Container scanning issues after switching to OSV-Scalibr

[hogo6002]

Container scanning is currently unavailable due to our ongoing transition to OSV-Scalibr. We've encountered several issues during this process, including:

• Not able to determine the version of the Ubuntu
  • Version extraction solved by symbolic link handling in osv-scalbr
  • Matching solved by API changes in osv.dev
  • Identify unimportant vulnerabilities from Ubuntu
• Symbolic link handling failures (Solved by handling symbolic links in osv-scalibr)
• Unable to identify vulnerabilities in Go binaries (Solved by properly implementing the Stat() function in osv-scalibr)
• Infinite Loop when attempting to scan nginx
  • Run go run ./cmd/osv-scanner --docker=nginx:1.27.3
  • It will print out a lot of OS id not found or similar, this is fine, this is caused by the symlink issue mentioned above.
  • It will get stuck it seems, or take a very long time, crashes the vscode web terminal even.

Some issues from OSV.dev:

• Ubuntu package matching issue (Update Ubuntu package matching behavior osv.dev#2963)
• Incomplete Debian vulnerability matching (not doing range check)

[oliverchang]

@another-rex do we how to solve the issues mentioned here? IIRC there's some fixes in OSV-Scalibr already that address the Go binary and symlink issues?

[oliverchang]

I ran go run ./cmd/osv-scanner --docker=nginx:1.27.3 from https://github.com/another-rex/osv-scanner/tree/use-scalibr-container-scanning, and it finishes pretty quickly:

...
2025/01/13 15:26:26 os-release[ID] not set, fallback to 'linux'
2025/01/13 15:26:26 os-release[ID] not set, fallback to 'linux'
2025/01/13 15:26:26 os-release[ID] not set, fallback to 'linux'
2025/01/13 15:26:26 os-release[ID] not set, fallback to 'linux'
2025/01/13 15:26:26 os-release[ID] not set, fallback to 'linux'
No issues found