Recursive scan is only done for the vulnerabilities scan. For the license scan only the root go.mod is scanned, since we don't care about licenses of dev packages.
I wonder if we also need a recursive vulnerabilities scan. I added it back then to prevent supply chain attacks, but on the other hand the scan also fails because of CVEs like this one, which is only relevant for packages that are compiled with the released binary, not for packages used in dev / CI/CD.
Regarding the maintenance effort - we can omit the version field in PackageOverrides sections, with the risk of package relicensing on a version upgrade.
Package relicensing can occur both on minor releases (e.g. terraform) and major releases (e.g. grafana).
Currently call analysis doesn't work, so there are many false positives in the vulnerability scan since we use a newer Go version than the one installed in the osv-scanner-action image. One of the osv-scanner maintainers noted in google/osv-scanner#1453 (comment) ("[GitHub Action] Call analysis doesn't work for go projects with go version > 1.22.8") that it's a good idea to support running osv-scanner on the host, thus allowing the consumer to pre-install its desired Go version. Once it's supported we will have no false positives, which will make the maintenance easier.
Originally posted by @shahar-h in #4941 (comment)
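As an added illustration of the PackageOverrides trade-off discussed in the post above (this is example configuration, not from this repository or from osv-scanner's documentation; the package names, versions, licenses, date and vulnerability ID are made up or placeholders), an osv-scanner.toml with one override pinned to a version and one left unpinned:

```toml
# osv-scanner.toml (added example; package names, versions and licenses are made up)

# Pinned override: only matches this exact version, so a version upgrade
# makes the entry stop applying and the package's real license is reported
# again. More maintenance, but a relicensed newer release is not hidden.
[[PackageOverrides]]
name = "github.com/example/pinned-lib"
version = "1.4.2"
ecosystem = "Go"
license.override = ["MPL-2.0"]
reason = "Audited MPL-2.0 usage; re-check on every version bump"

# Unpinned override: matches every version of the package. No edits are
# needed on upgrade, but if a later release changes its license (which the
# thread notes can happen on a minor or a major release) the scan keeps
# reporting the overridden license and does not flag the change.
[[PackageOverrides]]
name = "github.com/example/unpinned-lib"
ecosystem = "Go"
license.override = ["Apache-2.0"]
reason = "Low-maintenance override; relies on manual review of release notes"

# Time-boxed exception for a finding that only affects code not compiled
# into the released binary (dev / CI-only dependency). The ID is a
# placeholder, not a real advisory.
[[IgnoredVulns]]
id = "GO-XXXX-XXXX"
ignoreUntil = 2025-12-31
reason = "Affected package is a dev/CI-only dependency, not shipped in the binary"
```

The `ignoreUntil` date forces the exception to be revisited rather than silently persisting, which is the same review pressure the pinned `version` field provides for license overrides.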