Disable all unimportant vulnerabilities (#968)
osv.dev integrates Debian security tracker data into existing CVE
entries, filtering out unimportant vulnerabilities.

![image](https://github.com/google/osv-scanner/assets/39108850/14e00974-fa2c-47d7-a526-e3ab06009cf1)
hogo6002 authored May 13, 2024
1 parent 5e53ae8 commit e1eaafe
Showing 6 changed files with 407 additions and 6 deletions.
2 changes: 0 additions & 2 deletions cmd/osv-scanner/__snapshots__/main_test.snap
Expand Up @@ -133,7 +133,6 @@ Loaded filter from: <rootdir>/fixtures/go-project/osv-scanner.toml
| https://osv.dev/GO-2024-2609 | | Go | stdlib | 1.21.7 | fixtures/go-project/go.mod |
| https://osv.dev/GO-2024-2610 | | Go | stdlib | 1.21.7 | fixtures/go-project/go.mod |
| https://osv.dev/GO-2024-2687 | | Go | stdlib | 1.21.7 | fixtures/go-project/go.mod |
| https://osv.dev/GO-2024-2824 | | Go | stdlib | 1.21.7 | fixtures/go-project/go.mod |
+------------------------------+------+-----------+---------+---------+----------------------------+

---
Expand Down Expand Up @@ -431,7 +430,6 @@ Scanned <rootdir>/fixtures/call-analysis-go-project/go.mod file and found 4 pack
| https://osv.dev/GO-2024-2598 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2599 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2687 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
| https://osv.dev/GO-2024-2824 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod |
+-------------------------------------+------+-----------+-----------------------------+---------+------------------------------------------+
| Uncalled vulnerabilities | | | | | |
+-------------------------------------+------+-----------+-----------------------------+---------+------------------------------------------+
112 changes: 111 additions & 1 deletion pkg/osvscanner/__snapshots__/osvscanner_internal_test.snap
Expand Up @@ -1485,6 +1485,112 @@
[Test_filterResults/filter_partially - 1]
{
"results": [
{
"source": {
"path": "fixtures/filter/some/configs/a/",
"type": "lockfile"
},
"packages": [
{
"package": {
"name": "chromium",
"version": "73.0.3683.75-1",
"ecosystem": "Debian:10"
},
"vulnerabilities": [
{
"modified": "2024-05-03T03:16:29Z",
"published": "2024-04-17T08:15:10Z",
"id": "CVE-2024-3847",
"details": "Insufficient policy enforcement in WebUI in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)",
"affected": [
{
"package": {
"ecosystem": "Debian:10",
"name": "chromium"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {
"urgency": "low"
}
},
{
"package": {
"ecosystem": "Debian:11",
"name": "chromium"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {
"urgency": "low"
}
}
],
"references": [
{
"type": "ARTICLE",
"url": "https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_16.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/328690293"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWIVXXSVO5VB3NAZVFJ7CWVBN6W2735T/"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IDLUD644WEWGOFKMZWC2K7Z4CQOKQYR7/"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M4PCXKCOVBUUU6GOSN46DCPI4HMER3PJ/"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PCWPUBGTBNT4EW32YNZMRIPB3Y4R6XL6/"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOC3HLIZCGMIJLJ6LME5UWUUIFLXEGRN/"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEP5NJUWMDRLDQUKU4LFDUHF5PCYAPIO/"
}
]
}
],
"groups": [
{
"ids": [
"CVE-2024-3847"
],
"aliases": null,
"max_severity": ""
}
]
}
]
},
{
"source": {
"path": "fixtures/filter/some/configs/b/",
Expand Down Expand Up @@ -1530,6 +1636,9 @@
],
"database_specific": {
"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vvpx-j8f3-3w6h/GHSA-vvpx-j8f3-3w6h.json"
},
"ecosystem_specific": {
"urgency": "unimportant"
}
}
],
Expand Down Expand Up @@ -1618,7 +1727,8 @@
{
"path": "net/http"
}
]
],
"urgency": "low"
}
},
{
159 changes: 158 additions & 1 deletion pkg/osvscanner/fixtures/filter/some/input.json
Expand Up @@ -6,6 +6,159 @@
"type": "lockfile"
},
"packages": [
{
"package": {
"name": "unixodbc",
"version": "2.3.11-2",
"ecosystem": "Debian:10"
},
"vulnerabilities": [
{
"id": "CVE-2024-1013",
"details": "An out-of-bounds stack write flaw was found in unixODBC on 64-bit architectures where the caller has 4 bytes and callee writes 8 bytes. This issue may go unnoticed on little-endian architectures, while big-endian architectures can be broken.",
"affected": [
{
"package": {
"name": "unixodbc",
"ecosystem": "Debian:10"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {
"urgency": "unimportant"
}
}
],
"references": [
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260823"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-1013"
},
{
"type": "WEB",
"url": "https://github.com/lurcher/unixODBC/pull/157"
}
],
"modified": "2024-03-18T12:38:25Z",
"published": "2024-03-18T11:15:09Z"
}
],
"groups": [
{
"ids": [
"CVE-2024-1013"
]
}
]
},
{
"package": {
"name": "chromium",
"version": "73.0.3683.75-1",
"ecosystem": "Debian:10"
},
"vulnerabilities": [
{
"id": "CVE-2024-3847",
"details": "Insufficient policy enforcement in WebUI in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)",
"affected": [
{
"package": {
"name": "chromium",
"ecosystem": "Debian:10"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {
"urgency": "low"
}
},
{
"package": {
"name": "chromium",
"ecosystem": "Debian:11"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {
"urgency": "low"
}
}
],
"references": [
{
"type": "ARTICLE",
"url": "https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_16.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/328690293"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWIVXXSVO5VB3NAZVFJ7CWVBN6W2735T/"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IDLUD644WEWGOFKMZWC2K7Z4CQOKQYR7/"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M4PCXKCOVBUUU6GOSN46DCPI4HMER3PJ/"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PCWPUBGTBNT4EW32YNZMRIPB3Y4R6XL6/"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOC3HLIZCGMIJLJ6LME5UWUUIFLXEGRN/"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEP5NJUWMDRLDQUKU4LFDUHF5PCYAPIO/"
}
],
"modified": "2024-05-03T03:16:29Z",
"published": "2024-04-17T08:15:10Z"
}
],
"groups": [
{
"ids": [
"CVE-2024-3847"
]
}
]
},
{
"package": {
"name": "remove_dir_all",
Expand Down Expand Up @@ -717,6 +870,9 @@
],
"database_specific": {
"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vvpx-j8f3-3w6h/GHSA-vvpx-j8f3-3w6h.json"
},
"ecosystem_specific": {
"urgency": "unimportant"
}
}
],
Expand Down Expand Up @@ -806,7 +962,8 @@
{
"path": "net/http"
}
]
],
"urgency": "low"
}
},
{
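Review bot: Every vulnerability in this fixture gives all of its `affected` entries the same urgency — both chromium entries in the first hunk are `"urgency": "low"` (Debian:10 and Debian:11) and the single unixodbc entry is `"urgency": "unimportant"` — so the filter is never exercised on the mixed case where one release's entry is `unimportant` and another release's is not, which is how Debian tracker data commonly looks. Consider adding one such package to the fixture and pinning the expected outcome (drop or keep) in the snapshot, since that decision is what determines whether a real finding can be silently hidden. The `"urgency": "unimportant"` block added in the second hunk sits next to a `database_specific.source` pointing at the GitHub advisory database, which suggests a non-Debian advisory; if the filter is meant to honour `urgency` only for Debian ecosystems, a short comment in the test naming that rule would make the fixture's intent clear. The enclosing `vulnerabilities` arrays of the second and third hunks begin and end outside the hunks shown.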
