⚠️ OSV scanner integration (#2509)

* Improve OSV scanning integration (squashed)

Signed-off-by: Rex P <rexpan@google.com>

* Add support for grouping vulnerabilities and aliases

Signed-off-by: Rex P <rexpan@google.com>

* Updated documentation, spit vulnerability output to multiple warnings

Signed-off-by: Rex P <rexpan@google.com>

* Updated documentation, spit vulnerability output to multiple warnings

Signed-off-by: Rex P <rexpan@google.com>

* Add its own codebase into docs

Signed-off-by: Rex P <rexpan@google.com>

* Update scorecard test to not prevent known vulns

Signed-off-by: Rex P <rexpan@google.com>

Signed-off-by: Rex P <rexpan@google.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

Author: another-rex

.gitignore

@@ -42,6 +42,7 @@ e2e-coverage.out
 .vscode/
 *.iml
 .idea
+.history
 
 # tools
 bin

checker/client.go

@@ -45,7 +45,7 @@ func GetClients(ctx context.Context, repoURI, localURI string, logger *log.Logge
 			localdir.CreateLocalDirClient(ctx, logger), /*repoClient*/
 			nil, /*ossFuzzClient*/
 			nil, /*ciiClient*/
-			nil, /*vulnClient*/
+			clients.DefaultVulnerabilitiesClient(), /*vulnClient*/
 			retErr
 	}
 

checks/evaluation/vulnerabilities.go

@@ -18,6 +18,8 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/google/osv-scanner/pkg/grouper"
+
 	"github.com/ossf/scorecard/v4/checker"
 	sce "github.com/ossf/scorecard/v4/errors"
 )
@@ -31,21 +33,25 @@ func Vulnerabilities(name string, dl checker.DetailLogger,
 		return checker.CreateRuntimeErrorResult(name, e)
 	}
 
-	score := checker.MaxResultScore
-	IDs := []string{}
+	aliasVulnerabilities := []grouper.IDAliases{}
 	for _, vuln := range r.Vulnerabilities {
-		IDs = append(IDs, vuln.ID)
-		score--
+		aliasVulnerabilities = append(aliasVulnerabilities, grouper.IDAliases(vuln))
 	}
 
+	IDs := grouper.Group(aliasVulnerabilities)
+	score := checker.MaxResultScore - len(IDs)
+
 	if score < checker.MinResultScore {
 		score = checker.MinResultScore
 	}
 
 	if len(IDs) > 0 {
-		dl.Warn(&checker.LogMessage{
-			Text: fmt.Sprintf("HEAD is vulnerable to %s", strings.Join(IDs, ", ")),
-		})
+		for _, v := range IDs {
+			dl.Warn(&checker.LogMessage{
+				Text: fmt.Sprintf("Project is vulnerable to: %s", strings.Join(v.IDs, " / ")),
+			})
+		}
+
 		return checker.CreateResultWithScore(name,
 			fmt.Sprintf("%v existing vulnerabilities detected", len(IDs)), score)
 	}

checks/raw/vulnerabilities.go

@@ -23,18 +23,19 @@ import (
 
 // Vulnerabilities retrieves the raw data for the Vulnerabilities check.
 func Vulnerabilities(c *checker.CheckRequest) (checker.VulnerabilitiesData, error) {
+	commitHash := ""
 	commits, err := c.RepoClient.ListCommits()
-	if err != nil {
-		return checker.VulnerabilitiesData{}, fmt.Errorf("repoClient.ListCommits: %w", err)
+	if err == nil && len(commits) > 0 && !allOf(commits, hasEmptySHA) {
+		commitHash = commits[0].SHA
 	}
 
-	if len(commits) < 1 || allOf(commits, hasEmptySHA) {
-		return checker.VulnerabilitiesData{}, nil
+	localPath, err := c.RepoClient.LocalPath()
+	if err != nil {
+		return checker.VulnerabilitiesData{}, fmt.Errorf("RepoClient.LocalPath: %w", err)
 	}
-
-	resp, err := c.VulnerabilitiesClient.HasUnfixedVulnerabilities(c.Ctx, commits[0].SHA)
+	resp, err := c.VulnerabilitiesClient.ListUnfixedVulnerabilities(c.Ctx, commitHash, localPath)
 	if err != nil {
-		return checker.VulnerabilitiesData{}, fmt.Errorf("vulnerabilitiesClient.HasUnfixedVulnerabilities: %w", err)
+		return checker.VulnerabilitiesData{}, fmt.Errorf("vulnerabilitiesClient.ListUnfixedVulnerabilities: %w", err)
 	}
 	return checker.VulnerabilitiesData{
 		Vulnerabilities: resp.Vulnerabilities,

checks/raw/vulnerabilities_test.go

@@ -85,9 +85,13 @@ func TestVulnerabilities(t *testing.T) {
 				return []clients.Commit{{SHA: "test"}}, nil
 			}).AnyTimes()
 
