Override Go versions for OSV Scanner and disable

Disabled pending the next release that uses the override file. Signed-off-by: Brandon Mitchell <git@bmitch.net>
regclient · Mar 25, 2024 · 1645a99 · 1645a99
1 parent 665ee59
commit 1645a99
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 9 deletions.
diff --git a/.github/workflows/vulnscans.yml b/.github/workflows/vulnscans.yml
@@ -9,8 +9,8 @@ permissions:
   contents: read
 
 jobs:
-  govunlcheck:
-    name: Go Vuln Check
+  vulnerability-scans:
+    name: Run vulnerability scans
     runs-on: ubuntu-latest
     env:
       RELEASE_GO_VER: "1.22"
@@ -25,6 +25,7 @@ jobs:
         go-version: "${{ env.RELEASE_GO_VER }}"
         check-latest: true
 
+    # intentionally not pinned to always run the latest scanner
     - name: "Install govulncheck"
       run: |
         go install golang.org/x/vuln/cmd/govulncheck@latest
@@ -33,10 +34,12 @@ jobs:
       run: |
         govulncheck ./...
 
-    - name: "Install OSV Scanner"
-      run: |
-        go install github.com/google/osv-scanner/cmd/osv-scanner@latest
+    # TODO: reenable after 1.7.2 or later is released
+    # intentionally not pinned to always run the latest scanner
+    # - name: "Install OSV Scanner"
+    #   run: |
+    #     go install github.com/google/osv-scanner/cmd/osv-scanner@latest
 
-    - name: "Run OSV Scanner"
-      run: |
-        osv-scanner scan -r --experimental-licenses="Apache-2.0,BSD-3-Clause,MIT,CC-BY-SA-4.0,UNKNOWN" .
+    # - name: "Run OSV Scanner"
+    #   run: |
+    #     osv-scanner scan --config .osv-scanner.toml -r --experimental-licenses="Apache-2.0,BSD-3-Clause,MIT,CC-BY-SA-4.0,UNKNOWN" .
diff --git a/.osv-scanner.toml b/.osv-scanner.toml
@@ -0,0 +1 @@
+GoVersionOverride = "1.22.1"
diff --git a/.version-bump.yml b/.version-bump.yml
@@ -42,6 +42,9 @@ files:
   "go.mod":
     scans:
       - go-mod-golang-release
+  ".osv-scanner.toml":
+    scans:
+      - osv-golang-release
 
 scans:
   docker-arg-alpine-tag:
@@ -220,6 +223,12 @@ scans:
     source: "registry-digest-match"
     args:
       regexp: '^SYFT_CONTAINER\?=(?P<Image>[^:]*):(?P<Tag>v[0-9\.]+)@(?P<Version>sha256:[0-9a-f]+)\s*$'
+  osv-golang-release:
+    type: "regexp"
+    source: "registry-tag-arg-semver"
+    args:
+      regexp: '^GoVersionOverride = "(?P<Version>[0-9\.]+)"\s*$'
+      repo: "docker.io/library/golang"
   shell-alpine-tag:
     type: "regexp"
     source: "registry-tag-arg-semver-major"

diff --git a/Makefile b/Makefile
@@ -102,7 +102,7 @@ vulnerability-scan: osv-scanner vulncheck-go ## Run all vulnerability scanners
 
 .PHONY: osv-scanner
 osv-scanner: $(GOPATH)/bin/osv-scanner .FORCE ## Run OSV Scanner
-	$(GOPATH)/bin/osv-scanner scan -r --experimental-licenses="Apache-2.0,BSD-3-Clause,MIT,CC-BY-SA-4.0,UNKNOWN" .
+	$(GOPATH)/bin/osv-scanner scan --config .osv-scanner.toml -r --experimental-licenses="Apache-2.0,BSD-3-Clause,MIT,CC-BY-SA-4.0,UNKNOWN" .
 
 .PHONY: vulncheck-go
 vulncheck-go: $(GOPATH)/bin/govulncheck .FORCE ## Run govulncheck