autocrlf issue when performing c++ package analysis on windows system #657

Open
ErsiaJin opened this issue Nov 15, 2023 · 3 comments
Labels
backlog Important but currently unprioritized bug Something isn't working stale The issue or PR is stale and pending automated closure

Comments


ErsiaJin commented Nov 15, 2023

Hi. Thank you for distributing such a great tool.

I checked out this post and did some testing on a few projects.
- https://osv.dev/blog/posts/introducing-broad-c-c++-support/

However, I discovered a case where the test results for the same project were different.

Problem

In a Windows environment, there are cases where vulnerabilities cannot be discovered due to the autocrlf setting when checking out git.

Why is it a problem

This problem is caused by git's CRLF option, so it is not an OSV-Scanner issue.
However, since this is an option that can cause user error, I personally think that it should be supported regardless of LF / CRLF, or at least be specified in the documentation.
If used without knowing the settings, users may hastily conclude that OSV-Scanner does not find vulnerabilities.

Test Environment

OS

Windows 11 Pro 64-bit (10.0, Build 22621) (22621.ni_release.220506-1250)

Git Version

ersia@MINGW64 ~/source/Repos/test $ git --version
git version 2.40.1.windows.1

OSV-Scanner Version

ersia@MINGW64 ~/source/Repos/test $ osv-scanner.exe -v
osv-scanner version: 1.4.3
commit: 6316373
built at: 2023-11-02T00:53:14Z

Issue testing

mkdir test; cd test;
git clone https://github.com/opencv/opencv.git
cd opencv;

Windows CRLF

git config --global core.autocrlf true;
git config --global core.autocrlf;
git config core.autocrlf;
rm -rf 3rdparty;
git checkout 3rdparty;
osv-scanner.exe -r 3rdparty;
ersia@MINGW64 ~/source/Repos/test $ cd opencv
ersia@MINGW64 ~/source/Repos/test/opencv $ rm -rf 3rdparty;
ersia@MINGW64 ~/source/Repos/test/opencv $ 
ersia@MINGW64 ~/source/Repos/test/opencv $ git config --global core.autocrlf true;
git config --global core.autocrlf;
git config core.autocrlf;
true
true
ersia@MINGW64 ~/source/Repos/test/opencv $ 
ersia@MINGW64 ~/source/Repos/test/opencv $ git checkout 3rdparty;
Updated 1345 paths from the index
ersia@MINGW64 ~/source/Repos/test/opencv $ 
ersia@MINGW64 ~/source/Repos/test/opencv $
ersia@MINGW64 ~/source/Repos/test/opencv $ osv-scanner.exe -r 3rdparty;
Scanning dir 3rdparty
Scanning directory for vendored libs: C:\Users\ersia\source\Repos\test\opencv\3rdparty
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\carotene
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\cpufeatures
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\ffmpeg
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\flatbuffers
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\include
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\ippicv
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\ittnotify
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libjasper
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libjpeg
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libjpeg-turbo
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libpng
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libspng
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libtiff
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libtim-vx
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libwebp
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\openexr
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\openjpeg
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\openvx
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\protobuf
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\quirc
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\tbb
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\zlib
No package sources found, --help for usage information.

Linux LF

git config --global core.autocrlf input;
git config --global core.autocrlf;
git config core.autocrlf;
rm -rf ./3rdparty;
git checkout 3rdparty;
osv-scanner.exe -r 3rdparty;
ersia@MINGW64 ~/source/Repos/test/opencv $ git config --global core.autocrlf input;
git config --global core.autocrlf;
git config core.autocrlf;
input
input
ersia@MINGW64 ~/source/Repos/test/opencv $ 
ersia@MINGW64 ~/source/Repos/test/opencv $ rm -rf ./3rdparty
ersia@MINGW64 ~/source/Repos/test/opencv $ 
ersia@MINGW64 ~/source/Repos/test/opencv $ git checkout 3rdparty
Updated 1345 paths from the index
ersia@MINGW64 ~/source/Repos/test/opencv $ osv-scanner.exe -r 3rdparty;
Scanning dir 3rdparty
Scanning directory for vendored libs: C:\Users\ersia\source\Repos\test\opencv\3rdparty
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\carotene
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\cpufeatures
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\ffmpeg
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\flatbuffers
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\include
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\ippicv
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\ittnotify
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libjasper
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libjpeg
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\libjpeg as https://github.com/libjpeg-turbo/libjpeg-turbo at 9fc018fd1aa9598f21c9bc4d8d53c0cef007bdcf.
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libjpeg-turbo
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\libjpeg-turbo as https://github.com/libjpeg-turbo/libjpeg-turbo at c5f269eb9665435271c05fbcaf8721fa58e9eafa.
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libpng
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\libpng as https://github.com/glennrp/libpng.git at a40189cf881e9f0db80511c382292a5604c3c3d1.
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libspng
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libtiff
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\libtiff as https://gitlab.com/libtiff/libtiff at 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99.
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libtim-vx
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libwebp
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\libwebp as https://chromium.googlesource.com/webm/libwebp at fd7bb21c0cb56e8a82e9bfa376164b842f433f3b.
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\openexr
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\openexr as https://github.com/AcademySoftwareFoundation/openexr at 0ac2ea34c8f3134148a5df4052e40f155b76f6fb.
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\openjpeg
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\openjpeg as https://github.com/uclouvain/openjpeg at a5891555eb49ed7cc26b2901ea680acda136d811.
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\openvx
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\protobuf
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\protobuf as https://github.com/protocolbuffers/protobuf at 7c40b2df1fdf6f414c1c18c789715a9c948a0725.
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\quirc
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\tbb
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\zlib
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\zlib as https://github.com/madler/zlib at 04f42ceca40f73e2978b50e93806c2a18c1281fc.
╭────────────────────────────────┬──────┬───────────┬─────────────────────┬─────────────────────┬───────────────────╮
│ OSV URL                        │ CVSS │ ECOSYSTEM │ PACKAGE             │ VERSION             │ SOURCE            │
├────────────────────────────────┼──────┼───────────┼─────────────────────┴─────────────────────┼───────────────────┤
│ https://osv.dev/CVE-2021-20205 │ 6.5  │ GIT       │  9fc018fd1aa9598f21c9bc4d8d53c0cef007bdcf │ 3rdparty\libjpeg  │
│ https://osv.dev/CVE-2021-29390 │ 7.1  │ GIT       │  9fc018fd1aa9598f21c9bc4d8d53c0cef007bdcf │ 3rdparty\libjpeg  │
│ https://osv.dev/CVE-2021-46822 │ 5.5  │ GIT       │  9fc018fd1aa9598f21c9bc4d8d53c0cef007bdcf │ 3rdparty\libjpeg  │
│ https://osv.dev/CVE-2022-3857  │ 5.5  │ GIT       │  a40189cf881e9f0db80511c382292a5604c3c3d1 │ 3rdparty\libpng   │
│ https://osv.dev/CVE-2022-0561  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-0562  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-0865  │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-0891  │ 7.1  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-0907  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-0908  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-0909  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-0924  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-1056  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-1210  │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-1354  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-1355  │ 6.1  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-1622  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-1623  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-2056  │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-2057  │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-2058  │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-2867  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-2868  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-2869  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-34526 │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-3970  │ 8.8  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-40090 │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-4645  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-0804  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-1916  │ 6.1  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-25433 │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-25434 │ 8.8  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-25435 │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-26965 │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-26966 │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-2731  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-2908  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-30775 │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-3576  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-3618  │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-40745 │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-41175 │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-4863  │ 8.8  │ GIT       │  fd7bb21c0cb56e8a82e9bfa376164b842f433f3b │ 3rdparty\libwebp  │
│ https://osv.dev/CVE-2018-18443 │ 4.3  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2018-18444 │ 8.8  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-11758 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-11759 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-11760 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-11761 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-11762 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-11763 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-11764 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-11765 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-15304 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-15305 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-15306 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-16587 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-16588 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-16589 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-20298 │ 7.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-20299 │ 7.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-20300 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-20302 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-20303 │ 6.1  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-20304 │ 7.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-23169 │ 8.8  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-23215 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-26260 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-26945 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-3598  │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-3605  │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-3933  │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-3941  │ 6.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/OSV-2022-416   │      │ GIT       │  a5891555eb49ed7cc26b2901ea680acda136d811 │ 3rdparty\openjpeg │
│ https://osv.dev/CVE-2021-22569 │ 5.5  │ GIT       │  7c40b2df1fdf6f414c1c18c789715a9c948a0725 │ 3rdparty\protobuf │
│ https://osv.dev/CVE-2022-3509  │ 7.5  │ GIT       │  7c40b2df1fdf6f414c1c18c789715a9c948a0725 │ 3rdparty\protobuf │
│ https://osv.dev/CVE-2022-3510  │ 7.5  │ GIT       │  7c40b2df1fdf6f414c1c18c789715a9c948a0725 │ 3rdparty\protobuf │
│ https://osv.dev/CVE-2023-45853 │ 9.8  │ GIT       │  04f42ceca40f73e2978b50e93806c2a18c1281fc │ 3rdparty\zlib     │
╰────────────────────────────────┴──────┴───────────┴───────────────────────────────────────────┴───────────────────╯

Probable cause

Although the exact internal logic has not been analyzed, it is presumed that packages are searched based on hash values at the file and directory level.
At this time, it is expected that package search will not be possible because the hash value is different due to the autocrlf setting.

@oliverchang oliverchang added the bug Something isn't working label Nov 15, 2023
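The failure mode the issue describes, reproduced on a constructed tree as an added example (not OSV-Scanner's code and not part of the original post): file hashes taken from a CRLF checkout miss an index built from LF content, and match again once line endings are normalized. SHA-256, the extension list and the sample files are assumptions; the page does not state which hash OSV-Scanner uses.

```python
import hashlib
import os
import tempfile

# Assumption: extensions treated as C/C++ sources here, not OSV-Scanner's own list.
SOURCE_EXTS = {".c", ".h", ".cc", ".cpp", ".hpp"}


def digest(data: bytes) -> str:
    # SHA-256 is an illustrative choice; the scanner's real hash is not stated on the page.
    return hashlib.sha256(data).hexdigest()


def audit_tree(root: str) -> dict:
    """Map relative path -> (digest of on-disk bytes, digest after CRLF -> LF)."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SOURCE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:  # binary mode: no newline translation
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            out[rel] = (digest(data), digest(data.replace(b"\r\n", b"\n")))
    return out


def crlf_converted(root: str) -> list:
    """Files whose on-disk hash differs from their LF form; hash lookups miss these."""
    return sorted(p for p, (raw, lf) in audit_tree(root).items() if raw != lf)


def build_sample(root: str, eol: str) -> None:
    """Write a constructed two-file vendored directory with the given line ending."""
    files = {
        "zlib/adler32.c": ["/* constructed sample */", "int adler(void) { return 1; }", ""],
        "zlib/zutil.h": ["#ifndef ZUTIL_H", "#define ZUTIL_H", "#endif", ""],
    }
    for rel, lines in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(eol.join(lines).encode("ascii"))


def demo() -> tuple:
    with tempfile.TemporaryDirectory() as lf_dir, tempfile.TemporaryDirectory() as crlf_dir:
        build_sample(lf_dir, "\n")       # bytes as stored upstream
        build_sample(crlf_dir, "\r\n")   # bytes after a core.autocrlf=true checkout
        known = {raw for raw, _ in audit_tree(lf_dir).values()}  # stand-in hash index
        checkout = audit_tree(crlf_dir)
        raw_hits = sum(raw in known for raw, _ in checkout.values())
        lf_hits = sum(lf in known for _, lf in checkout.values())
        return raw_hits, lf_hits, crlf_converted(crlf_dir), crlf_converted(lf_dir)


if __name__ == "__main__":
    print(demo())
```

Running `crlf_converted` on a checkout before a scan shows whether an empty result may come from line-ending conversion rather than from the absence of known-vulnerable code. Blind normalization would mis-hash any file that upstream itself stores with CRLF, so it is a diagnostic, not a drop-in fix.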

This issue has not had any activity for 60 days and will be automatically closed in two weeks

@github-actions github-actions bot added the stale The issue or PR is stale and pending automated closure label Jul 20, 2024

github-actions bot commented Aug 3, 2024

Automatically closing stale issue

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Aug 3, 2024
@another-rex another-rex removed the stale The issue or PR is stale and pending automated closure label Aug 5, 2024
@another-rex another-rex reopened this Aug 5, 2024

github-actions bot commented Oct 4, 2024

This issue has not had any activity for 60 days and will be automatically closed in two weeks

See https://github.com/google/osv-scanner/blob/main/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.

@github-actions github-actions bot added the stale The issue or PR is stale and pending automated closure label Oct 4, 2024
@another-rex another-rex added the backlog Important but currently unprioritized label Oct 4, 2024