Scan submodules too. (#581)

andrewpollock · web-flow · commit f81949534035 · 2023-10-30T14:10:52.000+10:00
Using https://github.com/charlesneimog/pd-server (at cf3f15a) as the example: With submodules not initialized: ``` $ go run ./cmd/osv-scanner -r ../pd-server/ Scanning dir ../pd-server/ Scanning /home/apollock/pd-server/ at commit cf3f15a841ca21b53c6de654c9981a30ae0b590c Scanning submodule src/cpp-httplib at commit 227d2c20509f85a394133e2be6d0b0fc1fda54b2 Scanning submodule pd-lib-builder at commit 5c2e137f7a7a03f4007494954ccb3e23753e7807 Scanning submodule src/json at commit 4c6cde72e533158e044252718c013a48bcff346c Scanning submodule src/websocketpp at commit 1b11fd301531e6df35a6107c1e8665b1e77a2d8e ╭────────────────────────────────┬──────┬───────────┬─────────────────────┬─────────────────────┬──────────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ ├────────────────────────────────┼──────┼───────────┼─────────────────────┴─────────────────────┼──────────────────────────────┤ │ https://osv.dev/CVE-2023-26130 │ 8.8 │ GIT │ 227d2c20509f85a394133e2be6d0b0fc1fda54b2 │ ../pd-server/src/cpp-httplib │ ╰────────────────────────────────┴──────┴───────────┴───────────────────────────────────────────┴──────────────────────────────╯ exit status 1 ``` With submodules initialized: ``` $ go run ./cmd/osv-scanner -r ../pd-server/ Scanning dir ../pd-server/ Scanning /home/apollock/pd-server/ at commit cf3f15a841ca21b53c6de654c9981a30ae0b590c Scanning submodule src/cpp-httplib at commit 227d2c20509f85a394133e2be6d0b0fc1fda54b2 Scanning submodule pd-lib-builder at commit 5c2e137f7a7a03f4007494954ccb3e23753e7807 Scanning submodule src/json at commit 4c6cde72e533158e044252718c013a48bcff346c Scanning submodule src/websocketpp at commit 1b11fd301531e6df35a6107c1e8665b1e77a2d8e Scanned /home/apollock/pd-server/src/json/docs/mkdocs/requirements.txt file and found 49 packages Scanned /home/apollock/pd-server/src/json/tools/serve_header/requirements.txt file and found 2 packages ╭─────────────────────────────────────┬──────┬───────────┬─────────────────────┬─────────────────────┬────────────────────────────────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ ├─────────────────────────────────────┼──────┼───────────┼─────────────────────┴─────────────────────┼────────────────────────────────────────────────────┤ │ https://osv.dev/CVE-2023-26130 │ 8.8 │ GIT │ 227d2c20509f85a394133e2be6d0b0fc1fda54b2 │ ../pd-server/src/cpp-httplib │ │ https://osv.dev/GHSA-xqr8-7jwr-rhp7 │ 7.5 │ PyPI │ certifi │ 2022.12.7 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │ │ https://osv.dev/PYSEC-2023-135 │ │ │ │ │ │ │ https://osv.dev/GHSA-v3c5-jqr6-7qm8 │ 7.5 │ PyPI │ future │ 0.18.2 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │ │ https://osv.dev/PYSEC-2022-42991 │ │ │ │ │ │ │ https://osv.dev/GHSA-cwvm-v4w8-q58c │ 6.5 │ PyPI │ gitpython │ 3.1.29 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │ │ https://osv.dev/PYSEC-2023-165 │ │ │ │ │ │ │ https://osv.dev/GHSA-hcpj-qp55-gfph │ 8.1 │ PyPI │ gitpython │ 3.1.29 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │ │ https://osv.dev/PYSEC-2022-42992 │ │ │ │ │ │ │ https://osv.dev/GHSA-pr76-5cm5-w9cj │ 9.8 │ PyPI │ gitpython │ 3.1.29 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │ │ https://osv.dev/PYSEC-2023-137 │ │ │ │ │ │ │ https://osv.dev/GHSA-wfm5-v35h-vwf4 │ 7.8 │ PyPI │ gitpython │ 3.1.29 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │ │ https://osv.dev/PYSEC-2023-161 │ │ │ │ │ │ │ https://osv.dev/GHSA-mrwq-x4v8-fh7p │ 5.5 │ PyPI │ pygments │ 2.13.0 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │ │ https://osv.dev/PYSEC-2023-117 │ │ │ │ │ │ │ https://osv.dev/GHSA-jh85-wwv9-24hv │ 7.5 │ PyPI │ pymdown-extensions │ 9.9 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │ │ https://osv.dev/GHSA-j8r2-6x86-q33q │ 6.1 │ PyPI │ requests │ 2.28.1 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │ │ https://osv.dev/PYSEC-2023-74 │ │ │ │ │ │ │ https://osv.dev/GHSA-hj3f-6gcp-jg8j │ 6.1 │ PyPI │ tornado │ 6.2 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │ │ https://osv.dev/PYSEC-2023-75 │ │ │ │ │ │ │ https://osv.dev/GHSA-qppv-j76h-2rpx │ │ PyPI │ tornado │ 6.2 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │ │ https://osv.dev/GHSA-g4mx-q9vg-27p4 │ 4.2 │ PyPI │ urllib3 │ 1.26.13 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │ │ https://osv.dev/PYSEC-2023-212 │ │ │ │ │ │ │ https://osv.dev/GHSA-v845-jxx5-vc9f │ 8.1 │ PyPI │ urllib3 │ 1.26.13 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │ │ https://osv.dev/PYSEC-2023-192 │ │ │ │ │ │ ╰─────────────────────────────────────┴──────┴───────────┴─────────────────────┴─────────────────────┴────────────────────────────────────────────────────╯ exit status 1 ```
diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"path"
 	"path/filepath"
 	"strings"
 
