-hc4r-7jwx | | | | | | -| https://osv.dev/GHSA-rrqc-c2jx-6jgv | 6.3 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | -| https://osv.dev/PYSEC-2021-439 | 7.3 | PyPI | django | 2.2.24 
| fixtures/locks-requirements/requirements.prod.txt | -| https://osv.dev/GHSA-v6rh-hp5x-86rv | | | | | | -| https://osv.dev/PYSEC-2022-191 | 9.8 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | -| https://osv.dev/GHSA-w24h-v9qh-8gxj | | | | | | -| https://osv.dev/PYSEC-2020-73 | | PyPI | pandas | 0.23.4 | fixtures/locks-requirements/requirements.txt | -+-------------------------------------+------+-----------+---------+---------+---------------------------------------------------+ ++-------------------------------------+------+-----------+------------+---------+---------------------------------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | ++-------------------------------------+------+-----------+------------+---------+---------------------------------------------------+ +| https://osv.dev/PYSEC-2018-66 | 8.7 | PyPI | flask | 0.0.0 | fixtures/locks-requirements/my-requirements.txt | +| https://osv.dev/GHSA-562c-5r94-xh97 | | | | | | +| https://osv.dev/PYSEC-2019-179 | 8.7 | PyPI | flask | 0.0.0 | fixtures/locks-requirements/my-requirements.txt | +| https://osv.dev/GHSA-5wv5-4vpf-pj6m | | | | | | +| https://osv.dev/PYSEC-2023-62 | 8.7 | PyPI | flask | 0.0.0 | fixtures/locks-requirements/my-requirements.txt | +| https://osv.dev/GHSA-m2qf-hxjv-5gpq | | | | | | +| https://osv.dev/PYSEC-2024-48 | 5.3 | PyPI | black | 0.0.0 | fixtures/locks-requirements/requirements-dev.txt | +| https://osv.dev/GHSA-fj7x-q9j7-g6q6 | | | | | | +| https://osv.dev/PYSEC-2022-190 | 9.8 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | +| https://osv.dev/GHSA-2gwj-7jmv-h26r | | | | | | +| https://osv.dev/PYSEC-2022-1 | 8.7 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | +| https://osv.dev/GHSA-53qw-q765-4fww | | | | | | +| https://osv.dev/PYSEC-2022-20 | 8.7 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | +| 
https://osv.dev/GHSA-6cw3-g6wv-c2xv | | | | | | +| https://osv.dev/PYSEC-2022-2 | 8.7 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | +| https://osv.dev/GHSA-8c5j-9r9f-c6w8 | | | | | | +| https://osv.dev/GHSA-8x94-hmjh-97hq | 8.8 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | +| https://osv.dev/PYSEC-2022-19 | 6.1 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | +| https://osv.dev/GHSA-95rw-fx8r-36v6 | | | | | | +| https://osv.dev/PYSEC-2022-3 | 6.9 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | +| https://osv.dev/GHSA-jrh2-hc4r-7jwx | | | | | | +| https://osv.dev/GHSA-rrqc-c2jx-6jgv | 6.3 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | +| https://osv.dev/PYSEC-2021-439 | 7.3 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | +| https://osv.dev/GHSA-v6rh-hp5x-86rv | | | | | | +| https://osv.dev/PYSEC-2022-191 | 9.8 | PyPI | django | 2.2.24 | fixtures/locks-requirements/requirements.prod.txt | +| https://osv.dev/GHSA-w24h-v9qh-8gxj | | | | | | +| https://osv.dev/PYSEC-2018-66 | 8.7 | PyPI | flask | 0.0.0 | fixtures/locks-requirements/requirements.txt | +| https://osv.dev/GHSA-562c-5r94-xh97 | | | | | | +| https://osv.dev/PYSEC-2019-179 | 8.7 | PyPI | flask | 0.0.0 | fixtures/locks-requirements/requirements.txt | +| https://osv.dev/GHSA-5wv5-4vpf-pj6m | | | | | | +| https://osv.dev/PYSEC-2023-62 | 8.7 | PyPI | flask | 0.0.0 | fixtures/locks-requirements/requirements.txt | +| https://osv.dev/GHSA-m2qf-hxjv-5gpq | | | | | | +| https://osv.dev/GHSA-84pr-m4jr-85g5 | 5.3 | PyPI | flask-cors | 0.0.0 | fixtures/locks-requirements/requirements.txt | +| https://osv.dev/PYSEC-2024-71 | 8.7 | PyPI | flask-cors | 0.0.0 | fixtures/locks-requirements/requirements.txt | +| https://osv.dev/GHSA-hxwh-jpp2-84pm | | | | | | +| https://osv.dev/PYSEC-2020-43 | 8.7 | PyPI | flask-cors | 0.0.0 | 
fixtures/locks-requirements/requirements.txt | +| https://osv.dev/GHSA-xc3p-ff3m-f46v | | | | | | +| https://osv.dev/PYSEC-2020-73 | | PyPI | pandas | 0.23.4 | fixtures/locks-requirements/requirements.txt | ++-------------------------------------+------+-----------+------------+---------+---------------------------------------------------+ ---
diff --git a/go.mod b/go.mod
index 5cf3109479..2b6cb7bff3 100644
--- a/go.mod
+++ b/go.mod
@@ -35,7 +35,7 @@ require (
 golang.org/x/net v0.33.0
 golang.org/x/sync v0.10.0
 golang.org/x/term v0.27.0
- golang.org/x/vuln v1.0.4
+ golang.org/x/vuln v1.1.3
 google.golang.org/grpc v1.69.0
 google.golang.org/protobuf v1.35.2
 gopkg.in/ini.v1 v1.67.0
@@ -101,6 +101,7 @@ require (
 github.com/yuin/goldmark-emoji v1.0.3 // indirect
 golang.org/x/crypto v0.31.0 // indirect
 golang.org/x/sys v0.28.0 // indirect
+ golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 // indirect
 golang.org/x/text v0.21.0 // indirect
 golang.org/x/tools v0.27.0 // indirect
 google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53 // indirect
diff --git a/go.sum b/go.sum
index 5aaa36d732..3da1f3039f 100644
--- a/go.sum
+++ b/go.sum
@@ -310,6 +310,8 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 h1:FemxDzfMUcK2f3YY4H+05K9CDzbSVr2+q/JKN45pey0=
+golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7/go.mod h1:pRgIJT+bRLFKnoM1ldnzKoxTIn14Yxz928LQRYYgIN0=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
@@ -334,8 +336,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.27.0 h1:qEKojBykQkQ4EynWy4S8Weg69NumxKdn40Fce3uc/8o=
 golang.org/x/tools v0.27.0/go.mod h1:sUi0ZgbwW9ZPAq26Ekut+weQPR5eIM6GQLQ1Yjm1H0Q=
-golang.org/x/vuln v1.0.4 h1:SP0mPeg2PmGCu03V+61EcQiOjmpri2XijexKdzv8Z1I=
-golang.org/x/vuln v1.0.4/go.mod h1:NbJdUQhX8jY++FtuhrXs2Eyx0yePo9pF7nPlIjo9aaQ=
+golang.org/x/vuln v1.1.3 h1:NPGnvPOTgnjBc9HTaUx+nj+EaUYxl5SJOWqaDYGaFYw=
+golang.org/x/vuln v1.1.3/go.mod h1:7Le6Fadm5FOqE9C926BCD0g12NWyhg7cxV4BwcPFuNY=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53 h1:fVoAXEKA4+yufmbdVYv+SE73+cPZbbbe8paLsHfkK+U=
diff --git a/internal/sourceanalysis/__snapshots__/integration_test.snap b/internal/sourceanalysis/__snapshots__/integration_test.snap
index 6733a3503b..9870f14aa3 100755
--- a/internal/sourceanalysis/__snapshots__/integration_test.snap
+++ b/internal/sourceanalysis/__snapshots__/integration_test.snap
@@ -82,8 +82,7 @@ "trace": [ { "module": "stdlib", - "version": "v1.19.0", - "package": "net/http/internal" + "version": "v1.19.0" } ] },
diff --git a/internal/sourceanalysis/go.go b/internal/sourceanalysis/go.go
index db31d33e3c..94484b0444 100644
--- a/internal/sourceanalysis/go.go
+++ b/internal/sourceanalysis/go.go
@@ -162,9 +162,7 @@ func runGovulncheck(moddir string, vulns []models.Vulnerability, goVersion strin
 cmd := scan.Command(context.Background(), "-db", dbdirURL.String(), "-C", moddir, "-json", "./...")
 var b bytes.Buffer
 cmd.Stdout = &b
- // Disable CGO because govulncheck does not support CGO code, and will always fail.
- // This still leaves govulncheck enabled for non C related calls.
- cmd.Env = append(os.Environ(), "GOVERSION=go"+goVersion, "CGO_ENABLED=0")
+ cmd.Env = append(os.Environ(), "GOVERSION=go"+goVersion)
 if err := cmd.Start(); err != nil {
 return nil, err
 }
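Review bot: The new `cmd.Env = append(os.Environ(), "GOVERSION=go"+goVersion)` line in the go.go hunk carries no comment explaining why `CGO_ENABLED=0` was dropped, so the cgo setting is now silently whatever the caller's environment holds and the next reader is likely to re-add the flag the removed comment argued for. The old comment's claim that govulncheck "will always fail" on cgo code is what the x/vuln v1.1.3 bump apparently invalidates, so record the reason at the call site: `// CGO is left at the host's setting: govulncheck can load cgo packages (it just does not analyse the C side), and forcing CGO_ENABLED=0 made modules whose build needs their C parts fail to load at all.` A security caveat is also worth a sentence here or in the user docs: if govulncheck loads the module through the ordinary go build machinery, which its `./...` package pattern suggests, then call analysis now hands the scanned checkout's cgo sources and `#cgo` directives to the host C toolchain, so scanning an untrusted repository runs more of that repository's build than it did with cgo forced off; I cannot confirm that from this hunk alone. `runGovulncheck` begins before the hunk and its body continues after it, so the handling of `b` and the process exit is out of view here.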