
scanner-audit/main.go: include GHSA IDs when loading expected vulnerabilities#137

Open
Dev-X25874 wants to merge 1 commit into chainguard-dev:main from Dev-X25874:fix/load-ghsa-expected-vulns

Conversation

@Dev-X25874

The loadExpectedCVEs function filtered expected vulnerability IDs with
strings.HasPrefix(vuln[0], "CVE-"), silently dropping all GHSA-* entries
from the expected set.

The answers data contains GHSA identifiers across multiple test cases
(e.g. fixed-language-package-vulnerabilities,
false-positive-language-package-vulnerabilities). With an empty expected
list, compareCVEs could never produce false negatives for those test cases,
causing them to always appear as passing regardless of actual scanner output.

Remove the prefix guard so all identifiers in the answers file are loaded
as expected vulnerabilities.

…bilities

Signed-off-by: Dev-X25874 <283057883+Dev-X25874@users.noreply.github.com>
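The failure mode described in the PR, shown as an added example that is not the scanner-audit code itself: a loader with the `strings.HasPrefix(vuln[0], "CVE-")` guard beside one without it, and a false-negative check run over a constructed answers table. The row layout (ID in column 0, test case name in column 1), the function names and the sample IDs are assumptions for illustration, not taken from the project.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// sampleAnswers is a constructed "answers" table. Each row is one expected
// finding with the vulnerability ID in column 0 (matching the vuln[0] the PR
// mentions) and the test case name in column 1. The layout is assumed.
var sampleAnswers = [][]string{
	{"CVE-2023-1234", "fixed-language-package-vulnerabilities"},
	{"GHSA-abcd-efgh-ijkl", "fixed-language-package-vulnerabilities"},
	{"GHSA-mnop-qrst-uvwx", "false-positive-language-package-vulnerabilities"},
}

// loadExpectedWithPrefixGuard reproduces the behaviour the PR removes: only
// IDs starting with "CVE-" are kept, so every GHSA row is silently dropped.
func loadExpectedWithPrefixGuard(rows [][]string, testCase string) map[string]bool {
	expected := map[string]bool{}
	for _, vuln := range rows {
		if len(vuln) < 2 || vuln[1] != testCase {
			continue
		}
		if !strings.HasPrefix(vuln[0], "CVE-") { // the guard at issue
			continue
		}
		expected[vuln[0]] = true
	}
	return expected
}

// loadExpected is the fixed variant: every non-empty identifier in the rows
// for the test case is loaded as expected, whatever its prefix.
func loadExpected(rows [][]string, testCase string) map[string]bool {
	expected := map[string]bool{}
	for _, vuln := range rows {
		if len(vuln) < 2 || vuln[1] != testCase {
			continue
		}
		id := strings.TrimSpace(vuln[0])
		if id == "" {
			continue
		}
		expected[id] = true
	}
	return expected
}

// falseNegatives returns, sorted, the expected IDs the scanner did not report.
// With an empty expected set it can only ever return nothing, which is why a
// GHSA-only test case looked green no matter what the scanner produced.
func falseNegatives(expected map[string]bool, scannerOutput []string) []string {
	reported := map[string]bool{}
	for _, id := range scannerOutput {
		reported[id] = true
	}
	var missing []string
	for id := range expected {
		if !reported[id] {
			missing = append(missing, id)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	const tc = "false-positive-language-package-vulnerabilities"
	var scannerOutput []string // constructed: the scanner reported nothing at all
	fmt.Println("guarded:", falseNegatives(loadExpectedWithPrefixGuard(sampleAnswers, tc), scannerOutput))
	fmt.Println("fixed:  ", falseNegatives(loadExpected(sampleAnswers, tc), scannerOutput))
}
```

Running `main` against an empty scanner result shows the guarded loader reporting no false negatives for the GHSA-only test case, while the fixed loader correctly flags the missing GHSA entry; the same comparison on the mixed test case flags the GHSA row even when the CVE row was reported.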