

filter out unimportant vulnerabilities from vuln group (#1072)
#968 only filters out
unimportant vulnerabilities from `pkgVulns.Vulnerabilities` but not from
`pkgVulns.Groups`. This causes some unimportant vulnerabilities to still
appear in the scanner output.
Fixing this issue by ignoring all unimportant vulnerability groups.
hogo6002 authored Jun 27, 2024
1 parent e619fcc commit 4fa2fa4
Showing 2 changed files with 15 additions and 25 deletions.
18 changes: 0 additions & 18 deletions cmd/osv-scanner/__snapshots__/main_test.snap
Expand Up @@ -1045,7 +1045,6 @@ Filtered 15 vulnerabilities from output
| https://osv.dev/DSA-4685-1 | | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-4808-1 | | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2016-2781 | 6.5 | Debian | coreutils | 8.26-3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2017-18018 | 4.7 | Debian | coreutils | 8.26-3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3482-1 | | Debian | debian-archive-keyring | 2017.5+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3022-1 | | Debian | dpkg | 1.18.25 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5147-1 | | Debian | dpkg | 1.18.25 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
Expand All @@ -1058,12 +1057,9 @@ Filtered 15 vulnerabilities from output
| https://osv.dev/GHSA-xr7r-f8xq-vfvv | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-p782-xgp4-8hr8 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5122-1 | | Debian | gzip | 1.6-5+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2018-1000654 | 5.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3263-1 | | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2017-18258 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2018-14404 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2020-24977 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2024-34459 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3012-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3172-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3405-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
Expand Down Expand Up @@ -1098,10 +1094,6 @@ Filtered 15 vulnerabilities from output
| https://osv.dev/DLA-3651-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3764-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5135-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2005-2541 | | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2019-9923 | 7.5 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2021-20193 | 5.5 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2022-48303 | 5.5 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3755-1 | | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
Expand All @@ -1110,7 +1102,6 @@ Filtered 15 vulnerabilities from output
| https://osv.dev/DLA-3412-1 | | Debian | tzdata | 2021a-0+deb9u3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3684-1 | | Debian | tzdata | 2021a-0+deb9u3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3788-1 | | Debian | tzdata | 2021a-0+deb9u3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2022-0563 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3782-1 | | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5055-1 | | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5650-1 | | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
Expand Down Expand Up @@ -1138,7 +1129,6 @@ Filtered 15 vulnerabilities from output
| https://osv.dev/DSA-4685-1 | | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-4808-1 | | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2016-2781 | 6.5 | Debian | coreutils | 8.26-3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2017-18018 | 4.7 | Debian | coreutils | 8.26-3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3482-1 | | Debian | debian-archive-keyring | 2017.5+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3022-1 | | Debian | dpkg | 1.18.25 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5147-1 | | Debian | dpkg | 1.18.25 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
Expand All @@ -1151,12 +1141,9 @@ Filtered 15 vulnerabilities from output
| https://osv.dev/GHSA-xr7r-f8xq-vfvv | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-p782-xgp4-8hr8 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5122-1 | | Debian | gzip | 1.6-5+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2018-1000654 | 5.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3263-1 | | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2017-18258 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2018-14404 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2020-24977 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2024-34459 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3012-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3172-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3405-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
Expand Down Expand Up @@ -1191,10 +1178,6 @@ Filtered 15 vulnerabilities from output
| https://osv.dev/DLA-3651-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3764-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5135-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2005-2541 | | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2019-9923 | 7.5 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2021-20193 | 5.5 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2022-48303 | 5.5 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3755-1 | | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
Expand All @@ -1203,7 +1186,6 @@ Filtered 15 vulnerabilities from output
| https://osv.dev/DLA-3412-1 | | Debian | tzdata | 2021a-0+deb9u3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3684-1 | | Debian | tzdata | 2021a-0+deb9u3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3788-1 | | Debian | tzdata | 2021a-0+deb9u3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2022-0563 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3782-1 | | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5055-1 | | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5650-1 | | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
22 changes: 15 additions & 7 deletions pkg/osvscanner/osvscanner.go
Expand Up @@ -696,6 +696,16 @@ func filterPackageVulns(r reporter.Reporter, pkgVulns models.PackageVulns, confi
return pkgVulns
}
ignoredVulns := map[string]struct{}{}

// Ignores all unimportant vulnerabilities.
for _, vuln := range pkgVulns.Vulnerabilities {
if isUnimportant(pkgVulns.Package.Ecosystem, vuln.Affected) {
// Track the count of all unimportant vulnerabilities, including duplicate vulnerabilities from different packages.
*unimportantCount++
ignoredVulns[vuln.ID] = struct{}{}
}
}

// Iterate over groups first to remove all aliases of ignored vulnerabilities.
var newGroups []models.GroupInfo
for _, group := range pkgVulns.Groups {
Expand All @@ -718,6 +728,11 @@ func filterPackageVulns(r reporter.Reporter, pkgVulns models.PackageVulns, confi

break
}

if _, unimportant := ignoredVulns[id]; unimportant {
r.Verbosef("%s has been filtered out due to its unimportance.\n", id)
ignore = true
}
}
if !ignore {
newGroups = append(newGroups, group)
Expand All @@ -727,13 +742,6 @@ func filterPackageVulns(r reporter.Reporter, pkgVulns models.PackageVulns, confi
var newVulns []models.Vulnerability
if len(newGroups) > 0 { // If there are no groups left then there would be no vulnerabilities.
for _, vuln := range pkgVulns.Vulnerabilities {
if isUnimportant(pkgVulns.Package.Ecosystem, vuln.Affected) {
*unimportantCount++
r.Verbosef("%s has been filtered out due to its unimportance.\n", vuln.ID)

continue
}

if _, filtered := ignoredVulns[vuln.ID]; !filtered {
newVulns = append(newVulns, vuln)
}
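Review bot: The new `ignoredVulns[id]` check in the group loop sets `ignore = true` and drops the whole group, but only the unimportant ID itself was put into `ignoredVulns` by the first added loop, so the final `for _, vuln := range pkgVulns.Vulnerabilities` loop still keeps any other alias of that group that is not itself unimportant; `Vulnerabilities` and `Groups` can then disagree again, which is the class of mismatch this commit is fixing. If the config-ignore branch just above (its body is outside the hunk) records every alias of the dropped group in `ignoredVulns`, the unimportant branch should do the same before setting `ignore`, e.g. `for _, alias := range <group alias list> { ignoredVulns[alias] = struct{}{} }`, or the group should be dropped only when all of its aliases are unimportant, and a comment stating which policy is intended belongs at the new check. Separately, the new branch has no `break`, so a group with several unimportant aliases emits the `has been filtered out due to its unimportance` line once per alias, and a group already ignored by config may still be logged as unimportant; a `break` after `ignore = true` or a comment saying the repeated output is intended would settle it. filterPackageVulns and the `for _, group := range pkgVulns.Groups` loop both start outside the hunk.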