@@ -349,6 +350,30 @@ func getCommitSHA(repoDir string) (string, error) {
 	return head.Hash().String(), nil
 }
 
+func getSubmodules(repoDir string) (submodules []*git.SubmoduleStatus, err error) {
+	repo, err := git.PlainOpen(repoDir)
+	if err != nil {
+		return nil, err
+	}
+	worktree, err := repo.Worktree()
+	if err != nil {
+		return nil, err
+	}
+	ss, err := worktree.Submodules()
+	if err != nil {
+		return nil, err
+	}
+	for _, s := range ss {
+		status, err := s.Status()
+		if err != nil {
+			continue
+		}
+		submodules = append(submodules, status)
+	}
+
+	return submodules, nil
+}
+
 // Scan git repository. Expects repoDir to end with /
 func scanGit(r reporter.Reporter, query *osv.BatchedQuery, repoDir string) error {
 	commit, err := getCommitSHA(repoDir)
@@ -357,7 +382,25 @@ func scanGit(r reporter.Reporter, query *osv.BatchedQuery, repoDir string) error
 	}
 	r.PrintText(fmt.Sprintf("Scanning %s at commit %s\n", repoDir, commit))
 
-	return scanGitCommit(query, commit, repoDir)
+	err = scanGitCommit(query, commit, repoDir)
+	if err != nil {
+		return err
+	}
+
+	submodules, err := getSubmodules(repoDir)
+	if err != nil {
+		return err
+	}
+
+	for _, s := range submodules {
+		r.PrintText(fmt.Sprintf("Scanning submodule %s at commit %s\n", s.Path, s.Expected.String()))
+		err = scanGitCommit(query, s.Expected.String(), path.Join(repoDir, s.Path))
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
 }
 
 func scanGitCommit(query *osv.BatchedQuery, commit string, source string) error {
