From e834fb5de267569267095e0e276320ea48f1176f Mon Sep 17 00:00:00 2001
From: Spencer Schrock
Date: Wed, 6 Mar 2024 10:59:30 -0800
Subject: [PATCH] ignore Go stdlib vulns

Signed-off-by: Spencer Schrock
---
 clients/osv.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/clients/osv.go b/clients/osv.go
index e265aa2bbea..6015f2fd7ae 100644
--- a/clients/osv.go
+++ b/clients/osv.go
@@ -66,6 +66,11 @@ func (v osvClient) ListUnfixedVulnerabilities(
 if errors.Is(err, osvscanner.VulnerabilitiesFoundErr) {
 vulns := res.Flatten()
 for i := range vulns {
+ // ignore Go stdlib vulns. The go directive from the go.mod isn't a perfect metric
+ // of which version of Go will be used to build a project.
+ if vulns[i].Package.Ecosystem == "Go" && vulns[i].Package.Name == "stdlib" {
+ continue
+ }
 response.Vulnerabilities = append(response.Vulnerabilities, Vulnerability{
 ID: vulns[i].Vulnerability.ID,
 Aliases: vulns[i].Vulnerability.Aliases,
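Review bot: The new `continue` drops every Go stdlib finding without leaving any trace in the returned response, so a caller of ListUnfixedVulnerabilities cannot distinguish a clean scan from one where stdlib advisories were suppressed; if this client has access to a logger, a debug line or a skipped-count would make the suppression visible to whoever later wonders why a known stdlib advisory is missing. The comment's rationale holds for the `go` directive, but since Go 1.21 a `toolchain` directive can pin the exact build version, so a blanket skip may hide a real, fixable finding for such modules — worth stating that limitation in the comment alongside the existing rationale. The match is also two hard-coded string literals inside the loop body; pulling it out as `if isGoStdlib(vulns[i].Package) { continue }` with a small helper would make the rule unit-testable and easier to revisit when the policy changes. The enclosing function starts and ends outside the hunk.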