
osv-scanner fails to run code analysis with govulncheck, but running govulncheck directly works #1443

Open
tuminoid opened this issue Dec 12, 2024 · 4 comments
Labels
bug Something isn't working

Comments

@tuminoid

Issue

osv-scanner fails to run code analysis with govulncheck, but running govulncheck directly works.

This can be reproduced by scanning https://github.com/metal3-io/baremetal-operator's release-0.8 branch, where test directory scan is failing.

Expected outcome

osv-scanner works, and correctly completes code analysis.

Actual outcome

  • libvirt-dev is installed locally, if it matters.
  • it makes no difference if -r is used, or osv-scanner is directly executed in test/
❯ osv-scanner -r --skip-git --verbosity=verbose .
Scanning dir .
Scanned /home/tumi/git/metal3-io/baremetal-operator/test/go.mod file and found 143 packages
Filtered 2 local package/s from the scan.
Failed to run code analysis (govulncheck) on '/home/tumi/git/metal3-io/baremetal-operator/test/go.mod' because govulncheck: loading packages: 
There are errors with the provided package patterns:

/home/tumi/git/metal3-io/baremetal-operator/test/createVM/main.go:38:60: undefined: libvirt.StoragePool
/home/tumi/git/metal3-io/baremetal-operator/test/createVM/main.go:40:23: undefined: libvirt.NewConnect
/home/tumi/git/metal3-io/baremetal-operator/test/createVM/main.go:102:23: undefined: libvirt.NewConnect
/home/tumi/git/metal3-io/baremetal-operator/test/createVM/main.go:166:23: undefined: libvirt.NewConnect
/home/tumi/git/metal3-io/baremetal-operator/test/createVM/main.go:211:23: undefined: libvirt.NewConnect
/home/tumi/git/metal3-io/baremetal-operator/test/createVM/main.go:249:11: undefined: libvirt.NETWORK_UPDATE_COMMAND_ADD_LAST
/home/tumi/git/metal3-io/baremetal-operator/test/createVM/main.go:250:11: undefined: libvirt.NETWORK_SECTION_IP_DHCP_HOST
/home/tumi/git/metal3-io/baremetal-operator/test/createVM/main.go:253:11: undefined: libvirt.NETWORK_UPDATE_AFFECT_LIVE
/home/tumi/git/metal3-io/baremetal-operator/test/createVM/main.go:253:46: undefined: libvirt.NETWORK_UPDATE_AFFECT_CONFIG

For details on package patterns, see https://pkg.go.dev/cmd/go#hdr-Package_lists_and_patterns.

(the Go toolchain is required)
╭─────────────────────────────────────┬──────┬───────────┬──────────────────────────────────────┬─────────┬────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE                              │ VERSION │ SOURCE │
├─────────────────────────────────────┼──────┼───────────┼──────────────────────────────────────┼─────────┼────────┤
│ https://osv.dev/GO-2024-3282        │ 6.9  │ Go        │ github.com/cert-manager/cert-manager │ 1.10.2  │ go.mod │
│ https://osv.dev/GHSA-r4pg-vg54-wxx4 │      │           │                                      │         │        │
│ https://osv.dev/GO-2024-3321        │      │ Go        │ golang.org/x/crypto                  │ 0.26.0  │ go.mod │
│ https://osv.dev/GHSA-v778-237x-gjrc │      │           │                                      │         │        │
╰─────────────────────────────────────┴──────┴───────────┴──────────────────────────────────────┴─────────┴────────╯

Running govulncheck directly in test (using --test or not, makes no difference):

❯ govulncheck --test ./createVM/
=== Symbol Results ===

Vulnerability #1: GO-2024-3282
    cert-manager ha a potential slowdown / DoS when parsing specially crafted
    PEM inputs in github.com/cert-manager/cert-manager
  More info: https://pkg.go.dev/vuln/GO-2024-3282
  Module: github.com/cert-manager/cert-manager
    Found in: github.com/cert-manager/[email protected]
    Fixed in: github.com/cert-manager/[email protected]
    Example traces found:
      #1: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls acme.ACMEIssuer.DeepCopyInto
      #2: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls acme.Challenge.DeepCopyObject
      #3: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls acme.ChallengeList.DeepCopyObject
      #4: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls acme.Order.DeepCopyObject
      #5: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls acme.OrderList.DeepCopyObject
      #6: e2e/common.go:22:2: e2e.init calls patch.init, which eventually calls acme.addKnownTypes
      #7: e2e/cert_manager.go:9:2: e2e.init calls certmanager.init, which eventually calls acme.init
      #8: e2e/cert_manager.go:9:2: e2e.init calls certmanager.init, which calls acme.init
      #9: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls certmanager.Certificate.DeepCopyObject
      #10: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls certmanager.CertificateList.DeepCopyObject
      #11: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls certmanager.CertificateRequest.DeepCopyObject
      #12: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls certmanager.CertificateRequestList.DeepCopyObject
      #13: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls certmanager.ClusterIssuer.DeepCopyObject
      #14: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls certmanager.ClusterIssuerList.DeepCopyObject
      #15: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls certmanager.Issuer.DeepCopyObject
      #16: createVM/main.go:280:14: createVM.main calls fmt.Printf, which eventually calls certmanager.IssuerList.DeepCopyObject
      #17: e2e/common.go:22:2: e2e.init calls patch.init, which eventually calls certmanager.addKnownTypes
      #18: e2e/cert_manager.go:9:2: e2e.init calls certmanager.init
      #19: e2e/cert_manager.go:9:2: e2e.init calls certmanager.init, which calls certmanager.init
      #20: e2e/common.go:22:2: e2e.init calls patch.init, which eventually calls meta.addKnownTypes
      #21: e2e/cert_manager.go:10:2: e2e.init calls meta.init
      #22: e2e/cert_manager.go:10:2: e2e.init calls meta.init, which calls meta.init

