Add determineversions support #612
Labels: enhancement (New feature or request)
The first version of this can just base the detection on common directory names, e.g. looking for top level subdirectories in

More variations:
This was referenced Oct 26, 2023 (Closed)

oliverchang added a commit that referenced this issue on Oct 30, 2023:
Tested on https://github.com/opencv/opencv

We need to set up an e2e test for this as well (maybe add some submodules + vendored libs to https://github.com/ossf-tests/scorecard-check-osv-e2e).

```
Scanning dir /tmp/opencv
Scanning /tmp/opencv/ at commit e9e6b1e22c1a966a81aca1217b16a51fe7311b3b
Scanning directory for vendored libs: /tmp/opencv/3rdparty
Scanning potential vendored dir: /tmp/opencv/3rdparty/carotene
...
Scanning potential vendored dir: /tmp/opencv/3rdparty/libjpeg
Identified /tmp/opencv/3rdparty/libjpeg as https://github.com/libjpeg-turbo/libjpeg-turbo at 9fc018fd1aa9598f21c9bc4d8d53c0cef007bdcf.
Scanning potential vendored dir: /tmp/opencv/3rdparty/libjpeg-turbo
Identified /tmp/opencv/3rdparty/libjpeg-turbo as https://github.com/libjpeg-turbo/libjpeg-turbo at c5f269eb9665435271c05fbcaf8721fa58e9eafa.
Scanning potential vendored dir: /tmp/opencv/3rdparty/libpng
...
Scanning potential vendored dir: /tmp/opencv/3rdparty/libwebp
Identified /tmp/opencv/3rdparty/libwebp as https://chromium.googlesource.com/webm/libwebp at fd7bb21c0cb56e8a82e9bfa376164b842f433f3b.
Scanning potential vendored dir: /tmp/opencv/3rdparty/openexr
...
Scanning potential vendored dir: /tmp/opencv/3rdparty/zlib
Scanning directory for vendored libs: /tmp/opencv/modules/core/3rdparty
Scanning potential vendored dir: /tmp/opencv/modules/core/3rdparty/SoftFloat
Scanning directory for vendored libs: /tmp/opencv/modules/features2d/3rdparty
Scanning potential vendored dir: /tmp/opencv/modules/features2d/3rdparty/mscr
Scanned /tmp/opencv/platforms/maven/opencv/pom.xml file and found 0 packages
...
Scanned /tmp/opencv/platforms/maven/opencv-it/pom.xml file and found 12 packages
...

| OSV URL                        | CVSS | ECOSYSTEM | PACKAGE | VERSION                         | SOURCE
+--------------------------------+------+-----------+------------------------------------------+-----------------------------------------------
| https://osv.dev/OSV-2022-394   |      | GIT       | e9e6b1e22c1a966a81aca1217b16a51fe7311b3b | ../../../../../../tmp/opencv
| https://osv.dev/OSV-2023-444   |      | GIT       | e9e6b1e22c1a966a81aca1217b16a51fe7311b3b | ../../../../../../tmp/opencv
| https://osv.dev/CVE-2021-29390 | 7.1  | GIT       | 9fc018fd1aa9598f21c9bc4d8d53c0cef007bdcf | ../../../../../../tmp/opencv/3rdparty/libjpeg
| https://osv.dev/CVE-2021-46822 | 5.5  | GIT       | 9fc018fd1aa9598f21c9bc4d8d53c0cef007bdcf | ../../../../../../tmp/opencv/3rdparty/libjpeg
| https://osv.dev/CVE-2023-4863  | 8.8  | GIT       | fd7bb21c0cb56e8a82e9bfa376164b842f433f3b | ../../../../../../tmp/opencv/3rdparty/libwebp
...
```

I stole a bit of this here: #621 :)
oliverchang added a commit that referenced this issue on Nov 1, 2023:
Fixes #612.

Tested on https://github.com/opencv/opencv

We need to set up an e2e test for this as well (maybe add some submodules + vendored libs to https://github.com/ossf-tests/scorecard-check-osv-e2e).

```
Scanning dir /tmp/opencv
Scanning /tmp/opencv/ at commit e9e6b1e22c1a966a81aca1217b16a51fe7311b3b
Scanning directory for vendored libs: /tmp/opencv/3rdparty
Scanning potential vendored dir: /tmp/opencv/3rdparty/carotene
Scanning potential vendored dir: /tmp/opencv/3rdparty/cpufeatures
Scanning potential vendored dir: /tmp/opencv/3rdparty/ffmpeg
Scanning potential vendored dir: /tmp/opencv/3rdparty/flatbuffers
Scanning potential vendored dir: /tmp/opencv/3rdparty/include
Scanning potential vendored dir: /tmp/opencv/3rdparty/ippicv
Scanning potential vendored dir: /tmp/opencv/3rdparty/ittnotify
Scanning potential vendored dir: /tmp/opencv/3rdparty/libjasper
Scanning potential vendored dir: /tmp/opencv/3rdparty/libjpeg
Identified /tmp/opencv/3rdparty/libjpeg as https://github.com/libjpeg-turbo/libjpeg-turbo at 9fc018fd1aa9598f21c9bc4d8d53c0cef007bdcf.
Scanning potential vendored dir: /tmp/opencv/3rdparty/libjpeg-turbo
Identified /tmp/opencv/3rdparty/libjpeg-turbo as https://github.com/libjpeg-turbo/libjpeg-turbo at c5f269eb9665435271c05fbcaf8721fa58e9eafa.
Scanning potential vendored dir: /tmp/opencv/3rdparty/libpng
Identified /tmp/opencv/3rdparty/libpng as https://github.com/gemini-testing/png-img at 4a9d62598d369566680300c96ec0a22f1dec48c3.
Scanning potential vendored dir: /tmp/opencv/3rdparty/libspng
Scanning potential vendored dir: /tmp/opencv/3rdparty/libtiff
Identified /tmp/opencv/3rdparty/libtiff as https://gitlab.com/libtiff/libtiff at 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99.
Scanning potential vendored dir: /tmp/opencv/3rdparty/libtim-vx
Scanning potential vendored dir: /tmp/opencv/3rdparty/libwebp
Identified /tmp/opencv/3rdparty/libwebp as https://chromium.googlesource.com/webm/libwebp at fd7bb21c0cb56e8a82e9bfa376164b842f433f3b.
Scanning potential vendored dir: /tmp/opencv/3rdparty/openexr
Identified /tmp/opencv/3rdparty/openexr as https://github.com/AcademySoftwareFoundation/openexr at 0ac2ea34c8f3134148a5df4052e40f155b76f6fb.
Scanning potential vendored dir: /tmp/opencv/3rdparty/openjpeg
Identified /tmp/opencv/3rdparty/openjpeg as https://github.com/uclouvain/openjpeg at a5891555eb49ed7cc26b2901ea680acda136d811.
Scanning potential vendored dir: /tmp/opencv/3rdparty/openvx
Scanning potential vendored dir: /tmp/opencv/3rdparty/protobuf
Identified /tmp/opencv/3rdparty/protobuf as https://github.com/protocolbuffers/protobuf at 7c40b2df1fdf6f414c1c18c789715a9c948a0725.
Scanning potential vendored dir: /tmp/opencv/3rdparty/quirc
Scanning potential vendored dir: /tmp/opencv/3rdparty/tbb
Scanning potential vendored dir: /tmp/opencv/3rdparty/zlib
Identified /tmp/opencv/3rdparty/zlib as https://github.com/madler/zlib at 04f42ceca40f73e2978b50e93806c2a18c1281fc.
Scanning directory for vendored libs: /tmp/opencv/modules/core/3rdparty
Scanning potential vendored dir: /tmp/opencv/modules/core/3rdparty/SoftFloat
Scanning directory for vendored libs: /tmp/opencv/modules/features2d/3rdparty
Scanning potential vendored dir: /tmp/opencv/modules/features2d/3rdparty/mscr
Scanned /tmp/opencv/platforms/maven/opencv/pom.xml file and found 0 packages
Failed to resolve version of org.ops4j.pax.exam:pax-exam-container-karaf: property "pax.exam.version" could not be found for "org.opencv:opencv-it"
Failed to resolve version of org.ops4j.pax.exam:pax-exam-junit4: property "pax.exam.version" could not be found for "org.opencv:opencv-it"
Failed to resolve version of ${project.groupId}:opencv: property "project.version" could not be found for "org.opencv:opencv-it"
Scanned /tmp/opencv/platforms/maven/opencv-it/pom.xml file and found 12 packages
Scanned /tmp/opencv/platforms/maven/pom.xml file and found 0 packages
Scanned /tmp/opencv/samples/dnn/dnn_model_runner/dnn_conversion/requirements.txt file and found 11 packages

│ OSV URL                        │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION                         │ SOURCE
├────────────────────────────────┼──────┼───────────┼──────────────────────────────────────────┼───────────────────────────────────────────────
│ https://osv.dev/OSV-2022-394   │      │ GIT       │ e9e6b1e22c1a966a81aca1217b16a51fe7311b3b │ ../../../../../../tmp/opencv
│ https://osv.dev/OSV-2023-444   │      │ GIT       │ e9e6b1e22c1a966a81aca1217b16a51fe7311b3b │ ../../../../../../tmp/opencv
│ https://osv.dev/CVE-2021-29390 │ 7.1  │ GIT       │ 9fc018fd1aa9598f21c9bc4d8d53c0cef007bdcf │ ../../../../../../tmp/opencv/3rdparty/libjpeg
│ https://osv.dev/CVE-2021-46822 │ 5.5  │ GIT       │ 9fc018fd1aa9598f21c9bc4d8d53c0cef007bdcf │ ../../../../../../tmp/opencv/3rdparty/libjpeg
│ https://osv.dev/CVE-2022-1056  │ 5.5  │ GIT       │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff
│ https://osv.dev/CVE-2022-1210  │ 6.5  │ GIT       │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff
│ https://osv.dev/CVE-2022-1354  │ 5.5  │ GIT       │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff
│ https://osv.dev/CVE-2022-1355  │ 6.1  │ GIT       │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff
│ https://osv.dev/CVE-2022-1622  │ 5.5  │ GIT       │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff
│ https://osv.dev/CVE-2022-1623  │ 5.5  │ GIT       │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff
│ https://osv.dev/CVE-2022-3970  │ 8.8  │ GIT       │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff
│ https://osv.dev/CVE-2022-40090 │ 6.5  │ GIT       │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff
│ https://osv.dev/CVE-2023-1916  │ 6.1  │ GIT       │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff
│ https://osv.dev/CVE-2023-25433 │ 5.5  │ GIT       │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff
│ https://osv.dev/CVE-2023-25434 │ 8.8  │ GIT       │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff
│ https://osv.dev/CVE-2023-25435 │ 5.5  │ GIT       │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff
│ https://osv.dev/CVE-2023-26965 │ 5.5  │ GIT       │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff
│ https://osv.dev/CVE-2023-26966 │ 5.5  │ GIT       │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff
│ https://osv.dev/CVE-2023-2731  │ 5.5  │ GIT       │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff
│ https://osv.dev/CVE-2023-2908  │ 5.5  │ GIT       │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff
│ https://osv.dev/CVE-2023-30775 │ 5.5  │ GIT       │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff
│ https://osv.dev/CVE-2023-3576  │ 5.5  │ GIT       │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff
│ https://osv.dev/CVE-2023-3618  │ 6.5  │ GIT       │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff
│ https://osv.dev/CVE-2023-40745 │ 6.5  │ GIT       │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff
│ https://osv.dev/CVE-2023-41175 │ 6.5  │ GIT       │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff
│ https://osv.dev/CVE-2023-4863  │ 8.8  │ GIT       │ fd7bb21c0cb56e8a82e9bfa376164b842f433f3b │ ../../../../../../tmp/opencv/3rdparty/libwebp
│ https://osv.dev/CVE-2018-18443 │ 4.3  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2018-18444 │ 8.8  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2020-11758 │ 5.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2020-11759 │ 5.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2020-11760 │ 5.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2020-11761 │ 5.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2020-11762 │ 5.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2020-11763 │ 5.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2020-11764 │ 5.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2020-11765 │ 5.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2020-15304 │ 5.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2020-15305 │ 5.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2020-15306 │ 5.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2020-16587 │ 5.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2020-16588 │ 5.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2020-16589 │ 5.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2021-20298 │ 7.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2021-20299 │ 7.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2021-20300 │ 5.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2021-20302 │ 5.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2021-20303 │ 6.1  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2021-20304 │ 7.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2021-23169 │ 8.8  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2021-23215 │ 5.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2021-26260 │ 5.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2021-26945 │ 5.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2021-3598  │ 5.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2021-3605  │ 5.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2021-3933  │ 5.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/CVE-2021-3941  │ 6.5  │ GIT       │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr
│ https://osv.dev/OSV-2022-416   │      │ GIT       │ a5891555eb49ed7cc26b2901ea680acda136d811 │ ../../../../../../tmp/opencv/3rdparty/openjpeg
│ https://osv.dev/CVE-2021-22569 │ 5.5  │ GIT       │ 7c40b2df1fdf6f414c1c18c789715a9c948a0725 │ ../../../../../../tmp/opencv/3rdparty/protobuf
│ https://osv.dev/CVE-2022-3509  │ 7.5  │ GIT       │ 7c40b2df1fdf6f414c1c18c789715a9c948a0725 │ ../../../../../../tmp/opencv/3rdparty/protobuf
│ https://osv.dev/CVE-2022-3510  │ 7.5  │ GIT       │ 7c40b2df1fdf6f414c1c18c789715a9c948a0725 │ ../../../../../../tmp/opencv/3rdparty/protobuf
│ https://osv.dev/CVE-2023-45853 │ 9.8  │ GIT       │ 04f42ceca40f73e2978b50e93806c2a18c1281fc │ ../../../../../../tmp/opencv/3rdparty/zlib
```

---------

Co-authored-by: Rex P <[email protected]>
Using https://google.github.io/osv.dev/post-v1-determineversion/ for detecting vendored C/C++ libs.
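The approach this issue describes, candidate directories picked out by common name and then identified through the determineversion API, as an added example in Go (osv-scanner's language). This is example code written for this page, not osv-scanner's implementation. The request and response field names follow the osv.dev determineversion documentation linked above; the directory-name list, the set of hashed extensions, the 0.15 acceptance threshold, the in-memory sample repo and the canned API reply are all assumptions constructed for the example, so it runs offline without calling the service.

```go
package main

import (
	"crypto/md5"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io/fs"
	"path"
	"strings"
	"testing/fstest"
)

// Vendoring directory names and C/C++ extensions to hash; both lists are assumptions for this example.
var vendoredDirNames = map[string]bool{"3rdparty": true, "third_party": true, "vendor": true, "vendored": true, "external": true, "deps": true}
var cSourceExts = map[string]bool{".c": true, ".cc": true, ".cpp": true, ".cxx": true, ".h": true, ".hh": true, ".hpp": true}

// Request and response shapes follow the osv.dev determineversion docs linked in the issue.
type FileHash struct {
	Hash     string `json:"hash"`      // base64 of the raw 16-byte MD5 digest
	FilePath string `json:"file_path"` // relative to the candidate directory
}
type Request struct {
	Name       string     `json:"name"`
	FileHashes []FileHash `json:"file_hashes"`
}
type Match struct {
	Score    float64 `json:"score"`
	RepoInfo struct {
		Address string `json:"address"`
		Commit  string `json:"commit"`
	} `json:"repo_info"`
}

// FindVendoredCandidates returns every directory whose parent has a vendoring-style name, wherever it sits.
func FindVendoredCandidates(fsys fs.FS) ([]string, error) {
	var out []string
	err := fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || !d.IsDir() {
			return walkErr
		}
		if vendoredDirNames[path.Base(path.Dir(p))] {
			out = append(out, p)
			return fs.SkipDir // one candidate per child; its subtree is hashed by BuildRequest
		}
		return nil
	})
	return out, err
}

// BuildRequest hashes every C/C++ file under dir into a determineversion request body.
func BuildRequest(fsys fs.FS, dir string) (Request, error) {
	req := Request{Name: path.Base(dir)}
	err := fs.WalkDir(fsys, dir, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || d.IsDir() || !cSourceExts[strings.ToLower(path.Ext(p))] {
			return walkErr
		}
		data, err := fs.ReadFile(fsys, p)
		if err != nil {
			return err
		}
		sum := md5.Sum(data)
		req.FileHashes = append(req.FileHashes, FileHash{Hash: base64.StdEncoding.EncodeToString(sum[:]), FilePath: strings.TrimPrefix(p, dir+"/")})
		return nil
	})
	return req, err
}

// BestMatch returns the top-scoring match in an API reply and whether it clears an assumed score cut-off.
func BestMatch(body []byte) (Match, bool, error) {
	var resp struct{ Matches []Match `json:"matches"` }
	if err := json.Unmarshal(body, &resp); err != nil {
		return Match{}, false, err
	}
	var best Match
	for _, m := range resp.Matches {
		if m.Score > best.Score {
			best = m
		}
	}
	return best, best.Score >= 0.15, nil // 0.15 is an assumed threshold for low-confidence matches
}

// SampleRepo is a constructed in-memory layout (not real OpenCV); SampleResponse is a constructed API reply.
var SampleRepo = fstest.MapFS{
	"3rdparty/libfoo/foo.c":           {Data: []byte("int foo(void) { return 42; }\n")},
	"3rdparty/libfoo/include/api.hpp": {Data: []byte("#pragma once\nint foo(void);\n")},
	"3rdparty/libfoo/README.md":       {Data: []byte("not hashed\n")},
	"3rdparty/libbar/bar.cc":          {Data: []byte("int bar() { return 1; }\n")},
}
const SampleResponse = `{"matches":[{"score":0.93,"repo_info":{"type":"GIT","address":"https://github.com/example/libfoo","commit":"0123456789abcdef0123456789abcdef01234567"}}]}`

func main() {
	candidates, _ := FindVendoredCandidates(SampleRepo)
	for _, c := range candidates {
		req, _ := BuildRequest(SampleRepo, c)
		body, _ := json.MarshalIndent(req, "", "  ")
		fmt.Printf("POST /v1experimental/determineversion for %s\n%s\n", c, body)
	}
	m, ok, _ := BestMatch([]byte(SampleResponse))
	fmt.Printf("best match %s at %s (accepted: %t)\n", m.RepoInfo.Address, m.RepoInfo.Commit, ok)
}
```

Walking for any directory whose parent is named like a vendoring directory, rather than only the top-level ones, is what picks up nested layouts such as modules/core/3rdparty/SoftFloat in the OpenCV run above. The threshold is only a first filter: the same run identified 3rdparty/libpng as https://github.com/gemini-testing/png-img, a downstream project rather than libpng's own repository, so the repo and commit the API returns should be sanity-checked against what the vendored directory actually contains before its advisories are trusted.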