[question] How to use google osv-scanner with conan package? #15918

ASKAC0810 opened this issue Mar 22, 2024 · 4 comments
ASKAC0810 commented Mar 22, 2024

What is your question?

At first, I would like to thank you guys for providing a C/C++ package manager solution.

I am looking for a solution for creating an SBOM and a CVE scan report for C/C++.

For the SBOM portion, I found that the Conan package manager can generate an SBOM file in JSON format.
Therefore, I did the following steps to create the SBOM report.

a. Install openssl package from ConanCenter
b. Use "conan sbom:cyclonedx --format 1.4_json . > ./1.json" to create the SBOM file of openssl package.

Also, from the documentation of Google OSV-Scanner, I found it also supports the ConanCenter ecosystem and can scan the SBOM file to create a CVE report.

Therefore, I tried the following command to scan the SBOM file:
"osv-scanner -sbom ./1.json"

However, osv-scanner just showed "No issues found".

I do not understand how it works between conan package and osv-scanner.
Could you please share some information about it?

I know how to use osv-scanner to create a CVE report if I download the openssl source code from GitHub.
But my target is as follows:

a. Use Conan to create my own package.
	This package is based on an open-source project like openssl, and I will cross-compile it as an ARM version.
b. Create SBOM for this package.
c. Create CVE report for this package.

Thank you very much.

Have you read the CONTRIBUTING guide?

  • I've read the CONTRIBUTING guide
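One thing worth checking when a scan of a Conan-generated SBOM comes back clean is whether the components actually carry a purl: osv-scanner matches SBOM entries on purls, and a component without one cannot be looked up at all, so "No issues found" may only mean "nothing matchable". The script below is an added example, not code from the Conan project or the original post; the CycloneDX document it parses is constructed inline, and the helper that fills in `pkg:conan/<name>@<version>` purls assumes every purl-less component came from Conan Center. It builds the body for OSV's batch query endpoint without sending it, so it runs offline.

```python
import json
from typing import Dict, List

# Constructed CycloneDX 1.4 JSON document that stands in for the file written by
# "conan sbom:cyclonedx --format 1.4_json . > ./1.json". It is not real tool output;
# the second component deliberately lacks a purl.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.1.4",
         "purl": "pkg:conan/openssl@3.1.4"},
        {"type": "library", "name": "zlib", "version": "1.3"},
    ],
})


def components_without_purl(sbom_json: str) -> List[str]:
    """Names of components that carry no purl.

    A scanner that matches SBOM entries by purl has nothing to look up for these,
    so a clean scan may only mean that nothing was matchable.
    """
    bom = json.loads(sbom_json)
    return [c.get("name", "<unnamed>")
            for c in bom.get("components", []) if not c.get("purl")]


def add_conan_purls(sbom_json: str) -> str:
    """Fill in a Conan purl (pkg:conan/<name>@<version>) for components that have none.

    Assumption: every purl-less component came from Conan Center. That holds for a
    Conan-generated SBOM but must be checked before using this on SBOMs from elsewhere.
    """
    bom = json.loads(sbom_json)
    for c in bom.get("components", []):
        if not c.get("purl") and c.get("name") and c.get("version"):
            c["purl"] = f"pkg:conan/{c['name']}@{c['version']}"
    return json.dumps(bom)


def osv_querybatch_body(sbom_json: str) -> Dict:
    """Build the body for OSV's batch query endpoint
    (POST https://api.osv.dev/v1/querybatch), one query per purl-bearing component.

    Nothing is sent here; POST the result with any HTTP client and inspect the
    per-query "vulns" lists in the response.
    """
    bom = json.loads(sbom_json)
    queries = [{"package": {"purl": c["purl"]}}
               for c in bom.get("components", []) if c.get("purl")]
    return {"queries": queries}


if __name__ == "__main__":
    print("components without purl:", components_without_purl(SAMPLE_SBOM))
    print(json.dumps(osv_querybatch_body(add_conan_purls(SAMPLE_SBOM)), indent=2))
```

Running it on the real `1.json` from the question (replace `SAMPLE_SBOM` with the file contents) shows whether the openssl component was queryable at all; if OSV has no advisories recorded under the Conan purl type for that package, the response is empty even when the purl is present, which is a separate gap from a missing purl.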
@czoido czoido self-assigned this Mar 22, 2024
czoido commented Mar 22, 2024

Hi @ASKAC0810,

Thank you very much for reporting this issue. I believe this is something that should be addressed on the osv-scanner side. It could be that the support for Conan is not fully implemented, or the SBOM file created by the sbom:cyclonedx command is not compatible with what osv-scanner expects.

@oliverchang
Hi! I'm from the OSV-Scanner team. Could we ask some questions for Conan to better understand how we can support it?

  1. Is there a specific advisory database for Conan packages/recipes?
  2. Are Conan recipes typically all built from upstream repositories from a given git repository commit / tag? Are security patches etc ever backported?

czoido commented Mar 25, 2024

Hi! I'm from the OSV-Scanner team. Could we ask some questions for Conan to better understand how we can support it?

Thank you very much for your questions @oliverchang! Please feel free to ask any questions you have 🙂

  1. Is there a specific advisory database for Conan packages/recipes?

Currently, there is no specific advisory database for Conan packages or recipes.

  2. Are Conan recipes typically all built from upstream repositories from a given git repository commit / tag? Are security patches etc ever backported?

The primary source for Conan packages, for third-party dependencies, is the Conan Center Index. Here, all packages are built from the upstream repositories, typically using the release tarballs from the upstream repository and verifying the SHA for the downloaded file. We store this information in the conandata.yml file, which the Conan recipe has access to, to download the sources for the recipe. For example, the conandata.yml for zlib looks like this. A bit more info about the sources origin here.

It's also accepted to backport security patches in some cases in the conandata.yml file, marked as vulnerability, adding the vulnerability information and URL to the patch from the upstream repository. Some more info about the vulnerability patches here.

Hope this helps!
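The two facts in this answer that a scanner (or a reviewer) can act on are the pinned sha256 of the release tarball and the patches marked as vulnerability backports. The script below is an added example, not Conan's or Conan Center's code: it renders a conandata.yml of the Conan Center Index layout as a Python dict so that it runs without PyYAML, verifies a constructed tarball against the pinned hash, and lists the vulnerability patches. The URL, hash, patch file names and the CVE id are constructed placeholders, and the field names (`sources/<version>/{url,sha256}`, `patches/<version>/[{patch_file,patch_type,patch_description,patch_source}]`) follow the Conan Center Index convention, which this example assumes rather than something the thread spells out.

```python
import hashlib
from typing import Dict, List

# Constructed stand-in for a release tarball; a real recipe downloads it from the URL in conandata.yml.
FAKE_TARBALL = b"constructed stand-in for the zlib-1.3 release tarball"

# Python rendering of a conandata.yml in the Conan Center Index layout. URL, hash, patch
# names and the CVE id are constructed placeholders (example.invalid is a reserved name).
CONANDATA: Dict = {
    "sources": {
        "1.3": {
            "url": "https://example.invalid/zlib-1.3.tar.gz",
            "sha256": hashlib.sha256(FAKE_TARBALL).hexdigest(),
        }
    },
    "patches": {
        "1.3": [
            {"patch_file": "patches/1.3-0001-cmake-install.patch",
             "patch_type": "portability",
             "patch_description": "Fix install paths on non-Linux hosts"},
            {"patch_file": "patches/1.3-0002-CVE-XXXX-YYYY.patch",
             "patch_type": "vulnerability",
             "patch_description": "Backport of upstream fix for CVE-XXXX-YYYY (placeholder id)",
             "patch_source": "https://example.invalid/upstream/commit/placeholder"},
        ]
    },
}


def source_matches(conandata: Dict, version: str, data: bytes) -> bool:
    """True if the downloaded bytes hash to the sha256 pinned in conandata for this version.

    This is the same check a Conan recipe performs after downloading: a tarball whose
    hash differs from the pinned value (a single flipped byte is enough) is rejected.
    """
    expected = conandata["sources"][version]["sha256"]
    return hashlib.sha256(data).hexdigest() == expected


def vulnerability_patches(conandata: Dict, version: str) -> List[Dict]:
    """Patches marked as vulnerability backports for this version.

    These are the entries an SBOM consumer has to account for: the built binary is
    "upstream version plus these fixes", so an advisory against the bare upstream
    version may already be addressed.
    """
    return [p for p in conandata.get("patches", {}).get(version, [])
            if p.get("patch_type") == "vulnerability"]


def patch_references(conandata: Dict, version: str) -> List[str]:
    """One line per vulnerability patch with its description and upstream source URL."""
    return [f"{p['patch_file']}: {p.get('patch_description', '')} "
            f"[{p.get('patch_source', 'no upstream URL recorded')}]"
            for p in vulnerability_patches(conandata, version)]


if __name__ == "__main__":
    print("tarball matches pinned sha256:", source_matches(CONANDATA, "1.3", FAKE_TARBALL))
    for line in patch_references(CONANDATA, "1.3"):
        print(line)
```

To use it on a real recipe, load the actual conandata.yml with a YAML parser into the same dict shape and pass the downloaded tarball bytes to `source_matches`; the vulnerability list is what you would attach to the SBOM component (for example as CycloneDX pedigree or properties) so a downstream scanner does not flag an already-backported fix.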

valgur commented Mar 25, 2024

The only CVE database for ConanCenter I'm aware of is maintained by Repology, if that helps: https://repology.org/projects/?inrepo=conancenter&vulnerable=1
