From d4028a0ac9662fffdd0f7564896c2a7fceed37dc Mon Sep 17 00:00:00 2001
From: "Mark S. Lewis"
Date: Sat, 24 Jun 2023 14:44:48 +0100
Subject: [PATCH] Remove OSV-Scanner from vulnerability scan (#138)
Running OSV-Scanner on the Node package-lock.json file could also detect vulnerabilities in dev dependencies. The intention of the vulnerability scan is to ensure that the production dependencies do not contain vulnerabilities, not the dev dependencies. This could be resolved by generating a Software Bill of Materials (SBOM) for the Node project, omitting dev dependencies, and running OSV-Scanner on the SBOM. Unfortunately, the use of non-semver tags (such as `latest`) in the dependency tree causes errors in npm ls when generating an SBOM. Govulncheck and npm audit already do a good job of detecting vulnerabilities in Go and Node respectively so, for now at least, remove OSV-Scanner.
Signed-off-by: Mark S. Lewis
---
.github/workflows/vulnerability-scan.yml | 7 -------
Makefile | 16 ++--------------
2 files changed, 2 insertions(+), 21 deletions(-)
diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
index b50e423..164fdb6 100644
--- a/.github/workflows/vulnerability-scan.yml
+++ b/.github/workflows/vulnerability-scan.yml
@@ -16,7 +16,6 @@ jobs:
matrix:
target:
- govulncheck
- - osv-scanner
steps:
- uses: actions/checkout@v3
- name: Set up Go
@@ -34,17 +33,11 @@ jobs:
matrix:
target:
- npm-audit
- - osv-scanner
steps:
- uses: actions/checkout@v3
- name: Use Node.js
uses: actions/setup-node@v3
with:
node-version: 18
- - name: Set up Go
- if: matrix.target == 'osv-scanner'
- uses: actions/setup-go@v4
- with:
- go-version: '1.20'
- name: Scan
run: make scan-node-${{ matrix.target }}
diff --git a/Makefile b/Makefile
index 24b379c..92c2e3c 100644
--- a/Makefile
+++ b/Makefile
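Review bot: With `osv-scanner` removed, the `target` matrix in the Node job (and likewise in the Go job) is down to a single value, so `strategy.matrix` no longer fans anything out and reads as leftover scaffolding around `run: make scan-node-${{ matrix.target }}`. Either collapse it to a direct `run: make scan-node-npm-audit`, or keep the matrix and state its purpose with a comment above `matrix:` such as `# one entry per scanner; add new scanners here rather than as extra steps`. Separately, and pre-existing, `actions/checkout@v3` and `actions/setup-node@v3` are pinned to moving major tags rather than commit SHAs, which is worth tightening in a workflow whose whole purpose is dependency hygiene. The enclosing `jobs:` mapping starts before this hunk.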
@@ -41,20 +41,15 @@ golangci-lint: $(go_bin_dir)/golangci-lint
scan: scan-go scan-node
.PHONEY: scan-go
-scan-go: scan-go-govulncheck scan-go-osv-scanner
+scan-go: scan-go-govulncheck
.PHONEY: scan-go-govulncheck
scan-go-govulncheck:
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck '$(base_dir)/...'
-.PHONEY: scan-go-osv-scanner
-scan-go-osv-scanner:
-go install github.com/google/osv-scanner/cmd/osv-scanner@latest
-osv-scanner --lockfile='$(base_dir)/go.mod'
-
.PHONEY: scan-node
-scan-node: scan-node-npm-audit scan-node-osv-scanner
+scan-node: scan-node-npm-audit
.PHONEY: scan-node-npm-audit
scan-node-npm-audit:
@@ -62,13 +57,6 @@ scan-node-npm-audit:
npm install --package-lock-only && \
npm audit --omit=dev
-.PHONEY: scan-node-osv-scanner
-scan-node-osv-scanner:
-go install github.com/google/osv-scanner/cmd/osv-scanner@latest
-cd "$(node_dir)/admin" && \
-npm install --package-lock-only && \
-osv-scanner --lockfile=package-lock.json
-
.PHONEY: escapes_detect
escapes_detect:
@go build -gcflags="-m -l" ./... 2>&1 | grep "escapes to heap" || true
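Review bot: The rules this hunk rewrites, `scan-go` and `scan-node`, and the scanner targets they depend on are declared under `.PHONEY:` rather than the GNU make special target `.PHONY:`, so make treats them as ordinary file targets; if a file named `scan-go-govulncheck` or `scan-node-npm-audit` ever appeared in the repository root, that scan would be considered up to date and silently not run. The typo predates this commit, but the declarations sit right next to the changed lines, so fixing them here is cheap: `.PHONY: scan-go`, `.PHONY: scan-go-govulncheck`, `.PHONY: scan-node`. Also pre-existing: `go install golang.org/x/vuln/cmd/govulncheck@latest` fetches an unpinned scanner on every run, which makes the scan non-reproducible and leaves the scanner itself as the one dependency the job does not pin; consider pinning to a specific `@vX.Y.Z` and bumping deliberately. The `scan-node-npm-audit` recipe continues past the end of this hunk.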