internal/worker: add non-Go modules

Module paths that we know are not Go modules are now tracked, to avoid
creating false positive issues.

Change-Id: Ibfc7256691addfe0cd4dc842b74444a0be7ea705
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/376534
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/internal/worker/triage.go b/internal/worker/triage.go
index b5ab2b0..5fe9c77 100644
--- a/internal/worker/triage.go
+++ b/internal/worker/triage.go
@@ -63,6 +63,17 @@
 
 const snykIdentifier = "snyk.io/vuln/SNYK-GOLANG"
 
+// nonGoModules are paths that return a 200 on pkg.go.dev, but do not contain
+// Go code. However, these libraries often have CVEs that are false positive for
+// a Go vuln.
+var notGoModules = map[string]bool{
+	"github.com/channelcat/sanic":            true, // python library
+	"github.com/rapid7/metasploit-framework": true, // ruby library
+	"github.com/tensorflow/tensorflow":       true, // python library
+	"gitweb.gentoo.org/repo/gentoo.git":      true, // ebuild
+	"qpid.apache.org":                        true, // C, python, & Java library
+}
+
 // triageV4CVE triages a CVE following schema v4.0 and returns the result.
 func triageV4CVE(ctx context.Context, c *cveschema.CVE, pkgsiteURL string) (_ *triageResult, err error) {
 	defer derrors.Wrap(&err, "triageV4CVE(ctx, %q, %q)", c.ID, pkgsiteURL)
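Review bot: The doc comment on the new map opens with `nonGoModules`, but the variable is declared as `notGoModules`, so the comment breaks the Go convention of starting with the identifier, and a search for one name misses the other. Change the first comment line to `// notGoModules are paths that return a 200 on pkg.go.dev, but do not contain`. The comment could also say that entries are matched exactly against candidate module paths, as the lookup in the second hunk does. Every entry removes CVE references from triage, so an over-broad entry would hide a real Go vulnerability report.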
@@ -98,6 +109,9 @@
 		}
 		modpaths := candidateModulePaths(refURL.Host + refURL.Path)
 		for _, mp := range modpaths {
+			if notGoModules[mp] {
+				continue
+			}
 			known, err := knownToPkgsite(ctx, pkgsiteURL, mp)
 			if err != nil {
 				return nil, err
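Review bot: The lookup `notGoModules[mp]` in the loop over `modpaths` is an exact, case-sensitive match, and `continue` skips only that one candidate, so the other candidates derived from the same reference URL are still passed to `knownToPkgsite`. If `candidateModulePaths` can return a path that differs only in letter case, or a longer path under a listed repository, the CVE may still be triaged as a Go issue; whether it can depends on code outside this hunk. A comment above the check such as `// Exact match only; other candidates from this URL are still checked.` would record the intent. A test with a listed path would pin the behaviour. The enclosing function (presumably `triageV4CVE`) starts and ends outside the hunk.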