+			mockRepo.EXPECT().LocalPath().DoAndReturn(func() (string, error) {
+				return "test_path", nil
+			}).AnyTimes()
+
 			mockVulnClient := mockrepo.NewMockVulnerabilitiesClient(ctrl)
-			mockVulnClient.EXPECT().HasUnfixedVulnerabilities(context.TODO(), gomock.Any()).DoAndReturn(
-				func(ctx context.Context, repo string) (clients.VulnerabilitiesResponse, error) {
+			mockVulnClient.EXPECT().ListUnfixedVulnerabilities(context.TODO(), gomock.Any(), gomock.Any()).DoAndReturn(
+				func(ctx context.Context, commit string, localPath string) (clients.VulnerabilitiesResponse, error) {
 					if tt.vulnsError {
 						//nolint
 						return clients.VulnerabilitiesResponse{}, errors.New("error")

checks/vulnerabilities.go

@@ -28,6 +28,7 @@ const CheckVulnerabilities = "Vulnerabilities"
 func init() {
 	supportedRequestTypes := []checker.RequestType{
 		checker.CommitBased,
+		checker.FileBased,
 	}
 	if err := registerCheck(CheckVulnerabilities, Vulnerabilities, supportedRequestTypes); err != nil {
 		// this should never happen

checks/vulnerabilities_test.go

@@ -55,9 +55,13 @@ func TestVulnerabilities(t *testing.T) {
 				return []clients.Commit{{SHA: "test"}}, nil
 			}).MinTimes(1)
 
+			mockRepo.EXPECT().LocalPath().DoAndReturn(func() (string, error) {
+				return "test_path", nil
+			}).AnyTimes()
+
 			mockVulnClient := mockrepo.NewMockVulnerabilitiesClient(ctrl)
-			mockVulnClient.EXPECT().HasUnfixedVulnerabilities(context.TODO(), gomock.Any()).DoAndReturn(
-				func(ctx context.Context, repo string) (clients.VulnerabilitiesResponse, error) {
+			mockVulnClient.EXPECT().ListUnfixedVulnerabilities(context.TODO(), gomock.Any(), gomock.Any()).DoAndReturn(
+				func(ctx context.Context, commit string, localPath string) (clients.VulnerabilitiesResponse, error) {
 					return tt.expected, tt.err
 				}).MinTimes(1)
 

clients/githubrepo/client.go

@@ -130,6 +130,11 @@ func (client *Client) URI() string {
 	return fmt.Sprintf("github.com/%s/%s", client.repourl.owner, client.repourl.repo)
 }
 
+// LocalPath implements RepoClient.LocalPath.
+func (client *Client) LocalPath() (string, error) {
+	return client.tarball.getLocalPath()
+}
+
 // ListFiles implements RepoClient.ListFiles.
 func (client *Client) ListFiles(predicate func(string) (bool, error)) ([]string, error) {
 	return client.tarball.listFiles(predicate)

clients/githubrepo/tarball.go

@@ -243,6 +243,17 @@ func (handler *tarballHandler) listFiles(predicate func(string) (bool, error)) (
 	return ret, nil
 }
 
+func (handler *tarballHandler) getLocalPath() (string, error) {
+	if err := handler.setup(); err != nil {
+		return "", fmt.Errorf("error during tarballHandler.setup: %w", err)
+	}
+	absTempDir, err := filepath.Abs(handler.tempDir)
+	if err != nil {
+		return "", fmt.Errorf("error during filepath.Abs: %w", err)
+	}
+	return absTempDir, nil
+}
+
 func (handler *tarballHandler) getFileContent(filename string) ([]byte, error) {
 	if err := handler.setup(); err != nil {
 		return nil, fmt.Errorf("error during tarballHandler.setup: %w", err)

clients/gitlabrepo/client.go

@@ -136,6 +136,10 @@ func (client *Client) URI() string {
 	return fmt.Sprintf("%s/%s/%s", client.repourl.hostname, client.repourl.owner, client.repourl.projectID)
 }
 
+func (client *Client) LocalPath() (string, error) {
+	return "", nil
+}
+
 func (client *Client) ListFiles(predicate func(string) (bool, error)) ([]string, error) {
 	return nil, nil
 }