[WebKit vendored code] osv-scanner fails to identify ANGLE and webrtc projects

Open ddkilzer opened this issue 1 year ago • 2 comments

Summary:

osv-scanner fails to identify ANGLE and webrtc projects in the WebKit project while scanning for vendored code dependencies.

Steps to Reproduce:

  1. Check out WebKit (at commit https://github.com/WebKit/WebKit/commit/fda388552a877f757aa8216c8d116937fe8651f2):
    git clone https://github.com/WebKit/WebKit.git WebKit.git
  2. Run osv-scanner (at commit 85563d901bec48bbe8db1242f083c42d42353ace):
    go run ./cmd/osv-scanner/main.go -r WebKit.git/Source/ThirdParty

Expected Results:

osv-scanner identifies ANGLE and webrtc as vendored code dependencies.

Actual Results:

osv-scanner fails to identify ANGLE and webrtc as vendored code dependencies.

Scanning dir WebKit.git/Source/ThirdParty
Scanning directory for vendored libs: WebKit.git/Source/ThirdParty
[...]
Scanning potential vendored dir: WebKit.git/Source/ThirdParty/ANGLE
[...]
Scanning potential vendored dir: WebKit.git/Source/ThirdParty/libwebrtc
[...]
Scanning directory for vendored libs: WebKit.git/Source/ThirdParty/ANGLE/src/third_party
[...]
Scanning directory for vendored libs: WebKit.git/Source/ThirdParty/libwebrtc/Source/third_party
[...]

Notes:

Both ANGLE and libwebrtc folders have their own third-party subfolders with additional vendored code dependencies.

ddkilzer, Feb 13 '24 17:02

They're not indexed currently. We'll get these added.

oliverchang, Feb 14 '24 01:02

Taking a closer look here, it looks like webrtc and ANGLE do not do release tags, which is blocking our current indexing mechanisms.

@andrewpollock FYI since this was a case that you mentioned.

oliverchang, Feb 19 '24 02:02