Override Go versions for OSV Scanner and disable

Disabled pending the next release that uses the override file. Signed-off-by: Brandon Mitchell <git@bmitch.net>
regclient · Mar 25, 2024 · f0a851d · f0a851d
1 parent 665ee59
commit f0a851d
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 8 deletions.
diff --git a/.github/workflows/vulnscans.yml b/.github/workflows/vulnscans.yml
@@ -33,10 +33,11 @@ jobs:
       run: |
         govulncheck ./...
 
-    - name: "Install OSV Scanner"
-      run: |
-        go install github.com/google/osv-scanner/cmd/osv-scanner@latest
-
-    - name: "Run OSV Scanner"
-      run: |
-        osv-scanner scan -r --experimental-licenses="Apache-2.0,BSD-3-Clause,MIT,CC-BY-SA-4.0,UNKNOWN" .
+    # TODO: reenable after 1.7.2 or later is released
+    # - name: "Install OSV Scanner"
+    #   run: |
+    #     go install github.com/google/osv-scanner/cmd/osv-scanner@latest
+
+    # - name: "Run OSV Scanner"
+    #   run: |
+    #     osv-scanner scan --config .osv-scanner.toml -r --experimental-licenses="Apache-2.0,BSD-3-Clause,MIT,CC-BY-SA-4.0,UNKNOWN" .
diff --git a/.osv-scanner.toml b/.osv-scanner.toml
@@ -0,0 +1 @@
+GoVersionOverride = "1.22.1"
diff --git a/.version-bump.yml b/.version-bump.yml
@@ -42,6 +42,9 @@ files:
   "go.mod":
     scans:
       - go-mod-golang-release
+  ".osv-scanner.toml":
+    scans:
+      - osv-golang-release
 
 scans:
   docker-arg-alpine-tag:
@@ -220,6 +223,12 @@ scans:
     source: "registry-digest-match"
     args:
       regexp: '^SYFT_CONTAINER\?=(?P<Image>[^:]*):(?P<Tag>v[0-9\.]+)@(?P<Version>sha256:[0-9a-f]+)\s*$'
+  osv-golang-release:
+    type: "regexp"
+    source: "registry-tag-arg-semver"
+    args:
+      regexp: '^GoVersionOverride = "(?P<Version>[0-9\.]+)"\s*$'
+      repo: "docker.io/library/golang"
   shell-alpine-tag:
     type: "regexp"
     source: "registry-tag-arg-semver-major"

diff --git a/Makefile b/Makefile
@@ -102,7 +102,7 @@ vulnerability-scan: osv-scanner vulncheck-go ## Run all vulnerability scanners
 
 .PHONY: osv-scanner
 osv-scanner: $(GOPATH)/bin/osv-scanner .FORCE ## Run OSV Scanner
-	$(GOPATH)/bin/osv-scanner scan -r --experimental-licenses="Apache-2.0,BSD-3-Clause,MIT,CC-BY-SA-4.0,UNKNOWN" .
+	$(GOPATH)/bin/osv-scanner scan --config .osv-scanner.toml -r --experimental-licenses="Apache-2.0,BSD-3-Clause,MIT,CC-BY-SA-4.0,UNKNOWN" .
 
 .PHONY: vulncheck-go
 vulncheck-go: $(GOPATH)/bin/govulncheck .FORCE ## Run govulncheck