Skip to content

Commit

Permalink
Scan submodules too. (#581)
Browse files Browse the repository at this point in the history
Using https://github.com/charlesneimog/pd-server (at cf3f15a) as the
example:

With submodules not initialized:

```
$ go run ./cmd/osv-scanner -r ../pd-server/
Scanning dir ../pd-server/
Scanning /home/apollock/pd-server/ at commit cf3f15a841ca21b53c6de654c9981a30ae0b590c
Scanning submodule src/cpp-httplib at commit 227d2c20509f85a394133e2be6d0b0fc1fda54b2
Scanning submodule pd-lib-builder at commit 5c2e137f7a7a03f4007494954ccb3e23753e7807
Scanning submodule src/json at commit 4c6cde72e533158e044252718c013a48bcff346c
Scanning submodule src/websocketpp at commit 1b11fd301531e6df35a6107c1e8665b1e77a2d8e
╭────────────────────────────────┬──────┬───────────┬─────────────────────┬─────────────────────┬──────────────────────────────╮
│ OSV URL                        │ CVSS │ ECOSYSTEM │ PACKAGE             │ VERSION             │ SOURCE                       │
├────────────────────────────────┼──────┼───────────┼─────────────────────┴─────────────────────┼──────────────────────────────┤
│ https://osv.dev/CVE-2023-26130 │ 8.8  │ GIT       │  227d2c20509f85a394133e2be6d0b0fc1fda54b2 │ ../pd-server/src/cpp-httplib │
╰────────────────────────────────┴──────┴───────────┴───────────────────────────────────────────┴──────────────────────────────╯
exit status 1
```

With submodules initialized:

```
$ go run ./cmd/osv-scanner -r ../pd-server/
Scanning dir ../pd-server/
Scanning /home/apollock/pd-server/ at commit cf3f15a841ca21b53c6de654c9981a30ae0b590c
Scanning submodule src/cpp-httplib at commit 227d2c20509f85a394133e2be6d0b0fc1fda54b2
Scanning submodule pd-lib-builder at commit 5c2e137f7a7a03f4007494954ccb3e23753e7807
Scanning submodule src/json at commit 4c6cde72e533158e044252718c013a48bcff346c
Scanning submodule src/websocketpp at commit 1b11fd301531e6df35a6107c1e8665b1e77a2d8e
Scanned /home/apollock/pd-server/src/json/docs/mkdocs/requirements.txt file and found 49 packages
Scanned /home/apollock/pd-server/src/json/tools/serve_header/requirements.txt file and found 2 packages
╭─────────────────────────────────────┬──────┬───────────┬─────────────────────┬─────────────────────┬────────────────────────────────────────────────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE             │ VERSION             │ SOURCE                                             │
├─────────────────────────────────────┼──────┼───────────┼─────────────────────┴─────────────────────┼────────────────────────────────────────────────────┤
│ https://osv.dev/CVE-2023-26130      │ 8.8  │ GIT       │  227d2c20509f85a394133e2be6d0b0fc1fda54b2 │ ../pd-server/src/cpp-httplib                       │
│ https://osv.dev/GHSA-xqr8-7jwr-rhp7 │ 7.5  │ PyPI      │ certifi             │ 2022.12.7           │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-135      │      │           │                     │                     │                                                    │
│ https://osv.dev/GHSA-v3c5-jqr6-7qm8 │ 7.5  │ PyPI      │ future              │ 0.18.2              │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2022-42991    │      │           │                     │                     │                                                    │
│ https://osv.dev/GHSA-cwvm-v4w8-q58c │ 6.5  │ PyPI      │ gitpython           │ 3.1.29              │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-165      │      │           │                     │                     │                                                    │
│ https://osv.dev/GHSA-hcpj-qp55-gfph │ 8.1  │ PyPI      │ gitpython           │ 3.1.29              │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2022-42992    │      │           │                     │                     │                                                    │
│ https://osv.dev/GHSA-pr76-5cm5-w9cj │ 9.8  │ PyPI      │ gitpython           │ 3.1.29              │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-137      │      │           │                     │                     │                                                    │
│ https://osv.dev/GHSA-wfm5-v35h-vwf4 │ 7.8  │ PyPI      │ gitpython           │ 3.1.29              │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-161      │      │           │                     │                     │                                                    │
│ https://osv.dev/GHSA-mrwq-x4v8-fh7p │ 5.5  │ PyPI      │ pygments            │ 2.13.0              │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-117      │      │           │                     │                     │                                                    │
│ https://osv.dev/GHSA-jh85-wwv9-24hv │ 7.5  │ PyPI      │ pymdown-extensions  │ 9.9                 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/GHSA-j8r2-6x86-q33q │ 6.1  │ PyPI      │ requests            │ 2.28.1              │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-74       │      │           │                     │                     │                                                    │
│ https://osv.dev/GHSA-hj3f-6gcp-jg8j │ 6.1  │ PyPI      │ tornado             │ 6.2                 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-75       │      │           │                     │                     │                                                    │
│ https://osv.dev/GHSA-qppv-j76h-2rpx │      │ PyPI      │ tornado             │ 6.2                 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/GHSA-g4mx-q9vg-27p4 │ 4.2  │ PyPI      │ urllib3             │ 1.26.13             │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-212      │      │           │                     │                     │                                                    │
│ https://osv.dev/GHSA-v845-jxx5-vc9f │ 8.1  │ PyPI      │ urllib3             │ 1.26.13             │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-192      │      │           │                     │                     │                                                    │
╰─────────────────────────────────────┴──────┴───────────┴─────────────────────┴─────────────────────┴────────────────────────────────────────────────────╯
exit status 1
```
  • Loading branch information
andrewpollock authored Oct 30, 2023
1 parent 419a945 commit f819495
Showing 1 changed file with 44 additions and 1 deletion.
45 changes: 44 additions & 1 deletion pkg/osvscanner/osvscanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ import (
"fmt"
"os"
"os/exec"
"path"
"path/filepath"
"strings"

