

Fix result scanning (#526)
Fix issues with scanning OSV-Scanner Results.

- Adds support for commit hashes in OSV-Scanner results.
- Allows actually scanning OSV-Scanner results files from the CLI.
another-rex authored Sep 8, 2023
1 parent 60d09d5 commit 2a61873
Showing 9 changed files with 79 additions and 18 deletions.
13 changes: 13 additions & 0 deletions internal/local/check.go
Expand Up @@ -126,6 +126,19 @@ func MakeRequest(r reporter.Reporter, query osv.BatchedQuery, offline bool, loca
continue
}

if pkg.Ecosystem == "" {
if pkg.Commit == "" {
// The only time this can happen should be when someone passes in their own OSV-Scanner-Results file.
return nil, fmt.Errorf("ecosystem is empty and there is no commit hash")
}

// Is a commit based query, skip local scanning
results = append(results, osv.Response{})
r.PrintText(fmt.Sprintf("Skipping commit scanning for: %s\n", pkg.Commit))

continue
}

db, err := loadDBFromCache(pkg.Ecosystem)

if err != nil {
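Review bot: In offline mode a commit-based entry is answered with an empty `osv.Response{}`, so a results file that holds only commit hashes will report zero vulnerabilities for those entries; the only signal is the `PrintText` line, and whether that reaches the user at the reporter's default verbosity is not visible from here. If the reporter has a warning-level method, route the skip message through it, and add a doc comment on the function stating that local scanning does not cover commit queries. The error return for an entry with neither ecosystem nor commit also aborts the whole batch without saying which entry was bad; including the loop index, e.g. `return nil, fmt.Errorf("query %d: ecosystem is empty and there is no commit hash", i)`, would make a malformed hand-edited results file debuggable (the index variable is declared above the hunk). MakeRequest begins before this hunk.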
4 changes: 2 additions & 2 deletions internal/output/table.go
Expand Up @@ -108,8 +108,8 @@ func tableBuilderInner(vulnResult *models.VulnerabilityResults, addStyling bool,
outputRow = append(outputRow, strings.Join(links, "\n"))
outputRow = append(outputRow, MaxSeverity(group, pkg))

if pkg.Package.Ecosystem == "GIT" {
outputRow = append(outputRow, "GIT", pkg.Package.Version, pkg.Package.Version)
if pkg.Package.Ecosystem == "" && pkg.Package.Commit != "" {
outputRow = append(outputRow, "GIT", pkg.Package.Commit, pkg.Package.Commit)
shouldMerge = true
} else {
outputRow = append(outputRow, pkg.Package.Ecosystem, pkg.Package.Name, pkg.Package.Version)
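Review bot: The removed branch shows that earlier scanner output encoded commit results as `ecosystem: "GIT"` with the hash in `version`; a results file in that older shape, fed back through the new osv-scanner-results parser, has no `commit` field and so falls into the `else` branch here as ecosystem `GIT` with an empty name, and is queried as an ordinary package rather than as a commit. If old output is meant to be accepted, the extractor should translate `Ecosystem == "GIT"` into `Commit`; if not, the format break should be stated in the commit message. A short comment on the new condition, `// Commit-based results carry no ecosystem; render them under the synthetic GIT column`, would also explain the empty-ecosystem test. tableBuilderInner starts above this hunk.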
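--- a/pkg/lockfile/fixtures/osvscannerresults/one-package-commit.json
+++ b/pkg/lockfile/fixtures/osvscannerresults/one-package-commit.json
@@ -0,0 +1,19 @@
+{
+"results": [
+{
+"source": {
+"path": "/path/to/Gemfile.lock",
+"type": "lockfile"
+},
+"packages": [
+{
+"package": {
+"commit": "9a6bd55c9d0722cb101fe85a3b22d89e4ff4fe52"
+},
+"vulnerabilities": [],
+"groups": []
+}
+]
+}
+]
+}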
16 changes: 16 additions & 0 deletions pkg/lockfile/osv-vuln-result_test.go
Expand Up @@ -55,6 +55,22 @@ func TestParseOSVScannerResults_OnePackage(t *testing.T) {
})
}

func TestParseOSVScannerResults_OnePackageCommit(t *testing.T) {
t.Parallel()

packages, err := lockfile.ParseOSVScannerResults("fixtures/osvscannerresults/one-package-commit.json")

if err != nil {
t.Errorf("Got unexpected error: %v", err)
}

expectPackages(t, packages, []lockfile.PackageDetails{
{
Commit: "9a6bd55c9d0722cb101fe85a3b22d89e4ff4fe52",
},
})
}

func TestParseOSVScannerResults_MultiPackages(t *testing.T) {
t.Parallel()

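Review bot: The new test exercises only the commit-only fixture; the extractor branch that discards Name/Ecosystem/Version when a commit is present, and the handling of a package entry with neither commit nor name/ecosystem, have no coverage. Add a fixture with both `commit` and `name`/`ecosystem` populated and assert that only `Commit` survives, plus one with an empty `package` object to pin whatever behaviour is intended for malformed input. The test also continues into `expectPackages` after `t.Errorf` on a parse error, so a parse failure produces a second, misleading mismatch; `t.Fatalf` would stop at the real cause (the sibling tests may share this pattern, in which case change them together).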
18 changes: 12 additions & 6 deletions pkg/lockfile/osv-vuln-results.go
Expand Up @@ -29,12 +29,18 @@ func (e OSVScannerResultsExtractor) Extract(f DepFile) ([]PackageDetails, error)
packages := []PackageDetails{}
for _, res := range parsedResults.Results {
for _, pkg := range res.Packages {
packages = append(packages, PackageDetails{
Name: pkg.Package.Name,
Ecosystem: Ecosystem(pkg.Package.Ecosystem),
Version: pkg.Package.Version,
CompareAs: Ecosystem(pkg.Package.Ecosystem),
})
if pkg.Package.Commit != "" { // Prioritize results
packages = append(packages, PackageDetails{
Commit: pkg.Package.Commit,
})
} else {
packages = append(packages, PackageDetails{
Name: pkg.Package.Name,
Ecosystem: Ecosystem(pkg.Package.Ecosystem),
Version: pkg.Package.Version,
CompareAs: Ecosystem(pkg.Package.Ecosystem),
})
}
}
}

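Review bot: This extractor is the trust boundary for a user-supplied results file, yet it accepts a package entry with neither `commit` nor `name`/`ecosystem`: the offline path later rejects it in internal/local/check.go, but the online path builds a query with empty package fields and sends it. Validate here so both paths agree, e.g. `if pkg.Package.Commit == "" && pkg.Package.Ecosystem == "" { return nil, fmt.Errorf("package entry has neither a commit nor an ecosystem") }` (assuming `fmt` is imported in this file; otherwise `errors.New`). The comment `// Prioritize results` should say what is actually happening: `// A commit wins over package details; the OSV API cannot take both in one query (see MakePkgRequest), so the package fields are dropped.` The surrounding Extract method begins above this hunk.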
1 change: 1 addition & 0 deletions pkg/models/results.go
Expand Up @@ -121,4 +121,5 @@ type PackageInfo struct {
Name string `json:"name"`
Version string `json:"version"`
Ecosystem string `json:"ecosystem"`
Commit string `json:"commit"`
}
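Review bot: The new `Commit` field carries no comment stating the contract consumers of the JSON output need: from the change in vulnerability_result.go it appears to be set only for commit-based queries, in which case Name, Version and Ecosystem stay empty. Suggest `// Commit is the git commit hash for commit-based queries; when set, Name, Version and Ecosystem are empty.` Without `omitempty` every non-commit package now serializes `"commit": ""`, which matches the sibling fields' style but is still a visible output-format change worth a changelog line. The PackageInfo struct starts above this hunk.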
21 changes: 13 additions & 8 deletions pkg/osv/osv.go
Expand Up @@ -92,14 +92,19 @@ func MakePURLRequest(purl string) *Query {
}

func MakePkgRequest(pkgDetails lockfile.PackageDetails) *Query {
return &Query{
Version: pkgDetails.Version,
// API has trouble parsing requests with both commit and Package details filled ins
// Commit: pkgDetails.Commit,
Package: Package{
Name: pkgDetails.Name,
Ecosystem: string(pkgDetails.Ecosystem),
},
// API has trouble parsing requests with both commit and Package details filled in
if pkgDetails.Ecosystem == "" && pkgDetails.Commit != "" {
return &Query{
Commit: pkgDetails.Commit,
}
} else {
return &Query{
Version: pkgDetails.Version,
Package: Package{
Name: pkgDetails.Name,
Ecosystem: string(pkgDetails.Ecosystem),
},
}
}
}

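Review bot: The `else` after a `return` is unidiomatic Go and hides the precedence rule that matters here: when both `Commit` and `Ecosystem` are set the commit is silently dropped, and the comment only says the API has trouble with both. Use a guard clause and spell the rule out: `// Commit-only details become a commit query; if package details are present they win and the commit is dropped, because the API rejects both in one query.` followed by `if pkgDetails.Ecosystem == "" && pkgDetails.Commit != "" { return &Query{Commit: pkgDetails.Commit} }` and then the unconditional package-form return. A doc comment on MakePkgRequest describing the two query shapes it can produce would complete it.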
2 changes: 2 additions & 0 deletions pkg/osvscanner/osvscanner.go
Expand Up @@ -205,6 +205,8 @@ func scanLockfile(r reporter.Reporter, query *osv.BatchedQuery, path string, par
parsedLockfile, err = lockfile.FromApkInstalled(path)
case "dpkg-status":
parsedLockfile, err = lockfile.FromDpkgStatus(path)
case "osv-scanner-results":
parsedLockfile, err = lockfile.FromOSVScannerResults(path)
default:
parsedLockfile, err = lockfile.ExtractDeps(f, parseAs)
}
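Review bot: A results file is a different kind of input from the other cases in this switch: it is a previous run's output, re-queried as-is, and as far as the extractor in this commit shows its per-result `source.path` entries are not carried over, so findings will be attributed to the results file's own path rather than the lockfiles it was generated from. A one-line comment on the case would set expectations: `// Re-scan a previous run's JSON output; packages are re-queried, original source paths are not preserved.` If the accepted parse-as values are enumerated or validated anywhere else (help text, a list constant — not visible here), the new name needs adding there as well. scanLockfile's switch starts above this hunk.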
3 changes: 1 addition & 2 deletions pkg/osvscanner/vulnerability_result.go
Expand Up @@ -26,8 +26,7 @@ func groupResponseBySource(r reporter.Reporter, query osv.BatchedQuery, resp *os
}
var pkg models.PackageVulns
if query.Commit != "" {
pkg.Package.Version = query.Commit
pkg.Package.Ecosystem = "GIT"
pkg.Package.Commit = query.Commit
} else if query.Package.PURL != "" {
var err error
pkg.Package, err = models.PURLToPackage(query.Package.PURL)
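Review bot: With `Ecosystem` no longer set to `"GIT"` for commit results, any other output writer or consumer that keyed on that value the way the table builder did will now see an empty ecosystem and an empty name; only table.go is updated in this commit, so the remaining output formats are worth a grep for `"GIT"` before merge. A comment on the branch would make the invariant explicit: `// Commit-based query: Name, Ecosystem and Version stay empty by design; renderers must key on Commit.` groupResponseBySource begins above this hunk.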
