Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

autocrlf issue when performing c++ package analysis on windows system #657

Open
ErsiaJin opened this issue Nov 15, 2023 · 0 comments · May be fixed by #684
Open

autocrlf issue when performing c++ package analysis on windows system #657

ErsiaJin opened this issue Nov 15, 2023 · 0 comments · May be fixed by #684
Labels
bug Something isn't working

Comments

@ErsiaJin
Copy link

ErsiaJin commented Nov 15, 2023
edited

Hi. Thank you for distributing such a great tool.

I checked out this post and did some testing on a few projects.
- https://osv.dev/blog/posts/introducing-broad-c-c++-support/

However, I discovered a case where the test results for the same project were different.

Problem

In a Windows environment, there are cases where vulnerabilities cannot be discovered due to the autocrlf setting when checking out git.

Why is it a problem

This problem is caused by git's CRLF option, so it is not an OSV-Scanner issue.
However, since this is an option that can cause user error, I personally think that it should be supported regardless of LF / CRLF, or at least be specified in the documentation.
If used without knowing the settings, users may hastily conclude that OSV-Scanner does not find vulnerabilities.

Test Environment

OS

Windows 11 Pro 64-bit (10.0, Build 22621) (22621.ni_release.220506-1250)

Git Version

ersia@MINGW64 ~/source/Repos/test $ git --version
git version 2.40.1.windows.1

OSV-Scanner Version

ersia@MINGW64 ~/source/Repos/test $ osv-scanner.exe -v
osv-scanner version: 1.4.3
commit: 6316373
built at: 2023-11-02T00:53:14Z

Issue testing

mkdir test; cd test;
git clone https://github.com/opencv/opencv.git
cd opencv;

Windows CRLF

git config --global core.autocrlf true;
git config --global core.autocrlf;
git config core.autocrlf;
rm -rf 3rdparty;
git checkout 3rdparty;
osv-scanner.exe -r 3rdparty;

ersia@MINGW64 ~/source/Repos/test $ cd opencv
ersia@MINGW64 ~/source/Repos/test/opencv $ rm -rf 3rdparty;
ersia@MINGW64 ~/source/Repos/test/opencv $ 
ersia@MINGW64 ~/source/Repos/test/opencv $ git config --global core.autocrlf true;
git config --global core.autocrlf;
git config core.autocrlf;
true
true
ersia@MINGW64 ~/source/Repos/test/opencv $ 
ersia@MINGW64 ~/source/Repos/test/opencv $ git checkout 3rdparty;
Updated 1345 paths from the index
ersia@MINGW64 ~/source/Repos/test/opencv $ 
ersia@MINGW64 ~/source/Repos/test/opencv $
ersia@MINGW64 ~/source/Repos/test/opencv $ osv-scanner.exe -r 3rdparty;
Scanning dir 3rdparty
Scanning directory for vendored libs: C:\Users\ersia\source\Repos\test\opencv\3rdparty
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\carotene
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\cpufeatures
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\ffmpeg
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\flatbuffers
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\include
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\ippicv
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\ittnotify
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libjasper
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libjpeg
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libjpeg-turbo
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libpng
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libspng
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libtiff
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libtim-vx
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libwebp
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\openexr
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\openjpeg
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\openvx
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\protobuf
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\quirc
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\tbb
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\zlib
No package sources found, --help for usage information.

Linux LF

git config --global core.autocrlf input;
git config --global core.autocrlf;
git config core.autocrlf;
rm -rf ./3rdparty;
git checkout 3rdparty;
osv-scanner.exe -r 3rdparty;

