BUG: Vulnerabilities check crashes if a vulnerable dependency is found via OSVScanner

[pnacht]

See https://api.securityscorecards.dev/projects/github.com/nebraska-dev/cronk

{
  "name":"Vulnerabilities",
  "score":-1,
  "reason":"internal error: vulnerabilitiesClient.ListUnfixedVulnerabilities: osvscanner.DoScan: vulnerabilities found",
  "details":null,
  "documentation": {
    "short":"Determines if the project has open, known unfixed vulnerabilities.", 
    "url": "https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#vulnerabilities"
}

The project has two vulnerable dependencies (requirements.txt).

Running on the CLI works:

$ scorecard --repo=nebraska-dev/cronk
# ...
| 8 / 10  | Vulnerabilities        | 2 existing vulnerabilities     | https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities        |
|         |                        | detected                       |                                                                                   |

[laurentsimon]

@another-rex can you help troubleshoot the problem?

[laurentsimon]

mhh, sorry. The CLI seems to be working just fine, and the problem may be in the cron job. @spencerschrock any ideas?

[spencerschrock]

Those API results are recent, and the cron is currently paused. So the problem is with the scorecard action:

https://github.com/nebraska-dev/cronk/actions/runs/4207314787/jobs/7301950046

[pnacht]

Ah yes, sorry, I didn't make that clear in the issue. These results are from publishing with the Action. This is a toy project I'm developing, it's certainly not even on the cronjob's list.

[spencerschrock]

osvscanner returns an error when vulns are found
https://github.com/google/osv-scanner/blob/5f1716cf32821d93f1b01afb558e32858ad30415/pkg/osvscanner/osvscanner.go#L467

which we're not handling:
https://github.com/ossf/scorecard/blob/db6a26eb46e298b5b0d91702023d2243899502af/clients/osv.go#L49

Not immediately clear to me why it's working on the CLI

[spencerschrock]

The version we pin in Scorecard's go.mod doesn't have the error returned when vulns are found:
https://github.com/google/osv-scanner/blob/8aef1778b823497786296aca5595485ddac74943/pkg/osvscanner/osvscanner.go

The scorecard-action go.mod has osv-scanner pinned differently:
https://github.com/ossf/scorecard-action/blob/e38b1902ae4f44df626f11ba0734b14fb91f8f86/go.mod

github.com/google/osv-scanner v1.0.1 // indirect

and osv-scanner v1.0.1 does have the new behavior:
https://github.com/google/osv-scanner/blob/a6c6cd756e0cf4fd858398976208145cb23e707b/pkg/osvscanner/osvscanner.go

[another-rex]

Might want to reopen this, as it is not quite fixed yet until the scorecard action is also updated.

[spencerschrock]

v2.1.3 has been released which has this fix.