
osv-scanner fails to run code analysis with govulncheck, but running govulncheck directly works #1443

Open
tuminoid opened this issue Dec 12, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@tuminoid

Issue

osv-scanner fails to run code analysis with govulncheck, but running govulncheck directly works.

This can be reproduced by scanning https://github.com/metal3-io/baremetal-operator's release-0.8 branch, where test directory scan is failing.

Expected outcome

osv-scanner works, and correctly completes code analysis.

Actual outcome

  • libvirt-dev is installed locally, if it matters.
  • it makes no difference if -r is used, or osv-scanner is directly executed in test/
osv-scanner -r --skip-git --verbosity=verbose .
Scanning dir .
Scanned /home/tumi/git/metal3-io/baremetal-operator/test/go.mod file and found 143 packages
Filtered 2 local package/s from the scan.
Failed to run code analysis (govulncheck) on '/home/tumi/git/metal3-io/baremetal-operator/test/go.mod' because govulncheck: loading packages: 
There are errors with the provided package patterns:

/home/tumi/git/metal3-io/baremetal-operator/test/createVM/main.go:38:60: undefined: libvirt.StoragePool
/home/tumi/git/metal3-io/baremetal-operator/test/createVM/main.go:40:23: undefined: libvirt.NewConnect
/home/tumi/git/metal3-io/baremetal-operator/test/createVM/main.go:102:23: undefined: libvirt.NewConnect
/home/tumi/git/metal3-io/baremetal-operator/test/createVM/main.go:166:23: undefined: libvirt.NewConnect
/home/tumi/git/metal3-io/baremetal-operator/test/createVM/main.go:211:23: undefined: libvirt.NewConnect
/home/tumi/git/metal3-io/baremetal-operator/test/createVM/main.go:249:11: undefined: libvirt.NETWORK_UPDATE_COMMAND_ADD_LAST
/home/tumi/git/metal3-io/baremetal-operator/test/createVM/main.go:250:11: undefined: libvirt.NETWORK_SECTION_IP_DHCP_HOST
/home/tumi/git/metal3-io/baremetal-operator/test/createVM/main.go:253:11: undefined: libvirt.NETWORK_UPDATE_AFFECT_LIVE
/home/tumi/git/metal3-io/baremetal-operator/test/createVM/main.go:253:46: undefined: libvirt.NETWORK_UPDATE_AFFECT_CONFIG

For details on package patterns, see https://pkg.go.dev/cmd/go#hdr-Package_lists_and_patterns.

(the Go toolchain is required)
╭─────────────────────────────────────┬──────┬───────────┬──────────────────────────────────────┬─────────┬────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE                              │ VERSION │ SOURCE │
├─────────────────────────────────────┼──────┼───────────┼──────────────────────────────────────┼─────────┼────────┤
│ https://osv.dev/GO-2024-3282        │ 6.9  │ Go        │ github.com/cert-manager/cert-manager │ 1.10.2  │ go.mod │
│ https://osv.dev/GHSA-r4pg-vg54-wxx4 │      │           │                                      │         │        │
│ https://osv.dev/GO-2024-3321        │      │ Go        │ golang.org/x/crypto                  │ 0.26.0  │ go.mod │
│ https://osv.dev/GHSA-v778-237x-gjrc │      │           │                                      │         │        │
╰─────────────────────────────────────┴──────┴───────────┴──────────────────────────────────────┴─────────┴────────╯

Running govulncheck directly in test (using --test or not, makes no difference):

❯ govulncheck --test ./createVM/
=== Symbol Results ===

Vulnerability #1: GO-2024-3282
    cert-manager ha a potential slowdown / DoS when parsing specially crafted
    PEM inputs in github.com/cert-manager/cert-manager
  More info: https://pkg.go.dev/vuln/GO-2024-3282
  Module: github.com/cert-manager/cert-manager
    Found in: github.com/cert-manager/[email protected]
    Fixed in: github.com/cert-manager/[email protected]
    Example traces found:
      #1: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls acme.ACMEIssuer.DeepCopyInto
      #2: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls acme.Challenge.DeepCopyObject
      #3: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls acme.ChallengeList.DeepCopyObject
      #4: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls acme.Order.DeepCopyObject
      #5: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls acme.OrderList.DeepCopyObject
      #6: e2e/common.go:22:2: e2e.init calls patch.init, which eventually calls acme.addKnownTypes
      #7: e2e/cert_manager.go:9:2: e2e.init calls certmanager.init, which eventually calls acme.init
      #8: e2e/cert_manager.go:9:2: e2e.init calls certmanager.init, which calls acme.init
      #9: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls certmanager.Certificate.DeepCopyObject
      #10: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls certmanager.CertificateList.DeepCopyObject
      #11: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls certmanager.CertificateRequest.DeepCopyObject
      #12: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls certmanager.CertificateRequestList.DeepCopyObject
      #13: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls certmanager.ClusterIssuer.DeepCopyObject
      #14: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls certmanager.ClusterIssuerList.DeepCopyObject
      #15: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls certmanager.Issuer.DeepCopyObject
      #16: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls certmanager.IssuerList.DeepCopyObject
      #17: e2e/common.go:22:2: e2e.init calls patch.init, which eventually calls certmanager.addKnownTypes
      #18: e2e/cert_manager.go:9:2: e2e.init calls certmanager.init
      #19: e2e/cert_manager.go:9:2: e2e.init calls certmanager.init, which calls certmanager.init
      #20: e2e/common.go:22:2: e2e.init calls patch.init, which eventually calls meta.addKnownTypes
      #21: e2e/cert_manager.go:10:2: e2e.init calls meta.init
      #22: e2e/cert_manager.go:10:2: e2e.init calls meta.init, which calls meta.init

Your code is affected by 1 vulnerability from 1 module.
This scan also found 1 vulnerability in packages you import and 0
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
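The failure above is easy to miss in CI because osv-scanner still prints a findings table after the govulncheck error. The following parser is an added example (not part of this issue or of osv-scanner itself) that scans osv-scanner's stderr for the "Failed to run code analysis (govulncheck)" block quoted in this report, collects which go.mod files lost call analysis and which undefined package symbols caused it, so a wrapper can flag the run as degraded instead of trusting the table. It assumes the message format shown in this issue; the sample log is constructed from the output above with shortened paths.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the osv-scanner output quoted in this issue.
SAMPLE_LOG = """\
Scanning dir .
Scanned /src/test/go.mod file and found 143 packages
Filtered 2 local package/s from the scan.
Failed to run code analysis (govulncheck) on '/src/test/go.mod' because govulncheck: loading packages:
There are errors with the provided package patterns:

/src/test/createVM/main.go:38:60: undefined: libvirt.StoragePool
/src/test/createVM/main.go:40:23: undefined: libvirt.NewConnect
/src/test/createVM/main.go:249:11: undefined: libvirt.NETWORK_UPDATE_COMMAND_ADD_LAST

For details on package patterns, see https://pkg.go.dev/cmd/go#hdr-Package_lists_and_patterns.

(the Go toolchain is required)
"""

# Line that opens the govulncheck error block; group 1 is the go.mod that lost call analysis.
FAIL_RE = re.compile(r"^Failed to run code analysis \(govulncheck\) on '([^']+)'")
# Go type-checker error line: path:line:col: undefined: pkg.Symbol
UNDEF_RE = re.compile(r"^(\S+):(\d+):(\d+): undefined: (\w+)\.(\w+)$")
END_MARKER = "(the Go toolchain is required)"


def parse_call_analysis_failures(log: str) -> Dict[str, dict]:
    """Map each go.mod whose call analysis failed to the packages and errors behind it."""
    failures: Dict[str, dict] = {}
    current = None  # error block currently being read, or None outside one
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if m:
            current = failures.setdefault(
                m.group(1), {"packages": set(), "errors": []})
            continue
        if current is None:
            continue
        m = UNDEF_RE.match(line)
        if m:
            path, row, _col, pkg, sym = m.groups()
            current["packages"].add(pkg)
            current["errors"].append((path, int(row), f"{pkg}.{sym}"))
        elif line.startswith(END_MARKER):
            current = None  # govulncheck's error block ends here
    return failures


def call_analysis_degraded(log: str) -> bool:
    """True when at least one scanned go.mod was reported without call analysis."""
    return bool(parse_call_analysis_failures(log))
```

In a pipeline, a true result from `call_analysis_degraded` means the findings for that module were not filtered by call analysis and should be reviewed as such, or the job failed until the module builds in the scanning environment.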
@another-rex another-rex added the bug Something isn't working label Dec 12, 2024
hogo6002 added a commit that referenced this issue Dec 19, 2024
@hogo6002
Contributor

We have made a fix release for this issue: https://github.com/google/osv-scanner/releases/tag/v1.9.2

@tuminoid
Author

@hogo6002 Unfortunately, the issue still persists unchanged with v1.9.2.

Cloning into 'baremetal-operator-release-0.8'...
osv-scanner scan --skip-git --recursive --verbosity=warn .
Failed to run code analysis (govulncheck) on '/tmp/scan-all/baremetal-operator-release-0.8/test/go.mod' because govulncheck: loading packages: 
There are errors with the provided package patterns:

/tmp/scan-all/baremetal-operator-release-0.8/test/createVM/main.go:38:60: undefined: libvirt.StoragePool
/tmp/scan-all/baremetal-operator-release-0.8/test/createVM/main.go:40:23: undefined: libvirt.NewConnect
/tmp/scan-all/baremetal-operator-release-0.8/test/createVM/main.go:102:23: undefined: libvirt.NewConnect
/tmp/scan-all/baremetal-operator-release-0.8/test/createVM/main.go:166:23: undefined: libvirt.NewConnect
/tmp/scan-all/baremetal-operator-release-0.8/test/createVM/main.go:211:23: undefined: libvirt.NewConnect
/tmp/scan-all/baremetal-operator-release-0.8/test/createVM/main.go:249:11: undefined: libvirt.NETWORK_UPDATE_COMMAND_ADD_LAST
/tmp/scan-all/baremetal-operator-release-0.8/test/createVM/main.go:250:11: undefined: libvirt.NETWORK_SECTION_IP_DHCP_HOST
/tmp/scan-all/baremetal-operator-release-0.8/test/createVM/main.go:253:11: undefined: libvirt.NETWORK_UPDATE_AFFECT_LIVE
/tmp/scan-all/baremetal-operator-release-0.8/test/createVM/main.go:253:46: undefined: libvirt.NETWORK_UPDATE_AFFECT_CONFIG

For details on package patterns, see https://pkg.go.dev/cmd/go#hdr-Package_lists_and_patterns.

(the Go toolchain is required)
╭─────────────────────────────────────┬──────┬───────────┬──────────────────┬─────────┬───────────────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE          │ VERSION │ SOURCE            │
├─────────────────────────────────────┼──────┼───────────┼──────────────────┼─────────┼───────────────────┤
│ https://osv.dev/GO-2024-3333        │ 8.7  │ Go        │ golang.org/x/net │ 0.28.0  │ test/go.mod       │
│ https://osv.dev/GHSA-w32m-9786-jp63 │      │           │                  │         │                   │
├─────────────────────────────────────┼──────┼───────────┼──────────────────┼─────────┼───────────────────┤
│ Uncalled vulnerabilities            │      │           │                  │         │                   │
├─────────────────────────────────────┼──────┼───────────┼──────────────────┼─────────┼───────────────────┤
│ https://osv.dev/GO-2024-3333        │ 8.7  │ Go        │ golang.org/x/net │ 0.23.0  │ apis/go.mod       │
│ https://osv.dev/GHSA-w32m-9786-jp63 │      │           │                  │         │                   │
│ https://osv.dev/GO-2024-3333        │ 8.7  │ Go        │ golang.org/x/net │ 0.28.0  │ go.mod            │
│ https://osv.dev/GHSA-w32m-9786-jp63 │      │           │                  │         │                   │
│ https://osv.dev/GO-2024-3333        │ 8.7  │ Go        │ golang.org/x/net │ 0.23.0  │ hack/tools/go.mod │
│ https://osv.dev/GHSA-w32m-9786-jp63 │      │           │                  │         │                   │
╰─────────────────────────────────────┴──────┴───────────┴──────────────────┴─────────┴───────────────────╯
❯ osv-scanner --version
osv-scanner version: 1.9.2
commit: n/a
built at: n/a

Can we reopen this?

@hogo6002 hogo6002 reopened this Dec 20, 2024