Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: govulncheck calls on C code #1228

Merged
merged 6 commits into from
Sep 6, 2024
Merged

fix: govulncheck calls on C code #1228

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
753f4ba
Fix cgo govulncheck
another-rex Sep 6, 2024
0b3bbf8
Some go mod changes after running go mod tidy
another-rex Sep 6, 2024
39aff70
Revert "Fix cgo govulncheck"
another-rex Sep 6, 2024
3fbcc78
Set CGO_ENABLED=0 on invocation of govulncheck
another-rex Sep 6, 2024
cae6268
Fix dup word
another-rex Sep 6, 2024
e2f771c
Fix snapshots
another-rex Sep 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions cmd/osv-scanner/__snapshots__/main_test.snap
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1240,6 +1240,7 @@ Filtered 15 vulnerabilities from output
| https://osv.dev/DLA-3012-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3172-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3405-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3878-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5142-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5271-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5391-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
Expand Down Expand Up @@ -1326,6 +1327,7 @@ Filtered 15 vulnerabilities from output
| https://osv.dev/DLA-3012-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3172-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3405-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3878-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5142-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5271-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5391-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
Expand Down
5 changes: 1 addition & 4 deletions go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@ require (
github.com/urfave/cli/v2 v2.27.4
golang.org/x/exp v0.0.0-20240822175202-778ce7bba035
golang.org/x/mod v0.20.0
golang.org/x/net v0.28.0
golang.org/x/sync v0.8.0
golang.org/x/term v0.23.0
golang.org/x/vuln v1.0.4
Expand All @@ -51,9 +52,7 @@ require (
github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
github.com/aymerick/douceur v0.2.0 // indirect
github.com/charmbracelet/x/ansi v0.2.3 // indirect
github.com/charmbracelet/x/input v0.1.0 // indirect
github.com/charmbracelet/x/term v0.2.0 // indirect
github.com/charmbracelet/x/windows v0.1.0 // indirect
github.com/cloudflare/circl v1.3.7 // indirect
github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
Expand Down Expand Up @@ -97,12 +96,10 @@ require (
github.com/vbatts/tar-split v0.11.5 // indirect
github.com/xanzy/ssh-agent v0.3.3 // indirect
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
github.com/yuin/goldmark v1.7.4 // indirect
github.com/yuin/goldmark-emoji v1.0.3 // indirect
golang.org/x/crypto v0.26.0 // indirect
golang.org/x/net v0.28.0 // indirect
golang.org/x/sys v0.24.0 // indirect
golang.org/x/text v0.17.0 // indirect
golang.org/x/tools v0.24.0 // indirect
Expand Down
12 changes: 0 additions & 12 deletions go.sum
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,28 +44,18 @@ github.com/bradleyjkemp/cupaloy/v2 v2.8.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1l
github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