Your code is affected by 1 vulnerability from 1 module.
This scan also found 1 vulnerability in packages you import and 0
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
@another-rex another-rex added the bug Something isn't working label Dec 12, 2024
hogo6002 added a commit that referenced this issue Dec 19, 2024
@hogo6002
Contributor

We have made a fix release for this issue: https://github.com/google/osv-scanner/releases/tag/v1.9.2

@tuminoid
Author

@hogo6002 Unfortunately the issue still persists with v1.9.2.

Cloning into 'baremetal-operator-release-0.8'...
osv-scanner scan --skip-git --recursive --verbosity=warn .
Failed to run code analysis (govulncheck) on '/tmp/scan-all/baremetal-operator-release-0.8/test/go.mod' because govulncheck: loading packages: 
There are errors with the provided package patterns:

/tmp/scan-all/baremetal-operator-release-0.8/test/createVM/main.go:38:60: undefined: libvirt.StoragePool
/tmp/scan-all/baremetal-operator-release-0.8/test/createVM/main.go:40:23: undefined: libvirt.NewConnect
/tmp/scan-all/baremetal-operator-release-0.8/test/createVM/main.go:102:23: undefined: libvirt.NewConnect
/tmp/scan-all/baremetal-operator-release-0.8/test/createVM/main.go:166:23: undefined: libvirt.NewConnect
/tmp/scan-all/baremetal-operator-release-0.8/test/createVM/main.go:211:23: undefined: libvirt.NewConnect
/tmp/scan-all/baremetal-operator-release-0.8/test/createVM/main.go:249:11: undefined: libvirt.NETWORK_UPDATE_COMMAND_ADD_LAST
/tmp/scan-all/baremetal-operator-release-0.8/test/createVM/main.go:250:11: undefined: libvirt.NETWORK_SECTION_IP_DHCP_HOST
/tmp/scan-all/baremetal-operator-release-0.8/test/createVM/main.go:253:11: undefined: libvirt.NETWORK_UPDATE_AFFECT_LIVE
/tmp/scan-all/baremetal-operator-release-0.8/test/createVM/main.go:253:46: undefined: libvirt.NETWORK_UPDATE_AFFECT_CONFIG

For details on package patterns, see https://pkg.go.dev/cmd/go#hdr-Package_lists_and_patterns.

(the Go toolchain is required)
╭─────────────────────────────────────┬──────┬───────────┬──────────────────┬─────────┬───────────────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE          │ VERSION │ SOURCE            │
├─────────────────────────────────────┼──────┼───────────┼──────────────────┼─────────┼───────────────────┤
│ https://osv.dev/GO-2024-3333        │ 8.7  │ Go        │ golang.org/x/net │ 0.28.0  │ test/go.mod       │
│ https://osv.dev/GHSA-w32m-9786-jp63 │      │           │                  │         │                   │
├─────────────────────────────────────┼──────┼───────────┼──────────────────┼─────────┼───────────────────┤
│ Uncalled vulnerabilities            │      │           │                  │         │                   │
├─────────────────────────────────────┼──────┼───────────┼──────────────────┼─────────┼───────────────────┤
│ https://osv.dev/GO-2024-3333        │ 8.7  │ Go        │ golang.org/x/net │ 0.23.0  │ apis/go.mod       │
│ https://osv.dev/GHSA-w32m-9786-jp63 │      │           │                  │         │                   │
│ https://osv.dev/GO-2024-3333        │ 8.7  │ Go        │ golang.org/x/net │ 0.28.0  │ go.mod            │
│ https://osv.dev/GHSA-w32m-9786-jp63 │      │           │                  │         │                   │
│ https://osv.dev/GO-2024-3333        │ 8.7  │ Go        │ golang.org/x/net │ 0.23.0  │ hack/tools/go.mod │
│ https://osv.dev/GHSA-w32m-9786-jp63 │      │           │                  │         │                   │
╰─────────────────────────────────────┴──────┴───────────┴──────────────────┴─────────┴───────────────────╯
❯ osv-scanner --version
osv-scanner version: 1.9.2
commit: n/a
built at: n/a

Can we reopen this?

@hogo6002 hogo6002 reopened this Dec 20, 2024
@another-rex
Collaborator

It looks like we disable CGO specifically in our govulncheck calls as it was not supported. With the latest version of govulncheck it seems to work fine now (C code is ignored I believe), should be a relatively simple fix.

another-rex added a commit that referenced this issue Jan 7, 2025
#1443 

This will solve the above issue, but let's not close it until the
release is out.

The disabling CGO env flag can be removed as it seems like govulncheck
will successfully analyse CGO projects, just not actually do analysis on
the C parts.

The comment about: 
> This still leaves govulncheck enabled for non C related calls.

It is only partially true, as if the C parts are required to compile the
application, if CGO is disabled, it cannot compile successfully.

We'll need to cherrypick this change into `main` after this is merged.
@tuminoid
Author

tuminoid commented Jan 8, 2025

Thanks for the fix! I've verified versus our problematic code base that this actually solves the issue with CGO.

However, I'm noting this was only merged to v1 branch and not main. Main is still broken in this regard.