ersia@MINGW64 ~/source/Repos/test/opencv $ git config --global core.autocrlf input;
git config --global core.autocrlf;
git config core.autocrlf;
input
input
ersia@MINGW64 ~/source/Repos/test/opencv $ 
ersia@MINGW64 ~/source/Repos/test/opencv $ rm -rf ./3rdparty
ersia@MINGW64 ~/source/Repos/test/opencv $ 
ersia@MINGW64 ~/source/Repos/test/opencv $ git checkout 3rdparty
Updated 1345 paths from the index
ersia@MINGW64 ~/source/Repos/test/opencv $ osv-scanner.exe -r 3rdparty;
Scanning dir 3rdparty
Scanning directory for vendored libs: C:\Users\ersia\source\Repos\test\opencv\3rdparty
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\carotene
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\cpufeatures
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\ffmpeg
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\flatbuffers
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\include
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\ippicv
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\ittnotify
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libjasper
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libjpeg
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\libjpeg as https://github.com/libjpeg-turbo/libjpeg-turbo at 9fc018fd1aa9598f21c9bc4d8d53c0cef007bdcf.
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libjpeg-turbo
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\libjpeg-turbo as https://github.com/libjpeg-turbo/libjpeg-turbo at c5f269eb9665435271c05fbcaf8721fa58e9eafa.
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libpng
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\libpng as https://github.com/glennrp/libpng.git at a40189cf881e9f0db80511c382292a5604c3c3d1.
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libspng
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libtiff
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\libtiff as https://gitlab.com/libtiff/libtiff at 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99.
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libtim-vx
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\libwebp
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\libwebp as https://chromium.googlesource.com/webm/libwebp at fd7bb21c0cb56e8a82e9bfa376164b842f433f3b.
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\openexr
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\openexr as https://github.com/AcademySoftwareFoundation/openexr at 0ac2ea34c8f3134148a5df4052e40f155b76f6fb.
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\openjpeg
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\openjpeg as https://github.com/uclouvain/openjpeg at a5891555eb49ed7cc26b2901ea680acda136d811.
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\openvx
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\protobuf
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\protobuf as https://github.com/protocolbuffers/protobuf at 7c40b2df1fdf6f414c1c18c789715a9c948a0725.
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\quirc
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\tbb
Scanning potential vendored dir: C:\Users\ersia\source\Repos\test\opencv\3rdparty\zlib
Identified C:\Users\ersia\source\Repos\test\opencv\3rdparty\zlib as https://github.com/madler/zlib at 04f42ceca40f73e2978b50e93806c2a18c1281fc.
╭────────────────────────────────┬──────┬───────────┬─────────────────────┬─────────────────────┬───────────────────╮
│ OSV URL                        │ CVSS │ ECOSYSTEM │ PACKAGE             │ VERSION             │ SOURCE            │
├────────────────────────────────┼──────┼───────────┼─────────────────────┴─────────────────────┼───────────────────┤
│ https://osv.dev/CVE-2021-20205 │ 6.5  │ GIT       │  9fc018fd1aa9598f21c9bc4d8d53c0cef007bdcf │ 3rdparty\libjpeg  │
│ https://osv.dev/CVE-2021-29390 │ 7.1  │ GIT       │  9fc018fd1aa9598f21c9bc4d8d53c0cef007bdcf │ 3rdparty\libjpeg  │
│ https://osv.dev/CVE-2021-46822 │ 5.5  │ GIT       │  9fc018fd1aa9598f21c9bc4d8d53c0cef007bdcf │ 3rdparty\libjpeg  │
│ https://osv.dev/CVE-2022-3857  │ 5.5  │ GIT       │  a40189cf881e9f0db80511c382292a5604c3c3d1 │ 3rdparty\libpng   │
│ https://osv.dev/CVE-2022-0561  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-0562  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-0865  │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-0891  │ 7.1  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-0907  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-0908  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-0909  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-0924  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-1056  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-1210  │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-1354  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-1355  │ 6.1  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-1622  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-1623  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-2056  │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-2057  │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-2058  │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-2867  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-2868  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-2869  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-34526 │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-3970  │ 8.8  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-40090 │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2022-4645  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-0804  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-1916  │ 6.1  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-25433 │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-25434 │ 8.8  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-25435 │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-26965 │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-26966 │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-2731  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-2908  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-30775 │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-3576  │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-3618  │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-40745 │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-41175 │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ 3rdparty\libtiff  │
│ https://osv.dev/CVE-2023-4863  │ 8.8  │ GIT       │  fd7bb21c0cb56e8a82e9bfa376164b842f433f3b │ 3rdparty\libwebp  │
│ https://osv.dev/CVE-2018-18443 │ 4.3  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2018-18444 │ 8.8  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-11758 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-11759 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-11760 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-11761 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-11762 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-11763 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-11764 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-11765 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-15304 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-15305 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-15306 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-16587 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-16588 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2020-16589 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-20298 │ 7.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-20299 │ 7.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-20300 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-20302 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-20303 │ 6.1  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-20304 │ 7.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-23169 │ 8.8  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-23215 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-26260 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-26945 │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-3598  │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-3605  │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-3933  │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/CVE-2021-3941  │ 6.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ 3rdparty\openexr  │
│ https://osv.dev/OSV-2022-416   │      │ GIT       │  a5891555eb49ed7cc26b2901ea680acda136d811 │ 3rdparty\openjpeg │
│ https://osv.dev/CVE-2021-22569 │ 5.5  │ GIT       │  7c40b2df1fdf6f414c1c18c789715a9c948a0725 │ 3rdparty\protobuf │
│ https://osv.dev/CVE-2022-3509  │ 7.5  │ GIT       │  7c40b2df1fdf6f414c1c18c789715a9c948a0725 │ 3rdparty\protobuf │
│ https://osv.dev/CVE-2022-3510  │ 7.5  │ GIT       │  7c40b2df1fdf6f414c1c18c789715a9c948a0725 │ 3rdparty\protobuf │
│ https://osv.dev/CVE-2023-45853 │ 9.8  │ GIT       │  04f42ceca40f73e2978b50e93806c2a18c1281fc │ 3rdparty\zlib     │
╰────────────────────────────────┴──────┴───────────┴───────────────────────────────────────────┴───────────────────╯

Probable cause

Although the exact internal logic has not been analyzed, it is presumed that packages are searched based on hash values at the file and directory level.
At this time, it is expected that package search will not be possible because the hash value is different due to the autocrlf setting.
@oliverchang oliverchang added the bug Something isn't working label Nov 15, 2023
@another-rex another-rex linked a pull request Dec 1, 2023 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix vendor scanning for windows another-rex/osv-scanner
2 participants
@oliverchang @ErsiaJin