aquasecurity · knqyf263 · Jul 20, 2023 · Jul 2, 2023 · Jul 10, 2023 · Jul 19, 2023
@@ -15,7 +15,6 @@ require (
 	go.etcd.io/bbolt v1.3.7
 	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1
 	golang.org/x/text v0.10.0
-	golang.org/x/vuln v0.0.0-20211221130724-9d39a965865f
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
 	gopkg.in/cheggaaa/pb.v1 v1.0.28
 	gopkg.in/yaml.v2 v2.4.0
@@ -35,8 +34,7 @@ require (
 	github.com/stretchr/objx v0.5.0 // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
-	golang.org/x/mod v0.8.0 // indirect
-	golang.org/x/sys v0.5.0 // indirect
+	golang.org/x/sys v0.7.0 // indirect
 	golang.org/x/term v0.1.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

@@ -80,8 +80,6 @@ go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
 go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
 golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 h1:k/i9J1pBpvlfR+9QsetwPyERsqu1GIbi967PQMq3Ivc=
 golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
-golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -90,17 +88,15 @@ golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU=
+golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.10.0 h1:UpjohKhiEgNc0CSauXmwYftY1+LlaC75SJwh0SgCX58=
 golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/vuln v0.0.0-20211221130724-9d39a965865f h1:ItHAoc29v2tEtSkL2oGCsO0s1TrbNAZW5108AFJ3FSY=
-golang.org/x/vuln v0.0.0-20211221130724-9d39a965865f/go.mod h1:YzHo/6uxZoZ2fGerGwR/VABIRuNZ3yHsHX8KGvlHnzM=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

@@ -10,7 +10,6 @@ import (
 	"time"
 
 	bolt "go.etcd.io/bbolt"
-	"golang.org/x/vuln/osv"
 	"golang.org/x/xerrors"
 
 	"github.com/aquasecurity/trivy-db/pkg/db"
@@ -50,8 +49,8 @@ var ecosystems = []ecosystem{
 		},
 	*/
 
-	// We cannot use OSV for golang scanning until module names are included.
-	// See https://github.com/golang/go/issues/50006 for the detail.
+	// Go ecosystem advisories in OSV were disabled,
+	// because GitHub Advisory Database contains almost all information.
 	//{dir: "go", pkgType: vulnerability.Go, sourceID: vulnerability.OSVGo},
 }
 
@@ -151,7 +150,7 @@ func (vs VulnSrc) commit(tx *bolt.Tx, eco ecosystem, entry Entry) error {
 		pkgName := vulnerability.NormalizePkgName(eco.name, affected.Package.Name)
 		var patchedVersions, vulnerableVersions []string
 		for _, affects := range affected.Ranges {
-			if affects.Type == osv.TypeGit {
+			if affects.Type == RangeTypeGit {
 				continue
 			}
 

@@ -1,12 +1,74 @@
 package osv
 
-import "golang.org/x/vuln/osv"
+import (
+	"time"
+)
 
-// source: https://github.com/golang/vuln/blob/9d39a965865fd1d0030df18602433a01f679fd7d/osv/json.go
+type RangeType string
+
+const RangeTypeGit RangeType = "GIT"
+
+type Ecosystem string
+
+type Package struct {
+	Name      string    `json:"name"`
+	Ecosystem Ecosystem `json:"ecosystem"`
+}
+
+type RangeEvent struct {
+	Introduced string `json:"introduced,omitempty"`
+	Fixed      string `json:"fixed,omitempty"`
+}
+
+type Range struct {
+	Type   RangeType    `json:"type"`
+	Events []RangeEvent `json:"events"`
+}
+
+type ReferenceType string
+
+type Reference struct {
+	Type ReferenceType `json:"type"`
+	URL  string        `json:"url"`
+}
+
+type Affected struct {
+	Package           Package           `json:"package"`
+	Ranges            []Range           `json:"ranges,omitempty"`
+	EcosystemSpecific EcosystemSpecific `json:"ecosystem_specific"`
+}
+
+type Import struct {
+	Path    string   `json:"path,omitempty"`
+	GOOS    []string `json:"goos,omitempty"`
+	GOARCH  []string `json:"goarch,omitempty"`
+	Symbols []string `json:"symbols,omitempty"`
+}
+
+type EcosystemSpecific struct {
+	Imports []Import `json:"imports,omitempty"`
+}
+
+// source: https://ossf.github.io/osv-schema
 type Entry struct {
-	// According to the specification, "summary" field is missing in the below struct.
-	// https://ossf.github.io/osv-schema/
-	Summary string `json:"summary"`
+	SchemaVersion    string            `json:"schema_version,omitempty"`
+	ID               string            `json:"id"`
+	Modified         time.Time         `json:"modified,omitempty"`
+	Published        time.Time         `json:"published,omitempty"`
+	Withdrawn        *time.Time        `json:"withdrawn,omitempty"`
+	Aliases          []string          `json:"aliases,omitempty"`
+	Summary          string            `json:"summary,omitempty"`
+	Details          string            `json:"details"`
+	Affected         []Affected        `json:"affected"`
+	References       []Reference       `json:"references,omitempty"`
+	Credits          []Credit          `json:"credits,omitempty"`
+	DatabaseSpecific *DatabaseSpecific `json:"database_specific,omitempty"`
+}
+
+type Credit struct {
+	Name string `json:"name"`
+}
 
-	osv.Entry
+type DatabaseSpecific struct {
+	URL string `json:"url,omitempty"`
 }