Expand Down Expand Up @@ -349,6 +350,30 @@ func getCommitSHA(repoDir string) (string, error) {
return head.Hash().String(), nil
}

func getSubmodules(repoDir string) (submodules []*git.SubmoduleStatus, err error) {
repo, err := git.PlainOpen(repoDir)
if err != nil {
return nil, err
}
worktree, err := repo.Worktree()
if err != nil {
return nil, err
}
ss, err := worktree.Submodules()
if err != nil {
return nil, err
}
for _, s := range ss {
status, err := s.Status()
if err != nil {
continue
}
submodules = append(submodules, status)
}

return submodules, nil
}

// Scan git repository. Expects repoDir to end with /
func scanGit(r reporter.Reporter, query *osv.BatchedQuery, repoDir string) error {
commit, err := getCommitSHA(repoDir)
Expand All @@ -357,7 +382,25 @@ func scanGit(r reporter.Reporter, query *osv.BatchedQuery, repoDir string) error
}
r.PrintText(fmt.Sprintf("Scanning %s at commit %s\n", repoDir, commit))

return scanGitCommit(query, commit, repoDir)
err = scanGitCommit(query, commit, repoDir)
if err != nil {
return err
}

submodules, err := getSubmodules(repoDir)
if err != nil {
return err
}

for _, s := range submodules {
r.PrintText(fmt.Sprintf("Scanning submodule %s at commit %s\n", s.Path, s.Expected.String()))
err = scanGitCommit(query, s.Expected.String(), path.Join(repoDir, s.Path))
if err != nil {
return err
}
}

return nil
}

func scanGitCommit(query *osv.BatchedQuery, commit string, source string) error {
Expand Down

0 comments on commit f819495

Please sign in to comment.