github.com/charmbracelet/bubbles v0.19.0 h1:gKZkKXPP6GlDk6EcfujDK19PCQqRjaJZQ7QRERx1UF0=
github.com/charmbracelet/bubbles v0.19.0/go.mod h1:WILteEqZ+krG5c3ntGEMeG99nCupcuIk7V0/zOP0tOA=
github.com/charmbracelet/bubbletea v0.27.1 h1:/yhaJKX52pxG4jZVKCNWj/oq0QouPdXycriDRA6m6r8=
github.com/charmbracelet/bubbletea v0.27.1/go.mod h1:xc4gm5yv+7tbniEvQ0naiG9P3fzYhk16cTgDZQQW6YE=
github.com/charmbracelet/bubbletea v1.1.0 h1:FjAl9eAL3HBCHenhz/ZPjkKdScmaS5SK69JAK2YJK9c=
github.com/charmbracelet/bubbletea v1.1.0/go.mod h1:9Ogk0HrdbHolIKHdjfFpyXJmiCzGwy+FesYkZr7hYU4=
github.com/charmbracelet/glamour v0.8.0 h1:tPrjL3aRcQbn++7t18wOpgLyl8wrOHUEDS7IZ68QtZs=
github.com/charmbracelet/glamour v0.8.0/go.mod h1:ViRgmKkf3u5S7uakt2czJ272WSg2ZenlYEZXT2x7Bjw=
github.com/charmbracelet/lipgloss v0.13.0 h1:4X3PPeoWEDCMvzDvGmTajSyYPcZM4+y8sCA/SsA3cjw=
github.com/charmbracelet/lipgloss v0.13.0/go.mod h1:nw4zy0SBX/F/eAO1cWdcvy6qnkDUxr8Lw7dvFrAIbbY=
github.com/charmbracelet/x/ansi v0.1.4 h1:IEU3D6+dWwPSgZ6HBH+v6oUuZ/nVawMiWj5831KfiLM=
github.com/charmbracelet/x/ansi v0.1.4/go.mod h1:dk73KoMTT5AX5BsX0KrqhsTqAnhZZoCBjs7dGWp4Ktw=
github.com/charmbracelet/x/ansi v0.2.3 h1:VfFN0NUpcjBRd4DnKfRaIRo53KRgey/nhOoEqosGDEY=
github.com/charmbracelet/x/ansi v0.2.3/go.mod h1:dk73KoMTT5AX5BsX0KrqhsTqAnhZZoCBjs7dGWp4Ktw=
github.com/charmbracelet/x/exp/golden v0.0.0-20240815200342-61de596daa2b h1:MnAMdlwSltxJyULnrYbkZpp4k58Co7Tah3ciKhSNo0Q=
github.com/charmbracelet/x/exp/golden v0.0.0-20240815200342-61de596daa2b/go.mod h1:wDlXFlCrmJ8J+swcL/MnGUuYnqgQdW9rhSD61oNMb6U=
github.com/charmbracelet/x/input v0.1.0 h1:TEsGSfZYQyOtp+STIjyBq6tpRaorH0qpwZUj8DavAhQ=
github.com/charmbracelet/x/input v0.1.0/go.mod h1:ZZwaBxPF7IG8gWWzPUVqHEtWhc1+HXJPNuerJGRGZ28=
github.com/charmbracelet/x/term v0.1.1 h1:3cosVAiPOig+EV4X9U+3LDgtwwAoEzJjNdwbXDjF6yI=
github.com/charmbracelet/x/term v0.1.1/go.mod h1:wB1fHt5ECsu3mXYusyzcngVWWlu1KKUmmLhfgr/Flxw=
github.com/charmbracelet/x/term v0.2.0 h1:cNB9Ot9q8I711MyZ7myUR5HFWL/lc3OpU8jZ4hwm0x0=
github.com/charmbracelet/x/term v0.2.0/go.mod h1:GVxgxAbjUrmpvIINHIQnJJKpMlHiZ4cktEQCN6GWyF0=
github.com/charmbracelet/x/windows v0.1.0 h1:gTaxdvzDM5oMa/I2ZNF7wN78X/atWemG9Wph7Ika2k4=
github.com/charmbracelet/x/windows v0.1.0/go.mod h1:GLEO/l+lizvFDBPLIOk+49gdX49L9YWMB5t+DZd0jkQ=
github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
Expand Down Expand Up @@ -248,8 +238,6 @@ github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHo
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 h1:gEOO8jv9F4OT7lGCjxCBTO/36wtF6j2nSip77qHd4x4=
github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM=
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
Expand Down
4 changes: 3 additions & 1 deletion internal/sourceanalysis/go.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -162,7 +162,9 @@ func runGovulncheck(moddir string, vulns []models.Vulnerability, goVersion strin
cmd := scan.Command(context.Background(), "-db", dbdirURL.String(), "-C", moddir, "-json", "./...")
var b bytes.Buffer
cmd.Stdout = &b
cmd.Env = append(os.Environ(), "GOVERSION=go"+goVersion)
// Disable CGO because govulncheck does not support CGO code, and will always fail.
// This still leaves govulncheck enabled for non C related calls.
cmd.Env = append(os.Environ(), "GOVERSION=go"+goVersion, "CGO_ENABLED=0")
if err := cmd.Start(); err != nil {
return nil, err
}
Expand Down
Loading