⚠️ OSV scanner integration #2509
Conversation
Thanks for this PR. I left one major comment about keeping the clients.Vulnerabilities field.
Unit tests should be hermetic and should not be making any network calls. You can use the mocks generated for the interfaces to write any unit tests, and it shouldn't affect any vulnerability finding.
That makes sense. What about e2e tests? It looks like some repositories are set up in ossf-tests; can I set up a project with some lockfiles that contain known vulnerable dependencies?
Yes, that's possible. Curious, does OSV-Scanner look at direct dependencies only or transitive dependencies too?
https://github.com/ossf-tests/scorecard-check-osv-e2e Send a PR and cc me on it; I don't receive notifications automatically for these repos.
Codecov Report
Coverage Diff (main vs. #2509):
                main     #2509      +/-
  Coverage    40.69%    39.95%   -0.74%
  Files          115       122       +7
  Lines         9609      9815     +206
  Hits          3910      3922      +12
  Misses        5419      5612     +193
  Partials       280       281       +1
@another-rex - Please try to finish this soon, so a scorecard release can be cut by end of week or coming Monday.
OSV-Scanner also looks at transitive dependencies, since it scans the lockfile, which generally lists the transitive dependencies.
Is there a specific reason we want to cut a release?
I mean this is a very strong feature: scorecard was not looking at transitive deps before and can now look at vulns transitively. By release, I just meant a minor release (not a major announcement or anything for scorecard). OSV-Scanner will go out next week, so it will be nice for people to try it in scorecard too; not a big deal if you need more review time.
Yes, that makes sense! 👍 Thanks for the update. We need to get better at releases. To be honest, we need to improve our release process by calling out new features and breaking changes in the release notes.
Integration tests success for
Can you please rebase with the main? Also, DCO is missing. Thanks |
* Improve OSV scanning integration (squashed)
* Add support for grouping vulnerabilities and aliases
* Updated documentation, split vulnerability output to multiple warnings
* Updated documentation, split vulnerability output to multiple warnings
* Add its own codebase into docs
* Update scorecard test to not prevent known vulns
Signed-off-by: Rex P <[email protected]>
Co-authored-by: laurentsimon <[email protected]>
What kind of change does this PR introduce?
Feature
What is the current behavior?
Currently the vulnerability check only checks if the HEAD commit hash has any vulnerability specified in OSV.dev. Most of the time this will return 10/10.
What is the new behavior (if this is a feature change)?
This integrates the OSV-Scanner library, which will scan for manifest and SBOM files, retrieve the dependencies, and match those dependencies with OSV.dev database as well. (The commit hash check is still being done, though through the osvscanner library rather than directly setting up a client to use the OSV API).
Which issue(s) this PR fixes
Fixes #2162
Special notes for your reviewer
Currently the e2e tests fail because the Scorecard score has changed since osvscanner found 3 vulnerabilities. I can change the expected results to match, but this might cause more issues in the future as new vulnerabilities are discovered, causing tests to break even though there are no code changes. Not sure what the best way to resolve this.
Does this PR introduce a user-facing change?
Yes, TODO.
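As an added example (not code from this PR or from scorecard/osv-scanner), the Go program below illustrates three points raised in the thread: the lockfile walk that picks up transitive as well as direct dependencies, the hermetic unit-test seam (a Scanner interface with a mock implementation so no network is touched), and grouping vulnerabilities by their aliases so the same issue reported under a GHSA and a CVE identifier is counted once. The npm package-lock.json content, the Scanner interface, and the vulnerability identifiers (GHSA-demo-…, CVE-2000-…) are all constructed for the example and are not real advisories.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample: a minimal lockfileVersion-1 style package-lock.json.
// "qs" appears only as a nested (transitive) dependency, twice.
const sampleLock = `{
  "name": "demo", "lockfileVersion": 1,
  "dependencies": {
    "express": {"version": "4.17.1", "dependencies": {
      "qs": {"version": "6.7.0"},
      "body-parser": {"version": "1.19.0", "dependencies": {"qs": {"version": "6.7.0"}}}
    }},
    "lodash": {"version": "4.17.20"}
  }
}`

type Package struct {
	Name, Version string
	Direct        bool // true if listed at the top level of the lockfile
}

type lockEntry struct {
	Version      string               `json:"version"`
	Dependencies map[string]lockEntry `json:"dependencies"`
}

// ParseLockfile walks the nested dependency tree and returns every
// name@version once, flagging whether it is a direct dependency.
func ParseLockfile(data []byte) ([]Package, error) {
	var lock struct {
		Dependencies map[string]lockEntry `json:"dependencies"`
	}
	if err := json.Unmarshal(data, &lock); err != nil {
		return nil, err
	}
	seen := map[string]*Package{}
	var walk func(deps map[string]lockEntry, direct bool)
	walk = func(deps map[string]lockEntry, direct bool) {
		for name, e := range deps {
			key := name + "@" + e.Version
			if p, ok := seen[key]; ok {
				p.Direct = p.Direct || direct // a package may be both direct and transitive
			} else {
				seen[key] = &Package{Name: name, Version: e.Version, Direct: direct}
			}
			walk(e.Dependencies, false)
		}
	}
	walk(lock.Dependencies, true)
	out := make([]Package, 0, len(seen))
	for _, p := range seen {
		out = append(out, *p)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name+"@"+out[i].Version < out[j].Name+"@"+out[j].Version })
	return out, nil
}

type Vulnerability struct {
	ID      string
	Aliases []string
}

// Scanner is the seam a hermetic unit test mocks: production code would
// query OSV.dev here, the test supplies canned answers (assumed interface).
type Scanner interface {
	Query(p Package) ([]Vulnerability, error)
}

type mockScanner map[string][]Vulnerability

func (m mockScanner) Query(p Package) ([]Vulnerability, error) {
	return m[p.Name+"@"+p.Version], nil
}

// demoScanner returns constructed findings: the qs issue is reported twice
// under two identifiers that alias each other, so it must collapse to one group.
func demoScanner() Scanner {
	return mockScanner{
		"qs@6.7.0": {
			{ID: "GHSA-demo-0001", Aliases: []string{"CVE-2000-00001"}},
			{ID: "CVE-2000-00001", Aliases: []string{"GHSA-demo-0001"}},
		},
		"lodash@4.17.20": {{ID: "GHSA-demo-0002", Aliases: []string{"CVE-2000-00002"}}},
	}
}

// GroupByAlias unions every vulnerability ID with its aliases (union-find)
// and returns the resulting groups, each sorted, ordered by first member.
func GroupByAlias(vulns []Vulnerability) [][]string {
	parent := map[string]string{}
	var find func(string) string
	find = func(x string) string {
		if _, ok := parent[x]; !ok {
			parent[x] = x
		}
		for parent[x] != x {
			parent[x] = parent[parent[x]]
			x = parent[x]
		}
		return x
	}
	for _, v := range vulns {
		find(v.ID)
		for _, a := range v.Aliases {
			parent[find(v.ID)] = find(a)
		}
	}
	groups := map[string][]string{}
	for id := range parent {
		root := find(id)
		groups[root] = append(groups[root], id)
	}
	var out [][]string
	for _, g := range groups {
		sort.Strings(g)
		out = append(out, g)
	}
	sort.Slice(out, func(i, j int) bool { return out[i][0] < out[j][0] })
	return out
}

// Scan ties the pieces together: parse, query each package, group results.
func Scan(lock []byte, s Scanner) ([][]string, error) {
	pkgs, err := ParseLockfile(lock)
	if err != nil {
		return nil, err
	}
	var all []Vulnerability
	for _, p := range pkgs {
		vs, err := s.Query(p)
		if err != nil {
			return nil, err
		}
		all = append(all, vs...)
	}
	return GroupByAlias(all), nil
}

func main() {
	pkgs, _ := ParseLockfile([]byte(sampleLock))
	for _, p := range pkgs {
		fmt.Printf("%s@%s direct=%v\n", p.Name, p.Version, p.Direct)
	}
	groups, _ := Scan([]byte(sampleLock), demoScanner())
	fmt.Println("distinct vulnerabilities:", len(groups), groups)
}
```

Because every result goes through the Scanner interface, a unit test for the grouping or warning-splitting logic can run entirely offline, while the e2e repository discussed above exercises the real OSV.dev lookup.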